diff --git a/.s2i/httpd-cfg/01-commercial.conf b/.s2i/httpd-cfg/01-commercial.conf
index 63737951fdbc..7e2fadf0799e 100644
--- a/.s2i/httpd-cfg/01-commercial.conf
+++ b/.s2i/httpd-cfg/01-commercial.conf
@@ -295,22 +295,22 @@ AddType text/vtt                            vtt
     RewriteRule ^container-platform/(4\.9|4\.10|4\.11|4\.12)/serverless/develop/serverless-traffic-management.html /container-platform/$1/serverless/knative-serving/traffic-splitting/traffic-splitting-overview.html [NE,R=302]
 
 
-    # redirect latest to 1.32
+    # redirect latest to 1.33
     RewriteRule ^serverless/?$ /serverless/latest [R=302]
-    RewriteRule ^serverless/latest/?(.*)$ /serverless/1\.32/$1 [NE,R=302]
+    RewriteRule ^serverless/latest/?(.*)$ /serverless/1\.33/$1 [NE,R=302]
 
     # redirect top-level without filespec to the about file
-    RewriteRule ^serverless/(1\.28|1\.29|1\.30|1\.31|1\.32)/?$ /serverless/$1/about/about-serverless.html [L,R=302]
+    RewriteRule ^serverless/(1\.28|1\.29|1\.30|1\.31|1\.32|1\.33)/?$ /serverless/$1/about/about-serverless.html [L,R=302]
 
     # redirect rel notes
-    RewriteRule ^container-platform/(4\.10|4\.11|4\.12|4\.13|4\.14)/serverless/serverless-release-notes.html$ /serverless/1.32/about/serverless-release-notes.html [L,R=302]
-    RewriteRule ^(rosa|dedicated)/serverless/serverless-release-notes.html$ /serverless/1.32/about/serverless-release-notes.html [L,R=302]
+    RewriteRule ^container-platform/(4\.10|4\.11|4\.12|4\.13|4\.14)/serverless/serverless-release-notes.html$ /serverless/1.33/about/serverless-release-notes.html [L,R=302]
+    RewriteRule ^(rosa|dedicated)/serverless/serverless-release-notes.html$ /serverless/1.33/about/serverless-release-notes.html [L,R=302]
 
     # redirect any links to existing OCP embedded content to standalone equivalent
-    RewriteRule ^container-platform/(4\.10|4\.11|4\.12|4\.13|4\.14|4\.15|4\.16|4\.17|4\.18)/serverless/?(.*)$ /serverless/1.32/$2  [L,R=302]
+    RewriteRule ^container-platform/(4\.10|4\.11|4\.12|4\.13|4\.14|4\.15|4\.16|4\.17|4\.18)/serverless/?(.*)$ /serverless/1.33/$2  [L,R=302]
 
     # redirect any links to existing ROSA/Dedicated embedded content to standalone equivalent
-    RewriteRule ^(rosa|dedicated)/serverless/?(.*)$ /serverless/1.32/$2  [L,R=302]
+    RewriteRule ^(rosa|dedicated)/serverless/?(.*)$ /serverless/1.33/$2  [L,R=302]
 
     # redirect builds latest to 1.0
     RewriteRule ^builds/?$ /builds/latest [R=302]
@@ -358,7 +358,7 @@ AddType text/vtt                            vtt
 
     # Pipelines handling unversioned and latest links
     RewriteRule ^pipelines/?$ /pipelines/latest [R=302]
-    RewriteRule ^pipelines/latest/?(.*)$ /pipelines/1\.14/$1 [NE,R=302]
+    RewriteRule ^pipelines/latest/?(.*)$ /pipelines/1\.15/$1 [NE,R=302]
 
     # Pipelines landing page
 
@@ -386,7 +386,7 @@ AddType text/vtt                            vtt
     RewriteRule ^container-platform/(4\.10|4\.11|4\.12|4\.13|4\.14)/cicd/pipelines/securing-webhooks-with-event-listeners.html /pipelines/latest/secure/securing-webhooks-with-event-listeners.html [L,R=302]
 
     # redirect top-level without filespec to the about file
-    RewriteRule ^pipelines/(1\.10|1\.11|1\.12|1\.13|1\.14)/?$ /pipelines/$1/about/understanding-openshift-pipelines.html [L,R=302]
+    RewriteRule ^pipelines/(1\.10|1\.11|1\.12|1\.13|1\.14|1\.15|1\.16|1\.17|1\.18)/?$ /pipelines/$1/about/understanding-openshift-pipelines.html [L,R=302]
 
 
     # OSD redirects for new content
@@ -446,6 +446,9 @@ AddType text/vtt                            vtt
     # ROSA UI short-term redirect https://issues.redhat.com/browse/OSDOCS-3511
     RewriteRule rosa/post_installation_configuration/machine-configuration-tasks.html rosa/rosa_getting_started/rosa-getting-started.html#rosa-getting-started-configure-an-idp-and-grant-access_rosa-getting-started [NE,R=301]
 
+    # ROSA outdated log forwarding tutorial redirect https://issues.redhat.com/browse/OSDOCS-10983
+    RewriteRule rosa/cloud_experts_tutorials/cloud-experts-rosa-cloudwatch-sts.html rosa/observability/logging/log_collection_forwarding/configuring-log-forwarding.html#rosa-cluster-logging-collector-log-forward-sts-cloudwatch_configuring-log-forwarding [NE,R=301]
+
     # ACS welcome page redirect to StackRox docs
     # RewriteRule ^acs/?(.*)$ https://help.stackrox.com/ [NE,R=301]
 
@@ -502,15 +505,15 @@ AddType text/vtt                            vtt
     RewriteRule ^container-platform/(4\.4|4\.5)/authentication/(allowing-javascript-access-api-server|encrypting-etcd|certificate-types-descriptions)\.html$ /container-platform/$1/security/$2\.html [NE,R=301]
 
 
-    # The following rule prevents an infinite redirect loop when browsing to /container-platform/4.15/virt/about_virt/about-virt.html
-    # RewriteRule ^container-platform/4\.15/virt/about_virt/about-virt.html$ - [L]
+    # The following rule prevents an infinite redirect loop when browsing to /container-platform/4.16/virt/about_virt/about-virt.html
+    RewriteRule ^container-platform/4\.16/virt/about_virt/about-virt.html$ - [L]
 
     # OpenShift Virtualization (CNV) catchall redirect; use when CNV releases asynchronously from OCP. Do not change the 302 to a 301.
     # When uncommented, this redirects all `virt` directory traffic to the about-virt page.
     # Pay mind to the redirect directly above this which prevents redirect loops.
     # To activate the redirects, uncomment the next and previous lines and update the version number to the pending release.
 
-    # RewriteRule container-platform/4\.15/virt/(?!about-virt\.html)(.+)$ /container-platform/4.15/virt/about_virt/about-virt.html [NE,R=302]
+    RewriteRule container-platform/4\.16/virt/(?!about-virt\.html)(.+)$ /container-platform/4.16/virt/about_virt/about-virt.html [NE,R=302]
 
 
     # Red Hat OpenShift support for Windows Containers (WMCO) catchall redirect; use when WMCO releases asynchronously from OCP. Do not change the 302 to a 301.
diff --git a/.s2i/httpd-cfg/01-community.conf b/.s2i/httpd-cfg/01-community.conf
index 67d21aa3f38e..209f6f561549 100644
--- a/.s2i/httpd-cfg/01-community.conf
+++ b/.s2i/httpd-cfg/01-community.conf
@@ -159,14 +159,14 @@ AddType text/vtt                            vtt
     RewriteRule ^latest/install_config/upgrades\.html(.*)$ /latest/install_config/upgrading/index.html$1 [NE,R=301]
     RewriteRule ^latest/install_config/upgrading/(.*)$ /latest/upgrading/$1 [NE,R=301]
 
-    # The following rule prevents an infinite redirect loop when browsing to /(latest|4\.15)/virt/about_virt/about-virt.html
-    # RewriteRule ^(latest|4\.15)/virt/about_virt/about-virt.html$ - [L]
+    # The following rule prevents an infinite redirect loop when browsing to /(latest|4\.16)/virt/about_virt/about-virt.html
+    RewriteRule ^(latest|4\.16)/virt/about_virt/about-virt.html$ - [L]
 
     # OpenShift Virtualization (CNV) catchall redirect; use when CNV releases asynchronously from OCP. Do not change the 302 to a 301.
     # When uncommented, this redirects all `virt` directory traffic to the about-virt page.
     # Pay mind to the redirect directly above this which prevents redirect loops.
     # To activate the redirects, uncomment the next and previous lines and update the version number to the pending release.
-    # RewriteRule ^(latest|4\.15)/virt/(?!about-virt\.html)(.+)$ /$1/virt/about_virt/about-virt.html [NE,R=302]
+    RewriteRule ^(latest|4\.16)/virt/(?!about-virt\.html)(.+)$ /$1/virt/about_virt/about-virt.html [NE,R=302]
 
     # Red Hat OpenShift support for Windows Containers (WMCO) catchall redirect; use when WMCO releases asynchronously from OCP. Do not change the 302 to a 301.
     # When uncommented, this redirects all `windows_containers` directory traffic to the /windows_containers/index.html page.
diff --git a/.vale/styles/config/vocabularies/OpenShiftDocs/accept.txt b/.vale/styles/config/vocabularies/OpenShiftDocs/accept.txt
index d803ff4a5906..16c5f5e09ace 100644
--- a/.vale/styles/config/vocabularies/OpenShiftDocs/accept.txt
+++ b/.vale/styles/config/vocabularies/OpenShiftDocs/accept.txt
@@ -1,11 +1,13 @@
 # Regex terms added to accept.txt are ignored by the Vale linter and override RedHat Vale rules.
 # Add terms that have a corresponding incorrectly capitalized form to reject.txt.
 [Ff]ronthaul
+[Mm][Bb]ps
 [Mm]idhaul
 [Pp]assthrough
 [Pp]ostinstall
 [Pp]recaching
 [Pp]reinstall
+[Oo]n-premise
 [Rr]ealtime
 [Tt]elco
 Assisted Installer
@@ -17,7 +19,6 @@ gpspipe
 hyperthreads?
 KPIs?
 linuxptp
-[Mm][Bb]ps
 Mellanox
 MetalLB
 NICs?
diff --git a/_attributes/attributes-openshift-dedicated.adoc b/_attributes/attributes-openshift-dedicated.adoc
index 4cce2014c835..409b9f96fac4 100644
--- a/_attributes/attributes-openshift-dedicated.adoc
+++ b/_attributes/attributes-openshift-dedicated.adoc
@@ -50,4 +50,6 @@
 :hcp: hosted control planes
 :hcp-title: ROSA with HCP
 :hcp-title-first: {product-title} (ROSA) with {hcp} (HCP)
+:rosa-classic: ROSA (classic architecture)
+:rosa-classic-first: {product-title} (ROSA) (classic architecture)
 //ROSA CLI variables
diff --git a/_attributes/common-attributes.adoc b/_attributes/common-attributes.adoc
index afc1acaf3408..61c10ba22034 100644
--- a/_attributes/common-attributes.adoc
+++ b/_attributes/common-attributes.adoc
@@ -46,7 +46,7 @@ endif::[]
 :rh-storage: OpenShift Data Foundation
 :rh-rhacm-first: Red Hat Advanced Cluster Management (RHACM)
 :rh-rhacm: RHACM
-:rh-rhacm-version: 2.9
+:rh-rhacm-version: 2.10
 :sandboxed-containers-first: OpenShift sandboxed containers
 :sandboxed-containers-operator: OpenShift sandboxed containers Operator
 :sandboxed-containers-version: 1.5
@@ -164,7 +164,7 @@ endif::[]
 :product-rosa: Red Hat OpenShift Service on AWS
 :SMProductName: Red Hat OpenShift Service Mesh
 :SMProductShortName: Service Mesh
-:SMProductVersion: 2.5.1
+:SMProductVersion: 2.5.2
 :MaistraVersion: 2.5
 :KialiProduct: Kiali Operator provided by Red Hat
 :SMPlugin: OpenShift Service Mesh Console (OSSMC) plugin
@@ -203,9 +203,18 @@ endif::[]
 :osdk_ver: 1.31.0
 //Operator SDK version that shipped with the previous OCP 4.x release
 :osdk_ver_n1: 1.28.0
+//Version-agnostic OLM
+:olm-first: Operator Lifecycle Manager (OLM)
+:olm: OLM
+//Initial version of OLM that shipped with OCP 4, aka "v0"
+:olmv0: legacy OLM
+:olmv0-caps: Legacy OLM
+:olmv0-first: legacy Operator Lifecycle Manager (OLM)
+:olmv0-first-caps: Legacy Operator Lifecycle Manager (OLM)
 //Next-gen (OCP 4.14+) Operator Lifecycle Manager, aka "v1"
 :olmv1: OLM 1.0
 :olmv1-first: Operator Lifecycle Manager (OLM) 1.0
+//
 :ztp-first: GitOps Zero Touch Provisioning (ZTP)
 :ztp: GitOps ZTP
 :3no: three-node OpenShift
@@ -303,7 +312,9 @@ endif::openshift-origin[]
 :entra-short: Workload ID
 
 
-// Cluster API Providers
+// Cluster API terminology
+// Cluster CAPI Operator
+:cluster-capi-operator: Cluster CAPI Operator
 // Cluster API Provider Amazon Web Services (AWS)
 :cap-aws-first: Cluster API Provider Amazon Web Services (AWS)
 :cap-aws-short: Cluster API Provider AWS
diff --git a/_distro_map.yml b/_distro_map.yml
index 08ed33ae2159..02927e3af1b7 100644
--- a/_distro_map.yml
+++ b/_distro_map.yml
@@ -187,6 +187,19 @@ openshift-rosa:
     rosa-preview:
       name: ''
       dir: rosa-preview/
+openshift-rosa-hcp:
+  name: Red Hat OpenShift Service on AWS
+  author: OpenShift Documentation Project <openshift-docs@redhat.com>
+  site: commercial
+  site_name: Documentation
+  site_url: https://docs.openshift.com/
+  branches:
+    enterprise-4.15:
+      name: ''
+      dir: rosa-hcp/
+    rosa-preview:
+      name: ''
+      dir: rosa-hcp-preview/
 openshift-rosa-portal:
   name: Red Hat OpenShift Service on AWS
   author: OpenShift Documentation Project <openshift-docs@redhat.com>
@@ -326,6 +339,9 @@ openshift-serverless:
     serverless-docs-1.32:
       name: '1.32'
       dir: serverless/1.32
+    serverless-docs-1.33:
+      name: '1.33'
+      dir: serverless/1.33
 openshift-gitops:
   name: Red Hat OpenShift GitOps
   author: OpenShift documentation team <openshift-docs@redhat.com>
@@ -386,3 +402,13 @@ openshift-builds:
     build-docs-1.0:
       name: '1.0'
       dir: builds/1.0
+openshift-lightspeed:
+  name: Red Hat OpenShift Lightspeed
+  author: OpenShift documentation team <openshift-docs@redhat.com>
+  site: commercial
+  site_name: Documentation
+  site_url: https://docs.openshift.com/
+  branches:
+    lightspeed-docs-1.0tp1:
+      name: '1.0tp1'
+      dir: lightspeed/1.0tp1      
diff --git a/_templates/_page_openshift.html.erb b/_templates/_page_openshift.html.erb
index 4cae4062563f..cb7a1482455e 100644
--- a/_templates/_page_openshift.html.erb
+++ b/_templates/_page_openshift.html.erb
@@ -43,7 +43,7 @@
   <%
     unsupported_versions = ["3.0", "3.1", "3.2", "3.3", "3.4", "3.5", "3.6", "3.7", "3.9", "3.10", "4.1", "4.2", "4.3", "4.4", "4.5", "4.6", "4.7", "4.8", "4.9", "4.10", "4.11"];
 
-    unsupported_versions_acs = ["3.65", "3.66", "3.67", "3.68", "3.69", "3.70", "3.71", "3.72", "3.73", "3.74", "4.0", "4.1", "4.2"];
+    unsupported_versions_acs = ["3.65", "3.66", "3.67", "3.68", "3.69", "3.70", "3.71", "3.72", "3.73", "3.74", "4.0", "4.1", "4.2", "4.3"];
 
     unsupported_versions_serverless = [];
 
@@ -67,7 +67,7 @@
       </span>
       <% end %>
 
-      <% if (version == "4.16") && (distro_key != "openshift-webscale" && distro_key != "openshift-dpu") %>
+      <% if (version == "4.16") && (distro_key != "openshift-webscale" && distro_key != "openshift-dpu" && distro_key != "rosa-hcp") %>
       <span>
         <div class="alert alert-danger" role="alert" id="support-alert">
           <strong>This documentation is a work in progress that aligns to preview releases of the next pending OpenShift Container Platform version 4 minor release. It might not be complete or fully tested, and some features and content might be removed before the next release. </strong>For the most recent released and supported version, see <a href="https://docs.openshift.com/container-platform/latest/welcome/index.html" style="color: #545454 !important" class="link-primary">[4]</a>.
@@ -216,6 +216,7 @@
               <%= distro %>
             </a>
             <select id="version-selector" onchange="versionSelector(this);">
+              <option value="1.33">1.33</option>
               <option value="1.32">1.32</option>
               <option value="1.31">1.31</option>
               <option value="1.30">1.30</option>
@@ -227,6 +228,7 @@
               <%= distro %>
             </a>
             <select id="version-selector" onchange="versionSelector(this);">
+              <option value="1.15">1.15</option>
               <option value="1.14">1.14</option>
               <option value="1.13">1.13</option>
               <option value="1.12">1.12</option>
diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
index d1f03886f0f4..8cf7df912ff1 100644
--- a/_topic_maps/_topic_map.yml
+++ b/_topic_maps/_topic_map.yml
@@ -1,3 +1,4 @@
+# trunk-ignore-all(prettier)
 # This configuration file dictates the organization of the topic groups and
 # topics on the main page of the doc site for this branch. Each record
 # consists of the following:
@@ -104,7 +105,7 @@ Topics:
   Distros: openshift-enterprise
 - Name: Admission plugins
   File: admission-plug-ins
-  Distros: openshift-enterprise,openshift-aro
+  Distros: openshift-enterprise,openshift-aro,openshift-origin
 ---
 Name: Installing
 Dir: installing
@@ -129,28 +130,16 @@ Topics:
     File: installing-mirroring-creating-registry
   - Name: Mirroring images for a disconnected installation
     File: installing-mirroring-installation-images
-  - Name: Mirroring images for a disconnected installation using the oc-mirror plugin
+  - Name: Mirroring images for a disconnected installation using the oc-mirror plugin v1
     File: installing-mirroring-disconnected
-- Name: Installing on Alibaba
-  Dir: installing_alibaba
+  - Name: Mirroring images for a disconnected installation using oc-mirror plugin v2
+    File: about-installing-oc-mirror-v2
+- Name: Installing on Alibaba Cloud
   Distros: openshift-origin,openshift-enterprise
+  Dir: installing_alibaba
   Topics:
-  - Name: Preparing to install on Alibaba Cloud
-    File: preparing-to-install-on-alibaba
-  - Name: Creating the required Alibaba Cloud resources
-    File: manually-creating-alibaba-ram
-  - Name: Installing a cluster quickly on Alibaba Cloud
-    File: installing-alibaba-default
-  - Name: Installing a cluster on Alibaba Cloud with customizations
-    File: installing-alibaba-customizations
-  - Name: Installing a cluster on Alibaba Cloud with network customizations
-    File: installing-alibaba-network-customizations
-  - Name: Installing a cluster on Alibaba Cloud into an existing VPC
-    File: installing-alibaba-vpc
-  - Name: Installation configuration parameters for Alibaba Cloud
-    File: installation-config-parameters-alibaba
-  - Name: Uninstalling a cluster on Alibaba Cloud
-    File: uninstall-cluster-alibaba
+  - Name: Installing a cluster on Alibaba Cloud using the Assisted Installer
+    File: installing-alibaba-assisted-installer
 - Name: Installing on AWS
   Dir: installing_aws
   Distros: openshift-origin,openshift-enterprise
@@ -193,6 +182,10 @@ Topics:
     Dir: upi
     Distros: openshift-origin,openshift-enterprise
     Topics:
+    - Name: Preparing to install a cluster
+      File: upi-aws-preparing-to-install
+    - Name: Installation requirements
+      File: upi-aws-installation-reqs
     - Name: Installing a cluster using CloudFormation templates
       File: installing-aws-user-infra
     - Name: Installing a cluster in a restricted network with user-provisioned infrastructure
@@ -598,18 +591,20 @@ Topics:
     File: creating-multi-arch-compute-nodes-bare-metal
   - Name: Creating a cluster with multi-architecture compute machines on IBM Z and IBM LinuxONE with z/VM
     File: creating-multi-arch-compute-nodes-ibm-z
+  - Name: Creating a cluster with multi-architecture compute machines on IBM Z and IBM LinuxONE in an LPAR
+    File: creating-multi-arch-compute-nodes-ibm-z-lpar
   - Name: Creating a cluster with multi-architecture compute machines on IBM Z and IBM LinuxONE with RHEL KVM
     File: creating-multi-arch-compute-nodes-ibm-z-kvm
   - Name: Creating a cluster with multi-architecture compute machines on IBM Power
     File: creating-multi-arch-compute-nodes-ibm-power
   - Name: Managing your cluster with multi-architecture compute machines
     File: multi-architecture-compute-managing
+  - Name: Managing workloads on multi-architecture clusters by using the Multiarch Tuning Operator
+    File: multiarch-tuning-operator
 - Name: Enabling encryption on a vSphere cluster
   File: vsphere-post-installation-encryption
 - Name: Configuring the vSphere connection settings after an installation
   File: installing-vsphere-post-installation-configuration
-- Name: Machine configuration tasks
-  File: machine-configuration-tasks
 - Name: Cluster tasks
   File: cluster-tasks
 - Name: Node tasks
@@ -620,6 +615,8 @@ Topics:
   File: storage-configuration
 - Name: Preparing for users
   File: preparing-for-users
+- Name: Changing the cloud provider credentials configuration
+  File: changing-cloud-credentials-configuration
 - Name: Configuring alert notifications
   File: configuring-alert-notifications
 - Name: Converting a connected cluster to a disconnected cluster
@@ -631,12 +628,6 @@ Topics:
   File: ibmz-post-install
 - Name: Regions and zones for a VMware vCenter
   File: post-install-vsphere-zones-regions-configuration
-- Name: Red Hat Enterprise Linux CoreOS image layering
-  File: coreos-layering
-  Distros: openshift-enterprise
-- Name: Fedora CoreOS image layering
-  File: coreos-layering
-  Distros: openshift-origin
 - Name: Adding failure domains to an existing Nutanix cluster
   File: adding-nutanix-failure-domains
   Distros: openshift-origin,openshift-enterprise
@@ -669,10 +660,10 @@ Topics:
 - Name: Preparing to update a cluster
   Dir: preparing_for_updates
   Topics:
-  - Name: Preparing to update to OpenShift Container Platform 4.15
+  - Name: Preparing to update to OpenShift Container Platform 4.16
     File: updating-cluster-prepare
     Distros: openshift-enterprise
-  - Name: Preparing to update to OKD 4.15
+  - Name: Preparing to update to OKD 4.16
     File: updating-cluster-prepare
     Distros: openshift-origin
   - Name: Preparing to update a cluster with manually maintained credentials
@@ -1273,14 +1264,26 @@ Topics:
   File: accessing-hosts
 - Name: Networking dashboards
   File: networking-dashboards
-- Name:  OpenShift network security
-  Dir: openshift_network_security
+- Name: Network security
+  Dir: network_security
   Distros: openshift-enterprise,openshift-origin
   Topics:
-  - Name: About OVN-Kubernetes network policy
-    File: ovn-k-network-policy
-  - Name: AdminNetworkPolicy
-    File: ovn-k-anp
+  - Name: Understanding network policy APIs
+    File: network-policy-apis
+  - Name: Admin network policy
+    Dir: AdminNetworkPolicy
+    Distros: openshift-enterprise, openshift-origin
+    Topics:
+    - Name: About AdminNetworkPolicy
+      File: ovn-k-anp
+    - Name: About BaselineAdminNetworkPolicy
+      File: ovn-k-banp
+    - Name: Metrics for AdminNetworkPolicy
+      File: ovn-k-anp-banp-metrics
+    - Name: Northbound Traffic Controls for AdminNetworkPolicy
+      File: ovn-k-egress-nodes-networks-peer
+    - Name: Troubleshooting
+      File: ovn-k-anp-troubleshooting
   - Name: Network policy
     Dir: network_policy
     Distros: openshift-enterprise, openshift-origin
@@ -1299,12 +1302,22 @@ Topics:
       File: default-network-policy
     - Name: Configuring multitenant isolation with network policy
       File: multitenant-network-policy
-  - Name: BaselineAdminNetworkPolicy
-    File: ovn-k-banp
+  - Name: Audit logging for network security
+    File: logging-network-security
   - Name: Understanding the Ingress Node Firewall Operator
     File: ingress-node-firewall-operator
-  - Name: Configuring an egress firewall for a project
-    File: configuring-egress-firewall-ovn
+  - Name: Egress Firewall
+    Dir: egress_firewall
+    Distros: openshift-enterprise,openshift-origin
+    Topics:
+    - Name: Viewing an egress firewall for a project
+      File: viewing-egress-firewall-ovn
+    - Name: Editing an egress firewall for a project
+      File: editing-egress-firewall-ovn
+    - Name: Removing an egress firewall from a project
+      File: removing-egress-firewall-ovn
+    - Name: Configuring an egress firewall for a project
+      File: configuring-egress-firewall-ovn
   - Name: Configuring IPsec encryption
     File: configuring-ipsec-ovn
 - Name: Understanding the Cluster Network Operator
@@ -1466,16 +1479,10 @@ Topics:
     File: rollback-to-openshift-sdn
   - Name: Converting to IPv4/IPv6 dual stack networking
     File: converting-to-dual-stack
-  - Name: Logging for egress firewall and network policy rules
-    File: logging-network-policy
+  - Name: Configuring internal subnets
+    File: configure-ovn-kubernetes-subnets
   - Name: Configure an external gateway on the default network
     File: configuring-secondary-external-gateway
-  - Name: Viewing an egress firewall for a project
-    File: viewing-egress-firewall-ovn
-  - Name: Editing an egress firewall for a project
-    File: editing-egress-firewall-ovn
-  - Name: Removing an egress firewall from a project
-    File: removing-egress-firewall-ovn
   - Name: Configuring an egress IP address
     File: configuring-egress-ips-ovn
   - Name: Assigning an egress IP address
@@ -1606,6 +1613,8 @@ Topics:
     File: metallb-configure-services
   - Name: Managing symmetric routing with MetalLB
     File: metallb-configure-return-traffic
+  - Name: Configuring the integration of MetalLB and FRR-K8s
+    File: metallb-frr-k8s
   - Name: MetalLB logging, troubleshooting, and support
     File: metallb-troubleshoot-support
 - Name: Associating secondary interfaces metrics to network attachments
@@ -1662,8 +1671,6 @@ Topics:
       File: persistent-storage-hostpath
     - Name: Persistent storage using LVM Storage
       File: persistent-storage-using-lvms
-    - Name: Troubleshooting local persistent storage using LVMS
-      File: troubleshooting-local-persistent-storage-using-lvms
 - Name: Using Container Storage Interface (CSI)
   Dir: container_storage_interface
   Distros: openshift-enterprise,openshift-origin
@@ -1708,6 +1715,8 @@ Topics:
     File: persistent-storage-csi-manila
   - Name: Secrets Store CSI Driver Operator
     File: persistent-storage-csi-secrets-store
+  - Name: CIFS/SMB CSI Driver Operator
+    File: persistent-storage-csi-smb-cifs
   - Name: VMware vSphere CSI Driver Operator
     File: persistent-storage-csi-vsphere
 - Name: Generic ephemeral volumes
@@ -1862,9 +1871,6 @@ Topics:
   - Name: Catalog source pod scheduling
     File: olm-cs-podsched
     Distros: openshift-origin,openshift-enterprise
-  - Name: Managing platform Operators
-    File: olm-managing-po
-    Distros: openshift-enterprise,openshift-origin
   - Name: Troubleshooting Operator issues
     File: olm-troubleshooting-operator-issues
     Distros: openshift-enterprise,openshift-origin
@@ -1993,8 +1999,6 @@ Topics:
       File: olmv1-catalogd
   - Name: Installing an Operator from a catalog
     File: olmv1-installing-an-operator-from-a-catalog
-  - Name: Managing plain bundles
-    File: olmv1-managing-plain-bundles
 ---
 Name: CI/CD
 Dir: cicd
@@ -2156,27 +2160,6 @@ Topics:
   File: odc-viewing-application-composition-using-topology-view
 - Name: Exporting applications
   File: odc-exporting-applications
-- Name: Connecting applications to services
-  Dir: connecting_applications_to_services
-  Topics:
-  - Name: Service Binding Operator release notes
-    File: sbo-release-notes
-  - Name: Understanding Service Binding Operator
-    File: understanding-service-binding-operator
-  - Name: Installing Service Binding Operator
-    File: installing-sbo
-  - Name: Getting started with service binding
-    File: getting-started-with-service-binding
-  - Name: Getting started with service binding on IBM Power, IBM Z, and IBM LinuxONE
-    File: getting-started-with-service-binding-ibm-power-ibm-z
-  - Name: Exposing binding data from a service
-    File: exposing-binding-data-from-a-service
-  - Name: Projecting binding data
-    File: projecting-binding-data
-  - Name: Binding workloads using Service Binding Operator
-    File: binding-workloads-using-sbo
-  - Name: Connecting an application to a service using the Developer perspective
-    File: odc-connecting-an-application-to-a-service-using-the-developer-perspective
 - Name: Working with Helm charts
   Dir: working_with_helm_charts
   Topics:
@@ -2241,6 +2224,31 @@ Topics:
   - Name: Serverless overview
     File: about-serverless
 ---
+Name: Machine configuration
+Dir: machine_configuration
+Distros: openshift-enterprise, openshift-origin
+Topics:
+- Name: Machine configuration overview
+  File: index
+- Name: Using machine config objects to configure nodes
+  File: machine-configs-configure
+- Name: Understanding node restart behaviors after machine config changes
+  File: machine-config-node-disruption
+- Name: Configuring MCO-related custom resources
+  File: machine-configs-custom
+- Name: Updated boot images
+  File: mco-update-boot-images
+- Name: Managing unused rendered machine configs
+  File: machine-configs-garbage-collection
+- Name: Red Hat Enterprise Linux (RHEL) CoreOS image layering
+  File: mco-coreos-layering
+  Distros: openshift-enterprise
+- Name: Fedora CoreOS image layering
+  File: mco-coreos-layering
+  Distros: openshift-origin
+- Name: Machine Config Daemon metrics
+  File: machine-config-daemon-metrics
+---
 Name: Machine management
 Dir: machine_management
 Distros: openshift-origin,openshift-enterprise
@@ -2324,7 +2332,7 @@ Topics:
       File: cpmso-config-options-gcp
     - Name: Control plane configuration options for Nutanix
       File: cpmso-config-options-nutanix
-    - Name: Control plane configuration options for Red Hat OpenStack
+    - Name: Control plane configuration options for Red Hat OpenStack Platform
       File: cpmso-config-options-openstack
     - Name: Control plane configuration options for VMware vSphere
       File: cpmso-config-options-vsphere
@@ -2352,6 +2360,8 @@ Topics:
       File: cluster-api-config-options-aws
     - Name: Cluster API configuration options for Google Cloud Platform
       File: cluster-api-config-options-gcp
+    - Name: Cluster API configuration options for VMware vSphere
+      File: cluster-api-config-options-vsphere
 #  - Name: Cluster API resiliency and recovery
 #    File: cluster-api-resiliency
   - Name: Troubleshooting Cluster API clusters
@@ -2371,6 +2381,8 @@ Topics:
   File: hcp-getting-started
 - Name: Authentication and authorization for hosted control planes
   File: hcp-authentication-authorization
+- Name: Handling a machine configuration for hosted control planes
+  File: hcp-machine-config
 - Name: Using feature gates in a hosted cluster
   File: hcp-using-feature-gates
 - Name: Updating hosted control planes
@@ -2559,8 +2571,6 @@ Topics:
     Distros: openshift-enterprise,openshift-origin
 #  - Name: Monitoring for problems in your nodes
 #    File: nodes-nodes-problem-detector
-  - Name: Machine Config Daemon metrics
-    File: nodes-nodes-machine-config-daemon-metrics
   - Name: Creating infrastructure nodes
     File: nodes-nodes-creating-infrastructure-nodes
 - Name: Working with containers
@@ -2625,6 +2635,9 @@ Topics:
     File: nodes-sno-worker-nodes
 - Name: Node metrics dashboard
   File: nodes-dashboard-using
+# Hiding this section until 4.17.
+#- Name: Manage secure signatures with sigstore
+#  File: nodes-sigstore-using
 ---
 Name: Windows Container Support for OpenShift
 Dir: windows_containers
@@ -2823,8 +2836,8 @@ Topics:
   - Name: Release notes
     Dir: distr_tracing_rn
     Topics:
-    - Name: Distributed tracing 3.1.1
-      File: distr-tracing-rn-3-1-1
+    - Name: Distributed tracing 3.2.1
+      File: distr-tracing-rn-3-2-1
     - Name: Past releases
       File: distr-tracing-rn-past-releases
   - Name: Distributed tracing architecture
@@ -2861,20 +2874,33 @@ Topics:
   - Name: Release notes
     Dir: otel_rn
     Topics:
-    - Name: Red Hat build of OpenTelemetry 3.1.1
-      File: otel-rn-3-1-1
+    - Name: Red Hat build of OpenTelemetry 3.2.1
+      File: otel-rn-3-2-1
     - Name: Past releases
       File: otel-rn-past-releases
   - Name: Installing
     File: otel-installing
   - Name: Configuring the Collector
-    File: otel-configuration-of-otel-collector
+    Dir: otel-collector
+    Topics:
+    - Name: Receivers
+      File: otel-collector-receivers
+    - Name: Processors
+      File: otel-collector-processors
+    - Name: Exporters
+      File: otel-collector-exporters
+    - Name: Connectors
+      File: otel-collector-connectors
+    - Name: Extensions
+      File: otel-collector-extensions
+    - Name: Target Allocator
+      File: otel-collector-target-allocator
   - Name: Configuring the instrumentation
     File: otel-configuration-of-instrumentation
   - Name: Sending traces and metrics to the Collector
     File: otel-sending-traces-and-metrics-to-otel-collector
-  - Name: Sending metrics to the monitoring stack
-    File: otel-config-send-metrics-monitoring-stack
+  - Name: Configuring metrics for the monitoring stack
+    File: otel-configuring-metrics-for-monitoring-stack
   - Name: Forwarding traces to a TempoStack
     File: otel-forwarding
   - Name: Configuring the Collector metrics
@@ -2911,9 +2937,22 @@ Topics:
     File: metrics-alerts-dashboards
   - Name: Monitoring the Network Observability Operator
     File: network-observability-operator-monitoring
-  - Name: API reference
+  - Name: Scheduling resources
+    File: network-observability-scheduling-resources
+  - Name: Network Observability CLI
+    Dir: netobserv_cli
+    Topics:
+    - Name: Installing the Network Observability CLI
+      File: netobserv-cli-install
+    - Name: Using the Network Observability CLI
+      File: netobserv-cli-using
+    - Name: Network Observability CLI reference
+      File: netobserv-cli-reference
+  - Name: FlowCollector API reference
     File: flowcollector-api
-  - Name: JSON flows format reference
+  - Name: FlowMetric API reference
+    File: flowmetric-api
+  - Name: Flows format reference
     File: json-flows-format-reference
   - Name: Troubleshooting Network Observability
     File: troubleshooting-network-observability
@@ -3031,9 +3070,7 @@ Topics:
   File: ztp-updating-gitops
 - Name: Installing managed clusters with RHACM and SiteConfig resources
   File: ztp-deploying-far-edge-sites
-- Name: Configuring managed clusters with policies and PolicyGenTemplate resources
-  File: ztp-configuring-managed-clusters-policies
-- Name: Manually installing a single-node OpenShift cluster with ZTP
+- Name: Manually installing a single-node OpenShift cluster with GitOps ZTP
   File: ztp-manual-install
 - Name: Recommended single-node OpenShift cluster configuration for vDU application workloads
   File: ztp-reference-cluster-configuration-for-vdu
@@ -3041,18 +3078,58 @@ Topics:
   File: ztp-vdu-validating-cluster-tuning
 - Name: Advanced managed cluster configuration with SiteConfig resources
   File: ztp-advanced-install-ztp
-- Name: Advanced managed cluster configuration with PolicyGenTemplate resources
-  File: ztp-advanced-policy-config
+- Name: Managing cluster polices with PolicyGenerator resources
+  Dir: policygenerator_for_ztp
+  Distros: openshift-origin,openshift-enterprise
+  Topics:
+  - Name: Configuring managed cluster policies by using PolicyGenerator resources
+    File: ztp-configuring-managed-clusters-policygenerator
+  - Name: Advanced managed cluster configuration with PolicyGenerator resources
+    File: ztp-advanced-policygenerator-config
+  - Name: Updating managed clusters in a disconnected environment with PolicyGenerator resources and TALM
+    File: ztp-talm-updating-managed-policies-pg
+- Name: Managing cluster polices with PolicyGenTemplate resources
+  Dir: policygentemplate_for_ztp
+  Distros: openshift-origin,openshift-enterprise
+  Topics:
+  - Name: Configuring managed cluster policies by using PolicyGenTemplate resources
+    File: ztp-configuring-managed-clusters-policies
+  - Name: Advanced managed cluster configuration with PolicyGenTemplate resources
+    File: ztp-advanced-policy-config
+  - Name: Updating managed clusters in a disconnected environment with PolicyGenTemplate resources and TALM
+    File: ztp-talm-updating-managed-policies
+- Name: Using hub templates in PolicyGenerator or PolicyGenTemplate CRs
+  File: ztp-using-hub-cluster-templates
 - Name: Updating managed clusters with the Topology Aware Lifecycle Manager
   File: cnf-talm-for-cluster-upgrades
-- Name: Updating managed clusters in a disconnected environment with the Topology Aware Lifecycle Manager
-  File: ztp-talm-updating-managed-policies
 - Name: Expanding single-node OpenShift clusters with GitOps ZTP
   File: ztp-sno-additional-worker-node
 - Name: Pre-caching images for single-node OpenShift deployments
   File: ztp-precaching-tool
 - Name: Image-based upgrade for single-node OpenShift clusters
-  File: ztp-image-based-upgrade
+  Dir: image_based_upgrade
+  Distros: openshift-origin,openshift-enterprise
+  Topics:
+  - Name: Understanding the image-based upgrade for single-node OpenShift clusters
+    File: cnf-understanding-image-based-upgrade
+  - Name: Preparing for an image-based upgrade for single-node OpenShift clusters
+    Dir: preparing_for_image_based_upgrade
+    Distros: openshift-origin,openshift-enterprise
+    Topics:
+    - Name: Configuring a shared container directory for the image-based upgrade
+      File: cnf-image-based-upgrade-shared-container-image
+    - Name: Installing Operators for the image-based upgrade
+      File: cnf-image-based-upgrade-install-operators
+    - Name: Generating a seed image for the image-based upgrade with Lifecycle Agent
+      File: cnf-image-based-upgrade-generate-seed
+    - Name: Creating ConfigMap objects for the image-based upgrade with Lifecycle Agent
+      File: cnf-image-based-upgrade-prep-resources
+    - Name: Creating ConfigMap objects for the image-based upgrade with Lifecycle Agent using GitOps ZTP
+      File: ztp-image-based-upgrade-prep-resources
+  - Name: Performing an image-based upgrade for single-node OpenShift clusters
+    File: cnf-image-based-upgrade-base
+  - Name: Performing an image-based upgrade for single-node OpenShift clusters using GitOps ZTP
+    File: ztp-image-based-upgrade
 ---
 Name: Reference design specifications
 Dir: telco_ref_design_specs
@@ -4159,6 +4236,8 @@ Topics:
       File: virt-assigning-compute-resources
     - Name: Running real-time workloads
       File: virt-configuring-cluster-realtime-workloads
+    - Name: About multi-queue functionality
+      File: virt-about-multi-queue
   - Name: VM disks
     Dir: virtual_disks
     Topics:
@@ -4177,6 +4256,8 @@ Topics:
     File: virt-connecting-vm-to-default-pod-network
   - Name: Exposing a VM by using a service
     File: virt-exposing-vm-with-service
+  - Name: Accessing a VM by using its internal FQDN
+    File: virt-accessing-vm-internal-fqdn
   - Name: Connecting a VM to a Linux bridge network
     File: virt-connecting-vm-to-linux-bridge
   - Name: Connecting a VM to an SR-IOV network
@@ -4193,7 +4274,7 @@ Topics:
     File: virt-dedicated-network-live-migration
   - Name: Configuring and viewing IP addresses
     File: virt-configuring-viewing-ips-for-vms
-  - Name: Accessing a VM by using the cluster FQDN
+  - Name: Accessing a VM by using its external FQDN
     File: virt-accessing-vm-secondary-network-fqdn
   - Name: Managing MAC address pools for network interfaces
     File: virt-using-mac-address-pool-for-vms
@@ -4274,14 +4355,8 @@ Topics:
   Topics:
   - Name: Backup and restore by using VM snapshots
     File: virt-backup-restore-snapshots
-  - Name: Installing and configuring OADP
-    File: virt-installing-configuring-oadp
   - Name: Backing up and restoring virtual machines
     File: virt-backup-restore-overview
-  - Name: Backing up virtual machines
-    File: virt-backing-up-vms
-  - Name: Restoring virtual machines
-    File: virt-restoring-vms
   - Name: Disaster recovery
     File: virt-disaster-recovery
 #  - Name: Collecting OKD Virtualization data for community report
diff --git a/_topic_maps/_topic_map_ms.yml b/_topic_maps/_topic_map_ms.yml
index 3f78fecfcd67..4fec37c3fe8a 100644
--- a/_topic_maps/_topic_map_ms.yml
+++ b/_topic_maps/_topic_map_ms.yml
@@ -430,6 +430,8 @@ Topics:
     File: microshift-cni-multus
   - Name: Configuring and using multiple networks
     File: microshift-cni-multus-using
+- Name: Configuring routes
+  File: microshift-configuring-routes
 - Name: Firewall configuration
   File: microshift-firewall
 - Name: Networking settings for fully disconnected hosts
@@ -497,15 +499,17 @@ Name: Troubleshooting
 Dir: microshift_troubleshooting
 Distros: microshift
 Topics:
-- Name: Checking your version
+- Name: Check your version
   File: microshift-version
-- Name: Troubleshooting backup and restore
-  File: microshift-troubleshoot-backup-restore
 - Name: Troubleshoot the cluster
   File: microshift-troubleshoot-cluster
+- Name: Troubleshoot backup and restore
+  File: microshift-troubleshoot-backup-restore
 - Name: Troubleshoot updates
   File: microshift-troubleshoot-updates
-- Name: Checking audit logs
+- Name: Check the audit logs
   File: microshift-audit-logs
+- Name: Troubleshoot etcd
+  File: microshift-etcd-troubleshoot
 - Name: Additional information
   File: microshift-things-to-know
diff --git a/_topic_maps/_topic_map_osd.yml b/_topic_maps/_topic_map_osd.yml
index e8fedaffdbc8..0ef32cdf5fd9 100644
--- a/_topic_maps/_topic_map_osd.yml
+++ b/_topic_maps/_topic_map_osd.yml
@@ -716,8 +716,6 @@ Topics:
     File: olm-managing-custom-catalogs
   - Name: Catalog source pod scheduling
     File: olm-cs-podsched
-# - Name: Managing platform Operators  <= Tech Preview
-#   File: olm-managing-po
   - Name: Troubleshooting Operator issues
     File: olm-troubleshooting-operator-issues
 - Name: Developing Operators
@@ -835,12 +833,12 @@ Topics:
   File: configuring-cluster-wide-proxy
 - Name: CIDR range definitions
   File: cidr-range-definitions
-- Name: OpenShift network security
-  Dir: openshift_network_security
+- Name: Network security
+  Dir: network_security
   Distros: openshift-dedicated
   Topics:
-  - Name: About OVN-Kubernetes network policy
-    File: ovn-k-network-policy
+  - Name: Understanding network policy APIs
+    File: network-policy-apis
   - Name: Network policy
     Dir: network_policy
     Distros: openshift-dedicated
@@ -893,28 +891,6 @@ Topics:
 # cannot create required namespace
 # - Name: Exporting applications
 #  File: odc-exporting-applications
-- Name: Connecting applications to services
-  Dir: connecting_applications_to_services
-  Topics:
-  - Name: Service Binding Operator release notes
-    File: sbo-release-notes
-  - Name: Understanding Service Binding Operator
-    File: understanding-service-binding-operator
-  - Name: Installing Service Binding Operator
-    File: installing-sbo
-  - Name: Getting started with service binding
-    File: getting-started-with-service-binding
-# Not applicable to ROSA/OSD
-#  - Name: Getting started with service binding on IBM Power, IBM Z, and IBM LinuxONE
-#    File: getting-started-with-service-binding-ibm-power-ibm-z
-  - Name: Exposing binding data from a service
-    File: exposing-binding-data-from-a-service
-  - Name: Projecting binding data
-    File: projecting-binding-data
-  - Name: Binding workloads using Service Binding Operator
-    File: binding-workloads-using-sbo
-  - Name: Connecting an application to a service using the Developer perspective
-    File: odc-connecting-an-application-to-a-service-using-the-developer-perspective
 - Name: Working with Helm charts
   Dir: working_with_helm_charts
   Topics:
@@ -1139,8 +1115,6 @@ Topics:
 #    Distros: openshift-dedicated
 #  - Name: Monitoring for problems in your nodes
 #    File: nodes-nodes-problem-detector
-  - Name: Machine Config Daemon metrics
-    File: nodes-nodes-machine-config-daemon-metrics
 # cannot patch resource "nodes"
 #  - Name: Creating infrastructure nodes
 #    File: nodes-nodes-creating-infrastructure-nodes
@@ -1723,14 +1697,8 @@ Topics:
   Topics:
   - Name: Backup and restore by using VM snapshots
     File: virt-backup-restore-snapshots
-  - Name: Installing and configuring OADP
-    File: virt-installing-configuring-oadp
-  - Name: Backing up and restoring virtual machines
-    File: virt-backup-restore-overview
-  - Name: Backing up virtual machines
-    File: virt-backing-up-vms
-  - Name: Restoring virtual machines
-    File: virt-restoring-vms
+#  - Name: Backing up and restoring virtual machines
+#    File: virt-backup-restore-overview
 #  - Name: Collecting OKD Virtualization data for community report
 #    File: virt-collecting-virt-data
 #    Distros: openshift-origin
diff --git a/_topic_maps/_topic_map_rosa.yml b/_topic_maps/_topic_map_rosa.yml
index b3fc6b9433fe..f5d4b66e8f41 100644
--- a/_topic_maps/_topic_map_rosa.yml
+++ b/_topic_maps/_topic_map_rosa.yml
@@ -111,8 +111,6 @@ Topics:
   File: cloud-experts-rosa-hcp-activation-and-account-linking-tutorial
 - Name: Verifying Permissions for a ROSA STS Deployment
   File: rosa-mobb-verify-permissions-sts-deployment
-- Name: Configuring log forwarding for CloudWatch logs and STS
-  File: cloud-experts-rosa-cloudwatch-sts
 - Name: Using AWS WAF and Amazon CloudFront to protect ROSA workloads
   File: cloud-experts-using-cloudfront-and-waf
 - Name: Using AWS WAF and AWS ALBs to protect ROSA workloads
@@ -121,8 +119,6 @@ Topics:
   File: cloud-experts-deploy-api-data-protection
 - Name: AWS Load Balancer Operator on ROSA
   File: cloud-experts-aws-load-balancer-operator
-- Name: Configuring ROSA/OSD to use custom TLS ciphers on the ingress controllers
-  File: cloud-experts-configure-custom-tls-ciphers
 - Name: Configuring Microsoft Entra ID (formerly Azure Active Directory) as an identity provider
   File: cloud-experts-entra-id-idp
 - Name: Using AWS Secrets Manager CSI on ROSA with STS
@@ -135,6 +131,8 @@ Topics:
   File: cloud-experts-dynamic-certificate-custom-domain
 - Name: Assigning consistent egress IP for external traffic
   File: cloud-experts-consistent-egress-ip
+- Name: Updating component routes with custom domains and TLS certificates
+  File: cloud-experts-update-component-routes
 - Name: Getting started with ROSA
   Dir: cloud-experts-getting-started
   Distros: openshift-rosa
@@ -186,6 +184,12 @@ Topics:
     File: cloud-experts-deploying-application-prerequisites
   - Name: Lab Overview
     File: cloud-experts-deploying-application-lab-overview
+  - Name: Deployment
+    File: cloud-experts-deploying-application-deployment
+  - Name: Networking
+    File: cloud-experts-deploying-application-networking
+  - Name: Storage
+    File: cloud-experts-deploying-application-storage
 ---
 Name: Getting started
 Dir: rosa_getting_started
@@ -216,8 +220,6 @@ Topics:
   File: rosa-sts-required-aws-service-quotas
 - Name: Setting up your environment
   File: rosa-sts-setting-up-environment
-- Name: Preparing Terraform to install ROSA clusters
-  File: rosa-understanding-terraform
 ---
 Name: Install ROSA with HCP clusters
 Dir: rosa_hcp
@@ -225,6 +227,14 @@ Distros: openshift-rosa
 Topics:
 - Name: Creating ROSA with HCP clusters using the default options
   File: rosa-hcp-sts-creating-a-cluster-quickly
+- Name: Creating a ROSA cluster using Terraform
+  Dir: terraform
+  Distros: openshift-rosa
+  Topics:
+  - Name: Creating a default ROSA cluster using Terraform
+    File: rosa-hcp-creating-a-cluster-quickly-terraform
+#  - Name: Customizing a ROSA cluster with Terraform
+#    File: rosa-hcp-creating-a-cluster-with-customizations-terraform
 - Name: Creating ROSA with HCP clusters using a custom AWS KMS encryption key
   File: rosa-hcp-creating-cluster-with-aws-kms-key
 - Name: Creating a private cluster on ROSA with HCP
@@ -244,14 +254,14 @@ Topics:
   File: rosa-sts-creating-a-cluster-quickly
 - Name: Creating a ROSA cluster with STS using customizations
   File: rosa-sts-creating-a-cluster-with-customizations
-- Name: Creating a ROSA cluster with STS using Terraform
+- Name: Creating a ROSA (classic architecture) cluster using Terraform
   Dir: terraform
   Distros: openshift-rosa
   Topics:
-  - Name: Creating a default ROSA Classic cluster using Terraform
-    File: rosa-sts-creating-a-cluster-quickly-terraform
+  - Name: Creating a default ROSA (classic architecture) cluster using Terraform
+    File: rosa-classic-creating-a-cluster-quickly-terraform
 #  - Name: Customizing a ROSA cluster with Terraform
-#    File: rosa-sts-creating-a-cluster-with-customizations-terraform
+#    File: rosa-classic-creating-a-cluster-with-customizations-terraform
 - Name: Interactive cluster creation mode reference
   File: rosa-sts-interactive-mode-reference
 - Name: Creating an AWS PrivateLink cluster on ROSA
@@ -588,6 +598,7 @@ Topics:
     File: nodes-cluster-resource-configure
 - Name: Configuring PID limits
   File: rosa-configuring-pid-limits
+  Distros: openshift-rosa
 ---
 Name: Security and compliance
 Dir: security
@@ -937,8 +948,6 @@ Topics:
     File: olm-managing-custom-catalogs
   - Name: Catalog source pod scheduling
     File: olm-cs-podsched
-# - Name: Managing platform Operators  <= Tech Preview
-#   File: olm-managing-po
   - Name: Troubleshooting Operator issues
     File: olm-troubleshooting-operator-issues
 - Name: Developing Operators
@@ -1058,13 +1067,20 @@ Topics:
   File: configuring-cluster-wide-proxy
 - Name: CIDR range definitions
   File: cidr-range-definitions
-- Name:  OpenShift network security
-  Dir: openshift_network_security
+- Name: Network security
+  Dir: network_security
+  Distros: openshift-rosa
   Topics:
-  - Name: About OVN-Kubernetes network policy
-    File: ovn-k-network-policy
-  - Name: AdminNetworkPolicy
-    File: ovn-k-anp
+  - Name: Understanding network policy APIs
+    File: network-policy-apis
+  - Name: Admin network policy
+    Dir: AdminNetworkPolicy
+    Distros: openshift-rosa
+    Topics:
+    - Name: About AdminNetworkPolicy
+      File: ovn-k-anp
+    - Name: About BaselineAdminNetworkPolicy
+      File: ovn-k-banp
   - Name: Network policy
     Dir: network_policy
     Distros: openshift-rosa
@@ -1083,8 +1099,8 @@ Topics:
       File: default-network-policy
     - Name: Configuring multitenant isolation with network policy
       File: multitenant-network-policy
-  - Name: BaselineAdminNetworkPolicy
-    File: ovn-k-banp
+  - Name: Understanding the Ingress Node Firewall Operator
+    File: ingress-node-firewall-operator
 - Name: OVN-Kubernetes network plugin
   Dir: ovn_kubernetes_network_provider
   Topics:
@@ -1128,28 +1144,6 @@ Topics:
 # cannot create required namespace
 # - Name: Exporting applications
 #  File: odc-exporting-applications
-- Name: Connecting applications to services
-  Dir: connecting_applications_to_services
-  Topics:
-  - Name: Service Binding Operator release notes
-    File: sbo-release-notes
-  - Name: Understanding Service Binding Operator
-    File: understanding-service-binding-operator
-  - Name: Installing Service Binding Operator
-    File: installing-sbo
-  - Name: Getting started with service binding
-    File: getting-started-with-service-binding
-# Not applicable to ROSA/OSD
-#  - Name: Getting started with service binding on IBM Power, IBM Z, and IBM LinuxONE
-#    File: getting-started-with-service-binding-ibm-power-ibm-z
-  - Name: Exposing binding data from a service
-    File: exposing-binding-data-from-a-service
-  - Name: Projecting binding data
-    File: projecting-binding-data
-  - Name: Binding workloads using Service Binding Operator
-    File: binding-workloads-using-sbo
-  - Name: Connecting an application to a service using the Developer perspective
-    File: odc-connecting-an-application-to-a-service-using-the-developer-perspective
 - Name: Working with Helm charts
   Dir: working_with_helm_charts
   Topics:
@@ -1367,8 +1361,8 @@ Topics:
 #    File: nodes-nodes-managing-max-pods
   - Name: Using the Node Tuning Operator
     File: nodes-node-tuning-operator
-  - Name: Remediating, fencing, and maintaining nodes
-    File: nodes-remediating-fencing-maintaining-rhwa
+#  - Name: Remediating, fencing, and maintaining nodes
+#    File: nodes-remediating-fencing-maintaining-rhwa
 # Cannot create namespace needed to oc debug and reboot; revisit after Operator book converted
 #  - Name: Understanding node rebooting
 #    File: nodes-nodes-rebooting
@@ -1387,8 +1381,6 @@ Topics:
 #    Distros: openshift-rosa
 #  - Name: Monitoring for problems in your nodes
 #    File: nodes-nodes-problem-detector
-  - Name: Machine Config Daemon metrics
-    File: nodes-nodes-machine-config-daemon-metrics
 # cannot patch resource "nodes"
 #  - Name: Creating infrastructure nodes
 #    File: nodes-nodes-creating-infrastructure-nodes
@@ -1972,14 +1964,8 @@ Topics:
   Topics:
   - Name: Backup and restore by using VM snapshots
     File: virt-backup-restore-snapshots
-  - Name: Installing and configuring OADP
-    File: virt-installing-configuring-oadp
-  - Name: Backing up and restoring virtual machines
-    File: virt-backup-restore-overview
-  - Name: Backing up virtual machines
-    File: virt-backing-up-vms
-  - Name: Restoring virtual machines
-    File: virt-restoring-vms
+#  - Name: Backing up and restoring virtual machines
+#    File: virt-backup-restore-overview
 #  - Name: Removed topics (Placeholder for topics removed from topic map)
 #    Dir: Removed_topics
 #    Topics:
diff --git a/_topic_maps/_topic_map_rosa_hcp.yml b/_topic_maps/_topic_map_rosa_hcp.yml
index 37873d275cec..385232b8209a 100644
--- a/_topic_maps/_topic_map_rosa_hcp.yml
+++ b/_topic_maps/_topic_map_rosa_hcp.yml
@@ -110,8 +110,6 @@ Topics:
   File: cloud-experts-rosa-hcp-activation-and-account-linking-tutorial
 # - Name: Verifying Permissions for a ROSA STS Deployment
 #   File: rosa-mobb-verify-permissions-sts-deployment
-# - Name: Configuring log forwarding for CloudWatch logs and STS
-#   File: cloud-experts-rosa-cloudwatch-sts
 # - Name: Using AWS WAF and Amazon CloudFront to protect ROSA workloads
 #   File: cloud-experts-using-cloudfront-and-waf
 # - Name: Using AWS WAF and AWS ALBs to protect ROSA workloads
@@ -120,8 +118,6 @@ Topics:
 #   File: cloud-experts-deploy-api-data-protection
 # - Name: AWS Load Balancer Operator on ROSA
 #   File: cloud-experts-aws-load-balancer-operator
-# - Name: Configuring ROSA/OSD to use custom TLS ciphers on the ingress controllers
-#   File: cloud-experts-configure-custom-tls-ciphers
 # - Name: Configuring Microsoft Entra ID (formerly Azure Active Directory) as an identity provider
 #   File: cloud-experts-entra-id-idp
 # - Name: Using AWS Secrets Manager CSI on ROSA with STS
@@ -552,9 +548,9 @@ Topics:
 #    File: rosa-cluster-auth
 #  - Name: Authorization and RBAC
 #    File: rosa-auth-rbac
-  - Name: Cluster notifications
-    File: rosa-cluster-notifications
-    Distros: openshift-rosa-hcp
+- Name: Cluster notifications
+  File: rosa-cluster-notifications
+  Distros: openshift-rosa-hcp
 # - Name: Configuring private connections
 #   Dir: cloud_infrastructure_access
 #   Distros: openshift-rosa-hcp
@@ -584,8 +580,9 @@ Topics:
 #     File: rosa-nodes-about-autoscaling-nodes
 #   - Name: Configuring cluster memory to meet container memory and risk requirements
 #     File: nodes-cluster-resource-configure
-# - Name: Configuring PID limits
-#   File: rosa-configuring-pid-limits
+- Name: Configuring PID limits
+  File: rosa-configuring-pid-limits
+  Distros: openshift-rosa
 # ---
 # Name: Security and compliance
 # Dir: security
@@ -940,8 +937,6 @@ Topics:
 #     File: olm-managing-custom-catalogs
 #   - Name: Catalog source pod scheduling
 #     File: olm-cs-podsched
-#  - Name: Managing platform Operators  <= Tech Preview
-#    File: olm-managing-po
 #   - Name: Troubleshooting Operator issues
 #     File: olm-troubleshooting-operator-issues
 # - Name: Developing Operators
@@ -1117,28 +1112,6 @@ Topics:
 #  cannot create required namespace
 #  - Name: Exporting applications
 #   File: odc-exporting-applications
-# - Name: Connecting applications to services
-#   Dir: connecting_applications_to_services
-#   Topics:
-#   - Name: Service Binding Operator release notes
-#     File: sbo-release-notes
-#   - Name: Understanding Service Binding Operator
-#     File: understanding-service-binding-operator
-#   - Name: Installing Service Binding Operator
-#     File: installing-sbo
-#   - Name: Getting started with service binding
-#     File: getting-started-with-service-binding
-#  Not applicable to ROSA/OSD
-#   - Name: Getting started with service binding on IBM Power, IBM Z, and IBM LinuxONE
-#     File: getting-started-with-service-binding-ibm-power-ibm-z
-#   - Name: Exposing binding data from a service
-#     File: exposing-binding-data-from-a-service
-#   - Name: Projecting binding data
-#     File: projecting-binding-data
-#   - Name: Binding workloads using Service Binding Operator
-#     File: binding-workloads-using-sbo
-#   - Name: Connecting an application to a service using the Developer perspective
-#     File: odc-connecting-an-application-to-a-service-using-the-developer-perspective
 # - Name: Working with Helm charts
 #   Dir: working_with_helm_charts
 #   Topics:
diff --git a/modules/olm-rukpak-plain-bundle.adoc b/_unused_topics/olm-rukpak-plain-bundle.adoc
similarity index 99%
rename from modules/olm-rukpak-plain-bundle.adoc
rename to _unused_topics/olm-rukpak-plain-bundle.adoc
index 6b36cc4b31ab..50b4c5eef8e0 100644
--- a/modules/olm-rukpak-plain-bundle.adoc
+++ b/_unused_topics/olm-rukpak-plain-bundle.adoc
@@ -35,4 +35,4 @@ The static manifests must be located in the `manifests/` directory with at least
 [IMPORTANT]
 ====
 Do not include any content in the `manifests/` directory of a plain bundle that are not static manifests. Otherwise, a failure will occur when creating content on-cluster from that bundle. Any file that would not successfully apply with the `oc apply` command will result in an error. Multi-object YAML or JSON files are valid, as well.
-====
\ No newline at end of file
+====
diff --git a/modules/olmv1-adding-plain-to-fbc.adoc b/_unused_topics/olmv1-adding-plain-to-fbc.adoc
similarity index 99%
rename from modules/olmv1-adding-plain-to-fbc.adoc
rename to _unused_topics/olmv1-adding-plain-to-fbc.adoc
index 705aba85e451..1bfa33f03afc 100644
--- a/modules/olmv1-adding-plain-to-fbc.adoc
+++ b/_unused_topics/olmv1-adding-plain-to-fbc.adoc
@@ -118,4 +118,4 @@ The `opm render` command does not support adding plain bundles to catalogs. You
 [source,terminal]
 ----
 $ opm validate <catalog_dir>
-----
\ No newline at end of file
+----
diff --git a/modules/olmv1-building-plain-image.adoc b/_unused_topics/olmv1-building-plain-image.adoc
similarity index 99%
rename from modules/olmv1-building-plain-image.adoc
rename to _unused_topics/olmv1-building-plain-image.adoc
index 5f2bd160f418..e1e7e40a4eed 100644
--- a/modules/olmv1-building-plain-image.adoc
+++ b/_unused_topics/olmv1-building-plain-image.adoc
@@ -35,4 +35,4 @@ $ podman build -f plainbundle.Dockerfile -t \
 [source,terminal]
 ----
 $ podman push quay.io/<organization_name>/<repository_name>:<image_tag>
-----
\ No newline at end of file
+----
diff --git a/modules/olmv1-semver-support.adoc b/_unused_topics/olmv1-major-version-zero.adoc
similarity index 55%
rename from modules/olmv1-semver-support.adoc
rename to _unused_topics/olmv1-major-version-zero.adoc
index 107240b5f3e2..dfaded380ad3 100644
--- a/modules/olmv1-semver-support.adoc
+++ b/_unused_topics/olmv1-major-version-zero.adoc
@@ -1,25 +1,13 @@
 // Module included in the following assemblies:
 //
 // * operators/olm_v1/olmv1-installing-an-operator-from-a-catalog.adoc
-// * operators/olm_v1/arch/olmv1-operator-controller.adoc
 
-:_mod-docs-content-type: CONCEPT
-
-[id="olmv1-semver-support_{context}"]
-= Support for semantic versioning
-
-Support for link:https://semver.org/[semantic versioning (semver)] is enabled in {olmv1} by default. Operator and extension authors can use the semver standard to define compatible updates.
+// Moved to _unused_topics dir with 4.16 in case useful in a later release of OLMv1.
 
-{olmv1-first} can use an Operator or extension's version number to determine if an update can be resolved successfully.
-
-Cluster administrators can define a range of acceptable versions to install and automtically update. For Operators and extensions that follow the semver standard, you can use comparison strings to define to specify a desired version range.
-
-[NOTE]
-====
-{olmv1} does not support automatic updates to the next major version. If you want to perform a major version update, you must verify and apply the update manually. For more information, see "Forcing an update or rollback".
-====
+:_mod-docs-content-type: CONCEPT
 
-== Major version zero releases
+[id="olmv1-major-version-zero_{context}"]
+= Major version zero releases
 
 The semver standard specifies that major version zero releases (`O.y.z`) are reserved for initial development. During the initial development stage, the API is not stable and breaking changes might be introduced in any published version. As a result, major version zero releases apply a special set of update conditions.
 
diff --git a/operators/olm_v1/olmv1-managing-plain-bundles.adoc b/_unused_topics/olmv1-managing-plain-bundles.adoc
similarity index 95%
rename from operators/olm_v1/olmv1-managing-plain-bundles.adoc
rename to _unused_topics/olmv1-managing-plain-bundles.adoc
index 08a5a77736e4..7a90a66e4635 100644
--- a/operators/olm_v1/olmv1-managing-plain-bundles.adoc
+++ b/_unused_topics/olmv1-managing-plain-bundles.adoc
@@ -35,7 +35,7 @@ As a cluster administrator, you can build and publish a file-based catalog that
 --
 include::snippets/olmv1-cli-only.adoc[]
 --
-* The `TechPreviewNoUpgrades` feature set enabled on the cluster
+* The `TechPreviewNoUpgrade` feature set enabled on the cluster
 +
 [WARNING]
 ====
@@ -69,4 +69,4 @@ manifests
 include::modules/olmv1-building-plain-image.adoc[leveloffset=+1]
 include::modules/olmv1-creating-fbc.adoc[leveloffset=+1]
 include::modules/olmv1-adding-plain-to-fbc.adoc[leveloffset=+1]
-include::modules/olmv1-publishing-fbc.adoc[leveloffset=+1]
\ No newline at end of file
+include::modules/olmv1-publishing-fbc.adoc[leveloffset=+1]
diff --git a/_unused_topics/olmv1-semver-support.adoc b/_unused_topics/olmv1-semver-support.adoc
new file mode 100644
index 000000000000..9bc77d47544d
--- /dev/null
+++ b/_unused_topics/olmv1-semver-support.adoc
@@ -0,0 +1,26 @@
+// Module included in the following assemblies:
+//
+// * operators/olm_v1/olmv1-installing-an-operator-from-a-catalog.adoc
+
+// Moved to _unused_topics dir with 4.16 in case useful in a later release of OLMv1.
+
+:_mod-docs-content-type: CONCEPT
+
+[id="olmv1-semver-support_{context}"]
+= Support for semantic versioning
+
+{olmv1-first} supports link:https://semver.org/[semantic versioning (semver)] when explicitly enabled. Cluster extension authors can use the semver standard to define compatible updates.
+
+[NOTE]
+====
+In {product-title} 4.16, {olmv1} uses {olmv0} semantics by default.
+====
+
+{olmv1} can use an extension's version number to determine if an update can be resolved successfully.
+
+Cluster administrators can define a range of acceptable versions to install and automatically update. For extensions that follow the semver standard, you can use comparison strings to specify a desired version range.
+
+[NOTE]
+====
+{olmv1} does not support automatic updates to the next major version. If you want to perform a major version update, you must verify and apply the update manually. For more information, see "Forcing an update or rollback".
+====
\ No newline at end of file
diff --git a/_unused_topics/persistent-storage-csi-smb-cifs-create-sc.adoc b/_unused_topics/persistent-storage-csi-smb-cifs-create-sc.adoc
new file mode 100644
index 000000000000..b2abd2ae67a7
--- /dev/null
+++ b/_unused_topics/persistent-storage-csi-smb-cifs-create-sc.adoc
@@ -0,0 +1,80 @@
+// Module included in the following assemblies:
+//
+// * storage/container_storage_interface/persistent-storage-csi-smb-cifs.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="persistent-storage-csi-smb-cifs-create-sc_{context}"]
+= Creating a storage class for CIFS/SMB
+
+After installing the Operator, you should create a storage class for dynamic provisioning of Common Internet File System (CIFS) dialect/Server Message Block (SMB) protocol volumes.
+
+.Prerequisites
+* You are logged in to the running {product-title} cluster.
+
+* You have SMB server installed and know the following information about the server:
+** Hostname
+** Share name
+** Username and password
+
+.Procedure
+To create a storage class:
+
+. Create a Secret for access to the Samba server using the following command with the following example YAML file:
++
+[source,cli]
+--
+$ oc create -f <file_name>.yaml
+--
++
+[source,yaml]
+.Secret example YAML file
+--
+apiVersion: v1
+kind: Secret
+metadata:
+  name: smbcreds <1>
+  namespace: samba-server <2>
+stringData:
+  username: <username> <3>
+  password: <password> <4>
+--
+<1> Name of the Secret.
+<2> Namespace for the Secret.
+<3> Username for the Secret.
+<4> Password for the Secret.
+
+. Create a storage class using the following command with the following example YAML file:
++
+[source,cli]
+--
+$ oc create -f <file_name>.yaml
+--
++
+[source,yaml]
+.Storage class example YAML file
+--
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: samba
+provisioner: smb.csi.k8s.io
+parameters:
+  source: //<hostname>/<shares> <1>
+  csi.storage.k8s.io/provisioner-secret-name: smbcreds <2>
+  csi.storage.k8s.io/provisioner-secret-namespace: samba-server <3>
+  csi.storage.k8s.io/node-stage-secret-name: smbcreds <2>
+  csi.storage.k8s.io/node-stage-secret-namespace: samba-server <3>
+reclaimPolicy: Delete
+volumeBindingMode: Immediate
+mountOptions:
+  - dir_mode=0777
+  - file_mode=0777
+  - noperm
+  - mfsymlinks
+  - cache=strict
+  - noserverino
+--
+<1> The Samba server must be installed somewhere and reachable from the cluster with `<hostname>` being the hostname for the Samba server and `<shares>` the path the server is configured to have among the exported shares.
+<2> Name of Secret that was set in the previous step.
+<3> Namespace for the Secret that was set in the previous step.
+
diff --git a/adding_service_cluster/rosa-available-services.adoc b/adding_service_cluster/rosa-available-services.adoc
index 39530c7c42b1..d81a769cfa5f 100644
--- a/adding_service_cluster/rosa-available-services.adoc
+++ b/adding_service_cluster/rosa-available-services.adoc
@@ -22,7 +22,7 @@ include::modules/osd-rhoam.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 .Additional resources
-* link:https://access.redhat.com/documentation/en-us/red_hat_openshift_api_management[Red Hat OpenShift API Management] documentation
+* link:https://access.redhat.com/documentation/en-us/red_hat_openshift_api_management[Red{nbsp}Hat OpenShift API Management] documentation
 
 ////
 include::modules/rosa-rhoda.adoc[leveloffset=+1]
@@ -30,7 +30,7 @@ include::modules/rosa-rhoda.adoc[leveloffset=+1]
 [role="_additional-resources"]
 .Additional resources
 
-* link:https://www.redhat.com/en/technologies/cloud-computing/openshift/openshift-database-access[Red Hat OpenShift Database Access] product page
+* link:https://www.redhat.com/en/technologies/cloud-computing/openshift/openshift-database-access[Red{nbsp}Hat OpenShift Database Access] product page
 ////
 // This module and additional resource are no longer included in the document due to OSDOCS-5817.
 
@@ -38,5 +38,5 @@ include::modules/rosa-rhods.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 .Additional resources
-* link:https://access.redhat.com/documentation/en-us/red_hat_openshift_data_science/1[Red Hat OpenShift Data Science] documentation
-* link:https://www.redhat.com/en/technologies/cloud-computing/openshift/openshift-data-science[Red Hat OpenShift Data Science] product page
+* link:https://access.redhat.com/documentation/en-us/red_hat_openshift_data_science/1[Red{nbsp}Hat OpenShift Data Science] documentation
+* link:https://www.redhat.com/en/technologies/cloud-computing/openshift/openshift-data-science[Red{nbsp}Hat OpenShift Data Science] product page
diff --git a/applications/index.adoc b/applications/index.adoc
index 077e0a621079..48b8b95d5607 100644
--- a/applications/index.adoc
+++ b/applications/index.adoc
@@ -39,14 +39,6 @@ After you create the application, you can use the web console to xref:../applica
 
 When the application is running, not all applications resources are used. As a cluster administrator, you can choose to xref:../applications/idling-applications.adoc#idling-applications[idle these scalable resources] to reduce resource consumption.
 
-[id="connecting-application"]
-=== Connecting an application to services
-
-An application uses backing services to build and connect workloads, which vary according to the service provider. Using the xref:../applications/connecting_applications_to_services/understanding-service-binding-operator.adoc#understanding-service-binding-operator[Service Binding Operator], as a developer, you can bind workloads together with Operator-managed backing services, without any manual procedures to configure the binding connection.
-ifndef::openshift-dedicated,openshift-rosa[]
-You can apply service binding also on xref:../applications/connecting_applications_to_services/getting-started-with-service-binding-ibm-power-ibm-z.adoc#getting-started-with-service-binding-ibm-power-ibm-z[IBM Power Systems, IBM Z, and LinuxONE environments].
-endif::openshift-dedicated,openshift-rosa[]
-
 [id="deploying-application"]
 === Deploying an application
 You can deploy your application using xref:../applications/deployments/what-deployments-are.adoc#what-deployments-are[`Deployment` or `DeploymentConfig`] objects and xref:../applications/deployments/managing-deployment-processes.adoc#deployment-operations[manage] them from the web console. You can create xref:../applications/deployments/deployment-strategies.adoc#deployment-strategies[deployment strategies] that help reduce downtime during a change or an upgrade to the application.
diff --git a/applications/odc-viewing-application-composition-using-topology-view.adoc b/applications/odc-viewing-application-composition-using-topology-view.adoc
index 3cada1b5ede9..4fab3cc5917b 100644
--- a/applications/odc-viewing-application-composition-using-topology-view.adoc
+++ b/applications/odc-viewing-application-composition-using-topology-view.adoc
@@ -14,7 +14,6 @@ To view your applications in the *Topology* view and interact with them, ensure
 ifndef::openshift-rosa,openshift-dedicated[]
 * You have xref:../web_console/web-console.adoc#web-console[logged in to the web console].
 * You have the appropriate xref:../authentication/using-rbac.adoc#default-roles_using-rbac[roles and permissions] in a project to create applications and other workloads in {product-title}.
-* You have xref:../applications/creating_applications/odc-creating-applications-using-developer-perspective.adoc#odc-creating-applications-using-developer-perspective[created and deployed an application on {product-title} using the *Developer* perspective].
 * You are in xref:../web_console/web-console-overview.adoc#about-developer-perspective_web-console-overview[the *Developer* perspective].
 endif::openshift-rosa,openshift-dedicated[]
 ifdef::openshift-rosa,openshift-dedicated[]
@@ -42,7 +41,6 @@ include::modules/odc-labels-and-annotations-used-for-topology-view.adoc[leveloff
 == Additional resources
 
 * See xref:../applications/creating_applications/odc-creating-applications-using-developer-perspective.adoc#odc-importing-codebase-from-git-to-create-application_odc-creating-applications-using-developer-perspective[Importing a codebase from Git to create an application] for more information on creating an application from Git.
-* See xref:../applications/connecting_applications_to_services/odc-connecting-an-application-to-a-service-using-the-developer-perspective.adoc#odc-connecting-an-application-to-a-service-using-the-developer-perspective[Connecting an application to a service using the Developer perspective].
 ifndef::openshift-rosa,openshift-dedicated[]
 * See xref:../applications/odc-exporting-applications.adoc#odc-exporting-applications[Exporting applications].
 endif::openshift-rosa,openshift-dedicated[]
diff --git a/architecture/control-plane.adoc b/architecture/control-plane.adoc
index abfde49056f3..eb32dd6a826d 100644
--- a/architecture/control-plane.adoc
+++ b/architecture/control-plane.adoc
@@ -28,7 +28,7 @@ endif::openshift-dedicated,openshift-rosa[]
 ifndef::openshift-dedicated,openshift-rosa[]
 [role="_additional-resources"]
 .Additional resources
-* xref:../post_installation_configuration/machine-configuration-tasks.adoc#machine-config-drift-detection_post-install-machine-configuration-tasks[Understanding configuration drift detection]
+* xref:../machine_configuration/index.adoc#machine-config-drift-detection_machine-config-overview[Understanding configuration drift detection]
 endif::openshift-dedicated,openshift-rosa[]
 
 include::modules/architecture-machine-roles.adoc[leveloffset=+1]
@@ -50,17 +50,6 @@ include::modules/arch-olm-operators.adoc[leveloffset=+2]
 * For more details on running add-on Operators in {product-title}, see the _Operators_ guide sections on xref:../operators/understanding/olm/olm-understanding-olm.adoc#olm-understanding-olm[Operator Lifecycle Manager (OLM)] and xref:../operators/understanding/olm-understanding-operatorhub.adoc#olm-understanding-operatorhub[OperatorHub].
 * For more details on the Operator SDK, see xref:../operators/operator_sdk/osdk-about.adoc#osdk-about[Developing Operators].
 
-ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]
-include::modules/arch-platform-operators.adoc[leveloffset=+2]
-
-[role="_additional-resources"]
-.Additional resources
-* xref:../operators/admin/olm-managing-po.adoc#olm-managing-po[Managing platform Operators]
-* xref:../operators/admin/olm-managing-po.adoc#olm-po-techpreview_olm-managing-po[Technology Preview restrictions for platform Operators]
-* xref:../operators/understanding/olm-packaging-format.adoc#olm-rukpak-about_olm-packaging-format[RukPak component and packaging format]
-* xref:../installing/cluster-capabilities.adoc#cluster-capabilities[Cluster capabilities]
-endif::[]
-
 // This module does not apply to OSD/ROSA
 ifndef::openshift-dedicated,openshift-rosa[]
 include::modules/understanding-machine-config-operator.adoc[leveloffset=+1]
@@ -70,9 +59,11 @@ endif::openshift-dedicated,openshift-rosa[]
 ifndef::openshift-dedicated,openshift-rosa[]
 [role="_additional-resources"]
 .Additional resources
-* For more information about detecting configuration drift, see xref:../post_installation_configuration/machine-configuration-tasks.adoc#machine-config-drift-detection_post-install-machine-configuration-tasks[Understanding configuration drift detection].
+* For more information about detecting configuration drift, see xref:../machine_configuration/index.adoc#machine-config-drift-detection_machine-config-overview[Understanding configuration drift detection].
 
 * For information about preventing the control plane machines from rebooting after the Machine Config Operator makes changes to the machine configuration, see xref:../support/troubleshooting/troubleshooting-operator-issues.adoc#troubleshooting-disabling-autoreboot-mco_troubleshooting-operator-issues[Disabling Machine Config Operator from automatically rebooting].
+
+* xref:../machine_configuration/machine-config-node-disruption.adoc#machine-config-node-disruption[Understanding node restart behaviors after machine config changes]
 endif::openshift-dedicated,openshift-rosa[]
 
 include::modules/etcd-overview.adoc[leveloffset=+1]
diff --git a/authentication/assuming-an-aws-iam-role-for-a-service-account.adoc b/authentication/assuming-an-aws-iam-role-for-a-service-account.adoc
index 54484e2e03a9..b5ef85f33095 100644
--- a/authentication/assuming-an-aws-iam-role-for-a-service-account.adoc
+++ b/authentication/assuming-an-aws-iam-role-for-a-service-account.adoc
@@ -38,5 +38,5 @@ include::modules/verifying-the-assumed-iam-role-in-your-pod.adoc[leveloffset=+2]
 * For more information about installing and using the AWS Boto3 SDK for Python, see the link:https://boto3.amazonaws.com/v1/documentation/api/latest/index.html[AWS Boto3 documentation].
 
 ifdef::openshift-rosa,openshift-dedicated[]
-* For general information about webhook admission plugins for OpenShift, see link:https://docs.openshift.com/container-platform/4.15/architecture/admission-plug-ins.html#admission-webhooks-about_admission-plug-ins[Webhook admission plugins] in the OpenShift Container Platform documentation.
+* For general information about webhook admission plugins for OpenShift, see link:https://docs.openshift.com/container-platform/4.16/architecture/admission-plug-ins.html#admission-webhooks-about_admission-plug-ins[Webhook admission plugins] in the OpenShift Container Platform documentation.
 endif::openshift-rosa,openshift-dedicated[]
diff --git a/authentication/impersonating-system-admin.adoc b/authentication/impersonating-system-admin.adoc
index 69f0c8625e21..c9ea3d2cfee5 100644
--- a/authentication/impersonating-system-admin.adoc
+++ b/authentication/impersonating-system-admin.adoc
@@ -11,3 +11,5 @@ include::modules/authentication-api-impersonation.adoc[leveloffset=+1]
 include::modules/impersonation-system-admin-user.adoc[leveloffset=+1]
 
 include::modules/impersonation-system-admin-group.adoc[leveloffset=+1]
+
+include::modules/unauthenticated-users-cluster-role-binding.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/authentication/managing-oauth-access-tokens.adoc b/authentication/managing-oauth-access-tokens.adoc
index 7995ff4dd33d..6ad43641f0c3 100644
--- a/authentication/managing-oauth-access-tokens.adoc
+++ b/authentication/managing-oauth-access-tokens.adoc
@@ -16,3 +16,6 @@ include::modules/oauth-view-details-tokens.adoc[leveloffset=+1]
 
 // Deleting user-owned OAuth access tokens
 include::modules/oauth-delete-tokens.adoc[leveloffset=+1]
+
+// Adding unauthenticated groups to ClusterRoleBindings
+include::modules/unauthenticated-users-cluster-role-binding.adoc[leveloffset=+1]
diff --git a/authentication/managing_cloud_provider_credentials/cco-mode-manual.adoc b/authentication/managing_cloud_provider_credentials/cco-mode-manual.adoc
index 0956fb09ae75..a9f8965c9cd9 100644
--- a/authentication/managing_cloud_provider_credentials/cco-mode-manual.adoc
+++ b/authentication/managing_cloud_provider_credentials/cco-mode-manual.adoc
@@ -6,7 +6,7 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-Manual mode is supported for Alibaba Cloud, Amazon Web Services (AWS), global Microsoft Azure, Microsoft Azure Stack Hub, Google Cloud Platform (GCP), {ibm-cloud-name}, and Nutanix.
+Manual mode is supported for Amazon Web Services (AWS), global Microsoft Azure, Microsoft Azure Stack Hub, Google Cloud Platform (GCP), {ibm-cloud-name}, and Nutanix.
 
 [id="manual-mode-classic_{context}"]
 == User-managed credentials
@@ -26,7 +26,6 @@ An AWS, global Azure, or GCP cluster that uses manual mode might be configured t
 [id="additional-resources_cco-mode-manual"]
 == Additional resources
 
-* xref:../../installing/installing_alibaba/manually-creating-alibaba-ram.adoc#manually-creating-alibaba-ram[Manually creating RAM resources for Alibaba Cloud]
 * xref:../../installing/installing_aws/ipi/installing-aws-customizations.adoc#manually-create-iam_installing-aws-customizations[Manually creating long-term credentials for AWS]
 * xref:../../installing/installing_azure/installing-azure-customizations.adoc#manually-create-iam_installing-azure-customizations[Manually creating long-term credentials for Azure]
 * xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#manually-create-iam_installing-gcp-customizations[Manually creating long-term credentials for GCP]
diff --git a/authentication/managing_cloud_provider_credentials/cco-mode-mint.adoc b/authentication/managing_cloud_provider_credentials/cco-mode-mint.adoc
index 8b8486703abe..5a6c8d2a5580 100644
--- a/authentication/managing_cloud_provider_credentials/cco-mode-mint.adoc
+++ b/authentication/managing_cloud_provider_credentials/cco-mode-mint.adoc
@@ -17,7 +17,7 @@ With mint mode, each cluster component has only the specific permissions it requ
 
 [NOTE]
 ====
-By default, mint mode requires storing the `admin` credential in the cluster `kube-system` namespace. If this approach does not meet the security requirements of your organization, you can xref:../../post_installation_configuration/cluster-tasks.adoc#manually-removing-cloud-creds_post-install-cluster-tasks[remove the credential after installing the cluster].
+By default, mint mode requires storing the `admin` credential in the cluster `kube-system` namespace. If this approach does not meet the security requirements of your organization, you can xref:../../post_installation_configuration/changing-cloud-credentials-configuration.adoc#manually-removing-cloud-creds_changing-cloud-credentials-configuration[remove the credential after installing the cluster].
 ====
 
 [id="mint-mode-permissions"]
@@ -72,4 +72,4 @@ include::modules/manually-rotating-cloud-creds.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 == Additional resources
-* xref:../../post_installation_configuration/cluster-tasks.adoc#manually-removing-cloud-creds_post-install-cluster-tasks[Removing cloud provider credentials]
\ No newline at end of file
+* xref:../../post_installation_configuration/changing-cloud-credentials-configuration.adoc#manually-removing-cloud-creds_changing-cloud-credentials-configuration[Removing cloud provider credentials]
\ No newline at end of file
diff --git a/authentication/tokens-scoping.adoc b/authentication/tokens-scoping.adoc
index 291b44877b99..71b1b0c7896c 100644
--- a/authentication/tokens-scoping.adoc
+++ b/authentication/tokens-scoping.adoc
@@ -7,3 +7,5 @@ include::_attributes/common-attributes.adoc[]
 toc::[]
 
 include::modules/tokens-scoping-about.adoc[leveloffset=+1]
+
+include::modules/unauthenticated-users-cluster-role-binding.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/authentication/using-rbac.adoc b/authentication/using-rbac.adoc
index 3f3145986574..410f11dd3da1 100644
--- a/authentication/using-rbac.adoc
+++ b/authentication/using-rbac.adoc
@@ -42,3 +42,5 @@ endif::openshift-rosa[]
 ifdef::openshift-dedicated[]
 include::modules/osd-grant-admin-privileges.adoc[leveloffset=+1]
 endif::openshift-dedicated[]
+
+include::modules/unauthenticated-users-cluster-role-binding-con.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/authentication/using-service-accounts-in-applications.adoc b/authentication/using-service-accounts-in-applications.adoc
index 153777c25491..8a31f8792af4 100644
--- a/authentication/using-service-accounts-in-applications.adoc
+++ b/authentication/using-service-accounts-in-applications.adoc
@@ -12,12 +12,6 @@ include::modules/service-accounts-default.adoc[leveloffset=+1]
 
 include::modules/service-account-auto-secret-removed.adoc[leveloffset=+2]
 
-.Additional resources
-
-* For information about requesting bound service account tokens, see xref:../authentication/bound-service-account-tokens.adoc#bound-sa-tokens-configuring_bound-service-account-tokens[Configuring bound service account tokens using volume projection].
-
-* For information about creating a service account token secret, see xref:../nodes/pods/nodes-pods-secrets.adoc#nodes-pods-secrets-creating-sa_nodes-pods-secrets[Creating a service account token secret].
-
 include::modules/service-accounts-creating.adoc[leveloffset=+1]
 
 // include::modules/service-accounts-using-credentials-inside-a-container.adoc[leveloffset=+1]
diff --git a/backup_and_restore/application_backup_and_restore/installing/installing-oadp-kubevirt.adoc b/backup_and_restore/application_backup_and_restore/installing/installing-oadp-kubevirt.adoc
index f8051773df4d..c6528a15d8f7 100644
--- a/backup_and_restore/application_backup_and_restore/installing/installing-oadp-kubevirt.adoc
+++ b/backup_and_restore/application_backup_and_restore/installing/installing-oadp-kubevirt.adoc
@@ -6,7 +6,7 @@ include::_attributes/common-attributes.adoc[]
 :context: installing-oadp-kubevirt
 :installing-oadp-kubevirt:
 :credentials: cloud-credentials
-:provider: kubevirt
+:provider: gcp
 
 toc::[]
 
diff --git a/backup_and_restore/application_backup_and_restore/installing/installing-oadp-ocs.adoc b/backup_and_restore/application_backup_and_restore/installing/installing-oadp-ocs.adoc
index 6b0061400905..b8ea72d897b9 100644
--- a/backup_and_restore/application_backup_and_restore/installing/installing-oadp-ocs.adoc
+++ b/backup_and_restore/application_backup_and_restore/installing/installing-oadp-ocs.adoc
@@ -5,7 +5,7 @@ include::_attributes/common-attributes.adoc[]
 :context: installing-oadp-ocs
 :installing-oadp-ocs:
 :credentials: cloud-credentials
-:provider: oadp-ocs
+:provider: gcp
 
 toc::[]
 
diff --git a/backup_and_restore/application_backup_and_restore/release-notes/oadp-release-notes-1-2.adoc b/backup_and_restore/application_backup_and_restore/release-notes/oadp-release-notes-1-2.adoc
index c84f2f4ef503..872a299385c6 100644
--- a/backup_and_restore/application_backup_and_restore/release-notes/oadp-release-notes-1-2.adoc
+++ b/backup_and_restore/application_backup_and_restore/release-notes/oadp-release-notes-1-2.adoc
@@ -9,6 +9,8 @@ toc::[]
 
 The release notes for OpenShift API for Data Protection (OADP) 1.2 describe new features and enhancements, deprecated features, product recommendations, known issues, and resolved issues.
 
+include::modules/oadp-release-notes-1-2-5.adoc[leveloffset=+1]
+
 include::modules/oadp-release-notes-1-2-4.adoc[leveloffset=+1]
 
 include::modules/oadp-release-notes-1-2-3.adoc[leveloffset=+1]
diff --git a/backup_and_restore/application_backup_and_restore/release-notes/oadp-release-notes-1-3.adoc b/backup_and_restore/application_backup_and_restore/release-notes/oadp-release-notes-1-3.adoc
index c06ad2833b7e..7fae5d6357a1 100644
--- a/backup_and_restore/application_backup_and_restore/release-notes/oadp-release-notes-1-3.adoc
+++ b/backup_and_restore/application_backup_and_restore/release-notes/oadp-release-notes-1-3.adoc
@@ -9,6 +9,7 @@ toc::[]
 
 The release notes for OpenShift API for Data Protection (OADP) describe new features and enhancements, deprecated features, product recommendations, known issues, and resolved issues.
 
+include::modules/oadp-release-notes-1-3-2.adoc[leveloffset=+1]
 include::modules/oadp-release-notes-1-3-1.adoc[leveloffset=+1]
 include::modules/oadp-release-notes-1-3-0.adoc[leveloffset=+1]
 include::modules/oadp-upgrade-from-oadp-data-mover-1-2-0.adoc[leveloffset=+3]
diff --git a/backup_and_restore/control_plane_backup_and_restore/backing-up-etcd.adoc b/backup_and_restore/control_plane_backup_and_restore/backing-up-etcd.adoc
index 347f19efe12c..ecb54860cf2b 100644
--- a/backup_and_restore/control_plane_backup_and_restore/backing-up-etcd.adoc
+++ b/backup_and_restore/control_plane_backup_and_restore/backing-up-etcd.adoc
@@ -29,3 +29,5 @@ include::modules/backup-etcd.adoc[leveloffset=+1]
 
 // Creating automated etcd backups
 include::modules/etcd-creating-automated-backups.adoc[leveloffset=+1]
+include::modules/creating-single-etcd-backup.adoc[leveloffset=+1]
+include::modules/creating-recurring-etcd-backups.adoc[leveloffset=+1]
diff --git a/cicd/builds/running-entitled-builds.adoc b/cicd/builds/running-entitled-builds.adoc
index 8673fdfc77f0..fec730560aa6 100644
--- a/cicd/builds/running-entitled-builds.adoc
+++ b/cicd/builds/running-entitled-builds.adoc
@@ -11,9 +11,7 @@ Use the following sections to install Red Hat subscription content within {produ
 
 include::modules/builds-create-imagestreamtag.adoc[leveloffset=+1]
 
-ifndef::openshift-dedicated,openshift-rosa[]
 include::modules/builds-source-secrets-entitlements.adoc[leveloffset=+1]
-endif::openshift-dedicated,openshift-rosa[]
 
 == Running builds with Subscription Manager
 
diff --git a/cicd/builds/triggering-builds-build-hooks.adoc b/cicd/builds/triggering-builds-build-hooks.adoc
index 123549e06b44..d983cf533746 100644
--- a/cicd/builds/triggering-builds-build-hooks.adoc
+++ b/cicd/builds/triggering-builds-build-hooks.adoc
@@ -12,6 +12,13 @@ include::modules/builds-triggers.adoc[leveloffset=+1]
 
 include::modules/builds-webhook-triggers.adoc[leveloffset=+2]
 
+include::modules/unauthenticated-users-system-webhook.adoc[leveloffset=+3]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../authentication/using-rbac.adoc#unauthenticated-users-cluster-role-bindings-concept_using-rbac[Cluster role bindings for unauthenticated groups]
+
 include::modules/builds-using-github-webhooks.adoc[leveloffset=+3]
 
 include::modules/builds-using-gitlab-webhooks.adoc[leveloffset=+3]
@@ -34,4 +41,4 @@ include::modules/builds-build-hooks.adoc[leveloffset=+1]
 
 include::modules/builds-configuring-post-commit-build-hooks.adoc[leveloffset=+2]
 
-include::modules/builds-using-cli-post-commit-build-hooks.adoc[leveloffset=+2]
+include::modules/builds-using-cli-post-commit-build-hooks.adoc[leveloffset=+2]
\ No newline at end of file
diff --git a/cli_reference/osdk/cli-osdk-install.adoc b/cli_reference/osdk/cli-osdk-install.adoc
index 15afdc6bd957..c8d28a2a01f8 100644
--- a/cli_reference/osdk/cli-osdk-install.adoc
+++ b/cli_reference/osdk/cli-osdk-install.adoc
@@ -8,6 +8,8 @@ toc::[]
 
 The Operator SDK provides a command-line interface (CLI) tool that Operator developers can use to build, test, and deploy an Operator. You can install the Operator SDK CLI on your workstation so that you are prepared to start authoring your own Operators.
 
+include::snippets/osdk-deprecation.adoc[]
+
 Operator authors with cluster administrator access to a Kubernetes-based cluster, such as {product-title}, can use the Operator SDK CLI to develop their own Operators based on Go, Ansible, Java, or Helm. link:https://kubebuilder.io/[Kubebuilder] is embedded into the Operator SDK as the scaffolding solution for Go-based Operators, which means existing Kubebuilder projects can be used as is with the Operator SDK and continue to work.
 ifndef::openshift-rosa,openshift-dedicated[]
 See xref:../../operators/operator_sdk/osdk-about.adoc#osdk-about[Developing Operators] for full documentation on the Operator SDK.
@@ -20,4 +22,4 @@ endif::openshift-rosa,openshift-dedicated[]
 
 include::modules/osdk-installing-cli-linux-macos.adoc[leveloffset=+1]
 
-include::modules/osdk-installing-cli-macos.adoc[leveloffset=+1]
\ No newline at end of file
+include::modules/osdk-installing-cli-macos.adoc[leveloffset=+1]
diff --git a/cli_reference/osdk/cli-osdk-ref.adoc b/cli_reference/osdk/cli-osdk-ref.adoc
index fda321995c57..fe567854fa77 100644
--- a/cli_reference/osdk/cli-osdk-ref.adoc
+++ b/cli_reference/osdk/cli-osdk-ref.adoc
@@ -8,6 +8,8 @@ toc::[]
 
 The Operator SDK command-line interface (CLI) is a development kit designed to make writing Operators easier.
 
+include::snippets/osdk-deprecation.adoc[]
+
 .Operator SDK CLI syntax
 [source,terminal]
 ----
@@ -51,4 +53,4 @@ ifndef::openshift-rosa,openshift-dedicated[]
 .Additional resources
 
 * See xref:../../operators/operator_sdk/osdk-scorecard.adoc#osdk-scorecard[Validating Operators using the scorecard tool] for details about running the scorecard tool.
-endif::openshift-rosa,openshift-dedicated[]
\ No newline at end of file
+endif::openshift-rosa,openshift-dedicated[]
diff --git a/cli_reference/rosa_cli/rosa-cli-permission-examples.adoc b/cli_reference/rosa_cli/rosa-cli-permission-examples.adoc
index 7eb8d62140c9..3328d473376c 100644
--- a/cli_reference/rosa_cli/rosa-cli-permission-examples.adoc
+++ b/cli_reference/rosa_cli/rosa-cli-permission-examples.adoc
@@ -9,7 +9,7 @@ You can create roles with permissions that adhere to the principal of least priv
 
 [IMPORTANT]
 ====
-Although the policies and commands presented in this topic will work in conjunction with one another, you might have other restrictions within your AWS environment that make the policies for these commands insufficient for your specific needs. Red Hat provides these examples as a baseline, assuming no other AWS Identity and Access Management (IAM) restrictions are present.
+Although the policies and commands presented in this topic will work in conjunction with one another, you might have other restrictions within your AWS environment that make the policies for these commands insufficient for your specific needs. Red{nbsp}Hat provides these examples as a baseline, assuming no other AWS Identity and Access Management (IAM) restrictions are present.
 ====
 
 [NOTE]
diff --git a/cli_reference/rosa_cli/rosa-manage-objects-cli.adoc b/cli_reference/rosa_cli/rosa-manage-objects-cli.adoc
index b5fa24fbaab4..afe17eeea583 100644
--- a/cli_reference/rosa_cli/rosa-manage-objects-cli.adoc
+++ b/cli_reference/rosa_cli/rosa-manage-objects-cli.adoc
@@ -10,7 +10,7 @@ toc::[]
 Managing objects with the {product-title} (ROSA) CLI, `rosa`, such as adding `dedicated-admin` users, managing clusters, and scheduling cluster upgrades.
 
 [NOTE]
-====	
+====
 To access a cluster that is accessible only over an HTTP proxy server, you can set the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` variables. These environment variables are respected by the `rosa` CLI so that all communication with the cluster goes through the HTTP proxy.
 ====
 
@@ -31,3 +31,4 @@ include::modules/rosa-install-uninstall-addon.adoc[leveloffset=+1]
 include::modules/rosa-list-objects.adoc[leveloffset=+1]
 include::modules/rosa-revoke-objects.adoc[leveloffset=+1]
 include::modules/rosa-upgrade-cluster-cli.adoc[leveloffset=+1]
+
diff --git a/cloud_experts_tutorials/cloud-experts-aws-load-balancer-operator.adoc b/cloud_experts_tutorials/cloud-experts-aws-load-balancer-operator.adoc
index 325e66d43956..965411acfdd5 100644
--- a/cloud_experts_tutorials/cloud-experts-aws-load-balancer-operator.adoc
+++ b/cloud_experts_tutorials/cloud-experts-aws-load-balancer-operator.adoc
@@ -194,7 +194,7 @@ stringData:
 EOF
 ----
 +
-. Install the Red Hat AWS Load Balancer Operator:
+. Install the AWS Load Balancer Operator:
 +
 [source,terminal]
 ----
diff --git a/cloud_experts_tutorials/cloud-experts-aws-secret-manager.adoc b/cloud_experts_tutorials/cloud-experts-aws-secret-manager.adoc
index 1f2ff9b47fc6..7c953186b429 100644
--- a/cloud_experts_tutorials/cloud-experts-aws-secret-manager.adoc
+++ b/cloud_experts_tutorials/cloud-experts-aws-secret-manager.adoc
@@ -58,7 +58,7 @@ $ oc get authentication.config.openshift.io cluster -o json \
 "https://xxxxx.cloudfront.net/xxxxx"
 ----
 +
-If your output is different, do not proceed. See xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-a-cluster-quickly[Red Hat documentation on creating an STS cluster] before continuing this process.
+If your output is different, do not proceed. See xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-a-cluster-quickly[Red{nbsp}Hat documentation on creating an STS cluster] before continuing this process.
 
 . Set the `SecurityContextConstraints` permission to allow the CSI driver to run by running the following command:
 +
diff --git a/cloud_experts_tutorials/cloud-experts-configure-custom-tls-ciphers.adoc b/cloud_experts_tutorials/cloud-experts-configure-custom-tls-ciphers.adoc
deleted file mode 100644
index d20e679a00c5..000000000000
--- a/cloud_experts_tutorials/cloud-experts-configure-custom-tls-ciphers.adoc
+++ /dev/null
@@ -1,223 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-[id="cloud-experts-configure-custom-tls-ciphers"]
-= Tutorial: Configuring ROSA/OSD to use custom TLS ciphers on the Ingress Controller
-include::_attributes/attributes-openshift-dedicated.adoc[]
-:context: cloud-experts-configure-custom-tls-ciphers
-
-toc::[]
-
-// ---
-// date: '2022-08-24'
-// title: Configure ROSA/OSD to use custom TLS ciphers on the Ingress Controller
-// aliases: ['/docs/ingress/tls-cipher-customization']
-// tags: ["ROSA", "AWS", "OSD"]
-// authors:
-//   - Michael McNeill
-//   - Connor Wooley
-// ---
-
-include::snippets/mobb-support-statement.adoc[leveloffset=+1]
-//Adding the support statement based on a conversation with Michael McNeill
-
-This guide demonstrates how to properly patch the cluster Ingress Controllers, as well as Ingress Controllers created by the Custom Domain Operator.
-This functionality allows customers to modify the `tlsSecurityProfile` value on cluster Ingress Controllers.
-This guide demonstrates how to apply a custom `tlsSecurityProfile`, a scoped service account with the associated role and role binding, and a CronJob that the cipher changes are reapplied with 60 minutes in the event that an Ingress Controller is recreated or modified.
-
-.Prerequisites
-
-* Review the link:https://docs.openshift.com/container-platform/4.13/networking/ingress-operator.html#configuring-ingress-controller-tls[OpenShift Documentation that explains the options for the `tlsSecurityProfile`]. By default, Ingress Controllers are configured to use the `Intermediate` profile, which corresponds to the link:https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29[Intermediate Mozilla profile].
-
-.Procedure
-
-. Create a service account for the CronJob to use.
-+
-A service account allows our CronJob to directly access the cluster API, without using a regular user's credentials.
-To create a service account, run the following command:
-+
-[source,terminal]
-----
-$ oc create sa cron-ingress-patch-sa -n openshift-ingress-operator
-----
-
-. Create a role and role binding that allows limited access to patch the Ingress Controllers.
-+
-Role-based access control (RBAC) is critical to ensuring security inside your cluster.
-Creating a role allows us to provide scoped access to only the API resources needed within the cluster. To create the role, run the following command:
-+
-[source,terminal]
-----
-$ oc create role cron-ingress-patch-role --verb=get,patch,update --resource=ingresscontroller.operator.openshift.io -n openshift-ingress-operator
-----
-+
-Once the role has been created, you must bind the role to the service account using a role binding.
-To create the role binding, run the following command:
-+
-[source,terminal]
-----
-$ oc create rolebinding cron-ingress-patch-rolebinding --role=cron-ingress-patch-role --serviceaccount=openshift-ingress-operator:cron-ingress-patch-sa -n openshift-ingress-operator
-----
-
-. Patch the Ingress Controllers.
-+
-[IMPORTANT]
-====
-The examples provided below add an additional cipher to the Ingress Controller's `tlsSecurityProfile` to allow IE 11 access from Windows Server 2008 R2.
-Modify this command to meet your specific business requirements.
-====
-+
-Before creating the CronJob, apply the `tlsSecurityProfile` configuration to validate changes.
-This process depends on if you are using the xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-config-custom-domains-applications[Custom Domain Operator].
-+
-.. Clusters not using the xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-config-custom-domains-applications[Custom Domain Operator]:
-+
-If you are only using the default Ingress Controller, and not using the xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-config-custom-domains-applications[Custom Domain Operator], run the following command to patch the Ingress Controller:
-+
-[source,terminal]
-----
-$ oc patch ingresscontroller/default -n openshift-ingress-operator --type=merge -p '{"spec":{"tlsSecurityProfile":{"type":"Custom","custom":{"ciphers":["TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384","TLS_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"],"minTLSVersion":"VersionTLS12"}}}}'
-----
-+
-This patch adds the `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` cipher which allows access from IE 11 on Windows Server 2008 R2 when using RSA certificates.
-+
-Once you run the command, you will receive a response that looks like this:
-+
-.Example output
-[source,terminal]
-----
-ingresscontroller.operator.openshift.io/default patched
-----
-+
-.. Clusters using the xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-config-custom-domains-applications[Custom Domain Operator]:
-+
-Customers who are using the xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-config-custom-domains-applications[Custom Domain Operator] need to loop through each of their Ingress Controllers to patch each one.
-To patch all of your cluster's Ingress Controllers, run the following command:
-+
-[source,terminal]
-----
-$ for ic in $(oc get ingresscontroller -o name -n openshift-ingress-operator); do oc patch ${ic} -n openshift-ingress-operator --type=merge -p '{"spec":{"tlsSecurityProfile":{"type":"Custom","custom":{"ciphers":["TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384","TLS_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"],"minTLSVersion":"VersionTLS12"}}}}'; done
-----
-+
-Once you run the command, you will receive a response that looks like this:
-+
-.Example output
-[source,terminal]
-----
-ingresscontroller.operator.openshift.io/default patched
-ingresscontroller.operator.openshift.io/custom1 patched
-ingresscontroller.operator.openshift.io/custom2 patched
-----
-
-. Create the CronJob to ensure that the TLS configuration is not overwritten.
-+
-Occasionally, the cluster's Ingress Controllers can get recreated. In these cases, the Ingress Controller will likely not retain the `tlsSecurityProfile` changes that were applied.
-To ensure this does not happen, create a CronJob that goes through and updates the cluster's Ingress Controllers.
-This process depends on if you are using the xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-config-custom-domains-applications[Custom Domain Operator].
-+
-.. Clusters not using the xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-config-custom-domains-applications[Custom Domain Operator]:
-+
-If you are not using the xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-config-custom-domains-applications[Custom Domain Operator], create the CronJob by running the following command:
-+
-[source,terminal]
-----
-$ cat << EOF | oc apply -f -
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: tls-patch
-  namespace: openshift-ingress-operator
-spec:
-  schedule: '@hourly'
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          containers:
-            - name: tls-patch
-              image: registry.redhat.io/openshift4/ose-tools-rhel8:latest
-              args:
-                - /bin/sh
-                - '-c'
-                - oc patch ingresscontroller/default -n openshift-ingress-operator --type=merge -p '{"spec":{"tlsSecurityProfile":{"type":"Custom","custom":{"ciphers":["TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384","TLS_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"],"minTLSVersion":"VersionTLS12"}}}}'
-          restartPolicy: Never
-          serviceAccountName: cron-ingress-patch-sa
-EOF
-----
-+
-[NOTE]
-====
-This CronJob runs every hour and patches the Ingress Controllers, if necessary.
-It is important that this CronJob does not run constantly, as it can trigger reconciles that could overload the OpenShift Ingress Operator.
-Most of the time, the logs of the CronJob pod looks like the following example, as it will not be changing anything:
-
-.Example output
-[source,terminal]
-----
-ingresscontroller.operator.openshift.io/default patched (no change)
-----
-====
-+
-.. Clusters using the xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-config-custom-domains-applications[Custom Domain Operator]:
-+
-If you are using the xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-config-custom-domains-applications[Custom Domain Operator], the CronJob needs to loop through and patch each Ingress Controller.
-To create this CronJob, run the following command:
-+
-[source,terminal]
-----
-$ cat << EOF | oc apply -f -
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: tls-patch
-  namespace: openshift-ingress-operator
-spec:
-  schedule: '@hourly'
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          containers:
-            - name: tls-patch
-              image: registry.redhat.io/openshift4/ose-tools-rhel8:latest
-              args:
-                - /bin/sh
-                - '-c'
-                - for ic in $(oc get ingresscontroller -o name -n openshift-ingress-operator); do oc patch ${ic} -n openshift-ingress-operator --type=merge -p '{"spec":{"tlsSecurityProfile":{"type":"Custom","custom":{"ciphers":["TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384","TLS_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"],"minTLSVersion":"VersionTLS12"}}}}'; done
-          restartPolicy: Never
-          serviceAccountName: cron-ingress-patch-sa
-EOF
-----
-+
-[NOTE]
-====
-This CronJob runs every hour and patches the Ingress Controllers, if necessary. It is important that this CronJob does not run constantly, as it can trigger reconciles that could overload the OpenShift Ingress Operator. Most of the time, the logs of the CronJob pod will look something like this, as it will not be changing anything:
-
-.Example output
-[source,terminal]
-----
-ingresscontroller.operator.openshift.io/default patched (no change)
-ingresscontroller.operator.openshift.io/custom1 patched (no change)
-ingresscontroller.operator.openshift.io/custom2 patched (no change)
-----
-====
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/cloud_experts_tutorials/cloud-experts-deploying-application/cloud-experts-deploying-application-deployment.adoc b/cloud_experts_tutorials/cloud-experts-deploying-application/cloud-experts-deploying-application-deployment.adoc
new file mode 100644
index 000000000000..918666bbc52e
--- /dev/null
+++ b/cloud_experts_tutorials/cloud-experts-deploying-application/cloud-experts-deploying-application-deployment.adoc
@@ -0,0 +1,153 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="cloud-experts-deploying-application-deployment"]
+= Tutorial: Deploying an application
+include::_attributes/attributes-openshift-dedicated.adoc[]
+:context: cloud-experts-deploying-application-deployment
+
+toc::[]
+
+//rosaworkshop.io content metadata
+//Brought into ROSA product docs 23-JAN-2024
+
+== Deploying the OSToy application with Kubernetes
+
+You can deploy the OSToy application by creating and storing the images for the front-end and back-end microservice containers in an image repository. You can then create Kubernetes deployments to deploy the application. 
+
+=== Retrieving the login command
+
+. If you are not logged in to the CLI, access your cluster with the web console.
+
+. Click the dropdown arrow next to your login name in the upper right, and select *Copy Login Command*.
++
+image::4-cli-login.png[CLI login screen]
++
+A new tab opens. 
+
+. Select your authentication method.
+
+. Click *Display Token*.
+
+. Copy the command under *Log in with this token*. 
+
+. From your terminal, paste and run the copied command. If the login is successful, you will see the following confirmation message:
++
+[source,terminal]
+----
+$ oc login --token=<your_token> --server=https://api.osd4-demo.abc1.p1.openshiftapps.com:6443
+Logged into "https://api.myrosacluster.abcd.p1.openshiftapps.com:6443" as "rosa-user" using the token provided.
+
+You don't have any projects. You can try to create a new project, by running
+
+oc new-project <project name>
+----
+
+=== Creating a new project
+
+==== Using the CLI
+
+. Create a new project named `ostoy` in your cluster by running following command:
++
+[source,terminal]
+----
+$ oc new-project ostoy
+----
++
+.Example output
+[source,terminal]
+----
+Now using project "ostoy" on server "https://api.myrosacluster.abcd.p1.openshiftapps.com:6443".
+----
+
+. *Optional*: Alternatively, create a unique project name by running the following command:
++
+[source,terminal]
+----
+$ oc new-project ostoy-$(uuidgen | cut -d - -f 2 | tr '[:upper:]' '[:lower:]')
+----
+
+==== Using the web console
+
+. From the web console, click *Home -> Projects*. 
+
+. On the *Projects* page, click create *Create Project*.
++
+image::4-createnewproj.png[The project creation screen]
+
+=== Deploying the back-end microservice
+
+The microservice serves internal web requests and returns a JSON object containing the current hostname and a randomly generated color string.
+
+* Deploy the microservice by running the following command from your terminal:
++
+[source,terminal]
+----
+$ oc apply -f https://raw.githubusercontent.com/openshift-cs/rosaworkshop/master/rosa-workshop/ostoy/yaml/ostoy-microservice-deployment.yaml
+----
++
+.Example output
+[source,terminal]
+----
+$ oc apply -f https://raw.githubusercontent.com/openshift-cs/rosaworkshop/master/rosa-workshop/ostoy/yaml/ostoy-microservice-deployment.yaml
+deployment.apps/ostoy-microservice created
+service/ostoy-microservice-svc created
+----
+
+=== Deploying the front-end service
+
+The front-end deployment uses the Node.js front-end for the application and additional Kubernetes objects.
+
+The `ostoy-frontend-deployment.yaml` file shows that front-end deployment defines the following features:
+
+- Persistent volume claim
+- Deployment object
+- Service
+- Route
+- Configmaps
+- Secrets
+
+* Deploy the application front-end and create all of the objects by entering the following command:
++
+[source,terminal]
+----
+$ oc apply -f https://raw.githubusercontent.com/openshift-cs/rosaworkshop/master/rosa-workshop/ostoy/yaml/ostoy-frontend-deployment.yaml
+----
++
+.Example output
+[source,terminal]
+----
+persistentvolumeclaim/ostoy-pvc created
+deployment.apps/ostoy-frontend created
+service/ostoy-frontend-svc created
+route.route.openshift.io/ostoy-route created
+configmap/ostoy-configmap-env created
+secret/ostoy-secret-env created
+configmap/ostoy-configmap-files created
+secret/ostoy-secret created
+----
++
+You should see all objects created successfully.
+
+=== Getting the route
+
+You must get the route to access the application.
+
+* Get the route to your application by running the following command:
++
+[source,terminal]
+----
+$ oc get route
+----
++
+.Example output
+[source,terminal]
+----
+NAME          HOST/PORT                                                 PATH   SERVICES             PORT    TERMINATION   WILDCARD
+ostoy-route   ostoy-route-ostoy.apps.<your-rosa-cluster>.abcd.p1.openshiftapps.com          ostoy-frontend-svc   <all>                 None
+----
+
+=== Viewing the application
+
+. Copy the `ostoy-route-ostoy.apps.<your-rosa-cluster>.abcd.p1.openshiftapps.com` URL output from the previous step.
+. Paste the copied URL into your web browser and press enter. You should see the homepage of your application. If the page does not load, make sure you use `http` and not `https`.
++
+image::4-ostoy-homepage.png[OStoy application homepage]
diff --git a/cloud_experts_tutorials/cloud-experts-deploying-application/cloud-experts-deploying-application-networking.adoc b/cloud_experts_tutorials/cloud-experts-deploying-application/cloud-experts-deploying-application-networking.adoc
new file mode 100644
index 000000000000..13044b27a6b5
--- /dev/null
+++ b/cloud_experts_tutorials/cloud-experts-deploying-application/cloud-experts-deploying-application-networking.adoc
@@ -0,0 +1,62 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="cloud-experts-deploying-application-networking"]
+= Tutorial: Networking
+include::_attributes/attributes-openshift-dedicated.adoc[]
+:context: cloud-experts-deploying-application-networking
+
+toc::[]
+
+//rosaworkshop.io content metadata
+//Brought into ROSA product docs 2023-12-14
+
+This tutorial shows how the OSToy app uses intra-cluster networking to separate functions by using microservices and visualize the scaling of pods.
+
+image::deploying-networking-arch.png[OSToy Diagram]
+
+The diagram shows there are at least two separate pods, each with its own service. 
+
+One pod functions as the front end web application with a service and a publicly accessible route. The other pod functions as the backend microservice with a service object so that the front end pod can communicate with the microservice. This communication occurs across the pods if more than one. Because of these communication limits, this microservice is not accessible from outside this cluster or from other namespaces or projects if these are configured. The sole purpose of this microservice is to serve internal web requests and return a JSON object containing the current hostname, which is the pod's name, and a randomly generated color string. This color string is used to display a box with that color displayed in the tile titled "Intra-cluster Communication".
+
+For more information about the networking limitations, see xref:../../networking/network_security/network_policy/about-network-policy.adoc[About network policy].
+
+== Intra-cluster networking
+
+You can view your networking configurations in your OSToy application.
+
+.Procedure
+. In the OSToy application, click *Networking* in the left menu. 
+. Review the networking configuration. The right tile titled "Hostname Lookup" illustrates how the service name created for a pod can be used to translate into an internal ClusterIP address.
++
+image::deploying-networking-example.png[OSToy Networking page]
+
+. Enter the name of the microservice created in the right tile ("Hostname Lookup") following the format of `<service_name>.<namespace>.svc.cluster.local`. You can find this service name in the service definition of `ostoy-microservice.yaml` by running the following command: 
++
+[source,terminal]
+----
+$ oc get service <name_of_service> -o yaml
+----
++
+.Example output
+[source,yaml]
+----
+apiVersion: v1
+kind: Service
+metadata:
+  name: ostoy-microservice-svc
+  labels:
+    app: ostoy-microservice
+spec:
+  type: ClusterIP
+  ports:
+    - port: 8080
+      targetPort: 8080
+      protocol: TCP
+  selector:
+    app: ostoy-microservice
+----
++
+In this example, the full hostname is `ostoy-microservice-svc.ostoy.svc.cluster.local`.
+
+. You see an IP address returned. In this example it is `172.30.165.246`. This is the intra-cluster IP address, which is only accessible from within the cluster.
++
+image::deploying-networking-dns.png[OSToy DNS]
\ No newline at end of file
diff --git a/cloud_experts_tutorials/cloud-experts-deploying-application/cloud-experts-deploying-application-prerequisites.adoc b/cloud_experts_tutorials/cloud-experts-deploying-application/cloud-experts-deploying-application-prerequisites.adoc
index a8b663d98d5e..4049b3632b68 100644
--- a/cloud_experts_tutorials/cloud-experts-deploying-application/cloud-experts-deploying-application-prerequisites.adoc
+++ b/cloud_experts_tutorials/cloud-experts-deploying-application/cloud-experts-deploying-application-prerequisites.adoc
@@ -13,7 +13,7 @@ toc::[]
 
 . A Provisioned ROSA cluster
 +
-This lab assumes you have access to a successfully provisioned a ROSA cluster. If you have not yet created a ROSA cluster, see xref:../../rosa_getting_started/rosa-quickstart-guide-ui.html#rosa-getting-started-prerequisites_rosa-quickstart-guide-ui[Red Hat OpenShift Service on AWS quickstart guide] for more information.
+This lab assumes you have access to a successfully provisioned a ROSA cluster. If you have not yet created a ROSA cluster, see xref:../../rosa_getting_started/rosa-quickstart-guide-ui.adoc#rosa-getting-started-prerequisites_rosa-quickstart-guide-ui[Red{nbsp}Hat OpenShift Service on AWS quick start guide] for more information.
 
 . The OpenShift Command Line Interface (CLI)
 +
diff --git a/cloud_experts_tutorials/cloud-experts-deploying-application/cloud-experts-deploying-application-storage.adoc b/cloud_experts_tutorials/cloud-experts-deploying-application/cloud-experts-deploying-application-storage.adoc
new file mode 100644
index 000000000000..b62595871ae2
--- /dev/null
+++ b/cloud_experts_tutorials/cloud-experts-deploying-application/cloud-experts-deploying-application-storage.adoc
@@ -0,0 +1,121 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="cloud-experts-deploying-application-storage"]
+= Tutorial: Persistent volumes for cluster storage
+include::_attributes/attributes-openshift-dedicated.adoc[]
+:context: cloud-experts-deploying-application-storage
+
+toc::[]
+
+//rosaworkshop.io content metadata
+//Brought into ROSA product docs 2024-04-30
+
+{rosa-classic-first} and Red Hat OpenShift Service on AWS (ROSA) support storing persistent volumes with either link:https://aws.amazon.com/ebs/[Amazon Web Services (AWS) Elastic Block Store (EBS)] or link:https://aws.amazon.com/efs/[AWS Elastic File System (EFS)].
+
+== Using persistent volumes
+Use the following procedures to create a file, store it on a persistent volume in your cluster, and confirm that it still exists after pod failure and re-creation.
+
+=== Viewing a persistent volume claim
+. Navigate to the cluster's OpenShift web console.
+. Click *Storage* in the left menu, then click *PersistentVolumeClaims* to see a list of all the persistent volume claims. 
+. Click a persistence volume claim to see the size, access mode, storage class, and other additional claim details. 
++
+[NOTE]
+====
+The access mode is `ReadWriteOnce` (RWO). This means that the volume can only be mounted to one node and the pod or pods can read and write to the volume.
+====
+
+=== Storing your file
+
+. In the OSToy app console, click *Persistent Storage* in the left menu.
+. In the *Filename* box, enter a file name with a `.txt` extension, for example `test-pv.txt`.
+. In the *File contents* box, enter a sentence of text, for example `OpenShift is the greatest thing since sliced bread!`.
+. Click *Create file*.
++
+image::cloud-experts-storage-ostoy-createfile.png[]
++
+.Verification
+. Scroll to *Existing files* on the OSToy app console.
+. Click the file you created to see the file name and contents.
++
+image::cloud-experts-storage-ostoy-viewfile.png[]
+
+=== Crashing the pod
+
+. On the OSToy app console, click *Home* in the left menu.
+. Click *Crash pod*.
+
+=== Confirming persistent storage
+
+. Wait for the pod to re-create.
+. On the OSToy app console, click *Persistent Storage* in the left menu.
+. Find the file you created, and open it to view and confirm the contents.
++
+image::cloud-experts-storage-ostoy-existingfile.png[]
+
+.Verification
+The deployment YAML file shows that we mounted link:https://github.com/openshift-cs/rosaworkshop/blob/master/rosa-workshop/ostoy/yaml/ostoy-frontend-deployment.yaml#L61[the directory] `/var/demo_files` to our persistent volume claim.
+
+. Retrieve the name of your front-end pod by running the following command:
++
+[source,terminal]
+----
+$ oc get pods
+----
++
+. Start a secure shell (SSH) session in your container by running the following command:
++
+[source,terminal]
+----
+$ oc rsh <pod_name>
+----
++
+. Go to the directory by running the following command:
++
+[source,terminal]
+----
+$ cd /var/demo_files
+----
++
+. *Optional:* See all the files you created by running the following command:
++
+[source,terminal]
+----
+$ ls
+----
++
+. Open the file to view the contents by running the following command:
++
+[source,terminal]
+----
+$ cat test-pv.txt
+----
++
+. Verify that the output is the text you entered in the OSToy app console.
++
+.Example terminal
+[source,terminal]
+----
+$ oc get pods
+NAME                                  READY     STATUS    RESTARTS   AGE
+ostoy-frontend-5fc8d486dc-wsw24       1/1       Running   0          18m
+ostoy-microservice-6cf764974f-hx4qm   1/1       Running   0          18m
+
+$ oc rsh ostoy-frontend-5fc8d486dc-wsw24
+
+$ cd /var/demo_files/
+
+$ ls
+lost+found   test-pv.txt
+
+$ cat test-pv.txt
+OpenShift is the greatest thing since sliced bread!
+----
+
+=== Ending the session
+
+* Type `exit` in your terminal to quit the session and return to the CLI.
+
+[role="_additional-resources"]
+== Additional resources
+* For more information about persistent volume storage, see xref:../../storage/understanding-persistent-storage.adoc#persistent-volumes_understanding-persistent-storage[Understanding persistent storage].
+* For more information about ROSA storage options, see xref:../../storage/index.adoc#storage-overview[Storage overview].
\ No newline at end of file
diff --git a/cloud_experts_tutorials/cloud-experts-dynamic-certificate-custom-domain.adoc b/cloud_experts_tutorials/cloud-experts-dynamic-certificate-custom-domain.adoc
index 42ac22737fb6..b9c09f514aaf 100644
--- a/cloud_experts_tutorials/cloud-experts-dynamic-certificate-custom-domain.adoc
+++ b/cloud_experts_tutorials/cloud-experts-dynamic-certificate-custom-domain.adoc
@@ -19,16 +19,16 @@ toc::[]
 
 While wildcard certificates provide simplicity by securing all first-level subdomains of a given domain with a single certificate, other use cases can require the use of individual certificates per domain.
 
-Learn how to use the link:https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html[cert-manager Operator for Red Hat OpenShift] and link:https://letsencrypt.org/[Let's Encrypt] to dynamically issue certificates for routes created using a custom domain.
+Learn how to use the link:https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html[cert-manager Operator for Red{nbsp}Hat OpenShift] and link:https://letsencrypt.org/[Let's Encrypt] to dynamically issue certificates for routes created using a custom domain.
 
 [id="cloud-experts-dynamic-certificate-custom-domain-prerequisites"]
 == Prerequisites
 
-* A ROSA cluster
+* A ROSA cluster (HCP or Classic)
 * A user account with `cluster-admin` privileges
 * The OpenShift CLI (`oc`)
 * The Amazon Web Services (AWS) CLI (`aws`)
-* A unique domain, such as `*.apps.<company_name>.io`
+* A unique domain, such as `*.apps.example.com`
 * An Amazon Route 53 public hosted zone for the above domain
 
 [id="cloud-experts-dynamic-certificate-custom-domain-environment-setup"]
@@ -38,24 +38,35 @@ Learn how to use the link:https://docs.openshift.com/container-platform/latest/s
 +
 [source,terminal]
 ----
-$ export DOMAIN=apps.<company_name>.io <1>
-$ export EMAIL=<youremail@company_name.io> <2>
+$ export DOMAIN=apps.example.com <1>
+$ export EMAIL=email@example.com <2>
 $ export AWS_PAGER=""
-$ export CLUSTER_NAME=$(oc get infrastructure cluster -o=jsonpath="{.status.infrastructureName}"  | sed 's/-[a-z0-9]\{5\}$//')
+$ export CLUSTER=$(oc get infrastructure cluster -o=jsonpath="{.status.infrastructureName}"  | sed 's/-[a-z0-9]\{5\}$//')
 $ export OIDC_ENDPOINT=$(oc get authentication.config.openshift.io cluster -o json | jq -r .spec.serviceAccountIssuer | sed  's|^https://||')
 $ export REGION=$(oc get infrastructure cluster -o=jsonpath="{.status.platformStatus.aws.region}")
 $ export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
-$ export SCRATCH="/tmp/${CLUSTER_NAME}/dynamic-certs"
+$ export SCRATCH="/tmp/${CLUSTER}/dynamic-certs"
 $ mkdir -p ${SCRATCH}
 ----
-<1> The custom domain.
-<2> The e-mail Let's Encrypt will use to send notifications about your certificates.
+<1> Replace with the custom domain you want to use for the `IngressController`.
+<2> Replace with the e-mail you want Let's Encrypt to use to send notifications about your certificates.
++
 . Ensure all fields output correctly before moving to the next section:
 +
 [source,terminal]
 ----
-$ echo "Cluster: ${CLUSTER_NAME}, Region: ${REGION}, OIDC Endpoint: ${OIDC_ENDPOINT}, AWS Account ID: ${AWS_ACCOUNT_ID}"
+$ echo "Cluster: ${CLUSTER}, Region: ${REGION}, OIDC Endpoint: ${OIDC_ENDPOINT}, AWS Account ID: ${AWS_ACCOUNT_ID}"
 ----
++
+[NOTE]
+====
+The "Cluster" output from the previous command may be the name of your cluster, the internal ID of your cluster, or the cluster's domain prefix. If you prefer to use another identifier, you can manually set this value by running the following command:
+
+[source,terminal]
+----
+$ export CLUSTER=my-custom-value
+----
+====
 
 [id="cloud-experts-dynamic-certificate-prep-aws"]
 == Preparing your AWS account
@@ -77,7 +88,7 @@ $ export ZONE_ID=$(aws route53 list-hosted-zones-by-name --output json \
   --dns-name "${DOMAIN}." --query 'HostedZones[0]'.Id --out text | sed 's/\/hostedzone\///')
 ----
 +
-. Create an AWS IAM policy document for the `cert-manager` Operator that provides the ability to update _only_ the specified public hosted zone:
+. Create an AWS IAM policy document for the cert-manager Operator that provides the ability to update _only_ the specified public hosted zone:
 +
 [source,terminal]
 ----
@@ -112,11 +123,11 @@ EOF
 +
 [source,terminal]
 ----
-$ POLICY_ARN=$(aws iam create-policy --policy-name "${CLUSTER_NAME}-cert-manager-policy" \
+$ POLICY_ARN=$(aws iam create-policy --policy-name "${CLUSTER}-cert-manager-policy" \
   --policy-document file://${SCRATCH}/cert-manager-policy.json \
   --query 'Policy.Arn' --output text)
 ----
-. Create an AWS IAM trust policy for the `cert-manager` Operator:
+. Create an AWS IAM trust policy for the cert-manager Operator:
 +
 [source,terminal]
 ----
@@ -141,11 +152,11 @@ $ cat <<EOF > "${SCRATCH}/trust-policy.json"
 EOF
 ----
 +
-. Create an IAM role for the `cert-manager` Operator using the trust policy you created in the previous step:
+. Create an IAM role for the cert-manager Operator using the trust policy you created in the previous step:
 +
 [source,terminal]
 ----
-$ ROLE_ARN=$(aws iam create-role --role-name "${CLUSTER_NAME}-cert-manager-operator" \
+$ ROLE_ARN=$(aws iam create-role --role-name "${CLUSTER}-cert-manager-operator" \
    --assume-role-policy-document "file://${SCRATCH}/trust-policy.json" \
    --query Role.Arn --output text)
 ----
@@ -154,14 +165,14 @@ $ ROLE_ARN=$(aws iam create-role --role-name "${CLUSTER_NAME}-cert-manager-opera
 +
 [source,terminal]
 ----
-$ aws iam attach-role-policy --role-name "${CLUSTER_NAME}-cert-manager-operator" \
+$ aws iam attach-role-policy --role-name "${CLUSTER}-cert-manager-operator" \
   --policy-arn ${POLICY_ARN}
 ----
 
 [id="cloud-experts-dynamic-certificate-custom-domain-install-cert-man-op"]
 == Installing the cert-manager Operator
 
-. Create a project to install the `cert-manager` Operator into:
+. Create a project to install the cert-manager Operator into:
 +
 [source,terminal]
 ----
@@ -170,10 +181,10 @@ $ oc new-project cert-manager-operator
 +
 [IMPORTANT]
 ====
-Do not attempt to use more than one `cert-manager` Operator in your cluster. If you have a community `cert-manager` Operator installed in your cluster, you must uninstall it before installing the `cert-manager` Operator for Red Hat OpenShift.
+Do not attempt to use more than one cert-manager Operator in your cluster. If you have a community cert-manager Operator installed in your cluster, you must uninstall it before installing the cert-manager Operator for Red{nbsp}Hat OpenShift.
 ====
 +
-. Install the `cert-manager` Operator for Red Hat OpenShift:
+. Install the cert-manager Operator for Red Hat OpenShift:
 +
 [source,terminal]
 ----
@@ -206,7 +217,7 @@ EOF
 It takes a few minutes for this Operator to install and complete its set up.
 ====
 +
-. Verify that the `cert-manager` Operator is running:
+. Verify that the cert-manager Operator is running:
 +
 [source,terminal]
 ----
@@ -220,14 +231,14 @@ NAME                                                        READY   STATUS    RE
 cert-manager-operator-controller-manager-84b8799db5-gv8mx   2/2     Running   0          12s
 ----
 +
-. Annotate the service account used by the `cert-manager` pods with the AWS IAM role you created earlier:
+. Annotate the service account used by the cert-manager pods with the AWS IAM role you created earlier:
 +
 [source,terminal]
 ----
 $ oc -n cert-manager annotate serviceaccount cert-manager eks.amazonaws.com/role-arn=${ROLE_ARN}
 ----
 +
-. Restart the existing `cert-manager` controller pod by running the following command:
+. Restart the existing cert-manager controller pod by running the following command:
 +
 [source,terminal]
 ----
@@ -286,13 +297,6 @@ letsencrypt-production   True    47s
 [id="cloud-experts-dynamic-certificate-custom-domain-create-cd-ingress-con"]
 == Creating a custom domain Ingress Controller
 
-. Create a new project:
-+
-[source,terminal]
-----
-$ oc new-project custom-domain-ingress
-----
-+
 . Create and configure a certificate resource to provision a certificate for the custom domain Ingress Controller:
 +
 [NOTE]
@@ -307,7 +311,7 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: custom-domain-ingress-cert
-  namespace: custom-domain-ingress
+  namespace: openshift-ingress
 spec:
   secretName: custom-domain-ingress-cert-tls
   issuerRef:
@@ -323,12 +327,12 @@ EOF
 +
 [NOTE]
 ====
-It takes a few minutes for this certificate to be issued by Let's Encrypt. If it takes longer than 5 minutes, run `oc -n custom-domain-ingress describe certificate.cert-manager.io/custom-domain-ingress-cert` to see any issues reported by cert-manager.
+It takes a few minutes for this certificate to be issued by Let's Encrypt. If it takes longer than 5 minutes, run `oc -n openshift-ingress describe certificate.cert-manager.io/custom-domain-ingress-cert` to see any issues reported by cert-manager.
 ====
 +
 [source,terminal]
 ----
-$ oc -n custom-domain-ingress get certificate.cert-manager.io/custom-domain-ingress-cert
+$ oc -n openshift-ingress get certificate.cert-manager.io/custom-domain-ingress-cert
 ----
 +
 .Example output
@@ -339,43 +343,56 @@ NAME                         READY   SECRET                           AGE
 custom-domain-ingress-cert   True    custom-domain-ingress-cert-tls   9m53s
 ----
 +
-. Create a new `CustomDomain` custom resource (CR):
+. Create a new `IngressController` resource:
 +
 [source,terminal]
 ----
 $ cat << EOF | oc apply -f -
-apiVersion: managed.openshift.io/v1alpha1
-kind: CustomDomain
+apiVersion: operator.openshift.io/v1
+kind: IngressController
 metadata:
   name: custom-domain-ingress
+  namespace: openshift-ingress-operator
 spec:
   domain: ${DOMAIN}
-  scope: External
-  loadBalancerType: NLB
-  certificate:
+  defaultCertificate:
     name: custom-domain-ingress-cert-tls
-    namespace: custom-domain-ingress
+  endpointPublishingStrategy:
+    loadBalancer:
+      dnsManagementPolicy: Unmanaged
+      providerParameters:
+        aws:
+          type: NLB
+        type: AWS
+      scope: External
+    type: LoadBalancerService
 EOF
 ----
-. Verify that your custom domain Ingress Controller has been deployed and has a `Ready` status:
++
+[WARNING]
+====
+This `IngressController` example will create an internet accessible Network Load Balancer (NLB) in your AWS account. To provision an internal NLB instead, set the `.spec.endpointPublishingStrategy.loadBalancer.scope` parameter to `Internal` before creating the `IngressController` resource.
+====
++
+. Verify that your custom domain IngressController has successfully created an external load balancer:
 +
 [source,terminal]
 ----
-$ oc get customdomains
+$ oc -n openshift-ingress get service/router-custom-domain-ingress
 ----
 +
 .Example output
 [source,terminal]
 ----
-NAME                    ENDPOINT                                                               DOMAIN            STATUS
-custom-domain-ingress   tfoxdx.custom-domain-ingress.cluster.1234.p1.openshiftapps.com         example.com       Ready
+NAME                           TYPE           CLUSTER-IP      EXTERNAL-IP                                                                     PORT(S)                      AGE
+router-custom-domain-ingress   LoadBalancer   172.30.174.34   a309962c3bd6e42c08cadb9202eca683-1f5bbb64a1f1ec65.elb.us-east-1.amazonaws.com   80:31342/TCP,443:31821/TCP   7m28s
 ----
 +
 . Prepare a document with the necessary DNS changes to enable DNS resolution for your custom domain Ingress Controller:
 +
 [source,terminal]
 ----
-$ INGRESS=$(oc get customdomain.managed.openshift.io/custom-domain-ingress --template={{.status.endpoint}})
+$ INGRESS=$(oc -n openshift-ingress get service/router-custom-domain-ingress -ojsonpath="{.status.loadBalancer.ingress[0].hostname}")
 $ cat << EOF > "${SCRATCH}/create-cname.json"
 {
   "Comment":"Add CNAME to custom domain endpoint",
@@ -504,7 +521,7 @@ $ oc -n hello-world annotate route hello-openshift-tls cert-manager.io/issuer-ki
 +
 [NOTE]
 ====
-It takes 2-3 minutes for the certificate to be created. The renewal of the certificate will automatically be managed by the `cert-manager` Operator as it approaches expiration.
+It takes 2-3 minutes for the certificate to be created. The renewal of the certificate will automatically be managed by the cert-manager Operator as it approaches expiration.
 ====
 . Verify the certificate for the route is now trusted:
 +
diff --git a/cloud_experts_tutorials/cloud-experts-external-dns.adoc b/cloud_experts_tutorials/cloud-experts-external-dns.adoc
index 0be0656a3708..91b94afd0eed 100644
--- a/cloud_experts_tutorials/cloud-experts-external-dns.adoc
+++ b/cloud_experts_tutorials/cloud-experts-external-dns.adoc
@@ -18,14 +18,7 @@ toc::[]
 //  - Dustin Scott
 //---
 
-[WARNING]
-====
-Starting with {product-title} 4.14, the Custom Domain Operator is deprecated. To manage Ingress in {product-title} 4.14, use the Ingress Operator. The functionality is unchanged for {product-title} 4.13 and earlier versions.
-====
-
-Configuring the xref:../applications/deployments/rosa-config-custom-domains-applications.adoc[Custom Domain Operator] requires a wildcard CNAME DNS record in your Amazon Route 53 hosted zone. If you do not want to use a wildcard record, you can use the `External DNS` Operator to create individual entries for routes.
-
-Use this tutorial to deploy and configure the `External DNS` Operator with a custom domain in {product-title} (ROSA).
+The External DNS Operator deploys and manages `ExternalDNS` to provide the name resolution for services and routes from the external DNS provider, like Amazon Route 53, to {product-title} (ROSA) clusters. In this tutorial, we will deploy and configure the External DNS Operator with a secondary ingress controller to manage DNS records in Amazon Route 53. 
 
 [IMPORTANT]
 ====
@@ -35,100 +28,115 @@ The `External DNS` Operator does not support STS using IAM Roles for Service Acc
 [id="cloud-experts-external-dns-prerequisites"]
 == Prerequisites
 
-* A ROSA cluster
-* A user account with `dedicated-admin` privileges
+* A ROSA Classic cluster
++
+[NOTE]
+====
+ROSA with HCP is not supported at this time.
+====
++
+* A user account with `cluster-admin` privileges
 * The OpenShift CLI (`oc`)
 * The Amazon Web Services (AWS) CLI (`aws`)
-* A unique domain, such as `*.apps.<company_name>.io`
+* A unique domain, such as `apps.example.com`
 * An Amazon Route 53 public hosted zone for the above domain
 
 [id="cloud-experts-external-dns-environment-setup"]
 == Setting up your environment
 
-. Configure the following environment variables, replacing `CLUSTER_NAME` with the name of your cluster:
+. Configure the following environment variables:
 +
 [source,terminal]
 ----
-$ export DOMAIN=apps.<company_name>.io <1>
+$ export DOMAIN=<apps.example.com> <1>
 $ export AWS_PAGER=""
-$ export CLUSTER_NAME=$(oc get infrastructure cluster -o=jsonpath="{.status.infrastructureName}"  | sed 's/-[a-z0-9]\{5\}$//')
+$ export CLUSTER=$(oc get infrastructure cluster -o=jsonpath="{.status.infrastructureName}"  | sed 's/-[a-z0-9]\{5\}$//')
 $ export REGION=$(oc get infrastructure cluster -o=jsonpath="{.status.platformStatus.aws.region}")
 $ export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
-$ export SCRATCH="/tmp/${CLUSTER_NAME}/external-dns"
+$ export SCRATCH="/tmp/${CLUSTER}/external-dns"
 $ mkdir -p ${SCRATCH}
 ----
-<1> The custom domain.
+<1> Replace with the custom domain you want to use for the `IngressController`.
++
 . Ensure all fields output correctly before moving to the next section:
 +
 [source,terminal]
 ----
-$ echo "Cluster: ${CLUSTER_NAME}, Region: ${REGION}, AWS Account ID: ${AWS_ACCOUNT_ID}"
+$ echo "Cluster: ${CLUSTER}, Region: ${REGION}, AWS Account ID: ${AWS_ACCOUNT_ID}"
 ----
++
+[NOTE]
+====
+The "Cluster" output from the previous command may be the name of your cluster, the internal ID of your cluster, or the cluster's domain prefix. If you prefer to use another identifier, you can manually set this value by running the following command:
+
+[source,terminal]
+----
+$ export CLUSTER=my-custom-value
+----
+====
 
-[id="cloud-experts-external-dns-custom-domain-setup"]
-== Setting up your custom domain
+[id="secondary_ingress_controller_setup_{context}"]
+== Secondary ingress controller setup
 
-ROSA manages secondary Ingress Controllers using the `Custom Domain` Operator. Use the following procedure to deploy a secondary Ingress Controller using a custom domain.
+Use the following procedure to deploy a secondary ingress controller using a custom domain.
 
 .Prerequisites
 
-* A unique domain, such as `*.apps.<company_name>.io`
-* A custom SAN or wildcard certificate, such as `CN=*.apps.<company_name>.io`
+* A unique domain, such as `apps.example.com`
+* A wildcard or SAN TLS certificate configured with the custom domain selected above (`CN=*.apps.example.com`)
 
 .Procedure
 
-. Create a new project:
-+
-[source,terminal]
-----
-$ oc new-project external-dns-operator
-----
-
 . Create a new TLS secret from a private key and a public certificate, where `fullchain.pem` is your full wildcard certificate chain (including any intermediaries) and `privkey.pem` is your wildcard certificate's private key:
 +
 [source,terminal]
 ----
-$ oc -n external-dns-operator create secret tls external-dns-tls --cert=fullchain.pem --key=privkey.pem
+$ oc -n openshift-ingress create secret tls external-dns-tls --cert=fullchain.pem --key=privkey.pem
 ----
 
-. Create a new `CustomDomain` custom resource (CR):
+. Create a new `IngressController` resource:
 +
-.Example `external-dns-custom-domain.yaml`
-[source,yaml]
+[source,terminal]
 ----
-apiVersion: managed.openshift.io/v1alpha1
-kind: CustomDomain
+$ cat << EOF | oc apply -f -
+apiVersion: operator.openshift.io/v1
+kind: IngressController
 metadata:
-  name: external-dns
+  name: external-dns-ingress
+  namespace: openshift-ingress-operator
 spec:
-  domain: apps.<company_name>.io <1>
-  scope: External
-  loadBalancerType: NLB
-  certificate:
+  domain: ${DOMAIN}
+  defaultCertificate:
     name: external-dns-tls
-    namespace: external-dns-operator
+  endpointPublishingStrategy:
+    loadBalancer:
+      dnsManagementPolicy: Unmanaged
+      providerParameters:
+        aws:
+          type: NLB
+        type: AWS
+      scope: External
+    type: LoadBalancerService
+EOF
 ----
-<1> The custom domain.
-
-. Apply the CR:
 +
-[source,terminal]
-----
-$ oc apply -f external-dns-custom-domain.yaml
-----
-
-. Verify that your custom domain Ingress Controller has been deployed and has a `Ready` status:
+[WARNING]
+====
+This `IngressController` example will create an internet accessible Network Load Balancer (NLB) in your AWS account. To provision an internal NLB instead, set the `.spec.endpointPublishingStrategy.loadBalancer.scope` parameter to `Internal` before creating the `IngressController` resource.
+====
++
+. Verify that your custom domain IngressController has successfully created an external load balancer:
 +
 [source,terminal]
 ----
-$ oc get customdomains
+$ oc -n openshift-ingress get service/router-external-dns-ingress
 ----
 +
 .Example output
 [source,terminal]
 ----
-NAME               ENDPOINT                                                    DOMAIN                       STATUS
-external-dns       xxrywp.<company_name>.cluster-01.opln.s1.openshiftapps.com  *.apps.<company_name>.io     Ready
+NAME                          TYPE           CLUSTER-IP      EXTERNAL-IP                                                                     PORT(S)                      AGE
+router-external-dns-ingress   LoadBalancer   172.30.71.250   a4838bb991c6748439134ab89f132a43-aeae124077b50c01.elb.us-east-1.amazonaws.com   80:32227/TCP,443:30310/TCP   43s
 ----
 
 [id="cloud-experts-external-dns-prepare-aws-account"]
@@ -142,6 +150,40 @@ $ export ZONE_ID=$(aws route53 list-hosted-zones-by-name --output json \
   --dns-name "${DOMAIN}." --query 'HostedZones[0]'.Id --out text | sed 's/\/hostedzone\///')
 ----
 +
+. Prepare a document with the necessary DNS changes to enable DNS resolution for the canonical domain of the Ingress Controller:
++
+[source,terminal]
+----
+$ NLB_HOST=$(oc -n openshift-ingress get service/router-external-dns-ingress -ojsonpath="{.status.loadBalancer.ingress[0].hostname}")
+$ cat << EOF > "${SCRATCH}/create-cname.json"
+{
+  "Comment":"Add CNAME to ingress controller canonical domain",
+  "Changes":[{
+      "Action":"CREATE",
+      "ResourceRecordSet":{
+        "Name": "router-external-dns-ingress.${DOMAIN}",
+      "Type":"CNAME",
+      "TTL":30,
+      "ResourceRecords":[{
+        "Value": "${NLB_HOST}"
+      }]
+    }
+  }]
+}
+EOF
+----
++
+The External DNS Operator uses this canonical domain as the target for CNAME records. 
++
+. Submit your changes to Amazon Route 53 for propagation:
++
+[source,terminal]
+----
+aws route53 change-resource-record-sets \
+  --hosted-zone-id ${ZONE_ID} \
+  --change-batch file://${SCRATCH}/create-cname.json
+----
++
 . Create an AWS IAM Policy document that allows the `External DNS` Operator to update _only_ the custom domain public hosted zone:
 +
 [source,terminal]
@@ -174,26 +216,17 @@ $ cat << EOF > "${SCRATCH}/external-dns-policy.json"
 EOF
 ----
 +
-. Create an AWS IAM policy:
-+
-[source,terminal]
-----
-$ export POLICY_ARN=$(aws iam create-policy --policy-name "${CLUSTER_NAME}-AllowExternalDNSUpdates" \
-  --policy-document file://${SCRATCH}/external-dns-policy.json \
-  --query 'Policy.Arn' --output text)
-----
-+
 . Create an AWS IAM user:
 +
 [source,terminal]
 ----
-$ aws iam create-user --user-name "${CLUSTER_NAME}-external-dns-operator"
+$ aws iam create-user --user-name "${CLUSTER}-external-dns-operator"
 ----
 . Attach the policy:
 +
 [source,terminal]
 ----
-$ aws iam attach-user-policy --user-name "${CLUSTER_NAME}-external-dns-operator" --policy-arn $POLICY_ARN
+$ aws iam attach-user-policy --user-name "${CLUSTER}-external-dns-operator" --policy-arn $POLICY_ARN
 ----
 +
 [NOTE]
@@ -204,7 +237,7 @@ This will be changed to STS using IRSA in the future.
 +
 [source,terminal]
 ----
-$ SECRET_ACCESS_KEY=$(aws iam create-access-key --user-name "${CLUSTER_NAME}-external-dns-operator")
+$ SECRET_ACCESS_KEY=$(aws iam create-access-key --user-name "${CLUSTER}-external-dns-operator")
 ----
 . Create static credentials:
 +
@@ -220,6 +253,13 @@ EOF
 [id="cloud-experts-external-dns-install-external-dns-operator"]
 == Installing the External DNS Operator
 
+. Create a new project:
++
+[source,terminal]
+----
+$ oc new-project external-dns-operator
+----
+
 . Install the `External DNS` Operator from OperatorHub:
 +
 [source,terminal]
@@ -262,6 +302,7 @@ $ oc rollout status deploy external-dns-operator --timeout=300s
 $ oc -n external-dns-operator create secret generic external-dns \
   --from-file "${SCRATCH}/credentials"
 ----
++
 . Deploy the `ExternalDNS` controller:
 +
 [source,terminal]
@@ -283,7 +324,7 @@ spec:
     type: AWS
   source:
     openshiftRouteOptions:
-      routerName: external-dns
+      routerName: external-dns-ingress
     type: OpenShiftRoute
   zones:
     - ${ZONE_ID}
@@ -341,9 +382,17 @@ $ aws route53 list-resource-record-sets --hosted-zone-id ${ZONE_ID} \
 $ aws route53 list-resource-record-sets --hosted-zone-id ${ZONE_ID} \
    --query "ResourceRecordSets[?Type == 'TXT']" | grep ${DOMAIN}
 ----
-. Navigate to your custom console domain in the browser where you see the OpenShift login:
++
+. Curl the newly created DNS record to your sample application to verify the hello world application is accessible:
 +
 [source,terminal]
 ----
-$ echo console.${DOMAIN}
+$ curl https://hello-openshift.${DOMAIN}
 ----
++
+.Example output
+[source,terminal]
+----
+Hello OpenShift!
+----
+
diff --git a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-admin-rights.adoc b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-admin-rights.adoc
index 654468d59139..93c57f476b76 100644
--- a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-admin-rights.adoc
+++ b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-admin-rights.adoc
@@ -9,9 +9,9 @@ toc::[]
 //rosaworkshop.io content metadata
 //Brought into ROSA product docs 2023-11-30
 
-Administration (admin) privileges are not automatically granted to users that you add to your cluster. If you want to grant admin-level privileges to certain users, you will need to manually grant them to each user. You can grant admin privileges from either the ROSA command line interface (CLI) or the Red Hat OpenShift Cluster Manager web user interface (UI).
+Administration (admin) privileges are not automatically granted to users that you add to your cluster. If you want to grant admin-level privileges to certain users, you will need to manually grant them to each user. You can grant admin privileges from either the ROSA command line interface (CLI) or the Red{nbsp}Hat OpenShift Cluster Manager web user interface (UI).
 
-Red Hat offers two types of admin privileges:
+Red{nbsp}Hat offers two types of admin privileges:
 
 * `cluster-admin`: `cluster-admin` privileges give the admin user full privileges within the cluster.
 
@@ -64,7 +64,7 @@ image:cloud-experts-getting-started-admin-rights-admin-panel.png[]
 $ oc get all -n openshift-apiserver
 ----
 
-== Using the Red Hat OpenShift Cluster Manager UI
+== Using the Red{nbsp}Hat OpenShift Cluster Manager UI
 
 . Log in to the {cluster-manager-url}.
 . Select your cluster.
diff --git a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deleting.adoc b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deleting.adoc
index 5d224f59dce5..085c2014367c 100644
--- a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deleting.adoc
+++ b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deleting.adoc
@@ -78,7 +78,7 @@ $ rosa delete account-roles --prefix <prefix> --mode auto --yes
 
 == Deleting a ROSA cluster using the UI
 
-. Log in to the Red Hat OpenShift Cluster Manager, and locate the cluster you want to delete.
+. Log in to the {cluster-manager-url}, and locate the cluster you want to delete.
 
 . Click the three dots to the right of the cluster.
 +
diff --git a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-detailed-ui.adoc b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-detailed-ui.adoc
index 01e1dfb58995..7f3e42d7aa12 100644
--- a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-detailed-ui.adoc
+++ b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-detailed-ui.adoc
@@ -9,14 +9,14 @@ toc::[]
 //rosaworkshop.io content metadata
 //Brought into ROSA product docs 2023-11-20
 
-This tutorial outlines the detailed steps to deploy a {product-title} (ROSA) cluster using the Red Hat OpenShift Cluster Manager user interface (UI).
+This tutorial outlines the detailed steps to deploy a {product-title} (ROSA) cluster using the Red{nbsp}Hat OpenShift Cluster Manager user interface (UI).
 
 == Deployment workflow
 The overall deployment workflow follows these steps:
 
 . Create the account wide roles and policies.
-. Associate your AWS account with your Red Hat account.
-.. Create and link the Red Hat OpenShift Cluster Manager role.
+. Associate your AWS account with your Red{nbsp}Hat account.
+.. Create and link the Red{nbsp}Hat OpenShift Cluster Manager role.
 .. Create and link the user role.
 . Create the cluster.
 
@@ -56,7 +56,7 @@ I: To create a cluster with these roles, run the following command:
 rosa create cluster --sts
 ----
 
-== Associating your AWS account with your Red Hat account
+== Associating your AWS account with your Red{nbsp}Hat account
 This step tells the OpenShift Cluster Manager what AWS account you want to use when deploying ROSA.
 
 [NOTE]
@@ -64,7 +64,7 @@ This step tells the OpenShift Cluster Manager what AWS account you want to use w
 If you have already associated your AWS accounts, skip this step.
 ====
 
-. Open the {hybrid-console} by visiting the {cluster-manager-url} and logging in to your Red Hat account.
+. Open the {hybrid-console} by visiting the {cluster-manager-url} and logging in to your Red{nbsp}Hat account.
 
 . Click *Create Cluster*.
 
@@ -115,7 +115,7 @@ For the purposes of this tutorial, use the *Admin OpenShift Cluster Manager role
 $ rosa create ocm-role --mode auto --admin --yes
 ----
 +
-This command creates the OpenShift Cluster Manager role and associates it with your Red Hat account.
+This command creates the OpenShift Cluster Manager role and associates it with your Red{nbsp}Hat account.
 +
 .Example output
 +
@@ -159,7 +159,7 @@ As defined in the xref:../../../rosa_architecture/rosa-sts-about-iam-resources.a
 $ rosa list user-role
 ----
 
-. Run the following command to create the user role and to link it to your Red Hat account:
+. Run the following command to create the user role and to link it to your Red{nbsp}Hat account:
 +
 [source,terminal]
 ----
diff --git a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-hcp.adoc b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-hcp.adoc
index b73acfbfb992..19c72b095f92 100644
--- a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-hcp.adoc
+++ b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-hcp.adoc
@@ -11,7 +11,7 @@ toc::[]
 
 This tutorial outlines deploying a {hcp-title-first} cluster.  
 
-With {hcp-title}, you can decouple the control plane from the data plane. This is a new deployment model for ROSA in which the control plane is hosted in a Red Hat-owned AWS account. The control plane is no longer hosted in your AWS account, reducing your AWS infrastructure expenses. The control plane is dedicated to a single cluster and is highly available. For more information, see the xref:../../../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-hcp-sts-creating-a-cluster-quickly[{hcp-title} documentation].
+With {hcp-title}, you can decouple the control plane from the data plane. This is a new deployment model for ROSA in which the control plane is hosted in a Red{nbsp}Hat-owned AWS account. The control plane is no longer hosted in your AWS account, reducing your AWS infrastructure expenses. The control plane is dedicated to a single cluster and is highly available. For more information, see the xref:../../../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-hcp-sts-creating-a-cluster-quickly[{hcp-title} documentation].
 
 == Prerequisites
 
@@ -31,11 +31,115 @@ In this tutorial, we will create these resources first. We will also set up some
 rosa list regions --hosted-cp
 ----
     
-. Create the VPC. For this tutorial, the following script will create the VPC and its required components for you. It will use the region configured for the `aws` CLI.
+. Create the VPC. For this tutorial, the following link:https://github.com/openshift-cs/rosaworkshop/blob/master/rosa-workshop/rosa/resources/setup-vpc.sh[script] creates the VPC and its required components for you. It uses the region configured for the `aws` CLI.
 +
-[source,terminal]
+[source,bash]
 ----
-curl https://raw.githubusercontent.com/openshift-cs/rosaworkshop/master/rosa-workshop/rosa/resources/setup-vpc.sh | bash
+#!/bin/bash
+
+set -e
+##########
+# This script will create the network requirements for a ROSA cluster. This will be
+# a public cluster. This creates:
+# - VPC
+# - Public and private subnets
+# - Internet Gateway
+# - Relevant route tables
+# - NAT Gateway
+#
+# This will automatically use the region configured for the aws cli
+#
+##########
+
+VPC_CIDR=10.0.0.0/16
+PUBLIC_CIDR_SUBNET=10.0.1.0/24
+PRIVATE_CIDR_SUBNET=10.0.0.0/24
+
+# Create VPC
+echo -n "Creating VPC..."
+VPC_ID=$(aws ec2 create-vpc --cidr-block $VPC_CIDR --query Vpc.VpcId --output text)
+
+# Create tag name
+aws ec2 create-tags --resources $VPC_ID --tags Key=Name,Value=$CLUSTER_NAME
+
+# Enable dns hostname
+aws ec2 modify-vpc-attribute --vpc-id $VPC_ID --enable-dns-hostnames
+echo "done."
+
+# Create Public Subnet
+echo -n "Creating public subnet..."
+PUBLIC_SUBNET_ID=$(aws ec2 create-subnet --vpc-id $VPC_ID --cidr-block $PUBLIC_CIDR_SUBNET --query Subnet.SubnetId --output text)
+
+aws ec2 create-tags --resources $PUBLIC_SUBNET_ID --tags Key=Name,Value=$CLUSTER_NAME-public
+echo "done."
+
+# Create private subnet
+echo -n "Creating private subnet..."
+PRIVATE_SUBNET_ID=$(aws ec2 create-subnet --vpc-id $VPC_ID --cidr-block $PRIVATE_CIDR_SUBNET --query Subnet.SubnetId --output text)
+
+aws ec2 create-tags --resources $PRIVATE_SUBNET_ID --tags Key=Name,Value=$CLUSTER_NAME-private
+echo "done."
+
+# Create an internet gateway for outbound traffic and attach it to the VPC.
+echo -n "Creating internet gateway..."
+IGW_ID=$(aws ec2 create-internet-gateway --query InternetGateway.InternetGatewayId --output text)
+echo "done."
+
+aws ec2 create-tags --resources $IGW_ID --tags Key=Name,Value=$CLUSTER_NAME
+
+aws ec2 attach-internet-gateway --vpc-id $VPC_ID --internet-gateway-id $IGW_ID > /dev/null 2>&1
+echo "Attached IGW to VPC."
+
+# Create a route table for outbound traffic and associate it to the public subnet.
+echo -n "Creating route table for public subnet..."
+PUBLIC_ROUTE_TABLE_ID=$(aws ec2 create-route-table --vpc-id $VPC_ID --query RouteTable.RouteTableId --output text)
+
+aws ec2 create-tags --resources $PUBLIC_ROUTE_TABLE_ID --tags Key=Name,Value=$CLUSTER_NAME
+echo "done."
+
+aws ec2 create-route --route-table-id $PUBLIC_ROUTE_TABLE_ID --destination-cidr-block 0.0.0.0/0 --gateway-id $IGW_ID > /dev/null 2>&1
+echo "Created default public route."
+
+aws ec2 associate-route-table --subnet-id $PUBLIC_SUBNET_ID --route-table-id $PUBLIC_ROUTE_TABLE_ID > /dev/null 2>&1
+echo "Public route table associated"
+
+# Create a NAT gateway in the public subnet for outgoing traffic from the private network.
+echo -n "Creating NAT Gateway..."
+NAT_IP_ADDRESS=$(aws ec2 allocate-address --domain vpc --query AllocationId --output text)
+
+NAT_GATEWAY_ID=$(aws ec2 create-nat-gateway --subnet-id $PUBLIC_SUBNET_ID --allocation-id $NAT_IP_ADDRESS --query NatGateway.NatGatewayId --output text)
+
+aws ec2 create-tags --resources $NAT_IP_ADDRESS --resources $NAT_GATEWAY_ID --tags Key=Name,Value=$CLUSTER_NAME
+sleep 10
+echo "done."
+
+# Create a route table for the private subnet to the NAT gateway.
+echo -n "Creating a route table for the private subnet to the NAT gateway..."
+PRIVATE_ROUTE_TABLE_ID=$(aws ec2 create-route-table --vpc-id $VPC_ID --query RouteTable.RouteTableId --output text)
+
+aws ec2 create-tags --resources $PRIVATE_ROUTE_TABLE_ID $NAT_IP_ADDRESS --tags Key=Name,Value=$CLUSTER_NAME-private
+ 
+aws ec2 create-route --route-table-id $PRIVATE_ROUTE_TABLE_ID --destination-cidr-block 0.0.0.0/0 --gateway-id $NAT_GATEWAY_ID > /dev/null 2>&1
+
+aws ec2 associate-route-table --subnet-id $PRIVATE_SUBNET_ID --route-table-id $PRIVATE_ROUTE_TABLE_ID > /dev/null 2>&1
+
+echo "done."
+
+# echo "***********VARIABLE VALUES*********"
+# echo "VPC_ID="$VPC_ID
+# echo "PUBLIC_SUBNET_ID="$PUBLIC_SUBNET_ID
+# echo "PRIVATE_SUBNET_ID="$PRIVATE_SUBNET_ID
+# echo "PUBLIC_ROUTE_TABLE_ID="$PUBLIC_ROUTE_TABLE_ID
+# echo "PRIVATE_ROUTE_TABLE_ID="$PRIVATE_ROUTE_TABLE_ID
+# echo "NAT_GATEWAY_ID="$NAT_GATEWAY_ID
+# echo "IGW_ID="$IGW_ID
+# echo "NAT_IP_ADDRESS="$NAT_IP_ADDRESS
+
+echo "Setup complete."
+echo ""
+echo "To make the cluster create commands easier, please run the following commands to set the environment variables:"
+echo "export PUBLIC_SUBNET_ID=$PUBLIC_SUBNET_ID"
+echo "export PRIVATE_SUBNET_ID=$PRIVATE_SUBNET_ID"
 ----
 +
 For more about VPC requirements, see the xref:../../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-vpc_rosa-sts-aws-prereqs[VPC documentation].
diff --git a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-simple-ui-guide.adoc b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-simple-ui-guide.adoc
index 867676bed0ee..475398617955 100644
--- a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-simple-ui-guide.adoc
+++ b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-simple-ui-guide.adoc
@@ -28,7 +28,7 @@ Run the following command _once_ for each AWS account and y-stream OpenShift ver
 rosa create account-roles --mode auto --yes
 ----
 
-== Creating Red Hat OpenShift Cluster Manager roles
+== Creating Red{nbsp}Hat OpenShift Cluster Manager roles
 . Create one OpenShift Cluster Manager role for each AWS account by running the following command:
 +
 [source,terminal]
diff --git a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-support.adoc b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-support.adoc
index 2820a0e45148..1d2728434ec2 100644
--- a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-support.adoc
+++ b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-support.adoc
@@ -18,29 +18,29 @@ You can add additional email addresses for communications about your cluster.
 . Click the *Support* tab.
 . Click *Add notification contact*, and enter the additional email addresses.
 
-== Contacting Red Hat for support using the UI
+== Contacting Red{nbsp}Hat for support using the UI
 
 . On the {cluster-manager} UI, click the *Support* tab.
 . Click *Open support case*.
 
-== Contacting Red Hat for support using the support page
+== Contacting Red{nbsp}Hat for support using the support page
 
-. Go to the link:https://support.redhat.com[Red Hat support page].
+. Go to the link:https://support.redhat.com[Red{nbsp}Hat support page].
 . Click *Open a new Case*.
 +
 image::obtain-support-case.png[]
 
-. Log in to your Red Hat account.
+. Log in to your Red{nbsp}Hat account.
 . Select the reason for contacting support.
 +
 image::obtain-support-reason.png[]
 
-. Select *Red Hat OpenShift Service on AWS*.
+. Select *Red{nbsp}Hat OpenShift Service on AWS*.
 
 image::obtain-support-select-rosa.png[]
 
 . Click *continue*.
-. Enter a summary of the issue and the details of your request. Upload any files, logs, and screenshots. The more details you provide, the better Red Hat support can help your case.
+. Enter a summary of the issue and the details of your request. Upload any files, logs, and screenshots. The more details you provide, the better Red{nbsp}Hat support can help your case.
 +
 [NOTE]
 ====
@@ -54,11 +54,11 @@ image::obtain-support-summary.png[]
 . Click *Continue*.
 . Enter the following information about your case:
 .. *Support level:* Premium
-.. *Severity:* Review the Red Hat Support Severity Level Definitions to choose the correct one.
+.. *Severity:* Review the Red{nbsp}Hat Support Severity Level Definitions to choose the correct one.
 .. *Group:* If this is related to a few other cases you can select the corresponding group.
 .. *Language*
 .. *Send notifications:* Add any additional email addresses to keep notified of activity.
-.. *Red Hat associates:* If you are working with anyone from Red Hat and want to keep them in the loop you can enter their email address here.
+.. *Red{nbsp}Hat associates:* If you are working with anyone from Red{nbsp}Hat and want to keep them in the loop you can enter their email address here.
 .. *Alternate Case ID:* If you want to attach your own ID to it you can enter it here.
 . Click *Continue*.
 . On the review screen make sure you select the correct cluster ID that you are contacting support about.
diff --git a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-upgrading.adoc b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-upgrading.adoc
index 7f08181e10c6..3fb8ec434822 100644
--- a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-upgrading.adoc
+++ b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-upgrading.adoc
@@ -14,7 +14,7 @@ toc::[]
 Ways to schedule a cluster upgrade include:
 
 * *Manually using the command line interface (CLI)*: Start a one-time immediate upgrade or schedule a one-time upgrade for a future date and time.
-* *Manually using the Red Hat OpenShift Cluster Manager user interface (UI)*: Start a one-time immediate upgrade or schedule a one-time upgrade for a future date and time.
+* *Manually using the Red{nbsp}Hat OpenShift Cluster Manager user interface (UI)*: Start a one-time immediate upgrade or schedule a one-time upgrade for a future date and time.
 * *Automated upgrades*: Set an upgrade window for recurring y-stream upgrades whenever a new version is available without needing to manually schedule it. Minor versions have to be manually scheduled.
 
 For more details about cluster upgrades, run the following command:
diff --git a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-what-is-rosa.adoc b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-what-is-rosa.adoc
index 79dc36a55e0d..5af345f388d1 100644
--- a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-what-is-rosa.adoc
+++ b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-what-is-rosa.adoc
@@ -9,16 +9,16 @@ toc::[]
 //rosaworkshop.io content metadata
 //Brought into ROSA product docs 2024-01-18
 
-Red Hat OpenShift Service on AWS (ROSA) is a fully-managed turnkey application platform that allows you to focus on what matters most, delivering value to your customers by building and deploying applications. Red Hat and AWS SRE experts manage the underlying platform so you do not have to worry about infrastructure management. ROSA provides seamless integration with a wide range of AWS compute, database, analytics, machine learning, networking, mobile, and other services to further accelerate the building and delivering of differentiating experiences to your customers.
+Red{nbsp}Hat OpenShift Service on AWS (ROSA) is a fully-managed turnkey application platform that allows you to focus on what matters most, delivering value to your customers by building and deploying applications. Red{nbsp}Hat and AWS SRE experts manage the underlying platform so you do not have to worry about infrastructure management. ROSA provides seamless integration with a wide range of AWS compute, database, analytics, machine learning, networking, mobile, and other services to further accelerate the building and delivering of differentiating experiences to your customers.
 
 ROSA makes use of AWS Security Token Service (STS) to obtain credentials to manage infrastructure in your AWS account. AWS STS is a global web service that creates temporary credentials for IAM users or federated users. ROSA uses this to assign short-term, limited-privilege, security credentials. These credentials are associated with IAM roles that are specific to each component that makes AWS API calls. This method aligns with the principals of least privilege and secure practices in cloud service resource management. The ROSA command line interface (CLI) tool manages the STS credentials that are assigned for unique tasks and takes action on AWS resources as part of OpenShift functionality.
 //For a detailed explanation, see "ROSA with STS Explained" (add xref when page is migrated).
 
 == Key features of ROSA
-* *Native AWS service:* Access and use Red Hat OpenShift on-demand with a self-service onboarding experience through the AWS management console.
+* *Native AWS service:* Access and use Red{nbsp}Hat OpenShift on-demand with a self-service onboarding experience through the AWS management console.
 * *Flexible, consumption-based pricing:* Scale to your business needs and pay as you go with flexible pricing and an on-demand hourly or annual billing model.
-* *Single bill for Red Hat OpenShift and AWS usage:* Customers will receive a single bill from AWS for both Red Hat OpenShift and AWS consumption.
-* *Fully integrated support experience:* Installation, management, maintenance, and upgrades are performed by Red Hat site reliability engineers (SREs) with joint Red Hat and Amazon support and a 99.95% service-level agreement (SLA).
+* *Single bill for Red{nbsp}Hat OpenShift and AWS usage:* Customers will receive a single bill from AWS for both Red{nbsp}Hat OpenShift and AWS consumption.
+* *Fully integrated support experience:* Installation, management, maintenance, and upgrades are performed by Red{nbsp}Hat site reliability engineers (SREs) with joint Red{nbsp}Hat and Amazon support and a 99.95% service-level agreement (SLA).
 * *AWS service integration:* AWS has a robust portfolio of cloud services, such as compute, storage, networking, database, analytics, and machine learning. All of these services are directly accessible through ROSA. This makes it easier to build, operate, and scale globally and on-demand through a familiar management interface.
 * *Maximum Availability:* Deploy clusters across multiple availability zones in supported regions to maximize availability and maintain high availability for your most demanding mission-critical applications and data.
 * *Cluster node scaling:* Easily add or remove compute nodes to match resource demand.
@@ -29,7 +29,7 @@ ROSA makes use of AWS Security Token Service (STS) to obtain credentials to mana
 In ROSA, everything you need to deploy and manage containers is bundled, including container management, Operators, networking, load balancing, service mesh, CI/CD, firewall, monitoring, registry, authentication, and authorization capabilities. These components are tested together for unified operations as a complete platform. Automated cluster operations, including over-the-air platform upgrades, further enhance your Kubernetes experience.
 
 == Basic responsibilities
-In general, cluster deployment and upkeep is Red Hat's or AWS's responsibility, while applications, users, and data is the customer's responsibility. For a more detailed breakdown of responsibilities, see the xref:../../rosa_architecture/rosa_policy_service_definition/rosa-policy-responsibility-matrix.adoc#rosa-policy-responsibility-matrix[responsibility matrix].
+In general, cluster deployment and upkeep is Red{nbsp}Hat's or AWS's responsibility, while applications, users, and data is the customer's responsibility. For a more detailed breakdown of responsibilities, see the xref:../../rosa_architecture/rosa_policy_service_definition/rosa-policy-responsibility-matrix.adoc#rosa-policy-responsibility-matrix[responsibility matrix].
 
 == Roadmap and feature requests
 Visit the link:https://github.com/openshift-cs/managed-openshift/projects/2[ROSA roadmap] to stay up-to-date with the status of features currently in development. Open a new issue if you have any suggestions for the product team.
@@ -48,7 +48,7 @@ All nodes in a ROSA cluster must be located in the same AWS region. For clusters
 For a ROSA cluster, the minimum is 2 worker nodes for single availability zone and 3 worker nodes for multiple availability zones.
 
 === Underlying node operating system
-As with all OpenShift v4.x offerings, the control plane, infra and worker nodes run Red Hat Enterprise Linux CoreOS (RHCOS).
+As with all OpenShift v4.x offerings, the control plane, infra and worker nodes run Red{nbsp}Hat Enterprise Linux CoreOS (RHCOS).
 
 === Node hibernation or shut-down
 At this time, ROSA does not have a hibernation or shut-down feature for nodes. The shutdown and hibernation feature is an OpenShift platform feature that is not yet mature enough for widespread cloud services use.
@@ -75,13 +75,13 @@ Customers can upgrade to the newest version of OpenShift and use the features fr
 == Support
 You can open a ticket directly from the {cluster-manager-url}. See the xref:../../support/getting-support.adoc#getting-support[ROSA support documentation] for more details about obtaining support.
 
-You can also visit the link:http://access.redhat.com/[Red Hat Customer Portal] to search or browse through the Red Hat knowledge base of articles and solutions relating to Red Hat products or submit a support case to Red Hat Support.
+You can also visit the link:http://access.redhat.com/[Red{nbsp}Hat Customer Portal] to search or browse through the Red{nbsp}Hat knowledge base of articles and solutions relating to Red{nbsp}Hat products or submit a support case to Red{nbsp}Hat Support.
 
 === Limited support
 If a ROSA cluster is not upgraded before the "end of life" date, the cluster continues to operate in a limited support status. The SLA for that cluster will no longer be applicable, but you can still get support for that cluster. See the xref:../../rosa_architecture/rosa_policy_service_definition/rosa-life-cycle.adoc#rosa-life-cycle[limited support status] documentation for more details.
 
 .Additional support resources
-* link:https://access.redhat.com/[Red Hat Support]
+* link:https://access.redhat.com/[Red{nbsp}Hat Support]
 * link:https://aws.amazon.com/premiumsupport/[AWS Support]
 +
 AWS support customers must have a valid AWS support contract
@@ -90,7 +90,7 @@ AWS support customers must have a valid AWS support contract
 Refer to the xref:../../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-sla_rosa-service-definition[ROSA SLA] page for details.
 
 == Notifications and communication
-Red Hat will provide notifications regarding new Red Hat and AWS features, updates, and scheduled maintenance through email and the {hybrid-console-second} service log.
+Red{nbsp}Hat will provide notifications regarding new Red{nbsp}Hat and AWS features, updates, and scheduled maintenance through email and the {hybrid-console-second} service log.
 
 == Open Service Broker for AWS (OBSA)
 You can use OSBA with ROSA. However, the preferred method is the more recent link:https://github.com/aws-controllers-k8s/community[AWS Controller for Kubernetes]. See link:https://aws.amazon.com/partners/servicebroker/[Open Service Broker for AWS] for more information on OSBA.
@@ -135,16 +135,16 @@ Currently, the ROSA CLI does not accept multi-region KMS keys for EBS encryption
 ROSA uses several different cloud services such as virtual machines, storage, and load balancers. You can see a defined list in the xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-aws-policy-provisioned_rosa-sts-aws-prereqs[AWS prerequisites].
 
 == Credential methods
-There are two credential methods to grant Red Hat the permissions needed to perform the required actions in your AWS account: AWS with STS or an IAM user with admin permissions. AWS with STS is the preferred method, and the IAM user method will eventually be deprecated. AWS with STS better aligns with the principles of least privilege and secure practices in cloud service resource management.
+There are two credential methods to grant Red{nbsp}Hat the permissions needed to perform the required actions in your AWS account: AWS with STS or an IAM user with admin permissions. AWS with STS is the preferred method, and the IAM user method will eventually be deprecated. AWS with STS better aligns with the principles of least privilege and secure practices in cloud service resource management.
 //See the section [ROSA with STS Explained] section for a detailed explanation.
 
 == Prerequisite permission or failure errors
-Check for a newer version of the ROSA CLI. Every release of the ROSA CLI is located in two places: link:https://github.com/openshift/rosa/releases[Github] and the link:https://www.openshift.com/products/rosa/download[Red Hat signed binary releases].
+Check for a newer version of the ROSA CLI. Every release of the ROSA CLI is located in two places: link:https://github.com/openshift/rosa/releases[Github] and the link:https://www.openshift.com/products/rosa/download[Red{nbsp}Hat signed binary releases].
 
 == Storage
 Refer to the xref:../../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-storage_rosa-service-definition[storage] section of the service definition.
 
-OpenShift includes the CSI driver for AWS EFS. For more information, see xref:../../storage/container_storage_interface/osd-persistent-storage-aws-efs-csi.adoc#osd-persistent-storage-aws-efs-csi[Setting up AWS EFS for Red Hat OpenShift Service on AWS].
+OpenShift includes the CSI driver for AWS EFS. For more information, see xref:../../storage/container_storage_interface/osd-persistent-storage-aws-efs-csi.adoc#osd-persistent-storage-aws-efs-csi[Setting up AWS EFS for Red{nbsp}Hat OpenShift Service on AWS].
 
 == Using a VPC
 At installation you can select to deploy to an existing VPC or bring your own VPC. You can then select the required subnets and provide a valid CIDR range that encompasses the subnets for the installation program when using those subnets.
@@ -155,7 +155,7 @@ ROSA allows multiple clusters to share the same VPC. The number of clusters on o
 ROSA uses the OpenShift OVN-Kubernetes default CNI network provider.
 
 == Cross-namespace networking
-Cluster admins can customize, and deny, cross-namespace on a project basis using NetworkPolicy objects. Refer to xref:../../networking/openshift_network_security/network_policy/multitenant-network-policy.adoc#nw-networkpolicy-multitenant-isolation_multitenant-network-policy[Configuring multitenant isolation with network policy] for more information.
+Cluster admins can customize, and deny, cross-namespace on a project basis using NetworkPolicy objects. Refer to xref:../../networking/network_security/network_policy/multitenant-network-policy.adoc#nw-networkpolicy-multitenant-isolation_multitenant-network-policy[Configuring multitenant isolation with network policy] for more information.
 
 == Using Prometheus and Grafana
 You can use Prometheus and Grafana to monitor containers and manage capacity using OpenShift User Workload Monitoring. This is a check-box option in the {cluster-manager-url}.
@@ -176,11 +176,11 @@ ROSA STS clusters do not have backups. Users must have their own backup policies
 You can define a custom domain for your applications. See xref:../../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-config-custom-domains-applications[Configuring custom domains for applications] for more information.
 
 == ROSA domain certificates
-Red Hat infrastructure (Hive) manages certificate rotation for default application ingress.
+Red{nbsp}Hat infrastructure (Hive) manages certificate rotation for default application ingress.
 
 == Disconnected environments
 ROSA does not support an air-gapped, disconnected environment. The ROSA cluster must have egress to the internet to access our registry, S3, and send metrics. The service requires a number of egress endpoints.
-Ingress can be limited to a PrivateLink for Red Hat SREs and a VPN for customer access.
+Ingress can be limited to a PrivateLink for Red{nbsp}Hat SREs and a VPN for customer access.
 
 //== Creating your first ROSA cluster
 
@@ -190,9 +190,9 @@ Ingress can be limited to a PrivateLink for Red Hat SREs and a VPN for customer
 .Additional Resources
 
 * ROSA product pages:
-** link:https://www.openshift.com/products/amazon-openshift[Red Hat product page]
+** link:https://www.openshift.com/products/amazon-openshift[Red{nbsp}Hat product page]
 ** link:https://aws.amazon.com/rosa/[AWS product page]
-** link:https://access.redhat.com/products/red-hat-openshift-service-aws[Red Hat customer portal]
+** link:https://access.redhat.com/products/red-hat-openshift-service-aws[Red{nbsp}Hat Customer Portal]
 * ROSA specific resources
 ** link:https://docs.aws.amazon.com/ROSA/latest/userguide/getting-started.html[AWS ROSA getting started guide]
 ** xref:../../welcome/index.adoc#welcome-index[ROSA documentation]
@@ -205,4 +205,4 @@ Ingress can be limited to a PrivateLink for Red Hat SREs and a VPN for customer
 ** link:https://red.ht/rosa-roadmap[ROSA roadmap]
 * link:https://learn.openshift.com[Learn about OpenShift]
 * {cluster-manager-url}
-* link:https://support.redhat.com[Red Hat Support]
+* link:https://support.redhat.com[Red{nbsp}Hat Support]
diff --git a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-rosa-sts-explained.adoc b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-rosa-sts-explained.adoc
index 91755f5752f2..10c83c203915 100644
--- a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-rosa-sts-explained.adoc
+++ b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-rosa-sts-explained.adoc
@@ -27,7 +27,7 @@ This tutorial will:
 
 [id="different-credential-methods-rosa"]
 == Different credential methods to deploy ROSA
-As part of ROSA, Red Hat manages infrastructure resources in your AWS account and must be granted the necessary permissions. There are currently two supported methods for granting those permissions:
+As part of ROSA, Red{nbsp}Hat manages infrastructure resources in your AWS account and must be granted the necessary permissions. There are currently two supported methods for granting those permissions:
 
 * Using static IAM user credentials with an `AdministratorAccess` policy
 +
@@ -120,7 +120,7 @@ The roles and policies can be created automatically by the ROSA CLI, or they can
 
 [id="sts-process"]
 == ROSA with STS workflow
-The user creates the required account-wide roles and account-wide policies. For more information, see the components section in this tutorial. During role creation, a trust policy, known as a cross-account trust policy, is created which allows a Red Hat-owned role to assume the roles. Trust policies are also created for the EC2 service, which allows workloads on EC2 instances to assume roles and obtain credentials. The user can then assign a corresponding permissions policy to each role.
+The user creates the required account-wide roles and account-wide policies. For more information, see the components section in this tutorial. During role creation, a trust policy, known as a cross-account trust policy, is created which allows a Red{nbsp}Hat-owned role to assume the roles. Trust policies are also created for the EC2 service, which allows workloads on EC2 instances to assume roles and obtain credentials. The user can then assign a corresponding permissions policy to each role.
 
 After the account-wide roles and policies are created, the user can create a cluster. Once cluster creation is initiated, the Operator roles are created so that cluster Operators can make AWS API calls. These roles are then assigned to the corresponding permission policies that were created earlier and a trust policy with an OIDC provider. The Operator roles differ from the account-wide roles in that they ultimately represent the pods that need access to AWS resources. Because a user cannot attach IAM roles to pods, they must create a trust policy with an OIDC provider so that the Operator, and therefore the pods, can access the roles they need.
 
@@ -128,7 +128,7 @@ Once the user assigns the roles to the corresponding policy permissions, the fin
 
 image::cloud-experts-sts-explained_creation_flow.png[]
 
-When a new role is needed, the workload currently using the Red Hat role will assume the role in the AWS account, obtain temporary credentials from AWS STS, and begin performing the actions using API calls within the customer's AWS account as permitted by the assumed role's permissions policy. The credentials are temporary and have a maximum duration of one hour.
+When a new role is needed, the workload currently using the Red{nbsp}Hat role will assume the role in the AWS account, obtain temporary credentials from AWS STS, and begin performing the actions using API calls within the customer's AWS account as permitted by the assumed role's permissions policy. The credentials are temporary and have a maximum duration of one hour.
 
 image::cloud-experts-sts-explained_highlevel.png[]
 
@@ -144,9 +144,9 @@ image::cloud-experts-sts-explained_oidc_op_roles.png[]
 == ROSA with STS use cases
 
 .Creating nodes at cluster install
-The Red Hat installation program uses the `RH-Managed-OpenShift-Installer` role and a trust policy to assume the `Managed-OpenShift-Installer-Role` role in the customer's account. This process returns temporary credentials from AWS STS. The installation program begins making the required API calls with the temporary credentials just received from STS. The installation program creates the required infrastructure in AWS. The credentials expire within an hour and the installation program no longer has access to the customer's account. 
+The Red{nbsp}Hat installation program uses the `RH-Managed-OpenShift-Installer` role and a trust policy to assume the `Managed-OpenShift-Installer-Role` role in the customer's account. This process returns temporary credentials from AWS STS. The installation program begins making the required API calls with the temporary credentials just received from STS. The installation program creates the required infrastructure in AWS. The credentials expire within an hour and the installation program no longer has access to the customer's account. 
 
-The same process also applies for support cases. In support cases, a Red Hat site reliability engineer (SRE) replaces the installation program.
+The same process also applies for support cases. In support cases, a Red{nbsp}Hat site reliability engineer (SRE) replaces the installation program.
 
 .Scaling the cluster
 The `machine-api-operator` uses link:https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html[AssumeRoleWithWebIdentity] to assume the `machine-api-aws-cloud-credentials` role. This launches the sequence for the cluster Operators to receive the credentials. The `machine-api-operator` role can now make the relevant API calls to add more EC2 instances to the cluster.
\ No newline at end of file
diff --git a/cloud_experts_tutorials/cloud-experts-rosa-cloudwatch-sts.adoc b/cloud_experts_tutorials/cloud-experts-rosa-cloudwatch-sts.adoc
deleted file mode 100644
index c4d731d360d8..000000000000
--- a/cloud_experts_tutorials/cloud-experts-rosa-cloudwatch-sts.adoc
+++ /dev/null
@@ -1,308 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-[id="cloud-experts-rosa-cloudwatch-sts"]
-= Configuring log forwarding for CloudWatch logs and STS
-include::_attributes/attributes-openshift-dedicated.adoc[]
-:context: cloud-experts-rosa-cloudwatch-sts
-
-toc::[]
-
-//Mobb content metadata
-//Brought into ROSA product docs 2023-09-18
-//---
-// date: '2022-08-19'
-// date:
-// title: Configuring the Cluster Log Forwarder for CloudWatch Logs and STS
-// tags: ["AWS", "ROSA"]
-// authors:
-//   - Paul Czarkowski
-//   - Connor Wooley
-// ---
-
-Use this tutorial to deploy the {clo} and configure it to use Security Token Services (STS) authentication to forward logs to CloudWatch.
-
-[id="cloud-experts-rosa-cloudwatch-sts-prerequisites"]
-.Prerequisites
-
-* A {product-title} (ROSA) Classic cluster
-* The `jq` command-line interface (CLI)
-* The Amazon Web Services (AWS) CLI (`aws`)
-
-[id="cloud-experts-rosa-cloudwatch-sts-environment-setup"]
-== Setting up your environment
-
-. Configure the following environment variables, changing the cluster name to suit your cluster:
-+
-[NOTE]
-====
-You must be logged in as an administrator.
-====
-+
-[source,terminal]
-----
-$ export ROSA_CLUSTER_NAME=$(oc get infrastructure cluster -o=jsonpath="{.status.infrastructureName}"  | sed 's/-[a-z0-9]\{5\}$//')
-$ export REGION=$(rosa describe cluster -c ${ROSA_CLUSTER_NAME} --output json | jq -r .region.id)
-$ export OIDC_ENDPOINT=$(oc get authentication.config.openshift.io cluster -o json | jq -r .spec.serviceAccountIssuer | sed  's|^https://||')
-$ export AWS_ACCOUNT_ID=`aws sts get-caller-identity --query Account --output text`
-$ export AWS_PAGER=""
-$ export SCRATCH="/tmp/${ROSA_CLUSTER_NAME}/clf-cloudwatch-sts"
-$ mkdir -p ${SCRATCH}
-----
-
-. Ensure all fields output correctly before moving to the next section:
-+
-[source,terminal]
-----
-$ echo "Cluster: ${ROSA_CLUSTER_NAME}, Region: ${REGION}, OIDC Endpoint: ${OIDC_ENDPOINT}, AWS Account ID: ${AWS_ACCOUNT_ID}"
-----
-
-[id="cloud-experts-rosa-cloudwatch-sts-prep-aws"]
-== Preparing your AWS account
-
-. Create an Identity Access Management (IAM) policy for {logging}:
-+
-[source,terminal]
-----
-$ POLICY_ARN=$(aws iam list-policies --query "Policies[?PolicyName=='RosaCloudWatch'].{ARN:Arn}" --output text)
-$ if [[ -z "${POLICY_ARN}" ]]; then
-cat << EOF > ${SCRATCH}/policy.json
-{
-  "Version": "2012-10-17",
-  "Statement": [
-     {
-           "Effect": "Allow",
-           "Action": [
-              "logs:CreateLogGroup",
-              "logs:CreateLogStream",
-              "logs:DescribeLogGroups",
-              "logs:DescribeLogStreams",
-              "logs:PutLogEvents",
-              "logs:PutRetentionPolicy"
-           ],
-           "Resource": "arn:aws:logs:*:*:*"
-     }
-]
-}
-EOF
-POLICY_ARN=$(aws iam create-policy --policy-name "RosaCloudWatch" \
---policy-document file:///${SCRATCH}/policy.json --query Policy.Arn --output text)
-fi
-$ echo ${POLICY_ARN}
-----
-
-. Create an IAM role trust policy for the cluster:
-+
-[source,terminal]
-----
-$ cat <<EOF > ${SCRATCH}/trust-policy.json
-{
-   "Version": "2012-10-17",
-   "Statement": [{
-     "Effect": "Allow",
-     "Principal": {
-       "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_ENDPOINT}"
-     },
-     "Action": "sts:AssumeRoleWithWebIdentity",
-     "Condition": {
-       "StringEquals": {
-         "${OIDC_ENDPOINT}:sub": "system:serviceaccount:openshift-logging:logcollector"
-       }
-     }
-   }]
-}
-EOF
-$ ROLE_ARN=$(aws iam create-role --role-name "${ROSA_CLUSTER_NAME}-RosaCloudWatch" \
-      --assume-role-policy-document file://${SCRATCH}/trust-policy.json \
-      --query Role.Arn --output text)
-$ echo ${ROLE_ARN}
-----
-
-. Attach the IAM policy to the IAM role:
-+
-[source,terminal]
-----
-$ aws iam attach-role-policy --role-name "${ROSA_CLUSTER_NAME}-RosaCloudWatch" \
-   --policy-arn ${POLICY_ARN}
-----
-
-[id="cloud-experts-rosa-cloudwatch-sts-deploy-Os"]
-== Deploying Operators
-
-. Deploy the {clo}:
-+
-[source,terminal]
-----
-$  cat << EOF | oc apply -f -
-   apiVersion: operators.coreos.com/v1alpha1
-   kind: Subscription
-   metadata:
-     labels:
-      operators.coreos.com/cluster-logging.openshift-logging: ""
-     name: cluster-logging
-     namespace: openshift-logging
-   spec:
-     channel: stable
-     installPlanApproval: Automatic
-     name: cluster-logging
-     source: redhat-operators
-     sourceNamespace: openshift-marketplace
-EOF
-----
-
-. Create a secret:
-+
-[source,terminal]
-----
-$  cat << EOF | oc apply -f -
-  apiVersion: v1
-  kind: Secret
-  metadata:
-    name: cloudwatch-credentials
-    namespace: openshift-logging
-  stringData:
-    role_arn: $ROLE_ARN
-EOF
-----
-
-[id="cloud-experts-rosa-cloudwatch-sts-configure-cluster-logging"]
-== Configuring cluster logging
-
-. Create a `ClusterLogForwarder` custom resource (CR):
-+
-[source,terminal]
-----
-$ cat << EOF | oc apply -f -
-  apiVersion: "logging.openshift.io/v1"
-  kind: ClusterLogForwarder
-  metadata:
-    name: instance
-    namespace: openshift-logging
-  spec:
-    outputs:
-      - name: cw
-        type: cloudwatch
-        cloudwatch:
-          groupBy: namespaceName
-          groupPrefix: rosa-${ROSA_CLUSTER_NAME}
-          region: ${REGION}
-        secret:
-          name: cloudwatch-credentials
-    pipelines:
-      - name: to-cloudwatch
-        inputRefs:
-          - infrastructure
-          - audit
-          - application
-        outputRefs:
-          - cw
-EOF
-----
-
-. Create a `ClusterLogging` CR:
-+
-[source,terminal]
-----
-$ cat << EOF | oc apply -f -
-  apiVersion: logging.openshift.io/v1
-  kind: ClusterLogging
-  metadata:
-    name: instance
-    namespace: openshift-logging
-  spec:
-    collection:
-      logs:
-         type: vector
-    managementState: Managed
-EOF
-----
-
-[id="cloud-experts-rosa-cloudwatch-sts-check-aws"]
-== Checking CloudWatch for logs
-
-* Use either the AWS console or the AWS CLI to validate that there are log streams from the cluster.
-** To validate the logs in the AWS CLI, run the following command:
-+
-[source,terminal]
-----
-$ aws logs describe-log-groups --log-group-name-prefix rosa-${ROSA_CLUSTER_NAME}
-----
-+
-.Sample output
-+
-[source,c]
-----
-{
-  "logGroups": [
-      {
-        "logGroupName": "rosa-xxxx.audit",
-        "creationTime": 1661286368369,
-        "metricFilterCount": 0,
-        "arn": "arn:aws:logs:us-east-2:xxxx:log-group:rosa-xxxx.audit:*",
-        "storedBytes": 0
-      },
-      {
-        "logGroupName": "rosa-xxxx.infrastructure",
-        "creationTime": 1661286369821,
-        "metricFilterCount": 0,
-        "arn": "arn:aws:logs:us-east-2:xxxx:log-group:rosa-xxxx.infrastructure:*",
-        "storedBytes": 0
-      }
-  ]
-}
-----
-+
-[NOTE]
-====
-If this is a new cluster, you might not see a log group for `application` logs as applications are not yet running.
-====
-
-[id="cloud-experts-rosa-cloudwatch-sts-clean-up"]
-== Cleaning up your resources
-
-. Delete the `ClusterLogForwarder` CR:
-+
-[source,terminal]
-----
-$ oc delete -n openshift-logging clusterlogforwarder instance
-----
-
-. Delete the `ClusterLogging` CR:
-+
-[source,terminal]
-----
-$ oc delete -n openshift-logging clusterlogging instance
-----
-
-. Detach the IAM policy to the IAM role:
-+
-[source,terminal]
-----
-$ aws iam detach-role-policy --role-name "${ROSA_CLUSTER_NAME}-RosaCloudWatch" \
-   --policy-arn "${POLICY_ARN}"
-----
-
-. Delete the IAM role:
-+
-[source,terminal]
-----
-$ aws iam delete-role --role-name "${ROSA_CLUSTER_NAME}-RosaCloudWatch"
-----
-
-. Delete the IAM policy:
-+
-[IMPORTANT]
-====
-Only delete the IAM policy if there are no other resources using the policy.
-====
-+
-[source,terminal]
-----
-$ aws iam delete-policy --policy-arn "${POLICY_ARN}"
-----
-
-. Delete the CloudWatch log groups:
-+
-[source,terminal]
-----
-$ aws logs delete-log-group --log-group-name "rosa-${ROSA_CLUSTER_NAME}.audit"
-$ aws logs delete-log-group --log-group-name "rosa-${ROSA_CLUSTER_NAME}.infrastructure"
-----
diff --git a/cloud_experts_tutorials/cloud-experts-rosa-hcp-activation-and-account-linking-tutorial.adoc b/cloud_experts_tutorials/cloud-experts-rosa-hcp-activation-and-account-linking-tutorial.adoc
index 77804f757a99..a365020dacda 100644
--- a/cloud_experts_tutorials/cloud-experts-rosa-hcp-activation-and-account-linking-tutorial.adoc
+++ b/cloud_experts_tutorials/cloud-experts-rosa-hcp-activation-and-account-linking-tutorial.adoc
@@ -24,9 +24,9 @@ If you have received a private offer for the product, make sure to proceed accor
 
 == Prerequisites
 
-* Make sure to log into the Red Hat account that you plan to associate with the AWS account where you have activated {hcp-title} in previous steps.
-* Only a single AWS account that will be used for service billing can be associated with a Red Hat account. Typically an organizational AWS account that has other AWS accounts, such as developer accounts, linked would be the one that is to be billed, rather than individual AWS end user accounts.
-* Red Hat accounts belonging to the same Red Hat organization will be linked with the same AWS account. Therefore, you can manage who has access to creating {hcp-title} clusters on the Red Hat organization account level.
+* Make sure to log in to the Red{nbsp}Hat account that you plan to associate with the AWS account where you have activated {hcp-title} in previous steps.
+* Only a single AWS account that will be used for service billing can be associated with a Red{nbsp}Hat account. Typically an organizational AWS account that has other AWS accounts, such as developer accounts, linked would be the one that is to be billed, rather than individual AWS end user accounts.
+* Red{nbsp}Hat accounts belonging to the same Red{nbsp}Hat organization will be linked with the same AWS account. Therefore, you can manage who has access to creating {hcp-title} clusters on the Red{nbsp}Hat organization account level.
 
 == Subscription enablement and AWS account setup
 
@@ -36,7 +36,7 @@ image::rosa-get-started.png[]
 +
 If you have activated ROSA before but did not complete the process, you can click the button and complete the account linking as described in the following steps.
 
-. Confirm that you want your contact information to be shared with Red Hat and enable the service:
+. Confirm that you want your contact information to be shared with Red{nbsp}Hat and enable the service:
 +
 image::rosa-enable-2.png[]
 +
@@ -58,31 +58,31 @@ image::rosa-prereq-5.png[]
 +
 The ELB service-linked role is created for you automatically. You can click any of the small *Info* blue links to get contextual help and resources.
 
-== AWS and Red Hat account and subscription linking
+== AWS and Red{nbsp}Hat account and subscription linking
 
-. Click the orange *Continue to Red Hat* button to proceed with account linking:
+. Click the orange *Continue to Red{nbsp}Hat* button to proceed with account linking:
 +
 image::rosa-continue-rh-6.png[]
 
-. If you are not already logged in to your Red Hat account in your current browser's session, you will be asked to log in to your account:
+. If you are not already logged in to your Red{nbsp}Hat account in your current browser's session, you will be asked to log in to your account:
 +
 image::rosa-login-rh-account-7.png[]
 +
-* You can also register for a new Red Hat account or reset your password on this page. 
-* Make sure to log into the Red Hat account that you plan to associate with the AWS account where you have activated {hcp-title} in previous steps.
-* Only a single AWS account that will be used for service billing can be associated with a Red Hat account. Typically an organizational AWS account that has other AWS accounts, such as developer accounts, linked would be the one that is to be billed, rather than individual AWS end user accounts.
-* Red Hat accounts belonging to the same Red Hat organization will be linked with the same AWS account. Therefore, you can manage who has access to creating {hcp-title} clusters on the Red Hat organization account level.
+* You can also register for a new Red{nbsp}Hat account or reset your password on this page.
+* Make sure to log in to the Red{nbsp}Hat account that you plan to associate with the AWS account where you have activated {hcp-title} in previous steps.
+* Only a single AWS account that will be used for service billing can be associated with a Red{nbsp}Hat account. Typically an organizational AWS account that has other AWS accounts, such as developer accounts, linked would be the one that is to be billed, rather than individual AWS end user accounts.
+* Red{nbsp}Hat accounts belonging to the same Red{nbsp}Hat organization will be linked with the same AWS account. Therefore, you can manage who has access to creating {hcp-title} clusters on the Red{nbsp}Hat organization account level.
 
-. Complete the Red Hat account linking after reviewing the terms and conditions:
+. Complete the Red{nbsp}Hat account linking after reviewing the terms and conditions:
 +
 [NOTE]
 ====
-This step is available only if the logged-in Red Hat account, or the Red Hat organization managing the Red Hat account, was not linked to an AWS account before.
+This step is available only if the logged-in Red{nbsp}Hat account, or the Red{nbsp}Hat organization managing the Red{nbsp}Hat account, was not linked to an AWS account before.
 ====
 +
 image::rosa-rh-account-connection-8.png[]
 +
-Both the Red Hat and AWS account numbers are shown on this screen.
+Both the Red{nbsp}Hat and AWS account numbers are shown on this screen.
 
 . Click the *Connect accounts* button if you agree with the service terms.
 +
@@ -105,7 +105,7 @@ image::rosa-cluster-create-10.png[]
 image::rosa-deploy-11.png[]
 +
 * It is possible that these steps will be performed on a different machine than where the service enablement and account linking were completed.
-* As mentioned previously, any Red Hat account belonging to the Red Hat organization that was linked with the AWS account that activated the ROSA service will have access to creating a cluster and will be able to select the billing AWS account that was linked under this Red Hat organization previously.
+* As mentioned previously, any Red{nbsp}Hat account belonging to the Red{nbsp}Hat organization that was linked with the AWS account that activated the ROSA service will have access to creating a cluster and will be able to select the billing AWS account that was linked under this Red{nbsp}Hat organization previously.
 +
 The last section of this page shows cluster deployment options, either using the `rosa` CLI or through the web console:
 +
@@ -133,7 +133,7 @@ Do not share your unique token.
 
 . The final prerequisite before your first cluster deployment is making sure the necessary account-wide roles and policies are created. The `rosa` CLI can help with that by using the command shown under step _2.2. To create the necessary account-wide roles and policies quickly…_ on the web console. The alternative to that is manual creation of these roles and policies.
 
-. After logging in, creating the account roles, and verifying your identity using the `rosa whoami` command, your terminal will look similar to this: 
+. After logging in, creating the account roles, and verifying your identity using the `rosa whoami` command, your terminal will look similar to this:
 +
 image::rosa-whoami-14.png[]
 
@@ -153,7 +153,7 @@ image::rosa-create-cli-16.png[]
 +
 image::rosa-create-cli-billing-17.png[]
 +
-* Only AWS accounts that were linked to the Red Hat organization that is currently used will be shown.
+* Only AWS accounts that were linked to the Red{nbsp}Hat organization that is currently used will be shown.
 * The specified AWS account will be charged for using the ROSA service, regardless of whether the infrastructure AWS account is linked to it in the same AWS organization.
 * You can see an indicator of whether the ROSA contract is enabled for a given AWS billing account or not.
 * To select an AWS account that does not have the contract enabled, refer to the first few steps in this tutorial to enable the contract and allow the service charging, which is required for a successful cluster deployment.
@@ -174,7 +174,7 @@ image::rosa-deploy-ui-19.png[]
 +
 image::rosa-deploy-ui-hcp-20.png[]
 
-. The next step *Accounts and roles* allows you specifying the infrastructure AWS account, into which the the ROSA cluster will be deployed and where the resources will be consumed and managed:
+. The next step *Accounts and roles* allows you specifying the infrastructure AWS account, into which the ROSA cluster will be deployed and where the resources will be consumed and managed:
 +
 image::rosa-ui-account-21.png[]
 +
@@ -186,17 +186,14 @@ image::rosa-ui-account-21.png[]
 +
 image::rosa-ui-billing-22.png[]
 +
-* Only AWS accounts that were linked to the Red Hat organization that is currently used will be shown.
+* Only AWS accounts that were linked to the Red{nbsp}Hat organization that is currently used will be shown.
 * The specified AWS account will be charged for using the ROSA service, regardless of whether the infrastructure AWS account is linked to it in the same AWS organization.
 * You can see an indicator whether the ROSA contract is enabled for a given AWS billing account or not.
 * In case you would like to use an AWS account that does not have a contract enabled yet, you can either use the _Connect ROSA to a new AWS billing account_ to reach the ROSA AWS console page, where you can activate it after logging in using the respective AWS account by following steps described earlier in this tutorial, or ask the administrator of the AWS account to do that for you.
 
-The following steps past the billing AWS account selection are beyond the scope of this tutorial. 
+The following steps past the billing AWS account selection are beyond the scope of this tutorial.
 
 .Additional resources
 
 * For information on using the CLI to create a cluster, see xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-hcp-sts-creating-a-cluster-cli_rosa-hcp-sts-creating-a-cluster-quickly[Creating a ROSA with HCP cluster using the CLI].
 * See link:https://cloud.redhat.com/learning/learn:getting-started-red-hat-openshift-service-aws-rosa/resource/resources:how-deploy-cluster-red-hat-openshift-service-aws-using-console-ui[this learning path] for more details on how to complete ROSA cluster deployment using the web console.
-
-
-
diff --git a/cloud_experts_tutorials/cloud-experts-update-component-routes.adoc b/cloud_experts_tutorials/cloud-experts-update-component-routes.adoc
new file mode 100644
index 000000000000..4092df9c9578
--- /dev/null
+++ b/cloud_experts_tutorials/cloud-experts-update-component-routes.adoc
@@ -0,0 +1,258 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="cloud-experts-update-component-routes"]
+= Tutorial: Updating component routes with custom domains and TLS certificates
+include::_attributes/attributes-openshift-dedicated.adoc[]
+:context: cloud-experts-update-component-routes
+
+toc::[]
+
+:fn-supported-versions: footnote:[Modifying these routes on {product-title} ROSA versions prior to 4.14 is not typically supported. However, if you have a cluster using version 4.13, you can request for Red Hat Support to enable support for this feature on your version 4.13 cluster by link:https://access.redhat.com/support/cases/new[opening a support case].]
+:fn-term-component-routes: footnote:[We use the term "component routes" to refer to the OAuth, Console, and Downloads routes that are provided when ROSA are first installed.]
+
+//Article text
+This guide demonstrates how to modify the hostname and TLS certificate of the Web console, OAuth server, and Downloads component routes in {product-title} (ROSA) version 4.14 and above.{fn-supported-versions}
+
+The changes that we make to the component routes{fn-term-component-routes} in this guide are described in greater detail in the customizing the link:https://docs.openshift.com/container-platform/latest/authentication/configuring-internal-oauth.html#customizing-the-oauth-server-url_configuring-internal-oauth[internal OAuth server URL], link:https://docs.openshift.com/container-platform/latest/web_console/customizing-the-web-console.html#customizing-the-console-route_customizing-web-console[console route], and link:https://docs.openshift.com/container-platform/latest/web_console/customizing-the-web-console.html#customizing-the-download-route_customizing-web-console[download route] OpenShift Container Platform documentation. 
+
+[id="prerequisites_{context}"]
+== Prerequisites
+* ROSA CLI (`rosa`) version 1.2.37 or higher
+* AWS CLI (`aws`)
+* A ROSA Classic cluster version 4.14 or higher
++
+[NOTE]
+====
+ROSA with HCP is not supported at this time.
+====
++
+* OpenShift CLI (`oc`)
+* `jq` CLI
+* Access to the cluster as a user with the `cluster-admin` role.
+* OpenSSL (for generating the demonstration SSL/TLS certificates)
+
+[id="environment-setup_{context}"]
+== Setting up your environment
+
+. Log in to your cluster using an account with `cluster-admin` privileges.
++
+. Configure an environment variable for your cluster name:
++
+[source,terminal]
+----
+$ export CLUSTER_NAME=$(oc get infrastructure cluster -o=jsonpath="{.status.infrastructureName}"  | sed 's/-[a-z0-9]\{5\}$//')
+----
+
+. Ensure all fields output correctly before moving to the next section:
++
+[source,terminal]
+----
+$ echo "Cluster: ${CLUSTER_NAME}"
+----
++
+.Example output
++
+[source,text]
+----
+Cluster: my-rosa-cluster
+----
+
+[id="find-current-component-routes_{context}"]
+== Find the current routes
+
+. Verify that you can reach the component routes on their default hostnames.
++
+You can find the hostnames by querying the lists of routes in the `openshift-console` and `openshift-authentication` projects.
++
+[source,bash]
+----
+$ oc get routes -n openshift-console
+$ oc get routes -n openshift-authentication
+----
++
+.Example output
++
+[source,text]
+----
+NAME        HOST/PORT                                                                          PATH       SERVICES    PORT    TERMINATION          WILDCARD
+console     console-openshift-console.apps.my-example-cluster-aws.z9a9.p1.openshiftapps.com    ... 1 more  console    https   reencrypt/Redirect   None
+downloads   downloads-openshift-console.apps.my-example-cluster-aws.z9a9.p1.openshiftapps.com  ... 1 more  downloads  http    edge/Redirect        None
+NAME              HOST/PORT                                                             PATH        SERVICES          PORT   TERMINATION            WILDCARD
+oauth-openshift   oauth-openshift.apps.my-example-cluster-aws.z9a9.p1.openshiftapps.com ... 1 more  oauth-openshift   6443   passthrough/Redirect   None
+----
++
+From this output you can see that our base hostname is `z9a9.p1.openshiftapps.com`.
++
+. Get the ID of the default ingress by running the following command:
++
+[source,bash]
+----
+$ export INGRESS_ID=$(rosa list ingress -c ${CLUSTER_NAME} -o json | jq -r '.[] | select(.default == true) | .id')
+----
++
+. Ensure all fields output correctly before moving to the next section:
++
+[source,terminal]
+----
+$ echo "Ingress ID: ${INGRESS_ID}"
+----
++
+.Example output
++
+[source,text]
+----
+Ingress ID: r3l6
+----
++
+By running these commands you can see that the default component routes for our cluster are:
+
+* `console-openshift-console.apps.my-example-cluster-aws.z9a9.p1.openshiftapps.com` for Console
+* `downloads-openshift-console.apps.my-example-cluster-aws.z9a9.p1.openshiftapps.com` for Downloads
+* `oauth-openshift.apps.my-example-cluster-aws.z9a9.p1.openshiftapps.com` for OAuth
+
+We can use the `rosa edit ingress` command to change the hostname of each service and add a TLS certificate for all of our component routes. The relevant parameters are shown in this excerpt of the command line help for the `rosa edit ingress` command:
+
+[source,bash]
+----
+$ rosa edit ingress -h
+Edit a cluster ingress for a cluster. Usage:
+  rosa edit ingress ID [flags]
+  [...]
+  --component-routes string                Component routes settings. Available keys [oauth, console, downloads]. For each key a pair of hostname and tlsSecretRef is expected to be supplied. Format should be a comma separate list 'oauth: hostname=example-hostname;tlsSecretRef=example-secret-ref,downloads:...'
+----
+
+For this example, we'll use the following custom component routes:
+
+* `console.my-new-domain.dev` for Console
+* `downloads.my-new-domain.dev` for Downloads
+* `oauth.my-new-domain.dev` for OAuth
+
+[id="create-tls-certificates_{context}"]
+== Create a valid TLS certificate for each component route
+
+In this section, we create three separate self-signed certificate key pairs and then trust them to verify that we can access our new component routes using a real web browser.
+
+[WARNING]
+====
+This is for demonstration purposes only, and is not recommended as a solution for production workloads. Consult your certificate authority to understand how to create certificates with similar attributes for your production workloads.
+====
+
+[IMPORTANT]
+====
+To prevent issues with HTTP/2 connection coalescing, you must use a separate individual certificate for each endpoint. Using a wildcard or SAN certificate is not supported.
+====
+
+. Generate a certificate for each component route, taking care to set our certificate's subject (`-subj`) to the custom domain of the component route we want to use: 
++
+.Example
++
+[source,bash]
+----
+$ openssl req -newkey rsa:2048 -new -nodes -x509 -days 365 -keyout key-console.pem -out cert-console.pem -subj "/CN=console.my-new-domain.dev"
+$ openssl req -newkey rsa:2048 -new -nodes -x509 -days 365 -keyout key-downloads.pem -out cert-downloads.pem -subj "/CN=downloads.my-new-domain.dev"
+$ openssl req -newkey rsa:2048 -new -nodes -x509 -days 365 -keyout key-oauth.pem -out cert-oauth.pem -subj "/CN=oauth.my-new-domain.dev"
+----
++
+This generates three pairs of `.pem` files, `key-<component>.pem` and `cert-<component>.pem`.
+
+[id="add-certificates-as-secrets_{context}"]
+== Add the certificates to the cluster as secrets
+
+. Create three TLS secrets in the `openshift-config` namespace.
++
+These become your secret reference when you update the component routes later in this guide.
++
+[source,bash]
+----
+$ oc create secret tls console-tls --cert=cert-console.pem --key=key-console.pem -n openshift-config
+$ oc create secret tls downloads-tls --cert=cert-downloads.pem --key=key-downloads.pem -n openshift-config
+$ oc create secret tls oauth-tls --cert=cert-oauth.pem --key=key-oauth.pem -n openshift-config
+----
+
+[id="find-lb-hostname_{context}"]
+== Find the hostname of the load balancer in your cluster
+
+When you create a cluster, the service creates a load balancer and generates a hostname for that load balancer. We need to know the load balancer hostname in order to create DNS records for our cluster.
+
+You can find the hostname by running the `oc get svc` command against the `openshift-ingress` namespace. The hostname of the load balancer is the `EXTERNAL-IP` associated with the `router-default` service in the `openshift-ingress` namespace.
+
+[source,bash]
+----
+$ oc get svc -n openshift-ingress
+NAME            TYPE          CLUSTER-IP     EXTERNAL-IP                                             PORT(S)                     AGE
+router-default  LoadBalancer  172.30.237.88  a234gsr3242rsfsfs-1342r624.us-east-1.elb.amazonaws.com  80:31175/TCP,443:31554/TCP  76d
+----
+
+In our case, the hostname is `a234gsr3242rsfsfs-1342r624.us-east-1.elb.amazonaws.com`.
+
+Save this value for later, as we will need it to configure DNS records for our new component route hostnames.
+
+[id="add-component-routes-to-dns_{context}"]
+== Add component route DNS records to your hosting provider
+
+In your hosting provider, add DNS records that map the `CNAME` of your new component route hostnames to the load balancer hostname we found in the previous step.
+
+//.Need an image for this
+//image::[Picture goes here]
+
+[id="update-component-routes-tls-using-rosa-cli_{context}"]
+== Update the component routes and TLS secret using the ROSA CLI
+
+When your DNS records have been updated, you can use the ROSA CLI to change the component routes.
+
+. Use the `rosa edit ingress` command to update your default ingress route with the new base domain and the secret reference associated with it, taking care to update the hostnames for each component route.
++
+[source,bash]
+----
+$ rosa edit ingress -c ${CLUSTER_NAME} ${INGRESS_ID} --component-routes 'console: hostname=console.my-new-domain.dev;tlsSecretRef=console-tls,downloads: hostname=downloads.my-new-domain.dev;tlsSecretRef=downloads-tls,oauth: hostname=oauth.my-new-domain.dev;tlsSecretRef=oauth-tls'
+----
++
+[NOTE]
+====
+You can also edit only a subset of the component routes by leaving the component routes you do not want to change set to an empty string. For example, if you only want to change the Console and OAuth server hostnames and TLS certificates, you would run the following command:
+[source,bash]
+----
+$ rosa edit ingress -c ${CLUSTER_NAME} ${INGRESS_ID} --component-routes 'console: hostname=console.my-new-domain.dev;tlsSecretRef=console-tls,downloads: hostname="";tlsSecretRef="", oauth: hostname=oauth.my-new-domain.dev;tlsSecretRef=oauth-tls'
+----
+====
++
+. Run the `rosa list ingress` command to verify that your changes were successfully made:
++
+[source,bash]
+----
+$ rosa list ingress -c ${CLUSTER_NAME} -ojson | jq ".[] | select(.id == \"${INGRESS_ID}\") | .component_routes"
+----
++
+.Example output
++
+[source,text]
+----
+{
+  "console": {
+    "kind": "ComponentRoute",
+    "hostname": "console.my-new-domain.dev",
+    "tls_secret_ref": "console-tls"
+  },
+  "downloads": {
+    "kind": "ComponentRoute",
+    "hostname": "downloads.my-new-domain.dev",
+    "tls_secret_ref": "downloads-tls"
+  },
+  "oauth": {
+    "kind": "ComponentRoute",
+    "hostname": "oauth.my-new-domain.dev",
+    "tls_secret_ref": "oauth-tls"
+  }
+}
+----
++
+. Add your certificate to the truststore on your local system, then confirm that you can access your components at their new routes using your local web browser.
+
+[id="reset-component-routes-to-default_{context}"]
+== Reset the component routes to the default using the ROSA CLI
+
+If you want to reset the component routes to the default configuration, run the following `rosa edit ingress` command:
+
+[source,bash]
+----
+$ rosa edit ingress -c ${CLUSTER_NAME} ${INGRESS_ID} --component-routes 'console: hostname="";tlsSecretRef="",downloads: hostname="";tlsSecretRef="", oauth: hostname="";tlsSecretRef=""'
+----
\ No newline at end of file
diff --git a/cloud_experts_tutorials/cloud-experts-using-alb-and-waf.adoc b/cloud_experts_tutorials/cloud-experts-using-alb-and-waf.adoc
index 2c9eaf8eca66..b8bb7ec618aa 100644
--- a/cloud_experts_tutorials/cloud-experts-using-alb-and-waf.adoc
+++ b/cloud_experts_tutorials/cloud-experts-using-alb-and-waf.adoc
@@ -21,24 +21,21 @@ AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS r
 
 You can use an AWS Application Load Balancer (ALB) to add a Web Application Firewall (WAF) to your {product-title} (ROSA) workloads. Using an external solution protects ROSA resources from experiencing denial of service due to handling the WAF.
 
-[NOTE]
+[IMPORTANT]
 ====
-It is recommended that you use the xref:../cloud_experts_tutorials/cloud-experts-using-cloudfront-and-waf.adoc#cloud-experts-using-cloudfront-and-waf[CloudFront method] unless you absolutely must use an ALB based solution.
+It is recommended that you use the more flexible xref:../cloud_experts_tutorials/cloud-experts-using-cloudfront-and-waf.adoc#cloud-experts-using-cloudfront-and-waf[CloudFront method] unless you absolutely must use an ALB based solution.
 ====
 
-//[Here](https://iamondemand.com/blog/elb-vs-alb-vs-nlb-choosing-the-best-aws-load-balancer-for-your-needs/)'s a good overview of AWS LB types and what they support
-
-// Loosely based off EKS instructions here - https://aws.amazon.com/premiumsupport/knowledge-center/eks-alb-ingress-aws-waf/
-
 [id="prerequisites_{context}"]
 == Prerequisites
 
+* Multiple availability zone (AZ) ROSA (HCP or Classic) cluster.
++
 [NOTE]
 ====
-AWS ALBs require a multi-AZ cluster, as well as three public subnets split across three AZs in the same VPC as the cluster.
+AWS ALBs require at least two _public_ subnets across AZs, link:https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#availability-zones[per the AWS documentation]. For this reason, only multiple AZ ROSA clusters can be used with ALBs.
 ====
-
-* xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-a-cluster-quickly[A multi-AZ ROSA Classic cluster].
++
 * You have access to the OpenShift CLI (`oc`).
 * You have access to the AWS CLI (`aws`).
 
@@ -50,13 +47,13 @@ AWS ALBs require a multi-AZ cluster, as well as three public subnets split acros
 [source,terminal]
 ----
 $ export AWS_PAGER=""
-$ export CLUSTER_NAME=$(oc get infrastructure cluster -o=jsonpath="{.status.infrastructureName}"  | sed 's/-[a-z0-9]\{5\}$//')
+$ export CLUSTER=$(oc get infrastructure cluster -o=jsonpath="{.status.infrastructureName}")
 $ export REGION=$(oc get infrastructure cluster -o=jsonpath="{.status.platformStatus.aws.region}")
 $ export OIDC_ENDPOINT=$(oc get authentication.config.openshift.io cluster -o jsonpath='{.spec.serviceAccountIssuer}' | sed  's|^https://||')
 $ export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
-$ export SCRATCH="/tmp/${CLUSTER_NAME}/alb-waf"
+$ export SCRATCH="/tmp/${CLUSTER}/alb-waf"
 $ mkdir -p ${SCRATCH}
-$ echo "Cluster: ${CLUSTER_NAME}, Region: ${REGION}, OIDC Endpoint: ${OIDC_ENDPOINT}, AWS Account ID: ${AWS_ACCOUNT_ID}"
+$ echo "Cluster: $(echo ${CLUSTER} | sed 's/-[a-z0-9]\{5\}$//'), Region: ${REGION}, OIDC Endpoint: ${OIDC_ENDPOINT}, AWS Account ID: ${AWS_ACCOUNT_ID}"
 ----
 
 [id="aws-vpc-and-subnets_{context}"]
@@ -71,16 +68,20 @@ This section only applies to clusters that were deployed into existing VPCs. If
 +
 [source,terminal]
 ----
-$ export VPC_ID=<vpc-id>
-$ export PUBLIC_SUBNET_IDS=<public-subnets>
-$ export PRIVATE_SUBNET_IDS=<private-subnets>
+$ export VPC_ID=<vpc-id> <1>
+$ export PUBLIC_SUBNET_IDS=(<space-separated-list-of-ids>) <2>
+$ export PRIVATE_SUBNET_IDS=(<space-separated-list-of-ids>) <3>
 ----
+<1> Replace with the VPC ID of the cluster, for example: `export VPC_ID=vpc-04c429b7dbc4680ba`.
+<2> Replace with a space-separated list of the private subnet IDs of the cluster, making sure to preserve the `()`. For example: `export PUBLIC_SUBNET_IDS=(subnet-056fd6861ad332ba2 subnet-08ce3b4ec753fe74c subnet-071aa28228664972f)`.
+<3> Replace with a space-separated list of the private subnet IDs of the cluster, making sure to preserve the `()`. For example: `export PRIVATE_SUBNET_IDS=(subnet-0b933d72a8d72c36a subnet-0817eb72070f1d3c2 subnet-0806e64159b66665a)`.
 +
-. Add a tag to your cluster's VPC with the cluster name:
+. Add a tag to your cluster's VPC with the cluster identifier:
 +
 [source,terminal]
 ----
-$ aws ec2 create-tags --resources ${VPC_ID} --tags Key=kubernetes.io/cluster/${CLUSTER_NAME},Value=owned --region ${REGION}
+$ aws ec2 create-tags --resources ${VPC_ID} \
+  --tags Key=kubernetes.io/cluster/${CLUSTER},Value=shared --region ${REGION}
 ----
 +
 . Add a tag to your public subnets:
@@ -88,9 +89,10 @@ $ aws ec2 create-tags --resources ${VPC_ID} --tags Key=kubernetes.io/cluster/${C
 [source,terminal]
 ----
 $ aws ec2 create-tags \
-     --resources ${PUBLIC_SUBNET_IDS} \
-     --tags Key=kubernetes.io/role/elb,Value='' \
-     --region ${REGION}
+  --resources ${PUBLIC_SUBNET_IDS} \
+  --tags Key=kubernetes.io/role/elb,Value='1' \
+        Key=kubernetes.io/cluster/${CLUSTER},Value=shared \
+  --region ${REGION}
 ----
 +
 . Add a tag to your private subnets:
@@ -98,9 +100,10 @@ $ aws ec2 create-tags \
 [source,terminal]
 ----
 $ aws ec2 create-tags \
-     --resources "${PRIVATE_SUBNET_IDS}" \
-     --tags Key=kubernetes.io/role/internal-elb,Value='' \
-     --region ${REGION}
+  --resources ${PRIVATE_SUBNET_IDS} \
+  --tags Key=kubernetes.io/role/internal-elb,Value='1' \
+        Key=kubernetes.io/cluster/${CLUSTER},Value=shared \
+  --region ${REGION}
 ----
 
 [id="deploy-aws-load-balancer-operator_{context}"]
@@ -108,28 +111,37 @@ $ aws ec2 create-tags \
 
 The link:https://github.com/openshift/aws-load-balancer-operator[AWS Load Balancer Operator] is used to used to install, manage and configure an instance of `aws-load-balancer-controller` in a ROSA cluster. To deploy ALBs in ROSA, we need to first deploy the AWS Load Balancer Operator.
 
-. Create an AWS IAM policy for the AWS Load Balancer Controller:
+. Create a new project to deploy the AWS Load Balancer Operator into by running the following command:
++
+[source,terminal]
+----
+$ oc new-project aws-load-balancer-operator
+----
++
+. Create an AWS IAM policy for the AWS Load Balancer Controller if one does not already exist by running the following command:
 +
 [NOTE]
 ====
-The policy is sourced from link:https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.4/docs/install/iam_policy.json[the upstream AWS Load Balancer Controller policy] plus permission to create tags on subnets. This is required by the operator to function.
+The policy is sourced from link:https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json[the upstream AWS Load Balancer Controller policy]. This is required by the operator to function.
 ====
 +
 [source,terminal]
 ----
-$ oc new-project aws-load-balancer-operator
 $ POLICY_ARN=$(aws iam list-policies --query \
      "Policies[?PolicyName=='aws-load-balancer-operator-policy'].{ARN:Arn}" \
      --output text)
+----
++
+[source,terminal]
+----
 $ if [[ -z "${POLICY_ARN}" ]]; then
     wget -O "${SCRATCH}/load-balancer-operator-policy.json" \
-       https://raw.githubusercontent.com/rh-mobb/documentation/main/content/rosa/aws-load-balancer-operator/load-balancer-operator-policy.json
+       https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json
      POLICY_ARN=$(aws --region "$REGION" --query Policy.Arn \
      --output text iam create-policy \
      --policy-name aws-load-balancer-operator-policy \
      --policy-document "file://${SCRATCH}/load-balancer-operator-policy.json")
 fi
-$ echo $POLICY_ARN
 ----
 +
 . Create an AWS IAM trust policy for AWS Load Balancer Operator:
@@ -161,13 +173,17 @@ EOF
 +
 [source,terminal]
 ----
-$ ROLE_ARN=$(aws iam create-role --role-name "${CLUSTER_NAME}-alb-operator" \
+$ ROLE_ARN=$(aws iam create-role --role-name "${CLUSTER}-alb-operator" \
    --assume-role-policy-document "file://${SCRATCH}/trust-policy.json" \
    --query Role.Arn --output text)
-$ echo $ROLE_ARN
-
-$ aws iam attach-role-policy --role-name "${CLUSTER_NAME}-alb-operator" \
-     --policy-arn $POLICY_ARN
+----
++
+. Attach the AWS Load Balancer Operator policy to the IAM role we created previously by running the following command:
++
+[source,terminal]
+----
+$ aws iam attach-role-policy --role-name "${CLUSTER}-alb-operator" \
+     --policy-arn ${POLICY_ARN}
 ----
 +
 . Create a secret for the AWS Load Balancer Operator to assume our newly created AWS IAM role:
@@ -183,12 +199,12 @@ metadata:
 stringData:
   credentials: |
     [default]
-    role_arn = $ROLE_ARN
+    role_arn = ${ROLE_ARN}
     web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
 EOF
 ----
 +
-. Install the Red Hat AWS Load Balancer Operator:
+. Install the AWS Load Balancer Operator:
 +
 [source,terminal]
 ----
@@ -382,11 +398,11 @@ This will enable the Core (Common) and SQL AWS Managed Rule Sets.
 [source,terminal]
 ----
 $ WAF_ARN=$(aws wafv2 create-web-acl \
-  --name ${CLUSTER_NAME}-waf \
+  --name ${CLUSTER}-waf \
   --region ${REGION} \
   --default-action Allow={} \
   --scope REGIONAL \
-  --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=${CLUSTER_NAME}-waf-metrics \
+  --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=${CLUSTER}-waf-metrics \
   --rules file://${SCRATCH}/waf-rules.json \
   --query 'Summary.ARN' \
   --output text)
@@ -433,11 +449,15 @@ $ curl -X POST "http://${INGRESS}" \
 </html
 ----
 +
+[NOTE]
+====
+Activation of the AWS WAF integration can sometimes take several minutes. If you do not receive a `403 Forbidden` error, please wait a few seconds and try again.
+====
++
 The expected result is a `403 Forbidden` error, which means the AWS WAF is protecting your application.
 
 [role="_additional-resources"]
 [id="additional-resources_{context}"]
 == Additional resources
 
-* link:https://docs.openshift.com/rosa/applications/deployments/osd-config-custom-domains-applications.html[Custom domains for applications] in the Red Hat documentation
 * link:https://youtu.be/-HorEsl2ho4[Adding Extra Security with AWS WAF, CloudFront and ROSA | Amazon Web Services] on YouTube
\ No newline at end of file
diff --git a/cloud_experts_tutorials/cloud-experts-using-cloudfront-and-waf.adoc b/cloud_experts_tutorials/cloud-experts-using-cloudfront-and-waf.adoc
index 8794d65e538c..e4c2c06acca4 100644
--- a/cloud_experts_tutorials/cloud-experts-using-cloudfront-and-waf.adoc
+++ b/cloud_experts_tutorials/cloud-experts-using-cloudfront-and-waf.adoc
@@ -24,7 +24,7 @@ You can use an Amazon CloudFront to add a Web Application Firewall (WAF) to your
 [id="prerequisites_{context}"]
 == Prerequisites
 
-* xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-a-cluster-quickly[A ROSA Classic cluster].
+* A ROSA (HCP or Classic) cluster.
 * You have access to the OpenShift CLI (`oc`).
 * You have access to the AWS CLI (`aws`).
 
@@ -35,85 +35,100 @@ You can use an Amazon CloudFront to add a Web Application Firewall (WAF) to your
 +
 [source,terminal]
 ----
+$ export DOMAIN=apps.example.com <1>
 $ export AWS_PAGER=""
 $ export CLUSTER_NAME=$(oc get infrastructure cluster -o=jsonpath="{.status.infrastructureName}"  | sed 's/-[a-z0-9]\{5\}$//')
 $ export REGION=$(oc get infrastructure cluster -o=jsonpath="{.status.platformStatus.aws.region}")
 $ export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
-$ export SCRATCH="/tmp/${CLUSTER_NAME}/cloudfront-waf"
+$ export SCRATCH="/tmp/${CLUSTER}/cloudfront-waf"
 $ mkdir -p ${SCRATCH}
-$ echo "Cluster: ${CLUSTER_NAME}, Region: ${REGION}, AWS Account ID: ${AWS_ACCOUNT_ID}"
+$ echo "Cluster: ${CLUSTER}, Region: ${REGION}, AWS Account ID: ${AWS_ACCOUNT_ID}"
 ----
+<1> Replace with the custom domain you want to use for the `IngressController`.
++
+[NOTE]
+====
+The "Cluster" output from the previous command might be the name of your cluster, the internal ID of your cluster, or the cluster's domain prefix. If you prefer to use another identifier, you can manually set this value by running the following command:
+[source,terminal]
+----
+$ export CLUSTER=my-custom-value
+----
+====
 
-[id="custom_domain_setup{context}"]
-== Custom domain setup
+[id="secondary_ingress_controller_setup_{context}"]
+== Setting up the secondary ingress controller
 
-It is necessary to configure a secondary ingress controller to segment your external WAF-protected traffic from your standard (and default) cluster ingress controller. In ROSA, we do this using the Custom Domain Operator.
+It is necessary to configure a secondary ingress controller to segment your external WAF-protected traffic from your standard (and default) cluster ingress controller. 
 
 .Prerequisites
 
-* A unique domain, such as `*.apps.<company_name>.io`
-* A custom SAN or wildcard certificate, such as `CN=*.apps.<company_name>.io`
+* A publicly trusted SAN or wildcard certificate for your custom domain, such as `CN=*.apps.example.com`
++
+[IMPORTANT]
+====
+Amazon CloudFront uses HTTPS to communicate with your cluster's secondary ingress controller. As explained in the link:https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html[Amazon CloudFront documentation], you cannot use a self-signed certificate for HTTPS communication between CloudFront and your cluster. Amazon CloudFront verifies that the certificate was issued by a trusted certificate authority.
+====
 
 .Procedure
 
-. Create a new project
-+
-[source,terminal]
-----
-$ oc new-project waf-demo
-----
-
 . Create a new TLS secret from a private key and a public certificate, where `fullchain.pem` is your full wildcard certificate chain (including any intermediaries) and `privkey.pem` is your wildcard certificate's private key.
 +
 .Example
 [source,terminal]
 ----
-$ oc -n waf-demo create secret tls waf-tls --cert=fullchain.pem --key=privkey.pem
+$ oc -n openshift-ingress create secret tls waf-tls --cert=fullchain.pem --key=privkey.pem
 ----
 
-. Create a new `CustomDomain` custom resource (CR):
+. Create a new `IngressController` resource:
 +
-.Example `waf-custom-domain.yaml`
+.Example `waf-ingress-controller.yaml`
 [source,yaml]
 ----
-apiVersion: managed.openshift.io/v1alpha1
-kind: CustomDomain
+apiVersion: operator.openshift.io/v1
+kind: IngressController
 metadata:
   name: cloudfront-waf
+  namespace: openshift-ingress-operator
 spec:
-  domain: apps.<company_name>.io <1>
-  scope: External
-  loadBalancerType: NLB
-  certificate:
+  domain: apps.example.com <1>
+  defaultCertificate:
     name: waf-tls
-    namespace: waf-demo
+  endpointPublishingStrategy:
+    loadBalancer:
+      dnsManagementPolicy: Unmanaged
+      providerParameters:
+        aws:
+          type: NLB
+        type: AWS
+      scope: External
+    type: LoadBalancerService
   routeSelector: <2>
     matchLabels:
      route: waf
 ----
-<1> The custom domain.
-<2> Filters the set of routes serviced by the CustomDomain ingress. In this tutorial, we will use the `waf` route selector, but if no value was to be provided, no filtering would occur.
+<1> Replace with the custom domain you want to use for the `IngressController`.
+<2> Filters the set of routes serviced by the Ingress Controller. In this tutorial, we will use the `waf` route selector, but if no value was to be provided, no filtering would occur.
 
-. Apply the CR:
+. Apply the `IngressController`:
 +
 .Example
 [source,terminal]
 ----
-$ oc apply -f waf-custom-domain.yaml
+$ oc apply -f waf-ingress-controller.yaml
 ----
 
-. Verify that your custom domain ingress controller has been deployed and is `Ready`:
+. Verify that your IngressController has successfully created an external load balancer:
 +
 [source,terminal]
 ----
-$ oc get customdomains
+$ oc -n openshift-ingress get service/router-cloudfront-waf
 ----
 +
 .Example output
 [source,terminal]
 ----
-NAME               ENDPOINT                                                    DOMAIN                       STATUS
-cloudfront-waf     xxrywp.<company_name>.cluster-01.opln.s1.openshiftapps.com  *.apps.<company_name>.io     Ready
+NAME                    TYPE           CLUSTER-IP      EXTERNAL-IP                                                                     PORT(S)                      AGE
+router-cloudfront-waf   LoadBalancer   172.30.16.141   a68a838a7f26440bf8647809b61c4bc8-4225395f488830bd.elb.us-east-1.amazonaws.com   80:30606/TCP,443:31065/TCP   2m19s
 ----
 
 [id="configure-aws-waf_{context}"]
@@ -178,7 +193,7 @@ $ WAF_WACL=$(aws wafv2 create-web-acl \
   --region ${REGION} \
   --default-action Allow={} \
   --scope CLOUDFRONT \
-  --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=${CLUSTER_NAME}-waf-metrics \
+  --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=${CLUSTER}-waf-metrics \
   --rules file://${SCRATCH}/waf-rules.json \
   --query 'Summary.Name' \
   --output text)
@@ -187,13 +202,12 @@ $ WAF_WACL=$(aws wafv2 create-web-acl \
 [id="configure_amazon_cloudfront_{context}"]
 == Configure Amazon CloudFront
 
-. Retrieve the newly created custom domain ingress controller's NLB hostname:
+. Retrieve the newly created custom ingress controller's NLB hostname:
 +
 [source,terminal]
 ----
 $ NLB=$(oc -n openshift-ingress get service router-cloudfront-waf \
   -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
-$ echo "Origin domain: ${NLB}"
 ----
 
 . Import your certificate into Amazon Certificate Manager, where `cert.pem` is your wildcard certificate, `fullchain.pem` is your wildcard certificate's chain and `privkey.pem` is your wildcard certificate’s private key.
@@ -227,7 +241,7 @@ If an option is not specified in the table below, leave them the default (which
 |Value
 
 |Origin domain
-|Output from the command above ^[1]^
+|Output from the previous command ^[1]^
 
 |Name
 |rosa-waf-ingress ^[2]^
@@ -254,7 +268,7 @@ If an option is not specified in the table below, leave them the default (which
 |`cloudfront-waf`
 
 |Alternate domain name (CNAME)
-|*.apps.<company_name>.io ^[3]^
+|*.apps.example.com ^[3]^
 
 |Custom SSL certificate
 |Select the certificate you imported from the step above ^[4]^
@@ -264,7 +278,7 @@ If an option is not specified in the table below, leave them the default (which
 --
 1. Run `echo ${NLB}` to get the origin domain.
 2. If you have multiple clusters, ensure the origin name is unique.
-3. This should match the wildcard domain you used to create the custom domain ingress controller.
+3. This should match the wildcard domain you used to create the custom ingress controller.
 4. This should match the alternate domain name entered above.
 --
 +
@@ -280,17 +294,24 @@ $ aws cloudfront list-distributions --query "DistributionList.Items[?Origins.Ite
 .Example
 [source,text]
 ----
-*.apps.<company_name>.io CNAME d1b2c3d4e5f6g7.cloudfront.net
+*.apps.example.com CNAME d1b2c3d4e5f6g7.cloudfront.net
 ----
 
 [id="deploy-sample-application_{context}"]
 == Deploy a sample application
 
+. Create a new project for your sample application by running the following command:
++
+[source,terminal]
+----
+$ oc new-project hello-world
+----
++
 . Deploy a hello world application:
 +
 [source,terminal]
 ----
-$ oc -n waf-demo new-app --image=docker.io/openshift/hello-openshift
+$ oc -n hello-world new-app --image=docker.io/openshift/hello-openshift
 ----
 +
 . Create a route for the application specifying your custom domain name:
@@ -298,15 +319,15 @@ $ oc -n waf-demo new-app --image=docker.io/openshift/hello-openshift
 .Example
 [source,terminal]
 ----
-$ oc -n waf-demo create route edge --service=hello-openshift hello-openshift-tls \
---hostname hello-openshift.apps.<company_name>.io
+$ oc -n hello-world create route edge --service=hello-openshift hello-openshift-tls \
+--hostname hello-openshift.${DOMAIN}
 ----
 +
-. Label the route to admit it to your custom domain ingress controller:
+. Label the route to admit it to your custom ingress controller:
 +
 [source,terminal]
 ----
-$ oc -n waf-demo label route.route.openshift.io/hello-openshift-tls route=waf
+$ oc -n hello-world label route.route.openshift.io/hello-openshift-tls route=waf
 ----
 
 [id="test-waf_{context}"]
@@ -318,7 +339,7 @@ $ oc -n waf-demo label route.route.openshift.io/hello-openshift-tls route=waf
 +
 [source,terminal]
 ----
-$ curl "https://hello-openshift.apps.<company_name>.io"
+$ curl "https://hello-openshift.${DOMAIN}"
 ----
 +
 .Example output
@@ -333,7 +354,7 @@ Hello OpenShift!
 +
 [source,terminal]
 ----
-$ curl -X POST "https://hello-openshift.apps.<company_name>.io" \
+$ curl -X POST "https://hello-openshift.${DOMAIN}" \
   -F "user='<script><alert>Hello></alert></script>'"
 ----
 +
@@ -341,19 +362,32 @@ $ curl -X POST "https://hello-openshift.apps.<company_name>.io" \
 +
 [source,text]
 ----
-<html>
-<head><title>403 Forbidden</title></head>
-<body>
-<center><h1>403 Forbidden</h1></center>
-</body>
-</html
-----
-+
-The expected result is a `403 Forbidden` error, which means the AWS WAF is protecting your application.
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
+<TITLE>ERROR: The request could not be satisfied</TITLE>
+</HEAD><BODY>
+<H1>403 ERROR</H1>
+<H2>The request could not be satisfied.</H2>
+<HR noshade size="1px">
+Request blocked.
+We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
+<BR clear="all">
+If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
+<BR clear="all">
+<HR noshade size="1px">
+<PRE>
+Generated by cloudfront (CloudFront)
+Request ID: nFk9q2yB8jddI6FZOTjdliexzx-FwZtr8xUQUNT75HThPlrALDxbag==
+</PRE>
+<ADDRESS>
+</ADDRESS>
+</BODY></HTML>
+----
++
+The expected result is a `403 ERROR`, which means the AWS WAF is protecting your application.
 
 [role="_additional-resources"]
 [id="additional-resources_{context}"]
 == Additional resources
 
-* link:https://docs.openshift.com/rosa/applications/deployments/rosa-config-custom-domains-applications.html[Custom domains for applications] in the Red Hat documentation
 * link:https://youtu.be/-HorEsl2ho4[Adding Extra Security with AWS WAF, CloudFront and ROSA | Amazon Web Services] on YouTube
\ No newline at end of file
diff --git a/cloud_experts_tutorials/index.adoc b/cloud_experts_tutorials/index.adoc
index e70e1207ee41..0e79a967853b 100644
--- a/cloud_experts_tutorials/index.adoc
+++ b/cloud_experts_tutorials/index.adoc
@@ -4,6 +4,6 @@
 include::_attributes/attributes-openshift-dedicated.adoc[]
 :context: tutorials-overview
 
-Step-by-step tutorials from Red Hat experts to help you get the most out of your Managed OpenShift cluster.
+Step-by-step tutorials from Red{nbsp}Hat experts to help you get the most out of your Managed OpenShift cluster.
 
 In an effort to make this Cloud Expert tutorial content available quickly, it may not yet be tested on every supported configuration.
diff --git a/cloud_experts_tutorials/rosa-mobb-prerequisites-tutorial.adoc b/cloud_experts_tutorials/rosa-mobb-prerequisites-tutorial.adoc
index a1474b9faf81..8b20a1de78da 100644
--- a/cloud_experts_tutorials/rosa-mobb-prerequisites-tutorial.adoc
+++ b/cloud_experts_tutorials/rosa-mobb-prerequisites-tutorial.adoc
@@ -107,7 +107,7 @@ $ aws configure
 $ aws configure
 ----
 +
-.Sample output
+.Example output
 [source,terminal]
 ----
 AWS Access Key ID []:
@@ -127,7 +127,7 @@ $ aws sts get-caller-identity
 +
 You should receive output similar to the following:
 +
-.Sample output
+.Example output
 [source,terminal]
 ----
 {
diff --git a/contributing_to_docs/doc_guidelines.adoc b/contributing_to_docs/doc_guidelines.adoc
index cc05155ae37d..747d3c9b4a54 100644
--- a/contributing_to_docs/doc_guidelines.adoc
+++ b/contributing_to_docs/doc_guidelines.adoc
@@ -9,7 +9,7 @@ link:https://redhat-documentation.github.io/modular-docs/[_Red Hat modular docs
 
 [NOTE]
 ====
-These _Documentation guidelines_ are primarily concerned with the modular structure and AsciiDoc / AsciiBinder requirements for building OpenShift documentation. For general style guidelines in OpenShift docs, see the following:
+These _Documentation guidelines_ are primarily concerned with the modular structure and AsciiDoc/AsciiBinder requirements for building OpenShift documentation. For general style guidelines in OpenShift docs, see the following:
 
 * Primary source: link:https://www.ibm.com/docs/en/ibm-style[_IBM Style_]
 * Supplementary source: link:https://redhat-documentation.github.io/supplementary-style-guide/[_Red Hat supplementary style guide for product documentation_]
@@ -36,17 +36,17 @@ In the Pulsar editor, you can use `Ctrl`+`J` to undo hard wrapping on a paragrap
 Every assembly file should contain the following metadata at the top, with no line spacing in between, except where noted:
 
 ----
-:_mod-docs-content-type: ASSEMBLY                                        <1>
-[id="<unique-heading-for-assembly>"]                            <2>
+:_mod-docs-content-type: ASSEMBLY                               <1>
+[id="<unique_heading_for_assembly>"]                            <2>
 = Assembly title                                                <3>
 include::_attributes/common-attributes.adoc[]                   <4>
-:context: <unique-context-for-assembly>                         <5>
+:context: <unique_context_for_assembly>                         <5>
                                                                 <6>
 toc::[]                                                         <7>
 ----
 <1> The content type for the file. For assemblies, always use `:_mod-docs-content-type: ASSEMBLY`. Place this attribute before the anchor ID or, if present, the conditional that contains the anchor ID.
-<2> A unique (within OpenShift docs) anchor ID for this assembly. Use lowercase. Example: cli-developer-commands
-<3> Human readable title (notice the `=` top-level header)
+<2> A unique (within OpenShift docs) anchor ID for this assembly. Use lowercase and hyphens, for example: `cli-developer-commands`.
+<3> Human readable title (notice the `=` top-level header).
 <4> Includes attributes common to OpenShift docs.
 +
 [NOTE]
@@ -66,8 +66,8 @@ toc::[]
 ----
 ====
 +
-<5> Context used for identifying headers in modules that is the same as the anchor ID. Example: cli-developer-commands.
-<6> A blank line. You *must* have a blank line here before the toc.
+<5> Context used for identifying headers in modules that is the same as the anchor ID. Use lowercase and hyphens, for example `cli-developer-commands`.
+<6> A blank line. You *must* have a blank line here before the `toc::[]`.
 <7> The table of contents for the current assembly.
 
 [NOTE]
@@ -269,7 +269,7 @@ If you accidentally create an incorrect symbolic link, you can remove that link
 [openshift_cli ~]$ unlink images
 ----
 
-== Assembly/Module titles and section headings
+== Assembly/module titles and section headings
 
 Use sentence case in all titles and section headings. See http://www.titlecase.com/ or https://convertcase.net/ for a conversion tool.
 
@@ -287,32 +287,39 @@ Do not use backticks or other markup in assembly or module headings.
 
 Do not use special characters or symbols in titles. Symbols and special characters in titles can cause rendering errors in the HTML output.
 
-Use only one level 1 heading (`=`) in any file.
+Use only one link:https://docs.asciidoctor.org/asciidoc/latest/sections/titles-and-levels/#section-level-syntax[Level 0] heading (`=`) in any file.
 
-=== Discrete headings
+=== Anchoring titles and section headings
 
-If you have a section heading that you do not want to appear in the TOC (like if you think that some section is not worth showing up or if there are already too many nested levels), you can use a discrete (or floating) heading:
+All titles and section headings must have an anchor ID. The anchor ID must be similar to the title or section heading. Do not include line spaces between the anchor ID and the section title.
 
-https://docs.asciidoctor.org/asciidoc/latest/blocks/discrete-headings/
+.Example anchor ID and heading
+----
+[id="configuring-alert-notifications"] <1>
+= Configuring alert notifications <2>
+----
+<1> Anchor ID
+<2> Title/section heading
 
-A discrete heading also will not get a section number in the Customer Portal build of the doc. Previously, we would use plain bold mark-up around a heading like this, but discrete headings also allow you to ignore section nesting rules (like jumping from a `==` section level to a `====` level if you wanted for some style reason).
+The following anchor IDs also require use of the `_{context}` variable:
 
-To use a discrete heading, just add `[discrete]` to the line before your unique ID. For example:
+* **All** headings in module files
+* **Only** subsections in assembly files (but not the link:https://docs.asciidoctor.org/asciidoc/latest/sections/titles-and-levels/#section-level-syntax[Level 0] heading/main title)
 
-----
-[discrete]
-[id="managing-authorization-policies_{context}"]
-== Managing authorization policies
-----
+When called, the `_{context}` variable is resolved into the value declared in the `:context:` attribute in the corresponding assembly file. This enables cross-referencing of IDs in context to a specific assembly and is useful when a module is included in multiple assemblies.
 
-== Anchoring titles and section headings
+[NOTE]
+====
+The `{context}` variable must be preceded by an underscore (`_`) when declared in an anchor ID.
+====
 
-All titles and section headings must have an anchor ID. The anchor ID must be similar to the title or section heading.
+==== Anchoring in assembly files
 
-=== Anchoring in assembly files
+===== Assembly titles (Level 0 headings)
 
-The following is an example anchor ID in an assembly file:
+For the single link:https://docs.asciidoctor.org/asciidoc/latest/sections/titles-and-levels/#section-level-syntax[Level 0] heading (`=`) of an assembly file, **do not** add a `_{context}` variable to the end of the anchor ID.
 
+.Example anchor ID for the Level 0 heading of an assembly file
 ----
 [id="configuring-alert-notifications"]
 = Configuring alert notifications
@@ -320,27 +327,34 @@ The following is an example anchor ID in an assembly file:
 
 [NOTE]
 ====
-Do not include line spaces between the anchor ID and the section title.
+This guideline includes an exception to the link:https://redhat-documentation.github.io/modular-docs/#nesting-assemblies[_Red Hat modular docs reference guide_], which shows including the `{context}` variable for Level 0 headings of assemblies as well.
 ====
 
-=== Anchoring in module files
+The anchor ID for the assembly title should match the `:context:` set in the xref:assembly-file-metadata[assembly file metadata].
 
-You must add the `{context}` variable to the end of each anchor ID in module files. When called, the `{context}` variable is resolved into the value declared in the `:context:` attribute in the corresponding assembly file. This enables cross-referencing to module IDs in context to a specific assembly and is useful when a module is included in multiple assemblies.
+===== Assembly subsections (Level 1 and lower headings)
 
-[NOTE]
-====
-The `{context}` variable must be preceded by an underscore (`_`) when declared in an anchor ID.
-====
+For any Level 1 or lower _subsections_ in an assembly (for example, `==`, `===`, etc.), add a `_{context}` variable to the end of anchor IDs:
+
+.Example anchor ID for a Level 1 heading (subsection) of an assembly file
+----
+[id="editing-alerts_{context}"]
+== Editing alerts
+----
 
-The following is an example of an anchor ID for a module file title:
+This ensures a unique anchor ID across the repo.
 
+==== Anchoring in module files
+
+You must add the `_{context}` variable to the end of each anchor ID in module files, for any section level:
+
+.Example anchor ID for a module file Level 0 (`=`) heading/main title
 ----
 [id="sending-notifications-to-external-systems_{context}"]
 = Sending notifications to external systems
 ----
 
-The following is an example of an anchor ID for a second level (`==`) heading:
-
+.Example anchor ID for a Level 1 (`==`) subsection heading
 ----
 [id="deployment-scaling-benefits_{context}"]
 == Deployment and scaling benefits
@@ -348,37 +362,51 @@ The following is an example of an anchor ID for a second level (`==`) heading:
 
 === Anchoring "Prerequisites", "Additional resources", and "Next steps" titles in assemblies
 
-Use unique IDs for "Prerequisites", "Additional resources", and "Next steps" titles in assemblies. You can add the prefixes `prerequisites_`, `additional-resources_`, or `next-steps_` to a unique string that describes the assembly topic. The unique string can match the value assigned to the `:context:` attribute in the assembly.
-
-[NOTE]
-====
-The `prerequisites_`, `additional-resources_`, and `next-steps_` prefixes must end with an underscore (`_`) when declared in an anchor ID in an assembly.
-====
-
-The following examples include IDs that are unique to the "Configuring alert notifications" assembly:
-
-*Example unique ID for a "Prerequisites" title*
+For anchor IDs of "Prerequisites", "Additional resources", and "Next steps" titles in assemblies, use the prefixes `prerequisites_`, `additional-resources_`, or `next-steps_` followed by the `{context}` variable. Using this variable automatically matches the value assigned to the `:context:` attribute in the assembly, which ensures a unique ID across the repo. Use an underscore (`_`) between the prefix and `{context}` variable.
 
+.Example unique anchor ID for a "Prerequisites" title
 ----
-[id="prerequisites_configuring-alert-notifications"]
+[id="prerequisites_{context}"]
 == Prerequisites
 ----
 
-*Example unique ID for an "Additional resources" title*
-
+.Example unique anchor ID for an "Additional resources" title
 ----
 [role="_additional-resources"]
-[id="additional-resources_configuring-alert-notifications"]
+[id="additional-resources_{context}"]
 == Additional resources
 ----
 
-*Example unique ID for a "Next steps" title*
-
+.Example unique anchor ID for a "Next steps" title
 ----
-[id="next-steps_configuring-alert-notifications"]
+[id="next-steps_{context}"]
 == Next steps
 ----
 
+=== Discrete headings
+
+If you have a section heading that you do not want to appear in the TOC (for example, if you think that some section is not worth showing up or if there are already too many nested levels), you can use a discrete (or floating) heading:
+
+https://docs.asciidoctor.org/asciidoc/latest/blocks/discrete-headings/
+
+A discrete heading also will not get a section number in the Customer Portal build of the doc. Previously, we would use plain bold mark-up around a heading like this, but discrete headings also allow you to ignore section nesting rules (like jumping from a `==` section level to a `====` level if you wanted for some style reason).
+
+To use a discrete heading, add `[discrete]` to the line before your unique ID:
+
+.Example in a module
+----
+[discrete]
+[id="managing-authorization-policies_{context}"]
+== Managing authorization policies
+----
+
+.Example in an assembly
+----
+[discrete]
+[id="olm-restricted-networks-mirroring-catalog"]
+== Mirroring a catalog
+----
+
 == Writing assemblies
 An _assembly_ is a collection of modules that describes how to accomplish a user story. Module content is added to an assembly using the `include` directive. The `include` directive includes contents from another file in the current document. Files can be modules or snippets formatted in AsciiDoc, or another text format such as YAML.
 
@@ -748,7 +776,7 @@ Some provider-formatted hostnames include IPv4 addresses. An OpenShift Container
 
 == IP addresses
 
-You may include IPv4 addresses from test clusters in examples in the documentation, as long as they are private. Private IPv4 addresses fall into one of the following ranges:
+You may include IPv4 addresses from test clusters in examples in the documentation, provided that they are private. Private IPv4 addresses fall into one of the following ranges:
 
 * 10.0.0.0 to 10.255.255.255 (class A address block 10.0.0.0/8)
 * 172.16.0.0 to 172.31.255.255 (class B address block 172.16.0.0/12)
@@ -1173,7 +1201,7 @@ docker-registry     <none>                                    name=registrypod
 ....
 +
 This renders as:
-
++
 > In the following example, the `oc get` operation returns a complete list of services that are currently defined:
 >
 > ----
@@ -1391,14 +1419,17 @@ The following example shows a more complex use of user-chosen elements and presc
 
 [[backslash-for-long-code-line]]
 ==== Backslash for long lines of code
-For long lines of code that you want to break up among multiple lines, use a backslash to show the line break. For example:
+For long lines of code that you want to break up among multiple lines, use a backslash to show the line break and indent all lines under the first with two spaces. For example:
 
+....
+[source,terminal]
 ----
 $ oc get endpoints --all-namespaces --template \
-    '{{ range .items }}{{ .metadata.namespace }}:{{ .metadata.name }} \
-    {{ range .subsets }}{{ range .addresses }}{{ .ip }} \
-    {{ end }}{{ end }}{{ "\n" }}{{ end }}' | awk '/ 172\.30\./ { print $1 }'
+  '{{ range .items }}{{ .metadata.namespace }}:{{ .metadata.name }} \
+  {{ range .subsets }}{{ range .addresses }}{{ .ip }} \
+  {{ end }}{{ end }}{{ "\n" }}{{ end }}' | awk '/ 172\.30\./ { print $1 }'
 ----
+....
 
 [[callouts-in-codeblocks]]
 ==== Callouts in code blocks
@@ -1886,7 +1917,7 @@ Additionally, in an assembly, use `==` formatting for the section heading (`== A
 
 ----
 [role="_additional-resources"]
-[id="additional-resources_configuring-alert-notifications"]
+[id="additional-resources_{context}"]
 == Additional resources
 * link:example.com[IANA example domain for documentation]
 * xref:../installation/installing-the-product.adoc#installing-the-product[Installing the product]
@@ -2202,7 +2233,7 @@ a|
 >
 > `oc apply -f <path_to_configuration_file>/<filename>.yaml`
 
-|Use single asterisks for web console / GUI items (menus, buttons, page titles, etc.).
+|Use single asterisks for web console/GUI items (menus, buttons, page titles, etc.).
 Use two characters to form the arrow in a series of menu items (`$$->$$`).
 
 a|
diff --git a/edge_computing/cnf-talm-for-cluster-upgrades.adoc b/edge_computing/cnf-talm-for-cluster-upgrades.adoc
index 107dad139be7..9193a96ef027 100644
--- a/edge_computing/cnf-talm-for-cluster-upgrades.adoc
+++ b/edge_computing/cnf-talm-for-cluster-upgrades.adoc
@@ -8,12 +8,18 @@ toc::[]
 
 You can use the {cgu-operator-first} to manage the software lifecycle of multiple clusters. {cgu-operator} uses {rh-rhacm-first} policies to perform changes on the target clusters.
 
-:FeatureName: {cgu-operator-full}
+:Featurename: Using PolicyGenerator resources with {ztp}
+include::snippets/technology-preview.adoc[]
 
 include::modules/cnf-about-topology-aware-lifecycle-manager-config.adoc[leveloffset=+1]
 
 include::modules/cnf-about-topology-aware-lifecycle-manager-policies.adoc[leveloffset=+1]
 
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc#ztp-the-policygentemplate_ztp-configuring-managed-clusters-policygenerator[About the PolicyGenerator CRD]
+
 include::modules/cnf-topology-aware-lifecycle-manager-installation-web-console.adoc[leveloffset=+1]
 
 include::modules/cnf-topology-aware-lifecycle-manager-installation-cli.adoc[leveloffset=+1]
@@ -27,7 +33,7 @@ include::modules/cnf-topology-aware-lifecycle-manager-policies-concept.adoc[leve
 [role="_additional-resources"]
 .Additional resources
 
-For more information about the `PolicyGenTemplate` CRD, see xref:../edge_computing/ztp-configuring-managed-clusters-policies.adoc#ztp-the-policygentemplate_ztp-configuring-managed-clusters-policies[About the PolicyGenTemplate CRD].
+* xref:../edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc#ztp-the-policygentemplate_ztp-configuring-managed-clusters-policygenerator[About the PolicyGenerator CRD]
 
 include::modules/cnf-topology-aware-lifecycle-manager-about-subscription-crs.adoc[leveloffset=+2]
 
@@ -50,8 +56,8 @@ include::modules/cnf-topology-aware-lifecycle-manager-troubleshooting.adoc[level
 [role="_additional-resources"]
 .Additional resources
 
-* For information about troubleshooting, see xref:../support/troubleshooting/troubleshooting-operator-issues.adoc#troubleshooting-operator-issues[OpenShift Container Platform Troubleshooting Operator Issues].
+* xref:../support/troubleshooting/troubleshooting-operator-issues.adoc#troubleshooting-operator-issues[{product-title} Troubleshooting Operator Issues]
 
-* For more information about using {cgu-operator-full} in the ZTP workflow, see xref:../edge_computing/ztp-talm-updating-managed-policies.adoc#ztp-topology-aware-lifecycle-manager[Updating managed policies with {cgu-operator-full}].
+* xref:../edge_computing/policygenerator_for_ztp/ztp-talm-updating-managed-policies-pg.adoc#ztp-topology-aware-lifecycle-manager[Updating managed policies with {cgu-operator-full}]
 
-* For more information about the `PolicyGenTemplate` CRD, see xref:../edge_computing/ztp-configuring-managed-clusters-policies.adoc#ztp-the-policygentemplate_ztp-configuring-managed-clusters-policies[About the PolicyGenTemplate CRD]
+* xref:../edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc#ztp-the-policygentemplate_ztp-configuring-managed-clusters-policygenerator[About the PolicyGenerator CRD]
diff --git a/networking/openshift_network_security/_attributes b/edge_computing/image_based_upgrade/_attributes
similarity index 100%
rename from networking/openshift_network_security/_attributes
rename to edge_computing/image_based_upgrade/_attributes
diff --git a/edge_computing/image_based_upgrade/cnf-image-based-upgrade-base.adoc b/edge_computing/image_based_upgrade/cnf-image-based-upgrade-base.adoc
new file mode 100644
index 000000000000..982edef2fd35
--- /dev/null
+++ b/edge_computing/image_based_upgrade/cnf-image-based-upgrade-base.adoc
@@ -0,0 +1,30 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="cnf-image-based-upgrade-for-sno"]
+= Performing an image-based upgrade for {sno} clusters
+include::_attributes/common-attributes.adoc[]
+:context: cnf-image-based-upgrade
+
+toc::[]
+
+You can use the {lcao} to do a manual image-based upgrade of a {sno} cluster.
+
+When you deploy the {lcao} on a cluster, an `ImageBasedUpgrade` CR is automatically created.
+You update this CR to specify the image repository of the seed image and to move through the different stages.
+
+include::modules/cnf-image-based-upgrade-prep.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/cnf-image-based-upgrade-prep-resources.adoc#cnf-image-based-upgrade-prep-resources[Creating ConfigMap objects for the image-based upgrade with Lifecycle Agent]
+
+include::modules/cnf-image-based-upgrade-with-backup.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../edge_computing/image_based_upgrade/cnf-image-based-upgrade-base.adoc#ztp-image-based-upgrade-rollback_cnf-image-based-upgrade[(Optional) Moving to the Rollback stage of the image-based upgrade with Lifecycle Agent]
+
+include::modules/cnf-image-based-upgrade-rollback.adoc[leveloffset=+1]
+
+include::modules/cnf-image-based-upgrade-troubleshooting.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/edge_computing/image_based_upgrade/cnf-understanding-image-based-upgrade.adoc b/edge_computing/image_based_upgrade/cnf-understanding-image-based-upgrade.adoc
new file mode 100644
index 000000000000..42271eac05b0
--- /dev/null
+++ b/edge_computing/image_based_upgrade/cnf-understanding-image-based-upgrade.adoc
@@ -0,0 +1,122 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="understanding-image-based-upgrade-for-sno"]
+= Understanding the image-based upgrade for {sno} clusters
+include::_attributes/common-attributes.adoc[]
+:context: understanding-image-based-upgrade
+
+toc::[]
+
+From {product-title} 4.14.13, the {lcao} provides you with an alternative way to upgrade the platform version of a {sno} cluster.
+The image-based upgrade is faster than the standard upgrade method and allows you to directly upgrade from {product-title} <4.y> to <4.y+2>, and <4.y.z> to <4.y.z+n>.
+
+// Lifecycle Agent (LCAO)
+
+This upgrade method utilizes a generated OCI image from a dedicated seed cluster that is installed on the target {sno} cluster as a new `ostree` stateroot.
+A seed cluster is a {sno} cluster deployed with the target {product-title} version, Day 2 Operators, and configurations that are common to all target clusters.
+
+You can use the seed image, which is generated from the seed cluster, to upgrade the platform version on any {sno} cluster that has the same combination of hardware, Day 2 Operators, and cluster configuration as the seed cluster.
+
+[IMPORTANT]
+====
+The image-based upgrade uses custom images that are specific to the hardware platform that the clusters are running on.
+Each different hardware platform requires a separate seed image.
+====
+
+The {lcao} uses two custom resources (CRs) on the participating clusters to orchestrate the upgrade:
+
+* On the seed cluster, the `SeedGenerator` CR allows for the seed image generation. This CR specifies the repository to push the seed image to.
+* On the target cluster, the `ImageBasedUpgrade` CR specifies the seed image for the upgrade of the target cluster and the backup configurations for your workloads.
+
+.Example SeedGenerator CR
+[source,yaml]
+----
+apiVersion: lca.openshift.io/v1
+kind: SeedGenerator
+metadata:
+  name: seedimage
+spec:
+  seedImage: <seed_image>
+----
+
+.Example ImageBasedUpgrade CR
+[source,yaml]
+----
+apiVersion: lca.openshift.io/v1
+kind: ImageBasedUpgrade
+metadata:
+  name: upgrade
+spec:
+  stage: Idle <1>
+  seedImageRef: <2>
+    version: <target_version>
+    image: <seed_container_image>
+    pullSecretRef:
+      name: <seed_pull_secret>
+  autoRollbackOnFailure: {}
+#    initMonitorTimeoutSeconds: 1800 <3>
+  extraManifests: <4>
+  - name: example-extra-manifests
+    namespace: openshift-lifecycle-agent
+  oadpContent: <5>
+  - name: oadp-cm-example
+    namespace: openshift-adp
+----
+<1> Defines the desired stage for the `ImageBasedUpgrade` CR. The value can be `Idle`, `Prep`, `Upgrade`, or `Rollback`.
+<2> Defines the target platform version, the seed image to be used, and the secret required to access the image.
+<3> (Optional) Specify the time frame in seconds to roll back when the upgrade does not complete within that time frame after the first reboot. If not defined or set to `0`, the default value of `1800` seconds (30 minutes) is used.
+<4> (Optional) Specify the list of `ConfigMap` resources that contain your custom catalog sources to retain after the upgrade, and your extra manifests to apply to the target cluster that are not part of the seed image.
+<5> Specify the list of `ConfigMap` resources that contain the OADP `Backup` and `Restore` CRs.
+
+include::modules/cnf-image-based-upgrade.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../edge_computing/image_based_upgrade/cnf-image-based-upgrade-base.adoc#cnf-image-based-upgrade-for-sno[Performing an image-based upgrade with Lifecycle Agent]
+
+* xref:../../edge_computing/image_based_upgrade/ztp-image-based-upgrade.adoc#ztp-image-based-upgrade-for-sno[Performing an image-based upgrade with Lifecycle Agent and GitOps ZTP]
+
+* xref:../../edge_computing/image_based_upgrade/cnf-image-based-upgrade-base.adoc#ztp-image-based-upgrade-rollback_cnf-image-based-upgrade[(Optional) Moving to the Rollback stage of the image-based upgrade with Lifecycle Agent]
+
+* xref:../../edge_computing/image_based_upgrade/ztp-image-based-upgrade.adoc#ztp-image-based-upgrade-with-talm-rollback_ztp-image-based-upgrade[(Optional) Moving to the Rollback stage of the image-based upgrade with Lifecycle Agent and GitOps ZTP]
+
+include::modules/cnf-image-based-upgrade-guidelines.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../installing/disconnected_install/installing-mirroring-installation-images.adoc#installing-mirroring-installation-images[Mirroring images for a disconnected installation]
+
+include::modules/ztp-image-based-upgrade-cluster-validated-software.adoc[leveloffset=+2]
+
+include::modules/ztp-image-based-upgrade-hub-cluster-guide.adoc[leveloffset=+2]
+
+include::modules/ztp-image-based-upgrade-seed-image-guide.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/cnf-image-based-upgrade-shared-container-image.adoc#cnf-image-based-upgrade-shared-container-directory_shared-container-directory[Configuring a shared container directory between ostree stateroots]
+
+* xref:../../edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/cnf-image-based-upgrade-shared-container-image.adoc#ztp-image-based-upgrade-shared-container-directory_shared-container-directory[Configuring a shared container directory between ostree stateroots when using GitOps ZTP]
+
+* xref:../../edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/cnf-image-based-upgrade-generate-seed.adoc#ztp-image-based-seed-image-config_generate-seed[Seed image configuration]
+
+include::modules/ztp-image-based-upgrade-backup-guide.adoc[leveloffset=+2]
+
+include::modules/ztp-image-based-upgrade-extra-manifests-guide.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../edge_computing/image_based_upgrade/cnf-image-based-upgrade-base.adoc#cnf-image-based-upgrade-for-sno[Performing an image-based upgrade with Lifecycle Agent]
+
+* xref:../../edge_computing/image_based_upgrade/ztp-image-based-upgrade.adoc#ztp-image-based-upgrade-for-sno[Performing an image-based upgrade with Lifecycle Agent and GitOps ZTP]
+
+* xref:../../edge_computing/ztp-preparing-the-hub-cluster.adoc#ztp-preparing-the-hub-cluster[Preparing the hub cluster for ZTP]
+
+* xref:../../edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/cnf-image-based-upgrade-prep-resources.adoc#cnf-image-based-upgrade-creating-backup-oadp-resources_nongitops[Creating ConfigMap objects for the image-based upgrade with Lifecycle Agent]
+
+* xref:../../edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/ztp-image-based-upgrade-prep-resources.adoc#ztp-image-based-upgrade-prep-resources[Creating ConfigMap objects for the image-based upgrade with GitOps ZTP]
+
+* xref:../../backup_and_restore/application_backup_and_restore/installing/about-installing-oadp.adoc#about-installing-oadp[About installing OADP]
\ No newline at end of file
diff --git a/networking/openshift_network_security/images b/edge_computing/image_based_upgrade/images
similarity index 100%
rename from networking/openshift_network_security/images
rename to edge_computing/image_based_upgrade/images
diff --git a/networking/openshift_network_security/modules b/edge_computing/image_based_upgrade/modules
similarity index 100%
rename from networking/openshift_network_security/modules
rename to edge_computing/image_based_upgrade/modules
diff --git a/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/_attributes b/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/_attributes
new file mode 120000
index 000000000000..bf7c2529fdb4
--- /dev/null
+++ b/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/_attributes
@@ -0,0 +1 @@
+../../../_attributes/
\ No newline at end of file
diff --git a/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/cnf-image-based-upgrade-generate-seed.adoc b/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/cnf-image-based-upgrade-generate-seed.adoc
new file mode 100644
index 000000000000..d495c70382b6
--- /dev/null
+++ b/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/cnf-image-based-upgrade-generate-seed.adoc
@@ -0,0 +1,23 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="cnf-image-based-upgrade-seed-image"]
+= Generating a seed image for the image-based upgrade with {lcao}
+include::_attributes/common-attributes.adoc[]
+:context: generate-seed
+
+toc::[]
+
+Use the {lcao} to generate the seed image with the `SeedGenerator` custom resource (CR).
+
+:FeatureName: The Lifecycle Agent
+
+
+include::modules/cnf-image-based-upgrade-seed-image-config.adoc[leveloffset=+1]
+
+include::modules/cnf-image-based-upgrade-generate-seed-image.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/cnf-image-based-upgrade-shared-container-image.adoc#cnf-image-based-upgrade-shared-container-directory_shared-container-directory[Configuring a shared container directory between ostree stateroots]
+
+* xref:../../../edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/cnf-image-based-upgrade-shared-container-image#ztp-image-based-upgrade-shared-container-directory_shared-container-directory[Configuring a shared container directory between ostree stateroots when using GitOps ZTP]
\ No newline at end of file
diff --git a/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/cnf-image-based-upgrade-install-operators.adoc b/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/cnf-image-based-upgrade-install-operators.adoc
new file mode 100644
index 000000000000..6d676e233450
--- /dev/null
+++ b/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/cnf-image-based-upgrade-install-operators.adoc
@@ -0,0 +1,30 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="cnf-image-based-upgrade-install-operators"]
+= Installing Operators for the image-based upgrade
+include::_attributes/common-attributes.adoc[]
+:context: install-operators
+
+toc::[]
+
+Prepare your clusters for the upgrade by installing the {lcao} and the OADP Operator.
+
+To install the OADP Operator with the non-GitOps method, see "Installing the OADP Operator".
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../backup_and_restore/application_backup_and_restore/installing/oadp-installing-operator.adoc#oadp-installing-operator-doc[Installing the OADP Operator]
+
+* xref:../../../backup_and_restore/application_backup_and_restore/installing/installing-oadp-ocs.adoc#oadp-about-backup-snapshot-locations_installing-oadp-ocs[About backup and snapshot locations and their secrets]
+
+* xref:../../../backup_and_restore/application_backup_and_restore/backing_up_and_restoring/oadp-creating-backup-cr.adoc#oadp-creating-backup-cr-doc[Creating a Backup CR]
+
+* xref:../../../backup_and_restore/application_backup_and_restore/backing_up_and_restoring/restoring-applications.adoc#oadp-creating-restore-cr_restoring-applications[Creating a Restore CR]
+
+include::modules/cnf-image-based-upgrade-installing-lifecycle-agent-using-cli.adoc[leveloffset=+1]
+
+include::modules/cnf-image-based-upgrade-installing-lifecycle-agent-using-web-console.adoc[leveloffset=+1]
+
+include::modules/ztp-image-based-upgrade-installing-lcao-with-gitops.adoc[leveloffset=+1]
+
+include::modules/ztp-image-based-upgrade-installing-oadp-with-gitops.adoc[leveloffset=+1]
diff --git a/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/cnf-image-based-upgrade-prep-resources.adoc b/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/cnf-image-based-upgrade-prep-resources.adoc
new file mode 100644
index 000000000000..7bdbe39a0bef
--- /dev/null
+++ b/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/cnf-image-based-upgrade-prep-resources.adoc
@@ -0,0 +1,29 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="cnf-image-based-upgrade-prep-resources"]
+= Creating ConfigMap objects for the image-based upgrade with {lcao}
+include::_attributes/common-attributes.adoc[]
+:context: nongitops
+
+toc::[]
+
+The {lcao} needs all your OADP resources, extra manifests, and custom catalog sources wrapped in a `ConfigMap` object to process them for the image-based upgrade.
+
+include::modules/cnf-image-based-upgrade-prep-oadp.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/cnf-image-based-upgrade-shared-container-image.adoc#cnf-image-based-upgrade-shared-container-directory_shared-container-directory[Configuring a shared container directory between ostree stateroots]
+
+* xref:../../../backup_and_restore/application_backup_and_restore/installing/about-installing-oadp.adoc[About installing OADP]
+
+include::modules/cnf-image-based-upgrade-prep-extramanifests.adoc[leveloffset=+1]
+
+include::modules/cnf-image-based-upgrade-prep-catalogsource.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../operators/understanding/olm/olm-understanding-olm.adoc#olm-catalogsource_olm-understanding-olm[Catalog source]
+
+* xref:../../../edge_computing/image_based_upgrade/cnf-image-based-upgrade-base.adoc#cnf-image-based-upgrade-for-sno[Performing an image-based upgrade with Lifecycle Agent]
\ No newline at end of file
diff --git a/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/cnf-image-based-upgrade-shared-container-image.adoc b/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/cnf-image-based-upgrade-shared-container-image.adoc
new file mode 100644
index 000000000000..00caab43e78b
--- /dev/null
+++ b/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/cnf-image-based-upgrade-shared-container-image.adoc
@@ -0,0 +1,16 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="cnf-image-based-upgrade-shared-varlibcontainers"]
+= Configuring a shared container directory for the image-based upgrade
+include::_attributes/common-attributes.adoc[]
+:context: shared-container-directory
+
+toc::[]
+
+Your {sno} clusters need to have a shared `var/lib/containers` partition for the image-based upgrade.
+You can do this at install time.
+
+:FeatureName: The Lifecycle Agent
+
+include::modules/cnf-image-based-upgrade-shared-container-directory.adoc[leveloffset=+1]
+
+include::modules/ztp-image-based-upgrade-shared-container-directory.adoc[leveloffset=+1]
diff --git a/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/images b/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/images
new file mode 120000
index 000000000000..4399cbb3c0f3
--- /dev/null
+++ b/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/images
@@ -0,0 +1 @@
+../../../images/
\ No newline at end of file
diff --git a/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/modules b/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/modules
new file mode 120000
index 000000000000..7e8b50bee77a
--- /dev/null
+++ b/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/modules
@@ -0,0 +1 @@
+../../../modules/
\ No newline at end of file
diff --git a/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/snippets b/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/snippets
new file mode 120000
index 000000000000..ce62fd7c41e2
--- /dev/null
+++ b/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/snippets
@@ -0,0 +1 @@
+../../../snippets/
\ No newline at end of file
diff --git a/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/ztp-image-based-upgrade-prep-resources.adoc b/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/ztp-image-based-upgrade-prep-resources.adoc
new file mode 100644
index 000000000000..ae77ba3cc135
--- /dev/null
+++ b/edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/ztp-image-based-upgrade-prep-resources.adoc
@@ -0,0 +1,27 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="ztp-image-based-upgrade-prep-resources"]
+= Creating ConfigMap objects for the image-based upgrade with {lcao} using {ztp}
+include::_attributes/common-attributes.adoc[]
+:context: ztp-gitops
+
+toc::[]
+
+Create your OADP resources, extra manifests, and custom catalog sources wrapped in a `ConfigMap` object to prepare for the image-based upgrade.
+
+include::modules/ztp-image-based-upgrade-prep-oadp.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/cnf-image-based-upgrade-shared-container-image.adoc#ztp-image-based-upgrade-shared-container-directory_shared-container-directory[Configuring a shared container directory between ostree stateroots when using GitOps ZTP]
+
+* xref:../../../edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/cnf-image-based-upgrade-install-operators#ztp-image-based-upgrade-installing-oadp-with-gitops_install-operators[Installing and configuring the OADP Operator with GitOps ZTP]
+
+include::modules/ztp-image-based-upgrade-prep-label-extramanifests.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/cnf-image-based-upgrade-shared-container-image.adoc#ztp-image-based-upgrade-shared-container-directory_shared-container-directory[Configuring a shared container directory between ostree stateroots when using GitOps ZTP]
+
+* xref:../../../edge_computing/image_based_upgrade/ztp-image-based-upgrade.adoc#ztp-image-based-upgrade-for-sno[Performing an image-based upgrade for {sno} clusters using GitOps ZTP]
\ No newline at end of file
diff --git a/networking/openshift_network_security/network_policy/snippets b/edge_computing/image_based_upgrade/snippets
similarity index 100%
rename from networking/openshift_network_security/network_policy/snippets
rename to edge_computing/image_based_upgrade/snippets
diff --git a/edge_computing/image_based_upgrade/ztp-image-based-upgrade.adoc b/edge_computing/image_based_upgrade/ztp-image-based-upgrade.adoc
new file mode 100644
index 000000000000..0b17a983c562
--- /dev/null
+++ b/edge_computing/image_based_upgrade/ztp-image-based-upgrade.adoc
@@ -0,0 +1,42 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="ztp-image-based-upgrade-for-sno"]
+= Performing an image-based upgrade for {sno} clusters using {ztp}
+:context: ztp-image-based-upgrade
+include::_attributes/common-attributes.adoc[]
+
+toc::[]
+
+You can upgrade your managed {sno} cluster with the image-based upgrade through {ztp-first}.
+
+When you deploy the {lcao} on a cluster, an `ImageBasedUpgrade` CR is automatically created.
+You update this CR to specify the image repository of the seed image and to move through the different stages.
+
+// Lifecycle Agent (LCAO)
+
+include::modules/ztp-image-based-upgrade-talm-prep.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../edge_computing/ztp-preparing-the-hub-cluster.adoc#ztp-preparing-the-ztp-git-repository-ver-ind_ztp-preparing-the-hub-cluster[Preparing the GitOps ZTP site configuration repository for version independence]
+
+* xref:../../edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/ztp-image-based-upgrade-prep-resources.adoc#ztp-image-based-upgrade-prep-resources[Creating ConfigMap objects for the image-based upgrade with Lifecycle Agent using GitOps ZTP]
+
+* xref:../../edge_computing/image_based_upgrade/preparing_for_image_based_upgrade/cnf-image-based-upgrade-shared-container-image.adoc#ztp-image-based-upgrade-shared-container-directory_shared-container-directory[Configuring a shared container directory between ostree stateroots when using GitOps ZTP]
+
+* xref:../../backup_and_restore/application_backup_and_restore/installing/installing-oadp-ocs.adoc#oadp-about-backup-snapshot-locations_installing-oadp-ocs[About backup and snapshot locations and their secrets]
+
+* xref:../../backup_and_restore/application_backup_and_restore/backing_up_and_restoring/oadp-creating-backup-cr.adoc#oadp-creating-backup-cr-doc[Creating a Backup CR]
+
+* xref:../../backup_and_restore/application_backup_and_restore/backing_up_and_restoring/restoring-applications.adoc#oadp-creating-restore-cr_restoring-applications[Creating a Restore CR]
+
+include::modules/ztp-image-based-upgrade-talm-upgrade.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../edge_computing/image_based_upgrade/ztp-image-based-upgrade.adoc#ztp-image-based-upgrade-with-talm-rollback_ztp-image-based-upgrade[(Optional) Moving to the Rollback stage of the image-based upgrade with Lifecycle Agent and {ztp}]
+
+include::modules/ztp-image-based-upgrade-talm-rollback.adoc[leveloffset=+1]
+
+include::modules/cnf-image-based-upgrade-troubleshooting.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/networking/openshift_network_security/network_policy/_attributes b/edge_computing/policygenerator_for_ztp/_attributes
similarity index 100%
rename from networking/openshift_network_security/network_policy/_attributes
rename to edge_computing/policygenerator_for_ztp/_attributes
diff --git a/networking/openshift_network_security/network_policy/images b/edge_computing/policygenerator_for_ztp/images
similarity index 100%
rename from networking/openshift_network_security/network_policy/images
rename to edge_computing/policygenerator_for_ztp/images
diff --git a/networking/openshift_network_security/network_policy/modules b/edge_computing/policygenerator_for_ztp/modules
similarity index 100%
rename from networking/openshift_network_security/network_policy/modules
rename to edge_computing/policygenerator_for_ztp/modules
diff --git a/networking/openshift_network_security/snippets b/edge_computing/policygenerator_for_ztp/snippets
similarity index 100%
rename from networking/openshift_network_security/snippets
rename to edge_computing/policygenerator_for_ztp/snippets
diff --git a/edge_computing/policygenerator_for_ztp/ztp-advanced-policygenerator-config.adoc b/edge_computing/policygenerator_for_ztp/ztp-advanced-policygenerator-config.adoc
new file mode 100644
index 000000000000..bfba8214cea2
--- /dev/null
+++ b/edge_computing/policygenerator_for_ztp/ztp-advanced-policygenerator-config.adoc
@@ -0,0 +1,129 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="ztp-advanced-policygenerator-config"]
+= Advanced managed cluster configuration with PolicyGenerator resources
+include::_attributes/common-attributes.adoc[]
+:context: ztp-advanced-policygenerator-config
+:policy-gen-cr: PolicyGenerator
+:policy-prefix: acm-
+:rangen-yaml-path: policies.manifests
+:argocd-folder: out/argocd/example/acmpolicygenerator/
+
+toc::[]
+
+You can use `{policy-gen-cr}` CRs to deploy custom functionality in your managed clusters.
+
+:Featurename: Using PolicyGenerator resources with {ztp}
+include::snippets/technology-preview.adoc[]
+
+[NOTE]
+====
+For more information about `PolicyGenerator` resources, see the {rh-rhacm} link:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/{rh-rhacm-version}/html/governance/integrate-third-party-policy-controllers#policy-generator[Policy Generator] documentation.
+====
+
+include::modules/ztp-deploying-additional-changes-to-clusters.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../edge_computing/ztp-advanced-install-ztp.adoc#ztp-customizing-the-install-extra-manifests_ztp-advanced-install-ztp[Customizing extra installation manifests in the {ztp} pipeline]
+
+include::modules/ztp-using-pgt-to-update-source-crs.adoc[leveloffset=+1]
+
+include::modules/ztp-adding-new-content-to-gitops-ztp.adoc[leveloffset=+1]
+
+include::modules/ztp-configuring-pgt-compliance-eval-timeouts.adoc[leveloffset=+1]
+
+include::modules/ztp-creating-a-validator-inform-policy.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../edge_computing/ztp-updating-gitops.adoc#ztp-updating-gitops[Upgrading {ztp}]
+
+include::modules/ztp-using-pgt-to-configure-power-states.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../scalability_and_performance/low_latency_tuning/cnf-tuning-low-latency-nodes-with-perf-profile.adoc#configuring-workload-hints_cnf-low-latency-perf-profile[Configuring node power consumption and realtime processing with workload hints]
+
+include::modules/ztp-using-pgt-to-configure-performance-mode.adoc[leveloffset=+2]
+
+include::modules/ztp-using-pgt-to-configure-high-performance-mode.adoc[leveloffset=+2]
+
+include::modules/ztp-using-pgt-to-configure-power-saving-mode.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../scalability_and_performance/low_latency_tuning/cnf-tuning-low-latency-nodes-with-perf-profile.adoc#cnf-configuring-power-saving-for-nodes_cnf-low-latency-perf-profile[Configuring power saving for nodes that run colocated high and low priority workloads]
+
+* xref:../../edge_computing/ztp-reference-cluster-configuration-for-vdu.adoc#ztp-du-configuring-host-firmware-requirements_sno-configure-for-vdu[Configuring host firmware for low latency and high performance]
+
+* xref:../../edge_computing/ztp-preparing-the-hub-cluster.adoc#ztp-preparing-the-ztp-git-repository_ztp-preparing-the-hub-cluster[Preparing the {ztp} site configuration repository]
+
+include::modules/ztp-using-pgt-to-maximize-power-saving-mode.adoc[leveloffset=+2]
+
+include::modules/ztp-provisioning-lvm-storage.adoc[leveloffset=+1]
+
+[id="ztp-advanced-policy-config-ptp_{context}"]
+== Configuring PTP events with {policy-gen-cr} CRs
+
+You can use the {ztp} pipeline to configure PTP events that use HTTP or AMQP transport.
+
+include::snippets/ptp-amq-interconnect-eol.adoc[]
+
+include::modules/ztp-configuring-ptp-fast-events.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../edge_computing/policygenerator_for_ztp/ztp-advanced-policygenerator-config.adoc#ztp-using-pgt-to-update-source-crs_ztp-advanced-policygenerator-config[Using {policy-gen-cr} CRs to override source CRs content]
+
+include::modules/ztp-configuring-ptp-fast-events-amqp.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../networking/ptp/using-ptp-events.adoc#cnf-installing-amq-interconnect-messaging-bus_using-ptp-events[Installing the AMQ messaging bus]
+
+* xref:../../registry/index.adoc#registry-overview[{product-registry} overview]
+
+[id="ztp-advanced-policy-config-bare-metal_{context}"]
+== Configuring bare-metal events with {policy-gen-cr} CRs
+
+You can use the {ztp} pipeline to configure bare-metal events that use HTTP or AMQP transport.
+
+include::snippets/ptp-amq-interconnect-eol.adoc[]
+
+include::modules/ztp-configuring-hwevents-using-pgt.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../scalability_and_performance/using-rfhe.adoc#nw-rfhe-installing-operator-cli_using-rfhe[Installing the {redfish-operator} using the CLI]
+
+* xref:../../scalability_and_performance/using-rfhe.adoc#nw-rfhe-creating-hardware-event_using-rfhe[Creating the bare-metal event and Secret CRs]
+
+include::modules/ztp-creating-hwevents-amqp.adoc[leveloffset=+2]
+
+include::modules/ztp-add-local-reg-for-sno-duprofile.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../registry/index.adoc#registry-overview[{product-title} registry overview]
+
+include::modules/ztp-configuring-disk-partitioning.adoc[leveloffset=+2]
+
+include::modules/ztp-configuring-pgt-image-registry.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../registry/accessing-the-registry.adoc#accessing-the-registry[Accessing the registry]
+
+:!policy-gen-cr:
+:!policy-prefix:
+:!rangen-yaml-path:
+:!argocd-folder:
diff --git a/edge_computing/ztp-configuring-managed-clusters-policies.adoc b/edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc
similarity index 50%
rename from edge_computing/ztp-configuring-managed-clusters-policies.adoc
rename to edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc
index e52160f22384..eab3f613d171 100644
--- a/edge_computing/ztp-configuring-managed-clusters-policies.adoc
+++ b/edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc
@@ -1,12 +1,27 @@
 :_mod-docs-content-type: ASSEMBLY
-[id="ztp-configuring-managed-clusters-policies"]
-= Configuring managed clusters with policies and PolicyGenTemplate resources
+[id="ztp-configuring-managed-clusters-policygenerator"]
+= Configuring managed cluster policies by using PolicyGenerator resources
 include::_attributes/common-attributes.adoc[]
-:context: ztp-configuring-managed-clusters-policies
+:context: ztp-configuring-managed-clusters-policygenerator
+:policy-gen-cr: PolicyGenerator
+:policy-prefix: acm-
+:argocd-folder: out/argocd/example/acmpolicygenerator/
+:placement-rule-cr: Placement
+:binding-field: policyDefaults.placement.labelSelector
 
 toc::[]
 
-Applied policy custom resources (CRs) configure the managed clusters that you provision. You can customize how {rh-rhacm-first} uses `PolicyGenTemplate` CRs to generate the applied policy CRs.
+Applied `Policy` custom resources (CRs) configure the managed clusters that you provision. You can customize how {rh-rhacm-first} uses `{policy-gen-cr}` CRs to generate the applied `Policy` CRs.
+
+:Featurename: Using PolicyGenerator resources with {ztp}
+include::snippets/technology-preview.adoc[]
+
+[NOTE]
+====
+For more information about `PolicyGenerator` resources, see the {rh-rhacm} link:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/{rh-rhacm-version}/html/governance/integrate-third-party-policy-controllers#policy-generator[Policy Generator] documentation.
+====
+
+include::modules/ztp-comparing-pgt-and-rhacm-pg-patching-strategies.adoc[leveloffset=+1]
 
 include::modules/ztp-the-policygentemplate.adoc[leveloffset=+1]
 
@@ -29,15 +44,14 @@ include::modules/ztp-policygentemplates-for-ran.adoc[leveloffset=+1]
 [role="_additional-resources"]
 .Additional resources
 
-* xref:../edge_computing/ztp-preparing-the-hub-cluster.adoc#ztp-preparing-the-ztp-git-repository_ztp-preparing-the-hub-cluster[Preparing the {ztp} site configuration repository]
+* xref:../../edge_computing/ztp-preparing-the-hub-cluster.adoc#ztp-preparing-the-ztp-git-repository_ztp-preparing-the-hub-cluster[Preparing the {ztp} site configuration repository]
 
 include::modules/ztp-customizing-a-managed-site-using-pgt.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 .Additional resources
 
-* xref:../edge_computing/ztp-advanced-policy-config.adoc#ztp-creating-a-validator-inform-policy_ztp-advanced-policy-config[Signalling ZTP cluster deployment completion with validator inform policies]
-
+* xref:../../edge_computing/policygenerator_for_ztp/ztp-advanced-policygenerator-config.adoc#ztp-creating-a-validator-inform-policy_ztp-advanced-policy-config[Signalling {ztp} cluster deployment completion with validator inform policies]
 
 include::modules/ztp-monitoring-policy-deployment-progress.adoc[leveloffset=+1]
 
@@ -48,8 +62,14 @@ include::modules/ztp-restarting-policies-reconciliation.adoc[leveloffset=+1]
 [role="_additional-resources"]
 .Additional resources
 
-* For information about using {cgu-operator-first} to construct your own `ClusterGroupUpgrade` CR, see xref:../edge_computing/cnf-talm-for-cluster-upgrades.adoc#talo-about-cgu-crs_cnf-topology-aware-lifecycle-manager[About the ClusterGroupUpgrade CR].
+* For information about using {cgu-operator-first} to construct your own `ClusterGroupUpgrade` CR, see xref:../../edge_computing/cnf-talm-for-cluster-upgrades.adoc#talo-about-cgu-crs_cnf-topology-aware-lifecycle-manager[About the ClusterGroupUpgrade CR].
 
 include::modules/ztp-removing-content-from-managed-clusters.adoc[leveloffset=+1]
 
 include::modules/ztp-definition-of-done-for-ztp-installations.adoc[leveloffset=+1]
+
+:!policy-gen-cr:
+:!policy-prefix:
+:!argocd-folder:
+:!placement-rule-cr:
+:!binding-field:
diff --git a/edge_computing/policygenerator_for_ztp/ztp-talm-updating-managed-policies-pg.adoc b/edge_computing/policygenerator_for_ztp/ztp-talm-updating-managed-policies-pg.adoc
new file mode 100644
index 000000000000..a8c66bf742f3
--- /dev/null
+++ b/edge_computing/policygenerator_for_ztp/ztp-talm-updating-managed-policies-pg.adoc
@@ -0,0 +1,70 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="ztp-topology-aware-lifecycle-manager-pg"]
+= Updating managed clusters in a disconnected environment with PolicyGenerator resources and TALM
+include::_attributes/common-attributes.adoc[]
+:context: ztp-talm-pg
+:policy-gen-cr: PolicyGenerator
+:policy-prefix: acm-
+:rangen-yaml-path: policies.manifests
+
+toc::[]
+You can use the {cgu-operator-first} to manage the software lifecycle of managed clusters that you have deployed using {ztp-first} and {cgu-operator-first}.
+{cgu-operator} uses {rh-rhacm-first} {policy-gen-cr} policies to manage and control changes applied to target clusters.
+
+:Featurename: Using PolicyGenerator resources with {ztp}
+include::snippets/technology-preview.adoc[]
+
+[role="_additional-resources"]
+.Additional resources
+
+* For more information about the {cgu-operator-full}, see xref:../../edge_computing/cnf-talm-for-cluster-upgrades.adoc#cnf-about-topology-aware-lifecycle-manager-config_cnf-topology-aware-lifecycle-manager[About the {cgu-operator-full}].
+
+include::modules/cnf-topology-aware-lifecycle-manager-preparing-for-updates.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* For more information about how to update {ztp-first}, see xref:../../edge_computing/ztp-updating-gitops.adoc#ztp-updating-gitops[Upgrading {ztp}].
+
+* For more information about how to mirror an {product-title} image repository, see xref:../../installing/disconnected_install/installing-mirroring-installation-images.adoc#installation-mirror-repository_installing-mirroring-installation-images[Mirroring the {product-title} image repository].
+
+* For more information about how to mirror Operator catalogs for disconnected clusters, see xref:../../installing/disconnected_install/installing-mirroring-installation-images.adoc#olm-mirror-catalog_installing-mirroring-installation-images[Mirroring Operator catalogs for use with disconnected clusters].
+
+* For more information about how to prepare the disconnected environment and mirroring the desired image repository, see xref:../../edge_computing/ztp-preparing-the-hub-cluster.adoc#ztp-preparing-the-hub-cluster[Preparing the disconnected environment].
+
+* For more information about update channels and releases, see xref:../../updating/understanding_updates/understanding-update-channels-release.adoc#understanding-update-channels-releases[Understanding update channels and releases].
+
+include::modules/cnf-topology-aware-lifecycle-manager-platform-update.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* For more information about mirroring the images in a disconnected environment, see xref:../../edge_computing/ztp-preparing-the-hub-cluster.adoc#ztp-acm-adding-images-to-mirror-registry_ztp-preparing-the-hub-cluster[Preparing the disconnected environment].
+
+include::modules/cnf-topology-aware-lifecycle-manager-operator-update.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* For more information about updating {ztp}, see xref:../../edge_computing/ztp-updating-gitops.adoc#ztp-updating-gitops[Upgrading {ztp}].
+
+include::modules/cnf-topology-aware-lifecycle-manager-operator-troubleshooting.adoc[leveloffset=+1]
+
+include::modules/cnf-topology-aware-lifecycle-manager-operator-and-platform-update.adoc[leveloffset=+1]
+
+include::modules/cnf-topology-aware-lifecycle-manager-pao-update.adoc[leveloffset=+1]
+
+include::modules/cnf-topology-aware-lifecycle-manager-precache-user-spec-images.adoc[leveloffset=+1]
+
+include::modules/cnf-topology-aware-lifecycle-manager-creating-custom-resources.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* For more information about the {cgu-operator} precaching workflow, see xref:../../edge_computing/cnf-talm-for-cluster-upgrades.adoc#talo-precache-feature-concept_cnf-topology-aware-lifecycle-manager[Using the container image precache feature].
+
+include::modules/cnf-topology-aware-lifecycle-manager-autocreate-cgu-cr-ztp.adoc[leveloffset=+1]
+
+:!policy-gen-cr:
+:!policy-prefix:
+:!rangen-yaml-path:
diff --git a/edge_computing/policygentemplate_for_ztp/_attributes b/edge_computing/policygentemplate_for_ztp/_attributes
new file mode 120000
index 000000000000..20cc1dcb77bf
--- /dev/null
+++ b/edge_computing/policygentemplate_for_ztp/_attributes
@@ -0,0 +1 @@
+../../_attributes/
\ No newline at end of file
diff --git a/edge_computing/policygentemplate_for_ztp/images b/edge_computing/policygentemplate_for_ztp/images
new file mode 120000
index 000000000000..847b03ed0541
--- /dev/null
+++ b/edge_computing/policygentemplate_for_ztp/images
@@ -0,0 +1 @@
+../../images/
\ No newline at end of file
diff --git a/edge_computing/policygentemplate_for_ztp/modules b/edge_computing/policygentemplate_for_ztp/modules
new file mode 120000
index 000000000000..36719b9de743
--- /dev/null
+++ b/edge_computing/policygentemplate_for_ztp/modules
@@ -0,0 +1 @@
+../../modules/
\ No newline at end of file
diff --git a/edge_computing/policygentemplate_for_ztp/snippets b/edge_computing/policygentemplate_for_ztp/snippets
new file mode 120000
index 000000000000..5a3f5add140e
--- /dev/null
+++ b/edge_computing/policygentemplate_for_ztp/snippets
@@ -0,0 +1 @@
+../../snippets/
\ No newline at end of file
diff --git a/edge_computing/policygentemplate_for_ztp/ztp-advanced-policy-config.adoc b/edge_computing/policygentemplate_for_ztp/ztp-advanced-policy-config.adoc
new file mode 100644
index 000000000000..b4b1f10e61e7
--- /dev/null
+++ b/edge_computing/policygentemplate_for_ztp/ztp-advanced-policy-config.adoc
@@ -0,0 +1,125 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="ztp-advanced-policy-config"]
+= Advanced managed cluster configuration with PolicyGenTemplate resources
+include::_attributes/common-attributes.adoc[]
+:context: ztp-advanced-policy-config
+:policy-gen-cr: PolicyGenTemplate
+:policy-prefix:
+:rangen-yaml-path: spec.sourceFiles
+:argocd-folder: out/argocd/example/policygentemplates/
+
+toc::[]
+
+You can use `{policy-gen-cr}` CRs to deploy custom functionality in your managed clusters.
+
+include::snippets/pgt-deprecation-notice.adoc[]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc#ztp-configuring-managed-clusters-policygenerator[Configuring managed cluster policies by using PolicyGenerator resources]
+
+* xref:../../edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc#ztp-comparing-pgt-and-rhacm-pg-patching-strategies_ztp-configuring-managed-clusters-policygenerator[Comparing {rh-rhacm} PolicyGenerator and PolicyGenTemplate resource patching]
+
+include::modules/ztp-deploying-additional-changes-to-clusters.adoc[leveloffset=+1]
+
+include::modules/ztp-using-pgt-to-update-source-crs.adoc[leveloffset=+1]
+
+include::modules/ztp-adding-new-content-to-gitops-ztp.adoc[leveloffset=+1]
+
+include::modules/ztp-configuring-pgt-compliance-eval-timeouts.adoc[leveloffset=+1]
+
+include::modules/ztp-creating-a-validator-inform-policy.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../edge_computing/ztp-updating-gitops.adoc#ztp-updating-gitops[Upgrading {ztp}]
+
+include::modules/ztp-using-pgt-to-configure-power-states.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../scalability_and_performance/low_latency_tuning/cnf-tuning-low-latency-nodes-with-perf-profile.adoc#configuring-workload-hints_cnf-low-latency-perf-profile[Configuring node power consumption and realtime processing with workload hints]
+
+include::modules/ztp-using-pgt-to-configure-performance-mode.adoc[leveloffset=+2]
+
+include::modules/ztp-using-pgt-to-configure-high-performance-mode.adoc[leveloffset=+2]
+
+include::modules/ztp-using-pgt-to-configure-power-saving-mode.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../scalability_and_performance/low_latency_tuning/cnf-tuning-low-latency-nodes-with-perf-profile.adoc#cnf-configuring-power-saving-for-nodes_cnf-low-latency-perf-profile[Configuring power saving for nodes that run colocated high and low priority workloads]
+
+* xref:../../edge_computing/ztp-reference-cluster-configuration-for-vdu.adoc#ztp-du-configuring-host-firmware-requirements_sno-configure-for-vdu[Configuring host firmware for low latency and high performance]
+
+* xref:../../edge_computing/ztp-preparing-the-hub-cluster.adoc#ztp-preparing-the-ztp-git-repository_ztp-preparing-the-hub-cluster[Preparing the {ztp} site configuration repository]
+
+include::modules/ztp-using-pgt-to-maximize-power-saving-mode.adoc[leveloffset=+2]
+
+include::modules/ztp-provisioning-lvm-storage.adoc[leveloffset=+1]
+
+[id="ztp-advanced-policy-config-ptp_{context}"]
+== Configuring PTP events with PolicyGenTemplate CRs
+
+You can use the {ztp} pipeline to configure PTP events that use HTTP or AMQP transport.
+
+include::snippets/ptp-amq-interconnect-eol.adoc[]
+
+include::modules/ztp-configuring-ptp-fast-events.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../edge_computing/policygentemplate_for_ztp/ztp-advanced-policy-config.adoc#ztp-using-pgt-to-update-source-crs_ztp-advanced-policy-config[Using PolicyGenTemplate CRs to override source CRs content]
+
+include::modules/ztp-configuring-ptp-fast-events-amqp.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../networking/ptp/using-ptp-events.adoc#cnf-installing-amq-interconnect-messaging-bus_using-ptp-events[Installing the AMQ messaging bus]
+
+* xref:../../registry/index.adoc#registry-overview[{product-registry} overview]
+
+[id="ztp-advanced-policy-config-bare-metal_{context}"]
+== Configuring bare-metal events with PolicyGenTemplate CRs
+
+You can use the {ztp} pipeline to configure bare-metal events that use HTTP or AMQP transport.
+
+include::snippets/ptp-amq-interconnect-eol.adoc[]
+
+include::modules/ztp-configuring-hwevents-using-pgt.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../scalability_and_performance/using-rfhe.adoc#nw-rfhe-installing-operator-cli_using-rfhe[Installing the {redfish-operator} using the CLI]
+
+* xref:../../scalability_and_performance/using-rfhe.adoc#nw-rfhe-creating-hardware-event_using-rfhe[Creating the bare-metal event and Secret CRs]
+
+include::modules/ztp-creating-hwevents-amqp.adoc[leveloffset=+2]
+
+include::modules/ztp-add-local-reg-for-sno-duprofile.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../registry/index.adoc#registry-overview[{product-title} registry overview]
+
+include::modules/ztp-configuring-disk-partitioning.adoc[leveloffset=+2]
+
+include::modules/ztp-configuring-pgt-image-registry.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../registry/accessing-the-registry.adoc#accessing-the-registry[Accessing the registry]
+
+:!policy-gen-cr:
+:!policy-prefix:
+:!rangen-yaml-path:
+:!argocd-folder:
diff --git a/edge_computing/policygentemplate_for_ztp/ztp-configuring-managed-clusters-policies.adoc b/edge_computing/policygentemplate_for_ztp/ztp-configuring-managed-clusters-policies.adoc
new file mode 100644
index 000000000000..52af15ba607a
--- /dev/null
+++ b/edge_computing/policygentemplate_for_ztp/ztp-configuring-managed-clusters-policies.adoc
@@ -0,0 +1,74 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="ztp-configuring-managed-clusters-policies"]
+= Configuring managed cluster policies by using PolicyGenTemplate resources
+include::_attributes/common-attributes.adoc[]
+:context: ztp-configuring-managed-clusters-policies
+:policy-gen-cr: PolicyGenTemplate
+:policy-prefix:
+:argocd-folder: out/argocd/example/policygentemplates
+:placement-rule-cr: PlacementRule
+:binding-field: spec.bindingRules
+
+toc::[]
+
+Applied `Policy` custom resources (CRs) configure the managed clusters that you provision. You can customize how {rh-rhacm-first} uses `{policy-gen-cr}` CRs to generate the applied `Policy` CRs.
+
+include::snippets/pgt-deprecation-notice.adoc[]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc#ztp-configuring-managed-clusters-policygenerator[Configuring managed cluster policies by using PolicyGenerator resources]
+
+* xref:../../edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc#ztp-comparing-pgt-and-rhacm-pg-patching-strategies_ztp-configuring-managed-clusters-policygenerator[Comparing {rh-rhacm} PolicyGenerator and PolicyGenTemplate resource patching]
+
+include::modules/ztp-the-policygentemplate.adoc[leveloffset=+1]
+
+include::modules/ztp-pgt-config-best-practices.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* For recommendations about scaling clusters with {rh-rhacm}, see link:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/install/installing#performance-and-scalability[Performance and scalability].
+
+[NOTE]
+====
+When managing large numbers of spoke clusters on the hub cluster, minimize the number of policies to reduce resource consumption.
+
+Grouping multiple configuration CRs into a single or limited number of policies is one way to reduce the overall number of policies on the hub cluster. When using the common, group, and site hierarchy of policies for managing site configuration, it is especially important to combine site-specific configurations into a single policy.
+====
+
+include::modules/ztp-policygentemplates-for-ran.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../edge_computing/ztp-preparing-the-hub-cluster.adoc#ztp-preparing-the-ztp-git-repository_ztp-preparing-the-hub-cluster[Preparing the {ztp} site configuration repository]
+
+include::modules/ztp-customizing-a-managed-site-using-pgt.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../edge_computing/policygenerator_for_ztp/ztp-advanced-policygenerator-config.adoc#ztp-creating-a-validator-inform-policy_ztp-advanced-policy-config[Signalling {ztp} cluster deployment completion with validator inform policies]
+
+include::modules/ztp-monitoring-policy-deployment-progress.adoc[leveloffset=+1]
+
+include::modules/ztp-validating-the-generation-of-configuration-policy-crs.adoc[leveloffset=+1]
+
+include::modules/ztp-restarting-policies-reconciliation.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* For information about using {cgu-operator-first} to construct your own `ClusterGroupUpgrade` CR, see xref:../../edge_computing/cnf-talm-for-cluster-upgrades.adoc#talo-about-cgu-crs_cnf-topology-aware-lifecycle-manager[About the ClusterGroupUpgrade CR].
+
+include::modules/ztp-removing-content-from-managed-clusters.adoc[leveloffset=+1]
+
+include::modules/ztp-definition-of-done-for-ztp-installations.adoc[leveloffset=+1]
+
+:!policy-gen-cr:
+:!policy-prefix:
+:!argocd-folder:
+:!placement-rule-cr:
+:!binding-field:
diff --git a/edge_computing/policygentemplate_for_ztp/ztp-talm-updating-managed-policies.adoc b/edge_computing/policygentemplate_for_ztp/ztp-talm-updating-managed-policies.adoc
new file mode 100644
index 000000000000..6b9309e3c458
--- /dev/null
+++ b/edge_computing/policygentemplate_for_ztp/ztp-talm-updating-managed-policies.adoc
@@ -0,0 +1,74 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="ztp-topology-aware-lifecycle-manager"]
+= Updating managed clusters in a disconnected environment with PolicyGenTemplate resources and TALM
+include::_attributes/common-attributes.adoc[]
+:context: ztp-talm
+:policy-gen-cr: PolicyGenTemplate
+:policy-prefix:
+:rangen-yaml-path: spec.sourceFiles
+
+toc::[]
+
+You can use the {cgu-operator-first} to manage the software lifecycle of managed clusters that you have deployed by using {ztp-first} and {cgu-operator-first}.
+{cgu-operator} uses {rh-rhacm-first} {policy-gen-cr} policies to manage and control changes applied to target clusters.
+
+include::snippets/pgt-deprecation-notice.adoc[]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc#ztp-configuring-managed-clusters-policygenerator[Configuring managed cluster policies by using PolicyGenerator resources]
+
+* xref:../../edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc#ztp-comparing-pgt-and-rhacm-pg-patching-strategies_ztp-configuring-managed-clusters-policygenerator[Comparing {rh-rhacm} PolicyGenerator and PolicyGenTemplate resource patching]
+
+* xref:../../edge_computing/cnf-talm-for-cluster-upgrades.adoc#cnf-about-topology-aware-lifecycle-manager-config_cnf-topology-aware-lifecycle-manager[About the {cgu-operator-full}]
+
+include::modules/cnf-topology-aware-lifecycle-manager-preparing-for-updates.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../edge_computing/ztp-updating-gitops.adoc#ztp-updating-gitops[Upgrading {ztp}]
+
+* xref:../../installing/disconnected_install/installing-mirroring-installation-images.adoc#installation-mirror-repository_installing-mirroring-installation-images[Mirroring the {product-title} image repository]
+
+* xref:../../installing/disconnected_install/installing-mirroring-installation-images.adoc#olm-mirror-catalog_installing-mirroring-installation-images[Mirroring Operator catalogs for use with disconnected clusters]
+
+* xref:../../edge_computing/ztp-preparing-the-hub-cluster.adoc#ztp-preparing-the-hub-cluster[Preparing the disconnected environment]
+
+* xref:../../updating/understanding_updates/understanding-update-channels-release.adoc#understanding-update-channels-releases[Understanding update channels and releases]
+
+include::modules/cnf-topology-aware-lifecycle-manager-platform-update.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../edge_computing/ztp-preparing-the-hub-cluster.adoc#ztp-acm-adding-images-to-mirror-registry_ztp-preparing-the-hub-cluster[Preparing the disconnected environment]
+
+include::modules/cnf-topology-aware-lifecycle-manager-operator-update.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../edge_computing/ztp-updating-gitops.adoc#ztp-updating-gitops[Upgrading {ztp}]
+
+include::modules/cnf-topology-aware-lifecycle-manager-operator-troubleshooting.adoc[leveloffset=+1]
+
+include::modules/cnf-topology-aware-lifecycle-manager-operator-and-platform-update.adoc[leveloffset=+1]
+
+include::modules/cnf-topology-aware-lifecycle-manager-pao-update.adoc[leveloffset=+1]
+
+include::modules/cnf-topology-aware-lifecycle-manager-precache-user-spec-images.adoc[leveloffset=+1]
+
+include::modules/cnf-topology-aware-lifecycle-manager-creating-custom-resources.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../edge_computing/cnf-talm-for-cluster-upgrades.adoc#talo-precache-feature-concept_cnf-topology-aware-lifecycle-manager[Using the container image precache feature]
+
+include::modules/cnf-topology-aware-lifecycle-manager-autocreate-cgu-cr-ztp.adoc[leveloffset=+1]
+
+:!policy-gen-cr:
+:!policy-prefix:
+:!rangen-yaml-path:
diff --git a/edge_computing/ztp-advanced-install-ztp.adoc b/edge_computing/ztp-advanced-install-ztp.adoc
index f6cc2dc9a98a..0374aea69c97 100644
--- a/edge_computing/ztp-advanced-install-ztp.adoc
+++ b/edge_computing/ztp-advanced-install-ztp.adoc
@@ -12,4 +12,4 @@ include::modules/ztp-customizing-the-install-extra-manifests.adoc[leveloffset=+1
 
 include::modules/ztp-filtering-ai-crs-using-siteconfig.adoc[leveloffset=+1]
 
-include::modules/ztp-deleting-node-using-siteconfig.adoc[leveloffset=+1]
\ No newline at end of file
+include::modules/ztp-deleting-node-using-siteconfig.adoc[leveloffset=+1]
diff --git a/edge_computing/ztp-advanced-policy-config.adoc b/edge_computing/ztp-advanced-policy-config.adoc
deleted file mode 100644
index 8a41c0707c96..000000000000
--- a/edge_computing/ztp-advanced-policy-config.adoc
+++ /dev/null
@@ -1,124 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-[id="ztp-advanced-policy-config"]
-= Advanced managed cluster configuration with PolicyGenTemplate resources
-include::_attributes/common-attributes.adoc[]
-:context: ztp-advanced-policy-config
-
-toc::[]
-
-You can use `PolicyGenTemplate` CRs to deploy custom functionality in your managed clusters.
-
-include::modules/ztp-deploying-additional-changes-to-clusters.adoc[leveloffset=+1]
-
-[role="_additional-resources"]
-.Additional resources
-
-* xref:../edge_computing/ztp-advanced-install-ztp.adoc#ztp-customizing-the-install-extra-manifests_ztp-advanced-install-ztp[Customizing extra installation manifests in the {ztp} pipeline]
-
-include::modules/ztp-using-pgt-to-update-source-crs.adoc[leveloffset=+1]
-
-include::modules/ztp-adding-new-content-to-gitops-ztp.adoc[leveloffset=+1]
-
-include::modules/ztp-configuring-pgt-compliance-eval-timeouts.adoc[leveloffset=+1]
-
-include::modules/ztp-creating-a-validator-inform-policy.adoc[leveloffset=+1]
-
-[role="_additional-resources"]
-.Additional resources
-
-* xref:../edge_computing/ztp-updating-gitops.adoc#ztp-updating-gitops[Upgrading {ztp}]
-
-include::modules/ztp-using-pgt-to-configure-power-states.adoc[leveloffset=+1]
-
-[role="_additional-resources"]
-.Additional resources
-
-* xref:../scalability_and_performance/low_latency_tuning/cnf-tuning-low-latency-nodes-with-perf-profile.adoc#configuring-workload-hints_cnf-low-latency-perf-profile[Configuring node power consumption and realtime processing with workload hints]
-
-include::modules/ztp-using-pgt-to-configure-performance-mode.adoc[leveloffset=+2]
-
-include::modules/ztp-using-pgt-to-configure-high-performance-mode.adoc[leveloffset=+2]
-
-include::modules/ztp-using-pgt-to-configure-power-saving-mode.adoc[leveloffset=+2]
-
-[role="_additional-resources"]
-.Additional resources
-
-* xref:../scalability_and_performance/low_latency_tuning/cnf-tuning-low-latency-nodes-with-perf-profile.adoc#cnf-configuring-power-saving-for-nodes_cnf-low-latency-perf-profile[Configuring power saving for nodes that run colocated high and low priority workloads]
-
-* xref:../edge_computing/ztp-reference-cluster-configuration-for-vdu.adoc#ztp-du-configuring-host-firmware-requirements_sno-configure-for-vdu[Configuring host firmware for low latency and high performance]
-
-* xref:../edge_computing/ztp-preparing-the-hub-cluster.adoc#ztp-preparing-the-ztp-git-repository_ztp-preparing-the-hub-cluster[Preparing the {ztp} site configuration repository]
-
-include::modules/ztp-using-pgt-to-maximize-power-saving-mode.adoc[leveloffset=+2]
-
-include::modules/ztp-provisioning-lvm-storage.adoc[leveloffset=+1]
-
-[id="ztp-advanced-policy-config-ptp_{context}"]
-== Configuring PTP events with PolicyGenTemplate CRs
-
-You can use the {ztp} pipeline to configure PTP events that use HTTP or AMQP transport.
-
-include::snippets/ptp-amq-interconnect-eol.adoc[]
-
-include::modules/ztp-configuring-ptp-fast-events.adoc[leveloffset=+2]
-
-[role="_additional-resources"]
-.Additional resources
-
-* xref:../edge_computing/ztp-advanced-policy-config.adoc#ztp-using-pgt-to-update-source-crs_ztp-advanced-policy-config[Using PolicyGenTemplate CRs to override source CRs content]
-
-include::modules/ztp-configuring-ptp-fast-events-amqp.adoc[leveloffset=+2]
-
-[role="_additional-resources"]
-.Additional resources
-
-* xref:../networking/ptp/using-ptp-events.adoc#cnf-installing-amq-interconnect-messaging-bus_using-ptp-events[Installing the AMQ messaging bus]
-* For more information about container image registries, see xref:../registry/index.adoc#registry-overview[{product-registry} overview].
-
-[id="ztp-advanced-policy-config-bare-metal_{context}"]
-== Configuring bare-metal events with PolicyGenTemplate CRs
-
-You can use the {ztp} pipeline to configure bare-metal events that use HTTP or AMQP transport.
-
-include::snippets/ptp-amq-interconnect-eol.adoc[]
-
-include::modules/ztp-configuring-hwevents-using-pgt.adoc[leveloffset=+2]
-
-[role="_additional-resources"]
-.Additional resources
-
-* xref:../scalability_and_performance/using-rfhe.adoc#nw-rfhe-installing-operator-cli_using-rfhe[Installing the {redfish-operator} using the CLI]
-
-* xref:../scalability_and_performance/using-rfhe.adoc#nw-rfhe-creating-hardware-event_using-rfhe[Creating the bare-metal event and Secret CRs]
-
-include::modules/ztp-creating-hwevents-amqp.adoc[leveloffset=+2]
-
-include::modules/ztp-add-local-reg-for-sno-duprofile.adoc[leveloffset=+1]
-
-[role="_additional-resources"]
-.Additional resources
-
-* xref:../registry/index.adoc#registry-overview[{product-title} registry overview].
-
-include::modules/ztp-configuring-disk-partitioning.adoc[leveloffset=+2]
-
-include::modules/ztp-configuring-pgt-image-registry.adoc[leveloffset=+2]
-
-[role="_additional-resources"]
-.Additional resources
-
-* xref:../registry/accessing-the-registry.adoc#accessing-the-registry[Accessing the registry]
-
-include::modules/ztp-using-hub-cluster-templates.adoc[leveloffset=+1]
-
-[role="_additional-resources"]
-.Additional resources
-
-* link:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/{rh-rhacm-version}/html-single/governance/index#hub-templates[{rh-rhacm} support for hub cluster templates in configuration policies]
-
-include::modules/ztp-example-hub-template-functions.adoc[leveloffset=+2]
-
-include::modules/ztp-specifying-nics-in-pgt-crs-with-hub-cluster-templates.adoc[leveloffset=+2]
-
-include::modules/ztp-syncing-new-configmap-changes-to-existing-pgt-crs.adoc[leveloffset=+2]
diff --git a/edge_computing/ztp-deploying-far-edge-clusters-at-scale.adoc b/edge_computing/ztp-deploying-far-edge-clusters-at-scale.adoc
index 1d6dfe112e60..706fc291add5 100644
--- a/edge_computing/ztp-deploying-far-edge-clusters-at-scale.adoc
+++ b/edge_computing/ztp-deploying-far-edge-clusters-at-scale.adoc
@@ -3,6 +3,7 @@
 = Challenges of the network far edge
 include::_attributes/common-attributes.adoc[]
 :context: ztp-deploying-far-edge-clusters-at-scale
+:policy-gen-cr: PolicyGenerator
 
 toc::[]
 
@@ -16,7 +17,15 @@ include::modules/ztp-creating-ztp-crs-for-multiple-managed-clusters.adoc[levelof
 
 include::modules/ztp-configuring-cluster-policies.adoc[leveloffset=+1]
 
+include::snippets/pgt-deprecation-notice.adoc[]
+
 [role="_additional-resources"]
 .Additional resources
 
-* For more information about extracting the reference `SiteConfig` and `PolicyGenTemplate` CRs from the `ztp-site-generate` container image, see xref:../edge_computing/ztp-preparing-the-hub-cluster.adoc#ztp-preparing-the-ztp-git-repository_ztp-preparing-the-hub-cluster[Preparing the ZTP Git repository].
+* xref:../edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc#ztp-configuring-managed-clusters-policygenerator[Configuring managed cluster policies by using PolicyGenerator resources]
+
+* xref:../edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc#ztp-comparing-pgt-and-rhacm-pg-patching-strategies_ztp-configuring-managed-clusters-policygenerator[Comparing {rh-rhacm} PolicyGenerator and PolicyGenTemplate resource patching]
+
+* xref:../edge_computing/ztp-preparing-the-hub-cluster.adoc#ztp-preparing-the-ztp-git-repository_ztp-preparing-the-hub-cluster[Preparing the {ztp} Git repository]
+
+:!policy-gen-cr:
diff --git a/edge_computing/ztp-deploying-far-edge-sites.adoc b/edge_computing/ztp-deploying-far-edge-sites.adoc
index 09b2caedd8bf..bb4a4a49745b 100644
--- a/edge_computing/ztp-deploying-far-edge-sites.adoc
+++ b/edge_computing/ztp-deploying-far-edge-sites.adoc
@@ -8,6 +8,15 @@ toc::[]
 
 You can provision {product-title} clusters at scale with {rh-rhacm-first} using the assisted service and the GitOps plugin policy generator with core-reduction technology enabled. The {ztp-first} pipeline performs the cluster installations. {ztp} can be used in a disconnected environment.
 
+include::snippets/pgt-deprecation-notice.adoc[]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc#ztp-configuring-managed-clusters-policygenerator[Configuring managed cluster policies by using PolicyGenerator resources]
+
+* xref:../edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc#ztp-comparing-pgt-and-rhacm-pg-patching-strategies_ztp-configuring-managed-clusters-policygenerator[Comparing {rh-rhacm} PolicyGenerator and PolicyGenTemplate resource patching]
+
 include::modules/ztp-talo-integration.adoc[leveloffset=+1]
 
 include::modules/ztp-ztp-building-blocks.adoc[leveloffset=+1]
@@ -28,6 +37,19 @@ include::modules/ztp-deploying-a-site.adoc[leveloffset=+1]
 
 * xref:../edge_computing/ztp-deploying-far-edge-sites.adoc#ztp-sno-siteconfig-config-reference_ztp-deploying-far-edge-sites[{sno-caps} SiteConfig CR installation reference]
 
+include::modules/ztp-sno-accelerated-ztp.adoc[leveloffset=+2]
+
+include::modules/ztp-configuring-ipsec-using-ztp-and-siteconfig.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../networking/network_security/configuring-ipsec-ovn.adoc#configuring-ipsec-ovn[Configuring IPsec encryption]
+
+* xref:../networking/network_security/configuring-ipsec-ovn.adoc#nw-ovn-ipsec-encryption_configuring-ipsec-ovn[Encryption protocol and IPsec mode]
+
+* xref:../edge_computing/ztp-deploying-far-edge-sites.adoc#ztp-deploying-far-edge-sites[Installing managed clusters with {rh-rhacm} and SiteConfig resources]
+
 include::modules/ztp-sno-siteconfig-config-reference.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
@@ -39,7 +61,7 @@ include::modules/ztp-sno-siteconfig-config-reference.adoc[leveloffset=+2]
 
 * xref:../edge_computing/ztp-preparing-the-hub-cluster.adoc#ztp-configuring-hub-cluster-with-argocd_ztp-preparing-the-hub-cluster[Configuring the hub cluster with ArgoCD]
 
-* xref:../edge_computing/ztp-advanced-policy-config.adoc#ztp-creating-a-validator-inform-policy_ztp-advanced-policy-config[Signalling ZTP cluster deployment completion with validator inform policies]
+* xref:../edge_computing/policygenerator_for_ztp/ztp-advanced-policygenerator-config.adoc#ztp-creating-a-validator-inform-policy_ztp-advanced-policy-config[Signalling {ztp} cluster deployment completion with validator inform policies]
 
 * xref:../edge_computing/ztp-manual-install.adoc#ztp-creating-the-site-secrets_ztp-manual-install[Creating the managed bare-metal host secrets]
 
diff --git a/edge_computing/ztp-image-based-upgrade.adoc b/edge_computing/ztp-image-based-upgrade.adoc
deleted file mode 100644
index 22ba2a1610d0..000000000000
--- a/edge_computing/ztp-image-based-upgrade.adoc
+++ /dev/null
@@ -1,73 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-[id="ztp-image-based-upgrade-for-sno"]
-= Image-based upgrade for {sno} clusters
-include::_attributes/common-attributes.adoc[]
-:context: ztp-image-based-upgrade
-
-toc::[]
-
-You can use the {lcao} to perform an image-based upgrade on managed {sno} clusters.
-
-:FeatureName: The Lifecycle Agent
-
-// Lifecycle Agent (LCAO)
-
-include::modules/ztp-image-based-upgrade.adoc[leveloffset=+1]
-
-include::modules/ztp-image-based-upgrade-installing-lifecycle-agent-using-cli.adoc[leveloffset=+2]
-
-include::modules/ztp-image-based-upgrade-installing-lifecycle-agent-using-web-console.adoc[leveloffset=+2]
-
-include::modules/ztp-image-based-upgrade-share-container-directory.adoc[leveloffset=+2]
-
-[role="_additional-resources"]
-.Additional resources
-
-* link:https://www.redhat.com/en/blog/a-guide-to-creating-a-separate-disk-partition-at-installation-time[A Guide for Creating a Separate-disk Partition at Installation Time]
-
-include::modules/ztp-image-based-upgrade-generate-seed-image.adoc[leveloffset=+2]
-
-[role="_additional-resources"]
-.Additional resources
-
-* link:https://www.redhat.com/en/blog/a-guide-to-creating-a-separate-disk-partition-at-installation-time[A Guide for Creating a Separate-disk Partition at Installation Time]
-
-* xref:../edge_computing/ztp-talm-updating-managed-policies.adoc#ztp-image-based-upgrade-shared-container-directory_ztp-image-based-upgrade[Sharing the container directory between `ostree` stateroots]
-
-* xref:../backup_and_restore/application_backup_and_restore/installing/oadp-installing-operator.adoc#oadp-installing-operator-doc[Installing the OADP Operator]
-
-include::modules/ztp-image-based-upgrade-prep.adoc[leveloffset=+2]
-
-[role="_additional-resources"]
-.Additional resources
-
-* link:https://www.redhat.com/en/blog/a-guide-to-creating-a-separate-disk-partition-at-installation-time[A Guide for Creating a Separate-disk Partition at Installation Time]
-
-* xref:../scalability_and_performance/scalability_and_performance/ztp_far_edge/ztp-image-based-upgrade#ztp-image-based-upgrade-shared-container-directory_ztp-image-based-upgrade[Sharing the container directory between `ostree` stateroots]
-
-* xref:../backup_and_restore/application_backup_and_restore/installing/installing-oadp-ocs.adoc#oadp-about-backup-snapshot-locations_installing-oadp-ocs[About backup and snapshot locations and their secrets]
-
-* xref:../backup_and_restore/application_backup_and_restore/backing_up_and_restoring/oadp-creating-backup-cr.adoc#oadp-creating-backup-cr-doc[Creating a Backup CR]
-
-* xref:../backup_and_restore/application_backup_and_restore/backing_up_and_restoring/restoring-applications.adoc#oadp-creating-restore-cr_restoring-applications[Creating a Restore CR]
-
-include::modules/ztp-image-based-upgrade-with-backup.adoc[leveloffset=+2]
-
-include::modules/ztp-image-based-upgrade-rollback.adoc[leveloffset=+2]
-
-include::modules/ztp-image-based-upgrade-talm.adoc[leveloffset=+2]
-
-[role="_additional-resources"]
-.Additional resources
-
-* xref:../edge_computing/ztp-preparing-the-hub-cluster.adoc#ztp-preparing-the-ztp-git-repository-ver-ind_ztp-preparing-the-hub-cluster[Preparing the GitOps ZTP site configuration repository for version independence]
-
-* xref:../edge_computing/ztp_far_edge/ztp-image-based-upgrade#ztp-image-based-upgrade-prep_ztp-image-based-upgrade[Preparing the single-node OpenShift cluster for the image-based upgrade]
-
-* xref:../edge_computing/ztp_far_edge/ztp-image-based-upgrade#ztp-image-based-upgrade-shared-container-directory_ztp-image-based-upgrade[Sharing the container directory between `ostree` stateroots]
-
-* xref:../backup_and_restore/application_backup_and_restore/installing/installing-oadp-ocs.adoc#oadp-about-backup-snapshot-locations_installing-oadp-ocs[About backup and snapshot locations and their secrets]
-
-* xref:../backup_and_restore/application_backup_and_restore/backing_up_and_restoring/oadp-creating-backup-cr.adoc#oadp-creating-backup-cr-doc[Creating a Backup CR]
-
-* xref:../backup_and_restore/application_backup_and_restore/backing_up_and_restoring/restoring-applications.adoc#oadp-creating-restore-cr_restoring-applications[Creating a Restore CR]
diff --git a/edge_computing/ztp-manual-install.adoc b/edge_computing/ztp-manual-install.adoc
index e78d675a99b2..e686f8dd3c5f 100644
--- a/edge_computing/ztp-manual-install.adoc
+++ b/edge_computing/ztp-manual-install.adoc
@@ -1,8 +1,10 @@
 :_mod-docs-content-type: ASSEMBLY
 [id="ztp-manual-install"]
-= Manually installing a {sno} cluster with ZTP
+= Manually installing a {sno} cluster with {ztp}
 include::_attributes/common-attributes.adoc[]
 :context: ztp-manual-install
+:policy-gen-cr: PolicyGenerator
+:policy-prefix: acm-
 
 toc::[]
 
@@ -42,12 +44,15 @@ include::modules/ztp-manually-install-a-single-managed-cluster.adoc[leveloffset=
 
 * xref:../edge_computing/ztp-reference-cluster-configuration-for-vdu.adoc#ztp-managed-cluster-network-prereqs_sno-configure-for-vdu[Connectivity prerequisites for managed cluster networks]
 
-* xref:../storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc#lvms-preface-sno-ran_logical-volume-manager-storage[Deploying LVM Storage on single-node OpenShift clusters]
+* xref:../storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc#lvms-preface-sno-ran_logical-volume-manager-storage[Deploying LVM Storage on {sno} clusters]
 
-* xref:../edge_computing/ztp-advanced-policy-config.adoc#ztp-provisioning-lvm-storage_ztp-advanced-policy-config[Configuring LVM Storage using PolicyGenTemplate CRs]
+* xref:../edge_computing/policygenerator_for_ztp/ztp-advanced-policygenerator-config.adoc#ztp-provisioning-lvm-storage_ztp-advanced-policy-config[Configuring {lvms} using {policy-gen-cr} CRs]
 
 include::modules/ztp-checking-the-managed-cluster-status.adoc[leveloffset=+1]
 
 include::modules/ztp-troubleshooting-the-managed-cluster.adoc[leveloffset=+1]
 
 include::modules/ztp-installation-crs.adoc[leveloffset=+1]
+
+:!policy-gen-cr:
+:!policy-prefix:
diff --git a/edge_computing/ztp-preparing-the-hub-cluster.adoc b/edge_computing/ztp-preparing-the-hub-cluster.adoc
index 1674ae386c3a..ae27b2f852e1 100644
--- a/edge_computing/ztp-preparing-the-hub-cluster.adoc
+++ b/edge_computing/ztp-preparing-the-hub-cluster.adoc
@@ -1,6 +1,6 @@
 :_mod-docs-content-type: ASSEMBLY
 [id="ztp-preparing-the-hub-cluster"]
-= Preparing the hub cluster for ZTP
+= Preparing the hub cluster for {ztp}
 include::_attributes/common-attributes.adoc[]
 :context: ztp-preparing-the-hub-cluster
 
@@ -52,4 +52,13 @@ include::modules/ztp-preparing-the-hub-cluster-for-ztp.adoc[leveloffset=+1]
 
 include::modules/ztp-preparing-the-ztp-git-repository.adoc[leveloffset=+1]
 
-include::modules/ztp-preparing-the-ztp-git-repository-ver-ind.adoc[leveloffset=+2]
+include::snippets/pgt-deprecation-notice.adoc[]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc#ztp-configuring-managed-clusters-policygenerator[Configuring managed cluster policies by using PolicyGenerator resources]
+
+* xref:../edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc#ztp-comparing-pgt-and-rhacm-pg-patching-strategies_ztp-configuring-managed-clusters-policygenerator[Comparing {rh-rhacm} PolicyGenerator and PolicyGenTemplate resource patching]
+
+include::modules/ztp-preparing-the-ztp-git-repository-ver-ind.adoc[leveloffset=+1]
diff --git a/edge_computing/ztp-reference-cluster-configuration-for-vdu.adoc b/edge_computing/ztp-reference-cluster-configuration-for-vdu.adoc
index 47d0b3c0bb85..98e2c95a1718 100644
--- a/edge_computing/ztp-reference-cluster-configuration-for-vdu.adoc
+++ b/edge_computing/ztp-reference-cluster-configuration-for-vdu.adoc
@@ -48,8 +48,6 @@ include::modules/ztp-sno-du-configuring-the-container-mountspace.adoc[leveloffse
 
 include::modules/ztp-sno-du-enabling-sctp.adoc[leveloffset=+2]
 
-include::modules/ztp-sno-du-accelerating-container-startup.adoc[leveloffset=+2]
-
 include::modules/ztp-sno-du-setting-rcu-normal.adoc[leveloffset=+2]
 
 include::modules/ztp-sno-du-enabling-kdump.adoc[leveloffset=+2]
diff --git a/edge_computing/ztp-sno-additional-worker-node.adoc b/edge_computing/ztp-sno-additional-worker-node.adoc
index 27e0839e0598..e795be90ea74 100644
--- a/edge_computing/ztp-sno-additional-worker-node.adoc
+++ b/edge_computing/ztp-sno-additional-worker-node.adoc
@@ -1,4 +1,3 @@
-:_mod-docs-content-type: ASSEMBLY
 [id="ztp-sno-additional-worker-node"]
 = Expanding {sno} clusters with {ztp}
 include::_attributes/common-attributes.adoc[]
@@ -36,6 +35,12 @@ include::modules/ztp-worker-node-daemon-selector-compatibility.adoc[leveloffset=
 
 include::modules/ztp-worker-node-node-selector-compatibility.adoc[leveloffset=+1]
 
+:policy-gen-cr: PolicyGenerator
+include::modules/ztp-worker-node-preparing-policies.adoc[leveloffset=+1]
+
+:policy-gen-cr: PolicyGenTemplate
 include::modules/ztp-worker-node-preparing-policies.adoc[leveloffset=+1]
 
 include::modules/ztp-adding-worker-nodes.adoc[leveloffset=+1]
+
+:!policy-gen-cr:
diff --git a/edge_computing/ztp-talm-updating-managed-policies.adoc b/edge_computing/ztp-talm-updating-managed-policies.adoc
deleted file mode 100644
index 1058b61673c8..000000000000
--- a/edge_computing/ztp-talm-updating-managed-policies.adoc
+++ /dev/null
@@ -1,64 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-[id="ztp-topology-aware-lifecycle-manager"]
-= Updating managed clusters in a disconnected environment with the {cgu-operator-full}
-include::_attributes/common-attributes.adoc[]
-:context: ztp-talm
-
-toc::[]
-
-You can use the {cgu-operator-first} to manage the software lifecycle of {product-title} managed clusters. {cgu-operator} uses {rh-rhacm-first} policies to perform changes on the target clusters.
-
-:FeatureName: The Topology Aware Lifecycle Manager
-
-[role="_additional-resources"]
-.Additional resources
-
-* For more information about the {cgu-operator-full}, see xref:../edge_computing/cnf-talm-for-cluster-upgrades.adoc#cnf-about-topology-aware-lifecycle-manager-config_cnf-topology-aware-lifecycle-manager[About the {cgu-operator-full}].
-
-include::modules/cnf-topology-aware-lifecycle-manager-preparing-for-updates.adoc[leveloffset=+1]
-
-[role="_additional-resources"]
-.Additional resources
-
-* For more information about how to update {ztp-first}, see xref:../edge_computing/ztp-updating-gitops.adoc#ztp-updating-gitops[Upgrading {ztp}].
-
-* For more information about how to mirror an {product-title} image repository, see xref:../installing/disconnected_install/installing-mirroring-installation-images.adoc#installation-mirror-repository_installing-mirroring-installation-images[Mirroring the {product-title} image repository].
-
-* For more information about how to mirror Operator catalogs for disconnected clusters, see xref:../installing/disconnected_install/installing-mirroring-installation-images.adoc#olm-mirror-catalog_installing-mirroring-installation-images[Mirroring Operator catalogs for use with disconnected clusters].
-
-* For more information about how to prepare the disconnected environment and mirroring the desired image repository, see xref:../edge_computing/ztp-preparing-the-hub-cluster.adoc#ztp-preparing-the-hub-cluster[Preparing the disconnected environment].
-
-* For more information about update channels and releases, see xref:../updating/understanding_updates/understanding-update-channels-release.adoc#understanding-update-channels-releases[Understanding update channels and releases].
-
-include::modules/cnf-topology-aware-lifecycle-manager-platform-update.adoc[leveloffset=+2]
-
-[role="_additional-resources"]
-.Additional resources
-
-* For more information about mirroring the images in a disconnected environment, see xref:../edge_computing/ztp-preparing-the-hub-cluster.adoc#ztp-acm-adding-images-to-mirror-registry_ztp-preparing-the-hub-cluster[Preparing the disconnected environment].
-
-include::modules/cnf-topology-aware-lifecycle-manager-operator-update.adoc[leveloffset=+2]
-
-[role="_additional-resources"]
-.Additional resources
-
-* For more information about updating {ztp}, see xref:../edge_computing/ztp-updating-gitops.adoc#ztp-updating-gitops[Upgrading {ztp}].
-
-* xref:../edge_computing/ztp-talm-updating-managed-policies.adoc#cnf-topology-aware-lifecycle-manager-operator-troubleshooting_ztp-talm[Troubleshooting missed Operator updates due to out-of-date policy compliance states].
-
-include::modules/cnf-topology-aware-lifecycle-manager-operator-troubleshooting.adoc[leveloffset=+3]
-
-include::modules/cnf-topology-aware-lifecycle-manager-operator-and-platform-update.adoc[leveloffset=+2]
-
-include::modules/cnf-topology-aware-lifecycle-manager-pao-update.adoc[leveloffset=+2]
-
-include::modules/cnf-topology-aware-lifecycle-manager-precache-user-spec-images.adoc[leveloffset=+2]
-
-include::modules/cnf-topology-aware-lifecycle-manager-creating-custom-resources.adoc[leveloffset=+2]
-
-[role="_additional-resources"]
-.Additional resources
-
-* For more information about the {cgu-operator} precaching workflow, see xref:../edge_computing/cnf-talm-for-cluster-upgrades.adoc#talo-precache-feature-concept_cnf-topology-aware-lifecycle-manager[Using the container image precache feature].
-
-include::modules/cnf-topology-aware-lifecycle-manager-autocreate-cgu-cr-ztp.adoc[leveloffset=+1]
diff --git a/edge_computing/ztp-updating-gitops.adoc b/edge_computing/ztp-updating-gitops.adoc
index 04e62409ec1f..5f1091e355f5 100644
--- a/edge_computing/ztp-updating-gitops.adoc
+++ b/edge_computing/ztp-updating-gitops.adoc
@@ -13,6 +13,15 @@ You can update the {ztp-first} infrastructure independently from the hub cluster
 You can update the {gitops-title} Operator when new versions become available. When updating the {ztp} plugin, review the updated files in the reference configuration and ensure that the changes meet your requirements.
 ====
 
+include::snippets/pgt-deprecation-notice.adoc[]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc#ztp-configuring-managed-clusters-policygenerator[Configuring managed cluster policies by using PolicyGenerator resources]
+
+* xref:../edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc#ztp-comparing-pgt-and-rhacm-pg-patching-strategies_ztp-configuring-managed-clusters-policygenerator[Comparing {rh-rhacm} PolicyGenerator and PolicyGenTemplate resource patching]
+
 include::modules/ztp-updating-gitops-ztp.adoc[leveloffset=+1]
 
 include::modules/ztp-preparing-for-the-gitops-ztp-upgrade.adoc[leveloffset=+1]
@@ -32,4 +41,4 @@ include::modules/ztp-roll-out-the-configuration-changes.adoc[leveloffset=+1]
 
 * For information about the {cgu-operator-first}, see xref:../edge_computing/cnf-talm-for-cluster-upgrades.adoc#cnf-about-topology-aware-lifecycle-manager-config_cnf-topology-aware-lifecycle-manager[About the {cgu-operator-full} configuration].
 
-* For information about creating `ClusterGroupUpgrade` CRs, see xref:../edge_computing/ztp-talm-updating-managed-policies.adoc#talo-precache-autocreated-cgu-for-ztp_ztp-talm[About the auto-created ClusterGroupUpgrade CR for ZTP].
+* For information about creating `ClusterGroupUpgrade` CRs, see xref:../edge_computing/policygentemplate_for_ztp/ztp-talm-updating-managed-policies.adoc#talo-precache-autocreated-cgu-for-ztp_ztp-talm[About the auto-created ClusterGroupUpgrade CR for {ztp}].
diff --git a/edge_computing/ztp-using-hub-cluster-templates.adoc b/edge_computing/ztp-using-hub-cluster-templates.adoc
new file mode 100644
index 000000000000..b4057d5d02b3
--- /dev/null
+++ b/edge_computing/ztp-using-hub-cluster-templates.adoc
@@ -0,0 +1,40 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="ztp-using-hub-cluster-templates-pgt"]
+= Using hub templates in PolicyGenerator or PolicyGenTemplate CRs
+include::_attributes/common-attributes.adoc[]
+:context: hub-cluster-templates-pgt
+
+toc::[]
+
+{cgu-operator-full} supports partial {rh-rhacm-first} hub cluster template functions in configuration policies used with {ztp-first}.
+
+Hub-side cluster templates allow you to define configuration policies that can be dynamically customized to the target clusters.
+This reduces the need to create separate policies for many clusters with similiar configurations but with different values.
+
+[IMPORTANT]
+====
+Policy templates are restricted to the same namespace as the namespace where the policy is defined.
+This means you must create the objects referenced in the hub template in the same namespace where the policy is created.
+====
+
+include::snippets/pgt-deprecation-notice.adoc[]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc#ztp-configuring-managed-clusters-policygenerator[Configuring managed cluster policies by using PolicyGenerator resources]
+
+* xref:../edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc#ztp-comparing-pgt-and-rhacm-pg-patching-strategies_ztp-configuring-managed-clusters-policygenerator[Comparing {rh-rhacm} PolicyGenerator and PolicyGenTemplate resource patching]
+
+include::modules/ztp-using-rhacm-hub-cluster-templates.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* link:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/{rh-rhacm-version}/html-single/governance/index#hub-templates[{rh-rhacm} support for hub cluster templates in configuration policies]
+
+include::modules/ztp-example-hub-template-functions.adoc[leveloffset=+1]
+
+include::modules/ztp-specifying-nics-in-pgt-crs-with-hub-cluster-templates.adoc[leveloffset=+1]
+
+include::modules/ztp-syncing-new-configmap-changes-to-existing-pgt-crs.adoc[leveloffset=+1]
diff --git a/getting_started/openshift-overview.adoc b/getting_started/openshift-overview.adoc
index 41c30a3663c3..77287976f9c7 100644
--- a/getting_started/openshift-overview.adoc
+++ b/getting_started/openshift-overview.adoc
@@ -91,7 +91,7 @@ of the {product-title} {product-version} control plane. See how {product-title}
 works in {product-title}. {product-title} supports multiple identity providers.
 
 * **xref:../networking/understanding-networking.adoc#understanding-networking[Manage networking]**: The cluster network in {product-title} is managed by the xref:../networking/cluster-network-operator.adoc#cluster-network-operator[Cluster Network Operator] (CNO). The CNO uses iptables rules in xref:../networking/openshift_sdn/configuring-kube-proxy.adoc#configuring-kube-proxy[kube-proxy] to direct traffic between nodes and pods running on those nodes. The Multus Container Network Interface adds the capability to attach xref:../networking/multiple_networks/understanding-multiple-networks.adoc#understanding-multiple-networks[multiple network interfaces] to a pod. Using
-xref:../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[network policy] features, you can isolate your pods or permit selected traffic.
+xref:../networking/network_security/network_policy/about-network-policy.adoc#about-network-policy[network policy] features, you can isolate your pods or permit selected traffic.
 
 * **xref:../storage/understanding-persistent-storage.adoc#understanding-persistent-storage[Manage storage]**: {product-title} allows cluster administrators to configure persistent storage.
 
diff --git a/hardware_enablement/kmm-kernel-module-management.adoc b/hardware_enablement/kmm-kernel-module-management.adoc
index 78e8cb3eaef0..4caaed881243 100644
--- a/hardware_enablement/kmm-kernel-module-management.adoc
+++ b/hardware_enablement/kmm-kernel-module-management.adoc
@@ -51,10 +51,13 @@ include::modules/kmm-replacing-in-tree-modules-with-out-of-tree-modules.adoc[lev
 
 [role="_additional-resources"]
 .Additional resources
-
 * link:https://fastbitlab.com/building-a-linux-kernel-module/[Building a linux kernel module]
 
 include::modules/kmm-example-module-cr.adoc[leveloffset=+2]
+// Added for MGMT-16631
+[role="_additional-resources"]
+.Additional resources
+* xref:../security/certificates/updating-ca-bundle.adoc#ca-bundle-replacing_updating-ca-bundle[Replacing the CA Bundle certificate]
 
 // Added for TELCODOCS-1827
 include::modules/kmm-symbolic-links-for-in-tree-dependencies.adoc[leveloffset=+1]
@@ -64,7 +67,6 @@ include::modules/kmm-running-depmod.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 .Additional resources
-
 * xref:../hardware_enablement/psap-driver-toolkit.adoc#driver-toolkit[Driver Toolkit]
 
 include::modules/kmm-building-in-cluster.adoc[leveloffset=+2]
@@ -131,7 +133,7 @@ include::modules/kmm-customizing-upgrades-for-kernel-modules.adoc[leveloffset=+1
 include::modules/kmm-day1-kernel-module-loading.adoc[leveloffset=+1]
 [role="_additional-resources"]
 .Additional resources
-* link:https://docs.openshift.com/container-platform/4.13/post_installation_configuration/machine-configuration-tasks.html#machine-config-operator_post-install-machine-configuration-tasks[Machine Config Operator]
+* xref:../machine_configuration/index.adoc#machine-config-index[Machine Config Operator]
 
 include::modules/kmm-day1-supported-use-cases.adoc[leveloffset=+2]
 include::modules/kmm-day1-oot-kernel-module-loading-flow.adoc[leveloffset=+2]
@@ -157,7 +159,7 @@ include::modules/kmm-firmware-support.adoc[leveloffset=+1]
 include::modules/kmm-configuring-the-lookup-path-on-nodes.adoc[leveloffset=+2]
 [role="_additional-resources"]
 .Additional resources
-* xref:../post_installation_configuration/machine-configuration-tasks.adoc#understanding-the-machine-config-operator[Machine Config Operator]
+* xref:../machine_configuration/index.adoc#machine-config-operator_machine-config-overview[Machine Config Operator].
 
 include::modules/kmm-building-a-kmod-image.adoc[leveloffset=+2]
 include::modules/kmm-tuning-the-module-resource.adoc[leveloffset=+2]
diff --git a/hosted_control_planes/hcp-machine-config.adoc b/hosted_control_planes/hcp-machine-config.adoc
new file mode 100644
index 000000000000..de00c2fc213e
--- /dev/null
+++ b/hosted_control_planes/hcp-machine-config.adoc
@@ -0,0 +1,17 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="hcp-machine-config"]
+include::_attributes/common-attributes.adoc[]
+= Handling a machine configuration for {hcp}
+:context: hcp-machine-config
+
+toc::[]
+
+In a standalone {product-title} cluster, a machine config pool manages a set of nodes. You can handle a machine configuration by using the `MachineConfigPool` custom resource (CR).
+
+In {hcp}, the `MachineConfigPool` CR does not exist. A node pool contains a set of compute nodes. You can handle a machine configuration by using node pools.
+
+include::modules/configuring-node-pools-for-hcp.adoc[leveloffset=+1]
+
+include::modules/node-tuning-hosted-cluster.adoc[leveloffset=+1]
+
+include::modules/sriov-operator-hosted-control-planes.adoc[leveloffset=+1]
diff --git a/hosted_control_planes/hcp-observability.adoc b/hosted_control_planes/hcp-observability.adoc
index 2d51b05550f6..4feb1ea49725 100644
--- a/hosted_control_planes/hcp-observability.adoc
+++ b/hosted_control_planes/hcp-observability.adoc
@@ -8,6 +8,5 @@ toc::[]
 
 You can gather metrics for {hcp} by configuring metrics sets. The HyperShift Operator can create or delete monitoring dashboards in the management cluster for each hosted cluster that it manages.
 
-//using service-level DNS for control plane services
 include::modules/hosted-control-planes-metrics-sets.adoc[leveloffset=+1]
 include::modules/hosted-control-planes-monitoring-dashboard.adoc[leveloffset=+1]
diff --git a/hosted_control_planes/hcp-troubleshooting.adoc b/hosted_control_planes/hcp-troubleshooting.adoc
index 51d2b7d8260c..ba60c914e46e 100644
--- a/hosted_control_planes/hcp-troubleshooting.adoc
+++ b/hosted_control_planes/hcp-troubleshooting.adoc
@@ -9,10 +9,8 @@ toc::[]
 If you encounter issues with {hcp}, see the following information to guide you through troubleshooting.
 
 include::modules/hosted-control-planes-troubleshooting.adoc[leveloffset=+1]
-
-//restarting hosted control plane components
+include::modules/hosted-restart-hcp-components.adoc[leveloffset=+1]
 include::modules/hosted-control-planes-pause-reconciliation.adoc[leveloffset=+1]
-
 include::modules/scale-down-data-plane.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
diff --git a/images/334_OpenShift_cluster_updating_and_CCO_workflows_0523_4.11_B_AliCloud_patch.png b/images/334_OpenShift_cluster_updating_and_CCO_workflows_0523_4.11_B_AliCloud_patch.png
new file mode 100644
index 000000000000..284240f342d8
Binary files /dev/null and b/images/334_OpenShift_cluster_updating_and_CCO_workflows_0523_4.11_B_AliCloud_patch.png differ
diff --git a/images/4-cli-login.png b/images/4-cli-login.png
new file mode 100644
index 000000000000..425d9327b34a
Binary files /dev/null and b/images/4-cli-login.png differ
diff --git a/images/4-createnewproj.png b/images/4-createnewproj.png
new file mode 100644
index 000000000000..641f1f170338
Binary files /dev/null and b/images/4-createnewproj.png differ
diff --git a/images/4-ostoy-homepage.png b/images/4-ostoy-homepage.png
new file mode 100644
index 000000000000..ff2231ab2c4d
Binary files /dev/null and b/images/4-ostoy-homepage.png differ
diff --git a/images/684_OpenShift_Installing_on_OCI_0624-connected.png b/images/684_OpenShift_Installing_on_OCI_0624-connected.png
new file mode 100644
index 000000000000..ba1c78d96056
Binary files /dev/null and b/images/684_OpenShift_Installing_on_OCI_0624-connected.png differ
diff --git a/images/684_OpenShift_Installing_on_OCI_0624-disconnected.png b/images/684_OpenShift_Installing_on_OCI_0624-disconnected.png
new file mode 100644
index 000000000000..c0bcb2bf9cf8
Binary files /dev/null and b/images/684_OpenShift_Installing_on_OCI_0624-disconnected.png differ
diff --git a/images/693_OpenShift_QinQ_SR-IOV_CNI_0624.png b/images/693_OpenShift_QinQ_SR-IOV_CNI_0624.png
new file mode 100644
index 000000000000..7fd62b6f3887
Binary files /dev/null and b/images/693_OpenShift_QinQ_SR-IOV_CNI_0624.png differ
diff --git a/images/695_OpenShift MetalLB_FRRK8s integration_0624.png b/images/695_OpenShift MetalLB_FRRK8s integration_0624.png
new file mode 100644
index 000000000000..301f53b56d91
Binary files /dev/null and b/images/695_OpenShift MetalLB_FRRK8s integration_0624.png differ
diff --git a/images/695_OpenShift_MetalLB_FRRK8s_integration_0624.png b/images/695_OpenShift_MetalLB_FRRK8s_integration_0624.png
new file mode 100644
index 000000000000..301f53b56d91
Binary files /dev/null and b/images/695_OpenShift_MetalLB_FRRK8s_integration_0624.png differ
diff --git a/images/696_OpenShift_Lifecycle_Agent_0624_0.png b/images/696_OpenShift_Lifecycle_Agent_0624_0.png
new file mode 100644
index 000000000000..153ea58e597b
Binary files /dev/null and b/images/696_OpenShift_Lifecycle_Agent_0624_0.png differ
diff --git a/images/696_OpenShift_Lifecycle_Agent_0624_1.png b/images/696_OpenShift_Lifecycle_Agent_0624_1.png
new file mode 100644
index 000000000000..72fb94cc30ef
Binary files /dev/null and b/images/696_OpenShift_Lifecycle_Agent_0624_1.png differ
diff --git a/images/696_OpenShift_Lifecycle_Agent_0624_2.png b/images/696_OpenShift_Lifecycle_Agent_0624_2.png
new file mode 100644
index 000000000000..b6ae2e9b1c9d
Binary files /dev/null and b/images/696_OpenShift_Lifecycle_Agent_0624_2.png differ
diff --git a/images/696_OpenShift_Lifecycle_Agent_0624_3.png b/images/696_OpenShift_Lifecycle_Agent_0624_3.png
new file mode 100644
index 000000000000..52db05e6726e
Binary files /dev/null and b/images/696_OpenShift_Lifecycle_Agent_0624_3.png differ
diff --git a/images/696_OpenShift_Lifecycle_Agent_0624_4.png b/images/696_OpenShift_Lifecycle_Agent_0624_4.png
new file mode 100644
index 000000000000..fcadd8fae77c
Binary files /dev/null and b/images/696_OpenShift_Lifecycle_Agent_0624_4.png differ
diff --git a/images/696_OpenShift_Lifecycle_Agent_0624_5.png b/images/696_OpenShift_Lifecycle_Agent_0624_5.png
new file mode 100644
index 000000000000..98fa95d63bbc
Binary files /dev/null and b/images/696_OpenShift_Lifecycle_Agent_0624_5.png differ
diff --git a/images/715_OpenShift_Bare_Metal_Operator_updates_0624.png b/images/715_OpenShift_Bare_Metal_Operator_updates_0624.png
new file mode 100644
index 000000000000..3237213e76b0
Binary files /dev/null and b/images/715_OpenShift_Bare_Metal_Operator_updates_0624.png differ
diff --git a/images/cloud-experts-storage-ostoy-createfile.png b/images/cloud-experts-storage-ostoy-createfile.png
new file mode 100644
index 000000000000..c00ae0660608
Binary files /dev/null and b/images/cloud-experts-storage-ostoy-createfile.png differ
diff --git a/images/cloud-experts-storage-ostoy-existingfile.png b/images/cloud-experts-storage-ostoy-existingfile.png
new file mode 100644
index 000000000000..30fde8c02b37
Binary files /dev/null and b/images/cloud-experts-storage-ostoy-existingfile.png differ
diff --git a/images/cloud-experts-storage-ostoy-viewfile.png b/images/cloud-experts-storage-ostoy-viewfile.png
new file mode 100644
index 000000000000..f6820cfe0b8c
Binary files /dev/null and b/images/cloud-experts-storage-ostoy-viewfile.png differ
diff --git a/images/deploying-networking-arch.png b/images/deploying-networking-arch.png
new file mode 100644
index 000000000000..31bd0393efda
Binary files /dev/null and b/images/deploying-networking-arch.png differ
diff --git a/images/deploying-networking-dns.png b/images/deploying-networking-dns.png
new file mode 100644
index 000000000000..321062961dbd
Binary files /dev/null and b/images/deploying-networking-dns.png differ
diff --git a/images/deploying-networking-example.png b/images/deploying-networking-example.png
new file mode 100644
index 000000000000..e7168c7d2103
Binary files /dev/null and b/images/deploying-networking-example.png differ
diff --git a/images/hcp-rosa-machine-pools.png b/images/hcp-rosa-machine-pools.png
new file mode 100644
index 000000000000..4e239d1c009e
Binary files /dev/null and b/images/hcp-rosa-machine-pools.png differ
diff --git a/images/monitoring-architecture.png b/images/monitoring-architecture.png
index b3d15f0cbbeb..5f2be05da69e 100644
Binary files a/images/monitoring-architecture.png and b/images/monitoring-architecture.png differ
diff --git a/images/rbac.png b/images/rbac.png
index 04dea8840569..393a6ac9f79c 100644
Binary files a/images/rbac.png and b/images/rbac.png differ
diff --git a/installing/cluster-capabilities.adoc b/installing/cluster-capabilities.adoc
index 3fdd4f32dbfc..9d0792548b71 100644
--- a/installing/cluster-capabilities.adoc
+++ b/installing/cluster-capabilities.adoc
@@ -40,6 +40,9 @@ include::modules/cluster-bare-metal-operator.adoc[leveloffset=+2]
 // Build capability
 include::modules/build-config-capability.adoc[leveloffset=+2]
 
+// Cloud controller manager capability
+include::modules/cluster-cloud-controller-manager-operator.adoc[leveloffset=+2]
+
 // Cloud credential capability
 include::modules/cloud-credential-operator.adoc[leveloffset=+2]
 
@@ -67,6 +70,9 @@ include::modules/cluster-csi-snapshot-controller-operator.adoc[leveloffset=+2]
 // DeploymentConfig capability
 include::modules/deployment-config-capability.adoc[leveloffset=+2]
 
+// Insights capability
+include::modules/ingress-operator.adoc[leveloffset=+2]
+
 // Insights capability
 include::modules/insights-operator.adoc[leveloffset=+2]
 
diff --git a/installing/disconnected_install/about-installing-oc-mirror-v2.adoc b/installing/disconnected_install/about-installing-oc-mirror-v2.adoc
new file mode 100644
index 000000000000..5e94e36cab78
--- /dev/null
+++ b/installing/disconnected_install/about-installing-oc-mirror-v2.adoc
@@ -0,0 +1,117 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="about-installing-oc-mirror-v2"]
+= Mirroring images for a disconnected installation by using the oc-mirror plugin v2
+include::_attributes/common-attributes.adoc[]
+:context: about-installing-oc-mirror-v2
+
+toc::[]
+
+You can run your cluster in a restricted network without direct internet connectivity if you install the cluster from a mirrored set of {product-title} container images in a private registry. This registry must be running whenever your cluster is running.
+
+Just as you can use the `oc-mirror` OpenShift CLI (`oc`) plugin, you can also use oc-mirror plugin v2 to mirror images to a mirror registry in your fully or partially disconnected environments. To download the required images from the official Red Hat registries, you must run oc-mirror plugin v2 from a system with internet connectivity.
+
+:FeatureName: oc-mirror plugin v2
+include::snippets/technology-preview.adoc[]
+
+[id="prerequisites_oc-mirror-v2_{context}"]
+== Prerequisites
+
+* You must have a container image registry that supports link:https://docs.docker.com/registry/spec/manifest-v2-2[Docker V2-2] in the location that hosts the {product-title} cluster, such as {quay}.
++
+[NOTE]
+====
+If you use {quay}, use version 3.6 or later with the oc-mirror plugin. See the documentation on link:https://access.redhat.com/documentation/en-us/red_hat_quay/3/html/deploying_the_red_hat_quay_operator_on_openshift_container_platform/index[Deploying the Red Hat Quay Operator on OpenShift Container Platform (Red Hat Quay documentation)]. If you need additional assistance selecting and installing a registry, contact your sales representative or Red Hat Support.
+====
+
+[Optional]
+* If you do not have an existing solution for a container image registry, {product-title} subscribers receive a mirror registry for Red Hat OpenShift. This mirror registry is included with your subscription and serves as a small-scale container registry. You can use this registry to mirror the necessary container images of {product-title} for disconnected installations.
+
+* Every machine in the provisioned clusters must have access to the mirror registry. If the registry is unreachable, tasks like installation, updating, or routine operations such as workload relocation, might fail. Mirror registries must be operated in a highly available manner, ensuring their availability aligns with the production availability of your {product-title} clusters.
+
+.High level workflow
+
+The following steps outline the high-level workflow on how to mirror images to a mirror registry by using the oc-mirror plugin v2:
+
+. Create an image set configuration file.
+
+. Mirror the image set to the target mirror registry by using one of the following workflows:
+
+* Mirror an image set directly to the target mirror registry (mirror to mirror).
+
+** Mirror an image set to disk (Mirror-to-Disk), transfer the `tar` file to the target environment, then mirror the image set to the target mirror registry (Disk-to-Mirror).
+
+. Configure your cluster to use the resources generated by the oc-mirror plugin v2.
+
+. Repeat these steps to update your target mirror registry as necessary.
+
+
+// About oc-mirror plugin v2
+include::modules/oc-mirror-v2-about.adoc[leveloffset=+1]
+
+// oc-mirror compatibility and support
+include::modules/oc-mirror-v2-support.adoc[leveloffset=+2]
+
+//Preparing your mirror hosts
+include::modules/oc-mirror-preparing-mirror-hosts.adoc[leveloffset=+1]
+
+//Installing oc-mirror plugin v2
+include::modules/oc-mirror-installing-plugin.adoc[leveloffset=+2]
+
+//Configuring credentials that enable image mirroring
+include::modules/installation-adding-registry-pull-secret.adoc[leveloffset=+2]
+
+[id="using-oc-mirror_{context}"]
+== Mirroring an image set to a mirror registry
+
+Mirroring an image set to a mirror registry ensures that the required images are available in a secure and controlled environment, facilitating smoother deployments, updates, and maintenance tasks.
+
+//Building the image set configuration
+include::modules/oc-mirror-building-image-set-config-v2.adoc[leveloffset=+2]
+
+//oc-mirror-workflows: mirroring in partially disconnected environment
+include::modules/oc-mirror-workflows-partially-disconnected-v2.adoc[leveloffset=+2]
+
+//Mirroring an image set in a fully disconnected environment:
+include::modules/oc-mirror-workflows-fully-disconnected-v2.adoc[leveloffset=+2]
+include::modules/oc-mirror-mirror-to-disk-v2.adoc[leveloffset=+2]
+include::modules/oc-mirror-disk-to-mirror-v2.adoc[leveloffset=+2]
+
+[id="additional-resources"]
+== Additional resources
+
+* xref:../../updating/updating_a_cluster/updating_disconnected_cluster/disconnected-update-osus.html[Updating a cluster in a disconnected environment using the OpenShift Update Service].
+
+// About custom resources generated by v2
+include::modules/oc-mirror-IDMS-ITMS-about.adoc[leveloffset=+1]
+
+// Configuring your cluster to use the resources generated by oc-mirror
+include::modules/oc-mirror-updating-cluster-manifests-v2.adoc[leveloffset=+2]
+
+//Delete Feature
+// workflows of delete feature
+include::modules/oc-mirror-workflows-delete-v2.adoc[leveloffset=+1]
+
+// procedure for delete feature
+include::modules/oc-mirror-procedure-delete-v2.adoc[leveloffset=+2]
+
+// About dry-run
+include::modules/oc-mirror-v2-about-dry-run.adoc[leveloffset=+1]
+
+// Performing Dry-run for V2
+include::modules/oc-mirror-dry-run-v2.adoc[leveloffset=+2]
+
+//oc-mirror-enclave-support-about
+include::modules//oc-mirror-enclave-support-about.adoc[leveloffset=+1]
+
+// How to mirror to an Enclave
+include::modules/oc-mirror-enclave-support.adoc[leveloffset=+2]
+
+//operator catalog filtering
+include::modules/oc-mirror-operator-catalog-filtering.adoc[leveloffset=+1]
+
+//Image set configuration parameters
+include::modules/oc-mirror-imageset-config-parameters-v2.adoc[leveloffset=+1]
+
+// Command reference for oc-mirror v2
+include::modules/oc-mirror-command-reference-v2.adoc[leveloffset=+1]
+* xref:../../installing/disconnected_install/about-installing-oc-mirror-v2.adoc#oc-mirror-updating-cluster-manifests-v2_about-installing-oc-mirror-v2[Configuring your cluster to use the resources generated by oc-mirror]
diff --git a/installing/install_config/configuring-firewall.adoc b/installing/install_config/configuring-firewall.adoc
index 03c1931e717f..f3ce8f1205f7 100644
--- a/installing/install_config/configuring-firewall.adoc
+++ b/installing/install_config/configuring-firewall.adoc
@@ -14,4 +14,6 @@ include::modules/configuring-firewall.adoc[leveloffset=+1]
 [role="_additional-resources"]
 .Additional resources
 
-* xref:../../authentication/managing_cloud_provider_credentials/cco-short-term-creds.adoc#cco-short-term-creds-auth-flow-aws-oidc_cco-short-term-creds[OpenID Connect requirements for AWS STS]
\ No newline at end of file
+* xref:../../authentication/managing_cloud_provider_credentials/cco-short-term-creds.adoc#cco-short-term-creds-auth-flow-aws-oidc_cco-short-term-creds[OpenID Connect requirements for AWS STS]
+
+include::modules/network-flow-matrix.adoc[leveloffset=+1]
diff --git a/installing/install_config/enabling-cgroup-v1.adoc b/installing/install_config/enabling-cgroup-v1.adoc
index f9df5f7c689a..9824f23511ed 100644
--- a/installing/install_config/enabling-cgroup-v1.adoc
+++ b/installing/install_config/enabling-cgroup-v1.adoc
@@ -7,7 +7,7 @@ include::_attributes/common-attributes.adoc[]
 toc::[]
 
 
-As of {product-title} 4.14, {product-title} uses link:https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html[Linux control group version 2] (cgroup v2) in your cluster. If you are using cgroup v1 on {product-title} 4.13 or earlier, migrating to {product-title} 4.15 will not automatically update your cgroup configuration to version 2. A fresh installation of {product-title} 4.14 or later will use cgroup v2 by default. However, you can enable link:https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v1/index.html[Linux control group version 1] (cgroup v1) upon installation. Enabling cgroup v1 in {product-title} disables all cgroup v2 controllers and hierarchies in your cluster.
+As of {product-title} 4.14, {product-title} uses link:https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html[Linux control group version 2] (cgroup v2) in your cluster. If you are using cgroup v1 on {product-title} 4.13 or earlier, migrating to {product-title} {product-version} will not automatically update your cgroup configuration to version 2. A fresh installation of {product-title} 4.14 or later will use cgroup v2 by default. However, you can enable link:https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v1/index.html[Linux control group version 1] (cgroup v1) upon installation. Enabling cgroup v1 in {product-title} disables all cgroup v2 controllers and hierarchies in your cluster.
 
 :FeatureName: cgroup v1
 include::snippets/deprecated-feature.adoc[]
diff --git a/installing/install_config/installing-customizing.adoc b/installing/install_config/installing-customizing.adoc
index 45d5d8cf1ba2..1b380a79b52a 100644
--- a/installing/install_config/installing-customizing.adoc
+++ b/installing/install_config/installing-customizing.adoc
@@ -45,6 +45,7 @@ endif::openshift-webscale[]
 include::modules/installation-special-config-kmod.adoc[leveloffset=+1]
 include::modules/installation-special-config-storage.adoc[leveloffset=+1]
 include::modules/installation-special-config-raid.adoc[leveloffset=+1]
+include::modules/installation-special-config-raid-intel-vroc.adoc[leveloffset=+1]
 include::modules/installation-special-config-chrony.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
diff --git a/installing/installing-fips.adoc b/installing/installing-fips.adoc
index c5ced1c8b3a8..a1536a99fd61 100644
--- a/installing/installing-fips.adoc
+++ b/installing/installing-fips.adoc
@@ -14,19 +14,28 @@ For more information about the NIST validation program, see link:https://csrc.ni
 
 [IMPORTANT]
 ====
-To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base} 8 computer that is configured to operate in FIPS mode. Running {op-system-base} 9 with FIPS mode enabled to install an {product-title} cluster is not possible.
+To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base} 9 computer that is configured to operate in FIPS mode, and you must use a FIPS-capable version of the installation program. See the section titled _Obtaining a FIPS-capable installation program using `oc adm extract`_.
 
-For more information about configuring FIPS mode on {op-system-base}, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/assembly_installing-a-rhel-8-system-with-fips-mode-enabled_security-hardening[Installing the system in FIPS mode].
+For more information about configuring FIPS mode on {op-system-base}, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode].
 ====
 
 For the {op-system-first} machines in your cluster, this change is applied when the machines are deployed based on the status of an option in the `install-config.yaml` file, which governs the cluster options that a user can change during cluster deployment. With {op-system-base-full} machines, you must enable FIPS mode when you install the operating system on the machines that you plan to use as worker machines.
 
 Because FIPS must be enabled before the operating system that your cluster uses boots for the first time, you cannot enable FIPS after you deploy a cluster.
 
+include::modules/installation-obtaining-fips-installer-oc.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../installing/installing_bare_metal_ipi/ipi-install-installation-workflow.adoc#retrieving-the-openshift-installer_ipi-install-installation-workflow[Extracting the OpenShift Container Platform installation program]
+
+include::modules/installation-obtaining-fips-installer-mirror.adoc[leveloffset=+1]
+
 [id="installation-about-fips-validation_{context}"]
 == FIPS validation in {product-title}
 
-{product-title} uses certain FIPS validated or Modules In Process modules within {op-system-base} and {op-system} for the operating system components that it uses. See link:https://access.redhat.com/articles/3655361[RHEL8 core crypto components]. For example, when users use SSH to connect to {product-title} clusters and containers, those connections are properly encrypted.
+{product-title} uses certain FIPS validated or Modules In Process modules within {op-system-base} and {op-system} for the operating system components that it uses. See link:https://access.redhat.com/articles/3655361[RHEL core crypto components]. For example, when users use SSH to connect to {product-title} clusters and containers, those connections are properly encrypted.
 
 {product-title} components are written in Go and built with Red Hat's golang compiler. When you enable FIPS mode for your cluster, all {product-title} components that require cryptographic signing call {op-system-base} and {op-system} cryptographic libraries.
 
@@ -37,14 +46,12 @@ Because FIPS must be enabled before the operating system that your cluster uses
 |Attributes
 |Limitations
 
-|FIPS support in {op-system-base} 8 and {op-system} operating systems.
-.3+|The FIPS implementation does not offer a single function that both computes hash functions and validates the keys that are based on that hash. This limitation will continue to be evaluated and improved in future {product-title} releases.
+|FIPS support in {op-system-base} 9 and {op-system} operating systems.
+.4+|The FIPS implementation does not use a function that performs hash computation and signature generation or validation in a single step. This limitation will continue to be evaluated and improved in future {product-title} releases.
 
 |FIPS support in CRI-O runtimes.
 |FIPS support in {product-title} services.
-
-|FIPS validated or Modules In Process cryptographic module and algorithms that are obtained from {op-system-base} 8 and {op-system} binaries and images.
-|
+|FIPS validated or Modules In Process cryptographic module and algorithms that are obtained from {op-system-base} 9 and {op-system} binaries and images.
 
 |Use of FIPS compatible golang compiler.
 |TLS FIPS support is not complete but is planned for future {product-title} releases.
@@ -87,7 +94,6 @@ To enable FIPS mode for your cluster, you must run the installation program from
 ====
 
 * xref:../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-customizations[Amazon Web Services]
-* xref:../installing/installing_alibaba/installing-alibaba-customizations.adoc#installing-alibaba-customizations[Alibaba Cloud]
 * xref:../installing/installing_azure/installing-azure-customizations.adoc#installing-azure-customizations[Microsoft Azure]
 * xref:../installing/installing_bare_metal/installing-bare-metal.adoc#installing-bare-metal[Bare metal]
 * xref:../installing/installing_gcp/installing-gcp-customizations.adoc#installing-gcp-customizations[Google Cloud Platform]
@@ -105,4 +111,4 @@ If you are using Azure File storage, you cannot enable FIPS mode.
 
 To apply `AES CBC` encryption to your etcd data store, follow the xref:../security/encrypting-etcd.adoc#encrypting-etcd[Encrypting etcd data] process after you install your cluster.
 
-If you add {op-system-base} nodes to your cluster, ensure that you enable FIPS mode on the machines before their initial boot. See xref:../machine_management/adding-rhel-compute.adoc#adding-rhel-compute[Adding RHEL compute machines to an {product-title} cluster] and link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#enabling-fips-mode-in-a-container_using-the-system-wide-cryptographic-policies[Enabling FIPS Mode] in the {op-system-base} 8 documentation.
+If you add {op-system-base} nodes to your cluster, ensure that you enable FIPS mode on the machines before their initial boot. See xref:../machine_management/adding-rhel-compute.adoc#adding-rhel-compute[Adding RHEL compute machines to an {product-title} cluster] and link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode].
diff --git a/installing/installing-preparing.adoc b/installing/installing-preparing.adoc
index 877c7672782f..43b80aca9def 100644
--- a/installing/installing-preparing.adoc
+++ b/installing/installing-preparing.adoc
@@ -17,7 +17,6 @@ Before you install an {product-title} cluster, you need to select the best insta
 
 If you want to install and manage {product-title} yourself, you can install it on the following platforms:
 
-* Alibaba Cloud
 * Amazon Web Services (AWS) on 64-bit x86 instances
 ifndef::openshift-origin[]
 * Amazon Web Services (AWS) on 64-bit ARM instances
@@ -54,9 +53,9 @@ Because you need to provision machines as part of the {product-title} cluster in
 
 Because the operating system is integral to {product-title}, it is easier to let the installation program for {product-title} stand up all of the infrastructure. These are called _installer provisioned infrastructure_ installations. In this type of installation, you can provide some existing infrastructure to the cluster, but the installation program deploys all of the machines that your cluster initially needs.
 
-You can deploy an installer-provisioned infrastructure cluster without specifying any customizations to the cluster or its underlying machines to xref:../installing/installing_alibaba/installing-alibaba-default.adoc#installing-alibaba-default[Alibaba Cloud], xref:../installing/installing_aws/ipi/installing-aws-default.adoc#installing-aws-default[AWS], xref:../installing/installing_azure/installing-azure-default.adoc#installing-azure-default[Azure], xref:../installing/installing_azure_stack_hub/installing-azure-stack-hub-default.adoc#installing-azure-stack-hub-default[Azure Stack Hub], xref:../installing/installing_gcp/installing-gcp-default.adoc#installing-gcp-default[GCP], xref:../installing/installing_nutanix/installing-nutanix-installer-provisioned.adoc#installing-nutanix-installer-provisioned[Nutanix].
+You can deploy an installer-provisioned infrastructure cluster without specifying any customizations to the cluster or its underlying machines to xref:../installing/installing_aws/ipi/installing-aws-default.adoc#installing-aws-default[AWS], xref:../installing/installing_azure/installing-azure-default.adoc#installing-azure-default[Azure], xref:../installing/installing_azure_stack_hub/installing-azure-stack-hub-default.adoc#installing-azure-stack-hub-default[Azure Stack Hub], xref:../installing/installing_gcp/installing-gcp-default.adoc#installing-gcp-default[GCP], xref:../installing/installing_nutanix/installing-nutanix-installer-provisioned.adoc#installing-nutanix-installer-provisioned[Nutanix].
 
-If you need to perform basic configuration for your installer-provisioned infrastructure cluster, such as the instance type for the cluster machines, you can customize an installation for xref:../installing/installing_alibaba/installing-alibaba-customizations.adoc#installing-alibaba-customizations[Alibaba Cloud], xref:../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-customizations[AWS], xref:../installing/installing_azure/installing-azure-customizations.adoc#installing-azure-customizations[Azure], xref:../installing/installing_gcp/installing-gcp-customizations.adoc#installing-gcp-customizations[GCP], xref:../installing/installing_nutanix/installing-nutanix-installer-provisioned.adoc#installing-nutanix-installer-provisioned[Nutanix].
+If you need to perform basic configuration for your installer-provisioned infrastructure cluster, such as the instance type for the cluster machines, you can customize an installation for xref:../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-customizations[AWS], xref:../installing/installing_azure/installing-azure-customizations.adoc#installing-azure-customizations[Azure], xref:../installing/installing_gcp/installing-gcp-customizations.adoc#installing-gcp-customizations[GCP], xref:../installing/installing_nutanix/installing-nutanix-installer-provisioned.adoc#installing-nutanix-installer-provisioned[Nutanix].
 
 For installer-provisioned infrastructure installations, you can use an existing xref:../installing/installing_aws/ipi/installing-aws-vpc.adoc#installing-aws-vpc[VPC in AWS], xref:../installing/installing_azure/installing-azure-vnet.adoc#installing-azure-vnet[vNet in Azure], or xref:../installing/installing_gcp/installing-gcp-vpc.adoc#installing-gcp-vpc[VPC in GCP]. You can also reuse part of your networking infrastructure so that your cluster in xref:../installing/installing_aws/ipi/installing-aws-network-customizations.adoc#installing-aws-network-customizations[AWS], xref:../installing/installing_azure/installing-azure-network-customizations.adoc#installing-azure-network-customizations[Azure], xref:../installing/installing_gcp/installing-gcp-network-customizations.adoc#installing-gcp-network-customizations[GCP] can coexist with existing IP address allocations in your environment and integrate with existing MTU and VXLAN configurations. If you have existing accounts and credentials on these clouds, you can re-use them, but you might need to modify the accounts to have the required permissions to install {product-title} clusters on them.
 
@@ -131,10 +130,9 @@ Not all installation options are supported for all platforms, as shown in the fo
 //This table is for all flavors of OpenShift, except OKD. A separate table is required because OKD does not support multiple AWS architecture types. Trying to maintain one table using conditions, while convenient, is very fragile and prone to publishing errors.
 ifndef::openshift-origin[]
 |===
-||Alibaba |AWS (64-bit x86) |AWS (64-bit ARM) |Azure (64-bit x86) |Azure (64-bit ARM)|Azure Stack Hub |GCP (64-bit x86) |GCP (64-bit ARM) |Nutanix |{rh-openstack} |Bare metal (64-bit x86) |Bare metal (64-bit ARM) |vSphere |{ibm-cloud-name} |{ibm-z-name} |{ibm-power-name} |{ibm-power-server-name}
+||AWS (64-bit x86) |AWS (64-bit ARM) |Azure (64-bit x86) |Azure (64-bit ARM)|Azure Stack Hub |GCP (64-bit x86) |GCP (64-bit ARM) |Nutanix |{rh-openstack} |Bare metal (64-bit x86) |Bare metal (64-bit ARM) |vSphere |{ibm-cloud-name} |{ibm-z-name} |{ibm-power-name} |{ibm-power-server-name}
 
 |Default
-|xref:../installing/installing_alibaba/installing-alibaba-default.adoc#installing-alibaba-default[&#10003;]
 |xref:../installing/installing_aws/ipi/installing-aws-default.adoc#installing-aws-default[&#10003;]
 |xref:../installing/installing_aws/ipi/installing-aws-default.adoc#installing-aws-default[&#10003;]
 |xref:../installing/installing_azure/installing-azure-default.adoc#installing-azure-default[&#10003;]
@@ -153,7 +151,6 @@ ifndef::openshift-origin[]
 |
 
 |Custom
-|xref:../installing/installing_alibaba/installing-alibaba-customizations.adoc#installing-alibaba-customizations[&#10003;]
 |xref:../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-customizations[&#10003;]
 |xref:../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-customizations[&#10003;]
 |xref:../installing/installing_azure/installing-azure-customizations.adoc#installing-azure-customizations[&#10003;]
@@ -173,7 +170,6 @@ ifndef::openshift-origin[]
 
 
 |Network customization
-|xref:../installing/installing_alibaba/installing-alibaba-network-customizations.adoc#installing-alibaba-network-customizations[&#10003;]
 |xref:../installing/installing_aws/ipi/installing-aws-network-customizations.adoc#installing-aws-network-customizations[&#10003;]
 |xref:../installing/installing_aws/ipi/installing-aws-network-customizations.adoc#installing-aws-network-customizations[&#10003;]
 |xref:../installing/installing_azure/installing-azure-network-customizations.adoc#installing-azure-network-customizations[&#10003;]
@@ -192,7 +188,6 @@ ifndef::openshift-origin[]
 |
 
 |Restricted network
-|
 |xref:../installing/installing_aws/ipi/installing-restricted-networks-aws-installer-provisioned.adoc#installing-restricted-networks-aws-installer-provisioned[&#10003;]
 |xref:../installing/installing_aws/ipi/installing-restricted-networks-aws-installer-provisioned.adoc#installing-restricted-networks-aws-installer-provisioned[&#10003;]
 |xref:../installing/installing_azure/installing-restricted-networks-azure-installer-provisioned.adoc#installing-restricted-networks-azure-installer-provisioned[&#10003;]
@@ -211,7 +206,6 @@ ifndef::openshift-origin[]
 |xref:../installing/installing_ibm_powervs/installing-restricted-networks-ibm-power-vs.adoc#installing-restricted-networks-ibm-power-vs[&#10003;]
 
 |Private clusters
-|
 |xref:../installing/installing_aws/ipi/installing-aws-private.adoc#installing-aws-private[&#10003;]
 |xref:../installing/installing_aws/ipi/installing-aws-private.adoc#installing-aws-private[&#10003;]
 |xref:../installing/installing_azure/installing-azure-private.adoc#installing-azure-private[&#10003;]
@@ -230,7 +224,6 @@ ifndef::openshift-origin[]
 |xref:../installing/installing_ibm_powervs/installing-ibm-power-vs-private-cluster.adoc#installing-ibm-power-vs-private-cluster[&#10003;]
 
 |Existing virtual private networks
-|
 |xref:../installing/installing_aws/ipi/installing-aws-vpc.adoc#installing-aws-vpc[&#10003;]
 |xref:../installing/installing_aws/ipi/installing-aws-vpc.adoc#installing-aws-vpc[&#10003;]
 |xref:../installing/installing_azure/installing-azure-vnet.adoc#installing-azure-vnet[&#10003;]
@@ -249,7 +242,6 @@ ifndef::openshift-origin[]
 |xref:../installing/installing_ibm_powervs/installing-ibm-powervs-vpc.adoc#installing-ibm-powervs-vpc[&#10003;]
 
 |Government regions
-|
 |xref:../installing/installing_aws/ipi/installing-aws-government-region.adoc#installing-aws-government-region[&#10003;]
 |
 |xref:../installing/installing_azure/installing-azure-government-region.adoc#installing-azure-government-region[&#10003;]
@@ -268,7 +260,6 @@ ifndef::openshift-origin[]
 |
 
 |Secret regions
-|
 |xref:../installing/installing_aws/ipi/installing-aws-secret-region.adoc#installing-aws-secret-region[&#10003;]
 |
 |
@@ -287,7 +278,6 @@ ifndef::openshift-origin[]
 |
 
 |China regions
-|
 |xref:../installing/installing_aws/ipi/installing-aws-china.adoc#installing-aws-china-region[&#10003;]
 |
 |
@@ -310,11 +300,10 @@ endif::openshift-origin[]
 //This table is for OKD only. A separate table is required because OKD does not support multiple AWS architecture types. Trying to maintain one table using conditions, while convenient, is very fragile and prone to publishing errors.
 ifdef::openshift-origin[]
 |===
-||Alibaba |AWS |Azure |Azure Stack Hub |GCP |Nutanix |{rh-openstack} |Bare metal |vSphere |{ibm-cloud-name} |{ibm-z-name} |{ibm-power-name}
+||AWS |Azure |Azure Stack Hub |GCP |Nutanix |{rh-openstack} |Bare metal |vSphere |{ibm-cloud-name} |{ibm-z-name} |{ibm-power-name}
 
 
 |Default
-|xref:../installing/installing_alibaba/installing-alibaba-default.adoc#installing-alibaba-default[&#10003;]
 |xref:../installing/installing_aws/ipi/installing-aws-default.adoc#installing-aws-default[&#10003;]
 |xref:../installing/installing_azure/installing-azure-default.adoc#installing-azure-default[&#10003;]
 |xref:../installing/installing_azure/installing-azure-default.adoc#installing-azure-default[&#10003;]
@@ -328,7 +317,6 @@ ifdef::openshift-origin[]
 |
 
 |Custom
-|xref:../installing/installing_alibaba/installing-alibaba-customizations.adoc#installing-alibaba-customizations[&#10003;]
 |xref:../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-customizations[&#10003;]
 |xref:../installing/installing_azure/installing-azure-customizations.adoc#installing-azure-customizations[&#10003;]
 |xref:../installing/installing_azure/installing-azure-default.adoc#installing-azure-default[&#10003;]
@@ -342,7 +330,6 @@ ifdef::openshift-origin[]
 |
 
 |Network customization
-|xref:../installing/installing_alibaba/installing-alibaba-network-customizations.adoc#installing-alibaba-network-customizations[&#10003;]
 |xref:../installing/installing_aws/ipi/installing-aws-network-customizations.adoc#installing-aws-network-customizations[&#10003;]
 |xref:../installing/installing_azure/installing-azure-network-customizations.adoc#installing-azure-network-customizations[&#10003;]
 |xref:../installing/installing_azure_stack_hub/installing-azure-stack-hub-network-customizations.adoc#installing-azure-stack-hub-network-customizations[&#10003;]
@@ -356,7 +343,6 @@ ifdef::openshift-origin[]
 |
 
 |Restricted network
-|
 |xref:../installing/installing_aws/ipi/installing-restricted-networks-aws-installer-provisioned.adoc#installing-restricted-networks-aws-installer-provisioned[&#10003;]
 |
 |
@@ -370,7 +356,6 @@ ifdef::openshift-origin[]
 |
 
 |Private clusters
-|
 |xref:../installing/installing_aws/ipi/installing-aws-private.adoc#installing-aws-private[&#10003;]
 |xref:../installing/installing_azure/installing-azure-private.adoc#installing-azure-private[&#10003;]
 |
@@ -384,7 +369,6 @@ ifdef::openshift-origin[]
 |
 
 |Existing virtual private networks
-|
 |xref:../installing/installing_aws/ipi/installing-aws-vpc.adoc#installing-aws-vpc[&#10003;]
 |xref:../installing/installing_azure/installing-azure-vnet.adoc#installing-azure-vnet[&#10003;]
 |
@@ -398,7 +382,6 @@ ifdef::openshift-origin[]
 |
 
 |Government regions
-|
 |xref:../installing/installing_aws/ipi/installing-aws-government-region.adoc#installing-aws-government-region[&#10003;]
 |xref:../installing/installing_azure/installing-azure-government-region.adoc#installing-azure-government-region[&#10003;]
 |
@@ -412,7 +395,6 @@ ifdef::openshift-origin[]
 |
 
 |Secret regions
-|
 |xref:../installing/installing_aws/ipi/installing-aws-secret-region.adoc#installing-aws-secret-region[&#10003;]
 |
 |
@@ -426,7 +408,6 @@ ifdef::openshift-origin[]
 |
 
 |China regions
-|
 |xref:../installing/installing_aws/ipi/installing-aws-china.adoc#installing-aws-china-region[&#10003;]
 |
 |
@@ -445,11 +426,10 @@ endif::openshift-origin[]
 //This table is for all flavors of OpenShift, except OKD. A separate table is required because OKD does not support multiple AWS architecture types. Trying to maintain one table using conditions, while convenient, is very fragile and prone to publishing errors.
 ifndef::openshift-origin[]
 |===
-||Alibaba |AWS (64-bit x86) |AWS (64-bit ARM) |Azure (64-bit x86) |Azure (64-bit ARM) |Azure Stack Hub |GCP (64-bit x86) |GCP (64-bit ARM) |Nutanix |{rh-openstack} |Bare metal (64-bit x86) |Bare metal (64-bit ARM) |vSphere |{ibm-cloud-name} |{ibm-z-name} |{ibm-z-name} with {op-system-base} KVM |{ibm-power-name} |Platform agnostic
+||AWS (64-bit x86) |AWS (64-bit ARM) |Azure (64-bit x86) |Azure (64-bit ARM) |Azure Stack Hub |GCP (64-bit x86) |GCP (64-bit ARM) |Nutanix |{rh-openstack} |Bare metal (64-bit x86) |Bare metal (64-bit ARM) |vSphere |{ibm-cloud-name} |{ibm-z-name} |{ibm-z-name} with {op-system-base} KVM |{ibm-power-name} |Platform agnostic
 
 
 |Custom
-|
 |xref:../installing/installing_aws/upi/installing-aws-user-infra.adoc#installing-aws-user-infra[&#10003;]
 |xref:../installing/installing_aws/upi/installing-aws-user-infra.adoc#installing-aws-user-infra[&#10003;]
 |xref:../installing/installing_azure/installing-azure-user-infra.adoc#installing-azure-user-infra[&#10003;]
@@ -479,7 +459,6 @@ ifndef::openshift-origin[]
 |
 |
 |
-|
 |xref:../installing/installing_bare_metal/installing-bare-metal-network-customizations.adoc#installing-bare-metal-network-customizations[&#10003;]
 |xref:../installing/installing_bare_metal/installing-bare-metal-network-customizations.adoc#installing-bare-metal-network-customizations[&#10003;]
 |xref:../installing/installing_vsphere/upi/installing-vsphere-network-customizations.adoc#installing-vsphere-network-customizations[&#10003;]
@@ -490,7 +469,6 @@ ifndef::openshift-origin[]
 |
 
 |Restricted network
-|
 |xref:../installing/installing_aws/upi/installing-restricted-networks-aws.adoc#installing-restricted-networks-aws[&#10003;]
 |xref:../installing/installing_aws/upi/installing-restricted-networks-aws.adoc#installing-restricted-networks-aws[&#10003;]
 |
@@ -515,7 +493,6 @@ ifndef::openshift-origin[]
 |
 |
 |
-|
 |xref:../installing/installing_gcp/installing-gcp-user-infra-vpc.adoc#installing-gcp-user-infra-vpc[&#10003;]
 |xref:../installing/installing_gcp/installing-gcp-user-infra-vpc.adoc#installing-gcp-user-infra-vpc[&#10003;]
 |
@@ -535,11 +512,10 @@ endif::openshift-origin[]
 //This table is for OKD only. A separate table is required because OKD does not support multiple AWS architecture types. Trying to maintain one table using conditions, while convenient, is very fragile and prone to publishing errors.
 ifdef::openshift-origin[]
 |===
-||Alibaba |AWS |Azure |Azure Stack Hub |GCP |Nutanix |{rh-openstack}|Bare metal |vSphere |{ibm-cloud-name} |{ibm-z-name} |{ibm-z-name} with {op-system-base} KVM |{ibm-power-name} |Platform agnostic
+||AWS |Azure |Azure Stack Hub |GCP |Nutanix |{rh-openstack}|Bare metal |vSphere |{ibm-cloud-name} |{ibm-z-name} |{ibm-z-name} with {op-system-base} KVM |{ibm-power-name} |Platform agnostic
 
 
 |Custom
-|
 |xref:../installing/installing_aws/upi/installing-aws-user-infra.adoc#installing-aws-user-infra[&#10003;]
 |xref:../installing/installing_azure/installing-azure-user-infra.adoc#installing-azure-user-infra[&#10003;]
 |xref:../installing/installing_azure_stack_hub/installing-azure-stack-hub-user-infra.adoc#installing-azure-stack-hub-user-infra[&#10003;]
@@ -562,7 +538,6 @@ ifdef::openshift-origin[]
 |
 |
 |
-|
 |xref:../installing/installing_bare_metal/installing-bare-metal-network-customizations.adoc#installing-bare-metal-network-customizations[&#10003;]
 |xref:../installing/installing_vsphere/upi/installing-vsphere-network-customizations.adoc#installing-vsphere-network-customizations[&#10003;]
 |
@@ -572,7 +547,6 @@ ifdef::openshift-origin[]
 |
 
 |Restricted network
-|
 |xref:../installing/installing_aws/upi/installing-restricted-networks-aws.adoc#installing-restricted-networks-aws[&#10003;]
 |
 |
@@ -591,7 +565,6 @@ ifdef::openshift-origin[]
 |
 |
 |
-|
 |xref:../installing/installing_gcp/installing-gcp-user-infra-vpc.adoc#installing-gcp-user-infra-vpc[&#10003;]
 |
 |
diff --git a/installing/installing_alibaba/installation-config-parameters-alibaba.adoc b/installing/installing_alibaba/installation-config-parameters-alibaba.adoc
deleted file mode 100644
index 98d3191343fc..000000000000
--- a/installing/installing_alibaba/installation-config-parameters-alibaba.adoc
+++ /dev/null
@@ -1,12 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-[id="installation-config-parameters-alibaba"]
-= Installation configuration parameters for Alibaba Cloud
-include::_attributes/common-attributes.adoc[]
-:context: installation-config-parameters-alibaba
-:platform: Alibaba Cloud
-
-toc::[]
-
-Before you deploy an {product-title} cluster on Alibaba Cloud, you provide parameters to customize your cluster and the platform that hosts it. When you create the `install-config.yaml` file, you provide values for the required parameters through the command line. You can then modify the `install-config.yaml` file to customize your cluster further.
-
-include::modules/installation-configuration-parameters.adoc[leveloffset=+1]
diff --git a/installing/installing_alibaba/installing-alibaba-assisted-installer.adoc b/installing/installing_alibaba/installing-alibaba-assisted-installer.adoc
new file mode 100644
index 000000000000..2fb3ecaa65a0
--- /dev/null
+++ b/installing/installing_alibaba/installing-alibaba-assisted-installer.adoc
@@ -0,0 +1,20 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="installing-alibaba-assisted-installer"]
+= Installing a cluster on Alibaba Cloud by using the Assisted Installer
+include::_attributes/common-attributes.adoc[]
+:context: installing-alibaba-assisted-installer
+
+toc::[]
+
+From {product-title} 4.16 and later, you can use the {ai-full} to install an {product-title} cluster on {alibaba}. {alibaba} provides a broad range of cloud computing and data storage services to online businesses and global enterprises.
+
+:FeatureName: Installing {alibaba} with {ai-full}
+include::snippets/technology-preview.adoc[]
+
+include::modules/alibaba-ai-installing.adoc[leveloffset=+1]
+
+.Additional resources
+
+* link:https://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/installing_openshift_container_platform_with_the_assisted_installer/index[Installing {product-title} with the {ai-full}]
+
+include::modules/alibaba-ai-converting-image-to-qcow2.adoc[leveloffset=+1]
diff --git a/installing/installing_alibaba/installing-alibaba-customizations.adoc b/installing/installing_alibaba/installing-alibaba-customizations.adoc
deleted file mode 100644
index 2fa910eb7a9c..000000000000
--- a/installing/installing_alibaba/installing-alibaba-customizations.adoc
+++ /dev/null
@@ -1,72 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-[id="installing-alibaba-customizations"]
-= Installing a cluster on Alibaba Cloud with customizations
-include::_attributes/common-attributes.adoc[]
-:context: installing-alibaba-customizations
-
-toc::[]
-
-In {product-title} version {product-version}, you can install a customized cluster on infrastructure that the installation program provisions on Alibaba Cloud. To customize the installation, you modify parameters in the `install-config.yaml` file before you install the cluster.
-
-[NOTE]
-====
-The scope of the {product-title} installation configurations is intentionally narrow. It is designed for simplicity and ensured success. You can complete many more {product-title} configuration tasks after an installation completes.
-====
-
-:FeatureName: Alibaba Cloud on {product-title}
-include::snippets/technology-preview.adoc[]
-
-[id="prerequisites_installing-alibaba-customizations"]
-== Prerequisites
-
-* You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
-* You read the documentation on xref:../../installing/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users].
-* You xref:../../installing/installing_alibaba/preparing-to-install-on-alibaba.adoc#installation-alibaba-dns_preparing-to-install-on-alibaba[registered your domain].
-* If you use a firewall, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to.
-* If the cloud Resource Access Management (RAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_alibaba/manually-creating-alibaba-ram.adoc#manually-creating-alibaba-ram[manually create and maintain Resource Access Management (RAM) credentials].
-
-include::modules/cluster-entitlements.adoc[leveloffset=+1]
-
-include::modules/ssh-agent-using.adoc[leveloffset=+1]
-
-include::modules/installation-obtaining-installer.adoc[leveloffset=+1]
-
-include::modules/installation-initializing.adoc[leveloffset=+2]
-
-[role="_additional-resources"]
-.Additional resources
-* xref:../../installing/installing_alibaba/installation-config-parameters-alibaba.adoc#installation-config-parameters-alibaba[Installation configuration parameters for Alibaba Cloud]
-
-include::modules/manually-creating-alibaba-manifests.adoc[leveloffset=+2]
-
-include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+2]
-
-include::modules/installation-alibaba-config-yaml.adoc[leveloffset=+2]
-
-include::modules/installation-configure-proxy.adoc[leveloffset=+2]
-
-include::modules/installation-launching-installer.adoc[leveloffset=+1]
-
-include::modules/cli-installing-cli.adoc[leveloffset=+1]
-
-include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]
-
-include::modules/logging-in-by-using-the-web-console.adoc[leveloffset=+1]
-
-include::modules/cluster-telemetry.adoc[leveloffset=+1]
-
-[role="_additional-resources"]
-.Additional resources
-
-* See xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service.
-* See xref:../../web_console/web-console.adoc#web-console[Accessing the web console] for more details about accessing and understanding the {product-title} web console
-* See xref:../../web_console/web-console.adoc#web-console[Accessing the web console] for more details about accessing and understanding the {product-title} web console.
-
-[id="next-steps_installing-alibaba-customizations"]
-== Next steps
-
-* xref:../../installing/validating-an-installation.adoc#validating-an-installation[Validating an installation].
-* xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
-* If necessary, you can xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
-//Given that manual mode is required to install on Alibaba Cloud, I do not believe this xref is necessary.
-//* If necessary, you can xref:../../post_installation_configuration/cluster-tasks.adoc#manually-removing-cloud-creds_post-install-cluster-tasks[remove cloud provider credentials].
diff --git a/installing/installing_alibaba/installing-alibaba-default.adoc b/installing/installing_alibaba/installing-alibaba-default.adoc
deleted file mode 100644
index 37cd45b2c858..000000000000
--- a/installing/installing_alibaba/installing-alibaba-default.adoc
+++ /dev/null
@@ -1,60 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-[id="installing-alibaba-default"]
-= Installing a cluster quickly on Alibaba Cloud
-include::_attributes/common-attributes.adoc[]
-:context: installing-alibaba-default
-
-toc::[]
-
-In {product-title} version {product-version}, you can install a cluster on
-Alibaba Cloud that uses the default configuration options.
-
-:FeatureName: Alibaba Cloud on {product-title}
-include::snippets/technology-preview.adoc[]
-
-[id="prerequisites_installing-alibaba-default"]
-== Prerequisites
-
-* You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
-* You read the documentation on xref:../../installing/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users].
-* You xref:../../installing/installing_alibaba/preparing-to-install-on-alibaba.adoc#installation-alibaba-dns_preparing-to-install-on-alibaba[registered your domain].
-* If you use a firewall, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to.
-* You have xref:../../installing/installing_alibaba/manually-creating-alibaba-ram.adoc#manually-creating-alibaba-ram[created the required Alibaba Cloud resources].
-* If the cloud Resource Access Management (RAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the kube-system namespace, you can xref:../../installing/installing_alibaba/manually-creating-alibaba-ram.adoc#manually-creating-alibaba-ram[manually create and maintain Resource Access Management (RAM) credentials].
-
-include::modules/cluster-entitlements.adoc[leveloffset=+1]
-
-include::modules/ssh-agent-using.adoc[leveloffset=+1]
-
-include::modules/installation-obtaining-installer.adoc[leveloffset=+1]
-
-include::modules/installation-initializing.adoc[leveloffset=+1]
-
-include::modules/manually-creating-alibaba-manifests.adoc[leveloffset=+1]
-
-include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+1]
-
-include::modules/installation-launching-installer.adoc[leveloffset=+1]
-
-include::modules/cli-installing-cli.adoc[leveloffset=+1]
-
-include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]
-
-include::modules/logging-in-by-using-the-web-console.adoc[leveloffset=+1]
-
-include::modules/cluster-telemetry.adoc[leveloffset=+1]
-
-[role="_additional-resources"]
-.Additional resources
-
-* See xref:../../web_console/web-console.adoc#web-console[Accessing the web console] for more details about accessing and understanding the {product-title} web console.
-* See xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service
-
-[id="next-steps_installing-alibaba-default"]
-== Next steps
-
-* xref:../../installing/validating-an-installation.adoc#validating-an-installation[Validating an installation].
-* xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
-* If necessary, you can xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
-//Given that manual mode is required to install on Alibaba Cloud, I do not believe this xref is necessary.
-//* If necessary, you can xref:../../post_installation_configuration/cluster-tasks.adoc#manually-removing-cloud-creds_post-install-cluster-tasks[remove cloud provider credentials]
diff --git a/installing/installing_alibaba/installing-alibaba-network-customizations.adoc b/installing/installing_alibaba/installing-alibaba-network-customizations.adoc
deleted file mode 100644
index d0e2fc1358a8..000000000000
--- a/installing/installing_alibaba/installing-alibaba-network-customizations.adoc
+++ /dev/null
@@ -1,82 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-[id="installing-alibaba-network-customizations"]
-= Installing a cluster on Alibaba Cloud with network customizations
-include::_attributes/common-attributes.adoc[]
-:context: installing-alibaba-network-customizations
-
-toc::[]
-
-In {product-title} {product-version}, you can install a cluster on Alibaba Cloud with customized network configuration options. By customizing your network configuration, your cluster can coexist with existing IP address allocations in your environment and integrate with existing MTU and
-VXLAN configurations.
-
-You must set most of the network configuration parameters during installation, and you can modify only `kubeProxy` configuration parameters in a running cluster.
-
-:FeatureName: Alibaba Cloud on {product-title}
-include::snippets/technology-preview.adoc[]
-
-[id="prerequisites_installing-alibaba-network-customizations"]
-== Prerequisites
-
-* You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
-* You read the documentation on xref:../../installing/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users].
-* You xref:../../installing/installing_alibaba/preparing-to-install-on-alibaba.adoc#installation-alibaba-dns_preparing-to-install-on-alibaba[registered your domain].
-* If you use a firewall, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to.
-* If the cloud Resource Access Management (RAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_alibaba/manually-creating-alibaba-ram.adoc#manually-creating-alibaba-ram[manually create and maintain Resource Access Management (RAM) credentials].
-
-include::modules/cluster-entitlements.adoc[leveloffset=+1]
-
-include::modules/ssh-agent-using.adoc[leveloffset=+1]
-
-include::modules/installation-obtaining-installer.adoc[leveloffset=+1]
-
-//Networking-specific customization module
-include::modules/nw-network-config.adoc[leveloffset=+1]
-
-include::modules/installation-initializing.adoc[leveloffset=+2]
-
-[role="_additional-resources"]
-.Additional resources
-* xref:../../installing/installing_alibaba/installation-config-parameters-alibaba.adoc#installation-config-parameters-alibaba[Installation configuration parameters for Alibaba Cloud]
-
-include::modules/manually-creating-alibaba-manifests.adoc[leveloffset=+2]
-
-include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+2]
-
-include::modules/installation-alibaba-config-yaml.adoc[leveloffset=+2]
-
-include::modules/installation-configure-proxy.adoc[leveloffset=+2]
-
-//Networking-specific customization module
-include::modules/nw-operator-cr.adoc[leveloffset=+1]
-
-//Networking-specific customization module
-include::modules/nw-modifying-operator-install-config.adoc[leveloffset=+1]
-
-//Networking-specific customization module
-include::modules/configuring-hybrid-ovnkubernetes.adoc[leveloffset=+1]
-
-include::modules/installation-launching-installer.adoc[leveloffset=+1]
-
-include::modules/cli-installing-cli.adoc[leveloffset=+1]
-
-include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]
-
-include::modules/logging-in-by-using-the-web-console.adoc[leveloffset=+1]
-
-include::modules/cluster-telemetry.adoc[leveloffset=+1]
-
-[role="_additional-resources"]
-.Additional resources
-
-* See xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service.
-* See xref:../../web_console/web-console.adoc#web-console[Accessing the web console] for more details about accessing and understanding the {product-title} web console
-* See xref:../../web_console/web-console.adoc#web-console[Accessing the web console] for more details about accessing and understanding the {product-title} web console.
-
-[id="next-steps_installing-alibaba-network-customizations"]
-== Next steps
-
-* xref:../../installing/validating-an-installation.adoc#validating-an-installation[Validate an installation].
-* xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
-* If necessary, you can xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
-//Given that manual mode is required to install on Alibaba Cloud, I do not believe this xref is necessary.
-//* If necessary, you can xref:../../post_installation_configuration/cluster-tasks.adoc#manually-removing-cloud-creds_post-install-cluster-tasks[remove cloud provider credentials].
diff --git a/installing/installing_alibaba/installing-alibaba-vpc.adoc b/installing/installing_alibaba/installing-alibaba-vpc.adoc
deleted file mode 100644
index 08696b1d51ff..000000000000
--- a/installing/installing_alibaba/installing-alibaba-vpc.adoc
+++ /dev/null
@@ -1,73 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-[id="installing-alibaba-vpc"]
-= Installing a cluster on Alibaba Cloud into an existing VPC
-include::_attributes/common-attributes.adoc[]
-:context: installing-alibaba-vpc
-
-toc::[]
-
-In {product-title} version {product-version}, you can install a cluster into an existing Alibaba Virtual Private Cloud (VPC) on Alibaba Cloud Services. The installation program provisions the required infrastructure, which can then be customized. To customize the VPC installation, modify the parameters in the 'install-config.yaml' file before you install the cluster.
-
-[NOTE]
-====
-The scope of the {product-title} installation configurations is intentionally narrow. It is designed for simplicity and ensured success. You can complete many more {product-title} configuration tasks after an installation completes.
-====
-
-:FeatureName: Alibaba Cloud on {product-title}
-include::snippets/technology-preview.adoc[]
-
-[id="prerequisites_installing-alibaba-vpc"]
-== Prerequisites
-
-* You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
-* You read the documentation on xref:../../installing/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users].
-* You xref:../../installing/installing_alibaba/preparing-to-install-on-alibaba.adoc#installation-alibaba-dns_preparing-to-install-on-alibaba[registered your domain].
-* If you use a firewall, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to.
-* If the cloud Resource Access Management (RAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_alibaba/manually-creating-alibaba-ram.adoc#manually-creating-alibaba-ram[manually create and maintain Resource Access Management (RAM) credentials].
-
-include::modules/installation-custom-alibaba-vpc.adoc[leveloffset=+1]
-
-include::modules/cluster-entitlements.adoc[leveloffset=+1]
-
-include::modules/ssh-agent-using.adoc[leveloffset=+1]
-
-include::modules/installation-obtaining-installer.adoc[leveloffset=+1]
-
-include::modules/installation-initializing.adoc[leveloffset=+2]
-
-[role="_additional-resources"]
-.Additional resources
-* xref:../../installing/installing_alibaba/installation-config-parameters-alibaba.adoc#installation-config-parameters-alibaba[Installation configuration parameters for Alibaba Cloud]
-
-include::modules/installation-alibaba-config-yaml.adoc[leveloffset=+2]
-
-include::modules/manually-creating-alibaba-manifests.adoc[leveloffset=+2]
-
-include::modules/cco-ccoctl-configuring.adoc[leveloffset=+2]
-
-include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+2]
-
-include::modules/installation-launching-installer.adoc[leveloffset=+1]
-
-include::modules/cli-installing-cli.adoc[leveloffset=+1]
-
-include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]
-
-include::modules/logging-in-by-using-the-web-console.adoc[leveloffset=+1]
-
-include::modules/cluster-telemetry.adoc[leveloffset=+1]
-
-[role="_additional-resources"]
-.Additional resources
-
-* See xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service.
-* See xref:../../web_console/web-console.adoc#web-console[Accessing the web console] for more details about accessing and understanding the {product-title} web console
-
-[id="next-steps_installing-alibaba-vpc"]
-== Next steps
-
-* xref:../../installing/validating-an-installation.adoc#validating-an-installation[Validating an installation].
-* xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
-* If necessary, you can xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
-//Given that manual mode is required to install on Alibaba Cloud, I do not believe this xref is necessary.
-//* If necessary, you can xref:../../post_installation_configuration/cluster-tasks.adoc#manually-removing-cloud-creds_post-install-cluster-tasks[remove cloud provider credentials].
diff --git a/installing/installing_alibaba/manually-creating-alibaba-ram.adoc b/installing/installing_alibaba/manually-creating-alibaba-ram.adoc
deleted file mode 100644
index a2c28e3f6bc8..000000000000
--- a/installing/installing_alibaba/manually-creating-alibaba-ram.adoc
+++ /dev/null
@@ -1,34 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-[id="manually-creating-alibaba-ram"]
-= Creating the required Alibaba Cloud resources
-include::_attributes/common-attributes.adoc[]
-:context: manually-creating-alibaba-ram
-
-toc::[]
-
-Before you install {product-title}, you must use the Alibaba Cloud console to create a Resource Access Management (RAM) user that has sufficient permissions to install {product-title} into your Alibaba Cloud. This user must also have permissions to create new RAM users. You can also configure and use the `ccoctl` tool to create new credentials for the {product-title} components with the permissions that they require.
-
-:FeatureName: Alibaba Cloud on {product-title}
-include::snippets/technology-preview.adoc[]
-
-//Task part 1: Manually creating the required RAM user
-include::modules/manually-creating-alibaba-ram-user.adoc[leveloffset=+1]
-
-//Task part 2: Configuring the Cloud Credential Operator utility
-include::modules/cco-ccoctl-configuring.adoc[leveloffset=+1]
-[role="_additional-resources"]
-.Additional resources
-* xref:../../updating/preparing_for_updates/preparing-manual-creds-update.adoc#preparing-manual-creds-update[Preparing to update a cluster with manually maintained credentials]
-
-//Task part 3: Creating Alibaba resources with a single command
-// modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+1]
-
-[id="next-steps_manually-creating-alibaba-ram"]
-== Next steps
-
-* Install a cluster on Alibaba Cloud infrastructure that is provisioned by the {product-title} installation program, by using one of the following methods:
-
-** **xref:../../installing/installing_alibaba/installing-alibaba-default.adoc#installing-alibaba-default[Installing a cluster quickly on Alibaba Cloud]**: You can install a cluster quickly by using the default configuration options.
-
-** **xref:../../installing/installing_alibaba/installing-alibaba-customizations.adoc#installing-alibaba-customizations[Installing a customized cluster on Alibaba Cloud]**: The installation program allows for some customization to be applied at the installation stage. Many other customization options are available xref:../../post_installation_configuration/cluster-tasks.adoc#post-install-cluster-tasks[post-installation].
-
diff --git a/installing/installing_alibaba/preparing-to-install-on-alibaba.adoc b/installing/installing_alibaba/preparing-to-install-on-alibaba.adoc
deleted file mode 100644
index f38489249b90..000000000000
--- a/installing/installing_alibaba/preparing-to-install-on-alibaba.adoc
+++ /dev/null
@@ -1,35 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-[id="preparing-to-install-on-alibaba"]
-= Preparing to install on Alibaba Cloud
-include::_attributes/common-attributes.adoc[]
-:context: preparing-to-install-on-alibaba
-
-toc::[]
-
-:FeatureName: Alibaba Cloud on {product-title}
-include::snippets/technology-preview.adoc[]
-
-[id="prerequisites_preparing-to-install-on-alibaba"]
-== Prerequisites
-
-* You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
-* You read the documentation on xref:../../installing/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users].
-
-[id="requirements-for-installing-ocp-on-alibaba"]
-== Requirements for installing {product-title} on Alibaba Cloud
-
-Before installing {product-title} on Alibaba Cloud, you must configure and register your domain, create a Resource Access Management (RAM) user for the installation, and review the supported Alibaba Cloud data center regions and zones for the installation.
-
-include::modules/installation-alibaba-dns.adoc[leveloffset=+1]
-
-// include modules/installation-alibaba-limits.adoc[leveloffset=+1]
-
-// include modules/installation-alibaba-ram-user.adoc[leveloffset=+1]
-
-include::modules/installation-alibaba-regions.adoc[leveloffset=+1]
-
-[id="next-steps_preparing-to-install-on-alibaba"]
-== Next steps
-
-* xref:../../installing/installing_alibaba/manually-creating-alibaba-ram.adoc#manually-creating-alibaba-ram[Create the required Alibaba Cloud resources].
-
diff --git a/installing/installing_alibaba/uninstall-cluster-alibaba.adoc b/installing/installing_alibaba/uninstall-cluster-alibaba.adoc
deleted file mode 100644
index 84a9b2665bd4..000000000000
--- a/installing/installing_alibaba/uninstall-cluster-alibaba.adoc
+++ /dev/null
@@ -1,11 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-[id="uninstalling-cluster-alibaba"]
-= Uninstalling a cluster on Alibaba Cloud
-include::_attributes/common-attributes.adoc[]
-:context: uninstall-cluster-alibaba
-
-toc::[]
-
-You can remove a cluster that you deployed to Alibaba Cloud.
-
-include::modules/installation-uninstall-clouds.adoc[leveloffset=+1]
diff --git a/installing/installing_aws/ipi/installing-aws-china.adoc b/installing/installing_aws/ipi/installing-aws-china.adoc
index bf47bba7f9a2..77c2bcb1d784 100644
--- a/installing/installing_aws/ipi/installing-aws-china.adoc
+++ b/installing/installing_aws/ipi/installing-aws-china.adoc
@@ -111,4 +111,4 @@ include::modules/logging-in-by-using-the-web-console.adoc[leveloffset=+1]
 * xref:../../../installing/validating-an-installation.adoc#validating-an-installation[Validating an installation].
 * xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
 * If necessary, you can xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
-* If necessary, you can xref:../../../post_installation_configuration/cluster-tasks.adoc#manually-removing-cloud-creds_post-install-cluster-tasks[remove cloud provider credentials].
+* If necessary, you can xref:../../../post_installation_configuration/changing-cloud-credentials-configuration.adoc#manually-removing-cloud-creds_changing-cloud-credentials-configuration[remove cloud provider credentials].
diff --git a/installing/installing_aws/ipi/installing-aws-customizations.adoc b/installing/installing_aws/ipi/installing-aws-customizations.adoc
index 1984b94d1082..7ce7e3474383 100644
--- a/installing/installing_aws/ipi/installing-aws-customizations.adoc
+++ b/installing/installing_aws/ipi/installing-aws-customizations.adoc
@@ -108,4 +108,4 @@ include::modules/logging-in-by-using-the-web-console.adoc[leveloffset=+1]
 * xref:../../../installing/validating-an-installation.adoc#validating-an-installation[Validating an installation].
 * xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
 * If necessary, you can xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
-* If necessary, you can xref:../../../post_installation_configuration/cluster-tasks.adoc#manually-removing-cloud-creds_post-install-cluster-tasks[remove cloud provider credentials].
+* If necessary, you can xref:../../../post_installation_configuration/changing-cloud-credentials-configuration.adoc#manually-removing-cloud-creds_changing-cloud-credentials-configuration[remove cloud provider credentials].
diff --git a/installing/installing_aws/ipi/installing-aws-default.adoc b/installing/installing_aws/ipi/installing-aws-default.adoc
index 60b8d2ed1840..7fee3f3ab8ce 100644
--- a/installing/installing_aws/ipi/installing-aws-default.adoc
+++ b/installing/installing_aws/ipi/installing-aws-default.adoc
@@ -42,4 +42,4 @@ include::modules/logging-in-by-using-the-web-console.adoc[leveloffset=+1]
 * xref:../../../installing/validating-an-installation.adoc#validating-an-installation[Validating an installation].
 * xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
 * If necessary, you can xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
-* If necessary, you can xref:../../../post_installation_configuration/cluster-tasks.adoc#manually-removing-cloud-creds_post-install-cluster-tasks[remove cloud provider credentials].
+* If necessary, you can xref:../../../post_installation_configuration/changing-cloud-credentials-configuration.adoc#manually-removing-cloud-creds_changing-cloud-credentials-configuration[remove cloud provider credentials].
diff --git a/installing/installing_aws/ipi/installing-aws-government-region.adoc b/installing/installing_aws/ipi/installing-aws-government-region.adoc
index e9c1823fd94a..13675e838ce1 100644
--- a/installing/installing_aws/ipi/installing-aws-government-region.adoc
+++ b/installing/installing_aws/ipi/installing-aws-government-region.adoc
@@ -112,4 +112,4 @@ include::modules/logging-in-by-using-the-web-console.adoc[leveloffset=+1]
 * xref:../../../installing/validating-an-installation.adoc#validating-an-installation[Validating an installation].
 * xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
 * If necessary, you can xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
-* If necessary, you can xref:../../../post_installation_configuration/cluster-tasks.adoc#manually-removing-cloud-creds_post-install-cluster-tasks[remove cloud provider credentials].
+* If necessary, you can xref:../../../post_installation_configuration/changing-cloud-credentials-configuration.adoc#manually-removing-cloud-creds_changing-cloud-credentials-configuration[remove cloud provider credentials].
diff --git a/installing/installing_aws/ipi/installing-aws-network-customizations.adoc b/installing/installing_aws/ipi/installing-aws-network-customizations.adoc
index d4fae17f6ee5..9461aa5748b1 100644
--- a/installing/installing_aws/ipi/installing-aws-network-customizations.adoc
+++ b/installing/installing_aws/ipi/installing-aws-network-customizations.adoc
@@ -126,4 +126,4 @@ include::modules/logging-in-by-using-the-web-console.adoc[leveloffset=+1]
 * xref:../../../installing/validating-an-installation.adoc#validating-an-installation[Validating an installation].
 * xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
 * If necessary, you can xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
-* If necessary, you can xref:../../../post_installation_configuration/cluster-tasks.adoc#manually-removing-cloud-creds_post-install-cluster-tasks[remove cloud provider credentials].
+* If necessary, you can xref:../../../post_installation_configuration/changing-cloud-credentials-configuration.adoc#manually-removing-cloud-creds_changing-cloud-credentials-configuration[remove cloud provider credentials].
diff --git a/installing/installing_aws/ipi/installing-aws-private.adoc b/installing/installing_aws/ipi/installing-aws-private.adoc
index 7bcf6eeeb279..43335975de84 100644
--- a/installing/installing_aws/ipi/installing-aws-private.adoc
+++ b/installing/installing_aws/ipi/installing-aws-private.adoc
@@ -106,4 +106,4 @@ include::modules/logging-in-by-using-the-web-console.adoc[leveloffset=+1]
 * xref:../../../installing/validating-an-installation.adoc#validating-an-installation[Validating an installation].
 * xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
 * If necessary, you can xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
-* If necessary, you can xref:../../../post_installation_configuration/cluster-tasks.adoc#manually-removing-cloud-creds_post-install-cluster-tasks[remove cloud provider credentials].
+* If necessary, you can xref:../../../post_installation_configuration/changing-cloud-credentials-configuration.adoc#manually-removing-cloud-creds_changing-cloud-credentials-configuration[remove cloud provider credentials].
diff --git a/installing/installing_aws/ipi/installing-aws-secret-region.adoc b/installing/installing_aws/ipi/installing-aws-secret-region.adoc
index 8f7700d9802b..9dd1627ab370 100644
--- a/installing/installing_aws/ipi/installing-aws-secret-region.adoc
+++ b/installing/installing_aws/ipi/installing-aws-secret-region.adoc
@@ -13,6 +13,13 @@ In {product-title} version {product-version}, you can install a cluster on Amazo
 
 To configure a cluster in either region, you change parameters in the `install config.yaml` file before you install the cluster.
 
+[WARNING]
+====
+In {product-title} {product-version}, the installation program uses Cluster API instead of Terraform to provision cluster infrastructure during installations on AWS. Installing a cluster on AWS into a secret or top-secret region by using the Cluster API implementation has not been tested as of the release of {product-title} {product-version}. This document will be updated when installation into a secret region has been tested.
+
+There is a known issue with Network Load Balancers' support for security groups in secret or top secret regions that causes installations in these regions to fail. For more information, see link:https://issues.redhat.com/browse/OCPBUGS-33311[OCPBUGS-33311].
+====
+
 [id="prerequisites_installing-aws-secret-region"]
 == Prerequisites
 
@@ -105,4 +112,4 @@ include::modules/logging-in-by-using-the-web-console.adoc[leveloffset=+1]
 * xref:../../../installing/validating-an-installation.adoc#validating-an-installation[Validating an installation].
 * xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
 * If necessary, you can xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
-* If necessary, you can xref:../../../post_installation_configuration/cluster-tasks.adoc#manually-removing-cloud-creds_post-install-cluster-tasks[remove cloud provider credentials].
+* If necessary, you can xref:../../../post_installation_configuration/changing-cloud-credentials-configuration.adoc#manually-removing-cloud-creds_changing-cloud-credentials-configuration[remove cloud provider credentials].
diff --git a/installing/installing_aws/ipi/installing-aws-vpc.adoc b/installing/installing_aws/ipi/installing-aws-vpc.adoc
index 9c3263e89369..cce3443c4b6d 100644
--- a/installing/installing_aws/ipi/installing-aws-vpc.adoc
+++ b/installing/installing_aws/ipi/installing-aws-vpc.adoc
@@ -104,5 +104,5 @@ include::modules/logging-in-by-using-the-web-console.adoc[leveloffset=+1]
 * xref:../../../installing/validating-an-installation.adoc#validating-an-installation[Validating an installation].
 * xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
 * If necessary, you can xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
-* If necessary, you can xref:../../../post_installation_configuration/cluster-tasks.adoc#manually-removing-cloud-creds_post-install-cluster-tasks[remove cloud provider credentials].
+* If necessary, you can xref:../../../post_installation_configuration/changing-cloud-credentials-configuration.adoc#manually-removing-cloud-creds_changing-cloud-credentials-configuration[remove cloud provider credentials].
 * After installing a cluster on AWS into an existing VPC, you can xref:../../../post_installation_configuration/configuring-aws-outposts.adoc#configuring-aws-outposts[extend the AWS VPC cluster into an AWS Outpost].
\ No newline at end of file
diff --git a/installing/installing_aws/upi/installing-aws-user-infra.adoc b/installing/installing_aws/upi/installing-aws-user-infra.adoc
index 3261096b5a5d..a6bae794b192 100644
--- a/installing/installing_aws/upi/installing-aws-user-infra.adoc
+++ b/installing/installing_aws/upi/installing-aws-user-infra.adoc
@@ -26,6 +26,7 @@ The steps for performing a user-provisioned infrastructure installation are prov
 ====
 If you have an AWS profile stored on your computer, it must not use a temporary session token that you generated while using a multi-factor authentication device. The cluster continues to use your current AWS credentials to create AWS resources for the entire life of the cluster, so you must use key-based, long-term credentials. To generate appropriate keys, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html[Managing Access Keys for IAM Users] in the AWS documentation. You can supply the keys when you run the installation program.
 ====
+* You xref:../../../installing/installing_aws/upi/upi-aws-installation-reqs#upi-aws-installation-reqs[prepared the user-provisioned infrastructure.]
 * You downloaded the AWS CLI and installed it on your computer. See link:https://docs.aws.amazon.com/cli/latest/userguide/install-bundle.html[Install the AWS CLI Using the Bundled Installer (Linux, macOS, or UNIX)] in the AWS documentation.
 * If you use a firewall, you xref:../../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to.
 +
@@ -35,38 +36,6 @@ Be sure to also review this site list if you are configuring a proxy.
 ====
 * If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../../installing/installing_aws/ipi/installing-aws-customizations.adoc#manually-create-iam_installing-aws-customizations[manually create and maintain long-term credentials].
 
-include::modules/cluster-entitlements.adoc[leveloffset=+1]
-
-[id="installation-requirements-user-infra_{context}"]
-== Requirements for a cluster with user-provisioned infrastructure
-
-For a cluster that contains user-provisioned infrastructure, you must deploy all
-of the required machines.
-
-This section describes the requirements for deploying {product-title} on user-provisioned infrastructure.
-
-include::modules/installation-machine-requirements.adoc[leveloffset=+2]
-include::modules/installation-minimum-resource-requirements.adoc[leveloffset=+2]
-
-[role="_additional-resources"]
-.Additional resources
-
-* xref:../../../scalability_and_performance/optimization/optimizing-storage.adoc#optimizing-storage[Optimizing storage]
-
-include::modules/installation-aws-tested-machine-types.adoc[leveloffset=+2]
-include::modules/installation-aws-arm-tested-machine-types.adoc[leveloffset=+2]
-include::modules/csr-management.adoc[leveloffset=+2]
-
-include::modules/installation-aws-user-infra-requirements.adoc[leveloffset=+1]
-
-include::modules/installation-aws-permissions.adoc[leveloffset=+2]
-
-include::modules/installation-aws-marketplace-subscribe.adoc[leveloffset=+1]
-
-include::modules/installation-obtaining-installer.adoc[leveloffset=+1]
-
-include::modules/ssh-agent-using.adoc[leveloffset=+1]
-
 include::modules/installation-user-infra-generate.adoc[leveloffset=+1]
 
 include::modules/installation-disk-partitioning-upi-templates.adoc[leveloffset=+2]
@@ -175,8 +144,6 @@ include::modules/installation-aws-user-infra-bootstrap.adoc[leveloffset=+1]
 
 * You can view details about the running instances that are created by using the link:https://console.aws.amazon.com/ec2[AWS EC2 console].
 
-include::modules/cli-installing-cli.adoc[leveloffset=+1]
-
 include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]
 
 include::modules/installation-approve-csrs.adoc[leveloffset=+1]
@@ -204,13 +171,6 @@ include::modules/logging-in-by-using-the-web-console.adoc[leveloffset=+1]
 
 * See xref:../../../web_console/web-console.adoc#web-console[Accessing the web console] for more details about accessing and understanding the {product-title} web console.
 
-include::modules/cluster-telemetry.adoc[leveloffset=+1]
-
-[role="_additional-resources"]
-.Additional resources
-
-* See xref:../../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service.
-
 [role="_additional-resources"]
 [id="installing-aws-user-infra-additional-resources"]
 == Additional resources
@@ -223,4 +183,4 @@ include::modules/cluster-telemetry.adoc[leveloffset=+1]
 * xref:../../../installing/validating-an-installation.adoc#validating-an-installation[Validating an installation].
 * xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
 * If necessary, you can xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
-* If necessary, you can xref:../../../post_installation_configuration/cluster-tasks.adoc#manually-removing-cloud-creds_post-install-cluster-tasks[remove cloud provider credentials].
+* If necessary, you can xref:../../../post_installation_configuration/changing-cloud-credentials-configuration.adoc#manually-removing-cloud-creds_changing-cloud-credentials-configuration[remove cloud provider credentials].
diff --git a/installing/installing_aws/upi/installing-restricted-networks-aws.adoc b/installing/installing_aws/upi/installing-restricted-networks-aws.adoc
index edaf54a0e803..8a5aa665e94d 100644
--- a/installing/installing_aws/upi/installing-restricted-networks-aws.adoc
+++ b/installing/installing_aws/upi/installing-restricted-networks-aws.adoc
@@ -42,6 +42,7 @@ Because the installation media is on the mirror host, you can use that computer
 ====
 If you have an AWS profile stored on your computer, it must not use a temporary session token that you generated while using a multi-factor authentication device. The cluster continues to use your current AWS credentials to create AWS resources for the entire life of the cluster, so you must use key-based, long-term credentials. To generate appropriate keys, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html[Managing Access Keys for IAM Users] in the AWS documentation. You can supply the keys when you run the installation program.
 ====
+* You xref:../../../installing/installing_aws/upi/upi-aws-installation-reqs#upi-aws-installation-reqs[prepared the user-provisioned infrastructure.]
 * You downloaded the AWS CLI and installed it on your computer. See link:https://docs.aws.amazon.com/cli/latest/userguide/install-bundle.html[Install the AWS CLI Using the Bundled Installer (Linux, macOS, or UNIX)] in the AWS documentation.
 * If you use a firewall and plan to use the Telemetry service, you xref:../../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured the firewall to allow the sites] that your cluster requires access to.
 +
@@ -53,36 +54,8 @@ Be sure to also review this site list if you are configuring a proxy.
 
 include::modules/installation-about-restricted-network.adoc[leveloffset=+1]
 
-include::modules/cluster-entitlements.adoc[leveloffset=+1]
-
-[id="installation-requirements-user-infra_{context}"]
-== Requirements for a cluster with user-provisioned infrastructure
-
-For a cluster that contains user-provisioned infrastructure, you must deploy all
-of the required machines.
-
-This section describes the requirements for deploying {product-title} on user-provisioned infrastructure.
-
-include::modules/installation-machine-requirements.adoc[leveloffset=+2]
-include::modules/installation-minimum-resource-requirements.adoc[leveloffset=+2]
-
-[role="_additional-resources"]
-.Additional resources
-
-* xref:../../../scalability_and_performance/optimization/optimizing-storage.adoc#optimizing-storage[Optimizing storage]
-
-include::modules/installation-aws-tested-machine-types.adoc[leveloffset=+2]
-include::modules/installation-aws-arm-tested-machine-types.adoc[leveloffset=+2]
-include::modules/csr-management.adoc[leveloffset=+2]
-
-include::modules/installation-aws-user-infra-requirements.adoc[leveloffset=+1]
-
-include::modules/installation-aws-permissions.adoc[leveloffset=+2]
-
 //You extract the installation program from the mirrored content.
 
-include::modules/ssh-agent-using.adoc[leveloffset=+1]
-
 include::modules/installation-user-infra-generate.adoc[leveloffset=+1]
 
 include::modules/installation-disk-partitioning-upi-templates.adoc[leveloffset=+2]
@@ -163,8 +136,6 @@ include::modules/installation-aws-user-infra-bootstrap.adoc[leveloffset=+1]
 
 //You can install the CLI on the mirror host.
 
-include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]
-
 include::modules/installation-approve-csrs.adoc[leveloffset=+1]
 
 include::modules/installation-operators-config.adoc[leveloffset=+1]
@@ -183,6 +154,8 @@ include::modules/installation-create-ingress-dns-records.adoc[leveloffset=+1]
 
 include::modules/installation-aws-user-infra-installation.adoc[leveloffset=+1]
 
+include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]
+
 include::modules/logging-in-by-using-the-web-console.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
@@ -190,8 +163,6 @@ include::modules/logging-in-by-using-the-web-console.adoc[leveloffset=+1]
 
 * See xref:../../../web_console/web-console.adoc#web-console[Accessing the web console] for more details about accessing and understanding the {product-title} web console.
 
-include::modules/cluster-telemetry.adoc[leveloffset=+1]
-
 [role="_additional-resources"]
 .Additional resources
 
@@ -213,4 +184,4 @@ include::modules/cluster-telemetry.adoc[leveloffset=+1]
 * If the mirror registry that you used to install your cluster has a trusted CA, add it to the cluster by xref:../../../openshift_images/image-configuration.adoc#images-configuration-cas_image-configuration[configuring additional trust stores].
 * If necessary, you can xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
 * If necessary, see xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#insights-operator-register-disconnected-cluster_opting-out-remote-health-reporting[Registering your disconnected cluster]
-* If necessary, you can xref:../../../post_installation_configuration/cluster-tasks.adoc#manually-removing-cloud-creds_post-install-cluster-tasks[remove cloud provider credentials].
+* If necessary, you can xref:../../../post_installation_configuration/changing-cloud-credentials-configuration.adoc#manually-removing-cloud-creds_changing-cloud-credentials-configuration[remove cloud provider credentials].
diff --git a/installing/installing_aws/upi/upi-aws-installation-reqs.adoc b/installing/installing_aws/upi/upi-aws-installation-reqs.adoc
new file mode 100644
index 000000000000..6364d09d344b
--- /dev/null
+++ b/installing/installing_aws/upi/upi-aws-installation-reqs.adoc
@@ -0,0 +1,32 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="upi-aws-installation-reqs"]
+= Installation requirements for user-provisioned infrastructure on AWS
+include::_attributes/common-attributes.adoc[]
+:context: upi-aws-installation-reqs
+
+toc::[]
+
+Before you begin an installation on infrastructure that you provision, be sure that your AWS environment meets the following installation requirements.
+
+For a cluster that contains user-provisioned infrastructure, you must deploy all
+of the required machines.
+
+
+include::modules/installation-machine-requirements.adoc[leveloffset=+1]
+include::modules/installation-minimum-resource-requirements.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../scalability_and_performance/optimization/optimizing-storage.adoc#optimizing-storage[Optimizing storage]
+
+include::modules/installation-aws-tested-machine-types.adoc[leveloffset=+2]
+include::modules/installation-aws-arm-tested-machine-types.adoc[leveloffset=+2]
+
+include::modules/csr-management.adoc[leveloffset=+1]
+
+include::modules/installation-aws-user-infra-requirements.adoc[leveloffset=+1]
+
+include::modules/installation-aws-permissions.adoc[leveloffset=+1]
+
+include::modules/installation-aws-marketplace-subscribe.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/installing/installing_aws/upi/upi-aws-preparing-to-install.adoc b/installing/installing_aws/upi/upi-aws-preparing-to-install.adoc
new file mode 100644
index 000000000000..60228d484170
--- /dev/null
+++ b/installing/installing_aws/upi/upi-aws-preparing-to-install.adoc
@@ -0,0 +1,46 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="upi-aws-preparing-to-install"]
+= Preparing to install a cluster on AWS
+include::_attributes/common-attributes.adoc[]
+:context: upi-aws-preparing-to-install
+
+toc::[]
+
+You prepare to install an {product-title} cluster on AWS by completing the following steps:
+
+* Verifying internet connectivity for your cluster.
+
+* xref:../../../installing/installing_aws/installing-aws-account.adoc#installing-aws-account[Configuring an AWS account].
+
+* Downloading the installation program.
++
+[NOTE]
+====
+If you are installing in a disconnected environment, you extract the installation program from the mirrored content. For more information, see xref:../../../installing/disconnected_install/installing-mirroring-installation-images.adoc#installing-mirroring-installation-images[Mirroring images for a disconnected installation].
+====
+* Installing the {oc-first}.
++
+[NOTE]
+====
+If you are installing in a disconnected environment, install `oc` to the mirror host.
+====
+* Generating an SSH key pair. You can use this key pair to authenticate into the {product-title} cluster's nodes after it is deployed.
+
+* xref:../../../installing/installing_aws/upi/upi-aws-installation-reqs#upi-aws-installation-reqs[Preparing the user-provisioned infrastructure.]
+
+* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, xref:../../../installing/installing_aws/ipi/installing-aws-customizations.adoc#manually-create-iam_installing-aws-customizations[manually creating long-term credentials for AWS] or xref:../../../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-with-short-term-creds_installing-aws-customizations[configuring an AWS cluster to use short-term credentials] with Amazon Web Services Security Token Service (AWS STS).
+
+include::modules/cluster-entitlements.adoc[leveloffset=+1]
+
+include::modules/installation-obtaining-installer.adoc[leveloffset=+1]
+
+include::modules/cli-installing-cli.adoc[leveloffset=+1]
+
+include::modules/ssh-agent-using.adoc[leveloffset=+1]
+
+include::modules/cluster-telemetry.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* See xref:../../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service.
\ No newline at end of file
diff --git a/installing/installing_azure_stack_hub/installing-azure-stack-hub-default.adoc b/installing/installing_azure_stack_hub/installing-azure-stack-hub-default.adoc
index cee27a3c7559..12a579d9fef8 100644
--- a/installing/installing_azure_stack_hub/installing-azure-stack-hub-default.adoc
+++ b/installing/installing_azure_stack_hub/installing-azure-stack-hub-default.adoc
@@ -73,4 +73,4 @@ include::modules/cluster-telemetry.adoc[leveloffset=+1]
 * xref:../../installing/validating-an-installation.adoc#validating-an-installation[Validating an installation].
 * xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
 * If necessary, you can xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
-* If necessary, you can xref:../../post_installation_configuration/cluster-tasks.adoc#manually-removing-cloud-creds_post-install-cluster-tasks[remove cloud provider credentials].
+* If necessary, you can xref:../../post_installation_configuration/changing-cloud-credentials-configuration.adoc#manually-removing-cloud-creds_changing-cloud-credentials-configuration[remove cloud provider credentials].
diff --git a/installing/installing_azure_stack_hub/installing-azure-stack-hub-network-customizations.adoc b/installing/installing_azure_stack_hub/installing-azure-stack-hub-network-customizations.adoc
index 559ede047a71..d43a78ef8ebe 100644
--- a/installing/installing_azure_stack_hub/installing-azure-stack-hub-network-customizations.adoc
+++ b/installing/installing_azure_stack_hub/installing-azure-stack-hub-network-customizations.adoc
@@ -89,4 +89,4 @@ include::modules/cluster-telemetry.adoc[leveloffset=+1]
 * xref:../../installing/validating-an-installation.adoc#validating-an-installation[Validating an installation].
 * xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
 * If necessary, you can xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
-* If necessary, you can xref:../../post_installation_configuration/cluster-tasks.adoc#manually-removing-cloud-creds_post-install-cluster-tasks[remove cloud provider credentials].
+* If necessary, you can xref:../../post_installation_configuration/changing-cloud-credentials-configuration.adoc#manually-removing-cloud-creds_changing-cloud-credentials-configuration[remove cloud provider credentials].
diff --git a/installing/installing_bare_metal/installing-bare-metal-network-customizations.adoc b/installing/installing_bare_metal/installing-bare-metal-network-customizations.adoc
index 6836b2e97d1f..554864af34ac 100644
--- a/installing/installing_bare_metal/installing-bare-metal-network-customizations.adoc
+++ b/installing/installing_bare_metal/installing-bare-metal-network-customizations.adoc
@@ -141,6 +141,10 @@ include::modules/installation-user-infra-machines-advanced-customizing-live-seri
 include::modules/installation-user-infra-machines-advanced-customizing-live-ca-certs.adoc[leveloffset=+4]
 
 include::modules/installation-user-infra-machines-advanced-customizing-live-network-config.adoc[leveloffset=+4]
+
+include::modules/installation-user-infra-machines-advanced-customizing-live-iscsi-manual.adoc[leveloffset=+4]
+
+include::modules/installation-user-infra-machines-advanced-customizing-live-iscsi-ibft.adoc[leveloffset=+4]
 :boot-media!:
 :boot!:
 
@@ -153,6 +157,10 @@ include::modules/installation-user-infra-machines-advanced-customizing-live-seri
 include::modules/installation-user-infra-machines-advanced-customizing-live-ca-certs.adoc[leveloffset=+4]
 
 include::modules/installation-user-infra-machines-advanced-customizing-live-network-config.adoc[leveloffset=+4]
+
+include::modules/installation-user-infra-machines-advanced-customizing-live-iscsi-manual.adoc[leveloffset=+4]
+
+include::modules/installation-user-infra-machines-advanced-customizing-live-iscsi-ibft.adoc[leveloffset=+4]
 :boot-media!:
 :boot!:
 
@@ -160,6 +168,11 @@ include::modules/installation-user-infra-machines-static-network.adoc[leveloffse
 
 include::modules/rhcos-enabling-multipath.adoc[leveloffset=+2]
 
+//iscsi using `coreos-installer install`
+include::modules/rhcos-install-iscsi-manual.adoc[leveloffset=+2]
+
+include::modules/rhcos-install-iscsi-ibft.adoc[leveloffset=+2]
+
 include::modules/installation-installing-bare-metal.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
diff --git a/installing/installing_bare_metal/installing-bare-metal.adoc b/installing/installing_bare_metal/installing-bare-metal.adoc
index a7fb0ba2a3bf..113ce699abd2 100644
--- a/installing/installing_bare_metal/installing-bare-metal.adoc
+++ b/installing/installing_bare_metal/installing-bare-metal.adoc
@@ -169,6 +169,10 @@ include::modules/installation-user-infra-machines-advanced-customizing-live-seri
 include::modules/installation-user-infra-machines-advanced-customizing-live-ca-certs.adoc[leveloffset=+4]
 
 include::modules/installation-user-infra-machines-advanced-customizing-live-network-config.adoc[leveloffset=+4]
+
+include::modules/installation-user-infra-machines-advanced-customizing-live-iscsi-manual.adoc[leveloffset=+4]
+
+include::modules/installation-user-infra-machines-advanced-customizing-live-iscsi-ibft.adoc[leveloffset=+4]
 :boot-media!:
 :boot!:
 
@@ -181,6 +185,10 @@ include::modules/installation-user-infra-machines-advanced-customizing-live-seri
 include::modules/installation-user-infra-machines-advanced-customizing-live-ca-certs.adoc[leveloffset=+4]
 
 include::modules/installation-user-infra-machines-advanced-customizing-live-network-config.adoc[leveloffset=+4]
+
+include::modules/installation-user-infra-machines-advanced-customizing-live-iscsi-manual.adoc[leveloffset=+4]
+
+include::modules/installation-user-infra-machines-advanced-customizing-live-iscsi-ibft.adoc[leveloffset=+4]
 :boot-media!:
 :boot!:
 
@@ -188,6 +196,11 @@ include::modules/installation-user-infra-machines-static-network.adoc[leveloffse
 
 include::modules/rhcos-enabling-multipath.adoc[leveloffset=+2]
 
+//iscsi using `coreos-installer install`
+include::modules/rhcos-install-iscsi-manual.adoc[leveloffset=+2]
+
+include::modules/rhcos-install-iscsi-ibft.adoc[leveloffset=+2]
+
 [role="_additional-resources"]
 .Additional resources
 
diff --git a/installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc b/installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc
index 6d208664d674..a7779da1a826 100644
--- a/installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc
+++ b/installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc
@@ -162,6 +162,10 @@ include::modules/installation-user-infra-machines-advanced-customizing-live-seri
 include::modules/installation-user-infra-machines-advanced-customizing-live-ca-certs.adoc[leveloffset=+4]
 
 include::modules/installation-user-infra-machines-advanced-customizing-live-network-config.adoc[leveloffset=+4]
+
+include::modules/installation-user-infra-machines-advanced-customizing-live-iscsi-manual.adoc[leveloffset=+4]
+
+include::modules/installation-user-infra-machines-advanced-customizing-live-iscsi-ibft.adoc[leveloffset=+4]
 :boot-media!:
 :boot!:
 
@@ -174,6 +178,10 @@ include::modules/installation-user-infra-machines-advanced-customizing-live-seri
 include::modules/installation-user-infra-machines-advanced-customizing-live-ca-certs.adoc[leveloffset=+4]
 
 include::modules/installation-user-infra-machines-advanced-customizing-live-network-config.adoc[leveloffset=+4]
+
+include::modules/installation-user-infra-machines-advanced-customizing-live-iscsi-manual.adoc[leveloffset=+4]
+
+include::modules/installation-user-infra-machines-advanced-customizing-live-iscsi-ibft.adoc[leveloffset=+4]
 :boot-media!:
 :boot!:
 
@@ -181,6 +189,11 @@ include::modules/installation-user-infra-machines-static-network.adoc[leveloffse
 
 include::modules/rhcos-enabling-multipath.adoc[leveloffset=+2]
 
+//iscsi using `coreos-installer install`
+include::modules/rhcos-install-iscsi-manual.adoc[leveloffset=+2]
+
+include::modules/rhcos-install-iscsi-ibft.adoc[leveloffset=+2]
+
 include::modules/installation-installing-bare-metal.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
diff --git a/installing/installing_bare_metal_ipi/ipi-install-installation-workflow.adoc b/installing/installing_bare_metal_ipi/ipi-install-installation-workflow.adoc
index fd5559aa191f..f5c2585cfe8d 100644
--- a/installing/installing_bare_metal_ipi/ipi-install-installation-workflow.adoc
+++ b/installing/installing_bare_metal_ipi/ipi-install-installation-workflow.adoc
@@ -6,10 +6,13 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
+// Installing {op-system-base} on the provisioner node
 include::modules/ipi-install-installing-rhel-on-the-provisioner-node.adoc[leveloffset=+1]
 
+// Preparing the provisioner node for {product-title} installation
 include::modules/ipi-install-preparing-the-provisioner-node-for-openshift-install.adoc[leveloffset=+1]
 
+// Checking NTP server synchronization
 include::modules/ipi-install-checking-ntp-sync.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
@@ -19,15 +22,19 @@ include::modules/ipi-install-checking-ntp-sync.adoc[leveloffset=+1]
 
 * xref:../../installing/installing_bare_metal_ipi/ipi-install-prerequisites.adoc#network-requirements-ntp_ipi-install-prerequisites[Network Time Protocol (NTP)]
 
+// Configuring networking
 include::modules/ipi-install-configuring-networking.adoc[leveloffset=+1]
 
 // Establishing communication between subnets
 include::modules/ipi-install-establishing-communication-between-subnets.adoc[leveloffset=+1]
 
+// Retrieving the {product-title} installer
 include::modules/ipi-install-retrieving-the-openshift-installer.adoc[leveloffset=+1]
 
+// Extracting the {product-title} installer
 include::modules/ipi-install-extracting-the-openshift-installer.adoc[leveloffset=+1]
 
+// Optional: Creating an {op-system} images cache
 include::modules/ipi-install-creating-an-rhcos-images-cache.adoc[leveloffset=+1]
 
 // Services for a user-managed load balancer
@@ -36,38 +43,61 @@ include::modules/nw-osp-services-external-load-balancer.adoc[leveloffset=+1]
 // Configuring a user-managed load balancer
 include::modules/nw-osp-configuring-external-load-balancer.adoc[leveloffset=+2]
 
+// Setting the cluster node hostnames through DHCP
 include::modules/ipi-install-setting-cluster-node-hostnames-dhcp.adoc[leveloffset=+1]
 
 [id="ipi-install-configuration-files"]
 [id="additional-resources_config"]
 == Configuring the install-config.yaml file
 
+// Configuring the install-config.yaml file
 include::modules/ipi-install-configuring-the-install-config-file.adoc[leveloffset=+2]
 
+// Additional `install-config` parameters
 include::modules/ipi-install-additional-install-config-parameters.adoc[leveloffset=+2]
 
+// BMC addressing
 include::modules/ipi-install-bmc-addressing.adoc[leveloffset=+2]
 
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../post_installation_configuration/bare-metal-configuration.adoc#editing-a-baremetalhost-resource_post-install-bare-metal-configuration[Editing a BareMetalHost resource]
+
+// Verifying support for the Redfish API
+include::modules/ipi-install-verifying-support-for-redfish-apis.adoc[leveloffset=+2]
+
+// BMC addressing for Dell iDRAC
 include::modules/ipi-install-bmc-addressing-for-dell-idrac.adoc[leveloffset=+2]
 
+// BMC addressing for HPE iLO
 include::modules/ipi-install-bmc-addressing-for-hpe-ilo.adoc[leveloffset=+2]
 
+// BMC addressing for Fujitsu iRMC
 include::modules/ipi-install-bmc-addressing-for-fujitsu-irmc.adoc[leveloffset=+2]
 
+// Root device hints
 include::modules/ipi-install-root-device-hints.adoc[leveloffset=+2]
 
+// Optional: Setting proxy settings
 include::modules/ipi-install-setting-proxy-settings-within-install-config.adoc[leveloffset=+2]
 
+// Optional: Deploying with no provisioning network
 include::modules/ipi-install-modifying-install-config-for-no-provisioning-network.adoc[leveloffset=+2]
 
+// Optional: Deploying with dual-stack networking
 include::modules/ipi-install-modifying-install-config-for-dual-stack-network.adoc[leveloffset=+2]
 
+// Optional: Configuring host network interfaces
 include::modules/ipi-install-configuring-host-network-interfaces-in-the-install-config.yaml-file.adoc[leveloffset=+2]
 
+// Configuring host network interfaces for subnets
 include::modules/ipi-install-configuring-host-network-interfaces-for-subnets.adoc[leveloffset=+2]
 
+// Optional: Configuring address generation modes for SLAAC in dual-stack networks
 include::modules/ipi-install-modifying-install-config-for-slaac-dual-stack-network.adoc[leveloffset=+2]
 
+// Optional: Configuring host network interfaces for dual port NIC
 include::modules/ipi-install-configuring-host-dual-network-interfaces-in-the-install-config.yaml-file.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
@@ -75,21 +105,28 @@ include::modules/ipi-install-configuring-host-dual-network-interfaces-in-the-ins
 
 * link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/configuring_and_managing_networking/configuring-network-bonding_configuring-and-managing-networking[Configuring network bonding]
 
+// Configuring multiple cluster nodes
 include::modules/ipi-install-configure-multiple-cluster-nodes.adoc[leveloffset=+2]
 
+// Optional: Configuring managed Secure Boot
 include::modules/ipi-install-configuring-managed-secure-boot-in-the-install-config-file.adoc[leveloffset=+2]
 
 [id="ipi-install-manifest-configuration-files"]
 == Manifest configuration files
 
+// Creating the {product-title} manifests
 include::modules/ipi-install-creating-the-openshift-manifests.adoc[leveloffset=+2]
 
+// Optional: Configuring NTP for disconnected clusters
 include::modules/ipi-install-configuring-ntp-for-disconnected-clusters.adoc[leveloffset=+2]
 
+// Configuring network components to run on the control plane
 include::modules/ipi-install-configure-network-components-to-run-on-the-control-plane.adoc[leveloffset=+2]
 
+// Optional: Deploying routers on worker nodes
 include::modules/ipi-install-deploying-routers-on-worker-nodes.adoc[leveloffset=+2]
 
+// Optional: Configuring the BIOS
 include::modules/ipi-install-configuring-the-bios.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
@@ -98,8 +135,10 @@ include::modules/ipi-install-configuring-the-bios.adoc[leveloffset=+2]
 
 * xref:../../post_installation_configuration/bare-metal-configuration.adoc#post-install-bare-metal-configuration[Bare metal configuration]
 
+// Optional: Configuring the RAID
 include::modules/ipi-install-configuring-the-raid.adoc[leveloffset=+2]
 
+// Optional: Configuring storage on nodes
 include::modules/ipi-install-configuring-storage-on-nodes.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
@@ -110,6 +149,7 @@ include::modules/ipi-install-configuring-storage-on-nodes.adoc[leveloffset=+2]
 
 * link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/managing_storage_devices/index#partition-naming-scheme_disk-partitions[Partition naming scheme]
 
+// Creating a disconnected registry
 include::modules/ipi-install-creating-a-disconnected-registry.adoc[leveloffset=+1]
 
 [discrete]
@@ -118,20 +158,28 @@ include::modules/ipi-install-creating-a-disconnected-registry.adoc[leveloffset=+
 
 * If you have already prepared a mirror registry for xref:../../installing/disconnected_install/installing-mirroring-installation-images.adoc#prerequisites_installing-mirroring-installation-images[Mirroring images for a disconnected installation], you can skip directly to xref:../../installing/installing_bare_metal_ipi/ipi-install-installation-workflow.adoc#ipi-modify-install-config-for-a-disconnected-registry_ipi-install-installation-workflow[Modify the install-config.yaml file to use the disconnected registry].
 
+// Preparing the registry node to host the mirrored registry
 include::modules/ipi-install-preparing-a-disconnected-registry.adoc[leveloffset=+2]
 
+// Mirroring the {product-title} image repository for a disconnected registry
 include::modules/ipi-install-mirroring-for-disconnected-registry.adoc[leveloffset=+2]
 
+// Modify the install-config.yaml file to use the disconnected registry
 include::modules/ipi-modify-install-config-for-a-disconnected-registry.adoc[leveloffset=+2]
 
+// Validation checklist for installation
 include::modules/ipi-install-validation-checklist-for-installation.adoc[leveloffset=+1]
 
+// Deploying the cluster via the {product-title} installer
 include::modules/ipi-install-deploying-the-cluster-via-the-openshift-installer.adoc[leveloffset=+1]
 
+// Following the installation
 include::modules/ipi-install-following-the-installation.adoc[leveloffset=+1]
 
+// Verifying static IP address configuration
 include::modules/ipi-install-verifying-static-ip-address-configuration.adoc[leveloffset=+1]
 
+// Preparing to reinstall a cluster on bare metal
 include::modules/ipi-preparing-reinstall-cluster-bare-metal.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
diff --git a/installing/installing_bare_metal_ipi/ipi-install-overview.adoc b/installing/installing_bare_metal_ipi/ipi-install-overview.adoc
index 6ff56c306638..fec42feb3b84 100644
--- a/installing/installing_bare_metal_ipi/ipi-install-overview.adoc
+++ b/installing/installing_bare_metal_ipi/ipi-install-overview.adoc
@@ -21,7 +21,7 @@ In phase 2 of the deployment, the provisioner destroys the bootstrap VM automati
 
 The `keepalived.conf` file sets the control plane machines with a lower Virtual Router Redundancy Protocol (VRRP) priority than the bootstrap VM, which ensures that the API on the control plane machines is fully functional before the API VIP moves from the bootstrap VM to the control plane. Once the API VIP moves to one of the control plane nodes, traffic sent from external clients to the API VIP routes to an `haproxy` load balancer running on that control plane node. This instance of `haproxy` load balances the API VIP traffic across the control plane nodes.
 
-The Ingress VIP moves to the worker nodes. The `keepalived` instance also manages the Ingress VIP.
+The Ingress VIP moves to the compute nodes. The `keepalived` instance also manages the Ingress VIP.
 
 The following diagram illustrates phase 2 of deployment:
 
diff --git a/installing/installing_bare_metal_ipi/ipi-install-post-installation-configuration.adoc b/installing/installing_bare_metal_ipi/ipi-install-post-installation-configuration.adoc
index c5922fef95b1..f1258c079556 100644
--- a/installing/installing_bare_metal_ipi/ipi-install-post-installation-configuration.adoc
+++ b/installing/installing_bare_metal_ipi/ipi-install-post-installation-configuration.adoc
@@ -12,8 +12,3 @@ include::modules/ipi-install-configuring-ntp-for-disconnected-clusters.adoc[leve
 
 include::modules/nw-enabling-a-provisioning-network-after-installation.adoc[leveloffset=+1]
 
-// Configuring a user-managed load balancer
-include::modules/nw-osp-services-external-load-balancer.adoc[leveloffset=+1]
-
-// Services for a user-managed load balancer
-include::modules/nw-osp-configuring-external-load-balancer.adoc[leveloffset=+2]
diff --git a/installing/installing_ibm_cloud_public/configuring-iam-ibm-cloud.adoc b/installing/installing_ibm_cloud_public/configuring-iam-ibm-cloud.adoc
index 2dc2ffffe3c3..27b172d62283 100644
--- a/installing/installing_ibm_cloud_public/configuring-iam-ibm-cloud.adoc
+++ b/installing/installing_ibm_cloud_public/configuring-iam-ibm-cloud.adoc
@@ -20,7 +20,7 @@ include::modules/cco-ccoctl-configuring.adoc[leveloffset=+1]
 [role="_additional-resources"]
 [id="additional-resources_configuring-iam-ibm-cloud-refreshing-ids"]
 .Additional resources
-* xref:../../post_installation_configuration/cluster-tasks.adoc#refreshing-service-ids-ibm-cloud_post-install-cluster-tasks[Rotating API keys for {ibm-cloud-name}]
+* xref:../../post_installation_configuration/changing-cloud-credentials-configuration.adoc#refreshing-service-ids-ibm-cloud_changing-cloud-credentials-configuration[Rotating API keys for {ibm-cloud-name}]
 
 [id="next-steps_configuring-iam-ibm-cloud"]
 == Next steps
diff --git a/installing/installing_ibm_cloud_public/installing-ibm-cloud-customizations.adoc b/installing/installing_ibm_cloud_public/installing-ibm-cloud-customizations.adoc
index 3890e8edffd1..de9c14a5a522 100644
--- a/installing/installing_ibm_cloud_public/installing-ibm-cloud-customizations.adoc
+++ b/installing/installing_ibm_cloud_public/installing-ibm-cloud-customizations.adoc
@@ -38,6 +38,8 @@ include::modules/installation-minimum-resource-requirements.adoc[leveloffset=+2]
 
 * xref:../../scalability_and_performance/optimization/optimizing-storage.adoc#optimizing-storage[Optimizing storage]
 
+include::modules/installation-ibm-cloud-tested-machine-types.adoc[leveloffset=+2]
+
 include::modules/installation-ibm-cloud-config-yaml.adoc[leveloffset=+2]
 
 //.Additional resources
diff --git a/installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc b/installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc
index 6b75c0629917..20c757be472c 100644
--- a/installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc
+++ b/installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc
@@ -36,6 +36,8 @@ include::modules/installation-initializing.adoc[leveloffset=+1]
 
 include::modules/installation-minimum-resource-requirements.adoc[leveloffset=+2]
 
+include::modules/installation-ibm-cloud-tested-machine-types.adoc[leveloffset=+2]
+
 [role="_additional-resources"]
 .Additional resources
 
diff --git a/installing/installing_ibm_cloud_public/installing-ibm-cloud-private.adoc b/installing/installing_ibm_cloud_public/installing-ibm-cloud-private.adoc
index 5132bdaf08c9..717b5489e0cf 100644
--- a/installing/installing_ibm_cloud_public/installing-ibm-cloud-private.adoc
+++ b/installing/installing_ibm_cloud_public/installing-ibm-cloud-private.adoc
@@ -44,6 +44,8 @@ include::modules/installation-minimum-resource-requirements.adoc[leveloffset=+2]
 
 * xref:../../scalability_and_performance/optimization/optimizing-storage.adoc#optimizing-storage[Optimizing storage]
 
+include::modules/installation-ibm-cloud-tested-machine-types.adoc[leveloffset=+2]
+
 include::modules/installation-ibm-cloud-config-yaml.adoc[leveloffset=+2]
 
 include::modules/installation-configure-proxy.adoc[leveloffset=+2]
diff --git a/installing/installing_ibm_cloud_public/installing-ibm-cloud-restricted.adoc b/installing/installing_ibm_cloud_public/installing-ibm-cloud-restricted.adoc
index 8bfe4c05ddb6..a61f572ef382 100644
--- a/installing/installing_ibm_cloud_public/installing-ibm-cloud-restricted.adoc
+++ b/installing/installing_ibm_cloud_public/installing-ibm-cloud-restricted.adoc
@@ -44,13 +44,17 @@ include::modules/installation-ibm-cloud-download-rhcos.adoc[leveloffset=+1]
 
 include::modules/installation-initializing-manual.adoc[leveloffset=+1]
 
+include::modules/installation-configure-proxy.adoc[leveloffset=+2]
+
 [role="_additional-resources"]
 .Additional resources
 * xref:../../installing/installing_ibm_cloud_public/installation-config-parameters-ibm-cloud-vpc.adoc#installation-config-parameters-ibm-cloud-vpc[Installation configuration parameters for {ibm-cloud-name}]
 
 include::modules/installation-minimum-resource-requirements.adoc[leveloffset=+2]
+
+include::modules/installation-ibm-cloud-tested-machine-types.adoc[leveloffset=+2]
+
 include::modules/installation-ibm-cloud-config-yaml.adoc[leveloffset=+2]
-include::modules/installation-configure-proxy.adoc[leveloffset=+2]
 
 include::modules/cli-installing-cli.adoc[leveloffset=+1]
 
diff --git a/installing/installing_ibm_cloud_public/installing-ibm-cloud-vpc.adoc b/installing/installing_ibm_cloud_public/installing-ibm-cloud-vpc.adoc
index b93bf3b009b5..dfb61652784f 100644
--- a/installing/installing_ibm_cloud_public/installing-ibm-cloud-vpc.adoc
+++ b/installing/installing_ibm_cloud_public/installing-ibm-cloud-vpc.adoc
@@ -35,6 +35,8 @@ include::modules/installation-initializing.adoc[leveloffset=+1]
 
 include::modules/installation-minimum-resource-requirements.adoc[leveloffset=+2]
 
+include::modules/installation-ibm-cloud-tested-machine-types.adoc[leveloffset=+2]
+
 [role="_additional-resources"]
 .Additional resources
 
diff --git a/installing/installing_ibm_power/installing-ibm-power.adoc b/installing/installing_ibm_power/installing-ibm-power.adoc
index 056c9091392f..ce30aa1d55d9 100644
--- a/installing/installing_ibm_power/installing-ibm-power.adoc
+++ b/installing/installing_ibm_power/installing-ibm-power.adoc
@@ -127,7 +127,7 @@ include::modules/cluster-telemetry.adoc[leveloffset=+1]
 
 == Next steps
 
-* xref:../../post_installation_configuration/machine-configuration-tasks.adoc#rhcos-enabling-multipath_post-install-machine-configuration-tasks[Enabling multipathing with kernel arguments on {op-system}].
+* xref:../../machine_configuration/machine-configs-configure.adoc#rhcos-enabling-multipath-day-2_machine-configs-configure[Enabling multipathing with kernel arguments on {op-system}].
 * xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
 * If necessary, you can
 xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
diff --git a/installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc b/installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc
index afbd36841292..b5b10f664387 100644
--- a/installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc
+++ b/installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc
@@ -132,7 +132,7 @@ include::modules/installation-complete-user-infra.adoc[leveloffset=+1]
 
 == Next steps
 
-* xref:../../post_installation_configuration/machine-configuration-tasks.adoc#rhcos-enabling-multipath_post-install-machine-configuration-tasks[Enabling multipathing with kernel arguments on {op-system}].
+* xref:../../machine_configuration/machine-configs-configure.adoc#rhcos-enabling-multipath-day-2_machine-configs-configure[Enabling multipathing with kernel arguments on {op-system}].
 * xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
 * If the mirror registry that you used to install your cluster has a trusted CA, add it to the cluster by xref:../../openshift_images/image-configuration.adoc#images-configuration-cas_image-configuration[configuring additional trust stores].
 * If necessary, you can xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
diff --git a/installing/installing_ibm_powervs/preparing-to-install-on-ibm-power-vs.adoc b/installing/installing_ibm_powervs/preparing-to-install-on-ibm-power-vs.adoc
index 119accb79b2d..4cad47812e6a 100644
--- a/installing/installing_ibm_powervs/preparing-to-install-on-ibm-power-vs.adoc
+++ b/installing/installing_ibm_powervs/preparing-to-install-on-ibm-power-vs.adoc
@@ -48,7 +48,7 @@ include::modules/cco-ccoctl-configuring.adoc[leveloffset=+1]
 [id="additional-resources_configuring-ibm-cloud-refreshing-ids"]
 
 .Additional resources
-* xref:../../post_installation_configuration/cluster-tasks.adoc#refreshing-service-ids-ibm-cloud_post-install-cluster-tasks[Rotating API keys]
+* xref:../../post_installation_configuration/changing-cloud-credentials-configuration.adoc#refreshing-service-ids-ibm-cloud_changing-cloud-credentials-configuration[Rotating API keys]
 
 [id="next-steps_preparing-to-install-on-ibm-power-vs"]
 == Next steps
diff --git a/installing/installing_ibm_z/installing-ibm-z-lpar.adoc b/installing/installing_ibm_z/installing-ibm-z-lpar.adoc
index ef78f9982553..d5f6ce61f8c8 100644
--- a/installing/installing_ibm_z/installing-ibm-z-lpar.adoc
+++ b/installing/installing_ibm_z/installing-ibm-z-lpar.adoc
@@ -141,7 +141,7 @@ include::modules/cluster-telemetry.adoc[leveloffset=+1]
 [id="next-steps_installing-ibm-z-lpar"]
 == Next steps
 
-* xref:../../post_installation_configuration/machine-configuration-tasks.adoc#rhcos-enabling-multipath_post-install-machine-configuration-tasks[Enabling multipathing with kernel arguments on {op-system}].
+* xref:../../machine_configuration/machine-configs-configure.adoc#rhcos-enabling-multipath-day-2_machine-configs-configure[Enabling multipathing with kernel arguments on {op-system}].
 
 * xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
 
diff --git a/installing/installing_ibm_z/installing-ibm-z.adoc b/installing/installing_ibm_z/installing-ibm-z.adoc
index daa3bb89c52a..73e94843a3bd 100644
--- a/installing/installing_ibm_z/installing-ibm-z.adoc
+++ b/installing/installing_ibm_z/installing-ibm-z.adoc
@@ -147,7 +147,7 @@ include::modules/cluster-telemetry.adoc[leveloffset=+1]
 [id="next-steps_ibmz-vm"]
 == Next steps
 
-* xref:../../post_installation_configuration/machine-configuration-tasks.adoc#rhcos-enabling-multipath_post-install-machine-configuration-tasks[Enabling multipathing with kernel arguments on {op-system}].
+* xref:../../machine_configuration/machine-configs-configure.adoc#rhcos-enabling-multipath-day-2_machine-configs-configure[Enabling multipathing with kernel arguments on {op-system}].
 
 * xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
 
diff --git a/installing/installing_nutanix/installing-nutanix-installer-provisioned.adoc b/installing/installing_nutanix/installing-nutanix-installer-provisioned.adoc
index a378b0d9e1ad..813ef5d88cef 100644
--- a/installing/installing_nutanix/installing-nutanix-installer-provisioned.adoc
+++ b/installing/installing_nutanix/installing-nutanix-installer-provisioned.adoc
@@ -56,6 +56,13 @@ include::modules/manually-configure-iam-nutanix.adoc[leveloffset=+1]
 
 include::modules/installation-nutanix-ccm.adoc[leveloffset=+1]
 
+// Services for a user-managed load balancer
+include::modules/nw-osp-services-external-load-balancer.adoc[leveloffset=+1]
+
+// Configuring a user-managed load balancer
+include::modules/nw-osp-configuring-external-load-balancer.adoc[leveloffset=+2]
+
+// Deploying the cluster
 include::modules/installation-launching-installer.adoc[leveloffset=+1]
 
 include::modules/registry-configuring-storage-nutanix.adoc[leveloffset=+1]
diff --git a/installing/installing_on_prem_assisted/assisted-installer-installing.adoc b/installing/installing_on_prem_assisted/assisted-installer-installing.adoc
deleted file mode 100644
index d04370a13312..000000000000
--- a/installing/installing_on_prem_assisted/assisted-installer-installing.adoc
+++ /dev/null
@@ -1,57 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-[id="installing-with-ai"]
-= Installing with the Assisted Installer
-include::_attributes/common-attributes.adoc[]
-:context: assisted-installer-installing
-
-toc::[]
-
-After you ensure the cluster nodes and network requirements are met, you can begin installing the cluster.
-
-include::modules/assisted-installer-pre-installation-considerations.adoc[leveloffset=+1]
-
-include::modules/assisted-installer-setting-the-cluster-details.adoc[leveloffset=+1]
-
-include::modules/assisted-installer-configuring-host-network-interfaces.adoc[leveloffset=+1]
-
-[role="_additional_resources"]
-.Additional resources
-* xref:../installing_bare_metal_ipi/ipi-install-installation-workflow.adoc#configuring-host-network-interfaces-in-the-install-config-yaml-file_ipi-install-installation-workflow[Configuring network interfaces]
-
-* link:http://nmstate.io[NMState version 2.1.4]
-
-include::modules/assisted-installer-adding-hosts-to-the-cluster.adoc[leveloffset=+1]
-
-include::modules/installing-with-usb-media.adoc[leveloffset=+1]
-
-include::modules/assisted-installer-booting-with-a-usb-drive.adoc[leveloffset=+1]
-
-include::modules/install-booting-from-an-iso-over-http-redfish.adoc[leveloffset=+1]
-
-[role="_additional_resources"]
-.Additional resources
-
-* xref:../installing_bare_metal_ipi/ipi-install-installation-workflow.adoc#bmc-addressing_ipi-install-installation-workflow[BMC addressing].
-
-* xref:../installing_bare_metal_ipi/ipi-install-prerequisites.adoc#ipi-install-firmware-requirements-for-installing-with-virtual-media_ipi-install-prerequisites[Firmware requirements for installing with virtual media]
-
-include::modules/assisted-installer-configuring-hosts.adoc[leveloffset=+1]
-
-include::modules/assisted-installer-configuring-networking.adoc[leveloffset=+1]
-
-include::modules/assisted-installer-installing-the-cluster.adoc[leveloffset=+1]
-
-include::modules/assisted-installer-completing-the-installation.adoc[leveloffset=+1]
-
-
-[role="_additional_resources"]
-[id="ai-saas-installing-additional-resources_{context}"]
-== Additional resources
-
-* xref:../../cli_reference/openshift_cli/getting-started-cli.adoc#cli-installing-cli_cli-developer-commands[Installing the OpenShift CLI].
-
-* xref:../../cli_reference/openshift_cli/getting-started-cli.adoc#cli-logging-in_cli-developer-commands[Logging in to the OpenShift CLI]
-
-* xref:../../post_installation_configuration/preparing-for-users.adoc#creating-cluster-admin_post-install-preparing-for-users[Creating a cluster admin]
-
-* xref:../../post_installation_configuration/preparing-for-users.adoc#removing-kubeadmin_post-install-preparing-for-users[Removing the kubeadmin user]
diff --git a/installing/installing_on_prem_assisted/assisted-installer-preparing-to-install.adoc b/installing/installing_on_prem_assisted/assisted-installer-preparing-to-install.adoc
deleted file mode 100644
index 19242e82a7ce..000000000000
--- a/installing/installing_on_prem_assisted/assisted-installer-preparing-to-install.adoc
+++ /dev/null
@@ -1,26 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-[id="preparing-to-install-with-ai"]
-= Preparing to install with the Assisted Installer
-include::_attributes/common-attributes.adoc[]
-:context: assisted-installer-preparing-to-install
-
-toc::[]
-
-Before installing a cluster, you must ensure the cluster nodes and network meet the requirements.
-
-[id="assisted-installer-prerequisites"]
-== Prerequisites
-
-* You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
-* You read the documentation on xref:../../installing/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users].
-* If you use a firewall, you must xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configure it] so that {ai-full} can access the resources it requires to function.
-
-include::modules/assisted-installer-assisted-installer-prerequisites.adoc[leveloffset=+1]
-
-[role="_additional-resources"]
-[id="ai-saas-preparing--to-install-additional-resources_{context}"]
-== Additional resources
-
-* xref:../installing_bare_metal_ipi/ipi-install-prerequisites.adoc#ipi-install-firmware-requirements-for-installing-with-virtual-media_ipi-install-prerequisites[Firmware requirements for installing with virtual media]
-
-* xref:../installing_bare_metal_ipi/ipi-install-prerequisites.adoc#network-requirements-increase-mtu_ipi-install-prerequisites[Increase the network MTU]
diff --git a/installing/installing_sno/install-sno-installing-sno.adoc b/installing/installing_sno/install-sno-installing-sno.adoc
index adaabae15519..c0d80b15745b 100644
--- a/installing/installing_sno/install-sno-installing-sno.adoc
+++ b/installing/installing_sno/install-sno-installing-sno.adoc
@@ -139,7 +139,11 @@ include::modules/creating-custom-live-rhcos-iso.adoc[leveloffset=+1]
 [id="install-sno-with-ibmz"]
 == Installing {sno} with {ibm-z-title} and {ibm-linuxone-title}
 
-Installing a single-node cluster on {ibm-z-name} and {ibm-linuxone-name} requires user-provisioned installation using either the "Installing a cluster with {op-system-base} KVM on {ibm-z-name} and {ibm-linuxone-name}" or the "Installing a cluster with z/VM on {ibm-z-name} and {ibm-linuxone-name}" procedure.
+Installing a single-node cluster on {ibm-z-name} and {ibm-linuxone-name} requires user-provisioned installation using one of the following procedures:
+
+* xref:../../installing/installing_ibm_z/installing-ibm-z.adoc#installing-ibm-z[Installing a cluster with z/VM on {ibm-z-name} and {ibm-linuxone-name}]
+* xref:../../installing/installing_ibm_z/installing-ibm-z-kvm.adoc#installing-ibm-z-kvm[Installing a cluster with {op-system-base} KVM on {ibm-z-name} and {ibm-linuxone-name}]
+* xref:../../installing/installing_ibm_z/installing-ibm-z-lpar.adoc#installing-ibm-z-lpar[Installing a cluster in an LPAR on {ibm-z-name} and {ibm-linuxone-name}]
 
 [NOTE]
 ====
@@ -157,16 +161,12 @@ Installing a single-node cluster on {ibm-z-name} simplifies installation for dev
 You can use dedicated or shared IFLs to assign sufficient compute resources. Resource sharing is one of the key strengths of {ibm-z-name}. However, you must adjust capacity correctly on each hypervisor layer and ensure sufficient resources for every {product-title} cluster.
 ====
 
-[role="_additional-resources"]
-.Additional resources
-
-* xref:../../installing/installing_ibm_z/installing-ibm-z.adoc#installing-ibm-z[Installing a cluster with z/VM on {ibm-z-name} and {ibm-linuxone-name}]
-* xref:../../installing/installing_ibm_z/installing-ibm-z-kvm.adoc#installing-ibm-z-kvm[Installing a cluster with {op-system-base} KVM on {ibm-z-name} and{ibm-linuxone-name}]
-
 include::modules/install-sno-ibm-z.adoc[leveloffset=+2]
 
 include::modules/install-sno-ibm-z-kvm.adoc[leveloffset=+2]
 
+include::modules/install-sno-ibm-z-lpar.adoc[leveloffset=+2]
+
 [id="installing-sno-with-ibmpower"]
 == Installing {sno} with {ibm-power-title}
 
diff --git a/installing/installing_vsphere/installing-vsphere-assisted-installer.adoc b/installing/installing_vsphere/installing-vsphere-assisted-installer.adoc
index 09bcc9c374cd..ce5606915f42 100644
--- a/installing/installing_vsphere/installing-vsphere-assisted-installer.adoc
+++ b/installing/installing_vsphere/installing-vsphere-assisted-installer.adoc
@@ -8,11 +8,7 @@ toc::[]
 
 You can install {product-title} on on-premise hardware or on-premise VMs by using the {ai-full}. Installing {product-title} by using the {ai-full} supports `x86_64`, `AArch64`, `ppc64le`, and `s390x` CPU architectures.
 
-The {ai-full} is a user-friendly installation solution offered on the Red{nbsp}Hat Hybrid Cloud Console. The {ai-full} supports the various deployment platforms with a focus on the following infrastructures:
-
-* Bare metal
-* Nutanix
-* vSphere
+The {ai-full} is a user-friendly installation solution offered on the Red{nbsp}Hat Hybrid Cloud Console.
 
 [role="_additional-resources"]
 [id="additional-resources_installing-vsphere-assisted-installer"]
diff --git a/installing/installing_with_agent_based_installer/installing-with-agent-based-installer.adoc b/installing/installing_with_agent_based_installer/installing-with-agent-based-installer.adoc
index 784bdc49f1df..8c695833123e 100644
--- a/installing/installing_with_agent_based_installer/installing-with-agent-based-installer.adoc
+++ b/installing/installing_with_agent_based_installer/installing-with-agent-based-installer.adoc
@@ -25,12 +25,16 @@ The following procedures deploy a single-node {product-title} in a disconnected
 // Downloading the Agent-based Installer
 include::modules/installing-ocp-agent-download.adoc[leveloffset=+2]
 
+//Verifying architectures
+include::modules/agent-installer-architectures.adoc[leveloffset=+2]
+
 // Creating the preferred configuration inputs
 include::modules/installing-ocp-agent-inputs.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 .Additional resources
 * xref:../../installing/installing_vsphere/ipi/installing-vsphere-installer-provisioned-customizations.adoc#configuring-vsphere-regions-zones_installing-vsphere-installer-provisioned-customizations[Configuring regions and zones for a VMware vCenter]
+* xref:../../installing/installing_with_agent_based_installer/installing-with-agent-based-installer.adoc#agent-install-verifying-architectures_installing-with-agent-based-installer[Verifying the supported architecture for installing an Agent-based installer cluster]
 
 [id="installing-ocp-agent-opt-manifests_{context}"]
 === Optional: Creating additional manifest files
@@ -42,7 +46,7 @@ include::modules/installing-ocp-agent-manifest-folder.adoc[leveloffset=+3]
 
 [role="_additional-resources"]
 .Additional resources
-* xref:../../post_installation_configuration/machine-configuration-tasks.adoc#using-machineconfigs-to-change-machines[Using MachineConfig objects to configure nodes]
+* xref:../../machine_configuration/machine-configs-configure.adoc#machine-configs-configure[Using MachineConfig objects to configure nodes]
 
 // Partitioning the disk
 include::modules/installation-user-infra-machines-advanced.adoc[leveloffset=+3]
@@ -67,6 +71,9 @@ include::modules/installing-ocp-agent-encrypt.adoc[leveloffset=+2]
 // Creating and booting the agent image
 include::modules/installing-ocp-agent-boot.adoc[leveloffset=+2]
 
+// Adding {ibm-z-name} agents with {op-system-base} KVM
+include::modules/installing-ocp-agent-ibm-z-kvm.adoc[leveloffset=+2]
+
 // Verifying that the current installation host can pull release images
 include::modules/installing-ocp-agent-tui.adoc[leveloffset=+2]
 
@@ -88,6 +95,5 @@ include::modules/sample-ztp-custom-resources.adoc[leveloffset=+1]
 
 * See xref:../../edge_computing/ztp-deploying-far-edge-clusters-at-scale.adoc#ztp-deploying-far-edge-clusters-at-scale[Challenges of the network far edge] to learn more about {ztp-first}.
 
-
 // Gathering log data from a failed Agent-based installation
 include::modules/installing-ocp-agent-gather-log.adoc[leveloffset=+1]
diff --git a/installing/installing_with_agent_based_installer/preparing-to-install-with-agent-based-installer.adoc b/installing/installing_with_agent_based_installer/preparing-to-install-with-agent-based-installer.adoc
index aa1ff9148d9d..1b3e47f0ba3e 100644
--- a/installing/installing_with_agent_based_installer/preparing-to-install-with-agent-based-installer.adoc
+++ b/installing/installing_with_agent_based_installer/preparing-to-install-with-agent-based-installer.adoc
@@ -18,27 +18,23 @@ The Agent-based Installer can also optionally generate or accept Zero Touch Prov
 
 .Agent-based Installer supported architectures
 |===
-|CPU architecture |Connected installation |Disconnected installation |Comments
+|CPU architecture |Connected installation |Disconnected installation
 
 |`64-bit x86`
 |&#10003;
 |&#10003;
-|
 
 |`64-bit ARM`
 |&#10003;
 |&#10003;
-|
 
 |`ppc64le`
 |&#10003;
 |&#10003;
-|
 
 |`s390x`
 |&#10003;
 |&#10003;
-|ISO boot is not supported. Instead, use PXE assets.
 |===
 
 //Understanding Agent-based Installer
@@ -67,6 +63,15 @@ include::modules/agent-installer-configuring-fips-compliance.adoc[leveloffset=+1
 
 * xref:../../installing/installing-fips.adoc#installing-fips[Support for FIPS cryptography]
 
+// Host configuration
+include::modules/agent-host-config.adoc[leveloffset=+1]
+
+// Host roles
+include::modules/agent-host-roles.adoc[leveloffset=+2]
+
+// About root device hints
+include::modules/agent-install-ipi-install-root-device-hints.adoc[leveloffset=+2]
+
 //About networking
 include::modules/agent-install-networking.adoc[leveloffset=+1]
 
@@ -103,9 +108,6 @@ include::modules/installation-bare-metal-agent-installer-config-yaml.adoc[levelo
 //Validation checks before agent ISO creation
 include::modules/validations-before-agent-iso-creation.adoc[leveloffset=+1]
 
-//About root device hints
-include::modules/agent-install-ipi-install-root-device-hints.adoc[leveloffset=+1]
-
 [id="agent-based-installation-next-steps"]
 == Next steps
 
diff --git a/machine_configuration/_attributes b/machine_configuration/_attributes
new file mode 120000
index 000000000000..f27fd275ea6b
--- /dev/null
+++ b/machine_configuration/_attributes
@@ -0,0 +1 @@
+../_attributes/
\ No newline at end of file
diff --git a/machine_configuration/images b/machine_configuration/images
new file mode 120000
index 000000000000..5e67573196d8
--- /dev/null
+++ b/machine_configuration/images
@@ -0,0 +1 @@
+../images
\ No newline at end of file
diff --git a/machine_configuration/index.adoc b/machine_configuration/index.adoc
new file mode 100644
index 000000000000..cea4790eaf6b
--- /dev/null
+++ b/machine_configuration/index.adoc
@@ -0,0 +1,42 @@
+:_mod-docs-content-type: ASSEMBLY
+:context: machine-config-overview
+[id="machine-config-index"]
+= Machine configuration overview
+include::_attributes/common-attributes.adoc[]
+
+toc::[]
+
+
+
+There are times when you need to make changes to the operating systems running on {product-title} nodes. This can include changing settings for network time service, adding kernel arguments, or configuring journaling in a specific way.
+
+Aside from a few specialized features, most changes to operating systems on {product-title} nodes can be done by creating what are referred to as `MachineConfig` objects that are managed by the Machine Config Operator. For example, you can use the Machine Config Operator (MCO) and machine configs to manage update to systemd, CRI-O and kubelet, the kernel, Network Manager and other system features. 
+
+Tasks in this section describe how to use features of the Machine Config Operator to configure operating system features on {product-title} nodes.
+
+[IMPORTANT]
+====
+NetworkManager stores new network configurations to `/etc/NetworkManager/system-connections/` in a key file format.
+
+Previously, NetworkManager stored new network configurations to `/etc/sysconfig/network-scripts/` in the `ifcfg` format. Starting with RHEL 9.0, RHEL stores new network configurations at `/etc/NetworkManager/system-connections/` in a key file format. The connections configurations stored to `/etc/sysconfig/network-scripts/` in the old format still work uninterrupted. Modifications in existing profiles continue updating the older files.
+====
+
+include::modules/understanding-machine-config-operator.adoc[leveloffset=+1]
+
+.Additional resources
+
+* xref:../networking/openshift_sdn/about-openshift-sdn.adoc#about-openshift-sdn[About the OpenShift SDN network plugin]
+
+include::modules/machine-config-overview.adoc[leveloffset=+1]
+
+include::modules/machine-config-drift-detection.adoc[leveloffset=+1]
+
+include::modules/checking-mco-status.adoc[leveloffset=+1]
+include::modules/checking-mco-node-status.adoc[leveloffset=+1]
+
+[id="machine-config-operator-certificates_{context}"]
+== Understanding Machine Config Operator certificates
+
+Machine Config Operator certificates are used to secure connections between the Red Hat Enterprise Linux CoreOS (RHCOS) nodes and the Machine Config Server. For more information, see xref:../security/certificate_types_descriptions/machine-config-operator-certificates.adoc#cert-types-machine-config-operator-certificates[Machine Config Operator certificates].
+
+include::modules/checking-mco-status-certs.adoc[leveloffset=+2]
diff --git a/nodes/nodes/nodes-nodes-machine-config-daemon-metrics.adoc b/machine_configuration/machine-config-daemon-metrics.adoc
similarity index 56%
rename from nodes/nodes/nodes-nodes-machine-config-daemon-metrics.adoc
rename to machine_configuration/machine-config-daemon-metrics.adoc
index 12fb16e32e5c..f2e2c9d42397 100644
--- a/nodes/nodes/nodes-nodes-machine-config-daemon-metrics.adoc
+++ b/machine_configuration/machine-config-daemon-metrics.adoc
@@ -1,20 +1,21 @@
 :_mod-docs-content-type: ASSEMBLY
 [id="machine-config-daemon-metrics"]
-= Machine Config Daemon metrics
+= Machine Config Daemon metrics overview
 include::_attributes/common-attributes.adoc[]
 :context: machine-config-operator
 
+toc::[]
+
 The Machine Config Daemon is a part of the Machine Config Operator. It runs on every node in the cluster. The Machine Config Daemon manages configuration changes and updates on each of the nodes.
 
-include::modules/machine-config-daemon-metrics.adoc[leveloffset=+1]
+include::modules/machine-config-daemon-metrics-understanding.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 .Additional resources
-
 ifndef::openshift-rosa,openshift-dedicated[]
-* xref:../../observability/monitoring/monitoring-overview.adoc#monitoring-overview[Monitoring overview]
-* xref:../../support/gathering-cluster-data.adoc#gathering-cluster-data[Gathering data about your cluster]
+* xref:../observability/monitoring/monitoring-overview.adoc#monitoring-overview[Monitoring overview]
+* xref:../support/gathering-cluster-data.adoc#gathering-cluster-data[Gathering data about your cluster]
 endif::openshift-rosa,openshift-dedicated[]
 ifdef::openshift-rosa,openshift-dedicated[]
-* xref:../../observability/monitoring/monitoring-overview.adoc#monitoring-overview[Understanding the monitoring stack]
+* xref:../observability/monitoring/monitoring-overview.adoc#monitoring-overview[Understanding the monitoring stack]
 endif::openshift-rosa,openshift-dedicated[]
diff --git a/machine_configuration/machine-config-node-disruption.adoc b/machine_configuration/machine-config-node-disruption.adoc
new file mode 100644
index 000000000000..fbcb287e0bd7
--- /dev/null
+++ b/machine_configuration/machine-config-node-disruption.adoc
@@ -0,0 +1,41 @@
+:_mod-docs-content-type: ASSEMBLY
+:context: machine-configs-configure
+[id="machine-config-node-disruption_{context}"]
+= Using node disruption policies to minimize disruption from machine config changes
+include::_attributes/common-attributes.adoc[]
+
+toc::[]
+
+By default, when you make certain changes to the fields in a `MachineConfig` object, the Machine Config Operator (MCO) drains and reboots the nodes associated with that machine config. However, you can create a _node disruption policy_ that defines a set of changes to some Ignition config objects that would require little or no disruption to your workloads.
+
+A node disruption policy allows you to define the configuration changes that cause a disruption to your cluster, and which changes do not. This allows you to reduce node downtime when making small machine configuration changes in your cluster. To configure the policy, you modify the `MachineConfiguration` object, which is in the `openshift-machine-config-operator` namespace. See the example node disruption policies in the `MachineConfiguration` objects that follow.
+
+[NOTE]
+====
+There are machine configuration changes that always require a reboot, regardless of any node disruption policies. For more information, see _About the Machine Config Operator_.
+====
+
+After you create the node disruption policy, the MCO validates the policy to search for potential issues in the file, such as problems with formatting. The MCO then merges the policy with the cluster defaults and populates the `status.nodeDisruptionPolicyStatus` fields in the machine config with the actions to be performed upon future changes to the machine config. The configurations in your policy always overwrite the cluster defaults.
+
+[IMPORTANT]
+====
+The MCO does not validate whether a change can be successfully applied by your node disruption policy. Therefore, you are responsible to ensure the accuracy of your node disruption policies.
+====
+
+For example, you can configure a node disruption policy so that sudo configurations do not require a node drain and reboot. Or, you can configure your cluster so that updates to `sshd` are applied with only a reload of that one service.
+
+:FeatureName: The node disruption policy feature
+include::snippets/technology-preview.adoc[]
+
+You can control the behavior of the MCO when making the changes to the following Ignition configuration objects:
+
+// I used this wording for the objects to match the previous section in the assembly: file:///home/mburke/openshift-docs/_preview/openshift-enterprise/mco-node-disruption-policy/post_installation_configuration/machine-configuration-tasks.html#what-can-you-change-with-machine-configs.
+* *configuration files*: You add to or update the files in the `/var` or `/etc` directory.
+* *systemd units*: You create and set the status of a systemd service or modify an existing systemd service.
+* *users and groups*: You change SSH keys in the `passwd` section postinstallation.
+* *ICSP*, *ITMS*, *IDMS* objects: You can remove mirroring rules from an `ImageContentSourcePolicy` (ICSP), `ImageTagMirrorSet` (ITMS), and `ImageDigestMirrorSet` (IDMS) object.
+
+include::snippets/machine-config-node-disruption-actions.adoc[]
+
+include::modules/machine-config-node-disruption-example.adoc[leveloffset=+1]
+include::modules/machine-config-node-disruption-config.adoc[leveloffset=+1]
diff --git a/machine_configuration/machine-configs-configure.adoc b/machine_configuration/machine-configs-configure.adoc
new file mode 100644
index 000000000000..058637e1fd1c
--- /dev/null
+++ b/machine_configuration/machine-configs-configure.adoc
@@ -0,0 +1,53 @@
+:_mod-docs-content-type: ASSEMBLY
+:context: machine-configs-configure
+[id="machine-configs-configure"]
+= Using machine config objects to configure nodes
+include::_attributes/common-attributes.adoc[]
+
+toc::[]
+
+You can use the tasks in this section to create `MachineConfig` objects that modify files, systemd unit files, and other operating system features running on {product-title} nodes. For more ideas on working with machine configs, see content related to link:https://access.redhat.com/solutions/3868301[updating] SSH authorized keys, link:https://access.redhat.com/verify-images-ocp4[verifying image signatures], link:https://access.redhat.com/solutions/4727321[enabling SCTP], and link:https://access.redhat.com/solutions/5170251[configuring iSCSI initiatornames] for {product-title}.
+
+{product-title} supports link:https://coreos.github.io/ignition/configuration-v3_2/[Ignition specification version 3.2]. All new machine configs you create going forward should be based on Ignition specification version 3.2. If you are upgrading your {product-title} cluster, any existing Ignition specification version 2.x machine configs will be translated automatically to specification version 3.2.
+
+There might be situations where the configuration on a node does not fully match what the currently-applied machine config specifies. This state is called _configuration drift_. The Machine Config Daemon (MCD) regularly checks the nodes for configuration drift. If the MCD detects configuration drift, the MCO marks the node `degraded` until an administrator corrects the node configuration. A degraded node is online and operational, but, it cannot be updated. For more information on configuration drift, see xref:../machine_configuration/index.adoc#machine-config-drift-detection_machine-config-overview[Understanding configuration drift detection].
+
+[TIP]
+====
+Use the following "Configuring chrony time service" procedure as a model for how to go about adding other configuration files to {product-title} nodes.
+====
+
+include::modules/installation-special-config-chrony.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../installing/install_config/installing-customizing.adoc#installation-special-config-butane_installing-customizing[Creating machine configs with Butane]
+
+include::modules/cnf-disable-chronyd.adoc[leveloffset=+1]
+include::modules/nodes-nodes-kernel-arguments.adoc[leveloffset=+1]
+include::modules/rhcos-enabling-multipath-day-2.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* See xref:../installing/installing_bare_metal/installing-bare-metal.adoc#rhcos-enabling-multipath_installing-bare-metal[Enabling multipathing with kernel arguments on RHCOS] for more information about enabling multipathing during installation time.
+
+include::modules/nodes-nodes-rtkernel-arguments.adoc[leveloffset=+1]
+include::modules/machineconfig-modify-journald.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../installing/install_config/installing-customizing.adoc#installation-special-config-butane_installing-customizing[Creating machine configs with Butane]
+
+include::modules/rhcos-add-extensions.adoc[leveloffset=+1]
+include::modules/rhcos-load-firmware-blobs.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../installing/install_config/installing-customizing.adoc#installation-special-config-butane_installing-customizing[Creating machine configs with Butane]
+
+include::modules/core-user-password.adoc[leveloffset=+1]
+
diff --git a/machine_configuration/machine-configs-custom.adoc b/machine_configuration/machine-configs-custom.adoc
new file mode 100644
index 000000000000..35f8165510b5
--- /dev/null
+++ b/machine_configuration/machine-configs-custom.adoc
@@ -0,0 +1,16 @@
+:_mod-docs-content-type: ASSEMBLY
+:context: machine-configs-custom
+[id="machine-configs-custom"]
+= Configuring MCO-related custom resources
+include::_attributes/common-attributes.adoc[]
+
+toc::[]
+
+
+Besides managing `MachineConfig` objects, the MCO manages two custom resources (CRs): `KubeletConfig` and `ContainerRuntimeConfig`. Those CRs let you change node-level settings impacting how the kubelet and CRI-O container runtime services behave.
+
+include::modules/create-a-kubeletconfig-crd-to-edit-kubelet-parameters.adoc[leveloffset=+1]
+include::modules/create-a-containerruntimeconfig-crd.adoc[leveloffset=+1]
+include::modules/set-the-default-max-container-root-partition-size-for-overlay-with-crio.adoc[leveloffset=+1]
+
+
diff --git a/modules/machineconfig-garbage-collect.adoc b/machine_configuration/machine-configs-garbage-collection.adoc
similarity index 83%
rename from modules/machineconfig-garbage-collect.adoc
rename to machine_configuration/machine-configs-garbage-collection.adoc
index 9f3cb6e48615..e0b166f79fa5 100644
--- a/modules/machineconfig-garbage-collect.adoc
+++ b/machine_configuration/machine-configs-garbage-collection.adoc
@@ -1,10 +1,11 @@
-// Module included in the following assemblies:
-//
-// * post_installation_configuration/machine-configuration-tasks.adoc
-
-:_mod-docs-content-type: CONCEPT
-[id="machineconfig-garbage-collect_{context}"]
+:_mod-docs-content-type: ASSEMBLY
+include::_attributes/common-attributes.adoc[]
+[id="machine-configs-garbage-collection"]
 = Managing unused rendered machine configs
+:context: machine-configs-garbage-collection
+
+toc::[]
+
 
 The Machine Config Operator (MCO) does not perform any garbage collection activities. This means that all rendered machine configs remain in the cluster. Each time a user or controller applies a new machine config, the MCO creates new rendered configs for each affected machine config pool. Over time, this can lead to a large number of rendered machine configs, which can make working with machine configs confusing. Having too many rendered machine configs can also contribute to disk space issues and performance issues with etcd. 
 
@@ -18,3 +19,6 @@ Use the `list` subcommand to display all the rendered machine configs in the clu
 ====
 The `oc adm prune renderedmachineconfigs` command deletes only rendered machine configs that are not in use. If a rendered machine configs are in use by a machine config pool, the rendered machine config is not deleted. In this case, the command output specifies the reason that the rendered machine config was not deleted.
 ====
+
+include::modules/machineconfig-garbage-collect-viewing.adoc[leveloffset=+1]
+include::modules/machineconfig-garbage-collect-removing.adoc[leveloffset=+1]
diff --git a/post_installation_configuration/coreos-layering.adoc b/machine_configuration/mco-coreos-layering.adoc
similarity index 52%
rename from post_installation_configuration/coreos-layering.adoc
rename to machine_configuration/mco-coreos-layering.adoc
index cf1bac6897c9..7763654be9fe 100644
--- a/post_installation_configuration/coreos-layering.adoc
+++ b/machine_configuration/mco-coreos-layering.adoc
@@ -1,15 +1,20 @@
 :_mod-docs-content-type: ASSEMBLY
-[id="coreos-layering"]
-= {op-system} image layering
 include::_attributes/common-attributes.adoc[]
-:context: coreos-layering
+[id="mco-coreos-layering"]
+= {op-system} image layering
+:context: mco-coreos-layering
 
 toc::[]
 
 
 {op-system-first} image layering allows you to easily extend the functionality of your base {op-system} image by _layering_ additional images onto the base image. This layering does not modify the base {op-system} image. Instead, it creates a _custom layered image_ that includes all {op-system} functionality and adds additional functionality to specific nodes in the cluster.
 
-You create a custom layered image by using a Containerfile and applying it to nodes by using a `MachineConfig` object. The Machine Config Operator overrides the base {op-system} image, as specified by the `osImageURL` value in the associated machine config, and boots the new image. You can remove the custom layered image by deleting the machine config, The MCO reboots the nodes back to the base {op-system} image.
+[id="coreos-layering-about_{context}"]
+== About {op-system} image layering
+
+Image layering allows you to customize the underlying node operating system on any of your cluster worker nodes. This helps keep everything up-to-date, including the node operating system and any added customizations such as specialized software.
+
+You create a custom layered image by using a Containerfile and applying it to nodes by using a custom object. At any time, you can remove the custom layered image by deleting that custom object.
 
 With {op-system} image layering, you can install RPMs into your base image, and your custom content will be booted alongside {op-system}. The Machine Config Operator (MCO) can roll out these custom layered images and monitor these custom containers in the same way it does for the default {op-system} image. {op-system} image layering gives you greater flexibility in how you manage your {op-system} nodes.
 
@@ -22,13 +27,25 @@ Installing realtime kernel and extensions RPMs as custom layered content is not
 
 As soon as you apply the custom layered image to your cluster, you effectively _take ownership_ of your custom layered images and those nodes. While Red Hat remains responsible for maintaining and updating the base {op-system} image on standard nodes, you are responsible for maintaining and updating images on nodes that use a custom layered image. You assume the responsibility for the package you applied with the custom layered image and any issues that might arise with the package.
 
-To apply a custom layered image, you create a Containerfile that references an {product-title} image and the RPM that you want to apply. You then push the resulting custom layered image to an image registry. In a non-production {product-title} cluster, create a `MachineConfig` object for the targeted node pool that points to the new image.
+There are two methods for deploying a custom layered image onto your nodes:
+
+On-cluster layering:: With xref:../machine_configuration/mco-coreos-layering.adoc#coreos-layering-configuring-on_mco-coreos-layering[on-cluster layering], you create a `MachineOSConfig` object where you include the Containerfile and other parameters. The build is performed on your cluster and the resulting custom layered image is automatically pushed to your repository and applied to the machine config pool that you specified in the `MachineOSConfig` object. The entire process is performed completely within your cluster.
++
+--
+:FeatureName: On-cluster image layering
+include::snippets/technology-preview.adoc[]
+--
 
-[NOTE]
+Out-of-cluster layering:: With xref:../machine_configuration/mco-coreos-layering.adoc#coreos-layering-configuring_mco-coreos-layering[out-of-cluster layering], you create a Containerfile that references an {product-title} image and the RPM that you want to apply, build the layered image in your own environment, and push the image to your repository. Then, in your cluster, create a `MachineConfig` object for the targeted node pool that points to the new image. The Machine Config Operator overrides the base {op-system} image, as specified by the `osImageURL` value in the associated machine config, and boots the new image.
+
+[IMPORTANT]
 ====
-Use the same base {op-system} image installed on the rest of your cluster. Use the `oc adm release info --image-for rhel-coreos` command to obtain the base image used in your cluster.
+For both methods, use the same base {op-system} image installed on the rest of your cluster. Use the `oc adm release info --image-for rhel-coreos` command to obtain the base image used in your cluster.
 ====
 
+[id="coreos-layering-examples_{context}"]
+== Example Containerfiles
+
 {op-system} image layering allows you to use the following types of images to create custom layered images:
 
 * *{product-title} Hotfixes*. You can work with Customer Experience and Engagement (CEE) to obtain and apply link:https://access.redhat.com/solutions/2996001[Hotfix packages] on top of your {op-system} image. In some instances, you might want a bug fix or enhancement before it is included in an official {product-title} release. {op-system} image layering allows you to easily add the Hotfix before it is officially released and remove the Hotfix when the underlying {op-system} image incorporates the fix.
@@ -38,9 +55,22 @@ Use the same base {op-system} image installed on the rest of your cluster. Use t
 Some Hotfixes require a Red Hat Support Exception and are outside of the normal scope of {product-title} support coverage or life cycle policies.
 ====
 +
-In the event you want a Hotfix, it will be provided to you based on link:https://access.redhat.com/solutions/2996001[Red Hat Hotfix policy]. Apply it on top of the base image and test that new custom layered image in a non-production environment. When you are satisfied that the custom layered image is safe to use in production, you can roll it out on your own schedule to specific node pools. For any reason, you can easily roll back the custom layered image and return to using the default {op-system}.
+Hotfixes are provided to you based on link:https://access.redhat.com/solutions/2996001[Red Hat Hotfix policy]. Apply it on top of the base image and test that new custom layered image in a non-production environment. When you are satisfied that the custom layered image is safe to use in production, you can roll it out on your own schedule to specific node pools. For any reason, you can easily roll back the custom layered image and return to using the default {op-system}.
++
+.Example on-cluster Containerfile to apply a Hotfix
+[source,yaml]
+----
+# Using a 4.12.0 image
+containerfileArch: noarch
+content: |-
+  FROM configs AS final
+  #Install hotfix rpm
+  RUN rpm-ostree override replace https://example.com/myrepo/haproxy-1.0.16-5.el8.src.rpm && \
+      rpm-ostree cleanup -m && \
+      ostree container commit
+----
 +
-.Example Containerfile to apply a Hotfix
+.Example out-of-cluster Containerfile to apply a Hotfix
 [source,yaml]
 ----
 # Using a 4.12.0 image
@@ -53,24 +83,13 @@ RUN rpm-ostree override replace https://example.com/myrepo/haproxy-1.0.16-5.el8.
 
 * *{op-system-base} packages*. You can download {op-system-base-full} packages from the link:https://access.redhat.com/downloads/content/479/ver=/rhel---9/9.1/x86_64/packages[Red Hat Customer Portal], such as chrony, firewalld, and iputils.
 +
-.Example Containerfile to apply the firewalld utility
-[source,yaml]
-----
-FROM quay.io/openshift-release-dev/ocp-release@sha256...
-ADD configure-firewall-playbook.yml .
-RUN rpm-ostree install firewalld ansible && \
-    ansible-playbook configure-firewall-playbook.yml && \
-    rpm -e ansible && \
-    ostree container commit
-----
-+
-.Example Containerfile to apply the libreswan utility
+.Example out-of-cluster Containerfile to apply the libreswan utility
 [source,yaml]
 ----
 include::https://raw.githubusercontent.com/openshift/rhcos-image-layering-examples/master/libreswan/Containerfile[]
 ----
 +
-Because libreswan requires additional RHEL packages, the image must be built on an entitled {op-system-base} host.
+Because libreswan requires additional {op-system-base} packages, the image must be built on an entitled {op-system-base} host. For RHEL entitlements to work, you must copy the `etc-pki-entitlement` secret into the `openshift-machine-api` namespace. 
 
 * *Third-party packages*. You can download and install RPMs from third-party organizations, such as the following types of packages:
 +
@@ -82,19 +101,41 @@ Because libreswan requires additional RHEL packages, the image must be built on
 ** SSH Key management packages.
 --
 +
-.Example Containerfile to apply a third-party package from EPEL
+.Example on-cluster Containerfile to apply a third-party package from EPEL
+[source,yaml]
+----
+FROM configs AS final
+
+#Enable EPEL (more info at https://docs.fedoraproject.org/en-US/epel/ ) and install htop
+RUN rpm-ostree install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \
+    rpm-ostree install htop && \
+    ostree container commit
+----
++
+.Example out-of-cluster Containerfile to apply a third-party package from EPEL
 [source,yaml]
 ----
 include::https://raw.githubusercontent.com/openshift/rhcos-image-layering-examples/master/htop/Containerfile[]
 ----
 +
-.Example Containerfile to apply a third-party package that has {op-system-base} dependencies
+This Containerfile installs the {op-system-base} fish program. Because fish requires additional {op-system-base} packages, the image must be built on an entitled {op-system-base} host. For {op-system-base} entitlements to work, you must copy the `etc-pki-entitlement` secret into the `openshift-machine-api` namespace. 
++
+.Example on-cluster Containerfile to apply a third-party package that has {op-system-base} dependencies
 [source,yaml]
 ----
-include::https://raw.githubusercontent.com/openshift/rhcos-image-layering-examples/master/fish/Containerfile[]
+FROM configs AS final
+
+# RHEL entitled host is needed here to access RHEL packages
+# Install fish as third party package from EPEL
+RUN rpm-ostree install https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/f/fish-3.3.1-3.el9.x86_64.rpm && \
+    ostree container commit
 ----
 +
-This Containerfile installs the Linux fish program. Because fish requires additional RHEL packages, the image must be built on an entitled {op-system-base} host.
+.Example out-of-cluster Containerfile to apply a third-party package that has {op-system-base} dependencies
+[source,yaml]
+----
+include::https://raw.githubusercontent.com/openshift/rhcos-image-layering-examples/master/fish/Containerfile[]
+----
 
 After you create the machine config, the Machine Config Operator (MCO) performs the following steps:
 
@@ -109,10 +150,15 @@ After you create the machine config, the Machine Config Operator (MCO) performs
 It is strongly recommended that you test your images outside of your production environment before rolling out to your cluster.
 ====
 
+include::modules/coreos-layering-configuring-on.adoc[leveloffset=+1]
+
+.Additional resources
+* xref:../nodes/clusters/nodes-cluster-enabling-features.adoc#nodes-cluster-enabling[Enabling features using feature gates]
+
 include::modules/coreos-layering-configuring.adoc[leveloffset=+1]
 
 .Additional resources
-xref:../post_installation_configuration/coreos-layering.adoc#coreos-layering-updating_coreos-layering[Updating with a {op-system} custom layered image]
+xref:../machine_configuration/mco-coreos-layering.adoc#coreos-layering-updating_mco-coreos-layering[Updating with a {op-system} custom layered image]
 
 include::modules/coreos-layering-removing.adoc[leveloffset=+1]
 include::modules/coreos-layering-updating.adoc[leveloffset=+1]
diff --git a/machine_configuration/mco-update-boot-images.adoc b/machine_configuration/mco-update-boot-images.adoc
new file mode 100644
index 000000000000..d080beae4f04
--- /dev/null
+++ b/machine_configuration/mco-update-boot-images.adoc
@@ -0,0 +1,61 @@
+:_mod-docs-content-type: ASSEMBLY
+:context: machine-configs-configure
+[id="mco-update-boot-images"]
+= Updated boot images
+include::_attributes/common-attributes.adoc[]
+
+toc::[]
+
+The Machine Config Operator (MCO) uses a boot image to start a {op-system-first} node. By default, {product-title} does not manage the boot image.
+
+This means that the boot image in your cluster is not updated along with your cluster. For example, if your cluster was originally created with {product-title} 4.12, the boot image that the cluster uses to create nodes is the same 4.12 version, even if your cluster is at a later version. If the cluster is later upgraded to 4.13 or later, new nodes continue to scale with the same 4.12 image.
+
+This process could cause the following issues:
+
+* Extra time to start nodes
+* Certificate expiration issues
+* Version skew issues
+
+To avoid these issues, you can configure your cluster to update the boot image whenever you update your cluster. By modifying the `MachineConfiguration` object, you can enable this feature. Currently, the ability to update the boot image is available for only Google Cloud Platform (GCP) clusters and is not supported for clusters managed by the Cluster API.
+
+:FeatureName: The updating boot image feature
+include::snippets/technology-preview.adoc[]
+
+To view the current boot image used in your cluster, examine a machine set:
+
+.Example machine set with the boot image reference
+
+[source,yaml]
+----
+apiVersion: machine.openshift.io/v1beta1
+kind: MachineSet
+metadata:
+  name: ci-ln-hmy310k-72292-5f87z-worker-a
+  namespace: openshift-machine-api
+spec:
+# ...
+  template:
+# ...
+    spec:
+# ...
+      providerSpec:
+# ...
+        value:
+          disks:
+          - autoDelete: true
+            boot: true
+            image: projects/rhcos-cloud/global/images/rhcos-412-85-202203181601-0-gcp-x86-64 <1>
+# ...
+----
+<1> This boot image is the same as the originally-installed {product-title} version, in this example {product-title} 4.12, regardless of the current version of the cluster. The way that the boot image is represented in the machine set depends on the platform, as the structure of the `providerSpec` field differs from platform to platform.
+
+If you configure your cluster to update your boot images, the boot image referenced in your machine sets matches the current version of the cluster.
+
+include::modules/mco-update-boot-images-configuring.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../nodes/clusters/nodes-cluster-enabling-features.adoc#nodes-cluster-enabling[Enabling features using feature gates]
+
+include::modules/mco-update-boot-images-disable.adoc[leveloffset=+1]
diff --git a/machine_configuration/modules b/machine_configuration/modules
new file mode 120000
index 000000000000..464b823aca16
--- /dev/null
+++ b/machine_configuration/modules
@@ -0,0 +1 @@
+../modules
\ No newline at end of file
diff --git a/machine_configuration/snippets b/machine_configuration/snippets
new file mode 120000
index 000000000000..9f5bc7e4dde0
--- /dev/null
+++ b/machine_configuration/snippets
@@ -0,0 +1 @@
+../snippets
\ No newline at end of file
diff --git a/machine_management/cluster_api_machine_management/cluster-api-about.adoc b/machine_management/cluster_api_machine_management/cluster-api-about.adoc
index 9e9973fadced..6fa385b29864 100644
--- a/machine_management/cluster_api_machine_management/cluster-api-about.adoc
+++ b/machine_management/cluster_api_machine_management/cluster-api-about.adoc
@@ -9,7 +9,7 @@ toc::[]
 :FeatureName: Managing machines with the Cluster API
 include::snippets/technology-preview.adoc[]
 
-The link:https://cluster-api.sigs.k8s.io/[Cluster API] is an upstream project that is integrated into {product-title} as a Technology Preview for Amazon Web Services (AWS) and Google Cloud Platform (GCP).
+The link:https://cluster-api.sigs.k8s.io/[Cluster API] is an upstream project that is integrated into {product-title} as a Technology Preview for {aws-first}, {gcp-first}, and {vmw-first}.
 
 //Cluster API overview
 include::modules/capi-overview.adoc[leveloffset=+1]
@@ -31,15 +31,15 @@ include::modules/capi-limitations.adoc[leveloffset=+2]
 [id="cluster-api-architecture_{context}"]
 == Cluster API architecture
 
-The {product-title} integration of the upstream Cluster API is implemented and managed by the Cluster CAPI Operator.
-The Cluster CAPI Operator and its operands are provisioned in the `openshift-cluster-api` namespace, in contrast to the Machine API, which uses the `openshift-machine-api` namespace.
+The {product-title} integration of the upstream Cluster API is implemented and managed by the {cluster-capi-operator}.
+The {cluster-capi-operator} and its operands are provisioned in the `openshift-cluster-api` namespace, in contrast to the Machine API, which uses the `openshift-machine-api` namespace.
 
-//The Cluster CAPI Operator
+//The {cluster-capi-operator}
 include::modules/capi-arch-operator.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 .Additional resources
-* xref:../../operators/operator-reference.adoc#cluster-capi-operator_cluster-operators-ref[Cluster CAPI Operator]
+* xref:../../operators/operator-reference.adoc#cluster-capi-operator_cluster-operators-ref[{cluster-capi-operator}]
 
 //Cluster API primary resources
 include::modules/capi-arch-resources.adoc[leveloffset=+2]
\ No newline at end of file
diff --git a/machine_management/cluster_api_machine_management/cluster-api-configuration.adoc b/machine_management/cluster_api_machine_management/cluster-api-configuration.adoc
index 9b021072efb7..088719c6fc9b 100644
--- a/machine_management/cluster_api_machine_management/cluster-api-configuration.adoc
+++ b/machine_management/cluster_api_machine_management/cluster-api-configuration.adoc
@@ -22,4 +22,6 @@ For provider-specific configuration options for your cluster, see the following
 
 * xref:../../machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-aws.adoc#cluster-api-config-options-aws[Cluster API configuration options for {aws-full}]
 
-* xref:../../machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-gcp.adoc#cluster-api-config-options-gcp[Cluster API configuration options for {gcp-full}]
\ No newline at end of file
+* xref:../../machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-gcp.adoc#cluster-api-config-options-gcp[Cluster API configuration options for {gcp-full}]
+
+* xref:../../machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-vsphere.adoc#cluster-api-config-options-vsphere[Cluster API configuration options for {vmw-full}]
\ No newline at end of file
diff --git a/machine_management/cluster_api_machine_management/cluster-api-getting-started.adoc b/machine_management/cluster_api_machine_management/cluster-api-getting-started.adoc
index 9c7642f201fd..d1a4748f996f 100644
--- a/machine_management/cluster_api_machine_management/cluster-api-getting-started.adoc
+++ b/machine_management/cluster_api_machine_management/cluster-api-getting-started.adoc
@@ -33,6 +33,7 @@ include::modules/capi-creating-infrastructure-resource.adoc[leveloffset=+2]
 .Additional resources
 * xref:../../machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-aws.adoc#capi-yaml-infrastructure-aws_cluster-api-config-options-aws[Sample YAML for a Cluster API infrastructure resource on {aws-full}]
 * xref:../../machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-gcp.adoc#capi-yaml-infrastructure-gcp_cluster-api-config-options-gcp[Sample YAML for a Cluster API infrastructure resource on {gcp-full}]
+* xref:../../machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-vsphere.adoc#capi-yaml-infrastructure-vsphere_cluster-api-config-options-vsphere[Sample YAML for a Cluster API infrastructure resource on {vmw-full}]
 
 //Creating a Cluster API machine template
 include::modules/capi-creating-machine-template.adoc[leveloffset=+2]
@@ -40,10 +41,12 @@ include::modules/capi-creating-machine-template.adoc[leveloffset=+2]
 .Additional resources
 * xref:../../machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-aws.adoc#capi-yaml-machine-template-aws_cluster-api-config-options-aws[Sample YAML for a Cluster API machine template resource on {aws-full}]
 * xref:../../machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-gcp.adoc#capi-yaml-machine-template-gcp_cluster-api-config-options-gcp[Sample YAML for a Cluster API machine template resource on {gcp-full}]
+* xref:../../machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-vsphere.adoc#capi-yaml-machine-template-vsphere_cluster-api-config-options-vsphere[Sample YAML for a Cluster API machine template resource on {vmw-full}]
 
 //Creating a Cluster API compute machine set
 include::modules/capi-creating-machine-set.adoc[leveloffset=+2]
 [role="_additional-resources"]
 .Additional resources
 * xref:../../machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-aws.adoc#capi-yaml-machine-set-aws_cluster-api-config-options-aws[Sample YAML for a Cluster API compute machine set resource on {aws-full}]
-* xref:../../machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-gcp.adoc#capi-yaml-machine-set-gcp_cluster-api-config-options-gcp[Sample YAML for a Cluster API compute machine set resource on {gcp-full}]
\ No newline at end of file
+* xref:../../machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-gcp.adoc#capi-yaml-machine-set-gcp_cluster-api-config-options-gcp[Sample YAML for a Cluster API compute machine set resource on {gcp-full}]
+* xref:../../machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-vsphere.adoc#capi-yaml-machine-set-vsphere_cluster-api-config-options-vsphere[Sample YAML for a Cluster API compute machine set resource on {vmw-full}]
\ No newline at end of file
diff --git a/machine_management/cluster_api_machine_management/cluster-api-managing-machines.adoc b/machine_management/cluster_api_machine_management/cluster-api-managing-machines.adoc
index d912fb4bbe8b..606fcad55482 100644
--- a/machine_management/cluster_api_machine_management/cluster-api-managing-machines.adoc
+++ b/machine_management/cluster_api_machine_management/cluster-api-managing-machines.adoc
@@ -15,6 +15,7 @@ include::modules/capi-modifying-machine-template.adoc[leveloffset=+1]
 .Additional resources
 * xref:../../machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-aws.adoc#capi-yaml-machine-template-aws_cluster-api-config-options-aws[Sample YAML for a Cluster API machine template resource on {aws-full}]
 * xref:../../machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-gcp.adoc#capi-yaml-machine-template-gcp_cluster-api-config-options-gcp[Sample YAML for a Cluster API machine template resource on {gcp-full}]
+* xref:../../machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-vsphere.adoc#capi-yaml-machine-template-vsphere_cluster-api-config-options-vsphere[Sample YAML for a Cluster API machine template resource on {vmw-full}]
 * xref:../../machine_management/cluster_api_machine_management/cluster-api-managing-machines.adoc#machineset-modifying_cluster-api-managing-machines[Modifying a compute machine set by using the CLI]
 
 //Modifying a compute machine set by using the CLI
@@ -23,4 +24,5 @@ include::modules/machineset-modifying.adoc[leveloffset=+1,tag=!MAPI]
 [role="_additional-resources"]
 .Additional resources
 * xref:../../machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-aws.adoc#capi-yaml-machine-set-aws_cluster-api-config-options-aws[Sample YAML for a Cluster API compute machine set resource on {aws-full}]
-* xref:../../machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-gcp.adoc#capi-yaml-machine-set-gcp_cluster-api-config-options-gcp[Sample YAML for a Cluster API compute machine set resource on {gcp-full}]
\ No newline at end of file
+* xref:../../machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-gcp.adoc#capi-yaml-machine-set-gcp_cluster-api-config-options-gcp[Sample YAML for a Cluster API compute machine set resource on {gcp-full}]
+* xref:../../machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-vsphere.adoc#capi-yaml-machine-set-vsphere_cluster-api-config-options-vsphere[Sample YAML for a Cluster API compute machine set resource on {vmw-full}]
\ No newline at end of file
diff --git a/machine_management/cluster_api_machine_management/cluster-api-troubleshooting.adoc b/machine_management/cluster_api_machine_management/cluster-api-troubleshooting.adoc
index 9b2591cb8de0..91eb85cf1cd9 100644
--- a/machine_management/cluster_api_machine_management/cluster-api-troubleshooting.adoc
+++ b/machine_management/cluster_api_machine_management/cluster-api-troubleshooting.adoc
@@ -12,7 +12,7 @@ include::snippets/technology-preview.adoc[]
 Use the information in this section to understand and recover from issues you might encounter.
 Generally, troubleshooting steps for problems with the Cluster API are similar to those steps for problems with the Machine API.
 
-The Cluster CAPI Operator and its operands are provisioned in the `openshift-cluster-api` namespace, whereas the Machine API uses the `openshift-machine-api` namespace. When using `oc` commands that reference a namespace, be sure to reference the correct one.
+The {cluster-capi-operator} and its operands are provisioned in the `openshift-cluster-api` namespace, whereas the Machine API uses the `openshift-machine-api` namespace. When using `oc` commands that reference a namespace, be sure to reference the correct one.
 
 //Returning the intended machines when using the CLI
 include::modules/ts-capi-cli-reference-intended-objects.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-vsphere.adoc b/machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-vsphere.adoc
new file mode 100644
index 000000000000..d3eb50c59ae9
--- /dev/null
+++ b/machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-vsphere.adoc
@@ -0,0 +1,37 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="cluster-api-config-options-vsphere"]
+= Cluster API configuration options for VMware vSphere
+include::_attributes/common-attributes.adoc[]
+:context: cluster-api-config-options-vsphere
+
+toc::[]
+
+:FeatureName: Managing machines with the Cluster API
+include::snippets/technology-preview.adoc[]
+
+You can change the configuration of your {vmw-first} Cluster API machines by updating values in the Cluster API custom resource manifests.
+
+[id="cluster-api-sample-yaml-vsphere_{context}"]
+== Sample YAML for configuring {vmw-full} clusters
+
+The following example YAML files show configurations for a {vmw-full} cluster.
+
+//Sample YAML for a CAPI vSphere infrastructure resource
+include::modules/capi-yaml-infrastructure-vsphere.adoc[leveloffset=+2]
+
+//Sample YAML for CAPI vSphere machine template resource
+include::modules/capi-yaml-machine-template-vsphere.adoc[leveloffset=+2]
+
+//Sample YAML for a CAPI vSphere compute machine set resource
+include::modules/capi-yaml-machine-set-vsphere.adoc[leveloffset=+2]
+// This additional resources section can be added if this configuration is validated. (see also: callout in capi-yaml-machine-set-vsphere.adoc)
+// [role="_additional-resources"]
+// .Additional resources
+// * xref:../../../post_installation_configuration/post-install-vsphere-zones-regions-configuration.adoc#post-install-vsphere-zones-regions-configuration[Multiple regions and zones configuration for a cluster on {vmw-full}]
+
+// [id="cluster-api-supported-features-vsphere_{context}"]
+// == Enabling {vmw-full} features with the Cluster API
+
+// You can enable the following features by updating values in the Cluster API custom resource manifests.
+
+//Not sure what, if anything, we can add here at this time.
\ No newline at end of file
diff --git a/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-aws.adoc b/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-aws.adoc
index 7de57e1b9b22..ac95a9be1dd1 100644
--- a/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-aws.adoc
+++ b/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-aws.adoc
@@ -1,6 +1,6 @@
 :_mod-docs-content-type: ASSEMBLY
 [id="cpmso-config-options-aws"]
-= Control plane configuration options for {aws-full}
+= Control plane configuration options for Amazon Web Services
 include::_attributes/common-attributes.adoc[]
 :context: cpmso-config-options-aws
 
@@ -23,7 +23,7 @@ include::modules/cpmso-yaml-failure-domain-aws.adoc[leveloffset=+2]
 [id="cpmso-supported-features-aws_{context}"]
 == Enabling {aws-full} features for control plane machines
 
-You can enable the following features by updating values in the control plane machine set.
+You can enable features by updating values in the control plane machine set.
 
 //Restricting the API server to private (AWS control plane machine set version)
 include::modules/private-clusters-setting-api-private.adoc[leveloffset=+2]
diff --git a/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-azure.adoc b/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-azure.adoc
index 61c77c8dd3d0..160468139d6d 100644
--- a/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-azure.adoc
+++ b/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-azure.adoc
@@ -1,6 +1,6 @@
 :_mod-docs-content-type: ASSEMBLY
 [id="cpmso-config-options-azure"]
-= Control plane configuration options for {azure-full}
+= Control plane configuration options for Microsoft Azure
 include::_attributes/common-attributes.adoc[]
 :context: cpmso-config-options-azure
 
@@ -23,7 +23,7 @@ include::modules/cpmso-yaml-failure-domain-azure.adoc[leveloffset=+2]
 [id="cpmso-supported-features-azure_{context}"]
 == Enabling {azure-full} features for control plane machines
 
-You can enable the following features by updating values in the control plane machine set.
+You can enable features by updating values in the control plane machine set.
 
 include::modules/private-clusters-setting-api-private.adoc[leveloffset=+2]
 [role="_additional-resources"]
diff --git a/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-gcp.adoc b/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-gcp.adoc
index 33f44b73f43d..8b61d2d5601e 100644
--- a/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-gcp.adoc
+++ b/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-gcp.adoc
@@ -1,6 +1,6 @@
 :_mod-docs-content-type: ASSEMBLY
 [id="cpmso-config-options-gcp"]
-= Control plane configuration options for {gcp-full}
+= Control plane configuration options for Google Cloud Platform
 include::_attributes/common-attributes.adoc[]
 :context: cpmso-config-options-gcp
 
@@ -23,7 +23,7 @@ include::modules/cpmso-yaml-failure-domain-gcp.adoc[leveloffset=+2]
 [id="cpmso-supported-features-gcp_{context}"]
 == Enabling {gcp-full} features for control plane machines
 
-You can enable the following features by updating values in the control plane machine set.
+You can enable features by updating values in the control plane machine set.
 
 //Note: GCP GPU features should be compatible with CPMS, but dev cannot think of a use case. Leaving them out to keep things less cluttered. If a customer use case emerges, we can just add the necessary modules in here.
 
diff --git a/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-openstack.adoc b/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-openstack.adoc
index a5c4ad21845a..4a3fe6f74782 100644
--- a/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-openstack.adoc
+++ b/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-openstack.adoc
@@ -1,6 +1,6 @@
 :_mod-docs-content-type: ASSEMBLY
 [id="cpmso-config-options-openstack"]
-= Control plane configuration options for {rh-openstack}
+= Control plane configuration options for Red Hat OpenStack Platform
 include::_attributes/common-attributes.adoc[]
 :context: cpmso-config-options-openstack
 
@@ -23,7 +23,7 @@ include::modules/cpmso-yaml-failure-domain-openstack.adoc[leveloffset=+2]
 [id="cpmso-supported-features-openstack_{context}"]
 == Enabling {rh-openstack-first} features for control plane machines
 
-You can enable the following features by updating values in the control plane machine set.
+You can enable features by updating values in the control plane machine set.
 
 //Changing the OpenStack Nova flavor by using a control plane machine set
 include::modules/cpms-changing-openstack-flavor-type.adoc[leveloffset=+2]
\ No newline at end of file
diff --git a/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-vsphere.adoc b/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-vsphere.adoc
index f50d49b2350c..eb08fe832330 100644
--- a/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-vsphere.adoc
+++ b/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-vsphere.adoc
@@ -1,6 +1,6 @@
 :_mod-docs-content-type: ASSEMBLY
 [id="cpmso-config-options-vsphere"]
-= Control plane configuration options for {vmw-full}
+= Control plane configuration options for VMware vSphere
 include::_attributes/common-attributes.adoc[]
 :context: cpmso-config-options-vsphere
 
@@ -22,4 +22,12 @@ include::modules/cpmso-yaml-failure-domain-vsphere.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 .Additional resources
-* xref:../../../post_installation_configuration/post-install-vsphere-zones-regions-configuration.adoc#specifying-regions-zones-infrastructure-vsphere_post-install-vsphere-zones-regions-configuration[Specifying multiple regions and zones for your cluster on {vmw-short}]
\ No newline at end of file
+* xref:../../../post_installation_configuration/post-install-vsphere-zones-regions-configuration.adoc#specifying-regions-zones-infrastructure-vsphere_post-install-vsphere-zones-regions-configuration[Specifying multiple regions and zones for your cluster on {vmw-short}]
+
+[id="cpmso-supported-features-vsphere_{context}"]
+== Enabling {vmw-full} features for control plane machines
+
+You can enable features by updating values in the control plane machine set.
+
+//Adding tags to machines by using machine sets
+include::modules/machine-api-vmw-add-tags.adoc[leveloffset=+2,tag=!compute]
\ No newline at end of file
diff --git a/machine_management/creating-infrastructure-machinesets.adoc b/machine_management/creating-infrastructure-machinesets.adoc
index a8e0200e1420..a1e485e0a245 100644
--- a/machine_management/creating-infrastructure-machinesets.adoc
+++ b/machine_management/creating-infrastructure-machinesets.adoc
@@ -97,6 +97,7 @@ include::modules/binding-infra-node-workloads-using-taints-tolerations.adoc[leve
 
 * See xref:../nodes/scheduling/nodes-scheduler-about.adoc#nodes-scheduler-about[Controlling pod placement using the scheduler] for general information on scheduling a pod to a node.
 * See xref:moving-resources-to-infrastructure-machinesets[Moving resources to infrastructure machine sets] for instructions on scheduling pods to infra nodes.
+* See xref:../nodes/scheduling/nodes-scheduler-taints-tolerations.adoc#nodes-scheduler-taints-tolerations-about_nodes-scheduler-taints-tolerations[Understanding taints and tolerations] for more details about different effects of taints.
 
 [id="moving-resources-to-infrastructure-machinesets"]
 == Moving resources to infrastructure machine sets
@@ -128,6 +129,8 @@ include::modules/infrastructure-moving-registry.adoc[leveloffset=+2]
 
 include::modules/infrastructure-moving-monitoring.adoc[leveloffset=+2]
 
+include::modules/nodes-pods-vertical-autoscaler-moving-vpa.adoc[leveloffset=+2]
+
 [role="_additional-resources"]
 .Additional resources
 * xref:../observability/monitoring/configuring-the-monitoring-stack.adoc#moving-monitoring-components-to-different-nodes_configuring-the-monitoring-stack[Moving monitoring components to different nodes]
diff --git a/machine_management/creating_machinesets/creating-machineset-vsphere.adoc b/machine_management/creating_machinesets/creating-machineset-vsphere.adoc
index c08f91b5e180..7ed435ae6df6 100644
--- a/machine_management/creating_machinesets/creating-machineset-vsphere.adoc
+++ b/machine_management/creating_machinesets/creating-machineset-vsphere.adoc
@@ -32,8 +32,11 @@ include::modules/machineset-upi-reqs-vsphere-creds.adoc[leveloffset=+2]
 include::modules/machineset-upi-reqs-ignition-config.adoc[leveloffset=+2]
 [role="_additional-resources"]
 .Additional resources
-* xref:../../post_installation_configuration/machine-configuration-tasks.adoc#understanding-the-machine-config-operator[Understanding the Machine Config Operator]
+* xref:../../machine_configuration/index.adoc#machine-config-operator_machine-config-overview[Understanding the Machine Config Operator]
 * xref:../../installing/installing_vsphere/upi/installing-vsphere.adoc#installation-vsphere-machines_installing-vsphere[Installing {op-system} and starting the {product-title} bootstrap process]
 
 //Creating a compute machine set
 include::modules/machineset-creating.adoc[leveloffset=+1]
+
+//Adding tags to machines by using machine sets
+include::modules/machine-api-vmw-add-tags.adoc[leveloffset=+1,tag=!controlplane]
\ No newline at end of file
diff --git a/machine_management/index.adoc b/machine_management/index.adoc
index 9d63052526a4..0bcbb6c38d1f 100644
--- a/machine_management/index.adoc
+++ b/machine_management/index.adoc
@@ -99,7 +99,7 @@ You can automatically scale your {product-title} cluster to ensure flexibility f
 
 [id="machine-mgmt-intro-add-for-upi_{context}"]
 == Adding compute machines on user-provisioned infrastructure
-User-provisioned infrastructure is an environment where you can deploy infrastructure such as compute, network, and storage resources that host the {product-title}. You can xref:../machine_management//user_infra/adding-compute-user-infra-general.adoc#adding-compute-user-infra-general[add compute machines] to a cluster on user-provisioned infrastructure during or after the installation process.
+User-provisioned infrastructure is an environment where you can deploy infrastructure such as compute, network, and storage resources that host the {product-title}. You can xref:../machine_management/user_infra/adding-compute-user-infra-general.adoc#adding-compute-user-infra-general[add compute machines] to a cluster on user-provisioned infrastructure during or after the installation process.
 
 [id="machine-mgmt-intro-add-rhel_{context}"]
 == Adding RHEL compute machines to your cluster
diff --git a/microshift_backup_and_restore/microshift-backup-and-restore.adoc b/microshift_backup_and_restore/microshift-backup-and-restore.adoc
index 9494c3ba3d14..3af862c2ddc5 100644
--- a/microshift_backup_and_restore/microshift-backup-and-restore.adoc
+++ b/microshift_backup_and_restore/microshift-backup-and-restore.adoc
@@ -29,7 +29,7 @@ include::modules/microshift-backing-up-manually.adoc[leveloffset=+1]
 
 include::modules/microshift-restoring-data-backups.adoc[leveloffset=+1]
 
-include::modules/microshift-service-starting.adoc[leveloffset=+1]
+//include::modules/microshift-service-starting.adoc[leveloffset=+1]
 
 //additional resources for restoring-data module
 [role="_additional-resources"]
diff --git a/microshift_cli_ref/microshift-cli-tools-introduction.adoc b/microshift_cli_ref/microshift-cli-tools-introduction.adoc
index 892df03d33b5..bff9a0e0a50c 100644
--- a/microshift_cli_ref/microshift-cli-tools-introduction.adoc
+++ b/microshift_cli_ref/microshift-cli-tools-introduction.adoc
@@ -24,6 +24,6 @@ Commands for multi-node deployments, projects, and developer tooling are not sup
 == Additional resources
 
 * xref:..//microshift_cli_ref/microshift-oc-cli-install.adoc#microshift-oc-cli-install[Installing the OpenShift CLI tool for MicroShift].
-* link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.15/html/cli_tools/openshift-cli-oc[Detailed description of the OpenShift CLI (oc)].
+* link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.16/html/cli_tools/openshift-cli-oc[Detailed description of the OpenShift CLI (oc)].
 * link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9[Red Hat Enterprise Linux (RHEL) documentation for specific use cases].
 * xref:../microshift_configuring/microshift-cluster-access-kubeconfig.adoc#microshift-kubeconfig[Cluster access with kubeconfig]
\ No newline at end of file
diff --git a/microshift_configuring/microshift-audit-logs-config.adoc b/microshift_configuring/microshift-audit-logs-config.adoc
index fcd0b63c79ec..288dab6f1f52 100644
--- a/microshift_configuring/microshift-audit-logs-config.adoc
+++ b/microshift_configuring/microshift-audit-logs-config.adoc
@@ -1,6 +1,6 @@
 :_mod-docs-content-type: ASSEMBLY
 [id="microshift-audit-logs-config"]
-= Customizing audit logging policies
+= Configuring audit logging policies
 include::_attributes/attributes-microshift.adoc[]
 :context: microshift-audit-logs-config
 
diff --git a/microshift_configuring/microshift-custom-ca.adoc b/microshift_configuring/microshift-custom-ca.adoc
index 0de387f98b18..8b7961218cac 100644
--- a/microshift_configuring/microshift-custom-ca.adoc
+++ b/microshift_configuring/microshift-custom-ca.adoc
@@ -16,12 +16,14 @@ include::modules/microshift-custom-ca-reserved-names.adoc[leveloffset=+1]
 
 include::modules/microshift-custom-ca-troubleshooting.adoc[leveloffset=+1]
 
+include::modules/microshift-custom-ca-cert-cleaning.adoc[leveloffset=+1]
+
 [id="Additional-resources_microshift-custom-ca_{context}"]
 == Additional resources
 * link:https://docs.openshift.com/container-platform/{ocp-version}/security/certificates/api-server.html#customize-certificates-api-add-named_api-server-certificates[OpenShift: Add an API server named certificate]
 
 * link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/securing_networks/creating-and-managing-tls-keys-and-certificates_securing-networks#doc-wrapper[RHEL: Creating and managing TLS keys and certificates]
 
-* link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/securing_networks/using-shared-system-certificates_securing-networks#the-system-wide-trust-store_using-shared-system-certificates[The system-wide truststore] for details.
+* link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/securing_networks/using-shared-system-certificates_securing-networks#the-system-wide-trust-store_using-shared-system-certificates[The system-wide truststore]
 
 * link:https://docs.openshift.com/container-platform/{ocp-version}/cli_reference/openshift_cli/managing-cli-profiles.html[OpenShift CLI Reference: oc login]
\ No newline at end of file
diff --git a/microshift_install/microshift-greenboot.adoc b/microshift_install/microshift-greenboot.adoc
index 946413ec50a3..f1f55f99a65a 100644
--- a/microshift_install/microshift-greenboot.adoc
+++ b/microshift_install/microshift-greenboot.adoc
@@ -8,7 +8,7 @@ toc::[]
 
 Greenboot is the generic health check framework for the `systemd` service on `rpm-ostree` systems such as {op-system-ostree-first}. This framework is included in {microshift-short} installations with the `microshift-greenboot` and `greenboot-default-health-checks` RPM packages.
 
-Greenboot health checks run at various times to assess system health and automate a rollback to the last healthy state in the event of software trouble, for example:
+Greenboot health checks run at various times to assess system health and automate a rollback on `rpm-ostree` systems to the last healthy state in cases of software trouble, for example:
 
 * Default health check scripts run each time the system starts.
 * In addition the to the default health checks, you can write, install, and configure application health check scripts to also run every time the system starts.
@@ -17,11 +17,6 @@ Greenboot health checks run at various times to assess system health and automat
 
 A {microshift-short} application health check script is included in the `microshift-greenboot` RPM. The `greenboot-default-health-checks` RPM includes health check scripts verifying that DNS and `ostree` services are accessible. You can create your own health check scripts for the workloads you are running. You can write one that verifies that an application has started, for example.
 
-[NOTE]
-====
-Rollback is not possible in the case of an update failure on a system not using `rpm-ostree`. This is true even though health checks might run.
-====
-
 include::modules/microshift-greenboot-dir-structure.adoc[leveloffset=+1]
 
 include::modules/microshift-greenboot-microshift-health-script.adoc[leveloffset=+1]
diff --git a/microshift_networking/microshift-cni.adoc b/microshift_networking/microshift-cni.adoc
index dcca91474cbd..0e3a1a0d7bf0 100644
--- a/microshift_networking/microshift-cni.adoc
+++ b/microshift_networking/microshift-cni.adoc
@@ -20,6 +20,8 @@ Using configuration files or custom scripts, you can configure the following net
 * You can change the maximum transmission unit (MTU) value.
 * You can configure firewall ingress and egress.
 * You can define network policies in the {microshift-short} cluster, including ingress and egress rules.
+* You can use the {microshift-short} Multus plug-in to chain other CNI plugins.
+* You can configure or remove the ingress router.
 
 include::modules/microshift-cni-customization-matrix.adoc[leveloffset=+1]
 
@@ -43,14 +45,6 @@ Networking features not available with {microshift-short} {product-version}:
 * IPsec: not supported
 * Hardware offload: not supported
 
-[id="_additional-resources_microshift-cni_{context}"]
-[role="_additional-resources"]
-.Additional resources
-
-* xref:../microshift_configuring/microshift-using-config-tools.adoc#microshift-using-config-tools_microshift-config-yaml[Using a YAML configuration file]
-
-* xref:../microshift_networking/microshift-networking-settings.adoc#microshift-config-OVN-K_microshift-networking[Understanding networking settings]
-
 [id="microshift-ip-forward_{context}"]
 == IP forward
 The host network `sysctl net.ipv4.ip_forward` kernel parameter is automatically enabled by the `ovnkube-master` container when started. This is required to forward incoming traffic to the CNI. For example, accessing the NodePort service from outside of a cluster fails if `ip_forward` is disabled.
@@ -70,3 +64,11 @@ include::modules/microshift-nw-components-svcs.adoc[leveloffset=+1]
 Bridge mappings allow provider network traffic to reach the physical network. Traffic leaves the provider network and arrives at the `br-int` bridge. A patch port between `br-int` and `br-ex` then allows the traffic to traverse to and from the provider network and the edge network. Kubernetes pods are connected to the `br-int` bridge through virtual ethernet pair: one end of the virtual ethernet pair is attached to the pod namespace, and the other end is attached to the `br-int` bridge.
 
 include::modules/microshift-nw-topology.adoc[leveloffset=+1]
+
+[id="_additional-resources_microshift-cni_{context}"]
+== Additional resources
+
+* xref:../microshift_configuring/microshift-using-config-tools.adoc#microshift-config-yaml_microshift-configuring[Using a YAML configuration file]
+* xref:../microshift_networking/microshift-networking-settings.adoc#microshift-understanding-networking-settings[Understanding networking settings]
+* xref:../microshift_networking/microshift_multiple_networks/microshift-cni-multus.adoc#microshift-cni-multus[About using multiple networks]
+* xref:../microshift_networking/microshift_network_policy/microshift-network-policy-index.adoc#microshift-network-policies[About network policies]
\ No newline at end of file
diff --git a/microshift_networking/microshift-configuring-routes.adoc b/microshift_networking/microshift-configuring-routes.adoc
new file mode 100644
index 000000000000..2cbc5bbb4bcf
--- /dev/null
+++ b/microshift_networking/microshift-configuring-routes.adoc
@@ -0,0 +1,62 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="microshift-configuring-routes"]
+= Configuring routes
+include::_attributes/attributes-microshift.adoc[]
+:context: microshift-configuring-routes
+
+toc::[]
+
+You can configure routes for {microshift-short} for clusters.
+
+//OCP module, edit with care; Creating an insecure/http route
+include::modules/nw-creating-a-route.adoc[leveloffset=+1]
+
+//OCP module, edit with care; HTTP Strict Transport Security
+include::modules/nw-enabling-hsts.adoc[leveloffset=+2]
+
+//OCP module, edit with care; Enabling HTTP strict transport security per-route
+include::modules/nw-enabling-hsts-per-route.adoc[leveloffset=+2]
+
+//OCP module, edit with care; Disabling HTTP strict transport security per-route
+include::modules/nw-disabling-hsts.adoc[leveloffset=+2]
+
+//Enforcing HTTP strict transport security per-domain
+include::modules/microshift-nw-enforcing-hsts-per-domain.adoc[leveloffset=+2]
+
+//OCP module, edit with care; Troubleshooting Throughput Issues
+include::modules/nw-throughput-troubleshoot.adoc[leveloffset=+1]
+
+//OCP module, edit with care; Using cookies to keep route statefulness
+include::modules/nw-using-cookies-keep-route-statefulness.adoc[leveloffset=+1]
+
+//OCP module, edit with care; Using cookies to keep route statefulness
+include::modules/nw-annotating-a-route-with-a-cookie-name.adoc[leveloffset=+2]
+
+//OCP module, edit with care
+include::modules/nw-path-based-routes.adoc[leveloffset=+1]
+
+//OCP module, edit with care; just use the `Route` CR
+include::modules/nw-http-header-configuration.adoc[leveloffset=+1]
+
+//OCP module, edit with care
+include::modules/nw-route-set-or-delete-http-headers.adoc[leveloffset=+1]
+
+//OCP module, edit with care
+include::modules/nw-ingress-creating-a-route-via-an-ingress.adoc[leveloffset=+1]
+
+//OCP module, edit with care
+include::modules/nw-ingress-edge-route-default-certificate.adoc[leveloffset=+1]
+
+//OCP module, edit with care
+include::modules/nw-ingress-reencrypt-route-custom-cert.adoc[leveloffset=+1]
+
+[id="microshift-secured-routes_{context}"]
+== Secured routes
+
+Secure routes provide the ability to use several types of TLS termination to serve certificates to the client. The following links to the {OCP} documentation describe how to create re-encrypt, edge, and passthrough routes with custom certificates.
+
+* link:https://docs.redhat.com/en/documentation/openshift_container_platform/{ocp-version}/html/networking/configuring-routes#nw-ingress-creating-a-reencrypt-route-with-a-custom-certificate_secured-routes[Creating a re-encrypt route with a custom certificate]
+
+* link:https://docs.redhat.com/en/documentation/openshift_container_platform/4.15/html/networking/configuring-routes#nw-ingress-creating-an-edge-route-with-a-custom-certificate_secured-routes[Creating an edge route with a custom certificate]
+
+* link:https://docs.redhat.com/en/documentation/openshift_container_platform/4.15/html/networking/configuring-routes#nw-ingress-creating-a-passthrough-route_secured-routes[Creating a passthrough route]
\ No newline at end of file
diff --git a/microshift_networking/microshift-networking-settings.adoc b/microshift_networking/microshift-networking-settings.adoc
index a83f61ec4fcf..5095b60ada94 100644
--- a/microshift_networking/microshift-networking-settings.adoc
+++ b/microshift_networking/microshift-networking-settings.adoc
@@ -16,11 +16,6 @@ Cluster Administrators have several options for exposing applications that run i
 
 By default, Kubernetes allocates each pod an internal IP address for applications running within the pod. Pods and their containers can have traffic between them, but clients outside the cluster do not have direct network access to pods except when exposed with a service such as NodePort.
 
-[NOTE]
-====
-To troubleshoot connection problems with the NodePort service, read about the known issue in the Release Notes.
-====
-
 include::modules/microshift-configuring-ovn.adoc[leveloffset=+1]
 
 include::modules/microshift-restart-ovnkube-master.adoc[leveloffset=+1]
@@ -33,16 +28,24 @@ include::modules/microshift-cri-o-container-runtime.adoc[leveloffset=+1]
 
 include::modules/microshift-ovs-snapshot.adoc[leveloffset=+1]
 
+[id="microshift-about-load-balancer-service_{context}"]
+== The {microshift-short} LoadBalancer service for workloads
+
+{microshift-short} has a built-in implementation of network load balancers that you can use for your workloads and applications within the cluster. You can create a `LoadBalancer` service by configuring a pod to interpret ingress rules and serve as an ingress controller. The following procedure gives an example of a deployment-based `LoadBalancer` service.
+
 include::modules/microshift-deploying-a-load-balancer.adoc[leveloffset=+1]
 
 include::modules/microshift-blocking-nodeport-access.adoc[leveloffset=+1]
 
 include::modules/microshift-mDNS.adoc[leveloffset=+1]
 
-include::modules/microshift-exposed-audit-ports.adoc[leveloffset=+1]
+[id="microshift-exposed-audit-ports_{context}"]
+== Auditing exposed network ports
+
+On {microshift-short}, the host port can be opened by a workload in the following cases. You can check logs to view the network services.
 
-include::modules/microshift-exposed-audit-ports-hostnetwork.adoc[leveloffset=+1]
+include::modules/microshift-exposed-audit-ports-hostnetwork.adoc[leveloffset=+2]
 
-include::modules/microshift-exposed-audit-ports-hostport.adoc[leveloffset=+1]
+include::modules/microshift-exposed-audit-ports-hostport.adoc[leveloffset=+2]
 
-include::modules/microshift-exposed-audit-ports-loadbalancer.adoc[leveloffset=+1]
\ No newline at end of file
+include::modules/microshift-exposed-audit-ports-loadbalancer.adoc[leveloffset=+2]
\ No newline at end of file
diff --git a/microshift_networking/microshift-nw-router.adoc b/microshift_networking/microshift-nw-router.adoc
index 6095dc8e7117..49e15401f44f 100644
--- a/microshift_networking/microshift-nw-router.adoc
+++ b/microshift_networking/microshift-nw-router.adoc
@@ -6,5 +6,26 @@ include::_attributes/attributes-microshift.adoc[]
 
 toc::[]
 
-Learn about default and custom settings for configuring the router with {microshift-short}.
+Learn about default and custom settings for configuring the router and route admission policy with {microshift-short}.
 
+include::modules/microshift-nw-router-con.adoc[leveloffset=+1]
+
+include::modules/microshift-nw-router-disable.adoc[leveloffset=+1]
+
+[id="microshift-configuring-router-ingress_{context}"]
+== Configuring router ingress
+
+If your {microshift-short} applications need to listen only for data traffic, you can configure the `listenAddress` setting to isolate your devices. You can also configure specific ports and IP addresses for network connections. Use the combination required to customize the endpoint configuration for your use case.
+
+include::modules/microshift-nw-router-config-ports.adoc[leveloffset=+2]
+
+include::modules/microshift-nw-router-config-ip-address.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+[id="additional-resources_microshift-understanding-and-configuring-router_{context}"]
+== Additional resources
+* xref:../microshift_configuring/microshift-using-config-tools.adoc#microshift-yaml-default_microshift-using-config-tools[Default settings] ({microshift-short})
+
+* xref:../microshift_networking/microshift_network_policy/microshift-network-policy-index.adoc#microshift-network-policies[About network policies]
+
+include::modules/microshift-nw-config-route-admission.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/microshift_networking/microshift_multiple_networks/microshift-cni-multus-using.adoc b/microshift_networking/microshift_multiple_networks/microshift-cni-multus-using.adoc
index 7b2076f5b695..a2d55f9403ad 100644
--- a/microshift_networking/microshift_multiple_networks/microshift-cni-multus-using.adoc
+++ b/microshift_networking/microshift_multiple_networks/microshift-cni-multus-using.adoc
@@ -26,4 +26,4 @@ include::modules/microshift-cni-multus-troubleshoot.adoc[leveloffset=+1]
 == Additional resources
 * xref:../../microshift_networking/microshift_multiple_networks/microshift-cni-multus.adoc#microshift-cni-multus[About using multiple networks]
 
-* link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.15/html/networking/multiple-networks#nw-multus-ipam-object_configuring-additional-network[Configuration of IP address assignment for an additional network]
\ No newline at end of file
+* link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.16/html/networking/multiple-networks#nw-multus-ipam-object_configuring-additional-network[Configuration of IP address assignment for an additional network]
\ No newline at end of file
diff --git a/microshift_networking/microshift_multiple_networks/microshift-cni-multus.adoc b/microshift_networking/microshift_multiple_networks/microshift-cni-multus.adoc
index 6c99de8c01d2..796ab3b44b23 100644
--- a/microshift_networking/microshift_multiple_networks/microshift-cni-multus.adoc
+++ b/microshift_networking/microshift_multiple_networks/microshift-cni-multus.adoc
@@ -6,7 +6,7 @@ include::_attributes/attributes-microshift.adoc[]
 
 toc::[]
 
-In addition to the default OVN-Kubernetes Container Network Interface (CNI) plugin, {microshift-short} uses an implementation of the Multus CNI to chain other CNI plugins.
+In addition to the default OVN-Kubernetes Container Network Interface (CNI) plugin, the {microshift-short} Multus CNI is available to chain other CNI plugins. Installing and using {microshift-short} Multus is optional.
 
 include::modules/microshift-multus-intro.adoc[leveloffset=+1]
 
diff --git a/microshift_running_apps/microshift-gitops.adoc b/microshift_running_apps/microshift-gitops.adoc
index 92c683393ff2..b14d9a1d974c 100644
--- a/microshift_running_apps/microshift-gitops.adoc
+++ b/microshift_running_apps/microshift-gitops.adoc
@@ -30,21 +30,21 @@ include::modules/microshift-gitops-adding-apps.adoc[leveloffset=+1]
 GitOps with Argo CD for {microshift-short} has the following differences from the Red Hat OpenShift GitOps Operator:
 
 * The `gitops-operator` component is not used with {microshift-short}.
-* To maintain the small resource use of {microshift-short}, the Argo CD web console is not available. You can use the Argo CD CLI or use a pull-based approach.
+* To maintain the small resource use of {microshift-short}, the Argo CD web console is not available. You can use the Argo CD CLI.
 * Because {microshift-short} is single-node, there is no multi-cluster support. Each instance of {microshift-short} is paired with a local GitOps agent.
 * The `oc adm must-gather` command is not available in {microshift-short}.
 
 [id="microshift-gitops-troubleshooting_{context}"]
 == Troubleshooting GitOps
-If you have problems with your GitOps controller, you can use either the {oc-first} tool or run an sos report.
+If you have problems with your GitOps controller, you can use the {oc-first} tool.
 
 include::modules/microshift-gitops-debug.adoc[leveloffset=+2]
 
-include::modules/microshift-gathering-sos-report.adoc[leveloffset=+2]
-
 [id="additional-resources_microshift-gitops_{context}"]
 [role="_additional-resources"]
 == Additional resources
+* xref:../microshift_install/microshift-install-rpm.adoc#microshift-installing-rpms-for-gitops_microshift-install-rpm[Installing the GitOps Argo CD manifests from an RPM package]
+
 * xref:../microshift_support/microshift-sos-report.adoc#microshift-sos-report[Using sos reports]
 
 * link:https://access.redhat.com/documentation/en-us/red_hat_openshift_gitops/1.12[Red Hat OpenShift GitOps]
diff --git a/microshift_storage/microshift-storage-plugin-overview.adoc b/microshift_storage/microshift-storage-plugin-overview.adoc
index c956da231d99..3fe7e89168a2 100644
--- a/microshift_storage/microshift-storage-plugin-overview.adoc
+++ b/microshift_storage/microshift-storage-plugin-overview.adoc
@@ -2,6 +2,7 @@
 [id="microshift-storage-plugin-overview"]
 = Dynamic storage using the LVMS plugin
 include::_attributes/attributes-microshift.adoc[]
+include::_attributes/common-attributes.adoc[]
 :context: microshift-storage-plugin-overview
 
 toc::[]
@@ -14,6 +15,9 @@ include::modules/microshift-lvms-system-requirements.adoc[leveloffset=+1]
 
 include::modules/microshift-lvms-deployment.adoc[leveloffset=+1]
 
+//OCP module with edits
+include::modules/lvms-limitations-to-configure-size-of-devices.adoc[leveloffset=+1]
+
 include::modules/microshift-lvmd-yaml-creating.adoc[leveloffset=+1]
 
 include::modules/microshift-lvms-config-example-basic.adoc[leveloffset=+1]
diff --git a/microshift_support/microshift-etcd.adoc b/microshift_support/microshift-etcd.adoc
index 4f67708944ef..87ee55268c49 100644
--- a/microshift_support/microshift-etcd.adoc
+++ b/microshift_support/microshift-etcd.adoc
@@ -6,11 +6,15 @@ include::_attributes/attributes-microshift.adoc[]
 
 toc::[]
 
-[role="_abstract"]
 The etcd service is delivered as part of the {product-title} RPM. The etcd service is run as a separate process and the etcd lifecycle is managed automatically by {microshift-short}.
 
 include::modules/microshift-observe-debug-etcd-server.adoc[leveloffset=+1]
 
-include::modules/microshift-config-etcd.adoc[leveloffset=+1]
-
 include::modules/microshift-etcd-version.adoc[leveloffset=+1]
+
+[id="microshift-troubleshooting-etcd_{context}"]
+== Troubleshooting etcd
+
+To troubleshoot etcd and improve performance, configure the memory allowance for the service.
+
+include::modules/microshift-config-etcd.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/microshift_support/microshift-getting-support.adoc b/microshift_support/microshift-getting-support.adoc
index fc7bc0b92a23..5a50d26c9940 100644
--- a/microshift_support/microshift-getting-support.adoc
+++ b/microshift_support/microshift-getting-support.adoc
@@ -8,12 +8,15 @@ toc::[]
 
 Use the following information to get more help with {op-system-bundle}, including {product-title} or {op-system-ostree-first}.
 
+//OCP module
 include::modules/support.adoc[leveloffset=+1]
 
 include::modules/microshift-provide-feedback-jira-link.adoc[leveloffset=+1]
 
+//OCP module
 include::modules/support-knowledgebase-about.adoc[leveloffset=+1]
 
+//OCP module
 include::modules/support-knowledgebase-search.adoc[leveloffset=+1]
 
 include::modules/microshift-submitting-a-case.adoc[leveloffset=+1]
diff --git a/microshift_troubleshooting/microshift-etcd-troubleshoot.adoc b/microshift_troubleshooting/microshift-etcd-troubleshoot.adoc
new file mode 100644
index 000000000000..43778db6043b
--- /dev/null
+++ b/microshift_troubleshooting/microshift-etcd-troubleshoot.adoc
@@ -0,0 +1,11 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="microshift-etcd-troubleshoot"]
+= Troubleshoot etcd
+include::_attributes/attributes-microshift.adoc[]
+:context: microshift-etcd-troubleshoot
+
+toc::[]
+
+To troubleshoot etcd and improve performance, configure the memory allowance for the service.
+
+include::modules/microshift-config-etcd.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/microshift_troubleshooting/microshift-troubleshoot-backup-restore.adoc b/microshift_troubleshooting/microshift-troubleshoot-backup-restore.adoc
index ee361512c7d7..40c1f72ee396 100644
--- a/microshift_troubleshooting/microshift-troubleshoot-backup-restore.adoc
+++ b/microshift_troubleshooting/microshift-troubleshoot-backup-restore.adoc
@@ -21,7 +21,7 @@ Data backups are automatic on `rpm-ostree` systems. If you are not using an `rpm
 
 [id="troubleshoot-backup-restore-microshift-backup-logs_{context}"]
 == Backup logs
-* Logs print to the console during manual backups.
+* Logs print to the terminal console during manual backups.
 * Logs are automatically generated for `rpm-ostree` system automated backups as part of the {microshift-short} journal logs. You can check the logs by running the following command:
 +
 [source,terminal]
diff --git a/microshift_troubleshooting/microshift-troubleshoot-cluster.adoc b/microshift_troubleshooting/microshift-troubleshoot-cluster.adoc
index 172785ac1bc0..b59add857e1f 100644
--- a/microshift_troubleshooting/microshift-troubleshoot-cluster.adoc
+++ b/microshift_troubleshooting/microshift-troubleshoot-cluster.adoc
@@ -6,6 +6,6 @@ include::_attributes/attributes-microshift.adoc[]
 
 toc::[]
 
-To begin troubleshooting a {product-title} cluster, first access the cluster status.
+To begin troubleshooting a {microshift-short} cluster, first access the cluster status.
 
 include::modules/microshift-check-cluster-status.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/microshift_troubleshooting/microshift-troubleshoot-updates.adoc b/microshift_troubleshooting/microshift-troubleshoot-updates.adoc
index e162f659deea..582ea84f6322 100644
--- a/microshift_troubleshooting/microshift-troubleshoot-updates.adoc
+++ b/microshift_troubleshooting/microshift-troubleshoot-updates.adoc
@@ -8,10 +8,10 @@ toc::[]
 
 To troubleshoot {microshift-short} updates, use the following guide.
 
-[IMPORTANT]
-====
-You can only update {microshift-short} from one minor version to the next in sequence. For example, you must update 4.14 to 4.15.
-====
+//[IMPORTANT]
+//====
+//You can only update {microshift-short} from one minor version to the next in sequence. For example, you must update 4.14 to 4.15.
+//====
 
 include::modules/microshift-updates-troubleshooting.adoc[leveloffset=+1]
 
diff --git a/microshift_welcome/index.adoc b/microshift_welcome/index.adoc
index 593c9171412d..332f9e839ce6 100644
--- a/microshift_welcome/index.adoc
+++ b/microshift_welcome/index.adoc
@@ -22,4 +22,4 @@ For related information, use the following links:
 
 * link:https://access.redhat.com/documentation/en-us/red_hat_device_edge/4/html/overview/device-edge-overview[Red Hat Device Edge overview]
 * link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/composing_installing_and_managing_rhel_for_edge_images/index[RHEL for Edge documentation]
-* link:https://docs.openshift.com/container-platform/latest/welcome/index.html[OpenShift Container Platform documentation]
\ No newline at end of file
+* link:https://docs.openshift.com/container-platform/latest/welcome/index.html[OpenShift Container Platform documentation]
diff --git a/migrating_from_ocp_3_to_4/planning-migration-3-4.adoc b/migrating_from_ocp_3_to_4/planning-migration-3-4.adoc
index 07c4ebb19685..5aa562446d2f 100644
--- a/migrating_from_ocp_3_to_4/planning-migration-3-4.adoc
+++ b/migrating_from_ocp_3_to_4/planning-migration-3-4.adoc
@@ -155,9 +155,9 @@ Review the following networking changes to consider when transitioning from {pro
 
 The default network isolation mode for {product-title} 3.11 was `ovs-subnet`, though users frequently switched to use `ovn-multitenant`. The default network isolation mode for {product-title} {product-version} is controlled by a network policy.
 
-If your {product-title} 3.11 cluster used the `ovs-subnet` or `ovs-multitenant` mode, it is recommended to switch to a network policy for your {product-title} {product-version} cluster. Network policies are supported upstream, are more flexible, and they provide the functionality that `ovs-multitenant` does. If you want to maintain the `ovs-multitenant` behavior while using a network policy in {product-title} {product-version}, follow the steps to xref:../networking/openshift_network_security/network_policy/multitenant-network-policy.adoc#multitenant-network-policy[configure multitenant isolation using network policy].
+If your {product-title} 3.11 cluster used the `ovs-subnet` or `ovs-multitenant` mode, it is recommended to switch to a network policy for your {product-title} {product-version} cluster. Network policies are supported upstream, are more flexible, and they provide the functionality that `ovs-multitenant` does. If you want to maintain the `ovs-multitenant` behavior while using a network policy in {product-title} {product-version}, follow the steps to xref:../networking/network_security/network_policy/multitenant-network-policy.adoc#multitenant-network-policy[configure multitenant isolation using network policy].
 
-For more information, see xref:../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy].
+For more information, see xref:../networking/network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy].
 
 [discrete]
 ==== OVN-Kubernetes as the default networking plugin in Red Hat OpenShift Networking
diff --git a/modules/about-developer-perspective.adoc b/modules/about-developer-perspective.adoc
index b063e37d76a9..7dbc79b56c1a 100644
--- a/modules/about-developer-perspective.adoc
+++ b/modules/about-developer-perspective.adoc
@@ -31,4 +31,4 @@ The *Developer* perspective provides workflows specific to developer use cases,
 You can use the *Topology* view to display applications, components, and workloads of your project. If you have no workloads in the project, the *Topology* view will show some links to create or import them. You can also use the *Quick Search* to import components directly.
 
 .Additional Resources
-See link:https://docs.openshift.com/container-platform/4.15/applications/odc-viewing-application-composition-using-topology-view.html[Viewing application composition using the Topology] view for more information on using the *Topology* view in *Developer* perspective.
+See link:https://docs.openshift.com/container-platform/4.16/applications/odc-viewing-application-composition-using-topology-view.html[Viewing application composition using the Topology] view for more information on using the *Topology* view in *Developer* perspective.
diff --git a/modules/about-manually-maintained-credentials-upgrade.adoc b/modules/about-manually-maintained-credentials-upgrade.adoc
index 06435d5a5c65..39bcece996d8 100644
--- a/modules/about-manually-maintained-credentials-upgrade.adoc
+++ b/modules/about-manually-maintained-credentials-upgrade.adoc
@@ -26,14 +26,14 @@ Some platforms only support using the CCO in one mode. For clusters that are ins
 For platforms that support using the CCO in multiple modes, you must determine which mode the cluster is configured to use and take the required actions for that configuration.
 
 .Credentials update requirements by platform type
-image::334_OpenShift_cluster_updating_and_CCO_workflows_0523_4.11_B.png[Decision tree showing the possible update paths for your cluster depending on the configured CCO credentials mode.]
+image::334_OpenShift_cluster_updating_and_CCO_workflows_0523_4.11_B_AliCloud_patch.png[Decision tree showing the possible update paths for your cluster depending on the configured CCO credentials mode.]
 
 {rh-openstack-first} and VMware vSphere::
 These platforms do not support using the CCO in manual mode. Clusters on these platforms handle changes in cloud provider resources automatically and do not require an update to the `upgradeable-to` annotation.
 +
 Administrators of clusters on these platforms should skip the manually maintained credentials section of the update process.
 
-{alibaba}, {ibm-cloud-title}, and Nutanix::
+{ibm-cloud-title} and Nutanix::
 Clusters installed on these platforms are configured using the `ccoctl` utility.
 +
 Administrators of clusters on these platforms must take the following actions:
diff --git a/modules/agent-configuration-parameters.adoc b/modules/agent-configuration-parameters.adoc
index 0e0cc3782c09..49e8d6678f00 100644
--- a/modules/agent-configuration-parameters.adoc
+++ b/modules/agent-configuration-parameters.adoc
@@ -99,7 +99,13 @@ If a `NetworkConfig` section is provided in the `agent-config.yaml` file, this t
   interfaces:
     macAddress:
 |The MAC address of an interface on the host.
-|A MAC address such as the following example: `00-B0-D0-63-C2-26`
+|A MAC address such as the following example: `00-B0-D0-63-C2-26`.
+
+|hosts:
+  role:
+|Defines whether the host is a `master` or `worker` node.
+If no role is defined in the `agent-config.yaml` file, roles will be assigned at random during cluster installation.
+|`master` or `worker`.
 
 |hosts:
   rootDeviceHints:
diff --git a/modules/agent-host-config.adoc b/modules/agent-host-config.adoc
new file mode 100644
index 000000000000..d92c801e43c8
--- /dev/null
+++ b/modules/agent-host-config.adoc
@@ -0,0 +1,16 @@
+// Module included in the following assemblies:
+//
+// * installing/installing-with-agent-based-installer/preparing-to-install-with-agent-based-installer.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="agent-host-config_{context}"]
+= Host configuration
+
+// Starting with whatever content I could find just to have something for feedback, but any additions or replacements are welcome.
+
+You can make additional configurations for each host on the cluster in the `agent-config.yaml` file, such as network configurations and root device hints.
+
+[IMPORTANT]
+====
+For each host you configure, you must provide the MAC address of an interface on the host to specify which host you are configuring.
+====
\ No newline at end of file
diff --git a/modules/agent-host-roles.adoc b/modules/agent-host-roles.adoc
new file mode 100644
index 000000000000..e3c4d3b99446
--- /dev/null
+++ b/modules/agent-host-roles.adoc
@@ -0,0 +1,53 @@
+// Module included in the following assemblies:
+//
+// * installing/installing-with-agent-based-installer/preparing-to-install-with-agent-based-installer.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="agent-host-roles_{context}"]
+= Host roles
+
+Each host in the cluster is assigned a role of either `master` or `worker`.
+You can define the role for each host in the `agent-config.yaml` file by using the `role` parameter.
+If you do not assign a role to the hosts, the roles will be assigned at random during installation.
+
+It is recommended to explicitly define roles for your hosts.
+
+The `rendezvousIP` must be assigned to a host with the `master` role. This can be done manually or by allowing the Agent-based Installer to assign the role.
+
+[IMPORTANT]
+====
+You do not need to explicitly define the `master` role for the rendezvous host, however you cannot create configurations that conflict with this assignment.
+
+For example, if you have 4 hosts with 3 of the hosts explicitly defined to have the `master` role, the last host that is automatically assigned the `worker` role during installation cannot be configured as the rendezvous host.
+====
+
+.Sample agent-config.yaml file
+[source,yaml]
+----
+apiVersion: v1beta1
+kind: AgentConfig
+metadata:
+  name: example-cluster
+rendezvousIP: 192.168.111.80
+hosts:
+  - hostname: master-1
+    role: master
+    interfaces:
+      - name: eno1
+        macAddress: 00:ef:44:21:e6:a5
+  - hostname: master-2
+    role: master
+    interfaces:
+      - name: eno1
+        macAddress: 00:ef:44:21:e6:a6
+  - hostname: master-3
+    role: master
+    interfaces:
+      - name: eno1
+        macAddress: 00:ef:44:21:e6:a7
+  - hostname: worker-1
+    role: worker
+    interfaces:
+      - name: eno1
+        macAddress: 00:ef:44:21:e6:a8
+----
\ No newline at end of file
diff --git a/modules/agent-installer-architectures.adoc b/modules/agent-installer-architectures.adoc
new file mode 100644
index 000000000000..68afb0c3cd53
--- /dev/null
+++ b/modules/agent-installer-architectures.adoc
@@ -0,0 +1,52 @@
+// Module included in the following assemblies:
+//
+// * installing/installing-with-agent-based-installer/preparing-to-install-with-agent-based-installer.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="agent-install-verifying-architectures_{context}"]
+= Verifying the supported architecture for installing an Agent-based Installer cluster
+
+Before installing an {product-title} cluster using the Agent-based Installer, you can verify the supported architecture on which you can install the cluster. This procedure is optional.
+
+.Prerequisites
+
+* You installed the {oc-first}.
+* You have downloaded the installation program.
+
+.Procedure
+
+. Log in to the {oc-first}.
+
+. Check your release payload by running the following command:
+[source,terminal]
++
+----
+$ ./openshift-install version
+----
++
+.Example output
+[source,terminal]
+----
+./openshift-install 4.16.0
+built from commit abc123def456
+release image quay.io/openshift-release-dev/ocp-release@sha256:123abc456def789ghi012jkl345mno678pqr901stu234vwx567yz0
+release architecture amd64
+----
++
+If you are using the release image with the `multi` payload, the `release architecture` displayed in the output of this command is the default architecture.
+
+. To check the architecture of the payload, run the following command:
+[source,terminal]
++
+----
+$ oc adm release info <release_image> -o jsonpath="{ .metadata.metadata}" <1>
+----
+<1> Replace `<release_image>` with the release image. For example: `quay.io/openshift-release-dev/ocp-release@sha256:123abc456def789ghi012jkl345mno678pqr901stu234vwx567yz0`.
++
+.Example output when the release image uses the `multi` payload:
+[source,terminal]
+----
+{"release.openshift.io architecture":"multi"}
+----
++
+If you are using the release image with the `multi` payload, you can install the cluster on different architectures such as `arm64`, `amd64`, `s390x`, and `ppc64le`. Otherwise, you can install the cluster only on the `release architecture` displayed in the output of the `openshift-install version` command.
diff --git a/modules/agent-installer-fips-compliance.adoc b/modules/agent-installer-fips-compliance.adoc
index 8f243efe62c3..bebfbabc21e6 100644
--- a/modules/agent-installer-fips-compliance.adoc
+++ b/modules/agent-installer-fips-compliance.adoc
@@ -10,7 +10,4 @@
 For many {product-title} customers, regulatory readiness, or compliance, on some level is required before any systems can be put into production. That regulatory readiness can be imposed by national standards, industry standards or the organization's corporate governance framework.
 Federal Information Processing Standards (FIPS) compliance is one of the most critical components required in highly secure environments to ensure that only supported cryptographic technologies are allowed on nodes.
 
-[IMPORTANT]
-====
-To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. When running {op-system-base-full} or {op-system-first} booted in FIPS mode, {product-title} core components use the {op-system-base} cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.
-====
+include::snippets/fips-snippet.adoc[]
diff --git a/modules/alibaba-ai-converting-image-to-qcow2.adoc b/modules/alibaba-ai-converting-image-to-qcow2.adoc
new file mode 100644
index 000000000000..f9f5ace0bcd7
--- /dev/null
+++ b/modules/alibaba-ai-converting-image-to-qcow2.adoc
@@ -0,0 +1,33 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_alibaba/installing-alibaba-assisted-installer.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="alibaba-ai-converting-image-to-qcow2_{context}"]
+= Converting the discovery image to QCOW2 format
+
+Convert the generated ISO to `QCOW2` format before importing it into {alibaba}. 
+
+.Prerequisites
+
+* You have created a cluster and downloaded the discovery image in the {ai-full}.
+* You have access to a Red Hat Enterprise Linux or Fedora machine that is outside the cluster, such as your desktop machine.
+* You have ensured that the machine has virtualization flags enabled.
+
+.Procedure
+
+. Open the command line interface on your RHEL or Fedora machine.
+
+. Verify that `qemu-img` is installed on the machine by running the following command:
++
+[source,terminal]
+----
+$ sudo dnf install -y qemu-img
+----
+
+. Convert the image to `QCOW2` by running the following command:
++
+[source,terminal]
+----
+$ qemu-img convert -O qcow2 ${CLUSTER_NAME}.iso ${CLUSTER_NAME}.qcow2
+----
diff --git a/modules/alibaba-ai-installing.adoc b/modules/alibaba-ai-installing.adoc
new file mode 100644
index 000000000000..186b91206429
--- /dev/null
+++ b/modules/alibaba-ai-installing.adoc
@@ -0,0 +1,31 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_alibaba/installing-alibaba-assisted-installer.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="alibaba-ai-installing_{context}"]
+= Process outline for creating a cluster with the {ai-full} 
+
+The main steps of the installation process are as follows:
+
+. Create the cluster with the {ai-full} and download the generated image.
+
+. Convert the image to `QCOW2` format. For more information, see the following section.
+
+. Upload the image to the Object Storage Service bucket in {alibaba}.
+
+. Import the image to the Elastic Compute Service in {alibaba}.
+
+. Provision the {alibaba} resources:
+
+.. In the Virtual Private Cloud (VPC) console, set the networking configurations.
+
+.. In the {alibaba} DNS console, define the Domain Name System.
+
+.. In the Elastic Compute Service (ECS) console, provision the compute instances. 
+
+. Complete host discovery in the {ai-full}.
+
+. Complete the network configurations in {alibaba}.
+
+. Complete the cluster configuration and installation in the {ai-full}.
\ No newline at end of file
diff --git a/modules/api-support-tiers-mapping.adoc b/modules/api-support-tiers-mapping.adoc
index f556cdc551fa..d7e0439b8008 100644
--- a/modules/api-support-tiers-mapping.adoc
+++ b/modules/api-support-tiers-mapping.adoc
@@ -123,6 +123,12 @@ API groups that end with the suffix `monitoring.coreos.com` have the following m
 |`v1`
 |Tier 1
 
+|`v1alpha1`
+|Tier 1
+
+|`v1beta1`
+|Tier 1
+
 |===
 endif::microshift[]
 
diff --git a/modules/arch-platform-operators.adoc b/modules/arch-platform-operators.adoc
deleted file mode 100644
index 3e70106e974a..000000000000
--- a/modules/arch-platform-operators.adoc
+++ /dev/null
@@ -1,25 +0,0 @@
-// Module included in the following assemblies:
-//
-// * architecture/control-plane.adoc
-// * operators/admin/olm-managing-po.adoc
-
-:_mod-docs-content-type: CONCEPT
-
-ifeval::["{context}" == "control-plane"]
-[id="platform-operators_{context}"]
-= Platform Operators (Technology Preview)
-
-:FeatureName: The platform Operator type
-include::snippets/technology-preview.adoc[]
-endif::[]
-
-ifeval::["{context}" == "olm-managing-po"]
-[id="platform-operators_{context}"]
-= About platform Operators
-endif::[]
-
-Operator Lifecycle Manager (OLM) introduces a new type of Operator called _platform Operators_. A platform Operator is an OLM-based Operator that can be installed during or after an {product-title} cluster's Day 0 operations and participates in the cluster's lifecycle. As a cluster administrator, you can use platform Operators to further customize your {product-title} installation to meet your requirements and use cases.
-
-Using the existing cluster capabilities feature in {product-title}, cluster administrators can already disable a subset of Cluster Version Operator-based (CVO) components considered non-essential to the initial payload prior to cluster installation. Platform Operators iterate on this model by providing additional customization options. Through the platform Operator mechanism, which relies on resources from the RukPak component, OLM-based Operators can now be installed at cluster installation time and can block cluster rollout if the Operator fails to install successfully.
-
-In {product-title} 4.12, this Technology Preview release focuses on the basic platform Operator mechanism and builds a foundation for expanding the concept in upcoming releases. You can use the cluster-wide `PlatformOperator` API to configure Operators before or after cluster creation on clusters that have enabled the `TechPreviewNoUpgrades` feature set.
\ No newline at end of file
diff --git a/modules/assisted-installer-adding-hosts-to-the-cluster.adoc b/modules/assisted-installer-adding-hosts-to-the-cluster.adoc
deleted file mode 100644
index c0de5db33bb6..000000000000
--- a/modules/assisted-installer-adding-hosts-to-the-cluster.adoc
+++ /dev/null
@@ -1,25 +0,0 @@
-// This is included in the following assemblies:
-//
-// assisted-installer-installing.adoc
-
-:_mod-docs-content-type: PROCEDURE
-[id="adding-hosts-to-the-cluster_{context}"]
-= Adding hosts to the cluster
-
-You must add one or more hosts to the cluster. Adding a host to the cluster involves generating a discovery ISO. The discovery ISO runs {op-system-first} in-memory with an agent. Perform the following procedure for each host on the cluster.
-
-.Procedure
-
-. Click the *Add hosts* button and select the installation media.
-
-.. Select *Minimal image file: Provision with virtual media* to download a smaller image that will fetch the data needed to boot. The nodes must have virtual media capability. This is the recommended method.
-
-.. Select *Full image file: Provision with physical media* to download the larger full image.
-
-. Add an SSH public key so that you can connect to the cluster nodes as the `core` user. Having a login to the cluster nodes can provide you with debugging information during the installation.
-
-. Optional: If the cluster hosts are behind a firewall that requires the use of a proxy, select *Configure cluster-wide proxy settings*. Enter the username, password, IP address and port for the HTTP and HTTPS URLs of the proxy server.
-
-. Click *Generate Discovery ISO*.
-
-. Download the discovery ISO.
diff --git a/modules/assisted-installer-assisted-installer-prerequisites.adoc b/modules/assisted-installer-assisted-installer-prerequisites.adoc
deleted file mode 100644
index d689ae8c1418..000000000000
--- a/modules/assisted-installer-assisted-installer-prerequisites.adoc
+++ /dev/null
@@ -1,60 +0,0 @@
-// This is included in the following assemblies:
-//
-// installing-on-prem-assisted.adoc
-:_mod-docs-content-type: CONCEPT
-
-[id='assisted-installer-prerequisites_{context}']
-= Assisted Installer prerequisites
-
-The {ai-full} validates the following prerequisites to ensure successful installation.
-
-== Hardware
-
-For control plane nodes or the {sno} node, nodes must have at least the following resources:
-
-* 8 CPU cores
-* 16.00 GiB RAM
-* 100 GB storage
-* 10ms write speed or less for etcd `wal_fsync_duration_seconds`
-
-For worker nodes, each node must have at least the following resources:
-
-* 4 CPU cores
-* 16.00 GiB RAM
-* 100 GB storage
-
-== Networking
-
-The network must meet the following requirements:
-
-* A DHCP server unless using static IP addressing.
-* A base domain name. You must ensure that the following requirements are met:
-  - There is no wildcard, such as `*.<cluster_name>.<base_domain>`, or the installation will not proceed.
-  - A DNS A/AAAA record for `api.<cluster_name>.<base_domain>`.
-  - A DNS A/AAAA record with a wildcard for `*.apps.<cluster_name>.<base_domain>`.
-* Port `6443` is open for the API URL if you intend to allow users outside the firewall to access the cluster via the `oc` CLI tool.
-* Port `443` is open for the console if you intend to allow users outside the firewall to access the console.
-
-[IMPORTANT]
-====
-DNS A/AAAA record settings at top-level domain registrars can take significant time to update. Ensure the A/AAAA record DNS settings are working before installation to prevent installation delays.
-====
-
-The {product-title} cluster's network must also meet the following requirements:
-
-* Connectivity between all cluster nodes
-* Connectivity for each node to the internet
-* Access to an NTP server for time synchronization between the cluster nodes
-
-== Preflight validations
-
-The {ai-full} ensures the cluster meets the prerequisites before installation, because it eliminates complex postinstallation troubleshooting, thereby saving significant amounts of time and effort. Before installing software on the nodes, the {ai-full} conducts the following validations:
-
-* Ensures network connectivity
-* Ensures sufficient network bandwidth
-* Ensures connectivity to the registry
-* Ensures time synchronization between cluster nodes
-* Verifies that the cluster nodes meet the minimum hardware requirements
-* Validates the installation configuration parameters
-
-If the {ai-full} does not successfully validate the foregoing requirements, installation will not proceed.
diff --git a/modules/assisted-installer-booting-with-a-usb-drive.adoc b/modules/assisted-installer-booting-with-a-usb-drive.adoc
deleted file mode 100644
index 18480c1ec777..000000000000
--- a/modules/assisted-installer-booting-with-a-usb-drive.adoc
+++ /dev/null
@@ -1,17 +0,0 @@
-// This is included in the following assemblies:
-//
-// installing_sno/install-sno-installing-sno.adoc
-
-:_mod-docs-content-type: PROCEDURE
-[id="booting-with-a-usb-drive_{context}"]
-= Booting with a USB drive
-
-To register nodes with the {ai-full} using a bootable USB drive, use the following procedure.
-
-.Procedure
-
-. Attach the {op-system} discovery ISO to the target host.
-
-. Configure the boot drive order in the server BIOS settings to boot from the attached discovery ISO, and then reboot the server.
-
-. On the administration host, return to the browser. Wait for the host to appear in the list of discovered hosts.
diff --git a/modules/assisted-installer-completing-the-installation.adoc b/modules/assisted-installer-completing-the-installation.adoc
deleted file mode 100644
index 13817ac68989..000000000000
--- a/modules/assisted-installer-completing-the-installation.adoc
+++ /dev/null
@@ -1,57 +0,0 @@
-// This is included in the following assemblies:
-//
-// assisted-installer-installing.adoc
-
-:_mod-docs-content-type: PROCEDURE
-[id="completing-the-installation_{context}"]
-= Completing the installation
-
-After the cluster is installed and initialized, the {ai-full} indicates that the installation is finished. The {ai-full} provides the console URL, the `kubeadmin` username and password, and the `kubeconfig` file. Additionally, the {ai-full} provides cluster details including the {product-title} version, base domain, CPU architecture, API and Ingress IP addresses, and the cluster and service network IP addresses.
-
-.Prerequisites
-
-* You have installed the `oc` CLI tool.
-
-
-.Procedure
-
-. Make a copy of the `kubeadmin` username and password.
-
-. Download the `kubeconfig` file and copy it to the `auth` directory under your working directory:
-+
-[source,terminal]
-----
-$ mkdir -p <working_directory>/auth
-----
-+
-[source,terminal]
-----
-$ cp kubeadmin <working_directory>/auth
-----
-+
-[NOTE]
-====
-The `kubeconfig` file is available for download for 24 hours after completing the installation.
-====
-
-. Add the `kubeconfig` file to your environment:
-+
-[source,terminal]
-----
-$ export KUBECONFIG=<your working directory>/auth/kubeconfig
-----
-
-. Login with the `oc` CLI tool:
-+
-[source,terminal]
-----
-$ oc login -u kubeadmin -p <password>
-----
-+
-Replace `<password>` with the password of the `kubeadmin` user.
-
-. Click on the web console URL or click *Launch OpenShift Console* to open the console.
-
-. Enter the `kubeadmin` username and password. Follow the instructions in the {product-title} console to configure an identity provider and configure alert receivers.
-
-. Add a bookmark of the {product-title} console.
diff --git a/modules/assisted-installer-configuring-host-network-interfaces.adoc b/modules/assisted-installer-configuring-host-network-interfaces.adoc
deleted file mode 100644
index ce86869d7251..000000000000
--- a/modules/assisted-installer-configuring-host-network-interfaces.adoc
+++ /dev/null
@@ -1,31 +0,0 @@
-// This is included in the following assemblies:
-//
-// assisted-installer-installing.adoc
-
-:_mod-docs-content-type: PROCEDURE
-[id="configuring-host-network-interfaces_{context}"]
-= Optional: Configuring host network interfaces
-
-The {ai-full} supports IPv4 networking and dual stack networking. The {ai-full} also supports configuring host network interfaces with the NMState library, a declarative network manager API for hosts. You can use NMState to deploy hosts with static IP addressing, bonds, VLANs and other advanced networking features. If you chose to configure host network interfaces, you must set network-wide configurations. Then, you must create a host-specific configuration for each host and generate the discovery ISO with the host-specific settings.
-
-.Procedure
-
-. Select the internet protocol version. Valid options are *IPv4* and *Dual stack*.
-
-. If the cluster hosts are on a shared VLAN, enter the VLAN ID.
-
-. Enter the network-wide IP addresses. If you selected *Dual stack* networking, you must enter both IPv4 and IPv6 addresses.
-
-.. Enter the cluster network's IP address range in CIDR notation.
-
-.. Enter the default gateway IP address.
-
-.. Enter the DNS server IP address.
-
-. Enter the host-specific configuration.
-
-.. If you are only setting a static IP address that uses a single network interface, use the form view to enter the IP address and the MAC address for the host.
-
-.. If you are using multiple interfaces, bonding, or other advanced networking features, use the YAML view and enter the desired network state for the host using NMState syntax.
-
-.. Add the MAC address and interface name for each interface used in your network configuration.
diff --git a/modules/assisted-installer-configuring-hosts.adoc b/modules/assisted-installer-configuring-hosts.adoc
deleted file mode 100644
index 3a89c5e0bb38..000000000000
--- a/modules/assisted-installer-configuring-hosts.adoc
+++ /dev/null
@@ -1,25 +0,0 @@
-// This is included in the following assemblies:
-//
-// assisted-installer-installing.adoc
-
-:_mod-docs-content-type: PROCEDURE
-[id="configuring-hosts_{context}"]
-= Configuring hosts
-
-After booting the hosts with the discovery ISO, the hosts will appear in the table at the bottom of the page. You can configure the hostname, role, and installation disk for each host.
-
-.Procedure
-
-. Select a host.
-
-. From the *Actions* list, select *Change hostname*. You must ensure each host has a valid and unique hostname. If necessary, enter a new name for the host and click *Change*.
-
-. For multi-host clusters, in the *Role* column next to the host name, you can click on the menu to change the role of the host.
-+
-If you do not select a role, the {ai-full} will assign the role automatically. The minimum hardware requirements for control plane nodes exceed that of worker nodes. If you assign a role to a host, ensure that you assign the control plane role to hosts that meet the minimum hardware requirements.
-
-. To the left of the checkbox next to a host name, click to expand the host details. If you have multiple disk drives, you can select a different disk drive to act as the installation disk.
-
-. Repeat this procedure for each host.
-
-Once all cluster hosts appear with a status of *Ready*, proceed to the next step.
diff --git a/modules/assisted-installer-configuring-networking.adoc b/modules/assisted-installer-configuring-networking.adoc
deleted file mode 100644
index 07f436301969..000000000000
--- a/modules/assisted-installer-configuring-networking.adoc
+++ /dev/null
@@ -1,51 +0,0 @@
-// This is included in the following assemblies:
-//
-// assisted-installer-installing.adoc
-
-:_mod-docs-content-type: PROCEDURE
-[id="configuring-networking_{context}"]
-= Configuring networking
-
-Before installing {product-title}, you must configure the cluster network.
-
-.Procedure
-
-. In the *Networking* page, select one of the following if it is not already selected for you:
-+
-** *Cluster-Managed Networking:* Selecting cluster-managed networking means that the {ai-full} will configure a standard network topology, including `keepalived` and Virtual Router Redundancy Protocol (VRRP) for managing the API and Ingress VIP addresses.
-+
-** *User-Managed Networking*: Selecting user-managed networking allows you to deploy {product-title} with a non-standard network topology. For example, if you want to deploy with an external load balancer instead of `keepalived` and VRRP, or if you intend to deploy the cluster nodes across many distinct L2 network segments.
-
-. For cluster-managed networking, configure the following settings:
-
-.. Define the *Machine network*. You can use the default network or select a subnet.
-
-.. Define an *API virtual IP*. An API virtual IP provides an endpoint for all users to interact with, and configure the platform.
-
-.. Define an *Ingress virtual IP*. An Ingress virtual IP provides an endpoint for application traffic flowing from outside the cluster.
-
-. For user-managed networking, configure the following settings:
-
-.. Select your *Networking stack type*:
-+
-** *IPv4*: Select this type when your hosts are only using IPv4.
-+
-** *Dual-stack*: You can select dual-stack when your hosts are using IPv4 together with IPv6.
-
-.. Define the *Machine network*. You can use the default network or select a subnet.
-
-.. Define an *API virtual IP*. An API virtual IP provides an endpoint for all users to interact with, and configure the platform.
-
-.. Define an *Ingress virtual IP*. An Ingress virtual IP provides an endpoint for application traffic flowing from outside the cluster.
-
-.. Optional: You can select *Allocate IPs via DHCP server* to automatically allocate the *API IP* and *Ingress IP* using the DHCP server.
-
-. Optional: Select *Use advanced networking* to configure the following advanced networking properties:
-
-** *Cluster network CIDR*: Define an IP address block from which Pod IP addresses are allocated.
-
-** *Cluster network host prefix*: Define a subnet prefix length to assign to each node.
-
-** *Service network CIDR*: Define an IP address to use for service IP addresses.
-
-** *Network type*: Select either *Software-Defined Networking (SDN)* for standard networking or *Open Virtual Networking (OVN)* for telco features.
diff --git a/modules/assisted-installer-installing-the-cluster.adoc b/modules/assisted-installer-installing-the-cluster.adoc
deleted file mode 100644
index 2fac0c22e30f..000000000000
--- a/modules/assisted-installer-installing-the-cluster.adoc
+++ /dev/null
@@ -1,15 +0,0 @@
-// This is included in the following assemblies:
-//
-// assisted-installer-installing.adoc
-
-:_mod-docs-content-type: PROCEDURE
-[id="installing-the-cluster_{context}"]
-= Installing the cluster
-
-After you have completed the configuration and all the nodes are *Ready*, you can begin installation. The installation process takes a considerable amount of time, and you can monitor the installation from the {ai-full} web console. Nodes will reboot during the installation, and they will initialize after installation.
-
-.Procedure
-
-* Press *Begin installation*.
-
-. Click on the link in the *Status* column of the *Host Inventory* list to see the installation status of a particular host.
diff --git a/modules/assisted-installer-pre-installation-considerations.adoc b/modules/assisted-installer-pre-installation-considerations.adoc
deleted file mode 100644
index 366915764f72..000000000000
--- a/modules/assisted-installer-pre-installation-considerations.adoc
+++ /dev/null
@@ -1,18 +0,0 @@
-// This is included in the following assemblies:
-//
-// installing-on-prem-assisted.adoc
-
-:_mod-docs-content-type: CONCEPT
-[id='pre-installation-considerations_{context}']
-= Preinstallation considerations
-
-Before installing {product-title} with the {ai-full}, you must consider the following configuration choices:
-
-* Which base domain to use
-* Which {product-title} product version to install
-* Whether to install a full cluster or {sno}
-* Whether to use a DHCP server or a static network configuration
-* Whether to use IPv4 or dual-stack networking
-* Whether to install {VirtProductName}
-* Whether to install {rh-storage-first}
-* Whether to integrate with vSphere when installing on vSphere
diff --git a/modules/assisted-installer-release-notes.adoc b/modules/assisted-installer-release-notes.adoc
deleted file mode 100644
index 6cd7e4692f26..000000000000
--- a/modules/assisted-installer-release-notes.adoc
+++ /dev/null
@@ -1,36 +0,0 @@
-// This is included in the following assemblies:
-//
-//installing_bare_metal_assisted/installing-bare-metal-assisted.adoc
-
-:_mod-docs-content-type: REFERENCE
-[id="assisted-installer-release-notes_{context}"]
-= {ai-full} {ai-version} release notes
-
-[id="ai-release-notes-about-this-release_{context}"]
-== About this release
-
-These release notes track the development of {ai-full} {ai-version}.
-
-This product was previously released as a Technology Preview product and is now generally available and enabled by default in the {cluster-manager-first}.
-
-[id="ai-release-notes-bug-fixes_{context}"]
-== Bug fixes
-
-*  Previously, users could define `localhost` as a valid host name for all of their hosts. As a result, host names were not unique, and {ai-full} could not install the cluster. With this release, users cannot complete the cluster installation if any of the hosts are named `localhost`. An error appears and users must rename the hosts.
-//(link:https://issues.redhat.com/browse/MGMT-8088[MGMT-8088])
-
-* Previously, in the *OpenShift Web Console troubleshooting* window, the *Optional* field remained blank when undefined instead of displaying an IP address. With this release, the *Optional* field was removed.
-//(link:https://issues.redhat.com/browse/MGMT-9283[MGMT-9283])
-
-* Previously, when installing a cluster on vSphere, the {ai-full} created machines and `MachineSet` objects for every virtual machine. With this release, {ai-full} no longer creates machines or `MachineSet` objects for user-provisioned VMs.
-//(link:https://issues.redhat.com/browse/MGMT-9559[MGMT-9559])
-
-* Previously, if Operators failed to install during an installation with {ai-full}, users received an error message and were directed to reset the cluster installation. With this release, if Operators fail to install, the cluster is automatically degraded.
-
-* Previously, after installing an Operator using {ai-full}, the Operator appeared as *available* in the cluster *Status* area in the *Installation progress* page. However, users had to check the Operator avilability in the {product-title} web console. With this release, the Operator appears as *installed* in the *Status* area.
-
-[id="ai-release-notes-known-issues_{context}"]
-== Known issues
-
-* The minimum disk size required for installing on bare metal using {ai-full} is specified as 120GB. The actual required minimum disk size is 100GB.
-//(link:https://issues.redhat.com/browse/MGMT-9682[MGMT-9682])
diff --git a/modules/assisted-installer-setting-the-cluster-details.adoc b/modules/assisted-installer-setting-the-cluster-details.adoc
deleted file mode 100644
index c39635061ec6..000000000000
--- a/modules/assisted-installer-setting-the-cluster-details.adoc
+++ /dev/null
@@ -1,47 +0,0 @@
-// This is included in the following assemblies:
-//
-// installing-on-prem-assisted.adoc
-
-:_mod-docs-content-type: PROCEDURE
-[id='setting-the-cluster-details_{context}']
-= Setting the cluster details
-
-To create a cluster with the {ai-full} web user interface, use the following procedure.
-
-.Procedure
-
-. Log in to the link:https://console.redhat.com[RedHat Hybrid Cloud Console].
-
-. In the menu, click *OpenShift*.
-
-. Click *Create cluster*.
-
-. Click the *Datacenter* tab.
-
-. Under the *{ai-full}* section, select *Create cluster*.
-
-. Enter a name for the cluster in the *Cluster name* field.
-
-. Enter a base domain for the cluster in the *Base domain* field. All subdomains for the cluster will use this base domain.
-+
-[NOTE]
-====
-The base domain must be a valid DNS name. You must not have a wild card domain set up for the base domain.
-====
-
-. Select the version of {product-title} to install.
-
-. Optional: Select *Install single node Openshift (SNO)* if you want to install {product-title} on a single node.
-
-. Optional: The {ai-full} already has the pull secret associated to your account. If you want to use a different pull secret, select *Edit pull secret*.
-
-. Optional: {ai-full} defaults to using x86_64 CPU architecture. If you are installing {product-title} on 64-bit ARM CPUs, select *Use arm64 CPU architecture*. Keep in mind, some features are not available with 64-bit ARM CPU architecture.
-
-. Optional: If you are using a static IP configuration for the cluster nodes instead of DHCP reservations, select *Static network configuration*.
-
-. Optional: If you want to enable encryption of the installation disks, select *Enable encryption of installation disks*. For multi-node clusters, you can choose to encrypt the control plane and worker node installation disks separately.
-
-[IMPORTANT]
-====
-You cannot change the base domain, the SNO checkbox, the CPU architecture, the host's network configuration, or the disk-encryption after installation begins.
-====
diff --git a/modules/binding-infra-node-workloads-using-taints-tolerations.adoc b/modules/binding-infra-node-workloads-using-taints-tolerations.adoc
index d75fd63c7288..e2e873e90e04 100644
--- a/modules/binding-infra-node-workloads-using-taints-tolerations.adoc
+++ b/modules/binding-infra-node-workloads-using-taints-tolerations.adoc
@@ -53,7 +53,7 @@ For example:
 +
 [source,terminal]
 ----
-$ oc adm taint nodes node1 node-role.kubernetes.io/infra=reserved:NoExecute
+$ oc adm taint nodes node1 node-role.kubernetes.io/infra=reserved:NoSchedule
 ----
 +
 [TIP]
@@ -71,33 +71,78 @@ metadata:
 spec:
   taints:
     - key: node-role.kubernetes.io/infra
-      effect: NoExecute
+      effect: NoSchedule
       value: reserved
   ...
 ----
 ====
 +
-This example places a taint on `node1` that has key `node-role.kubernetes.io/infra` and taint effect `NoSchedule`. Nodes with the `NoSchedule` effect schedule only pods that tolerate the taint, but allow existing pods to remain scheduled on the node.
+This example places a taint on `node1` that has key `node-role.kubernetes.io/infra` and taint effect `NoSchedule`. Nodes with the `NoSchedule` effect schedule only pods that tolerate the taint, but allow existing pods to remain scheduled on the node. 
 +
 [NOTE]
 ====
 If a descheduler is used, pods violating node taints could be evicted from the cluster.
 ====
 
+.. Add the taint with NoExecute Effect along with the above taint with NoSchedule Effect:
++
+[source,terminal]
+----
+$ oc adm taint nodes <node_name> <key>=<value>:<effect>
+----
++
+For example:
++
+[source,terminal]
+----
+$ oc adm taint nodes node1 node-role.kubernetes.io/infra=reserved:NoExecute
+----
++
+[TIP]
+====
+You can alternatively apply the following YAML to add the taint:
+
+[source,yaml]
+----
+kind: Node
+apiVersion: v1
+metadata:
+  name: <node_name>
+  labels:
+    ...
+spec:
+  taints:
+    - key: node-role.kubernetes.io/infra
+      effect: NoExecute
+      value: reserved
+  ...
+----
+====
++
+This example places a taint on `node1` that has the key `node-role.kubernetes.io/infra` and taint effect `NoExecute`. Nodes with the `NoExecute` effect schedule only pods that tolerate the taint. The effect will remove any existing pods from the node that do not have a matching toleration. 
++
+
+
 . Add tolerations for the pod configurations you want to schedule on the infra node, like router, registry, and monitoring workloads. Add the following code to the `Pod` object specification:
 +
 [source,yaml]
 ----
 tolerations:
-  - effect: NoExecute <1>
+  - effect: NoSchedule <1>
     key: node-role.kubernetes.io/infra <2>
-    operator: Exists <3>
-    value: reserved <4>
+    value: reserved <3>
+  - effect: NoExecute <4>
+    key: node-role.kubernetes.io/infra <5>
+    operator: Exists <6>
+    value: reserved <7>
 ----
 <1> Specify the effect that you added to the node.
 <2> Specify the key that you added to the node.
-<3> Specify the `Exists` Operator to require a taint with the key `node-role.kubernetes.io/infra` to be present on the node.
-<4> Specify the value of the key-value pair taint that you added to the node.
+<3> Specify the value of the key-value pair taint that you added to the node.
+<4> Specify the effect that you added to the node.
+<5> Specify the key that you added to the node.
+<6> Specify the `Exists` Operator to require a taint with the key `node-role.kubernetes.io/infra` to be present on the node.
+<7> Specify the value of the key-value pair taint that you added to the node.
 +
 This toleration matches the taint created by the `oc adm taint` command. A pod with this toleration can be scheduled onto the infra node.
 +
diff --git a/modules/bmo-about-the-bare-metal-operator.adoc b/modules/bmo-about-the-bare-metal-operator.adoc
index c0d7a33fd257..8ee16286262d 100644
--- a/modules/bmo-about-the-bare-metal-operator.adoc
+++ b/modules/bmo-about-the-bare-metal-operator.adoc
@@ -8,15 +8,16 @@
 
 Use the Bare Metal Operator (BMO) to provision, manage, and inspect bare-metal hosts in your cluster. 
  
-The BMO uses three resources to complete these tasks: 
+The BMO uses the following resources to complete these tasks: 
 
 * `BareMetalHost`
 * `HostFirmwareSettings`
 * `FirmwareSchema`
+* `HostFirmwareComponents`
 
 The BMO maintains an inventory of the physical hosts in the cluster by mapping each bare-metal host to an instance of the `BareMetalHost` custom resource definition. Each `BareMetalHost` resource features hardware, software, and firmware details. The BMO continually inspects the bare-metal hosts in the cluster to ensure each `BareMetalHost` resource accurately details the components of the corresponding host. 
 
-The BMO also uses the `HostFirmwareSettings` resource and the `FirmwareSchema` resource to detail firmware specifications for the bare-metal host. 
+The BMO also uses the `HostFirmwareSettings` resource, the `FirmwareSchema` resource, and the `HostFirmwareComponents` resource to detail firmware specifications and upgrade or downgrade firmware for the bare-metal host. 
 
 The BMO interfaces with bare-metal hosts in the cluster by using the Ironic API service. The Ironic service uses the Baseboard Management Controller (BMC) on the host to interface with the machine. 
 
@@ -26,4 +27,5 @@ Some common tasks you can complete by using the BMO include the following:
 * Format a host's disk contents before provisioning or after deprovisioning
 * Turn on or off a host
 * Change firmware settings
-* View the host's hardware details 
\ No newline at end of file
+* View the host's hardware details
+* Upgrade or downgrade a host's firmware to a specific version
\ No newline at end of file
diff --git a/modules/bmo-about-the-baremetalhost-resource.adoc b/modules/bmo-about-the-baremetalhost-resource.adoc
index 97e648538cf9..5887bb9e8b9b 100644
--- a/modules/bmo-about-the-baremetalhost-resource.adoc
+++ b/modules/bmo-about-the-baremetalhost-resource.adoc
@@ -71,7 +71,7 @@ image:
   checksumType:
   format:
 ----
-a| The `image` configuration setting holds the details for the image to be deployed on the host. Ironic requires the image fields. However, when the `externallyProvisioned` configuration setting is set to `true` and the external management doesn't require power control, the fields can be empty. The fields are:
+a| The `image` configuration setting holds the details for the image to be deployed on the host. Ironic requires the image fields. However, when the `externallyProvisioned` configuration setting is set to `true` and the external management does not require power control, the fields can be empty. The setting supports the following fields:
 
 * `url`: The URL of an image to deploy to the host.
 * `checksum`: The actual checksum or a URL to a file containing the checksum for the image at `image.url`.
@@ -104,7 +104,7 @@ a|  (Optional) Contains the information about the RAID configuration for bare me
 
 See the following configuration settings:
 
-* `hardwareRAIDVolumes`: Contains the list of logical drives for hardware RAID, and defines the desired volume configuration in the hardware RAID. If you don't specify `rootDeviceHints`, the first volume is the root volume. The sub-fields are:
+* `hardwareRAIDVolumes`: Contains the list of logical drives for hardware RAID, and defines the desired volume configuration in the hardware RAID. If you do not specify `rootDeviceHints`, the first volume is the root volume. The sub-fields are:
 
 ** `level`: The RAID level for the logical drive. The following levels are supported: `0`,`1`,`2`,`5`,`6`,`1+0`,`5+0`,`6+0`.
 ** `name`: The name of the volume as a string. It should be unique within the server. If not specified, the volume name will be auto-generated.
@@ -114,7 +114,7 @@ See the following configuration settings:
 ** `rotational`: If set to `true`, it will only select rotational disk drives. If set to `false`, it will only select solid-state and NVMe drives. If not set, it selects any drive types, which is the default behavior.
 ** `sizeGibibytes`: The size of the logical drive as an integer to create in GiB. If unspecified or set to `0`, it will use the maximum capacity of physical drive for the logical drive.
 
-* `softwareRAIDVolumes`: {product-title} {product-version} does not support software RAID. The following information is for reference only. This configuration contains the list of logical disks for software RAID. If you don't specify `rootDeviceHints`, the first volume is the root volume. If you set `HardwareRAIDVolumes`, this item will be invalid. Software RAIDs will always be deleted. The number of created software RAID devices must be `1` or `2`. If there is only one software RAID device, it must be `RAID-1`. If there are two RAID devices, the first device must be `RAID-1`, while the RAID level for the second device can be `0`, `1`, or `1+0`. The first RAID device will be the deployment device. Therefore, enforcing `RAID-1` reduces the risk of a non-booting node in case of a device failure. The `softwareRAIDVolume` field defines the desired configuration of the volume in the software RAID. The sub-fields are:
+* `softwareRAIDVolumes`: {product-title} {product-version} does not support software RAID. The following information is for reference only. This configuration contains the list of logical disks for software RAID. If you do not specify `rootDeviceHints`, the first volume is the root volume. If you set `HardwareRAIDVolumes`, this item will be invalid. Software RAIDs will always be deleted. The number of created software RAID devices must be `1` or `2`. If there is only one software RAID device, it must be `RAID-1`. If there are two RAID devices, the first device must be `RAID-1`, while the RAID level for the second device can be `0`, `1`, or `1+0`. The first RAID device will be the deployment device. Therefore, enforcing `RAID-1` reduces the risk of a non-booting node in case of a device failure. The `softwareRAIDVolume` field defines the desired configuration of the volume in the software RAID. The sub-fields are:
 
 ** `level`: The RAID level for the logical drive. The following levels are supported: `0`,`1`,`1+0`.
 ** `physicalDisks`: A list of device hints. The number of items should be greater than or equal to `2`.
diff --git a/modules/bmo-about-the-hostfirmwarecomponents-resource.adoc b/modules/bmo-about-the-hostfirmwarecomponents-resource.adoc
new file mode 100644
index 000000000000..994c4582567c
--- /dev/null
+++ b/modules/bmo-about-the-hostfirmwarecomponents-resource.adoc
@@ -0,0 +1,78 @@
+// This is included in the following assemblies:
+//
+// post_installation_configuration/bare-metal-configuration.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="about-the-hostfirmwarecomponents-resource_{context}"]
+= About the HostFirmwareComponents resource
+
+Metal^3^ provides the `HostFirmwareComponents` resource, which describes BIOS and baseboard management controller (BMC) firmware versions. The `HostFirmwareComponents` resource contains two sections:
+
+. The `HostFirmwareComponents` spec
+. The `HostFirmwareComponents` status
+
+== HostFirmwareComponents spec
+
+The `spec` section of the `HostFirmwareComponents` resource defines the desired state of the host's BIOS and BMC versions.
+
+.HostFirmwareComponents spec
+[options="header"]
+|====
+|Parameters |Description
+
+a|
+----
+updates:
+  component:
+  url:
+----
+a| The `updates` configuration setting contains the components to update. The fields are:
+
+* `component`: The name of the component. The valid settings are `bios` or `bmc`.
+
+* `url`: The URL to the component's firmware specification and version.
+|====
+
+
+== HostFirmwareComponents status
+
+The `status` section of the `HostFirmwareComponents` resource returns the current status of the host's BIOS and BMC versions.
+
+.HostFirmwareComponents status
+[options="header"]
+|====
+|Parameters |Description
+
+a|
+----
+components:
+  component:
+  initialVersion:
+  currentVersion:
+  lastVersionFlashed:
+  updatedAt:
+----
+a| The `components` section contains the status of the components. The fields are:
+
+* `component`: The name of the firmware component. It returns `bios` or `bmc`.
+
+* `initialVersion`: The initial firmware version of the component. Ironic retrieves this information when creating the `BareMetalHost` resource. You cannot change it.
+
+* `currentVersion`: The current firmware version of the component. Initially, the value matches the `initialVersion` value until Ironic updates the firmware on the bare-metal host.
+
+* `lastVersionFlashed`: The last firmware version of the component flashed on the bare-metal host. This field returns `null` until Ironic updates the firmware.
+
+* `updatedAt`: The timestamp when Ironic updated the bare-metal host's firmware.
+
+a|
+----
+updates:
+  component:
+  url:
+----
+a| The `updates` configuration setting contains the updated components. The fields are:
+
+* `component`: The name of the component.
+
+* `url`: The URL to the component's firmware specification and version.
+|====
\ No newline at end of file
diff --git a/modules/bmo-attaching-a-non-bootable-iso-to-a-bare-metal-node.adoc b/modules/bmo-attaching-a-non-bootable-iso-to-a-bare-metal-node.adoc
new file mode 100644
index 000000000000..85c09c4f8439
--- /dev/null
+++ b/modules/bmo-attaching-a-non-bootable-iso-to-a-bare-metal-node.adoc
@@ -0,0 +1,98 @@
+// This module is included in the following assemblies: 
+//
+// * post_installation_configuration/bare-metal-configuration.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="attaching-a-non-bootable-iso-to-a-bare-metal-node_{context}"]
+= Attaching a non-bootable ISO to a bare-metal node
+
+You can attach a generic, non-bootable ISO virtual media image to a provisioned node by using the `DataImage` resource. After you apply the resource, the ISO image becomes accessible to the operating system after it has booted. This is useful for configuring a node after provisioning the operating system and before the node boots for the first time.
+
+.Prerequisites
+
+* The node must use Redfish or drivers derived from it to support this feature.
+* The node must be in the `Provisioned` or `ExternallyProvisioned` state.
+* The `name` must be the same as the name of the node defined in its `BareMetalHost` resource.
+* You have a valid `url` to the ISO image.
+
+.Procedure
+
+. Create a `DataImage` resource:
++
+[source,yaml]
+----
+apiVersion: metal3.io/v1alpha1
+kind: DataImage
+metadata:
+  name: <node_name> # <1>
+spec:
+  url: "http://dataimage.example.com/non-bootable.iso" # <2>
+----
+<1> Specify the name of the node as defined in its `BareMetalHost` resource.
+<2> Specify the URL and path to the ISO image.
+
+. Save the `DataImage` resource to a file by running the following command:
++
+[source,terminal]
+----
+$ vim <node_name>-dataimage.yaml
+----
+
+. Apply the `DataImage` resource by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f <node_name>-dataimage.yaml -n <node_namespace> <1>
+----
+<1> Replace `<node_namespace>` so that the namespace matches the namespace for the `BareMetalHost` resource. For example, `openshift-machine-api`.
+
+. Reboot the node. 
++
+[NOTE]
+====
+To reboot the node, attach the `reboot.metal3.io` annotation, or reset set the `online` status in the `BareMetalHost` resource. A forced reboot of the bare-metal node will change the state of the node to `NotReady` for awhile. For example, 5 minutes or more.
+====
+
+. View the `DataImage` resource by running the following command:
++
+[source,terminal]
+----
+$ oc get dataimage <node_name> -n openshift-machine-api -o yaml
+----
++
+.Example output
+[source,yaml]
+----
+apiVersion: v1
+items:
+- apiVersion: metal3.io/v1alpha1
+  kind: DataImage
+  metadata:
+    annotations:
+      kubectl.kubernetes.io/last-applied-configuration: |
+        {"apiVersion":"metal3.io/v1alpha1","kind":"DataImage","metadata":{"annotations":{},"name":"bmh-node-1","namespace":"openshift-machine-api"},"spec":{"url":"http://dataimage.example.com/non-bootable.iso"}}
+    creationTimestamp: "2024-06-10T12:00:00Z"
+    finalizers:
+    - dataimage.metal3.io
+    generation: 1
+    name: bmh-node-1
+    namespace: openshift-machine-api
+    ownerReferences:
+    - apiVersion: metal3.io/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: BareMetalHost
+      name: bmh-node-1
+      uid: 046cdf8e-0e97-485a-8866-e62d20e0f0b3
+    resourceVersion: "21695581"
+    uid: c5718f50-44b6-4a22-a6b7-71197e4b7b69
+  spec:
+    url: http://dataimage.example.com/non-bootable.iso
+  status:
+    attachedImage:
+      url: http://dataimage.example.com/non-bootable.iso
+    error:
+      count: 0
+      message: ""
+    lastReconciled: "2024-06-10T12:05:00Z"
+----
diff --git a/modules/bmo-editing-a-baremetalhost-resource.adoc b/modules/bmo-editing-a-baremetalhost-resource.adoc
new file mode 100644
index 000000000000..f1bbd0df328e
--- /dev/null
+++ b/modules/bmo-editing-a-baremetalhost-resource.adoc
@@ -0,0 +1,47 @@
+// This module is included in the following assemblies: 
+//
+// post_installation_configuration/bare-metal-configuration.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="editing-a-baremetalhost-resource_{context}"]
+= Editing a BareMetalHost resource
+
+After you deploy an {product-title} cluster on bare metal, you might need to edit a node's `BareMetalHost` resource. Consider the following examples:
+
+* You deploy a cluster with the {ai-full} and need to add or edit the baseboard management controller (BMC) host name or IP address.
+* You want to move a node from one cluster to another without deprovisioning it.
+
+.Prerequisites
+
+* Ensure the node is in the `Provisioned`, `ExternallyProvisioned`, or `Available` state.
+
+.Procedure
+
+. Get the list of nodes:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc get bmh -n openshift-machine-api
+----
+
+. Before editing the node's `BareMetalHost` resource, detach the node from Ironic by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc annotate baremetalhost <node_name> -n openshift-machine-api 'baremetalhost.metal3.io/detached=true' <1>
+----
+<1> Replace `<node_name>` with the name of the node.
+
+. Edit the  `BareMetalHost` resource by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc edit bmh <node_name> -n openshift-machine-api
+----
+
+. Reattach the node to Ironic by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc annotate baremetalhost <node_name> -n openshift-machine-api 'baremetalhost.metal3.io/detached'-
+----
diff --git a/modules/bmo-editing-the-hostfirmwarecomponents-resource.adoc b/modules/bmo-editing-the-hostfirmwarecomponents-resource.adoc
new file mode 100644
index 000000000000..9dcca4b22109
--- /dev/null
+++ b/modules/bmo-editing-the-hostfirmwarecomponents-resource.adoc
@@ -0,0 +1,127 @@
+// This is included in the following assemblies:
+//
+// post_installation_configuration/bare-metal-configuration.adoc
+
+[id="editing-the-hostfirmwarecomponents-resource_{context}"]
+= Editing the HostFirmwareComponents resource
+
+You can edit the `HostFirmwareComponents` resource of a node.
+
+.Procedure
+
+. Get the detailed list of `HostFirmwareComponents` resources:
++
+[source,terminal]
+----
+$ oc get hostfirmwarecomponents -n openshift-machine-api -o yaml
+----
+
+. Edit a host's `HostFirmwareComponents` resource:
++
+[source,terminal]
+----
+$ oc edit <host_name> hostfirmwarecomponents -n openshift-machine-api <1>
+----
+<1> Where `<host_name>` is the name of the host. The `HostFirmwareComponents` resource will open in the default editor for your terminal.
++
+.Example output
+[source,yaml]
+----
+---
+apiVersion: metal3.io/v1alpha1
+kind: HostFirmwareComponents
+metadata:
+  creationTimestamp: 2024-04-25T20:32:06Z"
+  generation: 1
+  name: ostest-master-2
+  namespace: openshift-machine-api
+  ownerReferences:
+  - apiVersion: metal3.io/v1alpha1
+    blockOwnerDeletion: true
+    controller: true
+    kind: BareMetalHost
+    name: ostest-master-2
+    uid: 16022566-7850-4dc8-9e7d-f216211d4195
+  resourceVersion: "2437"
+  uid: 2038d63f-afc0-4413-8ffe-2f8e098d1f6c
+spec:
+  updates:
+    - name: bios <1>
+      url: https://myurl.with.firmware.for.bios <2>
+    - name: bmc <3>
+      url: https://myurl.with.firmware.for.bmc <4>
+status:
+  components:
+  - component: bios
+    currentVersion: 1.0.0
+    initialVersion: 1.0.0
+  - component: bmc
+    currentVersion: "1.00"
+    initialVersion: "1.00"
+  conditions:
+  - lastTransitionTime: "2024-04-25T20:32:06Z"
+    message: ""
+    observedGeneration: 1
+    reason: OK
+    status: "True"
+    type: Valid
+  - lastTransitionTime: "2024-04-25T20:32:06Z"
+    message: ""
+    observedGeneration: 1
+    reason: OK
+    status: "False"
+    type: ChangeDetected
+  lastUpdated: "2024-04-25T20:32:06Z"
+----
+<1> To set a BIOS version, set the `name` attribute to `bios`.
+<2> To set a BIOS version, set the `url` attribute to the URL for the firmware version of the BIOS.
+<3> To set a BMC version, set the `name` attribute to `bmc`.
+<4> To set a BMC version, set the `url` attribute to the URL for the firmware verison of the BMC.
+
+. Save the changes and exit the editor.
+
+. Get the host’s machine name:
++
+[source,terminal]
+----
+$ oc get bmh <host_name> -n openshift-machine name <1>
+----
+<1> Where `<host_name>` is the name of the host. The machine name appears under the `CONSUMER` field.
+
+. Annotate the machine to delete it from the machine set:
++
+[source,terminal]
+----
+$ oc annotate machine <machine_name> machine.openshift.io/delete-machine=true -n openshift-machine-api <1>
+----
+<1> Where `<machine_name>` is the name of the machine to delete.
+
+. Get a list of nodes and count the number of worker nodes:
++
+[source,terminal]
+----
+$ oc get nodes
+----
+
+. Get the machine set:
++
+[source,terminal]
+----
+$ oc get machinesets -n openshift-machine-api
+----
+
+. Scale the machine set:
++
+[source,terminal]
+----
+$ oc scale machineset <machineset_name> -n openshift-machine-api --replicas=<n-1> <1>
+----
+<1> Where `<machineset_name>` is the name of the machine set and `<n-1>` is the decremented number of worker nodes.
+
+. When the host enters the `Available` state, scale up the machine set to make the `HostFirmwareComponents` resource changes take effect:
++
+[source,terminal]
+----
+$ oc scale machineset <machineset_name> -n openshift-machine-api --replicas=<n> <1>
+----
+<1> Where `<machineset_name>` is the name of the machine set and `<n>` is the number of worker nodes.
diff --git a/modules/bmo-getting-the-baremetalhost-resource.adoc b/modules/bmo-getting-the-baremetalhost-resource.adoc
index a21e36cfc087..e8a9b56bcb5a 100644
--- a/modules/bmo-getting-the-baremetalhost-resource.adoc
+++ b/modules/bmo-getting-the-baremetalhost-resource.adoc
@@ -66,7 +66,6 @@ spec:
     namespace: openshift-machine-api
   customDeploy:
     method: install_coreos
-  hardwareProfile: unknown
   online: true
   rootDeviceHints:
     deviceName: /dev/disk/by-id/scsi-<serial_number>
@@ -115,7 +114,6 @@ status:
       manufacturer: HPE
       productName: ProLiant DL380 Gen10 (868703-B21)
       serialNumber: CZ200606M3
-  hardwareProfile: unknown
   lastUpdated: "2022-06-16T11:41:42Z"
   operationalStatus: OK
   poweredOn: true
@@ -137,5 +135,4 @@ status:
       name: openshift-worker-0-bmc-secret
       namespace: openshift-machine-api
     credentialsVersion: "16120"
-
 ----
diff --git a/modules/bmo-getting-the-hostfirmwarecomponents-resource.adoc b/modules/bmo-getting-the-hostfirmwarecomponents-resource.adoc
new file mode 100644
index 000000000000..4591c23adb73
--- /dev/null
+++ b/modules/bmo-getting-the-hostfirmwarecomponents-resource.adoc
@@ -0,0 +1,80 @@
+// This is included in the following assemblies:
+//
+// post_installation_configuration/bare-metal-configuration.adoc
+
+[id="getting-the-hostfirmwarecomponents-resource_{context}"]
+= Getting the HostFirmwareComponents resource
+
+The `HostFirmwareComponents` resource contains the specific firmware version of the BIOS and baseboard management controller (BMC) of a physical host. You must get the `HostFirmwareComponents` resource for a physical host to review the firmware version and status.
+
+.Procedure
+
+. Get the detailed list of `HostFirmwareComponents` resources:
++
+[source,terminal]
+----
+$ oc get hostfirmwarecomponents -n openshift-machine-api -o yaml
+----
+
+. Get the list of `HostFirmwareComponents` resources:
++
+[source,terminal]
+----
+$ oc get hostfirmwarecomponents -n openshift-machine-api
+----
+
+. Get the `HostFirmwareComponents` resource for a particular host:
++
+[source,terminal]
+----
+$ oc get hostfirmwarecomponents <host_name> -n openshift-machine-api -o yaml
+----
++
+Where `<host_name>` is the name of the host.
++
+.Example output
+[source,yaml]
+----
+---
+apiVersion: metal3.io/v1alpha1
+kind: HostFirmwareComponents
+metadata:
+  creationTimestamp: 2024-04-25T20:32:06Z"
+  generation: 1
+  name: ostest-master-2
+  namespace: openshift-machine-api
+  ownerReferences:
+  - apiVersion: metal3.io/v1alpha1
+    blockOwnerDeletion: true
+    controller: true
+    kind: BareMetalHost
+    name: ostest-master-2
+    uid: 16022566-7850-4dc8-9e7d-f216211d4195
+  resourceVersion: "2437"
+  uid: 2038d63f-afc0-4413-8ffe-2f8e098d1f6c
+spec:
+  updates: []
+status:
+  components:
+  - component: bios
+    currentVersion: 1.0.0
+    initialVersion: 1.0.0
+  - component: bmc
+    currentVersion: "1.00"
+    initialVersion: "1.00"
+  conditions:
+  - lastTransitionTime: "2024-04-25T20:32:06Z"
+    message: ""
+    observedGeneration: 1
+    reason: OK
+    status: "True"
+    type: Valid
+  - lastTransitionTime: "2024-04-25T20:32:06Z"
+    message: ""
+    observedGeneration: 1
+    reason: OK
+    status: "False"
+    type: ChangeDetected
+  lastUpdated: "2024-04-25T20:32:06Z"
+  updates: [] 
+----
\ No newline at end of file
diff --git a/modules/build-config-capability.adoc b/modules/build-config-capability.adoc
index 13f8713c811b..4b685eb36419 100644
--- a/modules/build-config-capability.adoc
+++ b/modules/build-config-capability.adoc
@@ -13,5 +13,10 @@ The `Build` capability enables the `Build` API. The `Build` API manages the life
 
 [IMPORTANT]
 ====
-If the `Build` capability is disabled, the cluster cannot use `Build` or `BuildConfig` resources. Disable the capability only if `Build` and `BuildConfig` resources are not required in the cluster.
+If you disable the `Build` capability, the following resources will not be available in the cluster:
+
+* `Build` and `BuildConfig` resources
+* The `builder` service account
+
+Disable the `Build` capability only if you do not require `Build` and `BuildConfig` resources or the `builder` service account in the cluster.
 ====
diff --git a/modules/builds-source-secrets-entitlements.adoc b/modules/builds-source-secrets-entitlements.adoc
index 25e0947ab2a7..4e671b4bf2a5 100644
--- a/modules/builds-source-secrets-entitlements.adoc
+++ b/modules/builds-source-secrets-entitlements.adoc
@@ -10,7 +10,9 @@ Builds that use Red Hat subscriptions to install content must include the entitl
 
 .Prerequisites
 
+ifndef::openshift-dedicated,openshift-rosa[]
 * You must have access to {op-system-base-full} package repositories through your subscription. The entitlement secret to access these repositories is automatically created by the Insights Operator when your cluster is subscribed.
+endif::openshift-dedicated,openshift-rosa[]
 
 * You must have access to the cluster as a user with the `cluster-admin` role or you have permission to access secrets in the `openshift-config-managed` project.
 
diff --git a/modules/builds-using-bitbucket-webhooks.adoc b/modules/builds-using-bitbucket-webhooks.adoc
index 9bb97b275f44..cbbd1718e6b2 100644
--- a/modules/builds-using-bitbucket-webhooks.adoc
+++ b/modules/builds-using-bitbucket-webhooks.adoc
@@ -24,6 +24,10 @@ The payload URL is returned as the Bitbucket Webhook URL by the `oc describe` co
 https://<openshift_api_host:port>/apis/build.openshift.io/v1/namespaces/<namespace>/buildconfigs/<name>/webhooks/<secret>/bitbucket
 ----
 
+.Prerequisites
+
+* `system:unauthenticated` has access to the `system:webhook` role in the required namespaces. Or, `system:unauthenticated` has access to the `system:webhook` cluster role.
+
 .Procedure
 
 . Configure a Bitbucket Webhook.
diff --git a/modules/builds-using-build-volumes.adoc b/modules/builds-using-build-volumes.adoc
index 9a6dbc32b5ae..28d685cea154 100644
--- a/modules/builds-using-build-volumes.adoc
+++ b/modules/builds-using-build-volumes.adoc
@@ -1,3 +1,7 @@
+// Module included in the following assemblies:
+//
+// * cicd/builds/build-strategies.adoc
+
 ifeval::["{context}" == "build-strategies-docker"]
 :dockerstrategy:
 endif::[]
@@ -68,6 +72,9 @@ ifndef::openshift-dedicated,openshift-rosa[]
 <5> Required. The driver that provides the ephemeral CSI volume.
 <6> Required. This value must be set to `true`. Provides a read-only volume.
 <7> Optional. The volume attributes of the ephemeral CSI volume. Consult the CSI driver's documentation for supported attribute keys and values.
+
+:FeatureName: Shared Resource CSI Driver
+include::snippets/technology-preview.adoc[]
 endif::openshift-dedicated,openshift-rosa[]
 --
 
diff --git a/modules/builds-using-github-webhooks.adoc b/modules/builds-using-github-webhooks.adoc
index fe2d3ed8bf02..3dcab17b888f 100644
--- a/modules/builds-using-github-webhooks.adoc
+++ b/modules/builds-using-github-webhooks.adoc
@@ -35,6 +35,7 @@ https://<openshift_api_host:port>/apis/build.openshift.io/v1/namespaces/<namespa
 .Prerequisites
 
 * Create a `BuildConfig` from a GitHub repository.
+* `system:unauthenticated` has access to the `system:webhook` role in the required namespaces. Or, `system:unauthenticated` has access to the `system:webhook` cluster role.
 
 .Procedure
 
diff --git a/modules/builds-using-gitlab-webhooks.adoc b/modules/builds-using-gitlab-webhooks.adoc
index 2d139a32703f..7c27b3523050 100644
--- a/modules/builds-using-gitlab-webhooks.adoc
+++ b/modules/builds-using-gitlab-webhooks.adoc
@@ -24,6 +24,10 @@ The payload URL is returned as the GitLab Webhook URL by the `oc describe` comma
 https://<openshift_api_host:port>/apis/build.openshift.io/v1/namespaces/<namespace>/buildconfigs/<name>/webhooks/<secret>/gitlab
 ----
 
+.Prerequisites
+
+* `system:unauthenticated` has access to the `system:webhook` role in the required namespaces. Or, `system:unauthenticated` has access to the `system:webhook` cluster role.
+
 .Procedure
 
 . Configure a GitLab Webhook.
diff --git a/modules/capi-arch-operator.adoc b/modules/capi-arch-operator.adoc
index 6947c6d25c7c..eaa6c6f0575e 100644
--- a/modules/capi-arch-operator.adoc
+++ b/modules/capi-arch-operator.adoc
@@ -4,11 +4,11 @@
 
 :_mod-docs-content-type: CONCEPT
 [id="capi-arch-operator_{context}"]
-= The Cluster CAPI Operator
+= The {cluster-capi-operator}
 
-The Cluster CAPI Operator is an {product-title} Operator that maintains the lifecycle of Cluster API resources.
+The {cluster-capi-operator} is an {product-title} Operator that maintains the lifecycle of Cluster API resources.
 This Operator is responsible for all administrative tasks related to deploying the Cluster API project within an {product-title} cluster.
 
-If a cluster is configured correctly to allow the use of the Cluster API, the Cluster CAPI Operator installs the Cluster API components on the cluster.
+If a cluster is configured correctly to allow the use of the Cluster API, the {cluster-capi-operator} installs the Cluster API components on the cluster.
 
-For more information, see the "Cluster CAPI Operator" entry in the _Cluster Operators reference_ content.
\ No newline at end of file
+For more information, see the "{cluster-capi-operator}" entry in the _Cluster Operators reference_ content.
\ No newline at end of file
diff --git a/modules/capi-creating-cluster-resource.adoc b/modules/capi-creating-cluster-resource.adoc
index 9ba168ed62aa..793d18157045 100644
--- a/modules/capi-creating-cluster-resource.adoc
+++ b/modules/capi-creating-cluster-resource.adoc
@@ -45,6 +45,7 @@ The following values are valid:
 +
 * `AWSCluster`: The cluster is running on {aws-first}.
 * `GCPCluster`: The cluster is running on {gcp-first}.
+* `VSphereCluster`: The cluster is running on {vmw-first}.
 --
 
 . Create the cluster CR by running the following command:
diff --git a/modules/capi-creating-infrastructure-resource.adoc b/modules/capi-creating-infrastructure-resource.adoc
index 7457d78faa86..c1c2df11dc8a 100644
--- a/modules/capi-creating-infrastructure-resource.adoc
+++ b/modules/capi-creating-infrastructure-resource.adoc
@@ -39,13 +39,14 @@ spec: # <4>
 <1> The `apiVersion` varies by platform.
 For more information, see the sample Cluster API infrastructure resource YAML for your provider.
 The following values are valid:
-* `infrastructure.cluster.x-k8s.io/v1beta1`: The version that {gcp-first} clusters use.
 * `infrastructure.cluster.x-k8s.io/v1beta2`: The version that {aws-first} clusters use.
+* `infrastructure.cluster.x-k8s.io/v1beta1`: The version that {gcp-first} and {vmw-first} clusters use.
 <2> Specify the infrastructure kind for the cluster.
 This value must match the value for your platform.
 The following values are valid:
 * `AWSCluster`: The cluster is running on {aws-short}.
 * `GCPCluster`: The cluster is running on {gcp-short}.
+* `VSphereCluster`: The cluster is running on {vmw-short}.
 <3> Specify the name of the cluster.
 <4> Specify the details for your environment.
 These parameters are provider specific.
diff --git a/modules/capi-creating-machine-template.adoc b/modules/capi-creating-machine-template.adoc
index d33710addc8b..0591043ccd2d 100644
--- a/modules/capi-creating-machine-template.adoc
+++ b/modules/capi-creating-machine-template.adoc
@@ -39,6 +39,7 @@ spec:
 <1> Specify the machine template kind. This value must match the value for your platform. The following values are valid:
 * `AWSMachineTemplate`: The cluster is running on {aws-first}.
 * `GCPMachineTemplate`: The cluster is running on {gcp-first}.
+* `VSphereMachineTemplate`: The cluster is running on {vmw-first}.
 <2> Specify a name for the machine template.
 <3> Specify the details for your environment. These parameters are provider specific. For more information, see the sample Cluster API machine template YAML for your provider.
 --
diff --git a/modules/capi-limitations.adoc b/modules/capi-limitations.adoc
index 342d6e1c55ae..d15bbbf6a5d4 100644
--- a/modules/capi-limitations.adoc
+++ b/modules/capi-limitations.adoc
@@ -15,7 +15,7 @@ Using the Cluster API to manage machines is a Technology Preview feature and has
 Enabling this feature set cannot be undone and prevents minor version updates.
 ====
 
-* Only {aws-short} and {gcp-short} clusters can use the Cluster API.
+* Only {aws-first}, {gcp-first}, and {vmw-first} clusters can use the Cluster API.
 
 * You must manually create the primary resources that the Cluster API requires.
 For more information, see "Getting started with the Cluster API".
diff --git a/modules/capi-modifying-machine-template.adoc b/modules/capi-modifying-machine-template.adoc
index 2eca15b0d94b..8e6a8afda7a5 100644
--- a/modules/capi-modifying-machine-template.adoc
+++ b/modules/capi-modifying-machine-template.adoc
@@ -28,6 +28,7 @@ $ oc get <machine_template_kind> <1>
 <1> Specify the value that corresponds to your platform. The following values are valid:
 * `AWSMachineTemplate`: The cluster is running on {aws-first}.
 * `GCPMachineTemplate`: The cluster is running on {gcp-first}.
+* `VSphereMachineTemplate`: The cluster is running on {vmw-first}.
 --
 +
 .Example output
diff --git a/modules/capi-yaml-cluster.adoc b/modules/capi-yaml-cluster.adoc
index 0e67850dbcec..7f26d8515c42 100644
--- a/modules/capi-yaml-cluster.adoc
+++ b/modules/capi-yaml-cluster.adoc
@@ -6,7 +6,8 @@
 [id="capi-yaml-cluster_{context}"]
 = Sample YAML for a Cluster API cluster resource
 
-The cluster resource defines the name and infrastructure provider for the cluster and is managed by the Cluster API. This resource has the same structure for all providers.
+The cluster resource defines the name and infrastructure provider for the cluster and is managed by the Cluster API.
+This resource has the same structure for all providers.
 
 [source,yaml]
 ----
@@ -16,16 +17,22 @@ metadata:
   name: <cluster_name> # <1>
   namespace: openshift-cluster-api
 spec:
+  controlPlaneEndpoint: # <2>
+    host: <control_plane_endpoint_address>
+    port: 6443
   infrastructureRef:
     apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
-    kind: <infrastructure_kind> # <2>
+    kind: <infrastructure_kind> # <3>
     name: <cluster_name>
     namespace: openshift-cluster-api
 ----
 <1> Specify the name of the cluster.
-<2> Specify the infrastructure kind for the cluster. Valid values are:
+<2> Specify the IP address of the control plane endpoint and the port used to access it.
+<3> Specify the infrastructure kind for the cluster.
+Valid values are:
 +
 --
-* `AWSCluster`: The cluster is running on Amazon Web Services (AWS).
-* `GCPCluster`: The cluster is running on Google Cloud Platform (GCP).
+* `AWSCluster`: The cluster is running on {aws-full}.
+* `GCPCluster`: The cluster is running on {gcp-full}.
+* `VSphereCluster`: The cluster is running on {vmw-full}.
 --
\ No newline at end of file
diff --git a/modules/capi-yaml-infrastructure-aws.adoc b/modules/capi-yaml-infrastructure-aws.adoc
index f0abf1020a0d..cfb20233b206 100644
--- a/modules/capi-yaml-infrastructure-aws.adoc
+++ b/modules/capi-yaml-infrastructure-aws.adoc
@@ -1,12 +1,13 @@
 // Module included in the following assemblies:
 //
-// * machine_management/cluster_api_machine_management/cluster-api-configuration.adoc
+// * machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-aws.adoc
 
 :_mod-docs-content-type: REFERENCE
 [id="capi-yaml-infrastructure-aws_{context}"]
-= Sample YAML for a Cluster API infrastructure resource on Amazon Web Services
+= Sample YAML for a Cluster API infrastructure resource on {aws-full}
 
-The infrastructure resource is provider-specific and defines properties that are shared by all the compute machine sets in the cluster, such as the region and subnets. The compute machine set references this resource when creating machines.
+The infrastructure resource is provider-specific and defines properties that are shared by all the compute machine sets in the cluster, such as the region and subnets.
+The compute machine set references this resource when creating machines.
 
 [source,yaml]
 ----
diff --git a/modules/capi-yaml-infrastructure-gcp.adoc b/modules/capi-yaml-infrastructure-gcp.adoc
index 8a4b1f7501a2..96d0a3733118 100644
--- a/modules/capi-yaml-infrastructure-gcp.adoc
+++ b/modules/capi-yaml-infrastructure-gcp.adoc
@@ -1,12 +1,13 @@
 // Module included in the following assemblies:
 //
-// * machine_management/cluster_api_machine_management/cluster-api-configuration.adoc
+// * machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-gcp.adoc
 
 :_mod-docs-content-type: REFERENCE
 [id="capi-yaml-infrastructure-gcp_{context}"]
-= Sample YAML for a Cluster API infrastructure resource on Google Cloud Platform
+= Sample YAML for a Cluster API infrastructure resource on {gcp-full}
 
-The infrastructure resource is provider-specific and defines properties that are shared by all the compute machine sets in the cluster, such as the region and subnets. The compute machine set references this resource when creating machines.
+The infrastructure resource is provider-specific and defines properties that are shared by all the compute machine sets in the cluster, such as the region and subnets.
+The compute machine set references this resource when creating machines.
 
 [source,yaml]
 ----
diff --git a/modules/capi-yaml-infrastructure-vsphere.adoc b/modules/capi-yaml-infrastructure-vsphere.adoc
new file mode 100644
index 000000000000..403af3240647
--- /dev/null
+++ b/modules/capi-yaml-infrastructure-vsphere.adoc
@@ -0,0 +1,38 @@
+// Module included in the following assemblies:
+//
+// * machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-vsphere.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="capi-yaml-infrastructure-vsphere_{context}"]
+= Sample YAML for a Cluster API infrastructure resource on {vmw-full}
+
+The infrastructure resource is provider-specific and defines properties that are shared by all the compute machine sets in the cluster, such as the region and subnets.
+The compute machine set references this resource when creating machines.
+
+[source,yaml]
+----
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+kind: VSphereCluster # <1>
+metadata:
+  name: <cluster_name> # <2>
+spec:
+  controlPlaneEndpoint: # <3>
+    host: <control_plane_endpoint_address>
+    port: 6443
+  identityRef:
+    kind: Secret
+    name: <cluster_name>
+  server: <vsphere_server> # <4>
+----
+<1> Specify the infrastructure kind for the cluster.
+This value must match the value for your platform.
+<2> Specify the cluster ID as the name of the cluster.
+<3> Specify the IP address of the control plane endpoint and the port used to access it.
+<4> Specify the {vmw-short} server for the cluster.
+You can find this value on an existing {vmw-short} cluster by running the following command:
++
+[source,terminal]
+----
+$ oc get infrastructure cluster \
+  -o jsonpath="{.spec.platformSpec.vsphere.vcenters[0].server}"
+----
\ No newline at end of file
diff --git a/modules/capi-yaml-machine-set-aws.adoc b/modules/capi-yaml-machine-set-aws.adoc
index d540c3c107df..468aea4cbea0 100644
--- a/modules/capi-yaml-machine-set-aws.adoc
+++ b/modules/capi-yaml-machine-set-aws.adoc
@@ -1,12 +1,13 @@
 // Module included in the following assemblies:
 //
-// * machine_management/cluster_api_machine_management/cluster-api-configuration.adoc
+// * machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-aws.adoc
 
 :_mod-docs-content-type: REFERENCE
 [id="capi-yaml-machine-set-aws_{context}"]
-= Sample YAML for a Cluster API compute machine set resource on Amazon Web Services
+= Sample YAML for a Cluster API compute machine set resource on {aws-full}
 
-The compute machine set resource defines additional properties of the machines that it creates. The compute machine set also references the infrastructure resource and machine template when creating machines.
+The compute machine set resource defines additional properties of the machines that it creates.
+The compute machine set also references the infrastructure resource and machine template when creating machines.
 
 [source,yaml]
 ----
diff --git a/modules/capi-yaml-machine-set-gcp.adoc b/modules/capi-yaml-machine-set-gcp.adoc
index d77908a244c4..784629644233 100644
--- a/modules/capi-yaml-machine-set-gcp.adoc
+++ b/modules/capi-yaml-machine-set-gcp.adoc
@@ -1,12 +1,13 @@
 // Module included in the following assemblies:
 //
-// * machine_management/cluster_api_machine_management/cluster-api-configuration.adoc
+// * machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-gcp.adoc
 
 :_mod-docs-content-type: REFERENCE
 [id="capi-yaml-machine-set-gcp_{context}"]
-= Sample YAML for a Cluster API compute machine set resource on Google Cloud Platform
+= Sample YAML for a Cluster API compute machine set resource on {gcp-full}
 
-The compute machine set resource defines additional properties of the machines that it creates. The compute machine set also references the infrastructure resource and machine template when creating machines.
+The compute machine set resource defines additional properties of the machines that it creates.
+The compute machine set also references the infrastructure resource and machine template when creating machines.
 
 [source,yaml]
 ----
diff --git a/modules/capi-yaml-machine-set-vsphere.adoc b/modules/capi-yaml-machine-set-vsphere.adoc
new file mode 100644
index 000000000000..124ca3124779
--- /dev/null
+++ b/modules/capi-yaml-machine-set-vsphere.adoc
@@ -0,0 +1,64 @@
+// Module included in the following assemblies:
+//
+// * machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-vsphere.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="capi-yaml-machine-set-vsphere_{context}"]
+= Sample YAML for a Cluster API compute machine set resource on {vmw-full}
+
+The compute machine set resource defines additional properties of the machines that it creates.
+The compute machine set also references the infrastructure resource and machine template when creating machines.
+
+[source,yaml]
+----
+apiVersion: cluster.x-k8s.io/v1beta1
+kind: MachineSet
+metadata:
+  name: <machine_set_name> # <1>
+  namespace: openshift-cluster-api
+spec:
+  clusterName: <cluster_name> # <2>
+  replicas: 1
+  selector:
+    matchLabels:
+      test: example
+  template:
+    metadata:
+      labels:
+        test: example
+    spec:
+      bootstrap:
+         dataSecretName: worker-user-data # <3>
+      clusterName: <cluster_name>
+      infrastructureRef:
+        apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+        kind: VSphereMachineTemplate # <4>
+        name: <template_name> # <5>
+      failureDomain: # <6>
+        - name: <failure_domain_name>
+          region: <region_a>
+          zone: <zone_a>
+          server: <vcenter_server_name>
+          topology:
+            datacenter: <region_a_datacenter>
+            computeCluster: "</region_a_datacenter/host/zone_a_cluster>"
+            resourcePool: "</region_a_datacenter/host/zone_a_cluster/Resources/resource_pool>"
+            datastore: "</region_a_datacenter/datastore/datastore_a>"
+            networks:
+            - port-group
+----
+<1> Specify a name for the compute machine set.
+<2> Specify the cluster ID as the name of the cluster.
+<3> For the Cluster API Technology Preview, the Operator can use the worker user data secret from the `openshift-machine-api` namespace.
+<4> Specify the machine template kind.
+This value must match the value for your platform.
+<5> Specify the machine template name.
+<6> Specify the failure domain configuration details.
++
+[NOTE]
+====
+Using multiple regions and zones on a {vmw-short} cluster that uses the Cluster API is not a validated configuration.
+====
+// This callout section can be updated if this configuration is validated. (see also: additional resources in cluster-api-config-options-vsphere.adoc)
+// <6> Specify one or more failure domains.
+// For more information about specifying multiple regions and zones on a {vmw-short} cluster, see "Multiple regions and zones configuration for a cluster on {vmw-full}."
\ No newline at end of file
diff --git a/modules/capi-yaml-machine-template-aws.adoc b/modules/capi-yaml-machine-template-aws.adoc
index fa083bd3a820..d1e8edece2a6 100644
--- a/modules/capi-yaml-machine-template-aws.adoc
+++ b/modules/capi-yaml-machine-template-aws.adoc
@@ -1,12 +1,13 @@
 // Module included in the following assemblies:
 //
-// * machine_management/cluster_api_machine_management/cluster-api-configuration.adoc
+// * machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-aws.adoc
 
 :_mod-docs-content-type: REFERENCE
 [id="capi-yaml-machine-template-aws_{context}"]
-= Sample YAML for a Cluster API machine template resource on Amazon Web Services
+= Sample YAML for a Cluster API machine template resource on {aws-full}
 
-The machine template resource is provider-specific and defines the basic properties of the machines that a compute machine set creates. The compute machine set references this template when creating machines.
+The machine template resource is provider-specific and defines the basic properties of the machines that a compute machine set creates.
+The compute machine set references this template when creating machines.
 
 [source,yaml]
 ----
@@ -37,6 +38,8 @@ spec:
           values:
           - # ...
 ----
-<1> Specify the machine template kind. This value must match the value for your platform.
+<1> Specify the machine template kind.
+This value must match the value for your platform.
 <2> Specify a name for the machine template.
-<3> Specify the details for your environment. The values here are examples.
\ No newline at end of file
+<3> Specify the details for your environment.
+The values here are examples.
\ No newline at end of file
diff --git a/modules/capi-yaml-machine-template-gcp.adoc b/modules/capi-yaml-machine-template-gcp.adoc
index e6863daa4793..34205e814ff9 100644
--- a/modules/capi-yaml-machine-template-gcp.adoc
+++ b/modules/capi-yaml-machine-template-gcp.adoc
@@ -1,12 +1,13 @@
 // Module included in the following assemblies:
 //
-// * machine_management/cluster_api_machine_management/cluster-api-configuration.adoc
+// * machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-gcp.adoc
 
 :_mod-docs-content-type: REFERENCE
 [id="capi-yaml-machine-template-gcp_{context}"]
-= Sample YAML for a Cluster API machine template resource on Google Cloud Platform
+= Sample YAML for a Cluster API machine template resource on {gcp-full}
 
-The machine template resource is provider-specific and defines the basic properties of the machines that a compute machine set creates. The compute machine set references this template when creating machines.
+The machine template resource is provider-specific and defines the basic properties of the machines that a compute machine set creates.
+The compute machine set references this template when creating machines.
 
 [source,yaml]
 ----
@@ -33,6 +34,8 @@ spec:
         - <cluster_name>-worker
       ipForwarding: Disabled
 ----
-<1> Specify the machine template kind. This value must match the value for your platform.
+<1> Specify the machine template kind.
+This value must match the value for your platform.
 <2> Specify a name for the machine template.
-<3> Specify the details for your environment. The values here are examples.
+<3> Specify the details for your environment.
+The values here are examples.
diff --git a/modules/capi-yaml-machine-template-vsphere.adoc b/modules/capi-yaml-machine-template-vsphere.adoc
new file mode 100644
index 000000000000..6b68c24f284b
--- /dev/null
+++ b/modules/capi-yaml-machine-template-vsphere.adoc
@@ -0,0 +1,59 @@
+// Module included in the following assemblies:
+//
+// * machine_management/cluster_api_machine_management/cluster_api_provider_configurations/cluster-api-config-options-vsphere.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="capi-yaml-machine-template-vsphere_{context}"]
+= Sample YAML for a Cluster API machine template resource on {vmw-full}
+
+The machine template resource is provider-specific and defines the basic properties of the machines that a compute machine set creates.
+The compute machine set references this template when creating machines.
+
+[source,yaml]
+----
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+kind: VSphereMachineTemplate # <1>
+metadata:
+  name: <template_name> # <2>
+  namespace: openshift-cluster-api
+spec:
+  template:
+    spec: # <3>
+      template: <vm_template_name> # <4>
+      server: <vcenter_server_ip> # <5>
+      diskGiB: 128
+      cloneMode: linkedClone # <6>
+      datacenter: <vcenter_datacenter_name> # <7>
+      datastore: <vcenter_datastore_name> # <8>
+      folder: <vcenter_vm_folder_path> # <9>
+      resourcePool: <vsphere_resource_pool> # <10>
+      numCPUs: 4
+      memoryMiB: 16384
+      network:
+        devices:
+        - dhcp4: true
+          networkName: "<vm_network_name>" # <11>
+----
+<1> Specify the machine template kind.
+This value must match the value for your platform.
+<2> Specify a name for the machine template.
+<3> Specify the details for your environment.
+The values here are examples.
+<4> Specify the vSphere VM template to use, such as `user-5ddjd-rhcos`.
+<5> Specify the vCenter server IP or fully qualified domain name.
+<6> Specify the type of VM clone to use.
+The following values are valid:
++
+--
+* `fullClone`
+* `linkedClone`
+--
++
+When using the `linkedClone` type, the disk size matches the clone source instead of using the `diskGiB` value.
+For more information, see the {vmw-short} documentation about VM clone types.
+<7> Specify the vCenter Datacenter to deploy the compute machine set on.
+<8> Specify the vCenter Datastore to deploy the compute machine set on.
+<9> Specify the path to the vSphere VM folder in vCenter, such as `/dc1/vm/user-inst-5ddjd`.
+<10> Specify the vSphere resource pool for your VMs.
+<11> Specify the vSphere VM network to deploy the compute machine set to.
+This VM network must be where other compute machines reside in the cluster.
\ No newline at end of file
diff --git a/modules/cco-ccoctl-configuring.adoc b/modules/cco-ccoctl-configuring.adoc
index 727a6b8d1253..ffa080090adf 100644
--- a/modules/cco-ccoctl-configuring.adoc
+++ b/modules/cco-ccoctl-configuring.adoc
@@ -1,11 +1,13 @@
 // Module included in the following assemblies:
 //
+//Postinstall  and update content
+// * post_installation_configuration/cluster-tasks.adoc
+// * updating/preparing_for_updates/preparing-manual-creds-update.adoc
+//
 //Platforms that must use `ccoctl` and update content
 // * installing/installing_ibm_cloud_public/configuring-iam-ibm-cloud.adoc
 // * installing/installing_ibm_powervs/preparing-to-install-on-ibm-power-vs.doc
-// * installing/installing_alibaba/manually-creating-alibaba-ram.adoc
 // * installing/installing_nutanix/preparing-to-install-on-nutanix.adoc
-// * updating/preparing_for_updates/preparing-manual-creds-update.adoc
 //
 // AWS assemblies:
 // * installing/installing_aws/installing-aws-customizations.adoc
@@ -34,19 +36,21 @@
 // * installing/installing_azure/installing-azure-vnet.adoc
 // * installing/installing_azure/installing-restricted-networks-azure-installer-provisioned.adoc
 
-//Platforms that must use `ccoctl` and update content
+//Postinstall  and update content
+ifeval::["{context}" == "post-install-cluster-tasks"]
+:postinstall:
+endif::[]
+ifeval::["{context}" == "preparing-manual-creds-update"]
+:update:
+endif::[]
+
+//Platforms that must use `ccoctl`
 ifeval::["{context}" == "configuring-iam-ibm-cloud"]
 :ibm-cloud:
 endif::[]
-ifeval::["{context}" == "manually-creating-alibaba-ram"]
-:alibabacloud:
-endif::[]
 ifeval::["{context}" == "preparing-to-install-on-nutanix"]
 :nutanix:
 endif::[]
-ifeval::["{context}" == "preparing-manual-creds-update"]
-:update:
-endif::[]
 ifeval::["{context}" == "preparing-to-install-on-ibm-power-vs"]
 :ibm-power-vs:
 endif::[]
@@ -125,11 +129,6 @@ endif::[]
 ifndef::update[= Configuring the Cloud Credential Operator utility]
 ifdef::update[= Configuring the Cloud Credential Operator utility for a cluster update]
 
-//This applies only to Alibaba Cloud.
-ifdef::alibabacloud[]
-To assign RAM users and policies that provide long-term RAM AccessKeys (AKs) for each in-cluster component, extract and prepare the Cloud Credential Operator (CCO) utility (`ccoctl`) binary.
-endif::alibabacloud[]
-
 //Nutanix-only intro because it needs context in its install procedure.
 ifdef::nutanix[]
 The Cloud Credential Operator (CCO) manages cloud provider credentials as Kubernetes custom resource definitions (CRDs). To install a cluster on Nutanix, you must set the CCO to `manual` mode as part of the installation process.
@@ -138,10 +137,15 @@ ifdef::ibm-power-vs[]
 The Cloud Credential Operator (CCO) manages cloud provider credentials as Kubernetes custom resource definitions (CRDs). To install a cluster on {ibm-power-server-name}, you must set the CCO to `manual` mode as part of the installation process.
 endif::ibm-power-vs[]
 
-//Alibaba Cloud uses ccoctl, but creates different kinds of resources than other clouds, so this applies to everyone else. The upgrade procs also have a different intro, so they are excluded here.
-ifndef::alibabacloud,update[]
+//Alibaba Cloud uses ccoctl, but creates different kinds of resources than other clouds, so this applies to everyone else. The upgrade and postinstall procs also have a different intro, so they are excluded here.
+ifndef::alibabacloud,update,postinstall[]
 To create and manage cloud credentials from outside of the cluster when the Cloud Credential Operator (CCO) is operating in manual mode, extract and prepare the CCO utility (`ccoctl`) binary.
-endif::alibabacloud,update[]
+endif::alibabacloud,update,postinstall[]
+
+//Intro for the postinstall procs.
+ifdef::postinstall[]
+To configure an existing cluster to create and manage cloud credentials from outside of the cluster, extract and prepare the Cloud Credential Operator utility (`ccoctl`) binary.
+endif::postinstall[]
 
 //Intro for the upgrade procs.
 ifdef::update[]
@@ -317,14 +321,19 @@ endif::google-cloud-platform[]
 
 .Procedure
 
-ifndef::update[]
-. Obtain the {product-title} release image by running the following command:
+. Set a variable for the {product-title} release image by running the following command:
 +
 [source,terminal]
+ifndef::update,postinstall[]
 ----
 $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')
 ----
-endif::update[]
+endif::update,postinstall[]
+ifdef::update,postinstall[]
+----
+$ RELEASE_IMAGE=$(oc get clusterversion -o jsonpath={..desired.image})
+----
+endif::update,postinstall[]
 
 . Obtain the CCO container image from the {product-title} release image by running the following command:
 +
@@ -342,14 +351,22 @@ Ensure that the architecture of the `$RELEASE_IMAGE` matches the architecture of
 +
 [source,terminal]
 ----
-$ oc image extract $CCO_IMAGE --file="/usr/bin/ccoctl" -a ~/.pull-secret
+$ oc image extract $CCO_IMAGE \
+  --file="/usr/bin/ccoctl.<rhel_version>" \// <1>
+  -a ~/.pull-secret
 ----
+<1> For `<rhel_version>`, specify the value that corresponds to the version of {op-system-base-full} that the host uses.
+If no value is specified, `ccoctl.rhel8` is used by default.
+The following values are valid:
++
+* `rhel8`: Specify this value for hosts that use {op-system-base} 8.
+* `rhel9`: Specify this value for hosts that use {op-system-base} 9.
 
 . Change the permissions to make `ccoctl` executable by running the following command:
 +
 [source,terminal]
 ----
-$ chmod 775 ccoctl
+$ chmod 775 ccoctl.<rhel_version>
 ----
 
 .Verification
@@ -370,7 +387,6 @@ Usage:
   ccoctl [command]
 
 Available Commands:
-  alibabacloud Manage credentials objects for alibaba cloud
   aws          Manage credentials objects for AWS cloud
   azure        Manage credentials objects for Azure
   gcp          Manage credentials objects for Google cloud
@@ -384,19 +400,21 @@ Flags:
 Use "ccoctl [command] --help" for more information about a command.
 ----
 
+//Postinstall and update content
+ifeval::["{context}" == "post-install-cluster-tasks"]
+:!postinstall:
+endif::[]
+ifeval::["{context}" == "preparing-manual-creds-update"]
+:!update:
+endif::[]
+
 //Platforms that must use `ccoctl` and update content
 ifeval::["{context}" == "configuring-iam-ibm-cloud"]
 :!ibm-cloud:
 endif::[]
-ifeval::["{context}" == "manually-creating-alibaba-ram"]
-:!alibabacloud:
-endif::[]
 ifeval::["{context}" == "preparing-to-install-on-nutanix"]
 :!nutanix:
 endif::[]
-ifeval::["{context}" == "preparing-manual-creds-update"]
-:!update:
-endif::[]
 ifeval::["{context}" == "preparing-to-install-on-ibm-power-vs"]
 :!ibm-power-vs:
 endif::[]
diff --git a/modules/cco-ccoctl-creating-at-once.adoc b/modules/cco-ccoctl-creating-at-once.adoc
index 1e8830f99820..294fbb8b7924 100644
--- a/modules/cco-ccoctl-creating-at-once.adoc
+++ b/modules/cco-ccoctl-creating-at-once.adoc
@@ -1,10 +1,5 @@
 // Module included in the following assemblies:
 //
-// Platforms that must use `ccoctl`
-// * installing/installing_alibaba/manually-creating-alibaba-ram.adoc
-// * installing/installing_alibaba/installing-alibaba-network-customizations.adoc
-// * installing/installing_alibaba/installing-alibaba-vpc.adoc
-//
 // AWS assemblies:
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
@@ -32,17 +27,6 @@
 // * installing/installing_azure/installing-azure-vnet.adoc
 // * installing/installing_azure/installing-restricted-networks-azure-installer-provisioned.adoc
 
-//Platforms that must use `ccoctl`
-ifeval::["{context}" == "installing-alibaba-default"]
-:alibabacloud-default:
-endif::[]
-ifeval::["{context}" == "installing-alibaba-customizations"]
-:alibabacloud-customizations:
-endif::[]
-ifeval::["{context}" == "installing-alibaba-vpc"]
-:alibabacloud-vpc:
-endif::[]
-
 //AWS install assemblies
 ifeval::["{context}" == "installing-aws-customizations"]
 :aws-sts:
@@ -132,12 +116,6 @@ ifdef::azure-workload-id[]
 
 You can use the `ccoctl azure create-all` command to automate the creation of Azure resources.
 endif::azure-workload-id[]
-ifdef::alibabacloud-default,alibabacloud-customizations,alibabacloud-vpc[]
-[id="cco-ccoctl-creating-at-once_{context}"]
-= Creating credentials for {product-title} components with the ccoctl tool
-
-You can use the {product-title} Cloud Credential Operator (CCO) utility to automate the creation of Alibaba Cloud RAM users and policies for each in-cluster component.
-endif::alibabacloud-default,alibabacloud-customizations,alibabacloud-vpc[]
 
 [NOTE]
 ====
@@ -149,10 +127,7 @@ By default, `ccoctl` creates objects in the directory in which the commands are
 You must have:
 
 * Extracted and prepared the `ccoctl` binary.
-ifdef::alibabacloud-default,alibabacloud-customizations,alibabacloud-vpc[]
-* Created a RAM user with sufficient permission to create the {product-title} cluster.
-* Added the AccessKeyID (`access_key_id`) and AccessKeySecret (`access_key_secret`) of that RAM user into the link:https://www.alibabacloud.com/help/en/doc-detail/311667.htm#h2-sls-mfm-3p3[`~/.alibabacloud/credentials` file] on your local computer.
-endif::alibabacloud-default,alibabacloud-customizations,alibabacloud-vpc[]
+
 ifdef::azure-workload-id[]
 * Access to your Microsoft Azure account by using the Azure CLI.
 endif::azure-workload-id[]
@@ -267,77 +242,6 @@ To see additional optional parameters and explanations of how to use them, run t
 ====
 endif::azure-workload-id[]
 
-ifdef::alibabacloud-default,alibabacloud-customizations,alibabacloud-vpc[]
-. Use the `ccoctl` tool to process all `CredentialsRequest` objects by running the following command:
-
-.. Run the following command to use the tool:
-+
-[source,terminal]
-----
-$ ccoctl alibabacloud create-ram-users \
-  --name <name> \// <1>
-  --region=<alibaba_region> \// <2>
-  --credentials-requests-dir=<path_to_credentials_requests_directory> \// <3>
-  --output-dir=<path_to_ccoctl_output_dir> <4>
-----
-<1> Specify the name used to tag any cloud resources that are created for tracking.
-<2> Specify the Alibaba Cloud region in which cloud resources will be created.
-<3> Specify the directory containing the files for the component `CredentialsRequest` objects.
-<4> Specify the directory where the generated component credentials secrets will be placed.
-+
-[NOTE]
-====
-If your cluster uses Technology Preview features that are enabled by the `TechPreviewNoUpgrade` feature set, you must include the `--enable-tech-preview` parameter.
-====
-+
-.Example output
-[source,text]
-----
-2022/02/11 16:18:26 Created RAM User: user1-alicloud-openshift-machine-api-alibabacloud-credentials
-2022/02/11 16:18:27 Ready for creating new ram policy user1-alicloud-openshift-machine-api-alibabacloud-credentials-policy-policy
-2022/02/11 16:18:27 RAM policy user1-alicloud-openshift-machine-api-alibabacloud-credentials-policy-policy has created
-2022/02/11 16:18:28 Policy user1-alicloud-openshift-machine-api-alibabacloud-credentials-policy-policy has attached on user user1-alicloud-openshift-machine-api-alibabacloud-credentials
-2022/02/11 16:18:29 Created access keys for RAM User: user1-alicloud-openshift-machine-api-alibabacloud-credentials
-2022/02/11 16:18:29 Saved credentials configuration to: user1-alicloud/manifests/openshift-machine-api-alibabacloud-credentials-credentials.yaml
-...
-----
-+
-[NOTE]
-====
-A RAM user can have up to two AccessKeys at the same time. If you run `ccoctl alibabacloud create-ram-users` more than twice, the previously generated manifests secret becomes stale and you must reapply the newly generated secrets.
-====
-
-.. Verify that the {product-title} secrets are created:
-+
-[source,terminal]
-----
-$ ls <path_to_ccoctl_output_dir>/manifests
-----
-+
-.Example output
-[source,text]
-----
-openshift-cluster-csi-drivers-alibaba-disk-credentials-credentials.yaml
-openshift-image-registry-installer-cloud-credentials-credentials.yaml
-openshift-ingress-operator-cloud-credentials-credentials.yaml
-openshift-machine-api-alibabacloud-credentials-credentials.yaml
-----
-+
-You can verify that the RAM users and policies are created by querying Alibaba Cloud. For more information, refer to Alibaba Cloud documentation on listing RAM users and policies.
-
-. Copy the generated credential files to the target manifests directory:
-+
-[source,terminal]
-----
-$ cp ./<path_to_ccoctl_output_dir>/manifests/*credentials.yaml ./<path_to_installation>dir>/manifests/
-----
-+
-where:
-
-`<path_to_ccoctl_output_dir>`:: Specifies the directory created by the `ccoctl alibabacloud create-ram-users` command.
-`<path_to_installation_dir>`:: Specifies the directory in which the installation program creates files.
-endif::alibabacloud-default,alibabacloud-customizations,alibabacloud-vpc[]
-
 ifdef::aws-sts,google-cloud-platform,azure-workload-id[]
 .Verification
 
@@ -403,17 +307,6 @@ openshift-machine-api-azure-cloud-credentials-credentials.yaml
 You can verify that the Microsoft Entra ID service accounts are created by querying Azure. For more information, refer to Azure documentation on listing Entra ID service accounts.
 endif::azure-workload-id[]
 
-//Platforms that must use `ccoctl`
-ifeval::["{context}" == "installing-alibaba-default"]
-:!alibabacloud-default:
-endif::[]
-ifeval::["{context}" == "installing-alibaba-customizations"]
-:!alibabacloud-customizations:
-endif::[]
-ifeval::["{context}" == "installing-alibaba-vpc"]
-:!alibabacloud-vpc:
-endif::[]
-
 //AWS install assemblies
 ifeval::["{context}" == "installing-aws-customizations"]
 :!aws-sts:
diff --git a/modules/cco-ccoctl-install-verifying.adoc b/modules/cco-ccoctl-install-verifying.adoc
index 1226e3d4104d..26f40cc6d7c6 100644
--- a/modules/cco-ccoctl-install-verifying.adoc
+++ b/modules/cco-ccoctl-install-verifying.adoc
@@ -1,12 +1,13 @@
 // Module included in the following assemblies:
 //
 // * installing/validating-an-installation.adoc
+// * post_installation_configuration/cluster-tasks.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="cco-ccoctl-install-verifying_{context}"]
-= Clusters that use short-term credentials: Verifying the credentials configuration
+= Verifying that a cluster uses short-term credentials
 
-You can verify that your cluster is using short-term security credentials for individual components.
+You can verify that a cluster uses short-term security credentials for individual components by checking the Cloud Credential Operator (CCO) configuration and other values in the cluster.
 
 .Prerequisites
 
@@ -14,16 +15,32 @@ You can verify that your cluster is using short-term security credentials for in
 
 * You installed the {oc-first}.
 
+* You are logged in as a user with `cluster-admin` privileges.
 
 .Procedure
 
-. Log in as a user with `cluster-admin` privileges.
+* Verify that the CCO is configured to operate in manual mode by running the following command:
++
+[source,terminal]
+----
+$ oc get cloudcredentials cluster \
+  -o=jsonpath={.spec.credentialsMode}
+----
++
+The following output confirms that the CCO is operating in manual mode:
++
+.Example output
+[source,text]
+----
+Manual
+----
 
-. Verify that the cluster does not have `root` credentials by running the following command:
+* Verify that the cluster does not have `root` credentials by running the following command:
 +
 [source,terminal]
 ----
-$ oc get secrets -n kube-system <secret_name>
+$ oc get secrets \
+  -n kube-system <secret_name>
 ----
 +
 where `<secret_name>` is the name of the root secret for your cloud provider.
@@ -33,26 +50,26 @@ where `<secret_name>` is the name of the root secret for your cloud provider.
 |Platform
 |Secret name
 
-|AWS
+|{aws-first}
 |`aws-creds`
 
-|Azure
+|{azure-first}
 |`azure-credentials`
 
-|GCP
+|{gcp-first}
 |`gcp-credentials`
 
 |===
 +
-An error confirms that the root secret is not present on the cluster. The following example shows the expected output from an AWS cluster:
+An error confirms that the root secret is not present on the cluster.
 +
-.Example output
+.Example output for an {aws-short} cluster
 [source,text]
 ----
 Error from server (NotFound): secrets "aws-creds" not found
 ----
 
-. Verify that the components are using short-term security credentials for individual components by running the following command:
+* Verify that the components are using short-term security credentials for individual components by running the following command:
 +
 [source,terminal]
 ----
@@ -61,4 +78,32 @@ $ oc get authentication cluster \
   --template='{ .spec.serviceAccountIssuer }'
 ----
 +
-This command displays the value of the `.spec.serviceAccountIssuer` parameter in the cluster `Authentication` object. An output of a URL that is associated with your cloud provider indicates that the cluster is using manual mode with short-term credentials that are created and managed from outside of the cluster.
\ No newline at end of file
+This command displays the value of the `.spec.serviceAccountIssuer` parameter in the cluster `Authentication` object.
+An output of a URL that is associated with your cloud provider indicates that the cluster is using manual mode with short-term credentials that are created and managed from outside of the cluster.
+
+* {azure-short} clusters: Verify that the components are assuming the {azure-short} client ID that is specified in the secret manifests by running the following command:
++
+[source,terminal]
+----
+$ oc get secrets \
+  -n openshift-image-registry installer-cloud-credentials \
+  -o jsonpath='{.data}'
+----
++
+An output that contains the `azure_client_id` and `azure_federated_token_file` felids confirms that the components are assuming the {azure-short} client ID.
+
+* {azure-short} clusters: Verify that the pod identity webhook is running by running the following command:
++
+[source,terminal]
+----
+$ oc get pods \
+  -n openshift-cloud-credential-operator
+----
++
+.Example output
+[source,text]
+----
+NAME                                         READY   STATUS    RESTARTS   AGE
+cloud-credential-operator-59cf744f78-r8pbq   2/2     Running   2          71m
+pod-identity-webhook-548f977b4c-859lz        1/1     Running   1          70m
+----
\ No newline at end of file
diff --git a/modules/cco-ccoctl-upgrading.adoc b/modules/cco-ccoctl-upgrading.adoc
index f0faf568670e..4bccfbc7f298 100644
--- a/modules/cco-ccoctl-upgrading.adoc
+++ b/modules/cco-ccoctl-upgrading.adoc
@@ -24,28 +24,6 @@ On AWS clusters, some `ccoctl` commands make AWS API calls to create or modify A
 
 . Use the `ccoctl` tool to process all `CredentialsRequest` objects by running the command for your cloud provider. The following commands process `CredentialsRequest` objects:
 +
-.{alibaba}
-[%collapsible]
-====
-[source,terminal]
-----
-$ ccoctl alibabacloud create-ram-users \
-  --name <name> \// <1>
-  --region=<alibaba_region> \// <2>
-  --credentials-requests-dir=<path_to_credentials_requests_directory> \// <3>
-  --output-dir=<path_to_ccoctl_output_dir> <4>
-----
-<1> Specify the name used to tag any cloud resources that are created for tracking.
-<2> Specify the Alibaba Cloud region in which cloud resources will be created.
-<3> Specify the directory containing the files for the component `CredentialsRequest` objects.
-<4> Optional: Specify the directory in which you want the `ccoctl` utility to create objects. By default, the utility creates objects in the directory in which the commands are run.
-
-[NOTE]
-=====
-A RAM user can have up to two AccessKeys at the same time. If you run `ccoctl alibabacloud create-ram-users` more than twice, the previously generated manifests secret becomes stale and you must reapply the newly generated secrets.
-=====
-====
-+
 .Amazon Web Services (AWS)
 [%collapsible]
 ====
@@ -66,7 +44,7 @@ $ ccoctl aws create-all \// <1>
 <6> Optional: By default, the `ccoctl` utility stores the OpenID Connect (OIDC) configuration files in a public S3 bucket and uses the S3 URL as the public OIDC endpoint. To store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL instead, use the `--create-private-s3-bucket` parameter.
 ====
 +
-.Google Cloud Platform (GCP)
+.{gcp-first}
 [%collapsible]
 ====
 [source,terminal]
@@ -102,6 +80,46 @@ $ ccoctl ibmcloud create-service-id \
 <4> Optional: Specify the name of the resource group used for scoping the access policies.
 ====
 +
+.{azure-first}
+[%collapsible]
+====
+[source,terminal]
+----
+$ ccoctl azure create-managed-identities \
+  --name <azure_infra_name> \// <1>
+  --output-dir ./output_dir \
+  --region <azure_region> \// <2>
+  --subscription-id <azure_subscription_id> \// <3>
+  --credentials-requests-dir <path_to_directory_for_credentials_requests> \
+  --issuer-url "${OIDC_ISSUER_URL}" \// <4>
+  --dnszone-resource-group-name <azure_dns_zone_resourcegroup_name> \// <5>
+  --installation-resource-group-name "${AZURE_INSTALL_RG}" <6>
+----
+<1> The value of the `name` parameter is used to create an Azure resource group.
+To use an existing Azure resource group instead of creating a new one, specify the `--oidc-resource-group-name` argument with the existing group name as its value.
+<2> Specify the region of the existing cluster.
+<3> Specify the subscription ID of the existing cluster.
+<4> Specify the OIDC issuer URL from the existing cluster.
+You can obtain this value by running the following command:
++
+[source,terminal]
+----
+$ oc get authentication cluster \
+  -o jsonpath \
+  --template='{ .spec.serviceAccountIssuer }'
+----
+<5> Specify the name of the resource group that contains the DNS zone.
+<6> Specify the {azure-short} resource group name.
+You can obtain this value by running the following command:
++
+[source,terminal]
+----
+$ oc get infrastructure cluster \
+  -o jsonpath \
+  --template '{ .status.platformStatus.azure.resourceGroupName }'
+----
+====
++
 .Nutanix
 [%collapsible]
 ====
diff --git a/modules/cco-short-term-creds-component-permissions-aws.adoc b/modules/cco-short-term-creds-component-permissions-aws.adoc
index 2d108ce801c2..447291db9bef 100644
--- a/modules/cco-short-term-creds-component-permissions-aws.adoc
+++ b/modules/cco-short-term-creds-component-permissions-aws.adoc
@@ -17,7 +17,7 @@ These permissions apply to all resources. Unless specified, there are no request
 |====
 |Component |Custom resource |Required permissions for services
 
-|Cluster CAPI Operator
+|{cluster-capi-operator}
 |`openshift-cluster-api-aws`
 |**EC2**
 
diff --git a/modules/cco-short-term-creds-component-permissions-azure.adoc b/modules/cco-short-term-creds-component-permissions-azure.adoc
index 483f7c65f7ef..8bb601350754 100644
--- a/modules/cco-short-term-creds-component-permissions-azure.adoc
+++ b/modules/cco-short-term-creds-component-permissions-azure.adoc
@@ -24,7 +24,7 @@
 * `Microsoft.Network/publicIPAddresses/read`
 * `Microsoft.Network/publicIPAddresses/write`
 
-|Cluster CAPI Operator
+|{cluster-capi-operator}
 |`openshift-cluster-api-azure`
 |role: `Contributor` ^[1]^
 
diff --git a/modules/ccs-gcp-provisioned.adoc b/modules/ccs-gcp-provisioned.adoc
index 13b153b3bc65..21d5ecc2ecde 100644
--- a/modules/ccs-gcp-provisioned.adoc
+++ b/modules/ccs-gcp-provisioned.adoc
@@ -26,12 +26,12 @@ GCP compute instances are required to deploy the control plane and data plane fu
 == Storage
 
 * Infrastructure volumes:
-** 128 GB SSD persistent disk (deleted on instance deletion)
+** 300 GB SSD persistent disk (deleted on instance deletion)
 ** 110 GB  Standard persistent disk (kept on instance deletion)
 * Worker volumes:
-** 128 GB SSD persistent disk  (deleted on instance deletion)
+** 300 GB SSD persistent disk  (deleted on instance deletion)
 * Control plane volumes:
-** 128 GB SSD persistent disk  (deleted on instance deletion)
+** 350 GB SSD persistent disk  (deleted on instance deletion)
 
 [id="gcp-policy-vpc_{context}"]
 == VPC
diff --git a/modules/checking-mco-status.adoc b/modules/checking-mco-status.adoc
index 92ef365867c9..f676ef98eddd 100644
--- a/modules/checking-mco-status.adoc
+++ b/modules/checking-mco-status.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * post_installation_configuration/machine-configuration-tasks.adoc
+// * machine_configuration/index.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="checking-mco-status_{context}"]
diff --git a/modules/cleaning-crio-storage.adoc b/modules/cleaning-crio-storage.adoc
index 7c948efa446c..f2aa0b6bd199 100644
--- a/modules/cleaning-crio-storage.adoc
+++ b/modules/cleaning-crio-storage.adoc
@@ -31,7 +31,7 @@ can't stat lower layer ...  because it does not exist.  Going through storage to
 
 Follow this process to completely wipe the CRI-O storage and resolve the errors.
 
-.Prerequisites:
+.Prerequisites
 
   * You have access to the cluster as a user with the `cluster-admin` role.
   * You have installed the OpenShift CLI (`oc`).
diff --git a/modules/cli-installing-cli.adoc b/modules/cli-installing-cli.adoc
index 298fd2849465..404a62c15f65 100644
--- a/modules/cli-installing-cli.adoc
+++ b/modules/cli-installing-cli.adoc
@@ -1,7 +1,5 @@
 // Module included in the following assemblies:
 //
-// * installing/installing_alibaba/installing-alibaba-network-customizations.adoc
-// * installing/installing_alibaba/installing-alibaba-vpc.adoc
 // * cli_reference/openshift_cli/getting-started.adoc
 // * installing/installing_aws/installing-aws-user-infra.adoc
 // * installing/installing_aws/installing-aws-customizations.adoc
diff --git a/modules/cli-logging-in-kubeadmin.adoc b/modules/cli-logging-in-kubeadmin.adoc
index dbbd52bb17f5..48dc8a5d72e1 100644
--- a/modules/cli-logging-in-kubeadmin.adoc
+++ b/modules/cli-logging-in-kubeadmin.adoc
@@ -1,7 +1,5 @@
 // Module included in the following assemblies:
 //
-// * installing/installing_alibaba/installing-alibaba-network-customizations.adoc
-// * installing/installing_alibaba/installing-alibaba-vpc.adoc
 // * installing/installing_aws/installing-aws-user-infra.adoc
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-default.adoc
diff --git a/modules/cluster-capi-operator.adoc b/modules/cluster-capi-operator.adoc
index 961811c31c97..f99d0703bc90 100644
--- a/modules/cluster-capi-operator.adoc
+++ b/modules/cluster-capi-operator.adoc
@@ -3,17 +3,17 @@
 // * operators/operator-reference.adoc
 
 [id="cluster-capi-operator_{context}"]
-= Cluster CAPI Operator
+= {cluster-capi-operator}
 
 [NOTE]
 ====
-This Operator is available as a link:https://access.redhat.com/support/offerings/techpreview[Technology Preview] for Amazon Web Services (AWS) and Google Cloud Platform (GCP) clusters.
+This Operator is available as a link:https://access.redhat.com/support/offerings/techpreview[Technology Preview] for {aws-first}, {gcp-first}, and {vmw-first} clusters.
 ====
 
 [discrete]
 == Purpose
 
-The Cluster CAPI Operator maintains the lifecycle of Cluster API resources. This Operator is responsible for all administrative tasks related to deploying the Cluster API project within an {product-title} cluster.
+The {cluster-capi-operator} maintains the lifecycle of Cluster API resources. This Operator is responsible for all administrative tasks related to deploying the Cluster API project within an {product-title} cluster.
 
 [discrete]
 == Project
@@ -33,6 +33,11 @@ link:https://github.com/openshift/cluster-capi-operator[cluster-capi-operator]
 ** CR: `gcpmachine`
 ** Validation: No
 
+*  `vspheremachines.infrastructure.cluster.x-k8s.io`
+** Scope: Namespaced
+** CR: `vspheremachine`
+** Validation: No
+
 * `awsmachinetemplates.infrastructure.cluster.x-k8s.io`
 ** Scope: Namespaced
 ** CR: `awsmachinetemplate`
@@ -41,4 +46,9 @@ link:https://github.com/openshift/cluster-capi-operator[cluster-capi-operator]
 *  `gcpmachinetemplates.infrastructure.cluster.x-k8s.io`
 ** Scope: Namespaced
 ** CR: `gcpmachinetemplate`
+** Validation: No
+
+*  `vspheremachinetemplates.infrastructure.cluster.x-k8s.io`
+** Scope: Namespaced
+** CR: `vspheremachinetemplate`
 ** Validation: No
\ No newline at end of file
diff --git a/modules/cluster-cloud-controller-manager-operator.adoc b/modules/cluster-cloud-controller-manager-operator.adoc
index 82fb199097b8..45dcce0edf7c 100644
--- a/modules/cluster-cloud-controller-manager-operator.adoc
+++ b/modules/cluster-cloud-controller-manager-operator.adoc
@@ -2,12 +2,43 @@
 //
 // * operators/operator-reference.adoc
 
+ifeval::["{context}" == "cluster-operators-ref"]
+:operators:
+endif::[]
+ifeval::["{context}" == "cluster-capabilities"]
+:cluster-caps:
+endif::[]
+
 [id="cluster-cloud-controller-manager-operator_{context}"]
-= Cluster Cloud Controller Manager Operator
+ifdef::operators[= Cloud Controller Manager Operator]
+ifdef::cluster-caps[= Cloud controller manager capability]
 
 [discrete]
 == Purpose
 
+ifdef::cluster-caps[]
+The Cloud Controller Manager Operator provides features for the `CloudControllerManager` capability.
+
+[NOTE]
+====
+Currently, disabling the `CloudControllerManager` capability is not supported on all platforms.
+====
+
+You can determine if your cluster supports disabling the `CloudControllerManager` capability by checking values in the installation configuration (`install-config.yaml`) file for your cluster.
+
+In the `install-config.yaml` file, locate the `platform` parameter.
+
+* If the value of the `platform` parameter is `Baremetal` or `None`, you can disable the `CloudControllerManager` capability on your cluster.
+
+* If the value of the `platform` parameter is `External`, locate the `platform.external.cloudControllerManager` parameter.
+If the value of the `platform.external.cloudControllerManager` parameter is `None`, you can disable the `CloudControllerManager` capability on your cluster.
+
+[IMPORTANT]
+====
+If these parameters contain any other values than those listed, you cannot disable the `CloudControllerManager` capability on your cluster.
+====
+endif::cluster-caps[]
+
 [NOTE]
 ====
 The status of this Operator is General Availability for {aws-first}, {gcp-first}, {ibm-cloud-name}, global {azure-full}, Microsoft Azure Stack Hub, Nutanix, {rh-openstack-first}, and {vmw-full}.
@@ -15,7 +46,7 @@ The status of this Operator is General Availability for {aws-first}, {gcp-first}
 The Operator is available as a link:https://access.redhat.com/support/offerings/techpreview[Technology Preview] for {alibaba} and {ibm-power-server-name}.
 ====
 
-The Cluster Cloud Controller Manager Operator manages and updates the cloud controller managers deployed on top of {product-title}. The Operator is based on the Kubebuilder framework and `controller-runtime` libraries. It is installed via the Cluster Version Operator (CVO).
+The Cloud Controller Manager Operator manages and updates the cloud controller managers deployed on top of {product-title}. The Operator is based on the Kubebuilder framework and `controller-runtime` libraries. It is installed via the Cluster Version Operator (CVO).
 
 It contains the following components:
 
@@ -24,7 +55,16 @@ It contains the following components:
 
 By default, the Operator exposes Prometheus metrics through the `metrics` service.
 
+ifdef::operators[]
 [discrete]
 == Project
 
 link:https://github.com/openshift/cluster-cloud-controller-manager-operator[cluster-cloud-controller-manager-operator]
+endif::operators[]
+
+ifeval::["{context}" == "cluster-operators-ref"]
+:!operators:
+endif::[]
+ifeval::["{context}" == "cluster-capabilities"]
+:!cluster-caps:
+endif::[]
\ No newline at end of file
diff --git a/modules/cluster-entitlements.adoc b/modules/cluster-entitlements.adoc
index f65b82856040..168beee1bc39 100644
--- a/modules/cluster-entitlements.adoc
+++ b/modules/cluster-entitlements.adoc
@@ -1,7 +1,5 @@
 // Module included in the following assemblies:
 //
-// * installing/installing_alibaba/installing-alibaba-network-customizations.adoc
-// * installing/installing_alibaba/installing-alibaba-vpc.adoc
 // * installing/installing_bare_metal/installing-bare-metal-network-customizations.adoc
 // * installing/installing_bare_metal/installing-bare-metal.adoc
 // * installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc
diff --git a/modules/cluster-image-registry-operator.adoc b/modules/cluster-image-registry-operator.adoc
index c84ff8fa2d45..d02ce4dadf7f 100644
--- a/modules/cluster-image-registry-operator.adoc
+++ b/modules/cluster-image-registry-operator.adoc
@@ -34,11 +34,11 @@ If insufficient information is available to define a complete `image-registry` r
 The Cluster Image Registry Operator runs in the `openshift-image-registry` namespace and it also manages the registry instance in that location. All configuration and workload resources for the registry reside in that namespace.
 
 ifdef::cluster-caps[]
-In order to integrate the image registry into the cluster's user authentication and authorization system, a service account token secret and an image pull secret are generated for each service account in the cluster.
+In order to integrate the image registry into the cluster's user authentication and authorization system, an image pull secret is generated for each service account in the cluster.
 
 [IMPORTANT]
 ====
-If you disable the `ImageRegistry` capability or if you disable the integrated {product-registry} in the Cluster Image Registry Operator's configuration, the service account token secret and image pull secret are not generated for each service account.
+If you disable the `ImageRegistry` capability or if you disable the integrated {product-registry} in the Cluster Image Registry Operator's configuration, the image pull secret is not generated for each service account.
 ====
 
 If you disable the `ImageRegistry` capability, you can reduce the overall resource footprint of {product-title} in resource-constrained environments. Depending on your deployment, you can disable this component if you do not need it.
diff --git a/modules/cluster-telemetry.adoc b/modules/cluster-telemetry.adoc
index af569170ac1e..392f608078d4 100644
--- a/modules/cluster-telemetry.adoc
+++ b/modules/cluster-telemetry.adoc
@@ -1,7 +1,5 @@
 // Module included in the following assemblies:
 //
-// * installing/installing_alibaba/installing-alibaba-network-customizations.adoc
-// * installing/installing_alibaba/installing-alibaba-vpc.adoc
 // * installing/installing_bare_metal/installing-bare-metal-network-customizations.adoc
 // * installing/installing_bare_metal/installing-bare-metal.adoc
 // * installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc
diff --git a/modules/cnf-about-topology-aware-lifecycle-manager-blocking-crs.adoc b/modules/cnf-about-topology-aware-lifecycle-manager-blocking-crs.adoc
index 8f103c858f19..f7a7341ea1e6 100644
--- a/modules/cnf-about-topology-aware-lifecycle-manager-blocking-crs.adoc
+++ b/modules/cnf-about-topology-aware-lifecycle-manager-blocking-crs.adoc
@@ -23,6 +23,7 @@ One `ClusterGroupUpgrade` CR can have multiple blocking CRs. In this case, all t
 
 . Save the content of the `ClusterGroupUpgrade` CRs in the `cgu-a.yaml`, `cgu-b.yaml`, and `cgu-c.yaml` files.
 +
+--
 [source,yaml]
 ----
 apiVersion: ran.openshift.io/v1alpha1
@@ -74,7 +75,7 @@ status:
   - - spoke2
 ----
 <1> Defines the blocking CRs. The `cgu-a` update cannot start until `cgu-c` is complete.
-+
+
 [source,yaml]
 ----
 apiVersion: ran.openshift.io/v1alpha1
@@ -129,7 +130,7 @@ status:
   status: {}
 ----
 <1> The `cgu-b` update cannot start until `cgu-a` is complete.
-+
+
 [source,yaml]
 ----
 apiVersion: ran.openshift.io/v1alpha1
@@ -174,6 +175,7 @@ status:
   status: {}
 ----
 <1> The `cgu-c` update does not have any blocking CRs. {cgu-operator} starts the `cgu-c` update when the `enable` field is set to `true`.
+--
 
 . Create the `ClusterGroupUpgrade` CRs by running the following command for each relevant CR:
 +
@@ -192,8 +194,8 @@ $ oc --namespace=default patch clustergroupupgrade.ran.openshift.io/<name> \
 +
 The following examples show `ClusterGroupUpgrade` CRs where the `enable` field is set to `true`:
 +
+--
 .Example for `cgu-a` with blocking CRs
-+
 [source,yaml]
 ----
 apiVersion: ran.openshift.io/v1alpha1
@@ -247,9 +249,8 @@ status:
   status: {}
 ----
 <1> Shows the list of blocking CRs.
-+
+
 .Example for `cgu-b` with blocking CRs
-+
 [source,yaml]
 ----
 apiVersion: ran.openshift.io/v1alpha1
@@ -305,9 +306,8 @@ status:
   status: {}
 ----
 <1> Shows the list of blocking CRs.
-+
+
 .Example for `cgu-c` with blocking CRs
-+
 [source,yaml]
 ----
 apiVersion: ran.openshift.io/v1alpha1
@@ -355,3 +355,4 @@ status:
       spoke6: 0
 ----
 <1> The `cgu-c` update does not have any blocking CRs.
+--
diff --git a/modules/cnf-about-topology-aware-lifecycle-manager-policies.adoc b/modules/cnf-about-topology-aware-lifecycle-manager-policies.adoc
index 2ee82dce5507..406bd6133248 100644
--- a/modules/cnf-about-topology-aware-lifecycle-manager-policies.adoc
+++ b/modules/cnf-about-topology-aware-lifecycle-manager-policies.adoc
@@ -12,10 +12,8 @@ The {cgu-operator-first} uses {rh-rhacm} policies for cluster updates.
 Supported use cases include the following:
 
 * Manual user creation of policy CRs
-* Automatically generated policies from the `PolicyGenTemplate` custom resource definition (CRD)
+* Automatically generated policies from the `PolicyGenerator` or `PolicyGentemplate` custom resource definition (CRD)
 
 For policies that update an Operator subscription with manual approval, {cgu-operator} provides additional functionality that approves the installation of the updated Operator.
 
 For more information about managed policies, see link:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/{rh-rhacm-version}/html-single/governance/index#policy-overview[Policy Overview] in the {rh-rhacm} documentation.
-
-For more information about the `PolicyGenTemplate` CRD, see the "About the PolicyGenTemplate CRD" section in "Configuring managed clusters with policies and PolicyGenTemplate resources".
diff --git a/modules/cnf-configuring-kubelet-nro.adoc b/modules/cnf-configuring-kubelet-nro.adoc
index 5c89b2462af6..805d1c5f94e9 100644
--- a/modules/cnf-configuring-kubelet-nro.adoc
+++ b/modules/cnf-configuring-kubelet-nro.adoc
@@ -8,7 +8,7 @@
 
 The recommended way to configure a single NUMA node policy is to apply a performance profile. Another way is by creating and applying a `KubeletConfig` custom resource (CR), as shown in the following procedure.
 
-.Procedure 
+.Procedure
 
 . Create the `KubeletConfig` custom resource (CR) that configures the pod admittance policy for the machine profile:
 
@@ -41,7 +41,7 @@ spec:
       memory: "512Mi"
     topologyManagerPolicy: "single-numa-node" <5>
 ----
-<1> Adjust this label to match the the `machineConfigPoolSelector` in the `NUMAResourcesOperator` CR.
+<1> Adjust this label to match the `machineConfigPoolSelector` in the `NUMAResourcesOperator` CR.
 <2> For `cpuManagerPolicy`, `static` must use a lowercase `s`.
 <3> Adjust this based on the CPU on your nodes.
 <4> For `memoryManagerPolicy`, `Static` must use an uppercase `S`.
@@ -56,5 +56,5 @@ $ oc create -f nro-kubeletconfig.yaml
 +
 [NOTE]
 ====
-Applying performance profile or `KubeletConfig` automatically triggers rebooting of the nodes. If no reboot is triggered, you can troubleshoot the issue by looking at the labels in `KubeletConfig` that address the node group. 
+Applying performance profile or `KubeletConfig` automatically triggers rebooting of the nodes. If no reboot is triggered, you can troubleshoot the issue by looking at the labels in `KubeletConfig` that address the node group.
 ====
diff --git a/modules/cnf-configuring-node-groups-for-the-numaresourcesoperator.adoc b/modules/cnf-configuring-node-groups-for-the-numaresourcesoperator.adoc
index 11eb1bc3b051..98cfc7eb9d99 100644
--- a/modules/cnf-configuring-node-groups-for-the-numaresourcesoperator.adoc
+++ b/modules/cnf-configuring-node-groups-for-the-numaresourcesoperator.adoc
@@ -7,7 +7,7 @@
 [id="cnf-configuring-node-groups-for-the-numaresourcesoperator_{context}"]
 = Optional: Configuring polling operations for NUMA resources updates
 
-The daemons controlled by the NUMA Resources Operator in their `nodeGroup` poll resources to retrieve updates about available NUMA resources. You can fine-tune polling operations for these daemons by configuring the `spec.nodeGroups` specification in the `NUMAResourcesOperator` custom resource (CR). This provides advanced control of polling operations. Configure these specifications to improve scheduling behaviour and troubleshoot suboptimal scheduling decisions.
+The daemons controlled by the NUMA Resources Operator in their `nodeGroup` poll resources to retrieve updates about available NUMA resources. You can fine-tune polling operations for these daemons by configuring the `spec.nodeGroups` specification in the `NUMAResourcesOperator` custom resource (CR). This provides advanced control of polling operations. Configure these specifications to improve scheduling behavior and troubleshoot suboptimal scheduling decisions.
 
 The configuration options are the following:
 
@@ -17,7 +17,7 @@ The configuration options are the following:
 +
 [NOTE]
 ====
-`podsFingerprinting` is enabled by default. `podsFingerprinting` is a requirement for the `cacheResyncPeriod` specification in the `NUMAResourcesScheduler` CR. The `cacheResyncPeriod` specification helps to report more exact resource availability by monitoring pending resources on nodes.
+The default value for `podsFingerprinting` is `EnabledExclusiveResources`. To optimize scheduler performance, set `podsFingerprinting` to either `EnabledExclusiveResources` or `Enabled`. Additionally, configure the `cacheResyncPeriod` in the `NUMAResourcesScheduler` custom resource (CR) to a value greater than 0. The `cacheResyncPeriod` specification helps to report more exact resource availability by monitoring pending resources on nodes.
 ====
 
 .Prerequisites
@@ -46,7 +46,7 @@ spec:
 ----
 <1> Valid values are `Periodic`, `Events`, `PeriodicAndEvents`. Use `Periodic` to poll the kubelet at intervals that you define in `infoRefreshPeriod`. Use `Events` to poll the kubelet at every pod lifecycle event. Use `PeriodicAndEvents` to enable both methods.
 <2> Define the polling interval for `Periodic` or `PeriodicAndEvents` refresh modes. The field is ignored if the refresh mode is `Events`.
-<3> Valid values are `Enabled`, `Disabled`, and `EnabledExclusiveResources`. Setting to `Enabled` is a requirement for the `cacheResyncPeriod` specification in the `NUMAResourcesScheduler`.
+<3> Valid values are `Enabled`, `Disabled`, and `EnabledExclusiveResources`. Setting to `Enabled` or `EnabledExclusiveResources` is a requirement for the `cacheResyncPeriod` specification in the `NUMAResourcesScheduler`.
 
 .Verification
 
diff --git a/modules/cnf-image-based-upgrade-generate-seed-image.adoc b/modules/cnf-image-based-upgrade-generate-seed-image.adoc
new file mode 100644
index 000000000000..c9c22defa2aa
--- /dev/null
+++ b/modules/cnf-image-based-upgrade-generate-seed-image.adoc
@@ -0,0 +1,160 @@
+// Module included in the following assemblies:
+// * edge_computing/image-based-upgrade/cnf-preparing-for-image-based-upgrade.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="ztp-image-based-upgrade-seed-generation_{context}"]
+= Generating a seed image with the {lcao}
+
+Use the {lcao} to generate the seed image with the `SeedGenerator` CR. The Operator checks for required system configurations, performs any necessary system cleanup before generating the seed image, and launches the image generation. The seed image generation includes the following tasks:
+
+* Stopping cluster Operators
+* Preparing the seed image configuration
+* Generating and pushing the seed image to the image repository specified in the `SeedGenerator` CR
+* Restoring cluster Operators
+* Expiring seed cluster certificates
+* Generating new certificates for the seed cluster
+* Restoring and updating the `SeedGenerator` CR on the seed cluster
+
+.Prerequisites
+
+* Configure a shared container directory on the seed cluster.
+* Install the OADP Operator and the {lcao} on the seed cluster.
+
+.Procedure
+
+. Detach the cluster from the hub to delete any cluster-specific resources from the seed cluster that must not be in the seed image:
+
+.. If you are using {rh-rhacm}, manually detach the seed cluster by running the following command:
++
+[source,terminal]
+----
+$ oc delete managedcluster sno-worker-example
+----
+
+... Wait until the `ManagedCluster` CR is removed. After the CR is removed, create the proper `SeedGenerator` CR. The {lcao} cleans up the {rh-rhacm} artifacts.
+
+.. If you are using {ztp}, detach your cluster by removing the seed cluster's `SiteConfig` CR from the `kustomization.yaml`:
+
+... Remove your seed cluster's `SiteConfig` CR from the `kustomization.yaml`.
++
+[source,yaml]
+----
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+generators:
+#- example-seed-sno1.yaml
+- example-target-sno2.yaml
+- example-target-sno3.yaml
+----
+
+... Commit the `kustomization.yaml` changes in your Git repository and push the changes.
++
+The ArgoCD pipeline detects the changes and removes the managed cluster.
+
+. Create the `Secret`:
+
+.. Create the authentication file by running the following commands:
++
+--
+[source,terminal]
+----
+$ MY_USER=myuserid
+$ AUTHFILE=/tmp/my-auth.json
+$ podman login --authfile ${AUTHFILE} -u ${MY_USER} quay.io/${MY_USER}
+----
+
+[source,terminal]
+----
+$ base64 -w 0 ${AUTHFILE} ; echo
+----
+--
+
+.. Copy the output into the `seedAuth` field in the `Secret` YAML file named `seedgen` in the `openshift-lifecycle-agent` namespace:
++
+--
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  name: seedgen <1>
+  namespace: openshift-lifecycle-agent
+type: Opaque
+data:
+  seedAuth: <encoded_AUTHFILE> <2>
+----
+<1> The `Secret` resource must have the `name: seedgen` and `namespace: openshift-lifecycle-agent` fields.
+<2> Specifies a base64-encoded authfile for write-access to the registry for pushing the generated seed images.
+--
+
+.. Apply the `Secret` by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f secretseedgenerator.yaml
+----
+
+. Create the `SeedGenerator` CR:
++
+--
+[source,yaml]
+----
+apiVersion: lca.openshift.io/v1
+kind: SeedGenerator
+metadata:
+  name: seedimage <1>
+spec:
+  seedImage: <seed_container_image> <2>
+----
+<1> The `SeedGenerator` CR must be named `seedimage`.
+<2> Specify the container image URL, for example, `quay.io/example/seed-container-image:<tag>`. It is recommended to use the `<seed_cluster_name>:<ocp_version>` format.
+--
+
+. Generate the seed image by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f seedgenerator.yaml
+----
+
++
+[IMPORTANT]
+====
+The cluster reboots and loses API capabilities while the {lcao} generates the seed image.
+Applying the `SeedGenerator` CR stops the `kubelet` and the CRI-O operations, then it starts the image generation.
+====
+
+If you want to generate more seed images, you must provision a new seed cluster with the version that you want to generate a seed image from.
+
+.Verification
+
+. After the cluster recovers and it is available, you can check the status of the `SeedGenerator` CR by running the following command:
++
+--
+[source,terminal]
+----
+$ oc get seedgenerator -o yaml
+----
+
+.Example output
+[source,yaml]
+----
+status:
+  conditions:
+  - lastTransitionTime: "2024-02-13T21:24:26Z"
+    message: Seed Generation completed
+    observedGeneration: 1
+    reason: Completed
+    status: "False"
+    type: SeedGenInProgress
+  - lastTransitionTime: "2024-02-13T21:24:26Z"
+    message: Seed Generation completed
+    observedGeneration: 1
+    reason: Completed
+    status: "True"
+    type: SeedGenCompleted <1>
+  observedGeneration: 1
+----
+<1> The seed image generation is complete.
+--
\ No newline at end of file
diff --git a/modules/cnf-image-based-upgrade-guidelines.adoc b/modules/cnf-image-based-upgrade-guidelines.adoc
new file mode 100644
index 000000000000..1898530002a1
--- /dev/null
+++ b/modules/cnf-image-based-upgrade-guidelines.adoc
@@ -0,0 +1,15 @@
+// Module included in the following assemblies:
+// * edge_computing/image-based-upgrade/cnf-understanding-image-based-upgrade.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="ztp-image-based-upgrade-guide_{context}"]
+= Guidelines for the image-based upgrade
+
+For a successful image-based upgrade, your deployments must meet certain requirements.
+
+There are different deployment methods in which you can perform the image-based upgrade:
+
+{ztp}:: You use the {ztp-first} to deploy and configure your clusters.
+Non-GitOps:: You only use {rh-rhacm-first} to deploy and configure your clusters.
+
+You can perform an image-based upgrade in disconnected environments. For more information about how to mirror images for a disconnected environment, see "Mirroring images for a disconnected installation".
\ No newline at end of file
diff --git a/modules/ztp-image-based-upgrade-installing-lifecycle-agent-using-cli.adoc b/modules/cnf-image-based-upgrade-installing-lifecycle-agent-using-cli.adoc
similarity index 70%
rename from modules/ztp-image-based-upgrade-installing-lifecycle-agent-using-cli.adoc
rename to modules/cnf-image-based-upgrade-installing-lifecycle-agent-using-cli.adoc
index f4f551db9c0e..50a518e6d98a 100644
--- a/modules/ztp-image-based-upgrade-installing-lifecycle-agent-using-cli.adoc
+++ b/modules/cnf-image-based-upgrade-installing-lifecycle-agent-using-cli.adoc
@@ -1,11 +1,11 @@
 // Module included in the following assemblies:
-// * scalability_and_performance/ztp-image-based-upgrade.adoc
+// * edge_computing/image-based-upgrade/cnf-preparing-for-image-based-upgrade.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="installing-lcao-using-cli_{context}"]
 = Installing the {lcao} by using the CLI
 
-You can use the OpenShift CLI (`oc`) to install the {lcao} from the 4.15 Operator catalog on both the seed and target cluster.
+You can use the OpenShift CLI (`oc`) to install the {lcao}.
 
 .Prerequisites
 
@@ -14,7 +14,7 @@ You can use the OpenShift CLI (`oc`) to install the {lcao} from the 4.15 Operato
 
 .Procedure
 
-. Create a namespace for the {lcao}.
+. Create a `Namespace` object YAML file for the {lcao}, for example `lcao-namespace.yaml`:
 +
 [source,yaml]
 ----
@@ -26,14 +26,14 @@ metadata:
     workload.openshift.io/allowed: management
 ----
 
-.. Create the `Namespace` CR:
+.. Create the `Namespace` CR by running the following command:
 +
 [source,terminal]
 ----
 $ oc create -f lcao-namespace.yaml
 ----
 
-. Create an Operator group for the {lcao}.
+. Create an `OperatorGroup` object YAML file for the {lcao}, for example `lcao-operatorgroup.yaml`:
 +
 [source,yaml]
 ----
@@ -47,26 +47,24 @@ spec:
   - openshift-lifecycle-agent
 ----
 
-.. Create the `OperatorGroup` CR:
+.. Create the `OperatorGroup` CR by running the following command:
 +
 [source,terminal]
 ----
 $ oc create -f lcao-operatorgroup.yaml
 ----
 
-. Create a `Subscription` CR:
-
-.. Define the `Subscription` CR and save the YAML file, for example, `lcao-subscription.yaml`:
+. Create a `Subscription` CR, for example, `lcao-subscription.yaml`:
 +
 [source,yaml]
 ----
-apiVersion: operators.coreos.com/v1alpha1
+apiVersion: operators.coreos.com/v1
 kind: Subscription
 metadata:
   name: openshift-lifecycle-agent-subscription
   namespace: openshift-lifecycle-agent
 spec:
-  channel: "alpha"
+  channel: "stable"
   name: lifecycle-agent
   source: redhat-operators
   sourceNamespace: openshift-marketplace
@@ -81,7 +79,7 @@ $ oc create -f lcao-subscription.yaml
 
 .Verification
 
-. Verify that the installation succeeded by inspecting the CSV resource:
+. To verify that the installation succeeded, inspect the CSV resource by running the following command:
 +
 [source,terminal]
 ----
@@ -95,7 +93,7 @@ NAME                              DISPLAY                     VERSION
 lifecycle-agent.v{product-version}.0           Openshift Lifecycle Agent   {product-version}.0                Succeeded
 ----
 
-. Verify that the {lcao} is up and running:
+. Verify that the {lcao} is up and running by running the following command:
 +
 [source,terminal]
 ----
diff --git a/modules/cnf-image-based-upgrade-installing-lifecycle-agent-using-web-console.adoc b/modules/cnf-image-based-upgrade-installing-lifecycle-agent-using-web-console.adoc
new file mode 100644
index 000000000000..020e0af0761b
--- /dev/null
+++ b/modules/cnf-image-based-upgrade-installing-lifecycle-agent-using-web-console.adoc
@@ -0,0 +1,36 @@
+// Module included in the following assemblies:
+// * edge_computing/image-based-upgrade/cnf-preparing-for-image-based-upgrade.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="installing-lifecycle-agent-using-web-console_{context}"]
+= Installing the {lcao} by using the web console
+
+You can use the {product-title} web console to install the {lcao}.
+
+.Prerequisites
+
+* Log in as a user with `cluster-admin` privileges.
+
+.Procedure
+
+. In the {product-title} web console, navigate to *Operators* -> *OperatorHub*.
+. Search for the *{lcao}* from the list of available Operators, and then click *Install*.
+. On the *Install Operator* page, under *A specific namespace on the cluster* select *openshift-lifecycle-agent*.
+. Click *Install*.
+
+.Verification
+
+. To confirm that the installation is successful:
+
+.. Click *Operators* -> *Installed Operators*.
+.. Ensure that the {lcao} is listed in the *openshift-lifecycle-agent* project with a *Status* of *InstallSucceeded*.
++
+[NOTE]
+====
+During installation an Operator might display a *Failed* status. If the installation later succeeds with an *InstallSucceeded* message, you can ignore the *Failed* message.
+====
+
+If the Operator is not installed successfully:
+
+. Click *Operators* -> *Installed Operators*, and inspect the *Operator Subscriptions* and *Install Plans* tabs for any failure or errors under *Status*.
+. Click *Workloads* -> *Pods*, and check the logs for pods in the *openshift-lifecycle-agent* project.
\ No newline at end of file
diff --git a/modules/cnf-image-based-upgrade-prep-catalogsource.adoc b/modules/cnf-image-based-upgrade-prep-catalogsource.adoc
new file mode 100644
index 000000000000..d28045a03a68
--- /dev/null
+++ b/modules/cnf-image-based-upgrade-prep-catalogsource.adoc
@@ -0,0 +1,44 @@
+// Module included in the following assemblies:
+// * edge_computing/image-based-upgrade/cnf-preparing-for-image-based-upgrade.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="cnf-image-based-upgrade-creating-backup-custom-catalog-sources_{context}"]
+= Creating ConfigMap objects of custom catalog sources for the image-based upgrade with {lcao}
+
+You can keep your custom catalog sources after the upgrade by generating a `ConfigMap` object for your catalog sources and adding them to the `spec.extraManifest` field in the `ImageBasedUpgrade` CR.
+For more information about catalog sources, see "Catalog source".
+
+.Procedure
+
+. Create a YAML file that contains the `CatalogSource` CR:
++
+--
+[source,yaml]
+----
+apiVersion: operators.coreos.com/v1
+kind: CatalogSource
+metadata:
+  name: example-catalogsources
+  namespace: openshift-marketplace
+spec:
+  sourceType: grpc
+  displayName: disconnected-redhat-operators
+  image: quay.io/example-org/example-catalog:v1
+----
+--
+
+. Create the `ConfigMap` object by running the following command:
++
+[source,terminal]
+----
+$ oc create configmap example-catalogsources-cm --from-file=example-catalogsources.yaml=<path_to_catalogsource_cr> -n openshift-lifecycle-agent
+----
+
+. Patch the `ImageBasedUpgrade` CR by running the following command:
++
+[source,terminal]
+----
+$ oc patch imagebasedupgrades.lca.openshift.io upgrade \
+  -p='{"spec": {"extraManifests": [{"name": "example-catalogsources-cm", "namespace": "openshift-lifecycle-agent"}]}}' \
+  --type=merge -n openshift-lifecycle-agent
+----
\ No newline at end of file
diff --git a/modules/cnf-image-based-upgrade-prep-extramanifests.adoc b/modules/cnf-image-based-upgrade-prep-extramanifests.adoc
new file mode 100644
index 000000000000..532c15c5b9df
--- /dev/null
+++ b/modules/cnf-image-based-upgrade-prep-extramanifests.adoc
@@ -0,0 +1,64 @@
+
+// Module included in the following assemblies:
+// * edge_computing/image-based-upgrade/cnf-preparing-for-image-based-upgrade.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="cnf-image-based-upgrade-creating-backup-extra-manifests_{context}"]
+= Creating ConfigMap objects of extra manifests for the image-based upgrade with {lcao}
+
+You can create additional manifests that you want to apply to the target cluster.
+
+.Procedure
+
+. Create a YAML file that contains your extra manifests:
++
+[source,yaml]
+----
+apiVersion: sriovnetwork.openshift.io/v1
+kind: SriovNetworkNodePolicy
+metadata:
+  name: "pci-sriov-net-e5l"
+  namespace: openshift-sriov-network-operator
+spec:
+  deviceType: vfio-pci
+  isRdma: false
+  nicSelector:
+    pfNames: [ens1f0]
+  nodeSelector:
+    node-role.kubernetes.io/master: ""
+  mtu: 1500
+  numVfs: 8
+  priority: 99
+  resourceName: pci_sriov_net_e5l
+---
+apiVersion: sriovnetwork.openshift.io/v1
+kind: SriovNetwork
+metadata:
+  name: "networking-e5l"
+  namespace: openshift-sriov-network-operator
+spec:
+  ipam: |-
+    {
+    }
+  linkState: auto
+  networkNamespace: sriov-namespace
+  resourceName: pci_sriov_net_e5l
+  spoofChk: "on"
+  trust: "off"
+----
+
+. Create the `ConfigMap` object by running the following command:
++
+[source,terminal]
+----
+$ oc create configmap example-extra-manifests-cm --from-file=example-extra-manifests.yaml=<path_to_extramanifest> -n openshift-lifecycle-agent
+----
+
+. Patch the `ImageBasedUpgrade` CR by running the following command:
++
+[source,terminal]
+----
+$ oc patch imagebasedupgrades.lca.openshift.io upgrade \
+  -p='{"spec": {"extraManifests": [{"name": "example-extra-manifests-cm", "namespace": "openshift-lifecycle-agent"}]}}' \
+  --type=merge -n openshift-lifecycle-agent
+----
\ No newline at end of file
diff --git a/modules/cnf-image-based-upgrade-prep-oadp.adoc b/modules/cnf-image-based-upgrade-prep-oadp.adoc
new file mode 100644
index 000000000000..c7ff33ca8978
--- /dev/null
+++ b/modules/cnf-image-based-upgrade-prep-oadp.adoc
@@ -0,0 +1,71 @@
+// Module included in the following assemblies:
+// * edge_computing/image-based-upgrade/cnf-preparing-for-image-based-upgrade.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="cnf-image-based-upgrade-creating-backup-oadp-resources_{context}"]
+= Creating OADP ConfigMap objects for the image-based upgrade with {lcao}
+
+Create your OADP resources that are used to back up and restore your resources during the upgrade.
+
+.Prerequisites
+
+* Generate a seed image from a compatible seed cluster.
+* Create OADP backup and restore resources.
+* Create a separate partition on the target cluster for the container images that is shared between stateroots. For more information about, see "Configuring a shared container directory for the image-based upgrade".
+* Deploy a version of {lcao} that is compatible with the version used with the seed image.
+* Install the OADP Operator, the `DataProtectionApplication` CR, and its secret on the target cluster.
+* Create an S3-compatible storage solution and a ready-to-use bucket with proper credentials configured. For more information, see "About installing OADP".
+
+.Procedure
+
+. Create the OADP `Backup` and `Restore` CRs for platform artifacts in the same namespace where the OADP Operator is installed, which is `openshift-adp`.
+
+.. If the target cluster is managed by {rh-rhacm}, add the following YAML file for backing up and restoring {rh-rhacm} artifacts:
++
+--
+.PlatformBackupRestore.yaml for {rh-rhacm}
+include::snippets/ibu-PlatformBackupRestore.adoc[]
+--
+
+.. If you created persistent volumes on your cluster through {lvms}, add the following YAML file for {lvms} artifacts:
++
+.PlatformBackupRestoreLvms.yaml for {lvms}
+include::snippets/ibu-PlatformBackupRestoreLvms.adoc[]
+
+. (Optional) If you need to restore applications after the upgrade, create the OADP `Backup` and `Restore` CRs for your application in the `openshift-adp` namespace.
+
+.. Create the OADP CRs for cluster-scoped application artifacts in the `openshift-adp` namespace.
++
+.Example OADP CRs for cluster-scoped application artifacts for LSO and {LVMS}
+include::snippets/ibu-ApplicationClusterScopedBackupRestore.adoc[]
+
+.. Create the OADP CRs for your namespace-scoped application artifacts.
++
+--
+.Example OADP CRs namespace-scoped application artifacts when LSO is used
+include::snippets/ibu-ApplicationBackupRestoreLso.adoc[]
+
+.Example OADP CRs namespace-scoped application artifacts when {lvms} is used
+include::snippets/ibu-ApplicationBackupRestoreLvms.adoc[]
+
+[IMPORTANT]
+====
+The same version of the applications must function on both the current and the target release of {product-title}.
+====
+--
+
+. Create the `ConfigMap` object for your OADP CRs by running the following command:
++
+[source,terminal]
+----
+$ oc create configmap oadp-cm-example --from-file=example-oadp-resources.yaml=<path_to_oadp_crs> -n openshift-adp
+----
+
+. Patch the `ImageBasedUpgrade` CR by running the following command:
++
+[source,terminal]
+----
+$ oc patch imagebasedupgrades.lca.openshift.io upgrade \
+  -p='{"spec": {"oadpContent": [{"name": "oadp-cm-example", "namespace": "openshift-adp"}]}}' \
+  --type=merge -n openshift-lifecycle-agent
+----
\ No newline at end of file
diff --git a/modules/cnf-image-based-upgrade-prep.adoc b/modules/cnf-image-based-upgrade-prep.adoc
new file mode 100644
index 000000000000..f43f19304d0d
--- /dev/null
+++ b/modules/cnf-image-based-upgrade-prep.adoc
@@ -0,0 +1,121 @@
+// Module included in the following assemblies:
+// * edge_computing/image-based-upgrade/cnf-image-based-upgrade-base.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="ztp-image-based-upgrade-prep_{context}"]
+= Moving to the Prep stage of the image-based upgrade with {lcao}
+
+When you deploy the {lcao} on a cluster, an `ImageBasedUpgrade` custom resource (CR) is automatically created.
+
+After you created all the resources that you need during the upgrade, you can move on to the `Prep` stage.
+For more information, see the "Creating ConfigMap objects for the image-based upgrade with {lcao}" section.
+
+.Prerequisites
+
+* You have created resources to back up and restore your clusters.
+
+.Procedure
+
+. Check that you have patched your `ImageBasedUpgrade` CR:
++
+[source,yaml]
+----
+apiVersion: lca.openshift.io/v1
+kind: ImageBasedUpgrade
+metadata:
+  name: upgrade
+spec:
+  stage: Idle
+  seedImageRef:
+    version: 4.15.2 <1>
+    image: <seed_container_image> <2>
+    pullSecretRef: <seed_pull_secret> <3>
+  autoRollbackOnFailure: {}
+#    initMonitorTimeoutSeconds: 1800 <4>
+  extraManifests: <5>
+  - name: example-extra-manifests-cm
+    namespace: openshift-lifecycle-agent
+  - name: example-catalogsources-cm
+    namespace: openshift-lifecycle-agent
+  oadpContent: <6>
+  - name: oadp-cm-example
+    namespace: openshift-adp
+----
+<1> Specify the target platform version. The value must match the version of the seed image.
+<2> Specify the repository where the target cluster can pull the seed image from.
+<3> Specify the reference to a secret with credentials to pull container images if the images are in a private registry.
+<4> (Optional) Specify the time frame in seconds to roll back if the upgrade does not complete within that time frame after the first reboot. If not defined or set to `0`, the default value of `1800` seconds (30 minutes) is used.
+<5> (Optional) Specify the list of `ConfigMap` resources that contain your custom catalog sources to retain after the upgrade and your extra manifests to apply to the target cluster that are not part of the seed image.
+<6> Add the `oadpContent` section with the OADP `ConfigMap` information.
+
+. To start the `Prep` stage, change the value of the `stage` field to `Prep` in the `ImageBasedUpgrade` CR by running the following command:
++
+--
+[source,terminal]
+----
+$ oc patch imagebasedupgrades.lca.openshift.io upgrade -p='{"spec": {"stage": "Prep"}}' --type=merge -n openshift-lifecycle-agent
+----
+
+If you provide `ConfigMap` objects for OADP resources and extra manifests, {lcao} validates the specified `ConfigMap` objects during the `Prep` stage.
+You might encounter the following issues: 
+
+* Validation warnings or errors if the {lcao} detects any issues with the `extraManifests` parameters.
+* Validation errors if the {lcao} detects any issues with the `oadpContent` parameters.
+
+Validation warnings do not block the `Upgrade` stage but you must decide if it is safe to proceed with the upgrade.
+These warnings, for example missing CRDs, namespaces, or dry run failures, update the `status.conditions` for the `Prep` stage and `annotation` fields in the `ImageBasedUpgrade` CR with details about the warning.
+
+.Example validation warning
+[source,yaml]
+----
+[...]
+metadata:
+annotations:
+  extra-manifest.lca.openshift.io/validation-warning: '...'
+[...]
+----
+
+However, validation errors, such as adding `MachineConfig` or Operator manifests to extra manifests, cause the `Prep` stage to fail and block the `Upgrade` stage.
+
+When the validations pass, the cluster creates a new `ostree` stateroot, which involves pulling and unpacking the seed image, and running host-level commands.
+Finally, all the required images are precached on the target cluster.
+--
+
+.Verification
+
+* Check the status of the `ImageBasedUpgrade` CR by running the following command:
++
+--
+[source,terminal]
+----
+$ oc get ibu -o yaml
+----
+
+.Example output
+[source,yaml]
+----
+  conditions:
+  - lastTransitionTime: "2024-01-01T09:00:00Z"
+    message: In progress
+    observedGeneration: 13
+    reason: InProgress
+    status: "False"
+    type: Idle
+  - lastTransitionTime: "2024-01-01T09:00:00Z"
+    message: Prep completed
+    observedGeneration: 13
+    reason: Completed
+    status: "False"
+    type: PrepInProgress
+  - lastTransitionTime: "2024-01-01T09:00:00Z"
+    message: Prep stage completed successfully
+    observedGeneration: 13
+    reason: Completed
+    status: "True"
+    type: PrepCompleted
+  observedGeneration: 13
+  validNextStages:
+  - Idle
+  - Upgrade
+----
+--
\ No newline at end of file
diff --git a/modules/cnf-image-based-upgrade-rollback.adoc b/modules/cnf-image-based-upgrade-rollback.adoc
new file mode 100644
index 000000000000..142186b157fe
--- /dev/null
+++ b/modules/cnf-image-based-upgrade-rollback.adoc
@@ -0,0 +1,59 @@
+// Module included in the following assemblies:
+// * edge_computing/image-based-upgrade/cnf-image-based-upgrade-base.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="ztp-image-based-upgrade-rollback_{context}"]
+= (Optional) Moving to the Rollback stage of the image-based upgrade with {lcao}
+
+An automatic rollback is initiated if the upgrade does not complete within the time frame specified in the `initMonitorTimeoutSeconds` field after rebooting.
+
+.Example ImageBasedUpgrade CR
+[source,yaml]
+----
+apiVersion: lca.openshift.io/v1
+kind: ImageBasedUpgrade
+metadata:
+  name: upgrade
+spec:
+  stage: Idle
+  seedImageRef:
+    version: 4.15.2
+    image: <seed_container_image>
+  autoRollbackOnFailure: {}
+#    initMonitorTimeoutSeconds: 1800 <1>
+[...]
+----
+<1> (Optional) Specify the time frame in seconds to roll back if the upgrade does not complete within that time frame after the first reboot. If not defined or set to `0`, the default value of `1800` seconds (30 minutes) is used.
+
+You can manually roll back the changes if you encounter unresolvable issues after an upgrade.
+
+.Prerequisites
+
+* Log in to the hub cluster as a user with `cluster-admin` privileges.
+
+.Procedure
+
+. To move to the rollback stage, patch the value of the `stage` field to `Rollback` in the `ImageBasedUpgrade` CR by running the following command:
++
+--
+[source,terminal]
+----
+$ oc patch imagebasedupgrades.lca.openshift.io upgrade -p='{"spec": {"stage": "Rollback"}}' --type=merge
+----
+
+The {lcao} reboots the cluster with the previously installed version of {product-title} and restores the applications.
+--
+
+. If you are satisfied with the changes, finalize the rollback by patching the value of the `stage` field to `Idle` in the `ImageBasedUpgrade` CR by running the following command:
++
+--
+[source,terminal]
+----
+$ oc patch imagebasedupgrades.lca.openshift.io upgrade -p='{"spec": {"stage": "Idle"}}' --type=merge -n openshift-lifecycle-agent
+----
+
+[WARNING]
+====
+If you move to the `Idle` stage after a rollback, the {lcao} cleans up resources that can be used to troubleshoot a failed upgrade.
+====
+--
diff --git a/modules/cnf-image-based-upgrade-seed-image-config.adoc b/modules/cnf-image-based-upgrade-seed-image-config.adoc
new file mode 100644
index 000000000000..649aa5189d74
--- /dev/null
+++ b/modules/cnf-image-based-upgrade-seed-image-config.adoc
@@ -0,0 +1,129 @@
+// Module included in the following assemblies:
+// * edge_computing/image-based-upgrade/cnf-preparing-for-image-based-upgrade.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="ztp-image-based-seed-image-config_{context}"]
+= Seed image configuration
+
+The seed image targets a set of {sno} clusters with similar configuration.
+This means that the seed image must have all of the components and configuration that the seed cluster shares with the target clusters.
+Therefore, the seed image generated from the seed cluster cannot contain any cluster-specific configuration.
+
+The following table lists the components, resources, and configurations that you must and must not include in your seed image:
+
+.Seed image configuration
+[cols=2*, width="80%", options="header"]
+|====
+|Cluster configuration
+|Include in seed image
+
+|Performance profile
+|Yes
+
+|`MachineConfig` resources for the target cluster
+|Yes
+
+|IP version ^[1]^
+|Yes
+
+|Set of Day 2 Operators, including the {lcao} and the OADP Operator
+|Yes
+
+|Disconnected registry configuration
+|Yes
+
+|Valid proxy configuration ^[2]^
+|Yes
+
+|FIPS configuration
+|Yes
+
+|Dedicated partition on the primary disk for container storage that matches the size of the target clusters
+|Yes
+
+a|Local volumes
+
+* `StorageClass` used in `LocalVolume` for LSO
+* `LocalVolume` for LSO
+* `LVMCluster` CR for LVMS
+|No
+
+|OADP `DataProtectionApplication` CR
+|No
+|====
+. Dual-stack networking is not supported in this release.
+. The proxy configuration does not have to be the same.
+
+[id="ztp-image-based-upgrade-seed-image-config-ran_{context}"]
+== Seed image configuration using the RAN DU profile
+
+The following table lists the components, resources, and configurations that you must and must not include in the seed image when using the RAN DU profile:
+
+.Seed image configuration with RAN DU profile
+[cols=2*, width="80%", options="header"]
+|====
+|Resource
+|Include in seed image
+
+|All extra manifests that are applied as part of Day 0 installation
+|Yes
+
+|All Day 2 Operator subscriptions
+|Yes
+
+|`ClusterLogging.yaml`
+|Yes
+
+|`DisableOLMPprof.yaml`
+|Yes
+
+|`TunedPerformancePatch.yaml`
+|Yes
+
+|`PerformanceProfile.yaml`
+|Yes
+
+|`SriovOperatorConfig.yaml`
+|Yes
+
+|`DisableSnoNetworkDiag.yaml`
+|Yes
+
+|`StorageClass.yaml`
+|No, if it is used in `StorageLV.yaml`
+
+|`StorageLV.yaml`
+|No
+
+|`StorageLVMCluster.yaml`
+|No
+|====
+
+.Seed image configuration with RAN DU profile for extra manifests
+[cols=2*, width="80%", options="header"]
+|====
+|Resource
+|Apply as extra manifest
+
+|`ClusterLogForwarder.yaml`
+|Yes
+
+|`ReduceMonitoringFootprint.yaml`
+|Yes
+
+|`SriovFecClusterConfig.yaml`
+|Yes
+
+|`PtpOperatorConfigForEvent.yaml`
+|Yes
+
+|`DefaultCatsrc.yaml`
+|Yes
+
+|`PtpConfig.yaml`
+|If the interfaces of the target cluster are common with the seed cluster, you can include them in the seed image. Otherwise, apply it as extra manifests.
+
+a|`SriovNetwork.yaml`
+`SriovNetworkNodePolicy.yaml`
+|If the configuration, including namespaces, is exactly the same on both the seed and target cluster, you can include them in the seed image. Otherwise, apply them as extra manifests.
+|====
\ No newline at end of file
diff --git a/modules/cnf-image-based-upgrade-shared-container-directory.adoc b/modules/cnf-image-based-upgrade-shared-container-directory.adoc
new file mode 100644
index 000000000000..62733cca6e58
--- /dev/null
+++ b/modules/cnf-image-based-upgrade-shared-container-directory.adoc
@@ -0,0 +1,68 @@
+// Module included in the following assemblies:
+// * edge_computing/image-based-upgrade/cnf-preparing-for-image-based-upgrade.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="cnf-image-based-upgrade-shared-container-directory_{context}"]
+= Configuring a shared container directory between ostree stateroots
+
+Apply a `MachineConfig` to both the seed and the target clusters during installation time to create a separate partition and share the `/var/lib/containers` directory between the two `ostree` stateroots that will be used during the upgrade process.
+
+[IMPORTANT]
+====
+You must complete this procedure at installation time.
+====
+
+.Procedure
+
+* Apply a `MachineConfig` to create a separate partition:
++
+[source,yaml]
+----
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+  labels:
+    machineconfiguration.openshift.io/role: master
+  name: 98-var-lib-containers-partitioned
+spec:
+  config:
+    ignition:
+      version: 3.2.0
+    storage:
+      disks:
+        - device: /dev/disk/by-id/wwn-<root_disk> <1>
+          partitions:
+            - label: varlibcontainers
+              startMiB: <start_of_partition> <2>
+              sizeMiB: <partition_size> <3>
+      filesystems:
+        - device: /dev/disk/by-partlabel/varlibcontainers
+          format: xfs
+          mountOptions:
+            - defaults
+            - prjquota
+          path: /var/lib/containers
+          wipeFilesystem: true
+    systemd:
+      units:
+        - contents: |-
+            # Generated by Butane
+            [Unit]
+            Before=local-fs.target
+            Requires=systemd-fsck@dev-disk-by\x2dpartlabel-varlibcontainers.service
+            After=systemd-fsck@dev-disk-by\x2dpartlabel-varlibcontainers.service
+
+            [Mount]
+            Where=/var/lib/containers
+            What=/dev/disk/by-partlabel/varlibcontainers
+            Type=xfs
+            Options=defaults,prjquota
+
+            [Install]
+            RequiredBy=local-fs.target
+          enabled: true
+          name: var-lib-containers.mount
+----
+<1> Specify the root disk.
+<2> Specify the start of the partition in MiB. If the value is too small, the installation will fail.
+<3> Specify a minimum size for the partition of 500 GB to ensure adequate disk space for precached images. If the value is too small, the deployments after installation will fail.
\ No newline at end of file
diff --git a/modules/cnf-image-based-upgrade-troubleshooting.adoc b/modules/cnf-image-based-upgrade-troubleshooting.adoc
new file mode 100644
index 000000000000..86e0eca5ed69
--- /dev/null
+++ b/modules/cnf-image-based-upgrade-troubleshooting.adoc
@@ -0,0 +1,311 @@
+// Module included in the following assemblies:
+// * edge_computing/image-based-upgrade/cnf-image-based-upgrade-base.adoc
+// * edge_computing/image-based-upgrade/ztp-image-based-upgrade.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="ztp-image-based-upgrade-troubleshooting_{context}"]
+= Troubleshooting image-based upgrades with {lcao}
+
+You can encounter issues during the image-based upgrade.
+
+[id="ztp-image-based-upgrade-troubleshooting-must-gather_{context}"]
+== Collecting logs
+
+You can use the `oc adm must-gather` CLI to collect information for debugging and troubleshooting.
+
+.Procedure
+
+* Collect data about the Operators by running the following command:
++
+[source,terminal]
+----
+$  oc adm must-gather \
+--dest-dir=must-gather/tmp \
+--image=$(oc -n openshift-lifecycle-agent get deployment.apps/lifecycle-agent-controller-manager -o jsonpath='{.spec.template.spec.containers[?(@.name == "manager")].image}') \
+--image=quay.io/konveyor/oadp-must-gather:latest \// <1>
+--image=quay.io/openshift/origin-must-gather:latest <2>
+----
+<1> (Optional) You can add this options if you need to gather more information from the OADP Operator.
+<2> (Optional) You can add this options if you need to gather more information from the SR-IOV Operator.
+
+[id="ztp-image-based-upgrade-troubleshooting-manual-cleanup_{context}"]
+== AbortFailed or FinalizeFailed error
+
+Issue::
++
+--
+During the finalize stage or when you stop the process at the `Prep` stage, {lcao} cleans up the following resources:
+
+* Stateroot that is no longer required
+* Precaching resources
+* OADP CRs
+* `ImageBasedUpgrade` CR
+
+If the {lcao} fails to perform the above steps, it transitions to the `AbortFailed` or `FinalizeFailed` states.
+The condition message and log show which steps failed.
+
+.Example error message
+[source,yaml]
+----
+message: failed to delete all the backup CRs. Perform cleanup manually then add 'lca.openshift.io/manual-cleanup-done' annotation to ibu CR to transition back to Idle
+      observedGeneration: 5
+      reason: AbortFailed
+      status: "False"
+      type: Idle
+----
+--
+
+Resolution::
++
+--
+. Inspect the logs to determine why the failure occurred.
+
+. To prompt {lcao} to retry the cleanup, add the `lca.openshift.io/manual-cleanup-done` annotation to the `ImageBasedUpgrade` CR.
+
++
+After observing this annotation, {lcao} retries the cleanup and, if it is successful, the `ImageBasedUpgrade` stage transitions to `Idle`.
+
++
+If the cleanup fails again, you can manually clean up the resources.
+--
+
+[id="ztp-image-based-upgrade-troubleshooting-stateroot_{context}"]
+=== Cleaning up stateroot manually
+
+Issue::
+
+Stopping at the `Prep` stage, {lcao} cleans up the new stateroot. When finalizing after a successful upgrade or a rollback, {lcao} cleans up the old stateroot.
+If this step fails, it is recommended that you inspect the logs to determine why the failure occurred.
+
+Resolution::
++
+--
+. Check if there are any existing deployments in the stateroot by running the following command:
++
+[source,terminal]
+----
+$ ostree admin status
+----
+
+. If there are any, clean up the existing deployment by running the following command:
++
+[source,terminal]
+----
+$ ostree admin undeploy <index_of_deployment>
+----
+
+. After cleaning up all the deployments of the stateroot, wipe the stateroot directory by running the following commands:
+
++
+[WARNING]
+====
+Ensure that the booted deployment is not in this stateroot.
+====
+
++
+[source,terminal]
+----
+$ stateroot="<stateroot_to_delete>"
+----
+
++
+[source,terminal]
+----
+$ unshare -m /bin/sh -c "mount -o remount,rw /sysroot && rm -rf /sysroot/ostree/deploy/${stateroot}"
+----
+--
+
+[id="ztp-image-based-upgrade-troubleshooting-oadp-resources_{context}"]
+=== Cleaning up OADP resources manually
+
+Issue::
+
+Automatic cleanup of OADP resources can fail due to connection issues between {lcao} and the S3 backend. By restoring the connection and adding the `lca.openshift.io/manual-cleanup-done` annotation, the {lcao} can successfully cleanup backup resources.
+
+Resolution::
+--
+. Check the backend connectivity by running the following command:
++
+[source,terminal]
+----
+$ oc get backupstoragelocations.velero.io -n openshift-adp
+----
+
++
+.Example output
+[source,terminal]
+----
+NAME                          PHASE       LAST VALIDATED   AGE   DEFAULT
+dataprotectionapplication-1   Available   33s              8d    true
+----
+
+. Remove all backup resources and then add the `lca.openshift.io/manual-cleanup-done` annotation to the `ImageBasedUpgrade` CR.
+--
+
+[id="ztp-image-based-upgrade-troubleshooting-lvms_{context}"]
+== {lvms} volume contents not restored
+
+When {lvms} is used to provide dynamic persistent volume storage, {lvms} might not restore the persistent volume contents if it is configured incorrectly.
+
+[id="ztp-image-based-upgrade-troubleshooting-lvms-backup_{context}"]
+=== Missing {lvms}-related fields in Backup CR
+
+Issue::
+Your `Backup` CRs might be missing fields that are needed to restore your persistent volumes.
+You can check for events in your application pod to determine if you have this issue by running the following:
++
+--
+[source,terminal]
+----
+$ oc describe pod <your_app_name>
+----
+
+.Example output showing missing {lvms}-related fields in Backup CR
+[source,terminal]
+----
+Events:
+  Type     Reason            Age                From               Message
+  ----     ------            ----               ----               -------
+  Warning  FailedScheduling  58s (x2 over 66s)  default-scheduler  0/1 nodes are available: pod has unbound immediate PersistentVolumeClaims. preemption: 0/1 nodes are available: 1 Preemption is not helpful for scheduling..
+  Normal   Scheduled         56s                default-scheduler  Successfully assigned default/db-1234 to sno1.example.lab
+  Warning  FailedMount       24s (x7 over 55s)  kubelet            MountVolume.SetUp failed for volume "pvc-1234" : rpc error: code = Unknown desc = VolumeID is not found
+----
+--
+
+Resolution::
+You must include `logicalvolumes.topolvm.io` in the application `Backup` CR.
+Without this resource, the application restores its persistent volume claims and persistent volume manifests correctly, however, the `logicalvolume` associated with this persistent volume is not restored properly after pivot.
++
+.Example Backup CR
+[source,yaml]
+----
+apiVersion: velero.io/v1
+kind: Backup
+metadata:
+  labels:
+    velero.io/storage-location: default
+  name: small-app
+  namespace: openshift-adp
+spec:
+  includedNamespaces:
+  - test
+  includedNamespaceScopedResources:
+  - secrets
+  - persistentvolumeclaims
+  - deployments
+  - statefulsets
+  includedClusterScopedResources: <1>
+  - persistentVolumes
+  - volumesnapshotcontents
+  - logicalvolumes.topolvm.io
+----
+<1> To restore the persistent volumes for your application, you must configure this section as shown.
+
+[id="ztp-image-based-upgrade-troubleshooting-lvms-restore_{context}"]
+=== Missing {lvms}-related fields in Restore CR
+
+Issue::
+The expected resources for the applications are restored but the persistent volume contents are not preserved after upgrading.
+
+. List the persistent volumes for you applications by running the following command before pivot:
++
+--
+[source,terminal]
+----
+$ oc get pv,pvc,logicalvolumes.topolvm.io -A
+----
+
+.Example output before pivot
+[source,terminal]
+----
+NAME                        CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM            STORAGECLASS   REASON   AGE
+persistentvolume/pvc-1234   1Gi        RWO            Retain           Bound    default/pvc-db   lvms-vg1                4h45m
+
+NAMESPACE   NAME                           STATUS   VOLUME     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
+default     persistentvolumeclaim/pvc-db   Bound    pvc-1234   1Gi        RWO            lvms-vg1       4h45m
+
+NAMESPACE   NAME                                AGE
+            logicalvolume.topolvm.io/pvc-1234   4h45m
+----
+--
+
+. List the persistent volumes for you applications by running the following command after pivot:
++
+--
+[source,terminal]
+----
+$ oc get pv,pvc,logicalvolumes.topolvm.io -A
+----
+
+.Example output after pivot
+[source,terminal]
+----
+NAME                        CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM            STORAGECLASS   REASON   AGE
+persistentvolume/pvc-1234   1Gi        RWO            Delete           Bound    default/pvc-db   lvms-vg1                19s
+
+NAMESPACE   NAME                           STATUS   VOLUME     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
+default     persistentvolumeclaim/pvc-db   Bound    pvc-1234   1Gi        RWO            lvms-vg1       19s
+
+NAMESPACE   NAME                                AGE
+            logicalvolume.topolvm.io/pvc-1234   18s
+----
+--
+
+Resolution::
+The reason for this issue is that the `logicalvolume` status is not preserved in the `Restore` CR.
+This status is important because it is required for Velero to reference the volumes that must be preserved after pivoting.
+You must include the following fields in the application `Restore` CR:
++
+.Example Restore CR
+[source,yaml]
+----
+apiVersion: velero.io/v1
+kind: Restore
+metadata:
+  name: sample-vote-app
+  namespace: openshift-adp
+  labels:
+    velero.io/storage-location: default
+  annotations:
+    lca.openshift.io/apply-wave: "3"
+spec:
+  backupName:
+    sample-vote-app
+  restorePVs: true <1>
+  restoreStatus: <2>
+    includedResources:
+      - logicalvolumes
+----
+<1> To preserve the persistent volumes for your application, you must set `restorePVs` to `true`.
+<2> To preserve the persistent volumes for your application, you must configure this section as shown.
+
+[id="ztp-image-based-upgrade-troubleshooting-debugging-oadp-crs_{context}"]
+== Debugging failed Backup and Restore CRs
+
+Issue::
+The backup or restoration of artifacts failed.
+
+Resolution::
+You can debug `Backup` and `Restore` CRs and retrieve logs with the Velero CLI tool.
+The Velero CLI tool provides more detailed information than the OpenShift CLI tool.
+
+. Describe the `Backup` CR that contains errors by running the following command:
++
+[source,terminal]
+----
+$ oc exec -n openshift-adp velero-7c87d58c7b-sw6fc -c velero -- ./velero describe backup -n openshift-adp backup-acm-klusterlet --details
+----
+
+. Describe the `Restore` CR that contains errors by running the following command:
++
+[source,terminal]
+----
+$ oc exec -n openshift-adp velero-7c87d58c7b-sw6fc -c velero -- ./velero describe restore -n openshift-adp restore-acm-klusterlet --details
+----
+
+. Download the backed up resources to a local directory by running the following command:
++
+[source,terminal]
+----
+$ oc exec -n openshift-adp velero-7c87d58c7b-sw6fc -c velero -- ./velero backup download -n openshift-adp backup-acm-klusterlet -o ~/backup-acm-klusterlet.tar.gz
+----
\ No newline at end of file
diff --git a/modules/cnf-image-based-upgrade-with-backup.adoc b/modules/cnf-image-based-upgrade-with-backup.adoc
new file mode 100644
index 000000000000..569c32770ed7
--- /dev/null
+++ b/modules/cnf-image-based-upgrade-with-backup.adoc
@@ -0,0 +1,171 @@
+// Module included in the following assemblies:
+// * edge_computing/image-based-upgrade/cnf-image-based-upgrade-base.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="ztp-image-based-upgrading-with-backup_{context}"]
+= Moving to the Upgrade stage of the image-based upgrade with {lcao}
+
+After you generate the seed image and complete the `Prep` stage, you can upgrade the target cluster.
+During the upgrade process, the OADP Operator creates a backup of the artifacts specified in the OADP custom resources (CRs), then the {lcao} upgrades the cluster.
+
+If the upgrade fails or stops, an automatic rollback is initiated.
+If you have an issue after the upgrade, you can initiate a manual rollback.
+For more information about manual rollback, see "(Optional) Initiating a rollback with {lcao}".
+
+.Prerequisites
+
+* Complete the `Prep` stage.
+
+.Procedure
+
+. To move to the `Upgrade` stage, change the value of the `stage` field to `Upgrade` in the `ImageBasedUpgrade` CR by running the following command:
++
+[source,terminal]
+----
+$ oc patch imagebasedupgrades.lca.openshift.io upgrade -p='{"spec": {"stage": "Upgrade"}}' --type=merge
+----
+
+. Check the status of the `ImageBasedUpgrade` CR by running the following command:
++
+--
+[source,terminal]
+----
+$ oc get ibu -o yaml
+----
+
+.Example output
+[source,yaml]
+----
+status:
+  conditions:
+  - lastTransitionTime: "2024-01-01T09:00:00Z"
+    message: In progress
+    observedGeneration: 5
+    reason: InProgress
+    status: "False"
+    type: Idle
+  - lastTransitionTime: "2024-01-01T09:00:00Z"
+    message: Prep completed
+    observedGeneration: 5
+    reason: Completed
+    status: "False"
+    type: PrepInProgress
+  - lastTransitionTime: "2024-01-01T09:00:00Z"
+    message: Prep completed successfully
+    observedGeneration: 5
+    reason: Completed
+    status: "True"
+    type: PrepCompleted
+  - lastTransitionTime: "2024-01-01T09:00:00Z"
+    message: |-
+      Waiting for system to stabilize: one or more health checks failed
+        - one or more ClusterOperators not yet ready: authentication
+        - one or more MachineConfigPools not yet ready: master
+        - one or more ClusterServiceVersions not yet ready: sriov-fec.v2.8.0
+    observedGeneration: 1
+    reason: InProgress
+    status: "True"
+    type: UpgradeInProgress
+  observedGeneration: 1
+  rollbackAvailabilityExpiration: "2024-05-19T14:01:52Z"
+  validNextStages:
+  - Rollback
+----
+
+The OADP Operator creates a backup of the data specified in the OADP `Backup` and `Restore` CRs and the target cluster reboots.
+--
+
+. Monitor the status of the CR by running the following command:
++
+[source,terminal]
+----
+$ oc get ibu -o yaml
+----
+
+. If you are satisfied with the upgrade, finalize the changes by patching the value of the `stage` field to `Idle` in the `ImageBasedUpgrade` CR by running the following command:
++
+--
+[source,terminal]
+----
+$ oc patch imagebasedupgrades.lca.openshift.io upgrade -p='{"spec": {"stage": "Idle"}}' --type=merge
+----
+
+[IMPORTANT]
+====
+You cannot roll back the changes once you move to the `Idle` stage after an upgrade.
+====
+
+The {lcao} deletes all resources created during the upgrade process.
+--
+
+.Verification
+
+. Check the status of the `ImageBasedUpgrade` CR by running the following command:
++
+--
+[source,terminal]
+----
+$ oc get ibu -o yaml
+----
+
+.Example output
+[source,yaml]
+----
+status:
+  conditions:
+  - lastTransitionTime: "2024-01-01T09:00:00Z"
+    message: In progress
+    observedGeneration: 5
+    reason: InProgress
+    status: "False"
+    type: Idle
+  - lastTransitionTime: "2024-01-01T09:00:00Z"
+    message: Prep completed
+    observedGeneration: 5
+    reason: Completed
+    status: "False"
+    type: PrepInProgress
+  - lastTransitionTime: "2024-01-01T09:00:00Z"
+    message: Prep completed successfully
+    observedGeneration: 5
+    reason: Completed
+    status: "True"
+    type: PrepCompleted
+  - lastTransitionTime: "2024-01-01T09:00:00Z"
+    message: Upgrade completed
+    observedGeneration: 1
+    reason: Completed
+    status: "False"
+    type: UpgradeInProgress
+  - lastTransitionTime: "2024-01-01T09:00:00Z"
+    message: Upgrade completed
+    observedGeneration: 1
+    reason: Completed
+    status: "True"
+    type: UpgradeCompleted
+  observedGeneration: 1
+  rollbackAvailabilityExpiration: "2024-01-01T09:00:00Z"
+  validNextStages:
+  - Idle
+  - Rollback
+----
+--
+
+. Check the status of the cluster restoration by running the following command:
++
+--
+[source,terminal]
+----
+$ oc get restores -n openshift-adp -o custom-columns=NAME:.metadata.name,Status:.status.phase,Reason:.status.failureReason
+----
+
+.Example output
+[source,terminal]
+----
+NAME             Status      Reason
+acm-klusterlet   Completed   <none> <1>
+apache-app       Completed   <none>
+localvolume      Completed   <none>
+----
+<1> The `acm-klusterlet` is specific to {rh-rhacm} environments only.
+--
\ No newline at end of file
diff --git a/modules/cnf-image-based-upgrade.adoc b/modules/cnf-image-based-upgrade.adoc
new file mode 100644
index 000000000000..9acb1b074d1c
--- /dev/null
+++ b/modules/cnf-image-based-upgrade.adoc
@@ -0,0 +1,105 @@
+// Module included in the following assemblies:
+// * edge_computing/image-based-upgrade/cnf-understanding-image-based-upgrade.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="ztp-image-based-upgrade-concept-stages_{context}"]
+= Stages of the image-based upgrade
+
+After generating the seed image on the seed cluster, you can move through the stages on the target cluster by setting the `spec.stage` field to one of the following values in the `ImageBasedUpgrade` CR:
+
+* `Idle`
+* `Prep`
+* `Upgrade`
+* `Rollback` (Optional)
+
+image::../images/696_OpenShift_Lifecycle_Agent_0624_0.png[Stages of the image-based upgrade]
+
+[id="ztp-image-based-upgrade-concept-idle_{context}"]
+== Idle stage
+
+The {lcao} creates an `ImageBasedUpgrade` CR set to `stage: Idle` when the Operator is first deployed.
+This is the default stage.
+There is no ongoing upgrade and the cluster is ready to move to the `Prep` stage.
+
+image::../images/696_OpenShift_Lifecycle_Agent_0624_1.png[Transition from Idle stage]
+
+You also move to the `Idle` stage to do one of the following steps:
+
+* Finalize a successful upgrade
+* Finalize a rollback
+* Cancel an ongoing upgrade until the pre-pivot phase in the `Upgrade` stage
+
+Moving to the `Idle` stage ensures that the {lcao} cleans up resources, so that the cluster is ready for upgrades again.
+
+image::../images/696_OpenShift_Lifecycle_Agent_0624_2.png[Transitions to Idle stage]
+
+[IMPORTANT]
+====
+If using {rh-rhacm} when you cancel an upgrade, you must remove the `import.open-cluster-management.io/disable-auto-import` annotation from the target managed cluster to re-enable the automatic import of the cluster.
+====
+
+[id="ztp-image-based-upgrade-concept-prep_{context}"]
+== Prep stage
+
+[NOTE]
+====
+You can complete this stage before a scheduled maintenance window.
+====
+
+For the `Prep` stage, you specify the following upgrade details in the `ImageBasedUpgrade` CR:
+
+* seed image to use
+* resources to back up
+* extra manifests to apply and custom catalog sources to retain after the upgrade, if any
+
+Then, based on what you specify, the {lcao} prepares for the upgrade without impacting the current running version.
+During this stage, the {lcao} ensures that the target cluster is ready to proceed to the `Upgrade` stage by checking if it meets certain conditions and pulls the seed image to the target cluster with additional container images specified in the seed image.
+
+You also prepare backup resources with the OADP Operator's `Backup` and `Restore` CRs.
+These CRs are used in the `Upgrade` stage to reconfigure the cluster, register the cluster with {rh-rhacm}, and restore application artifacts.
+
+In addition to the OADP Operator, the {lcao} uses the `ostree` versioning system to create a backup, which allows complete cluster reconfiguration after both upgrade and rollback.
+
+After the `Prep` stage finishes, you can cancel the upgrade process by moving to the `Idle` stage or you can start the upgrade by moving to the `Upgrade` stage in the `ImageBasedUpgrade` CR.
+If you cancel the upgrade, the Operator performs cleanup operations.
+
+image::../images/696_OpenShift_Lifecycle_Agent_0624_3.png[Transition from Prep stage]
+
+[id="ztp-image-based-upgrade-concept-upgrade_{context}"]
+== Upgrade stage
+
+The `Upgrade` stage consists of two phases:
+
+pre-pivot:: Just before pivoting to the new stateroot, the {lcao} collects the required cluster specific artifacts and stores them in the new stateroot. The backup of your cluster resources specified in the `Prep` stage are created on a compatible Object storage solution. The {lcao} exports CRs specified in the `extraManifests` field in the `ImageBasedUpgrade` CR or the CRs described in the ZTP policies that are bound to the target cluster. After pre-pivot phase has completed, the {lcao} sets the new stateroot deployment as the default boot entry and reboots the node.
+post-pivot:: After booting from the new stateroot, the {lcao} reconfigures the cluster by applying cluster-specific artifacts that were collected in the pre-pivot phase. The Operator applies all saved CRs, and restores the backups.
+The Operator also regenerates the seed image's cluster cryptography.
+This ensures that each {sno} cluster upgraded with the same seed image has unique and valid cryptographic objects.
+
+After the upgrade has completed and you are satisfied with the changes, you can finalize the upgrade by moving to the `Idle` stage.
+
+[IMPORTANT]
+====
+When you finalize the upgrade, you cannot roll back to the original release.
+====
+
+image::../images/696_OpenShift_Lifecycle_Agent_0624_4.png[Transitions from Upgrade stage]
+
+If you want to cancel the upgrade, you can do so until the pre-pivot phase of the `Upgrade` stage.
+If you encounter issues after the upgrade, you can move to the `Rollback` stage for a manual rollback.
+
+[id="ztp-image-based-upgrade-concept-rollback_{context}"]
+== (Optional) Rollback stage
+
+The `Rollback` stage can be initiated manually or automatically upon failure.
+During the `Rollback` stage, the {lcao} sets the original `ostree` stateroot deployment as default.
+Then, the node reboots with the previous release of {product-title} and application configurations.
+
+[WARNING]
+====
+If you move to the `Idle` stage after a rollback, the {lcao} cleans up resources that can be used to troubleshoot a failed upgrade.
+====
+
+The {lcao} initiates an automatic rollback if the upgrade does not complete within a specified time limit.
+For more information about the automatic rollback, see the relevant _(Optional) Initiating a rollback with Lifecycle Agent_ sections.
+
+image::../images/696_OpenShift_Lifecycle_Agent_0624_4.png[Transition from Rollback stage]
\ No newline at end of file
diff --git a/modules/cnf-installing-amq-interconnect-messaging-bus.adoc b/modules/cnf-installing-amq-interconnect-messaging-bus.adoc
index 5279cb2c5ef5..21e7ce0a61c4 100644
--- a/modules/cnf-installing-amq-interconnect-messaging-bus.adoc
+++ b/modules/cnf-installing-amq-interconnect-messaging-bus.adoc
@@ -8,12 +8,10 @@
 
 To pass PTP fast event notifications between publisher and subscriber on a node, you can install and configure an AMQ messaging bus to run locally on the node.
 To use AMQ messaging, you must install the AMQ Interconnect Operator.
-
 include::snippets/ptp-amq-interconnect-eol.adoc[]
 
 .Prerequisites
 
-* Install the {product-title} CLI (`oc`).
 
 * Log in as a user with `cluster-admin` privileges.
 
diff --git a/modules/cnf-performance-profile-creator-arguments.adoc b/modules/cnf-performance-profile-creator-arguments.adoc
index e83293a017bd..d55d6f948296 100644
--- a/modules/cnf-performance-profile-creator-arguments.adoc
+++ b/modules/cnf-performance-profile-creator-arguments.adoc
@@ -23,6 +23,15 @@ Default: `false`.
 If this argument is set to `true` you should not disable hyperthreading in the BIOS. Disabling hyperthreading is accomplished with a kernel command line argument.
 ====
 
+| --enable-hardware-tuning 
+a|Enable the setting of maximum CPU frequencies. 
+This parameter is optional.
+
+To enable this feature, set the maximum frequency for applications running on isolated and reserved CPUs for both of the following:
+
+* `spec.hardwareTuning.isolatedCpuFreq` 
+* `spec.hardwareTuning.reservedCpuFreq`
+
 | `info`
 a| This captures cluster information and is used in discovery mode only. Discovery mode also requires the `must-gather-dir-path` argument. If any other arguments are set they are ignored.
 
diff --git a/modules/cnf-running-the-performance-creator-profile-offline.adoc b/modules/cnf-running-the-performance-creator-profile-offline.adoc
index 741342f9d687..ed8b3bbf14f8 100644
--- a/modules/cnf-running-the-performance-creator-profile-offline.adoc
+++ b/modules/cnf-running-the-performance-creator-profile-offline.adoc
@@ -154,6 +154,7 @@ Flags:
       --split-reserved-cpus-across-numa   Split the Reserved CPUs across NUMA nodes
       --topology-manager-policy string    Kubelet Topology Manager Policy of the performance profile to be created. [Valid values: single-numa-node, best-effort, restricted] (default "restricted")
       --user-level-networking             Run with User level Networking(DPDK) enabled
+      --enable-hardware-tuning            Enable setting maximum CPU frequencies
 ----
 +
 [NOTE]
@@ -248,6 +249,29 @@ spec:
   realTimeKernel:
     enabled: false
 ----
++
+[NOTE]
+--
+When you pass the argument `--enable-hardware-tuning` as a flag to the Performance Profile Creator, the generated `PerformanceProfile` includes guidance on how to set frequency settings as follows:
+
+[source,yaml]
+----
+apiVersion: performance.openshift.io/v2
+kind: PerformanceProfile
+metadata:
+  name: performance
+spec:
+……………………
+……………………
+#HardwareTuning is an advanced feature, and only intended to be used if 
+#user is aware of the vendor recommendation on maximum cpu frequency.
+#The structure must follow
+#
+# hardwareTuning:
+#   isolatedCpuFreq: <Maximum frequency for applications running on isolated CPUs>
+#   reservedCpuFreq: <Maximum frequency for platform software running on reserved CPUs>
+----
+--
 
 . Apply the generated profile:
 +
diff --git a/modules/cnf-topology-aware-lifecycle-manager-backup-recovery.adoc b/modules/cnf-topology-aware-lifecycle-manager-backup-recovery.adoc
index ceb398af8306..623a75a0e0b1 100644
--- a/modules/cnf-topology-aware-lifecycle-manager-backup-recovery.adoc
+++ b/modules/cnf-topology-aware-lifecycle-manager-backup-recovery.adoc
@@ -42,8 +42,10 @@ $ oc delete cgu/du-upgrade-4918 -n ztp-group-du-sno
 ----
 $ ostree admin status
 ----
-.Example outputs
 +
+--
+.Example outputs
+
 [source,terminal]
 ----
 [root@lab-test-spoke2-node-0 core]# ostree admin status
@@ -53,7 +55,7 @@ $ ostree admin status
     origin refspec: c038a8f08458bbed83a77ece033ad3c55597e3f64edad66ea12fda18cbdceaf9
 ----
 <1> The current deployment is pinned. A platform OS deployment rollback is not necessary.
-+
+
 [source,terminal]
 ----
 [root@lab-test-spoke2-node-0 core]# ostree admin status
@@ -67,6 +69,7 @@ rhcos ad8f159f9dc4ea7e773fd9604c9a16be0fe9b266ae800ac8470f63abc39b52ca.0 (rollba
 ----
 <1> This platform OS deployment is marked for rollback.
 <2> The previous deployment is pinned and can be rolled back.
+--
 
 . To trigger a rollback of the platform OS deployment, run the following command:
 +
diff --git a/modules/cnf-topology-aware-lifecycle-manager-creating-custom-resources.adoc b/modules/cnf-topology-aware-lifecycle-manager-creating-custom-resources.adoc
index 77f1217030a6..abb8867997ad 100644
--- a/modules/cnf-topology-aware-lifecycle-manager-creating-custom-resources.adoc
+++ b/modules/cnf-topology-aware-lifecycle-manager-creating-custom-resources.adoc
@@ -4,7 +4,7 @@
 
 :_mod-docs-content-type: PROCEDURE
 [id="talm-prechache-user-specified-images-preparing-crs_{context}"]
-== Creating the custom resources for pre-caching
+= Creating the custom resources for pre-caching
 
 You must create the `PreCachingConfig` CR before or concurrently with the `ClusterGroupUpgrade` CR.
 
@@ -26,7 +26,7 @@ spec:
     - quay.io/exampleconfig/applicationN@sha256:4fe1334adfafadsf987123adfffdaf1243340adfafdedga0991234afdadfsa09
 ----
 <1> The `namespace` must be accessible to the hub cluster.
-<2>  It is recommended to set the minimum disk space required field to ensure that there is sufficient storage space for the pre-cached images.
+<2> It is recommended to set the minimum disk space required field to ensure that there is sufficient storage space for the pre-cached images.
 
 . Create a `ClusterGroupUpgrade` CR with the `preCaching` field set to `true` and specify the `PreCachingConfig` CR created in the previous step:
 +
@@ -225,4 +225,4 @@ $ chroot /host/
 [source,terminal]
 ----
 $ sudo podman images | grep <operator_name>
-----
\ No newline at end of file
+----
diff --git a/modules/cnf-topology-aware-lifecycle-manager-operator-and-platform-update.adoc b/modules/cnf-topology-aware-lifecycle-manager-operator-and-platform-update.adoc
index 8c94a5069707..a85a08158798 100644
--- a/modules/cnf-topology-aware-lifecycle-manager-operator-and-platform-update.adoc
+++ b/modules/cnf-topology-aware-lifecycle-manager-operator-and-platform-update.adoc
@@ -18,7 +18,7 @@ You can perform a platform and an Operator update at the same time.
 
 .Procedure
 
-. Create the `PolicyGenTemplate` CR for the updates by following the steps described in the "Performing a platform update" and "Performing an Operator update" sections.
+. Create the `{policy-gen-cr}` CR for the updates by following the steps described in the "Performing a platform update" and "Performing an Operator update" sections.
 
 . Apply the prep work for the platform and the Operator update.
 
diff --git a/modules/cnf-topology-aware-lifecycle-manager-operator-troubleshooting.adoc b/modules/cnf-topology-aware-lifecycle-manager-operator-troubleshooting.adoc
index a90d9986083a..036c41a136f9 100644
--- a/modules/cnf-topology-aware-lifecycle-manager-operator-troubleshooting.adoc
+++ b/modules/cnf-topology-aware-lifecycle-manager-operator-troubleshooting.adoc
@@ -3,53 +3,25 @@
 // * scalability_and_performance/ztp_far_edge/ztp-talm-updating-managed-policies.adoc
 
 :_mod-docs-content-type: PROCEDURE
-[id="cnf-topology-aware-lifecycle-manager-operator-troubleshooting_{context}"]
-= Troubleshooting missed Operator updates due to out-of-date policy compliance states
+[id="cnf-topology-aware-lifecycle-manager-operator-troubleshooting-{policy-gen-cr}_{context}"]
+= Troubleshooting missed Operator updates with {policy-gen-cr} CRs
 
 In some scenarios, {cgu-operator-first} might miss Operator updates due to an out-of-date policy compliance state.
 
 After a catalog source update, it takes time for the Operator Lifecycle Manager (OLM) to update the subscription status. The status of the subscription policy might continue to show as compliant while {cgu-operator} decides whether remediation is needed. As a result, the Operator specified in the subscription policy does not get upgraded.
 
-To avoid this scenario, add another catalog source configuration to the `PolicyGenTemplate` and specify this configuration in the subscription for any Operators that require an update.
+To avoid this scenario, add another catalog source configuration to the `{policy-gen-cr}` and specify this configuration in the subscription for any Operators that require an update.
 
 .Procedure
 
-. Add a catalog source configuration in the `PolicyGenTemplate` resource:
+. Add a catalog source configuration in the `{policy-gen-cr}` resource:
 +
-[source,yaml]
-----
-- fileName: DefaultCatsrc.yaml
-      remediationAction: inform
-      policyName: "operator-catsrc-policy"
-      metadata:
-        name: redhat-operators
-      spec:
-        displayName: Red Hat Operators Catalog
-        image: registry.example.com:5000/olm/redhat-operators:v{product-version}
-        updateStrategy:
-          registryPoll:
-            interval: 1h
-      status:
-        connectionState:
-            lastObservedState: READY
-- fileName: DefaultCatsrc.yaml
-      remediationAction: inform
-      policyName: "operator-catsrc-policy"
-      metadata:
-        name: redhat-operators-v2 <1>
-      spec:
-        displayName: Red Hat Operators Catalog v2 <2>
-        image: registry.example.com:5000/olredhat-operators:<version> <3>
-        updateStrategy:
-          registryPoll:
-            interval: 1h
-      status:
-        connectionState:
-            lastObservedState: READY
-----
-<1> Update the name for the new configuration.
-<2> Update the display name for the new configuration.
-<3> Update the index image URL. This `fileName.spec.image` field overrides any configuration in the `DefaultCatsrc.yaml` file.
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-cnf-topology-aware-lifecycle-manager-operator-troubleshooting.adoc[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-cnf-topology-aware-lifecycle-manager-operator-troubleshooting.adoc[]
+endif::[]
 
 . Update the `Subscription` resource to point to the new configuration for Operators that require an update:
 +
@@ -65,4 +37,4 @@ spec:
   source: redhat-operators-v2 <1>
 # ...
 ----
-<1> Enter the name of the additional catalog source configuration that you defined in the `PolicyGenTemplate` resource.
+<1> Enter the name of the additional catalog source configuration that you defined in the `{policy-gen-cr}` resource.
diff --git a/modules/cnf-topology-aware-lifecycle-manager-operator-update.adoc b/modules/cnf-topology-aware-lifecycle-manager-operator-update.adoc
index 9d12b206c77f..85b1b0929320 100644
--- a/modules/cnf-topology-aware-lifecycle-manager-operator-update.adoc
+++ b/modules/cnf-topology-aware-lifecycle-manager-operator-update.adoc
@@ -3,8 +3,8 @@
 // * scalability_and_performance/ztp_far_edge/ztp-talm-updating-managed-policies.adoc
 
 :_mod-docs-content-type: PROCEDURE
-[id="talo-operator-update_{context}"]
-= Performing an Operator update
+[id="talo-operator-update-{policy-gen-cr}_{context}"]
+= Performing an Operator update with {policy-gen-cr} CRs
 
 You can perform an Operator update with the {cgu-operator}.
 
@@ -19,40 +19,15 @@ You can perform an Operator update with the {cgu-operator}.
 
 .Procedure
 
-. Update the `PolicyGenTemplate` CR for the Operator update.
-.. Update the `du-upgrade` `PolicyGenTemplate` CR with the following additional contents in the `du-upgrade.yaml` file:
+. Update the `{policy-gen-cr}` CR for the Operator update.
+.. Update the `du-upgrade` `{policy-gen-cr}` CR with the following additional contents in the `du-upgrade.yaml` file:
 +
-[source,yaml,subs="attributes+"]
-----
-apiVersion: ran.openshift.io/v1
-kind: PolicyGenTemplate
-metadata:
-  name: "du-upgrade"
-  namespace: "ztp-group-du-sno"
-spec:
-  bindingRules:
-    group-du-sno: ""
-  mcp: "master"
-  remediationAction: inform
-  sourceFiles:
-    - fileName: DefaultCatsrc.yaml
-      remediationAction: inform
-      policyName: "operator-catsrc-policy"
-      metadata:
-        name: redhat-operators
-      spec:
-        displayName: Red Hat Operators Catalog
-        image: registry.example.com:5000/olm/redhat-operators:v{product-version} <1>
-        updateStrategy: <2>
-          registryPoll:
-            interval: 1h
-      status:
-        connectionState:
-            lastObservedState: READY <3>
-----
-<1> The index image URL contains the desired Operator images. If the index images are always pushed to the same image name and tag, this change is not needed.
-<2> Set how frequently the Operator Lifecycle Manager (OLM) polls the index image for new Operator versions with the `registryPoll.interval` field. This change is not needed if a new index image tag is always pushed for y-stream and z-stream Operator updates. The `registryPoll.interval` field can be set to a shorter interval to expedite the update, however shorter intervals increase computational load. To counteract this, you can restore `registryPoll.interval` to the default value once the update is complete.
-<3> Last observed state of the catalog connection. The `READY` value ensures that the `CatalogSource` policy is ready, indicating that the index pod is pulled and is running. This way, {cgu-operator} upgrades the Operators based on up-to-date policy compliance states.
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-cnf-topology-aware-lifecycle-manager-operator-update.adoc[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-cnf-topology-aware-lifecycle-manager-operator-update.adoc[]
+endif::[]
 
 .. This update generates one policy, `du-upgrade-operator-catsrc-policy`, to update the `redhat-operators` catalog source with the new index images that contain the desired Operators images.
 +
@@ -66,46 +41,21 @@ If you want to use the image pre-caching for Operators and there are Operators f
 +
 For example, the desired SRIOV-FEC Operator is available in the `certified-operators` catalog source. To update the catalog source and the Operator subscription, add the following contents to generate two policies, `du-upgrade-fec-catsrc-policy` and `du-upgrade-subscriptions-fec-policy`:
 +
-[source,yaml]
-----
-apiVersion: ran.openshift.io/v1
-kind: PolicyGenTemplate
-metadata:
-  name: "du-upgrade"
-  namespace: "ztp-group-du-sno"
-spec:
-  bindingRules:
-    group-du-sno: ""
-  mcp: "master"
-  remediationAction: inform
-  sourceFiles:
-       …
-    - fileName: DefaultCatsrc.yaml
-      remediationAction: inform
-      policyName: "fec-catsrc-policy"
-      metadata:
-        name: certified-operators
-      spec:
-        displayName: Intel SRIOV-FEC Operator
-        image: registry.example.com:5000/olm/far-edge-sriov-fec:v4.10
-        updateStrategy:
-          registryPoll:
-            interval: 10m
-    - fileName: AcceleratorsSubscription.yaml
-      policyName: "subscriptions-fec-policy"
-      spec:
-        channel: "stable"
-        source: certified-operators
-----
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-sriov-fec-cnf-topology-aware-lifecycle-manager-operator-update.adoc[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-sriov-fec-cnf-topology-aware-lifecycle-manager-operator-update.adoc[]
+endif::[]
 
-.. Remove the specified subscriptions channels in the common `PolicyGenTemplate` CR, if they exist. The default subscriptions channels from the {ztp} image are used for the update.
+.. Remove the specified subscriptions channels in the common `{policy-gen-cr}` CR, if they exist. The default subscriptions channels from the {ztp} image are used for the update.
 +
 [NOTE]
 ====
-The default channel for the Operators applied through {ztp} {product-version} is `stable`, except for the `performance-addon-operator`. As of {product-title} 4.11, the `performance-addon-operator` functionality was moved to the `node-tuning-operator`. For the 4.10 release, the default channel for PAO is `v4.10`. You can also specify the default channels in the common `PolicyGenTemplate` CR.
+The default channel for the Operators applied through {ztp} {product-version} is `stable`, except for the `performance-addon-operator`. As of {product-title} 4.11, the `performance-addon-operator` functionality was moved to the `node-tuning-operator`. For the 4.10 release, the default channel for PAO is `v4.10`. You can also specify the default channels in the common `{policy-gen-cr}` CR.
 ====
 
-.. Push the `PolicyGenTemplate` CRs updates to the {ztp} Git repository.
+.. Push the `{policy-gen-cr}` CRs updates to the {ztp} Git repository.
 +
 ArgoCD pulls the changes from the Git repository and generates the policies on the hub cluster.
 
@@ -152,7 +102,7 @@ $ oc get policies -A | grep -E "catsrc-policy"
 ----
 
 . Create the `ClusterGroupUpgrade` CR for the Operator update with the `spec.enable` field set to `false`.
-.. Save the content of the Operator update `ClusterGroupUpgrade` CR with the `du-upgrade-operator-catsrc-policy` policy and the subscription policies created from the common `PolicyGenTemplate` and the target clusters to the `cgu-operator-upgrade.yml` file, as shown in the following example:
+.. Save the content of the Operator update `ClusterGroupUpgrade` CR with the `du-upgrade-operator-catsrc-policy` policy and the subscription policies created from the common `{policy-gen-cr}` and the target clusters to the `cgu-operator-upgrade.yml` file, as shown in the following example:
 +
 [source,yaml]
 ----
diff --git a/modules/cnf-topology-aware-lifecycle-manager-pao-update.adoc b/modules/cnf-topology-aware-lifecycle-manager-pao-update.adoc
index 99542d1c4276..c02ad67f6ac7 100644
--- a/modules/cnf-topology-aware-lifecycle-manager-pao-update.adoc
+++ b/modules/cnf-topology-aware-lifecycle-manager-pao-update.adoc
@@ -3,8 +3,8 @@
 // * scalability_and_performance/ztp_far_edge/ztp-talm-updating-managed-policies.adoc
 
 :_mod-docs-content-type: PROCEDURE
-[id="talm-pao-update_{context}"]
-= Removing Performance Addon Operator subscriptions from deployed clusters
+[id="talm-pao-update-{policy-gen-cr}_{context}"]
+= Removing Performance Addon Operator subscriptions from deployed clusters with {policy-gen-cr} CRs
 
 In earlier versions of {product-title}, the Performance Addon Operator provided automatic, low latency performance tuning for applications. In {product-title} 4.11 or later, these functions are part of the Node Tuning Operator.
 
@@ -15,7 +15,7 @@ Do not install the Performance Addon Operator on clusters running {product-title
 You need to remove any policies that create Performance Addon Operator subscriptions to prevent a re-installation of the Operator.
 ====
 
-The reference DU profile includes the Performance Addon Operator in the `PolicyGenTemplate` CR `common-ranGen.yaml`. To remove the subscription from deployed managed clusters, you must update `common-ranGen.yaml`.
+The reference DU profile includes the Performance Addon Operator in the `{policy-gen-cr}` CR `{policy-prefix}common-ranGen.yaml`. To remove the subscription from deployed managed clusters, you must update `{policy-prefix}common-ranGen.yaml`.
 
 [NOTE]
 ====
@@ -32,19 +32,16 @@ If you install Performance Addon Operator 4.10.3-5 or later on {product-title} 4
 
 .Procedure
 
-. Change the `complianceType` to `mustnothave` for the Performance Addon Operator namespace, Operator group, and subscription in the `common-ranGen.yaml` file.
+. Change the `complianceType` to `mustnothave` for the Performance Addon Operator namespace, Operator group, and subscription in the `{policy-prefix}common-ranGen.yaml` file.
 +
 [source,yaml]
 ----
- -  fileName: PaoSubscriptionNS.yaml
-    policyName: "subscriptions-policy"
-    complianceType: mustnothave
- -  fileName: PaoSubscriptionOperGroup.yaml
-    policyName: "subscriptions-policy"
-    complianceType: mustnothave
- -  fileName: PaoSubscription.yaml
-    policyName: "subscriptions-policy"
-    complianceType: mustnothave
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-cnf-topology-aware-lifecycle-manager-pao-update.yaml[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-cnf-topology-aware-lifecycle-manager-pao-update.yaml[]
+endif::[]
 ----
 
 . Merge the changes with your custom site repository and wait for the ArgoCD application to synchronize the change to the hub cluster. The status of the `common-subscriptions-policy` policy changes to `Non-Compliant`.
@@ -58,6 +55,6 @@ If you install Performance Addon Operator 4.10.3-5 or later on {product-title} 4
 $ oc get policy -n ztp-common common-subscriptions-policy
 ----
 
-. Delete the Performance Addon Operator namespace, Operator group and subscription CRs from `.spec.sourceFiles` in the `common-ranGen.yaml` file.
+. Delete the Performance Addon Operator namespace, Operator group and subscription CRs from `{rangen-yaml-path}` in the `{policy-prefix}common-ranGen.yaml` file.
 
 . Merge the changes with your custom site repository and wait for the ArgoCD application to synchronize the change to the hub cluster. The policy remains compliant.
diff --git a/modules/cnf-topology-aware-lifecycle-manager-platform-update.adoc b/modules/cnf-topology-aware-lifecycle-manager-platform-update.adoc
index 5e1363a8cc6d..69d1fb80e0fe 100644
--- a/modules/cnf-topology-aware-lifecycle-manager-platform-update.adoc
+++ b/modules/cnf-topology-aware-lifecycle-manager-platform-update.adoc
@@ -3,8 +3,8 @@
 // * scalability_and_performance/ztp_far_edge/ztp-talm-updating-managed-policies.adoc
 
 :_mod-docs-content-type: PROCEDURE
-[id="talo-platform-update_{context}"]
-= Performing a platform update
+[id="talo-platform-update-{policy-gen-cr}_{context}"]
+= Performing a platform update with {policy-gen-cr} CRs
 
 You can perform a platform update with the {cgu-operator}.
 
@@ -19,66 +19,27 @@ You can perform a platform update with the {cgu-operator}.
 
 .Procedure
 
-. Create a `PolicyGenTemplate` CR for the platform update:
-.. Save the following contents of the `PolicyGenTemplate` CR in the `du-upgrade.yaml` file.
-+
-.Example of `PolicyGenTemplate` for platform update
-+
-[source,yaml,subs="attributes+"]
-----
-apiVersion: ran.openshift.io/v1
-kind: PolicyGenTemplate
-metadata:
-  name: "du-upgrade"
-  namespace: "ztp-group-du-sno"
-spec:
-  bindingRules:
-    group-du-sno: ""
-  mcp: "master"
-  remediationAction: inform
-  sourceFiles:
-    - fileName: ImageSignature.yaml <1>
-      policyName: "platform-upgrade-prep"
-      binaryData:
-        ${DIGEST_ALGO}-${DIGEST_ENCODED}: ${SIGNATURE_BASE64} <2>
-    - fileName: DisconnectedICSP.yaml
-      policyName: "platform-upgrade-prep"
-      metadata:
-        name: disconnected-internal-icsp-for-ocp
-      spec:
-        repositoryDigestMirrors: <3>
-          - mirrors:
-            - quay-intern.example.com/ocp4/openshift-release-dev
-            source: quay.io/openshift-release-dev/ocp-release
-          - mirrors:
-            - quay-intern.example.com/ocp4/openshift-release-dev
-            source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
-    - fileName: ClusterVersion.yaml <4>
-      policyName: "platform-upgrade"
-      metadata:
-        name: version
-      spec:
-        channel: "stable-{product-version}"
-        upstream: http://upgrade.example.com/images/upgrade-graph_stable-{product-version}
-        desiredUpdate:
-          version: {product-version}.4
-      status:
-        history:
-          - version: {product-version}.4
-            state: "Completed"
-----
-<1> The `ConfigMap` CR contains the signature of the desired release image to update to.
-<2> Shows the image signature of the desired {product-title} release. Get the signature from the `checksum-${OCP_RELEASE_NUMBER}.yaml` file you saved when following the procedures in the "Setting up the environment" section.
-<3> Shows the mirror repository that contains the desired {product-title} image. Get the mirrors from the `imageContentSources.yaml` file that you saved when following the procedures in the "Setting up the environment" section.
-<4> Shows the `ClusterVersion` CR to trigger the update. The `channel`, `upstream`, and `desiredVersion` fields are all required for image pre-caching.
+. Create a `{policy-gen-cr}` CR for the platform update:
+
+.. Save the following `{policy-gen-cr}` CR in the `du-upgrade.yaml` file:
 +
-The `PolicyGenTemplate` CR generates two policies:
+--
+.Example of `{policy-gen-cr}` for platform update
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-cnf-topology-aware-lifecycle-manager-platform-update.adoc[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-cnf-topology-aware-lifecycle-manager-platform-update.adoc[]
+endif::[]
+
+The `{policy-gen-cr}` CR generates two policies:
 
 * The `du-upgrade-platform-upgrade-prep` policy does the preparation work for the platform update. It creates the `ConfigMap` CR for the desired release image signature, creates the image content source of the mirrored release image repository, and updates the cluster version with the desired update channel and the update graph reachable by the managed cluster in the disconnected environment.
 
 * The `du-upgrade-platform-upgrade` policy is used to perform platform upgrade.
+--
 
-.. Add the `du-upgrade.yaml` file contents to the `kustomization.yaml` file located in the {ztp} Git repository for the `PolicyGenTemplate` CRs and push the changes to the Git repository.
+.. Add the `du-upgrade.yaml` file contents to the `kustomization.yaml` file located in the {ztp} Git repository for the `{policy-gen-cr}` CRs and push the changes to the Git repository.
 +
 ArgoCD pulls the changes from the Git repository and generates the policies on the hub cluster.
 
diff --git a/modules/cnf-topology-aware-lifecycle-manager-preparing-for-updates.adoc b/modules/cnf-topology-aware-lifecycle-manager-preparing-for-updates.adoc
index 0218ab047d88..aeff0af2703c 100644
--- a/modules/cnf-topology-aware-lifecycle-manager-preparing-for-updates.adoc
+++ b/modules/cnf-topology-aware-lifecycle-manager-preparing-for-updates.adoc
@@ -3,13 +3,8 @@
 // * scalability_and_performance/ztp_far_edge/ztp-talm-updating-managed-policies.adoc
 
 :_mod-docs-content-type: PROCEDURE
-[id="talo-platform-prepare-end-to-end_{context}"]
-= Updating clusters in a disconnected environment
-
-You can upgrade managed clusters and Operators for managed clusters that you have deployed using {ztp-first} and {cgu-operator-first}.
-
 [id="talo-platform-prepare-for-update-env-setup_{context}"]
-== Setting up the environment
+= Setting up the disconnected environment
 
 {cgu-operator} can perform both platform and Operator updates.
 
@@ -31,7 +26,7 @@ imageContentSources:
    source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
 ----
 
-. Save the image signature of the desired platform image that was mirrored. You must add the image signature to the `PolicyGenTemplate` CR for platform updates. To get the image signature, perform the following steps:
+. Save the image signature of the desired platform image that was mirrored. You must add the image signature to the `{policy-gen-cr}` CR for platform updates. To get the image signature, perform the following steps:
 
 .. Specify the desired {product-title} tag by running the following command:
 +
diff --git a/modules/cnf-topology-aware-lifecycle-manager-troubleshooting.adoc b/modules/cnf-topology-aware-lifecycle-manager-troubleshooting.adoc
index 6b92cba9f0af..4a4d8d5848fb 100644
--- a/modules/cnf-topology-aware-lifecycle-manager-troubleshooting.adoc
+++ b/modules/cnf-topology-aware-lifecycle-manager-troubleshooting.adoc
@@ -425,7 +425,7 @@ Resolution:: Create and apply a new `ClusterGroupUpdate` CR with the same specif
 
 Issue:: If there are no policies for the managed cluster when the cluster becomes `Ready`, a `ClusterGroupUpgrade` CR with no policies is auto-created.
 Upon completion of the `ClusterGroupUpgrade` CR, the managed cluster is labeled as `ztp-done`.
-If the `PolicyGenTemplate` CRs were not pushed to the Git repository within the required time after `SiteConfig` resources were pushed, this might result in no policies being available for the target cluster when the cluster became `Ready`.
+If the `PolicyGenerator` or `PolicyGenTemplate` CRs were not pushed to the Git repository within the required time after `SiteConfig` resources were pushed, this might result in no policies being available for the target cluster when the cluster became `Ready`.
 
 Resolution:: Verify that the policies you want to apply are available on the hub cluster, then create a `ClusterGroupUpgrade` CR with the required policies.
 
diff --git a/modules/compliance-operator-hcp-install.adoc b/modules/compliance-operator-hcp-install.adoc
index d45b440248a0..a04177485ef5 100644
--- a/modules/compliance-operator-hcp-install.adoc
+++ b/modules/compliance-operator-hcp-install.adoc
@@ -4,7 +4,7 @@
 
 :_mod-docs-content-type: PROCEDURE
 [id="installing-compliance-operator-hcp_{context}"]
-= Installing the Compliance Operator on {hcp}
+= Installing the Compliance Operator on Hypershift {hcp}
 
 The Compliance Operator can be installed in {hcp} using the OperatorHub by creating a `Subscription` file.
 
diff --git a/modules/compliance-operator-rosa-installation.adoc b/modules/compliance-operator-rosa-installation.adoc
new file mode 100644
index 000000000000..f4c289cc6251
--- /dev/null
+++ b/modules/compliance-operator-rosa-installation.adoc
@@ -0,0 +1,106 @@
+// Module included in the following assemblies:
+//
+// * security/compliance_operator/co-management/compliance-operator-installation.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="installing-compliance-operator-rosa_{context}"]
+= Installing the Compliance Operator on ROSA hosted control planes (HCP)
+
+As of the Compliance Operator 1.5.0 release, the Operator is tested against {product-rosa} using {hcp-capital}.
+
+{product-rosa} {hcp-capital} clusters have restricted access to the control plane, which is managed by Red{nbsp}Hat. By default, the Compliance Operator will schedule to nodes within the `master` node pool, which is not available in {product-rosa} {hcp-capital} installations. This requires you to configure the `Subscription` object in a way that allows the Operator to schedule on available node pools. This step is necessary for a successful installation on {product-rosa} {hcp-capital} clusters.
+
+.Prerequisites
+
+* You must have `admin` privileges.
+
+.Procedure
+
+. Define a `Namespace` object:
++
+.Example `namespace-object.yaml` file
+[source,yaml]
+----
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    openshift.io/cluster-monitoring: "true"
+    pod-security.kubernetes.io/enforce: privileged <1>
+  name: openshift-compliance
+----
+<1> In {product-title} {product-version}, the pod security label must be set to `privileged` at the namespace level.
+
+. Create the `Namespace` object by running the following command:
++
+[source,terminal]
+----
+$ oc create -f namespace-object.yaml
+----
+
+. Define an `OperatorGroup` object:
++
+.Example `operator-group-object.yaml` file
+[source,yaml]
+----
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: compliance-operator
+  namespace: openshift-compliance
+spec:
+  targetNamespaces:
+  - openshift-compliance
+----
+
+. Create the `OperatorGroup` object by running the following command:
++
+[source,terminal]
+----
+$ oc create -f operator-group-object.yaml
+----
+
+. Define a `Subscription` object:
++
+.Example `subscription-object.yaml` file
+[source,yaml]
+----
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: compliance-operator-sub
+  namespace: openshift-compliance
+spec:
+  channel: "stable"
+  installPlanApproval: Automatic
+  name: compliance-operator
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace
+  config:
+    nodeSelector:
+      node-role.kubernetes.io/worker: "" <1>
+----
+<1> Update the Operator deployment to deploy on `worker` nodes.
+
+. Create the `Subscription` object by running the following command:
++
+[source,terminal]
+----
+$ oc create -f subscription-object.yaml
+----
+
+.Verification
+
+. Verify that the installation succeeded by running the following command to inspect the cluster service version (CSV) file:
++
+[source,terminal]
+----
+$ oc get csv -n openshift-compliance
+----
+
+. Verify that the Compliance Operator is up and running by using the following command:
++
+[source,terminal]
+----
+$ oc get deploy -n openshift-compliance
+----
diff --git a/modules/compliance-supported-profiles.adoc b/modules/compliance-supported-profiles.adoc
index 2deb6578b5b3..dcb1a1a98d44 100644
--- a/modules/compliance-supported-profiles.adoc
+++ b/modules/compliance-supported-profiles.adoc
@@ -9,7 +9,7 @@
 The Compliance Operator provides the following compliance profiles:
 
 .Supported compliance profiles
-[cols="10%,40%,10%,10%,40%,10%", options="header"]
+[cols="10%,40%,10%,10%,40%,10%,40%", options="header"]
 
 |===
 |Profile
@@ -18,6 +18,7 @@ The Compliance Operator provides the following compliance profiles:
 |Compliance Operator version
 |Industry compliance benchmark
 |Supported architectures
+|Supported platforms
 
 |rhcos4-stig
 |Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift
@@ -25,6 +26,7 @@ The Compliance Operator provides the following compliance profiles:
 |1.3.0+
 |link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] ^[1]^
 |`x86_64`
+|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+
 
 |ocp4-stig-node
 |Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift
@@ -32,6 +34,7 @@ The Compliance Operator provides the following compliance profiles:
 |1.3.0+
 |link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] ^[1]^
 |`x86_64`
+|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+
 
 |ocp4-stig
 |Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Openshift
@@ -39,6 +42,7 @@ The Compliance Operator provides the following compliance profiles:
 |1.3.0+
 |link:https://public.cyber.mil/stigs/downloads/[DISA-STIG] ^[1]^
 |`x86_64`
+|
 
 |ocp4-cis-1-4
 |CIS Red Hat OpenShift Container Platform 4 Benchmark v1.4.0
@@ -48,6 +52,7 @@ The Compliance Operator provides the following compliance profiles:
 |`x86_64`
  `ppc64le`
  `s390x`
+|
 
 |ocp4-cis-node-1-4
 |CIS Red Hat OpenShift Container Platform 4 Benchmark v1.4.0
@@ -57,6 +62,7 @@ The Compliance Operator provides the following compliance profiles:
 |`x86_64`
  `ppc64le`
  `s390x`
+|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+
 
 |ocp4-cis
 |CIS Red Hat OpenShift Container Platform 4 Benchmark v1.5.0
@@ -66,6 +72,7 @@ The Compliance Operator provides the following compliance profiles:
 |`x86_64`
  `ppc64le`
  `s390x`
+|
 
 |ocp4-cis-node
 |CIS Red Hat OpenShift Container Platform 4 Benchmark v1.5.0
@@ -75,6 +82,7 @@ The Compliance Operator provides the following compliance profiles:
 |`x86_64`
  `ppc64le`
  `s390x`
+|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+
 
 |ocp4-e8
 |Australian Cyber Security Centre (ACSC) Essential Eight
@@ -82,6 +90,7 @@ The Compliance Operator provides the following compliance profiles:
 |0.1.39+
 |link:https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers[ACSC Hardening Linux Workstations and Servers]
 |`x86_64`
+|
 
 |ocp4-moderate
 |NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform level
@@ -91,6 +100,7 @@ The Compliance Operator provides the following compliance profiles:
 |`x86_64`
  `ppc64le`
  `s390x`
+|
 
 |rhcos4-e8
 |Australian Cyber Security Centre (ACSC) Essential Eight
@@ -98,6 +108,7 @@ The Compliance Operator provides the following compliance profiles:
 |0.1.39+
 |link:https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers[ACSC Hardening Linux Workstations and Servers]
 |`x86_64`
+|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+
 
 |rhcos4-moderate
 |NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS
@@ -105,6 +116,7 @@ The Compliance Operator provides the following compliance profiles:
 |0.1.39+
 |link:https://nvd.nist.gov/800-53/Rev4/impact/moderate[NIST SP-800-53 Release Search]
 |`x86_64`
+|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+
 
 |ocp4-moderate-node
 |NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level
@@ -114,6 +126,7 @@ The Compliance Operator provides the following compliance profiles:
 |`x86_64`
  `ppc64le`
  `s390x`
+|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+
 
 |ocp4-nerc-cip
 |North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the Red Hat OpenShift Container Platform - Platform level
@@ -121,6 +134,7 @@ The Compliance Operator provides the following compliance profiles:
 |0.1.44+
 |link:https://www.nerc.com/pa/Stand/Pages/USRelStand.aspx[NERC CIP Standards]
 |`x86_64`
+|
 
 |ocp4-nerc-cip-node
 |North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the Red Hat OpenShift Container Platform - Node level
@@ -128,6 +142,7 @@ The Compliance Operator provides the following compliance profiles:
 |0.1.44+
 |link:https://www.nerc.com/pa/Stand/Pages/USRelStand.aspx[NERC CIP Standards]
 |`x86_64`
+|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+
 
 |rhcos4-nerc-cip
 |North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for Red Hat Enterprise Linux CoreOS
@@ -135,6 +150,7 @@ The Compliance Operator provides the following compliance profiles:
 |0.1.44+
 |link:https://www.nerc.com/pa/Stand/Pages/USRelStand.aspx[NERC CIP Standards]
 |`x86_64`
+|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+
 
 |ocp4-pci-dss
 |PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4
@@ -143,6 +159,8 @@ The Compliance Operator provides the following compliance profiles:
 |link:https://www.pcisecuritystandards.org/document_library?document=pci_dss[PCI Security Standards &#174; Council Document Library]
 |`x86_64`
  `ppc64le`
+ `s390x`
+|
 
 |ocp4-pci-dss-node
 |PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4
@@ -151,6 +169,8 @@ The Compliance Operator provides the following compliance profiles:
 |link:https://www.pcisecuritystandards.org/document_library?document=pci_dss[PCI Security Standards &#174; Council Document Library]
 |`x86_64`
  `ppc64le`
+ `s390x`
+|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+
 
 |ocp4-high
 |NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level
@@ -158,6 +178,7 @@ The Compliance Operator provides the following compliance profiles:
 |0.1.52+
 |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53[NIST SP-800-53 Release Search]
 |`x86_64`
+|
 
 |ocp4-high-node
 |NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level
@@ -165,6 +186,7 @@ The Compliance Operator provides the following compliance profiles:
 |0.1.52+
 |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53[NIST SP-800-53 Release Search]
 |`x86_64`
+|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+
 
 |rhcos4-high
 |NIST 800-53 High-Impact Baseline for Red Hat Enterprise Linux CoreOS
@@ -172,6 +194,7 @@ The Compliance Operator provides the following compliance profiles:
 |0.1.52+
 |link:https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53[NIST SP-800-53 Release Search]
 |`x86_64`
+|Red Hat OpenShift Service on AWS with hosted control planes (ROSA HCP) - requires 1.5.0+
 |===
 [.small]
 1. To locate the CIS {product-title} v4 Benchmark, go to  link:https://www.cisecurity.org/benchmark/kubernetes[CIS Benchmarks] and click *Download Latest CIS Benchmark*, where you can then register to download the benchmark.
@@ -214,4 +237,4 @@ For example, the NIST High-Impact and Moderate-Impact profiles extend the CIS pr
 
 |ocp4-nerc-cip-node
 |ocp4-moderate-node
-|===
\ No newline at end of file
+|===
diff --git a/modules/con_bmo-bare-metal-operator-architecture.adoc b/modules/con_bmo-bare-metal-operator-architecture.adoc
index eea8e45d9bc9..6d3f772a144f 100644
--- a/modules/con_bmo-bare-metal-operator-architecture.adoc
+++ b/modules/con_bmo-bare-metal-operator-architecture.adoc
@@ -5,9 +5,9 @@
 [id="bmo-bare-metal-operator-architecture_{context}"]
 = Bare Metal Operator architecture
 
-The Bare Metal Operator (BMO) uses three resources to provision, manage, and inspect bare-metal hosts in your cluster. The following diagram illustrates the architecture of these resources:
+The Bare Metal Operator (BMO) uses the following resources to provision, manage, and inspect bare-metal hosts in your cluster. The following diagram illustrates the architecture of these resources:
 
-image::302_OpenShift_Bare_Metal_Operator_0223.png[BMO architecture overview]
+image::715_OpenShift_Bare_Metal_Operator_updates_0624.png[BMO architecture overview]
 
 .BareMetalHost
 
@@ -42,7 +42,11 @@ Firmware settings vary among hardware vendors and host models. A `FirmwareSchema
 
 A `FirmwareSchema` resource can apply to many `BareMetalHost` resources if the schema is the same.
 
+.HostFirmwareComponents
+
+Metal^3^ provides the `HostFirmwareComponents` resource, which describes BIOS and baseboard management controller (BMC) firmware versions. You can upgrade or downgrade the host's firmware to a specific version by editing the `spec` field of the `HostFirmwareComponents` resource. This is useful when deploying with validated patterns that have been tested against specific firmware versions.
+
 [role="_additional-resources"]
 .Additional resources
-* link:https://metal3.io/[Metal³ API service for provisioning bare-metal hosts]
+* link:https://metal3.io/[Metal^3^ API service for provisioning bare-metal hosts]
 * link:https://ironicbaremetal.org/[Ironic API service for managing bare-metal infrastructure]
diff --git a/modules/config-htpasswd-idp.adoc b/modules/config-htpasswd-idp.adoc
index 531b2d551efb..bc67721ee69d 100644
--- a/modules/config-htpasswd-idp.adoc
+++ b/modules/config-htpasswd-idp.adoc
@@ -52,7 +52,7 @@ The credentials defined in this step are not visible after you select *Add* in t
 ifdef::osd-distro[]
 .. Select a *Group.*
 ** If you are installing {product-title} using the Customer Cloud Subscription (CCS) infrastructure type, choose either the `dedicated-admins` or `cluster-admins` group. Users in the `dedicated-admins` group have standard administrative privileges for {product-title}. Users in the `cluster-admins` group have full administrative access to the cluster.
-** If you are installing {product-title} using the Red Hat cloud account infrastructure type, the `dedicated-admins` group is automatically selected.
+** If you are installing {product-title} using the Red{nbsp}Hat cloud account infrastructure type, the `dedicated-admins` group is automatically selected.
 endif::osd-distro[]
 ifdef::rosa-distro[]
 .. Select a *Group*. Users in the `dedicated-admins` group have standard administrative privileges for {product-title}. Users in the `cluster-admins` group have full administrative access to the cluster.
diff --git a/modules/config-openid-idp.adoc b/modules/config-openid-idp.adoc
index a2a9ecfa3a4e..6f4f43ec866d 100644
--- a/modules/config-openid-idp.adoc
+++ b/modules/config-openid-idp.adoc
@@ -53,7 +53,7 @@ link:http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims[OpenID
 for more information.
 
 .Prerequisites
-* Before you configure OpenID Connect, check the installation prerequisites for any Red Hat product or service you want to use with your {product-title} cluster.
+* Before you configure OpenID Connect, check the installation prerequisites for any Red{nbsp}Hat product or service you want to use with your {product-title} cluster.
 
 .Procedure
 
diff --git a/modules/configuring-firewall.adoc b/modules/configuring-firewall.adoc
index 458db31cdba5..2562bd50fc8d 100644
--- a/modules/configuring-firewall.adoc
+++ b/modules/configuring-firewall.adoc
@@ -62,6 +62,18 @@ If your environment has a dedicated load balancer in front of your {product-titl
 |443
 |Provides core container images
 
+|`cdn04.quay.io`
+|443
+|Provides core container images
+
+|`cdn05.quay.io`
+|443
+|Provides core container images
+
+|`cdn06.quay.io`
+|443
+|Provides core container images
+
 |`sso.redhat.com`
 |443
 |The `https://console.redhat.com` site uses authentication from `sso.redhat.com`
@@ -177,15 +189,15 @@ Alternatively, if you choose to not use a wildcard for AWS APIs, you must includ
 |443
 |Used to install and manage clusters in an AWS environment.
 
-|`s3.amazonaws.com`
+|`*.s3.amazonaws.com`
 |443
 |Used to install and manage clusters in an AWS environment.
 
-|`s3.<aws_region>.amazonaws.com`
+|`*.s3.<aws_region>.amazonaws.com`
 |443
 |Used to install and manage clusters in an AWS environment.
 
-|`s3.dualstack.<aws_region>.amazonaws.com`
+|`*.s3.dualstack.<aws_region>.amazonaws.com`
 |443
 |Used to install and manage clusters in an AWS environment.
 
diff --git a/modules/configuring-haproxy-interval.adoc b/modules/configuring-haproxy-interval.adoc
index 34f73a83c65d..f9a08f0b4821 100644
--- a/modules/configuring-haproxy-interval.adoc
+++ b/modules/configuring-haproxy-interval.adoc
@@ -14,7 +14,7 @@ The default minimum HAProxy reload interval is five seconds. You can configure a
 
 [WARNING]
 ====
-Setting a large value for the minimum HAProxy reload interval can cause latency in observing updates to routes and their endpoints. To lessen the risk, avoid setting a value larger than the tolerable latency for updates.
+Setting a large value for the minimum HAProxy reload interval can cause latency in observing updates to routes and their endpoints. To lessen the risk, avoid setting a value larger than the tolerable latency for updates. The maximum value for HAProxy reload interval is 120 seconds.
 ====
 
 .Procedure
diff --git a/modules/configuring-node-pools-for-hcp.adoc b/modules/configuring-node-pools-for-hcp.adoc
index 9f89bfc38b8b..0b3270a5eeeb 100644
--- a/modules/configuring-node-pools-for-hcp.adoc
+++ b/modules/configuring-node-pools-for-hcp.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * updates/updating_a_cluster/updating-hosted-control-planes.adoc
+// * hosted_control_planes/hcp-machine-config.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="configuring-node-pools-for-hcp_{context}"]
diff --git a/modules/control-plane-latency.adoc b/modules/control-plane-latency.adoc
new file mode 100644
index 000000000000..f08e5a166f71
--- /dev/null
+++ b/modules/control-plane-latency.adoc
@@ -0,0 +1,20 @@
+// Module included in the following assemblies:
+//
+// * scalability_and_performance/control-plane-latency-recommendations-for-reliable-clusters.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="control-plane-latency_{context}"]
+= Recommended Control Plane latency for reliable clusters
+
+Latency between each of the control plane nodes must be less than 15ms to ensure a well performing and reliable cluster. Some of the metrics to keep track of include etcd gRPC requests latency, fysnc latency and any critical alerts. Here are the PromQL queries:
+
++
+[source,terminal]
+----
+histogram_quantile(0.99, sum(rate(grpc_server_handling_seconds_bucket{job=~".*etcd.*", grpc_method!="Defragment", grpc_type="unary"}[5m])) without(grpc_type)) < 0.15
+
+avg_over_time(histogram_quantile(0.99, rate(etcd_disk_wal_fsync_duration_seconds_bucket[2m]))[10m:]) < 1
+
+ALERTS{severity="critical", alertstate="firing"} > 0
+
+----
diff --git a/modules/core-user-password.adoc b/modules/core-user-password.adoc
index 08bd58ff59fb..34346d250ad6 100644
--- a/modules/core-user-password.adoc
+++ b/modules/core-user-password.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * post_installation_configuration/machine-configuration-tasks.adoc
+// * machine_configuration/machine-configs-configure.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="core-user-password_{context}"]
diff --git a/modules/coreos-layering-configuring-on.adoc b/modules/coreos-layering-configuring-on.adoc
new file mode 100644
index 000000000000..47c11b0b7d77
--- /dev/null
+++ b/modules/coreos-layering-configuring-on.adoc
@@ -0,0 +1,232 @@
+// Module included in the following assemblies:
+//
+// * machine_configuration/coreos-layering.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="coreos-layering-configuring-on_{context}"]
+= Using on-cluster layering to apply a custom layered image
+
+To apply a custom layered image to your cluster by using the on-cluster build process, make a `MachineOSConfig` custom resource that includes a Containerfile, a machine config pool reference, repository push and pull secrets, and other parameters as described in the prerequisites. 
+
+When you create the object, the Machine Config Operator (MCO) creates a `MachineOSBuild` object and a `machine-os-builder` pod. The build process also creates transient objects, such as config maps, which are cleaned up after the build is complete. 
+
+When the build is complete, the MCO pushes the new custom layered image to your repository for use when deploying new nodes. You can see the digested image pull spec for the new custom layered image in the `MachineOSBuild` object and `machine-os-builder` pod.
+
+You should not need to interact with these new objects or the `machine-os-builder` pod. However, you can use all of these resources for troubleshooting, if necessary.
+
+You need a separate `MachineOSConfig` CR for each machine config pool where you want to use a custom layered image.
+
+:FeatureName: On-cluster image layering
+include::snippets/technology-preview.adoc[]
+
+.Prerequisites
+
+* You have enabled the `TechPreviewNoUpgrade` feature set by using the feature gates. For more information, see "Enabling features using feature gates".
+
+* You have the pull secret in the `openshift-machine-config-operator` namespace that the MCO needs to pull the base operating system image.
+
+* You have the push secret that the MCO needs to push the new custom layered image to your registry.
+
+* You have a pull secret that your nodes need to pull the new custom layered image from your registry. This should be a different secret than the one used to push the image to the repository.
+
+* You are familiar with how to configure a Containerfile. Instructions on how to create a Containerfile are beyond the scope of this documentation.
+
+* Optional: You have a separate machine config pool for the nodes where you want to apply the custom layered image.
+
+.Procedure
+
+. Create a `machineOSconfig` object:
+
+.. Create a YAML file similar to the following:
++
+[source,terminal]
+----
+apiVersion: machineconfiguration.openshift.io/v1alpha1
+kind: MachineOSConfig
+metadata:
+  name: layered
+spec:
+  machineConfigPool:
+    name: <mcp_name> <1>
+  buildInputs:
+    containerFile: # <2>
+    - containerfileArch: noarch
+      content: |-
+        FROM configs AS final
+        RUN rpm-ostree install cowsay && \
+          ostree container commit
+    imageBuilder: # <3>
+      imageBuilderType: PodImageBuilder
+    baseImagePullSecret: # <4>
+      name: global-pull-secret-copy
+    renderedImagePushspec: image-registry.openshift-image-registry.svc:5000/openshift/os-image:latest  # <5>
+    renderedImagePushSecret: # <6>
+      name: builder-dockercfg-7lzwl
+  buildOutputs: # <7>
+    currentImagePullSecret:
+      name: builder-dockercfg-7lzwl
+----
+<1> Specifies the name of the machine config pool associated with the nodes where you want to deploy the custom layered image.
+<2> Specifies the Containerfile to configure the custom layered image.
+<3> Specifies the name of the image builder to use. This must be `PodImageBuilder`.
+<4> Specifies the name of the pull secret that the MCO needs to pull the base operating system image from the registry.
+<5> Specifies the image registry to push the newly-built custom layered image to. This can be any registry that your cluster has access to. This example uses the internal {product-title} registry.
+<6> Specifies the name of the push secret that the MCO needs to push the newly-built custom layered image to that registry.
+<7> Specifies the secret required by the image registry that the nodes need to pull the newly-built custom layered image. This should be a different secret than the one used to push the image to your repository.
+
+.. Create the `MachineOSConfig` object:
++
+[source,terminal]
+----
+$ oc create -f <file_name>.yaml
+----
+
+. If necessary, when the `MachineOSBuild` object has been created and is in the `READY` state, modify the node spec for the nodes where you want to use the new custom layered image:
++
+.. Check that the `MachineOSBuild` object is `READY`. When the `SUCCEEDED` value is `True`, the build is complete.
++
+[source,terminal]
+----
+$ oc get machineosbuild
+----
++
+.Example output showing that the `MachineOSBuild` object is ready
+[source,terminal]
+----
+NAME                                                                PREPARED   BUILDING   SUCCEEDED   INTERRUPTED   FAILED
+layered-rendered-layered-ad5a3cad36303c363cf458ab0524e7c0-builder   False      False      True        False         False
+----
+
+.. Edit the nodes where you want to deploy the custom layered image by adding a label for the machine config pool you specified in the `MachineOSConfig` object:
++
+[source,terminal]
+----
+$ oc label node <node_name> 'node-role.kubernetes.io/<mcp_name>='
+----
++
+--
+where:
+
+node-role.kubernetes.io/<mcp_name>=:: Specifies a node selector that identifies the nodes to deploy the custom layered image. 
+--
++
+When you save the changes, the MCO drains, cordons, and reboots the nodes. After the reboot, the node will be using the new custom layered image.
+
+.Verification
+
+. Verify that the new pods are running by using the following command:
++
+[source,terminal]
+----
+$ oc get pods -n <machineosbuilds_namespace>
+----
++
+[source,terminal]
+----
+NAME                                                              READY   STATUS    RESTARTS   AGE
+build-rendered-layered-ad5a3cad36303c363cf458ab0524e7c0           2/2     Running   0          2m40s # <1>
+# ...
+machine-os-builder-6fb66cfb99-zcpvq                               1/1     Running   0          2m42s # <2>
+----
+<1> This is the build pod where the custom layered image is building.
+<2> This pod can be used for troubleshooting.
+
+. Verify that the `MachineOSConfig` object contains a reference to the new custom layered image:
++
+[source,terminal]
+----
+$ oc describe MachineOSConfig <object_name>
+----
++
+[source,yaml]
+----
+apiVersion: machineconfiguration.openshift.io/v1alpha1
+kind: MachineOSConfig
+metadata:
+  name: layered
+spec:
+  buildInputs:
+    baseImagePullSecret:
+      name: global-pull-secret-copy
+    containerFile:
+    - containerfileArch: noarch
+      content: ""
+    imageBuilder:
+      imageBuilderType: PodImageBuilder
+    renderedImagePushSecret:
+      name: builder-dockercfg-ng82t-canonical
+    renderedImagePushspec: image-registry.openshift-image-registry.svc:5000/openshift-machine-config-operator/os-image:latest
+  buildOutputs:
+    currentImagePullSecret:
+      name: global-pull-secret-copy
+  machineConfigPool:
+    name: layered
+status:
+  currentImagePullspec: image-registry.openshift-image-registry.svc:5000/openshift-machine-config-operator/os-image@sha256:f636fa5b504e92e6faa22ecd71a60b089dab72200f3d130c68dfec07148d11cd # <1>
+----
+<1> Digested image pull spec for the new custom layered image.
+
+. Verify that the `MachineOSBuild` object contains a reference to the new custom layered image.
++
+[source,terminal]
+----
+$ oc describe machineosbuild <object_name>
+----
++
+[source,yaml]
+----
+apiVersion: machineconfiguration.openshift.io/v1alpha1
+kind: MachineOSBuild
+metadata:
+  name: layered-rendered-layered-ad5a3cad36303c363cf458ab0524e7c0-builder
+spec:
+  desiredConfig:
+    name: rendered-layered-ad5a3cad36303c363cf458ab0524e7c0
+  machineOSConfig:
+    name: layered
+  renderedImagePushspec: image-registry.openshift-image-registry.svc:5000/openshift-machine-config-operator/os-image:latest
+# ...
+status:
+  conditions:
+    - lastTransitionTime: "2024-05-21T20:25:06Z"
+      message: Build Ready
+      reason: Ready
+      status: "True"
+      type: Succeeded
+  finalImagePullspec: image-registry.openshift-image-registry.svc:5000/openshift-machine-config-operator/os-image@sha256:f636fa5b504e92e6faa22ecd71a60b089dab72200f3d130c68dfec07148d11cd # <1>
+----
+<1> Digested image pull spec for the new custom layered image.
+
+. Verify that the appropriate nodes are using the new custom layered image:
+
+.. Start a debug session as root for a control plane node:
++
+[source,terminal]
+----
+$ oc debug node/<node_name>
+----
+
+.. Set `/host` as the root directory within the debug shell:
++
+[source,terminal]
+----
+sh-4.4# chroot /host
+----
+
+.. Run the `rpm-ostree status` command to view that the custom layered image is in use:
++
+[source,terminal]
+----
+sh-5.1# rpm-ostree status
+----
++
+.Example output
+[source,terminal]
+----
+# ...
+Deployments:
+* ostree-unverified-registry:quay.io/openshift-release-dev/os-image@sha256:f636fa5b504e92e6faa22ecd71a60b089dab72200f3d130c68dfec07148d11cd # <1>
+                   Digest: sha256:bcea2546295b2a55e0a9bf6dd4789433a9867e378661093b6fdee0031ed1e8a4
+                  Version: 416.94.202405141654-0 (2024-05-14T16:58:43Z)
+----
+<1> Digested image pull spec for the new custom layered image.
diff --git a/modules/coreos-layering-configuring.adoc b/modules/coreos-layering-configuring.adoc
index f9f31a8f2fe8..36014767c966 100644
--- a/modules/coreos-layering-configuring.adoc
+++ b/modules/coreos-layering-configuring.adoc
@@ -1,10 +1,10 @@
 // Module included in the following assemblies:
 //
-// * post-installation_configuration/coreos-layering.adoc
+// * machine_configuration/coreos-layering.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="coreos-layering-configuring_{context}"]
-= Applying a {op-system} custom layered image
+= Using out-of-cluster layering to apply a custom layered image
 
 You can easily configure {op-system-first} image layering on the nodes in specific machine config pools. The Machine Config Operator (MCO) reboots those nodes with the new custom layered image, overriding the base {op-system-first} image.
 
@@ -32,14 +32,12 @@ For example, the following Containerfile creates a custom layered image from an
 # Using a {product-version}.0 image
 FROM quay.io/openshift-release/ocp-release@sha256... <1>
 #Install hotfix rpm
-RUN rpm-ostree cliwrap install-to-root / && \ <2>
-    rpm-ostree override replace http://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/Packages/kernel-{,core-,modules-,modules-core-,modules-extra-}5.14.0-295.el9.x86_64.rpm && \ <3>
+RUN rpm-ostree override replace http://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/Packages/kernel-{,core-,modules-,modules-core-,modules-extra-}5.14.0-295.el9.x86_64.rpm && \ <2>
     rpm-ostree cleanup -m && \
     ostree container commit
 ----
 <1> Specifies the {op-system} base image of your cluster.
-<2> Enables `cliwrap`. This is currently required to intercept some command invocations made from kernel scripts.
-<3> Replaces the kernel packages.
+<2> Replaces the kernel packages.
 +
 [NOTE]
 ====
diff --git a/modules/coreos-layering-removing.adoc b/modules/coreos-layering-removing.adoc
index b22ba836af73..09cca56577f8 100644
--- a/modules/coreos-layering-removing.adoc
+++ b/modules/coreos-layering-removing.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * post-installation_configuration/coreos-layering.adoc
+// * machine_configuration/coreos-layering.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="coreos-layering-removing_{context}"]
diff --git a/modules/coreos-layering-updating.adoc b/modules/coreos-layering-updating.adoc
index f76e9c98a97f..739352ab5848 100644
--- a/modules/coreos-layering-updating.adoc
+++ b/modules/coreos-layering-updating.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * post-installation_configuration/coreos-layering.adoc
+// * machine_configuration/coreos-layering.adoc
 
 :_mod-docs-content-type: REFERENCE
 [id="coreos-layering-updating_{context}"]
diff --git a/modules/cpmso-openstack-with-az-config.adoc b/modules/cpmso-openstack-with-az-config.adoc
index 7ec702771972..28f9b244a952 100644
--- a/modules/cpmso-openstack-with-az-config.adoc
+++ b/modules/cpmso-openstack-with-az-config.adoc
@@ -43,7 +43,7 @@ providerSpec:
       name: openstack-cloud-credentials
       namespace: openshift-machine-api
     flavor: m1.xlarge
-    image: rhcos-4.15
+    image: rhcos-4.16
     kind: OpenstackProviderSpec
     metadata:
       creationTimestamp: null
diff --git a/modules/create-a-containerruntimeconfig-crd.adoc b/modules/create-a-containerruntimeconfig-crd.adoc
index 0fa703c55cbb..62e1a2cb8538 100644
--- a/modules/create-a-containerruntimeconfig-crd.adoc
+++ b/modules/create-a-containerruntimeconfig-crd.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * post_installation_configuration/machine-configuration-tasks.adoc
+// * machine_configuration/machine-configs-custom.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="create-a-containerruntimeconfig_{context}"]
diff --git a/modules/create-a-kubeletconfig-crd-to-edit-kubelet-parameters.adoc b/modules/create-a-kubeletconfig-crd-to-edit-kubelet-parameters.adoc
index 088279adfc3c..a572adeb91e4 100644
--- a/modules/create-a-kubeletconfig-crd-to-edit-kubelet-parameters.adoc
+++ b/modules/create-a-kubeletconfig-crd-to-edit-kubelet-parameters.adoc
@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * post_installation_configuration/node-tasks.adoc
-// * post_installation_configuration/machine-configuration-tasks.adoc
+// * machine_configuration/machine-configs-custom.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="create-a-kubeletconfig-crd-to-edit-kubelet-parameters_{context}"]
diff --git a/modules/creating-a-machine-pool-cli.adoc b/modules/creating-a-machine-pool-cli.adoc
index ae00fdd310ba..d1312cab8643 100644
--- a/modules/creating-a-machine-pool-cli.adoc
+++ b/modules/creating-a-machine-pool-cli.adoc
@@ -11,7 +11,7 @@ You can create additional machine pools for your {product-title} (ROSA) cluster
 .Prerequisites
 
 * You installed and configured the latest {product-title} (ROSA) CLI, `rosa`, on your workstation.
-* You logged in to your Red Hat account using the ROSA CLI (`rosa`).
+* You logged in to your Red{nbsp}Hat account using the ROSA CLI (`rosa`).
 * You created a ROSA cluster.
 
 .Procedure
@@ -66,7 +66,7 @@ For fault-tolerant worker machine pools, choosing a Multi-AZ machine pool distri
 * A Multi-AZ machine pool with three availability zones can have a machine count in multiples of 3 only, such as 3, 6, 9, and so on. 
 * A Single-AZ machine pool with one availability zone can have a machine count in multiples of 1, such as 1,2,3,4 and so on.
 ====
-<10> Optional: For machine pools in clusters that do not have Red Hat managed VPCs, you can select additional custom security groups to use in your machine pools. You must have already created the security groups and associated them with the VPC that you selected for this cluster. You cannot add or edit security groups after you create the machine pool. For more information, see the requirements for security groups in the "Additional resources" section.
+<10> Optional: For machine pools in clusters that do not have Red{nbsp}Hat managed VPCs, you can select additional custom security groups to use in your machine pools. You must have already created the security groups and associated them with the VPC that you selected for this cluster. You cannot add or edit security groups after you create the machine pool. For more information, see the requirements for security groups in the "Additional resources" section.
 +
 [IMPORTANT]
 ====
diff --git a/modules/creating-a-machine-pool-ocm.adoc b/modules/creating-a-machine-pool-ocm.adoc
index 8bf4f6acb461..85984f79b520 100644
--- a/modules/creating-a-machine-pool-ocm.adoc
+++ b/modules/creating-a-machine-pool-ocm.adoc
@@ -30,7 +30,7 @@ endif::openshift-rosa[]
 ifndef::openshift-rosa[]
 {product-title}
 endif::[]
-subscriptions, resource quotas and deployment scenario. For more information, contact your sales representative or Red Hat support.
+subscriptions, resource quotas and deployment scenario. For more information, contact your sales representative or Red{nbsp}Hat support.
 ====
 endif::openshift-rosa[]
 
@@ -64,7 +64,7 @@ ifdef::openshift-dedicated[]
 +
 [NOTE]
 ====
-The *Enable autoscaling* option is only available for {product-title} if you have the `capability.cluster.autoscale_clusters` subscription. For more information, contact your sales representative or Red Hat support.
+The *Enable autoscaling* option is only available for {product-title} if you have the `capability.cluster.autoscale_clusters` subscription. For more information, contact your sales representative or Red{nbsp}Hat support.
 ====
 endif::openshift-dedicated[]
 .. Set the minimum and maximum node count limits for autoscaling. The cluster autoscaler does not reduce or increase the machine pool node count beyond the limits that you specify.
diff --git a/modules/creating-an-infra-node.adoc b/modules/creating-an-infra-node.adoc
index a2f5d887d3df..26f598b6a4f6 100644
--- a/modules/creating-an-infra-node.adoc
+++ b/modules/creating-an-infra-node.adoc
@@ -65,10 +65,10 @@ kind: Scheduler
 metadata:
   name: cluster
 spec:
-  defaultNodeSelector: topology.kubernetes.io/region=us-east-1 <1>
+  defaultNodeSelector: node-role.kubernetes.io/infra="" <1>
 # ...
 ----
-<1> This example node selector deploys pods on nodes in the `us-east-1` region by default.
+<1> This example node selector deploys pods on infrastructure nodes by default.
 
 .. Save the file to apply the changes.
 
diff --git a/modules/creating-config-files-cluster-install-oci.adoc b/modules/creating-config-files-cluster-install-oci.adoc
index fe314d57ee1c..6a8b8e5dca9b 100644
--- a/modules/creating-config-files-cluster-install-oci.adoc
+++ b/modules/creating-config-files-cluster-install-oci.adoc
@@ -38,9 +38,9 @@ $ ./openshift-install version
 .Example output for a shared registry binary
 [source,terminal,subs="quotes"]
 ----
-./openshift-install 4.15.0
+./openshift-install 4.16.0
 built from commit ae7977b7d1ca908674a0d45c5c243c766fa4b2ca
-release image registry.ci.openshift.org/origin/release:4.15ocp-release@sha256:0da6316466d60a3a4535d5fed3589feb0391989982fba59d47d4c729912d6363
+release image registry.ci.openshift.org/origin/release:4.16ocp-release@sha256:0da6316466d60a3a4535d5fed3589feb0391989982fba59d47d4c729912d6363
 release architecture amd64
 ----
 ====
diff --git a/modules/creating-recurring-etcd-backups.adoc b/modules/creating-recurring-etcd-backups.adoc
new file mode 100644
index 000000000000..78eaedbcf52d
--- /dev/null
+++ b/modules/creating-recurring-etcd-backups.adoc
@@ -0,0 +1,258 @@
+[id="creating-recurring-etcd-backups_{context}"]
+== Creating recurring etcd backups
+
+Follow these steps to create automated recurring backups of etcd.
+
+Use dynamically-provisioned storage to keep the created etcd backup data in a safe, external location if possible. If dynamically-provisioned storage is not available, consider storing the backup data on an NFS share to make backup recovery more accessible.
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+* You have access to the OpenShift CLI (`oc`).
+
+.Procedure
+
+. If dynamically-provisioned storage is available, complete the following steps to create automated recurring backups:
+
+.. Create a persistent volume claim (PVC) named `etcd-backup-pvc.yaml` with contents such as the following example:
++
+[source,yaml]
+----
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: etcd-backup-pvc
+  namespace: openshift-etcd
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 200Gi <1>
+  volumeMode: Filesystem
+  storageClassName: etcd-backup-local-storage
+----
+<1> The amount of storage available to the PVC. Adjust this value for your requirements.
++
+[NOTE]
+====
+Each of the following providers require changes to the `accessModes` and `storageClassName` keys:
+
+[cols="1,1,1"]
+|===
+|Provider|`accessModes` value|`storageClassName` value
+
+|AWS with the `versioned-installer-efc_operator-ci` profile
+|`- ReadWriteMany`
+|`efs-sc`
+
+|Google Cloud Platform
+|`- ReadWriteMany`
+|`filestore-csi`
+
+|Microsoft Azure
+|`- ReadWriteMany`
+|`azurefile-csi`
+|===
+====
+
+.. Apply the PVC by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f etcd-backup-pvc.yaml
+----
+
+.. Verify the creation of the PVC by running the following command:
++
+[source,terminal]
+----
+$ oc get pvc
+----
++
+.Example output
+[source,terminal]
+----
+NAME              STATUS    VOLUME   CAPACITY   ACCESS MODES   STORAGECLASS   AGE
+etcd-backup-pvc   Bound                                                       51s
+----
++
+[NOTE]
+====
+Dynamic PVCs stay in the `Pending` state until they are mounted.
+====
+
+. If dynamically-provisioned storage is unavailable, create a local storage PVC by completing the following steps:
++
+[WARNING]
+====
+If you delete or otherwise lose access to the node that contains the stored backup data, you can lose data.
+====
+
+.. Create a `StorageClass` CR file named `etcd-backup-local-storage.yaml` with the following contents:
++
+[source,yaml]
+----
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: etcd-backup-local-storage
+provisioner: kubernetes.io/no-provisioner
+volumeBindingMode: Immediate
+----
+
+.. Apply the `StorageClass` CR by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f etcd-backup-local-storage.yaml
+----
+
+.. Create a PV named `etcd-backup-pv-fs.yaml` from the applied `StorageClass` with contents such as the following example:
++
+[source,yaml]
+----
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: etcd-backup-pv-fs
+spec:
+  capacity:
+    storage: 100Gi <1>
+  volumeMode: Filesystem
+  accessModes:
+  - ReadWriteMany
+  persistentVolumeReclaimPolicy: Delete
+  storageClassName: etcd-backup-local-storage
+  local:
+    path: /mnt/
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+      - matchExpressions:
+        - key: kubernetes.io/hostname
+          operator: In
+          values:
+          - <example_master_node> <2>
+----
+<1> The amount of storage available to the PV. Adjust this value for your requirements.
+<2> Replace this value with the master node to attach this PV to.
++
+[TIP]
+====
+Run the following command to list the available nodes:
+
+[source,terminal]
+----
+$ oc get nodes
+----
+====
+
+.. Verify the creation of the PV by running the following command:
++
+[source,terminal]
+----
+$ oc get pv
+----
++
+.Example output
+[source,terminal]
+----
+NAME                    CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS      CLAIM   STORAGECLASS                REASON   AGE
+etcd-backup-pv-fs       100Gi      RWX            Delete           Available           etcd-backup-local-storage            10s
+----
+
+.. Create a PVC named `etcd-backup-pvc.yaml` with contents such as the following example:
++
+[source,yaml]
+----
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: etcd-backup-pvc
+spec:
+  accessModes:
+  - ReadWriteMany
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 10Gi <1>
+  storageClassName: etcd-backup-local-storage
+----
+<1> The amount of storage available to the PVC. Adjust this value for your requirements.
+
+.. Apply the PVC by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f etcd-backup-pvc.yaml
+----
+
+. Create a custom resource definition (CRD) file named `etcd-recurring-backups.yaml`. The contents of the created CRD define the schedule and retention type of automated backups.
++
+For the default retention type of `RetentionNumber` with 15 retained backups, use contents such as the following example:
++
+[source,yaml]
+----
+apiVersion: config.openshift.io/v1alpha1
+kind: Backup
+metadata:
+  name: etcd-recurring-backup
+spec:
+  etcd:
+    schedule: "20 4 * * *" <1>
+    timeZone: "UTC"
+    pvcName: etcd-backup-pvc
+----
+<1> The `CronTab` schedule for recurring backups. Adjust this value for your needs.
++
+To use retention based on the maximum number of backups, add the following key-value pairs to the `etcd` key:
++
+[source,yaml]
+----
+spec:
+  etcd:
+    retentionPolicy:
+      retentionType: RetentionNumber <1>
+      retentionNumber:
+        maxNumberOfBackups: 5 <2>
+----
+<1> The retention type. Defaults to `RetentionNumber` if unspecified.
+<2> The maximum number of backups to retain. Adjust this value for your needs. Defaults to 15 backups if unspecified.
++
+[WARNING]
+====
+A known issue causes the number of retained backups to be one greater than the configured value.
+====
++
+For retention based on the file size of backups, use the following:
++
+[source,yaml]
+----
+spec:
+  etcd:
+    retentionPolicy:
+      retentionType: RetentionSize
+      retentionSize:
+        maxSizeOfBackupsGb: 20 <1>
+----
+<1> The maximum file size of the retained backups in gigabytes. Adjust this value for your needs. Defaults to 10 GB if unspecified.
++
+[WARNING]
+====
+A known issue causes the maximum size of retained backups to be up to 10 GB greater than the configured value.
+====
+
+. Create the cron job defined by the CRD by running the following command:
++
+[source,terminal]
+----
+$ oc create -f etcd-recurring-backup.yaml
+----
+
+. To find the created cron job, run the following command:
++
+[source,terminal]
+----
+$ oc get cronjob -n openshift-etcd
+----
\ No newline at end of file
diff --git a/modules/creating-single-etcd-backup.adoc b/modules/creating-single-etcd-backup.adoc
new file mode 100644
index 000000000000..f9fcc9ed194b
--- /dev/null
+++ b/modules/creating-single-etcd-backup.adoc
@@ -0,0 +1,196 @@
+// Module included in the following assemblies:
+//
+// * backup_and_restore/control_plane_backup_and_restore/backing-up-etcd.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="creating-single-etcd-backup_{context}"]
+== Creating a single etcd backup
+
+Follow these steps to create a single etcd backup by creating and applying a custom resource (CR).
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+* You have access to the OpenShift CLI (`oc`).
+
+.Procedure
+
+* If dynamically-provisioned storage is available, complete the following steps to create a single automated etcd backup:
++
+.. Create a persistent volume claim (PVC) named `etcd-backup-pvc.yaml` with contents such as the following example:
++
+[source,yaml]
+----
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: etcd-backup-pvc
+  namespace: openshift-etcd
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 200Gi <1>
+  volumeMode: Filesystem
+----
+<1> The amount of storage available to the PVC. Adjust this value for your requirements.
++
+.. Apply the PVC by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f etcd-backup-pvc.yaml
+----
++
+.. Verify the creation of the PVC by running the following command:
++
+[source,terminal]
+----
+$ oc get pvc
+----
++
+.Example output
+[source,terminal]
+----
+NAME              STATUS    VOLUME   CAPACITY   ACCESS MODES   STORAGECLASS   AGE
+etcd-backup-pvc   Bound                                                       51s
+----
++
+[NOTE]
+====
+Dynamic PVCs stay in the `Pending` state until they are mounted.
+====
++
+.. Create a CR file named `etcd-single-backup.yaml` with contents such as the following example:
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1alpha1
+kind: EtcdBackup
+metadata:
+  name: etcd-single-backup
+  namespace: openshift-etcd
+spec:
+  pvcName: etcd-backup-pvc <1>
+----
+<1> The name of the PVC to save the backup to. Adjust this value according to your environment.
++
+.. Apply the CR to start a single backup:
++
+[source,terminal]
+----
+$ oc apply -f etcd-single-backup.yaml
+----
+
+* If dynamically-provisioned storage is not available, complete the following steps to create a single automated etcd backup:
++
+.. Create a `StorageClass` CR file named `etcd-backup-local-storage.yaml` with the following contents:
++
+[source,yaml]
+----
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: etcd-backup-local-storage
+provisioner: kubernetes.io/no-provisioner
+volumeBindingMode: Immediate
+----
++
+.. Apply the `StorageClass` CR by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f etcd-backup-local-storage.yaml
+----
++
+.. Create a PV named `etcd-backup-pv-fs.yaml` with contents such as the following example:
++
+[source,yaml]
+----
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: etcd-backup-pv-fs
+spec:
+  capacity:
+    storage: 100Gi <1>
+  volumeMode: Filesystem
+  accessModes:
+  - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: etcd-backup-local-storage
+  local:
+    path: /mnt
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+      - matchExpressions:
+      - key: kubernetes.io/hostname
+         operator: In
+         values:
+         - <example_master_node> <2>
+----
+<1> The amount of storage available to the PV. Adjust this value for your requirements.
+<2> Replace this value with the node to attach this PV to.
++
+.. Verify the creation of the PV by running the following command:
++
+[source,terminal]
+----
+$ oc get pv
+----
++
+.Example output
+[source,terminal]
+----
+NAME                    CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS      CLAIM   STORAGECLASS                REASON   AGE
+etcd-backup-pv-fs       100Gi      RWO            Retain           Available           etcd-backup-local-storage            10s
+----
++
+.. Create a PVC named `etcd-backup-pvc.yaml` with contents such as the following example:
++
+[source,yaml]
+----
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: etcd-backup-pvc
+  namespace: openshift-etcd
+spec:
+  accessModes: 
+  - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 10Gi <1>
+----
+<1> The amount of storage available to the PVC. Adjust this value for your requirements.
++
+.. Apply the PVC by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f etcd-backup-pvc.yaml
+----
++
+.. Create a CR file named `etcd-single-backup.yaml` with contents such as the following example:
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1alpha1
+kind: EtcdBackup
+metadata:
+  name: etcd-single-backup
+  namespace: openshift-etcd
+spec:
+  pvcName: etcd-backup-pvc <1>
+----
+<1> The name of the persistent volume claim (PVC) to save the backup to. Adjust this value according to your environment.
++
+.. Apply the CR to start a single backup:
++
+[source,terminal]
+----
+$ oc apply -f etcd-single-backup.yaml
+----
\ No newline at end of file
diff --git a/modules/customize-certificates-add-service-serving.adoc b/modules/customize-certificates-add-service-serving.adoc
index 3cb4d86fb9be..a4991bda43d7 100644
--- a/modules/customize-certificates-add-service-serving.adoc
+++ b/modules/customize-certificates-add-service-serving.adoc
@@ -18,7 +18,7 @@ Because the generated certificates contain wildcard subjects for headless servic
 * Do not accept the service CA as a trusted CA for connections that are directed to individual pods and must not be impersonated by other pods. These connections must be configured to trust the CA that was used to generate the individual TLS certificates.
 ====
 
-.Prerequisites:
+.Prerequisites
 
 * You must have a service defined.
 
diff --git a/modules/debug-nodes-hcp.adoc b/modules/debug-nodes-hcp.adoc
deleted file mode 100644
index 9d70a5bc91ca..000000000000
--- a/modules/debug-nodes-hcp.adoc
+++ /dev/null
@@ -1,109 +0,0 @@
-{hcp-capital}// Module included in the following assemblies:
-//
-// * hosted_control_planes/hcp-troubleshooting.adoc
-
-:_mod-docs-content-type: PROCEDURE
-[id="debug-nodes-hcp_{context}"]
-= Checking why worker nodes did not join the hosted cluster
-
-If your control plane API endpoint is available, but worker nodes did not join the hosted cluster on AWS, you can debug worker node issues. To troubleshoot why worker nodes did not join the hosted cluster on AWS, you can check the following information.
-
-:FeatureName: {hcp-capital} on AWS
-include::snippets/technology-preview.adoc[]
-
-.Prerequisites
-
-* You have link:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.9/html/clusters/cluster_mce_overview#hosting-service-cluster-configure-aws[configured the hosting cluster on AWS].
-* Your control plane API endpoint is available.
-
-.Procedure
-
-. Address any error messages in the status of the `HostedCluster` and `NodePool` resources:
-
-.. Check the status of the `HostedCluster` resource by running the following command:
-+
-[source,terminal]
-----
-$ oc get hc -n <hosted_cluster_namespace> <hosted_cluster_name> -o jsonpath='{.status}'
-----
-
-.. Check the status of the `NodePool` resource by running the following command:
-+
-[source,terminal]
-----
-$ oc get hc -n <hosted_cluster_namespace> <hosted_cluster_name> -o jsonpath='{.status}'
-----
-+
-If you did not find any error messages in the status of the `HostedCluster` and `NodePool` resources, proceed to the next step.
-
-. Check if your worker machines are created by running the following commands, replacing values as necessary:
-+
-[source,terminal]
-----
-$ HC_NAMESPACE="clusters"
-$ HC_NAME="cluster_name"
-$ CONTROL_PLANE_NAMESPACE="${HC_NAMESPACE}-${HC_NAME}"
-$ oc get machines.cluster.x-k8s.io -n $CONTROL_PLANE_NAMESPACE
-$ oc get awsmachines -n $CONTROL_PLANE_NAMESPACE
-----
-
-. If worker machines do not exist, check if the `machinedeployment` and `machineset` resources are created by running the following commands:
-+
-[source,terminal]
-----
-$ oc get machinedeployment -n $CONTROL_PLANE_NAMESPACE
-$ oc get machineset -n $CONTROL_PLANE_NAMESPACE
-----
-
-. If the `machinedeployment` and `machineset` resources do not exist, check logs of the HyperShift Operator by running the following command:
-+
-[source,terminal]
-----
-$ oc logs deployment/operator -n hypershift
-----
-
-. If worker machines exist but are not provisioned in the hosted cluster, check the log of the cluster API provider by running the following command:
-+
-[source,terminal]
-----
-$ oc logs deployment/capi-provider -c manager -n $CONTROL_PLANE_NAMESPACE
-----
-
-. If worker machines exist and are provisioned in the cluster, ensure that machines are initialized through Ignition successfully by checking the system console logs. Check the system console logs of every machine by using the `console-logs` utility by running the following command:
-+
-[source,terminal]
-----
-$ ./bin/hypershift console-logs aws --name $HC_NAME --aws-creds ~/.aws/credentials --output-dir /tmp/console-logs
-----
-+
-You can access the system console logs in the `/tmp/console-logs` directory. The control plane exposes the Ignition endpoint. If you see an error related to the Ignition endpoint, then the Ignition endpoint is not accessible from the worker nodes through `https`.
-
-. If worker machines are provisioned and initialized through Ignition successfully, you can extract and access the journal logs of every worker machine by creating a bastion machine. A bastion machine allows you to access worker machines by using SSH.
-
-.. Create a bastion machine by running the following command:
-+
-[source,terminal]
-----
-$ ./bin/hypershift create bastion aws --aws-creds ~/.aws/credentials --name $CLUSTER_NAME --ssh-key-file /tmp/ssh/id_rsa.pub
-----
-
-.. Optional: If you used the `--generate-ssh` flag when creating the cluster, you can extract the public and private key for the cluster by running the following commands:
-+
-[souce,terminal]
-----
-$ mkdir /tmp/ssh
-$ oc get secret -n clusters ${HC_NAME}-ssh-key -o jsonpath='{ .data.id_rsa }' | base64 -d > /tmp/ssh/id_rsa
-$ oc get secret -n clusters ${HC_NAME}-ssh-key -o jsonpath='{ .data.id_rsa\.pub }' | base64 -d > /tmp/ssh/id_rsa.pub
-----
-
-.. Extract journal logs from the every worker machine by running the following commands:
-+
-[source,terminal]
-----
-$ mkdir /tmp/journals
-$ INFRAID="$(oc get hc -n clusters $CLUSTER_NAME -o jsonpath='{ .spec.infraID }')"
-$ SSH_PRIVATE_KEY=/tmp/ssh/id_rsa
-$ ./test/e2e/util/dump/copy-machine-journals.sh /tmp/journals
-----
-+
-You must place journal logs in the `/tmp/journals` directory in a compressed format. Check for the error that indicates why kubelet did not join the cluster.
diff --git a/modules/deleting-machine-pools-cli.adoc b/modules/deleting-machine-pools-cli.adoc
index f7dd88d1610d..5c203ed75cc5 100644
--- a/modules/deleting-machine-pools-cli.adoc
+++ b/modules/deleting-machine-pools-cli.adoc
@@ -5,7 +5,7 @@
 :_mod-docs-content-type: PROCEDURE
 [id="deleting-machine-pools-cli{context}"]
 = Deleting a machine pool using the ROSA CLI
-You can delete a machine pool for your Red Hat OpenShift Service on AWS (ROSA) cluster by using the ROSA CLI.
+You can delete a machine pool for your Red{nbsp}Hat OpenShift Service on AWS (ROSA) cluster by using the ROSA CLI.
 
 [NOTE]
 ====
diff --git a/modules/deleting-machine-pools-ocm.adoc b/modules/deleting-machine-pools-ocm.adoc
index 9d9a32e83000..42a96971f8d3 100644
--- a/modules/deleting-machine-pools-ocm.adoc
+++ b/modules/deleting-machine-pools-ocm.adoc
@@ -13,7 +13,7 @@ ifdef::openshift-rosa[]
 = Deleting a machine pool using OpenShift Cluster Manager
 endif::openshift-rosa[]
 
-You can delete a machine pool for your Red Hat OpenShift Service on AWS (ROSA) cluster by using OpenShift Cluster Manager.
+You can delete a machine pool for your Red{nbsp}Hat OpenShift Service on AWS (ROSA) cluster by using OpenShift Cluster Manager.
 
 .Prerequisites
 
diff --git a/modules/deploy-app.adoc b/modules/deploy-app.adoc
index 9c60e051ec22..0685224de22b 100644
--- a/modules/deploy-app.adoc
+++ b/modules/deploy-app.adoc
@@ -34,7 +34,7 @@ endif::[]
 
 . Click *Open console*.
 
-. Your cluster console opens in a new browser window. Login to your Red Hat account with your configured identity provider credentials.
+. Your cluster console opens in a new browser window. Log in to your Red{nbsp}Hat account with your configured identity provider credentials.
 
 . In the *Administrator* perspective, select *Home* -> *Projects* -> *Create Project*.
 
diff --git a/modules/disconnected-osus-overview.adoc b/modules/disconnected-osus-overview.adoc
index f737fdeb5f05..32b243aae4b7 100644
--- a/modules/disconnected-osus-overview.adoc
+++ b/modules/disconnected-osus-overview.adoc
@@ -7,16 +7,16 @@
 
 = Using the OpenShift Update Service in a disconnected environment
 
-The OpenShift Update Service (OSUS) provides update recommendations to {product-title} clusters. Red Hat publicly hosts the OpenShift Update Service, and clusters in a connected environment can connect to the service through public APIs to retrieve update recommendations.
+The OpenShift Update Service (OSUS) provides update recommendations to {product-title} clusters. Red{nbsp}Hat publicly hosts the OpenShift Update Service, and clusters in a connected environment can connect to the service through public APIs to retrieve update recommendations.
 
-However, clusters in a disconnected environment cannot access these public APIs to retrieve update information. To have a similar update experience in a disconnected environment, you can install and configure the OpenShift Update Service locally so that it is available within the disconnected environment.
+However, clusters in a disconnected environment cannot access these public APIs to retrieve update information. To have a similar update experience in a disconnected environment, you can install and configure the OpenShift Update Service so that it is available within the disconnected environment.
 
 A single OSUS instance is capable of serving recommendations to thousands of clusters.
 OSUS can be scaled horizontally to cater to more clusters by changing the replica value.
 So for most disconnected use cases, one OSUS instance is enough.
-For example, Red Hat hosts just one OSUS instance for the entire fleet of connected clusters.
+For example, Red{nbsp}Hat hosts just one OSUS instance for the entire fleet of connected clusters.
 
 If you want to keep update recommendations separate in different environments, you can run one OSUS instance for each environment.
 For example, in a case where you have separate test and stage environments, you might not want a cluster in a stage environment to receive update recommendations to version A if that version has not been tested in the test environment yet.
 
-The following sections describe how to install a local OSUS instance and configure it to provide update recommendations to a cluster.
\ No newline at end of file
+The following sections describe how to install an OSUS instance and configure it to provide update recommendations to a cluster.
\ No newline at end of file
diff --git a/modules/distr-tracing-tempo-config-default.adoc b/modules/distr-tracing-tempo-config-default.adoc
index 7717e6676bc1..b03254c93770 100644
--- a/modules/distr-tracing-tempo-config-default.adoc
+++ b/modules/distr-tracing-tempo-config-default.adoc
@@ -6,7 +6,7 @@
 [id="distr-tracing-tempo-config-default_{context}"]
 = Default configuration options
 
-The Tempo custom resource (CR) defines the architecture and settings to be used when creating the {TempoShortName} resources. You can modify these parameters to customize your {TempoShortName} implementation to your business needs.
+The `TempoStack` custom resource (CR) defines the architecture and settings to be used when creating the {TempoShortName} resources. You can modify these parameters to customize your {TempoShortName} implementation to your business needs.
 
 .Example of a generic Tempo YAML file
 [source,yaml]
@@ -32,86 +32,86 @@ spec:
 
 .Tempo parameters
 [options="header"]
-[cols="l, a, a, a"]
+[cols="a, a, a, a"]
 |===
 |Parameter |Description |Values |Default value
 
-|apiVersion:
+|`apiVersion:`
 |API version to use when creating the object.
 |`tempo.grafana.com/v1alpha1`
 |`tempo.grafana.com/v1alpha1`
 
-|kind:
+|`kind:`
 |Defines the kind of Kubernetes object to create.
 |`tempo`
 |
 
-|metadata:
+|`metadata:`
 |Data that uniquely identifies the object, including a `name` string, `UID`, and optional `namespace`.
 |
 |{product-title} automatically generates the `UID` and completes the `namespace` with the name of the project where the object is created.
 
-|name:
+|`name:`
 |Name for the object.
 |Name of your TempoStack instance.
 |`tempo-all-in-one-inmemory`
 
-|spec:
+|`spec:`
 |Specification for the object to be created.
 |Contains all of the configuration parameters for your TempoStack instance. When a common definition for all Tempo components is required, it is defined under the `spec` node. When the definition relates to an individual component, it is placed under the `spec/template/<component>` node.
 |N/A
 
-|resources:
+|`resources:`
 |Resources assigned to the TempoStack instance.
 |
 |
 
-|storageSize:
+|`storageSize:`
 |Storage size for ingester PVCs.
 |
 |
 
-|replicationFactor:
+|`replicationFactor:`
 |Configuration for the replication factor.
 |
 |
 
-|retention:
+|`retention:`
 |Configuration options for retention of traces.
 |
 |
 
-|storage:
+|`storage:`
 |Configuration options that define the storage. All storage-related options must be placed under `storage` and not under the `allInOne` or other component options.
 |
 |
 
-|template.distributor:
+|`template.distributor:`
 |Configuration options for the Tempo `distributor`.
 |
 |
 
-|template.ingester:
+|`template.ingester:`
 |Configuration options for the Tempo `ingester`.
 |
 |
 
-|template.compactor:
+|`template.compactor:`
 |Configuration options for the Tempo `compactor`.
 |
 |
 
-|template.querier:
+|`template.querier:`
 |Configuration options for the Tempo `querier`.
 |
 |
 
-|template.queryFrontend:
+|`template.queryFrontend:`
 |Configuration options for the Tempo `query-frontend`.
 |
 |
 
-|template.gateway:
+|`template.gateway:`
 |Configuration options for the Tempo `gateway`.
 |
 |
diff --git a/modules/distr-tracing-tempo-config-multitenancy.adoc b/modules/distr-tracing-tempo-config-multitenancy.adoc
index 001211eb72b0..68ee12be6263 100644
--- a/modules/distr-tracing-tempo-config-multitenancy.adoc
+++ b/modules/distr-tracing-tempo-config-multitenancy.adoc
@@ -9,6 +9,11 @@
 Multitenancy with authentication and authorization is provided in the Tempo Gateway service.
 The authentication uses OpenShift OAuth and the Kubernetes `TokenReview` API. The authorization uses the Kubernetes `SubjectAccessReview` API.
 
+[NOTE]
+====
+The Tempo Gateway service supports ingestion of traces only via the OTLP/gRPC. The OTLP/HTTP is not supported.
+====
+
 .Sample Tempo CR with two tenants, `dev` and `prod`
 [source,yaml]
 ----
diff --git a/modules/distr-tracing-tempo-config-query-frontend.adoc b/modules/distr-tracing-tempo-config-query-frontend.adoc
index 0c35fff646ff..bfae764553a1 100644
--- a/modules/distr-tracing-tempo-config-query-frontend.adoc
+++ b/modules/distr-tracing-tempo-config-query-frontend.adoc
@@ -11,7 +11,7 @@ Two components of the {TempoShortName}, the querier and query frontend, manage q
 The querier component finds the requested trace ID in the ingesters or back-end storage. Depending on the set parameters, the querier component can query both the ingesters and pull bloom or indexes from the back end to search blocks in object storage. The querier component exposes an HTTP endpoint at `GET /querier/api/traces/<trace_id>`, but it is not expected to be used directly. Queries must be sent to the query frontend.
 
 .Configuration parameters for the querier component
-[options="header",cols="l, a, a]
+[options="header",cols="a, a, a]
 |===
 |Parameter |Description |Values
 
@@ -31,7 +31,7 @@ The querier component finds the requested trace ID in the ingesters or back-end
 The query frontend component is responsible for sharding the search space for an incoming query. The query frontend exposes traces via a simple HTTP endpoint: `GET /api/traces/<trace_id>`. Internally, the query frontend component splits the `blockID` space into a configurable number of shards and then queues these requests. The querier component connects to the query frontend component via a streaming gRPC connection to process these sharded queries.
 
 .Configuration parameters for the query frontend component
-[options="header",cols="l, a, a]
+[options="header",cols="a, a, a]
 |===
 |Parameter |Description |Values
 
diff --git a/modules/distr-tracing-tempo-config-spanmetrics.adoc b/modules/distr-tracing-tempo-config-spanmetrics.adoc
index 710f6572b34d..9a3fc243cd23 100644
--- a/modules/distr-tracing-tempo-config-spanmetrics.adoc
+++ b/modules/distr-tracing-tempo-config-spanmetrics.adoc
@@ -77,7 +77,7 @@ The `TempoStack` custom resource must specify the following: the *Monitor* tab i
 .TempoStack custom resource with the enabled Monitor tab
 [source,yaml]
 ----
-kind:  TempoStack
+kind: TempoStack
 apiVersion: tempo.grafana.com/v1alpha1
 metadata:
   name: simplest
@@ -102,21 +102,21 @@ The metrics generated by the `spanmetrics` connector are usable with alerting ru
 
 .Labels of the metrics created in the `spanmetrics` connector
 [options="header"]
-[cols="l, a, a"]
+[cols="a, a, a"]
 |===
 |Label |Description |Values
 
-|service_name
+|`service_name`
 |Service name set by the `otel_service_name` environment variable.
 |`frontend`
 
-|span_name
+|`span_name`
 | Name of the operation.
 |
 * `/`
 * `/customer`
 
-|span_kind
+|`span_kind`
 |Identifies the server, client, messaging, or internal operation.
 |
 * `SPAN_KIND_SERVER`
diff --git a/modules/distr-tracing-tempo-config-storage.adoc b/modules/distr-tracing-tempo-config-storage.adoc
index 986946c9f6af..ad1048daa902 100644
--- a/modules/distr-tracing-tempo-config-storage.adoc
+++ b/modules/distr-tracing-tempo-config-storage.adoc
@@ -11,26 +11,20 @@ You can configure object storage for the {TempoShortName} in the `TempoStack` cu
 
 .General storage parameters used by the {TempoOperator} to define distributed tracing storage
 [options="header"]
-[cols="l, a, a, a"]
+[cols="a, a, a, a"]
 |===
 |Parameter |Description |Values |Default value
-|spec:
-  storage:
-    secret
-      type:
+|`spec.storage.secret.type`
 |Type of storage to use for the deployment.
 |`memory`. Memory storage is only appropriate for development, testing, demonstrations, and proof of concept environments because the data does not persist when the pod is shut down.
 |`memory`
 
-|storage:
-  secretname:
+|`storage.secretname`
 |Name of the secret that contains the credentials for the set object storage type.
 |
 |N/A
 
-|storage:
-  tls:
-    caName:
+|`storage.tls.caName`
 |CA is the name of a `ConfigMap` object containing a CA certificate.
 |
 |
diff --git a/modules/distr-tracing-tempo-install-cli.adoc b/modules/distr-tracing-tempo-install-cli.adoc
index 082db5bb1f43..e41645978088 100644
--- a/modules/distr-tracing-tempo-install-cli.adoc
+++ b/modules/distr-tracing-tempo-install-cli.adoc
@@ -1,12 +1,12 @@
 // Module included in the following assemblies:
 //
-//* observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-installing.adoc
+// * observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-installing.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="distr-tracing-tempo-install-cli_{context}"]
-= Installing by using the CLI
+= Installing the {TempoOperator} by using the CLI
 
-You can install the {TempoShortName} from the command line.
+You can install the {TempoOperator} from the command line.
 
 .Prerequisites
 
@@ -24,7 +24,7 @@ $ oc login --username=<your_username>
 ----
 ====
 
-* You have completed setting up the required object storage by a supported provider: link:https://www.redhat.com/en/technologies/cloud-computing/openshift-data-foundation[Red Hat OpenShift Data Foundation], link:https://min.io/[MinIO], link:https://aws.amazon.com/s3/[Amazon S3], link:https://azure.microsoft.com/en-us/products/storage/blobs/[Azure Blob Storage], link:https://cloud.google.com/storage/[Google Cloud Storage]. For more information, see "Object storage setup".
+* You have completed setting up the required object storage by a supported provider: link:https://www.redhat.com/en/technologies/cloud-computing/openshift-data-foundation[{odf-full}], link:https://min.io/[MinIO], link:https://aws.amazon.com/s3/[Amazon S3], link:https://azure.microsoft.com/en-us/products/storage/blobs/[Azure Blob Storage], link:https://cloud.google.com/storage/[Google Cloud Storage]. For more information, see "Object storage setup".
 +
 [WARNING]
 ====
@@ -33,9 +33,7 @@ Object storage is required and not included with the {TempoShortName}. You must
 
 .Procedure
 
-. Install the {TempoOperator}:
-
-.. Create a project for the {TempoOperator} by running the following command:
+. Create a project for the {TempoOperator} by running the following command:
 +
 [source,terminal]
 ----
@@ -50,7 +48,7 @@ metadata:
 EOF
 ----
 
-.. Create an Operator group by running the following command:
+. Create an Operator group by running the following command:
 +
 [source,terminal]
 ----
@@ -65,7 +63,7 @@ spec:
 EOF
 ----
 
-.. Create a subscription by running the following command:
+. Create a subscription by running the following command:
 +
 [source,terminal]
 ----
@@ -84,144 +82,11 @@ spec:
 EOF
 ----
 
-.. Check the Operator status by running the following command:
-+
-[source,terminal]
-----
-$ oc get csv -n openshift-tempo-operator
-----
-
-. Run the following command to create a project of your choice for the TempoStack instance that you will create in a subsequent step:
-+
-[source,terminal]
-----
-$ oc apply -f - << EOF
-apiVersion: project.openshift.io/v1
-kind: Project
-metadata:
-  name: <project_of_tempostack_instance>
-EOF
-----
-
-. In the project that you created for the TempoStack instance, create a secret for your object storage bucket by running the following command:
-+
-[source,terminal]
-----
-$ oc apply -f - << EOF
-<object_storage_secret>
-EOF
-----
-+
-For more information, see "Object storage setup".
-+
---
-include::snippets/distr-tracing-tempo-secret-example.adoc[]
---
-
-. Create a TempoStack instance in the project that you created for the TempoStack instance.
-+
-[NOTE]
-====
-You can create multiple TempoStack instances in separate projects on the same cluster.
-====
-+
-.. Customize the `TempoStack` custom resource (CR):
-+
-[source,yaml]
-----
-apiVersion: tempo.grafana.com/v1alpha1
-kind: TempoStack
-metadata:
-  name: sample
-  namespace: <project_of_tempostack_instance>
-spec:
-  storageSize: 1Gi
-  storage:
-      secret: # <1>
-          name: <secret-name> # <2>
-          type: <secret-provider> # <3>
-  template:
-    queryFrontend:
-      jaegerQuery:
-        enabled: true
-        ingress:
-          route:
-            termination: edge
-          type: route
-----
-<1> The secret you created in step 3.
-<2> The value of the `name` in the `metadata` of the secret.
-<3> The accepted values are `azure` for Azure Blob Storage; `gcs` for Google Cloud Storage; and `s3` for Amazon S3, MinIO, or Red Hat OpenShift Data Foundation.
-+
-.Example of a `TempoStack` CR for AWS S3 and MinIO storage
-[source,yaml]
-----
-apiVersion: tempo.grafana.com/v1alpha1
-kind: TempoStack
-metadata:
-  name: simplest
-  namespace: project_of_tempostack_instance
-spec:
-  storageSize: 1Gi
-  storage: # <1>
-    secret:
-      name: minio-test
-      type: s3
-  resources:
-    total:
-      limits:
-        memory: 2Gi
-        cpu: 2000m
-  template:
-    queryFrontend:
-      jaegerQuery: # <2>
-        enabled: true
-        ingress:
-          route:
-            termination: edge
-          type: route
-----
-<1> In this example, the object storage was set up as one of the prerequisites, and the object storage secret was created in step 3.
-<2> The stack deployed in this example is configured to receive Jaeger Thrift over HTTP and OpenTelemetry Protocol (OTLP), which permits visualizing the data with the Jaeger UI.
-
-.. Apply the customized CR by running the following command.
-+
-[source,terminal]
-----
-$ oc apply -f - << EOF
-<TempoStack_custom_resource>
-EOF
-----
-
-
 .Verification
 
-. Verify that the `status` of all TempoStack `components` is `Running` and the `conditions` are `type: Ready` by running the following command:
+* Check the Operator status by running the following command:
 +
 [source,terminal]
 ----
-$ oc get tempostacks.tempo.grafana.com simplest -o yaml
-----
-
-. Verify that all the TempoStack component pods are running by running the following command:
-+
-[source,terminal]
-----
-$ oc get pods
-----
-
-. Access the Tempo console:
-
-.. Query the route details by running the following command:
-+
-[source,terminal]
-----
-$ oc get route
+$ oc get csv -n openshift-tempo-operator
 ----
-
-.. Open `\https://<route_from_previous_step>` in a web browser.
-+
-[NOTE]
-====
-The Tempo console initially shows no trace data following the Tempo console installation.
-====
diff --git a/modules/distr-tracing-tempo-install-tempomonolithic-cli.adoc b/modules/distr-tracing-tempo-install-tempomonolithic-cli.adoc
new file mode 100644
index 000000000000..34b27da6424d
--- /dev/null
+++ b/modules/distr-tracing-tempo-install-tempomonolithic-cli.adoc
@@ -0,0 +1,116 @@
+// Module included in the following assemblies:
+//
+// * observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-installing.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="distr-tracing-tempo-install-tempomonolithic-cli_{context}"]
+= Installing a TempoMonolithic instance by using the CLI
+
+:FeatureName: The TempoMonolithic instance
+include::snippets/technology-preview.adoc[]
+
+You can install a TempoMonolithic instance from the command line.
+
+.Prerequisites
+
+* An active {oc-first} session by a cluster administrator with the `cluster-admin` role.
++
+[TIP]
+====
+* Ensure that your {oc-first} version is up to date and matches your {product-title} version.
+
+* Run the `oc login` command:
++
+[source,terminal]
+----
+$ oc login --username=<your_username>
+----
+====
+
+.Procedure
+
+. Run the following command to create a project of your choice for the TempoMonolithic instance that you will create in a subsequent step:
++
+[source,terminal]
+----
+$ oc apply -f - << EOF
+apiVersion: project.openshift.io/v1
+kind: Project
+metadata:
+  name: <project_of_tempomonolithic_instance>
+EOF
+----
+
+. Decide which type of supported storage to use for storing traces: in-memory storage, a persistent volume, or object storage.
++
+[IMPORTANT]
+====
+Object storage is not included with the {TempoShortName} and requires setting up an object store by a supported provider: link:https://www.redhat.com/en/technologies/cloud-computing/openshift-data-foundation[{odf-full}], link:https://min.io/[MinIO], link:https://aws.amazon.com/s3/[Amazon S3], link:https://azure.microsoft.com/en-us/products/storage/blobs/[Azure Blob Storage], or link:https://cloud.google.com/storage/[Google Cloud Storage].
+
+Additionally, opting for object storage requires creating a secret for your object storage bucket in the project that you created for the TempoMonolithic instance. You can do this by running the following command:
+
+[source,terminal]
+----
+$ oc apply -f - << EOF
+<object_storage_secret>
+EOF
+----
+
+For more information, see "Object storage setup".
+
+--
+include::snippets/distr-tracing-tempo-secret-example.adoc[]
+--
+
+====
+
+. Create a TempoMonolithic instance in the project that you created for it.
++
+[TIP]
+====
+You can create multiple TempoMonolithic instances in separate projects on the same cluster.
+====
+
+.. Customize the `TempoMonolithic` custom resource (CR).
++
+include::snippets/distr-tracing-tempo-tempomonolithic-custom-resource.adoc[]
+
+.. Apply the customized CR by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f - << EOF
+<tempomonolithic_cr>
+EOF
+----
+
+.Verification
+
+. Verify that the `status` of all TempoMonolithic `components` is `Running` and the `conditions` are `type: Ready` by running the following command:
++
+[source,terminal]
+----
+$ oc get tempomonolithic.tempo.grafana.com <metadata_name_of_tempomonolithic_cr> -o yaml
+----
+
+. Run the following command to verify that the pod of the TempoMonolithic instance is running:
++
+[source,terminal]
+----
+$ oc get pods
+----
+
+. Access the Jaeger UI:
+
+.. Query the route details for the `tempo-<metadata_name_of_tempomonolithic_cr>-jaegerui` route by running the following command:
++
+[source,terminal]
+----
+$ oc get route
+----
+
+.. Open `\https://<route_from_previous_step>` in a web browser.
+
+. When the pod of the TempoMonolithic instance is ready, you can send traces to the `tempo-<metadata_name_of_tempomonolithic_cr>:4317` (OTLP/gRPC) and `tempo-<metadata_name_of_tempomonolithic_cr>:4318` (OTLP/HTTP) endpoints inside the cluster.
++
+The Tempo API is available at the `tempo-<metadata_name_of_tempomonolithic_cr>:3200` endpoint inside the cluster.
diff --git a/modules/distr-tracing-tempo-install-tempomonolithic-web-console.adoc b/modules/distr-tracing-tempo-install-tempomonolithic-web-console.adoc
new file mode 100644
index 000000000000..6542e4037a28
--- /dev/null
+++ b/modules/distr-tracing-tempo-install-tempomonolithic-web-console.adoc
@@ -0,0 +1,77 @@
+// Module included in the following assemblies:
+//
+// * observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-installing.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="distr-tracing-tempo-install-tempomonolithic-web-console_{context}"]
+= Installing a TempoMonolithic instance by using the web console
+
+:FeatureName: The TempoMonolithic instance
+include::snippets/technology-preview.adoc[]
+
+You can install a TempoMonolithic instance from the *Administrator* view of the web console.
+
+.Prerequisites
+
+* You are logged in to the {product-title} web console as a cluster administrator with the `cluster-admin` role.
+
+* For {product-dedicated}, you must be logged in using an account with the `dedicated-admin` role.
+
+.Procedure
+
+. Go to *Home* -> *Projects* -> *Create Project* to create a project of your choice for the *TempoMonolithic* instance that you will create in a subsequent step.
+
+. Decide which type of supported storage to use for storing traces: in-memory storage, a persistent volume, or object storage.
++
+[IMPORTANT]
+====
+Object storage is not included with the {TempoShortName} and requires setting up an object store by a supported provider: link:https://www.redhat.com/en/technologies/cloud-computing/openshift-data-foundation[{odf-full}], link:https://min.io/[MinIO], link:https://aws.amazon.com/s3/[Amazon S3], link:https://azure.microsoft.com/en-us/products/storage/blobs/[Azure Blob Storage], or link:https://cloud.google.com/storage/[Google Cloud Storage].
+
+Additionally, opting for object storage requires creating a secret for your object storage bucket in the project that you created for the *TempoMonolithic* instance. You can do this in *Workloads* -> *Secrets* -> *Create* -> *From YAML*.
+
+For more information, see "Object storage setup".
+
+--
+include::snippets/distr-tracing-tempo-secret-example.adoc[]
+--
+====
+
+. Create a *TempoMonolithic* instance:
++
+[NOTE]
+====
+You can create multiple *TempoMonolithic* instances in separate projects on the same cluster.
+====
+
+.. Go to *Operators* -> *Installed Operators*.
+
+.. Select *TempoMonolithic* -> *Create TempoMonolithic* -> *YAML view*.
+
+.. In the *YAML view*, customize the `TempoMonolithic` custom resource (CR).
++
+include::snippets/distr-tracing-tempo-tempomonolithic-custom-resource.adoc[]
+
+.. Select *Create*.
+
+.Verification
+
+. Use the *Project:* dropdown list to select the project of the *TempoMonolithic* instance.
+
+. Go to *Operators* -> *Installed Operators* to verify that the *Status* of the *TempoMonolithic* instance is *Condition: Ready*.
+
+. Go to *Workloads* -> *Pods* to verify that the pod of the *TempoMonolithic* instance is running.
+
+. Access the Jaeger UI:
+
+.. Go to *Networking* -> *Routes* and kbd:[Ctrl+F] to search for `jaegerui`.
++
+[NOTE]
+====
+The Jaeger UI uses the `tempo-<metadata_name_of_TempoMonolithic_CR>-jaegerui` route.
+====
+
+.. In the *Location* column, open the URL to access the Jaeger UI.
+
+. When the pod of the *TempoMonolithic* instance is ready, you can send traces to the `tempo-<metadata_name_of_TempoMonolithic_CR>:4317` (OTLP/gRPC) and `tempo-<metadata_name_of_TempoMonolithic_CR>:4318` (OTLP/HTTP) endpoints inside the cluster.
++
+The Tempo API is available at the `tempo-<metadata_name_of_TempoMonolithic_CR>:3200` endpoint inside the cluster.
diff --git a/modules/distr-tracing-tempo-install-tempostack-cli.adoc b/modules/distr-tracing-tempo-install-tempostack-cli.adoc
new file mode 100644
index 000000000000..a3fb6fbb97c5
--- /dev/null
+++ b/modules/distr-tracing-tempo-install-tempostack-cli.adoc
@@ -0,0 +1,169 @@
+// Module included in the following assemblies:
+//
+// * observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-installing.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="distr-tracing-tempo-install-tempostack-cli_{context}"]
+= Installing a TempoStack instance by using the CLI
+
+You can install a TempoStack instance from the command line.
+
+.Prerequisites
+
+* An active {oc-first} session by a cluster administrator with the `cluster-admin` role.
++
+[TIP]
+====
+* Ensure that your {oc-first} version is up to date and matches your {product-title} version.
+
+* Run the `oc login` command:
++
+[source,terminal]
+----
+$ oc login --username=<your_username>
+----
+====
+
+* You have completed setting up the required object storage by a supported provider: link:https://www.redhat.com/en/technologies/cloud-computing/openshift-data-foundation[{odf-full}], link:https://min.io/[MinIO], link:https://aws.amazon.com/s3/[Amazon S3], link:https://azure.microsoft.com/en-us/products/storage/blobs/[Azure Blob Storage], link:https://cloud.google.com/storage/[Google Cloud Storage]. For more information, see "Object storage setup".
++
+[WARNING]
+====
+Object storage is required and not included with the {TempoShortName}. You must choose and set up object storage by a supported provider before installing the {TempoShortName}.
+====
+
+.Procedure
+
+. Run the following command to create a project of your choice for the TempoStack instance that you will create in a subsequent step:
++
+[source,terminal]
+----
+$ oc apply -f - << EOF
+apiVersion: project.openshift.io/v1
+kind: Project
+metadata:
+  name: <project_of_tempostack_instance>
+EOF
+----
+
+. In the project that you created for the TempoStack instance, create a secret for your object storage bucket by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f - << EOF
+<object_storage_secret>
+EOF
+----
++
+For more information, see "Object storage setup".
++
+--
+include::snippets/distr-tracing-tempo-secret-example.adoc[]
+--
+
+. Create a TempoStack instance in the project that you created for it:
++
+[NOTE]
+====
+You can create multiple TempoStack instances in separate projects on the same cluster.
+====
++
+.. Customize the `TempoStack` custom resource (CR):
++
+[source,yaml]
+----
+apiVersion: tempo.grafana.com/v1alpha1
+kind: TempoStack
+metadata:
+  name: sample
+  namespace: <project_of_tempostack_instance>
+spec:
+  storageSize: 1Gi
+  storage:
+      secret: # <1>
+          name: <secret_name> # <2>
+          type: <secret_provider> # <3>
+  template:
+    queryFrontend:
+      jaegerQuery:
+        enabled: true
+        ingress:
+          route:
+            termination: edge
+          type: route
+----
+<1> The secret you created in step 2 for the object storage that had been set up as one of the prerequisites.
+<2> The value of the `name` in the `metadata` of the secret.
+<3> The accepted values are `azure` for Azure Blob Storage; `gcs` for Google Cloud Storage; and `s3` for Amazon S3, MinIO, or {odf-full}.
++
+.Example of a `TempoStack` CR for AWS S3 and MinIO storage
+[source,yaml]
+----
+apiVersion: tempo.grafana.com/v1alpha1
+kind: TempoStack
+metadata:
+  name: simplest
+  namespace: <project_of_tempostack_instance>
+spec:
+  storageSize: 1Gi
+  storage: # <1>
+    secret:
+      name: minio-test
+      type: s3
+  resources:
+    total:
+      limits:
+        memory: 2Gi
+        cpu: 2000m
+  template:
+    queryFrontend:
+      jaegerQuery: # <2>
+        enabled: true
+        ingress:
+          route:
+            termination: edge
+          type: route
+----
+<1> In this example, the object storage was set up as one of the prerequisites, and the object storage secret was created in step 2.
+<2> The stack deployed in this example is configured to receive Jaeger Thrift over HTTP and OpenTelemetry Protocol (OTLP), which permits visualizing the data with the Jaeger UI.
+
+.. Apply the customized CR by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f - << EOF
+<tempostack_cr>
+EOF
+----
+
+
+.Verification
+
+. Verify that the `status` of all TempoStack `components` is `Running` and the `conditions` are `type: Ready` by running the following command:
++
+[source,terminal]
+----
+$ oc get tempostacks.tempo.grafana.com simplest -o yaml
+----
+
+. Verify that all the TempoStack component pods are running by running the following command:
++
+[source,terminal]
+----
+$ oc get pods
+----
+
+. Access the Tempo console:
+
+.. Query the route details by running the following command:
++
+[source,terminal]
+----
+$ oc get route
+----
+
+.. Open `\https://<route_from_previous_step>` in a web browser.
++
+[NOTE]
+====
+The Tempo console initially shows no trace data following the Tempo console installation.
+====
diff --git a/modules/distr-tracing-tempo-install-tempostack-web-console.adoc b/modules/distr-tracing-tempo-install-tempostack-web-console.adoc
new file mode 100644
index 000000000000..900ca3d999fb
--- /dev/null
+++ b/modules/distr-tracing-tempo-install-tempostack-web-console.adoc
@@ -0,0 +1,124 @@
+// Module included in the following assemblies:
+//
+// * observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-installing.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="distr-tracing-tempo-install-tempostack-web-console_{context}"]
+= Installing a TempoStack instance by using the web console
+
+You can install a TempoStack instance from the *Administrator* view of the web console.
+
+.Prerequisites
+
+* You are logged in to the {product-title} web console as a cluster administrator with the `cluster-admin` role.
+
+* For {product-dedicated}, you must be logged in using an account with the `dedicated-admin` role.
+
+* You have completed setting up the required object storage by a supported provider: link:https://www.redhat.com/en/technologies/cloud-computing/openshift-data-foundation[{odf-full}], link:https://min.io/[MinIO], link:https://aws.amazon.com/s3/[Amazon S3], link:https://azure.microsoft.com/en-us/products/storage/blobs/[Azure Blob Storage], link:https://cloud.google.com/storage/[Google Cloud Storage]. For more information, see "Object storage setup".
++
+[WARNING]
+====
+Object storage is required and not included with the {TempoShortName}. You must choose and set up object storage by a supported provider before installing the {TempoShortName}.
+====
+
+.Procedure
+
+. Go to *Home* -> *Projects* -> *Create Project* to create a project of your choice for the TempoStack instance that you will create in a subsequent step.
+
+. Go to *Workloads* -> *Secrets* -> *Create* -> *From YAML* to create a secret for your object storage bucket in the project that you created for the TempoStack instance. For more information, see "Object storage setup".
++
+--
+include::snippets/distr-tracing-tempo-secret-example.adoc[]
+--
+
+. Create a TempoStack instance.
++
+[NOTE]
+====
+You can create multiple TempoStack instances in separate projects on the same cluster.
+====
+
+.. Go to *Operators* -> *Installed Operators*.
+
+.. Select *TempoStack* -> *Create TempoStack* -> *YAML view*.
+
+.. In the *YAML view*, customize the `TempoStack` custom resource (CR):
++
+[source,yaml]
+----
+apiVersion: tempo.grafana.com/v1alpha1
+kind: TempoStack
+metadata:
+  name: sample
+  namespace: <project_of_tempostack_instance>
+spec:
+  storageSize: 1Gi
+  storage:
+    secret: # <1>
+      name: <secret_name> # <2>
+      type: <secret_provider> # <3>
+  template:
+    queryFrontend:
+      jaegerQuery:
+        enabled: true
+        ingress:
+          route:
+            termination: edge
+          type: route
+----
+<1> The secret you created in step 2 for the object storage that had been set up as one of the prerequisites.
+<2> The value of the `name` in the `metadata` of the secret.
+<3> The accepted values are `azure` for Azure Blob Storage; `gcs` for Google Cloud Storage; and `s3` for Amazon S3, MinIO, or {odf-full}.
++
+.Example of a `TempoStack` CR for AWS S3 and MinIO storage
+[source,yaml]
+----
+apiVersion: tempo.grafana.com/v1alpha1
+kind: TempoStack
+metadata:
+  name: simplest
+  namespace: <project_of_tempostack_instance>
+spec:
+  storageSize: 1Gi
+  storage: # <1>
+    secret:
+      name: minio-test
+      type: s3
+  resources:
+    total:
+      limits:
+        memory: 2Gi
+        cpu: 2000m
+  template:
+    queryFrontend:
+      jaegerQuery: # <2>
+        enabled: true
+        ingress:
+          route:
+            termination: edge
+          type: route
+----
+<1> In this example, the object storage was set up as one of the prerequisites, and the object storage secret was created in step 2.
+<2> The stack deployed in this example is configured to receive Jaeger Thrift over HTTP and OpenTelemetry Protocol (OTLP), which permits visualizing the data with the Jaeger UI.
+
+.. Select *Create*.
+
+
+.Verification
+
+. Use the *Project:* dropdown list to select the project of the *TempoStack* instance.
+
+. Go to *Operators* -> *Installed Operators* to verify that the *Status* of the *TempoStack* instance is *Condition: Ready*.
+
+. Go to *Workloads* -> *Pods* to verify that all the component pods of the *TempoStack* instance are running.
+
+. Access the Tempo console:
+
+.. Go to *Networking* -> *Routes* and kbd:[Ctrl+F] to search for `tempo`.
+
+.. In the *Location* column, open the URL to access the Tempo console.
++
+[NOTE]
+====
+The Tempo console initially shows no trace data following the Tempo console installation.
+====
diff --git a/modules/distr-tracing-tempo-install-web-console.adoc b/modules/distr-tracing-tempo-install-web-console.adoc
index 7f6591eb406f..cd7b6ed8cb72 100644
--- a/modules/distr-tracing-tempo-install-web-console.adoc
+++ b/modules/distr-tracing-tempo-install-web-console.adoc
@@ -1,12 +1,12 @@
 // Module included in the following assemblies:
 //
-//* observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-installing.adoc
+// * observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-installing.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="distr-tracing-tempo-install-web-console_{context}"]
-= Installing by using the web console
+= Installing the {TempoOperator} by using the web console
 
-You can install the {TempoShortName} from the *Administrator* view of the web console.
+You can install the {TempoOperator} from the *Administrator* view of the web console.
 
 .Prerequisites
 
@@ -14,7 +14,7 @@ You can install the {TempoShortName} from the *Administrator* view of the web co
 
 * For {product-dedicated}, you must be logged in using an account with the `dedicated-admin` role.
 
-* You have completed setting up the required object storage by a supported provider: link:https://www.redhat.com/en/technologies/cloud-computing/openshift-data-foundation[Red Hat OpenShift Data Foundation], link:https://min.io/[MinIO], link:https://aws.amazon.com/s3/[Amazon S3], link:https://azure.microsoft.com/en-us/products/storage/blobs/[Azure Blob Storage], link:https://cloud.google.com/storage/[Google Cloud Storage]. For more information, see "Object storage setup".
+* You have completed setting up the required object storage by a supported provider: link:https://www.redhat.com/en/technologies/cloud-computing/openshift-data-foundation[{odf-full}], link:https://min.io/[MinIO], link:https://aws.amazon.com/s3/[Amazon S3], link:https://azure.microsoft.com/en-us/products/storage/blobs/[Azure Blob Storage], link:https://cloud.google.com/storage/[Google Cloud Storage]. For more information, see "Object storage setup".
 +
 [WARNING]
 ====
@@ -23,11 +23,9 @@ Object storage is required and not included with the {TempoShortName}. You must
 
 .Procedure
 
-. Install the {TempoOperator}:
+. Go to *Operators* -> *OperatorHub* and search for `{TempoOperator}`.
 
-.. Go to *Operators* -> *OperatorHub* and search for `{TempoOperator}`.
-
-.. Select the *{TempoOperator}* that is *provided by Red Hat*.
+. Select the *{TempoOperator}* that is *provided by Red Hat*.
 +
 [IMPORTANT]
 ====
@@ -39,108 +37,10 @@ The following selections are the default presets for this Operator:
 * *Update approval* -> *Automatic*
 ====
 
-.. Select the *Enable Operator recommended cluster monitoring on this Namespace* checkbox.
-
-.. Select *Install* -> *Install* -> *View Operator*.
-
-.. In the *Details* tab of the page of the installed Operator, under *ClusterServiceVersion details*, verify that the installation *Status* is *Succeeded*.
-
-. Create a project of your choice for the *TempoStack* instance that you will create in a subsequent step: go to *Home* -> *Projects* -> *Create Project*.
-
-. In the project that you created for the *TempoStack* instance, create a secret for your object storage bucket: go to *Workloads* -> *Secrets* -> *Create* -> *From YAML*. For more information, see "Object storage setup".
-+
---
-include::snippets/distr-tracing-tempo-secret-example.adoc[]
---
-
-. Create a *TempoStack* instance.
-+
-[NOTE]
-====
-You can create multiple *TempoStack* instances in separate projects on the same cluster.
-====
-
-.. Go to *Operators* -> *Installed Operators*.
-
-.. Select *TempoStack* -> *Create TempoStack* -> *YAML view*.
-
-.. In the *YAML view*, customize the `TempoStack` custom resource (CR):
-+
-[source,yaml]
-----
-apiVersion: tempo.grafana.com/v1alpha1
-kind: TempoStack
-metadata:
-  name: sample
-  namespace: <project_of_tempostack_instance>
-spec:
-  storageSize: 1Gi
-  storage:
-    secret: # <1>
-      name: <secret-name> # <2>
-      type: <secret-provider> # <3>
-  template:
-    queryFrontend:
-      jaegerQuery:
-        enabled: true
-        ingress:
-          route:
-            termination: edge
-          type: route
-----
-<1> The secret you created in step 3.
-<2> The value of the `name` in the `metadata` of the secret.
-<3> The accepted values are `azure` for Azure Blob Storage; `gcs` for Google Cloud Storage; and `s3` for Amazon S3, MinIO, or Red Hat OpenShift Data Foundation.
-+
-.Example of a `TempoStack` CR for AWS S3 and MinIO storage
-[source,yaml]
-----
-apiVersion: tempo.grafana.com/v1alpha1
-kind: TempoStack
-metadata:
-  name: simplest
-  namespace: <project_of_tempostack_instance>
-spec:
-  storageSize: 1Gi
-  storage: # <1>
-    secret:
-      name: minio-test
-      type: s3
-  resources:
-    total:
-      limits:
-        memory: 2Gi
-        cpu: 2000m
-  template:
-    queryFrontend:
-      jaegerQuery: # <2>
-        enabled: true
-        ingress:
-          route:
-            termination: edge
-          type: route
-----
-<1> In this example, the object storage was set up as one of the prerequisites, and the object storage secret was created in step 3.
-<2> The stack deployed in this example is configured to receive Jaeger Thrift over HTTP and OpenTelemetry Protocol (OTLP), which permits visualizing the data with the Jaeger UI.
-
-.. Select *Create*.
+. Select the *Enable Operator recommended cluster monitoring on this Namespace* checkbox.
 
+. Select *Install* -> *Install* -> *View Operator*.
 
 .Verification
 
-. Use the *Project:* dropdown list to select the project of the *TempoStack* instance.
-
-. Go to *Operators* -> *Installed Operators* to verify that the *Status* of the *TempoStack* instance is *Condition: Ready*.
-
-. Go to *Workloads* -> *Pods* to verify that all the component pods of the *TempoStack* instance are running.
-
-. Access the Tempo console:
-
-.. Go to *Networking* -> *Routes* and kbd:[Ctrl+F] to search for `tempo`.
-
-.. In the *Location* column, open the URL to access the Tempo console.
-+
-[NOTE]
-====
-The Tempo console initially shows no trace data following the Tempo console installation.
-====
+* In the *Details* tab of the page of the installed Operator, under *ClusterServiceVersion details*, verify that the installation *Status* is *Succeeded*.
diff --git a/modules/enabling-entra-workload-id-existing-cluster.adoc b/modules/enabling-entra-workload-id-existing-cluster.adoc
new file mode 100644
index 000000000000..3bef1bf59627
--- /dev/null
+++ b/modules/enabling-entra-workload-id-existing-cluster.adoc
@@ -0,0 +1,249 @@
+// Module included in the following assemblies:
+//
+// * post_installation_configuration/cluster-tasks.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="enabling-entra-workload-id-existing-cluster_{context}"]
+= Enabling {entra-first} on an existing cluster
+
+If you did not configure your {azure-first} {product-title} cluster to use {entra-first} during installation, you can enable this authentication method on an existing cluster.
+
+[IMPORTANT]
+====
+The process to enable {entra-short} on an existing cluster is disruptive and takes a significant amount of time.
+Before proceeding, observe the following considerations:
+
+* Read the following steps and ensure that you understand and accept the time requirement.
+The exact time requirement varies depending on the individual cluster, but it is likely to require at least one hour.
+
+* During this process, you must refresh all service accounts and restart all pods on the cluster.
+These actions are disruptive to workloads.
+To mitigate this impact, you can temporarily halt these services and then redeploy them when the cluster is ready.
+
+* After starting this process, do not attempt to update the cluster until it is complete.
+If an update is triggered, the process to enable {entra-short} on an existing cluster fails.
+====
+
+.Prerequisites
+
+* You have installed an {product-title} cluster on {azure-first}.
+* You have access to the cluster using an account with `cluster-admin` permissions.
+* You have installed the {oc-first}.
+* You have extracted and prepared the Cloud Credential Operator utility (`ccoctl`) binary.
+* You have access to your {azure-short} account by using the {azure-short} CLI (`az`).
+
+.Procedure
+
+. Create an output directory for the manifests that the `ccoctl` utility generates.
+This procedure uses `./output_dir` as an example.
+
+. Extract the service account public signing key for the cluster to the output directory by running the following command:
++
+[source,terminal]
+----
+$ oc get configmap \
+  --namespace openshift-kube-apiserver bound-sa-token-signing-certs \
+  --output 'go-template={{index .data "service-account-001.pub"}}' > ./output_dir/serviceaccount-signer.public <1>
+----
+<1> This procedure uses a file named `serviceaccount-signer.public` as an example.
+
+. Use the extracted service account public signing key to create an OpenID Connect (OIDC) issuer and {azure-short} blob storage container with OIDC configuration files by running the following command:
++
+[source,terminal]
+----
+$ ./ccoctl azure create-oidc-issuer \
+  --name <azure_infra_name> \// <1>
+  --output-dir ./output_dir \
+  --region <azure_region> \// <2>
+  --subscription-id <azure_subscription_id> \// <3>
+  --tenant-id <azure_tenant_id> \
+  --public-key-file ./output_dir/serviceaccount-signer.public <4>
+----
+<1> The value of the `name` parameter is used to create an Azure resource group.
+To use an existing Azure resource group instead of creating a new one, specify the `--oidc-resource-group-name` argument with the existing group name as its value.
+<2> Specify the region of the existing cluster.
+<3> Specify the subscription ID of the existing cluster.
+<4> Specify the file that contains the service account public signing key for the cluster.
+
+. Verify that the configuration file for the Azure pod identity webhook was created by running the following command:
++
+[source,terminal]
+----
+$ ll ./output_dir/manifests
+----
++
+.Example output
++
+[source,text]
+----
+total 8
+-rw-------. 1 cloud-user cloud-user 193 May 22 02:29 azure-ad-pod-identity-webhook-config.yaml <1>
+-rw-------. 1 cloud-user cloud-user 165 May 22 02:29 cluster-authentication-02-config.yaml
+----
+<1> The file `azure-ad-pod-identity-webhook-config.yaml` contains the Azure pod identity webhook configuration.
+
+. Set an `OIDC_ISSUER_URL` variable with the OIDC issuer URL from the generated manifests in the output directory by running the following command:
++
+[source,terminal]
+----
+$ OIDC_ISSUER_URL=`awk '/serviceAccountIssuer/ { print $2 }' ./output_dir/manifests/cluster-authentication-02-config.yaml`
+----
+
+. Update the `spec.serviceAccountIssuer` parameter of the cluster `authentication` configuration by running the following command:
++
+[source,terminal]
+----
+$ oc patch authentication cluster \
+  --type=merge \
+  -p "{\"spec\":{\"serviceAccountIssuer\":\"${OIDC_ISSUER_URL}\"}}"
+----
+
+. Monitor the configuration update progress by running the following command:
++
+[source,terminal]
+----
+$ oc adm wait-for-stable-cluster
+----
++
+This process might take 15 minutes or longer.
+The following output indicates that the process is complete:
++
+[source,text]
+----
+All clusteroperators are stable
+----
+
+. Restart all of the pods in the cluster by running the following command:
++
+[source,terminal]
+----
+$ oc adm reboot-machine-config-pool mcp/worker mcp/master
+----
++
+Restarting a pod updates the `serviceAccountIssuer` field and refreshes the service account public signing key.
+
+. Monitor the restart and update process by running the following command:
++
+[source,terminal]
+----
+$ oc adm wait-for-node-reboot nodes --all
+----
++
+This process might take 15 minutes or longer.
+The following output indicates that the process is complete:
++
+[source,text]
+----
+All nodes rebooted
+----
+
+. Update the Cloud Credential Operator `spec.credentialsMode` parameter to `Manual` by running the following command:
++
+[source,terminal]
+----
+$ oc patch cloudcredential cluster \
+  --type=merge \
+  --patch '{"spec":{"credentialsMode":"Manual"}}'
+----
+
+. Extract the list of `CredentialsRequest` objects from the {product-title} release image by running the following command:
++
+[source,terminal]
+----
+$ oc adm release extract \
+  --credentials-requests \
+  --included \
+  --to <path_to_directory_for_credentials_requests> \
+  --registry-config ~/.pull-secret
+----
++
+[NOTE]
+====
+This command might take a few moments to run.
+====
+
+. Set an `AZURE_INSTALL_RG` variable with the {azure-short} resource group name by running the following command:
++
+[source,terminal]
+----
+$ AZURE_INSTALL_RG=`oc get infrastructure cluster -o jsonpath --template '{ .status.platformStatus.azure.resourceGroupName }'`
+----
+
+. Use the `ccoctl` utility to create managed identities for all `CredentialsRequest` objects by running the following command:
++
+[source,terminal]
+----
+$ ccoctl azure create-managed-identities \
+  --name <azure_infra_name> \
+  --output-dir ./output_dir \
+  --region <azure_region> \
+  --subscription-id <azure_subscription_id> \
+  --credentials-requests-dir <path_to_directory_for_credentials_requests> \
+  --issuer-url "${OIDC_ISSUER_URL}" \
+  --dnszone-resource-group-name <azure_dns_zone_resourcegroup_name> \// <1>
+  --installation-resource-group-name "${AZURE_INSTALL_RG}"
+----
+<1> Specify the name of the resource group that contains the DNS zone.
+
+. Apply the {azure-short} pod identity webhook configuration for {entra-short} by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f ./output_dir/manifests/azure-ad-pod-identity-webhook-config.yaml
+----
+
+. Apply the secrets generated by the `ccoctl` utility by running the following command:
++
+[source,terminal]
+----
+$ find ./output_dir/manifests -iname "openshift*yaml" -print0 | xargs -I {} -0 -t oc replace -f {}
+----
++
+This process might take several minutes.
+
+
+. Restart all of the pods in the cluster by running the following command:
++
+[source,terminal]
+----
+$ oc adm reboot-machine-config-pool mcp/worker mcp/master
+----
++
+Restarting a pod updates the `serviceAccountIssuer` field and refreshes the service account public signing key.
+
+. Monitor the restart and update process by running the following command:
++
+[source,terminal]
+----
+$ oc adm wait-for-node-reboot nodes --all
+----
++
+This process might take 15 minutes or longer.
+The following output indicates that the process is complete:
++
+[source,text]
+----
+All nodes rebooted
+----
+
+. Monitor the configuration update progress by running the following command:
++
+[source,terminal]
+----
+$ oc adm wait-for-stable-cluster
+----
++
+This process might take 15 minutes or longer.
+The following output indicates that the process is complete:
++
+[source,text]
+----
+All clusteroperators are stable
+----
+
+. Optional: Remove the {azure-short} root credentials secret by running the following command:
++
+[source,terminal]
+----
+$ oc delete secret -n kube-system azure-credentials
+----
\ No newline at end of file
diff --git a/modules/etcd-cert-alerts-metrics-signer.adoc b/modules/etcd-cert-alerts-metrics-signer.adoc
new file mode 100644
index 000000000000..cc5135bf87a2
--- /dev/null
+++ b/modules/etcd-cert-alerts-metrics-signer.adoc
@@ -0,0 +1,27 @@
+// Module included in the following assemblies:
+//
+// * security/certificate_types_descriptions/etcd-certificates.adoc
+
+:_mod-docs-content-type: CONCEPT    
+[id="etcd-cert-alerts-metrics-signer_{context}"]
+= etcd certificate rotation alerts and metrics signer certificates
+
+Two alert types inform users about pending `etcd` certificate expiration:
+[horizontal]
+`etcdSignerCAExpirationWarning`:: Occurs 730 days until the signer expires.
+`etcdSignerCAExpirationCritical`:: Occurs 365 days until the signer expires.
+
+You can rotate the certificate for the following reasons:
+
+* You receive an expiration alert.
+* The private key is leaked.
+
+[IMPORTANT]
+====
+When a private key is leaked, you must rotate all of the certificates.
+====
+
+There is an `etcd` signer for the {product-title} metrics system. Substitute the following metrics parameters in _Rotating the etcd certificate_.
+
+* `etcd-metric-signer` instead of `etcd-signer`
+* `etcd-metrics-ca-bundle` instead of `etcd-ca-bundle`
\ No newline at end of file
diff --git a/modules/etcd-creating-automated-backups.adoc b/modules/etcd-creating-automated-backups.adoc
index 5576bf54cd2a..cde0e2210c05 100644
--- a/modules/etcd-creating-automated-backups.adoc
+++ b/modules/etcd-creating-automated-backups.adoc
@@ -11,9 +11,6 @@ The automated backup feature for etcd supports both recurring and single backups
 :FeatureName: Automating etcd backups
 include::snippets/technology-preview.adoc[]
 
-[id="enabling-automated-etcd-backups_{context}"]
-== Enabling automated etcd backups
-
 Follow these steps to enable automated backups for etcd.
 
 [WARNING]
@@ -59,298 +56,4 @@ $ oc get crd | grep backup
 ----
 backups.config.openshift.io 2023-10-25T13:32:43Z
 etcdbackups.operator.openshift.io 2023-10-25T13:32:04Z
-----
-
-[id="creating-single-etcd-backup_{context}"]
-== Creating a single etcd backup
-
-Follow these steps to create a single etcd backup by creating and applying a custom resource (CR).
-
-.Prerequisites
-
-* You have access to the cluster as a user with the `cluster-admin` role.
-* You have access to the OpenShift CLI (`oc`).
-* You have a PVC to save backup data to.
-
-.Procedure
-
-. Create a CR file named `etcd-single-backup.yaml` with contents such as the following example:
-+
-[source,yaml]
-----
-apiVersion: operator.openshift.io/v1alpha1
-kind: EtcdBackup
-metadata:
-  name: etcd-single-backup
-  namespace: openshift-etcd
-spec:
-  pvcName: etcd-backup-pvc <1>
-----
-<1> The name of the persistent volume claim (PVC) to save the backup to. Adjust this value according to your environment.
-
-. Apply the CR to start a single backup:
-+
-[source,terminal]
-----
-$ oc apply -f etcd-single-backup.yaml
-----
-
-[id="creating-recurring-etcd-backups_{context}"]
-== Creating recurring etcd backups
-
-Follow these steps to create automated recurring backups of etcd.
-
-Use dynamically-provisioned storage to keep the created etcd backup data in a safe, external location if possible. If dynamically-provisioned storage is not available, consider storing the backup data on an NFS share to make backup recovery more accessible.
-
-.Prerequisites
-
-* You have access to the cluster as a user with the `cluster-admin` role.
-* You have access to the OpenShift CLI (`oc`).
-
-.Procedure
-
-. If dynamically-provisioned storage is available, complete the following steps to create automated recurring backups:
-
-.. Create a persistent volume claim (PVC) named `etcd-backup-pvc.yaml` with contents such as the following example:
-+
-[source,yaml]
-----
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
-  name: etcd-backup-pvc
-  namespace: openshift-etcd
-spec:
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 200Gi <1>
-  storageClassName: standard-csi <2>
-  volumeMode: Filesystem
-----
-<1> The amount of storage available to the PVC. Adjust this value for your requirements.
-<2> The name of the `StorageClass` required by the claim. Adjust this value according to your environment.
-+
-[NOTE]
-====
-Each of the following providers require changes to the `accessModes` and `storageClassName` keys:
-
-[cols="1,1,1"]
-|===
-|Provider|`accessModes` value|`storageClassName` value
-
-|AWS with the `versioned-installer-efc_operator-ci` profile
-|`- ReadWriteMany`
-|`efs-sc`
-
-|Google Cloud Platform
-|`- ReadWriteMany`
-|`filestore-csi`
-
-|Microsoft Azure
-|`- ReadWriteMany`
-|`azurefile-csi`
-|===
-====
-
-.. Apply the PVC by running the following command:
-+
-[source,terminal]
-----
-$ oc apply -f etcd-backup-pvc.yaml
-----
-
-.. Verify the creation of the PVC by running the following command:
-+
-[source,terminal]
-----
-$ oc get pvc
-----
-+
-.Example output
-[source,terminal]
-----
-NAME              STATUS    VOLUME   CAPACITY   ACCESS MODES   STORAGECLASS   AGE
-etcd-backup-pvc   Pending                                      standard-csi   51s
-----
-+
-[NOTE]
-====
-Dynamic PVCs stay in the `Pending` state until they are mounted.
-====
-
-. If dynamically-provisioned storage is unavailable, create a local storage PVC by completing the following steps:
-+
-[WARNING]
-====
-If you delete or otherwise lose access to the node that contains the stored backup data, you can lose data.
-====
-
-.. Create a `StorageClass` CR file named `etcd-backup-local-storage.yaml` with the following contents:
-+
-[source,yaml]
-----
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
-  name: etcd-backup-local-storage
-provisioner: kubernetes.io/no-provisioner
-volumeBindingMode: WaitForFirstConsumer
-----
-
-.. Apply the `StorageClass` CR by running the following command:
-+
-[source,terminal]
-----
-$ oc apply -f etcd-backup-local-storage.yaml
-----
-
-.. Create a PV named `etcd-backup-pv-fs.yaml` from the applied `StorageClass` with content such as the following example:
-+
-[source,yaml]
-----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: etcd-backup-pv-fs
-spec:
-  capacity:
-    storage: 100Gi <1>
-  volumeMode: Filesystem
-  accessModes:
-  - ReadWriteMany
-  persistentVolumeReclaimPolicy: Delete
-  storageClassName: local-storage
-  local:
-    path: /mnt/
-  nodeAffinity:
-    required:
-      nodeSelectorTerms:
-      - matchExpressions:
-        - key: kubernetes.io/hostname
-          operator: In
-          values:
-          - <example-master-node> <2>
-----
-<1> The amount of storage available to the PV. Adjust this value for your requirements.
-<2> Replace this value with the node to attach this PV to.
-+
-[TIP]
-====
-Run the following command to list the available nodes:
-
-[source,terminal]
-----
-$ oc get nodes
-----
-====
-
-.. Verify the creation of the PV by running the following command:
-+
-[source,terminal]
-----
-$ oc get pv
-----
-+
-.Example output
-[source,terminal]
-----
-NAME                    CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS      CLAIM   STORAGECLASS    REASON   AGE
-etcd-backup-pv-fs       100Gi      RWX            Delete           Available           local-storage            10s
-----
-
-.. Create a PVC named `etcd-backup-pvc.yaml` with contents such as the following example:
-+
-[source,yaml]
-----
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
-  name: etcd-backup-pvc
-spec:
-  accessModes:
-  - ReadWriteMany
-  volumeMode: Filesystem
-  resources:
-    requests:
-      storage: 10Gi <1>
-  storageClassName: local-storage
-----
-<1> The amount of storage available to the PVC. Adjust this value for your requirements.
-
-.. Apply the PVC by running the following command:
-+
-[source,terminal]
-----
-$ oc apply -f etcd-backup-pvc.yaml
-----
-
-. Create a custom resource definition (CRD) file named `etcd-recurring-backups.yaml`. The contents of the created CRD define the schedule and retention type of automated backups.
-+
-For the default retention type of `RetentionNumber` with 15 retained backups, use contents such as the following example:
-+
-[source,yaml]
-----
-apiVersion: config.openshift.io/v1alpha1
-kind: Backup
-metadata:
-  name: etcd-recurring-backup
-spec:
-  etcd:
-    schedule: "20 4 * * *" <1>
-    timeZone: "UTC"
-    pvcName: etcd-backup-pvc
-----
-<1> The `CronTab` schedule for recurring backups. Adjust this value for your needs.
-+
-To use retention based on the maximum number of backups, add the following key-value pairs to the `etcd` key:
-+
-[source,yaml]
-----
-spec:
-  etcd:
-    retentionPolicy:
-      retentionType: RetentionNumber <1>
-      retentionNumber:
-        maxNumberOfBackups: 5 <2>
-----
-<1> The retention type. Defaults to `RetentionNumber` if unspecified.
-<2> The maximum number of backups to retain. Adjust this value for your needs. Defaults to 15 backups if unspecified.
-+
-[WARNING]
-====
-A known issue causes the number of retained backups to be one greater than the configured value.
-====
-+
-For retention based on the file size of backups, use the following:
-+
-[source,yaml]
-----
-spec:
-  etcd:
-    retentionPolicy:
-      retentionType: RetentionSize
-      retentionSize:
-        maxSizeOfBackupsGb: 20 <1>
-----
-<1> The maximum file size of the retained backups in gigabytes. Adjust this value for your needs. Defaults to 10 GB if unspecified.
-+
-[WARNING]
-====
-A known issue causes the maximum size of retained backups to be up to 10 GB greater than the configured value.
-====
-
-. Create the cron job defined by the CRD by running the following command:
-+
-[source,terminal]
-----
-$ oc create -f etcd-recurring-backup.yaml
-----
-
-. To find the created cron job, run the following command:
-+
-[source,terminal]
-----
-$ oc get cronjob -n openshift-etcd
-----
+----
\ No newline at end of file
diff --git a/modules/etcd-increase-db.adoc b/modules/etcd-increase-db.adoc
new file mode 100644
index 000000000000..7d2f39563a34
--- /dev/null
+++ b/modules/etcd-increase-db.adoc
@@ -0,0 +1,195 @@
+// Module included in the following assemblies:
+//
+// * scalability_and_performance/recommended-performance-scale-practices/recommended-etcd-practices.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="etcd-increase-db_{context}"]
+= Increasing the database size for etcd
+
+You can set the disk quota in gibibytes (GiB) for each etcd instance. If you set a disk quota for your etcd instance, you can specify integer values from 8 to 32. The default value is 8. You can specify only increasing values.
+
+You might want to increase the disk quota if you encounter a `low space` alert. This alert indicates that the cluster is too large to fit in etcd despite automatic compaction and defragmentation. If you see this alert, you need to increase the disk quota immediately because after etcd runs out of space, writes fail.
+
+Another scenario where you might want to increase the disk quota is if you encounter an `excessive database growth` alert. This alert is a warning that the database might grow too large in the next four hours. In this scenario, consider increasing the disk quota so that you do not eventually encounter a `low space` alert and possible write fails. 
+
+If you increase the disk quota, the disk space that you specify is not immediately reserved. Instead, etcd can grow to that size if needed. Ensure that etcd is running on a dedicated disk that is larger than the value that you specify for the disk quota. 
+
+For large etcd databases, the control plane nodes must have additional memory and storage. Because you must account for the API server cache, the minimum memory required is at least three times the configured size of the etcd database.
+
+:FeatureName: Increasing the database size for etcd
+include::snippets/technology-preview.adoc[]
+
+[id="etcd-change-db-size_{context}"]
+== Changing the etcd database size
+
+To change the database size for etcd, complete the following steps.
+
+.Procedure
+
+. Check the current value of the disk quota for each etcd instance by entering the following command:
++
+[source,terminal]
+----
+$ oc describe etcd/cluster | grep "Backend Quota"
+----
++
+.Example output
+[source,terminal]
+----
+Backend Quota Gi B: <value>
+----
+
+. Change the value of the disk quota by entering the following command:
++
+[source,terminal]
+----
+$ oc patch etcd/cluster --type=merge -p '{"spec": {"backendQuotaGiB": <value>}}'
+----
++
+.Example output
+[source,terminal]
+----
+etcd.operator.openshift.io/cluster patched
+----
+
+.Verification
+
+. Verify that the new value for the disk quota is set by entering the following command:
++
+[source,terminal]
+----
+$ oc describe etcd/cluster | grep "Backend Quota"
+----
++
+The etcd Operator automatically rolls out the etcd instances with the new values. 
+
+. Verify that the etcd pods are up and running by entering the following command:
++
+[source,terminal]
+----
+oc get pods -n openshift-etcd
+----
++
+The following output shows the expected entries.
++
+.Example output
+[source,terminal]
+----
+NAME                                                   READY   STATUS      RESTARTS   AGE
+etcd-ci-ln-b6kfsw2-72292-mzwbq-master-0                4/4     Running     0          39m
+etcd-ci-ln-b6kfsw2-72292-mzwbq-master-1                4/4     Running     0          37m
+etcd-ci-ln-b6kfsw2-72292-mzwbq-master-2                4/4     Running     0          41m
+etcd-guard-ci-ln-b6kfsw2-72292-mzwbq-master-0          1/1     Running     0          51m
+etcd-guard-ci-ln-b6kfsw2-72292-mzwbq-master-1          1/1     Running     0          49m
+etcd-guard-ci-ln-b6kfsw2-72292-mzwbq-master-2          1/1     Running     0          54m
+installer-5-ci-ln-b6kfsw2-72292-mzwbq-master-1         0/1     Completed   0          51m
+installer-7-ci-ln-b6kfsw2-72292-mzwbq-master-0         0/1     Completed   0          46m
+installer-7-ci-ln-b6kfsw2-72292-mzwbq-master-1         0/1     Completed   0          44m
+installer-7-ci-ln-b6kfsw2-72292-mzwbq-master-2         0/1     Completed   0          49m
+installer-8-ci-ln-b6kfsw2-72292-mzwbq-master-0         0/1     Completed   0          40m
+installer-8-ci-ln-b6kfsw2-72292-mzwbq-master-1         0/1     Completed   0          38m
+installer-8-ci-ln-b6kfsw2-72292-mzwbq-master-2         0/1     Completed   0          42m
+revision-pruner-7-ci-ln-b6kfsw2-72292-mzwbq-master-0   0/1     Completed   0          43m
+revision-pruner-7-ci-ln-b6kfsw2-72292-mzwbq-master-1   0/1     Completed   0          43m
+revision-pruner-7-ci-ln-b6kfsw2-72292-mzwbq-master-2   0/1     Completed   0          43m
+revision-pruner-8-ci-ln-b6kfsw2-72292-mzwbq-master-0   0/1     Completed   0          42m
+revision-pruner-8-ci-ln-b6kfsw2-72292-mzwbq-master-1   0/1     Completed   0          42m
+revision-pruner-8-ci-ln-b6kfsw2-72292-mzwbq-master-2   0/1     Completed   0          42m
+----
+
+. Verify that the disk quota value is updated for the etcd pod by entering the following command:
++
+[source,terminal]
+----
+$ oc describe -n openshift-etcd pod/<etcd_podname> | grep "ETCD_QUOTA_BACKEND_BYTES"
+----
++
+The value might not have changed from the default value of `8`. 
++
+.Example output
+[source,terminal]
+----
+ETCD_QUOTA_BACKEND_BYTES:                               8589934592
+----
++
+[NOTE]
+=====
+While the value that you set is an integer in GiB, the value shown in the output is converted to bytes.
+=====
+
+
+[id="etcd-change-db-size-troubleshooting_{context}"]
+== Troubleshooting
+
+If you encounter issues when you try to increase the database size for etcd, the following troubleshooting steps might help.
+
+[id="etcd-troubleshoot-small-value_{context}"]
+=== Value is too small
+
+If the value that you specify is less than `8`, you see the following error message:
+
+[source,terminal]
+----
+$ oc patch etcd/cluster --type=merge -p '{"spec": {"backendQuotaGiB": 5}}'
+----
+
+.Example error message
+[source,terminal]
+----
+The Etcd "cluster" is invalid: 
+* spec.backendQuotaGiB: Invalid value: 5: spec.backendQuotaGiB in body should be greater than or equal to 8
+* spec.backendQuotaGiB: Invalid value: "integer": etcd backendQuotaGiB may not be decreased
+----
+
+To resolve this issue, specify an integer between `8` and `32`.
+
+[id="etcd-troubleshoot-large-value_{context}"]
+=== Value is too large
+
+If the value that you specify is greater than `32`, you see the following error message:
+
+[source,terminal]
+----
+$ oc patch etcd/cluster --type=merge -p '{"spec": {"backendQuotaGiB": 64}}'
+----
+
+.Example error message
+[source,terminal]
+----
+The Etcd "cluster" is invalid: spec.backendQuotaGiB: Invalid value: 64: spec.backendQuotaGiB in body should be less than or equal to 32
+----
+
+To resolve this issue, specify an integer between `8` and `32`.
+
+[id="etcd-troubleshoot-decreasing-value_{context}"]
+=== Value is decreasing
+
+If the value is set to a valid value between `8` and `32`, you cannot decrease the value. Otherwise, you see an error message.
+
+. Check to see the current value by entering the following command:
++
+[source,terminal]
+----
+$ oc describe etcd/cluster | grep "Backend Quota"
+----
++
+.Example output
+[source,terminal]
+----
+Backend Quota Gi B: 10
+----
+
+. Decrease the disk quota value by entering the following command:
++
+[source,terminal]
+----
+$ oc patch etcd/cluster --type=merge -p '{"spec": {"backendQuotaGiB": 8}}'
+----
++
+.Example error message
+[source,terminal]
+----
+The Etcd "cluster" is invalid: spec.backendQuotaGiB: Invalid value: "integer": etcd backendQuotaGiB may not be decreased
+----
+
+. To resolve this issue, specify an integer greater than `10`.
\ No newline at end of file
diff --git a/modules/graceful-shutdown.adoc b/modules/graceful-shutdown.adoc
index 7e7f7a77c857..a35438b2a4cc 100644
--- a/modules/graceful-shutdown.adoc
+++ b/modules/graceful-shutdown.adoc
@@ -62,7 +62,7 @@ node/ci-ln-mgdnf4b-72292-n547t-worker-c-vcmtn cordoned
 [source,terminal]
 +
 ----
-$ for node in $(oc get nodes -l node-role.kubernetes.io/worker -o jsonpath='{.items[*].metadata.name}'); do echo ${node} ; oc adm drain ${node} --delete-emptydir-data --ignore-daemonsets=true --timeout=15s ; done
+$ for node in $(oc get nodes -l node-role.kubernetes.io/worker -o jsonpath='{.items[*].metadata.name}'); do echo ${node} ; oc adm drain ${node} --delete-emptydir-data --ignore-daemonsets=true --timeout=15s --force ; done
 ----
 
 . Shut down all of the nodes in the cluster. You can do this from your cloud provider’s web console, or by running the following loop:
@@ -107,4 +107,4 @@ Cluster administrators are responsible for ensuring a clean restart of their own
 [IMPORTANT]
 ====
 If you deployed your cluster on a cloud-provider platform, do not shut down, suspend, or delete the associated cloud resources. If you delete the cloud resources of a suspended virtual machine, {product-title} might not restore successfully.
-====
\ No newline at end of file
+====
diff --git a/modules/hosted-control-planes-overview.adoc b/modules/hosted-control-planes-overview.adoc
index 515e5c1501b0..51ebbe3675ef 100644
--- a/modules/hosted-control-planes-overview.adoc
+++ b/modules/hosted-control-planes-overview.adoc
@@ -13,7 +13,7 @@ You can use {hcp} for Red Hat {product-title} to reduce management costs, optimi
 {hcp-capital} is available by using the link:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.9/html/clusters/cluster_mce_overview#cluster_mce_overview[{mce} version 2.0 or later] on the following platforms:
 
 * Bare metal by using the Agent provider
-* {VirtProductName}
+* {VirtProductName}, as a Generally Available feature in connected environments and a Technology Preview feature in disconnected environments
 * {aws-first}, as a Technology Preview feature
 * {ibm-z-title}, as a Technology Preview feature
 * {ibm-power-title}, as a Technology Preview feature
diff --git a/modules/hosted-control-planes-version-support.adoc b/modules/hosted-control-planes-version-support.adoc
index 28be2770a07a..313cecfb66f7 100644
--- a/modules/hosted-control-planes-version-support.adoc
+++ b/modules/hosted-control-planes-version-support.adoc
@@ -22,7 +22,7 @@ You can host different versions of control planes on the same management cluster
 ----
     apiVersion: v1
     data:
-      supported-versions: '{"versions":["4.15"]}'
+      supported-versions: '{"versions":["4.16"]}'
     kind: ConfigMap
     metadata:
       labels:
diff --git a/modules/hosted-restart-hcp-components.adoc b/modules/hosted-restart-hcp-components.adoc
new file mode 100644
index 000000000000..47cd41537c8e
--- /dev/null
+++ b/modules/hosted-restart-hcp-components.adoc
@@ -0,0 +1,50 @@
+// Module included in the following assembly:
+//
+// * hosted_control_planes/index.adoc
+
+:_content-type: PROCEDURE
+[id="hosted-restart-hcp-components_{context}"]
+= Restarting hosted control plane components
+
+If you are an administrator for hosted control planes, you can use the `hypershift.openshift.io/restart-date` annotation to restart all control plane components for a particular `HostedCluster` resource. For example, you might need to restart control plane components for certificate rotation.
+
+.Procedure
+
+To restart a control plane, annotate the `HostedCluster` resource by entering the following command:
+
+[source,terminal]
+----
+$ oc annotate hostedcluster -n <hosted_cluster_namespace> <hosted_cluster_name> hypershift.openshift.io/restart-date=$(date --iso-8601=seconds)
+----
+
+.Verification
+
+The control plane is restarted whenever the value of the anonotation changes. The `date` command in the example serves as the source of a unique string. The annotation is treated as a string, not a timestamp.
+
+The following components are restarted:
+
+* catalog-operator
+* certified-operators-catalog
+* cluster-api
+* cluster-autoscaler
+* cluster-policy-controller
+* cluster-version-operator
+* community-operators-catalog
+* control-plane-operator
+* hosted-cluster-config-operator
+* ignition-server
+* ingress-operator
+* konnectivity-agent
+* konnectivity-server
+* kube-apiserver
+* kube-controller-manager
+* kube-scheduler
+* machine-approver
+* oauth-openshift
+* olm-operator
+* openshift-apiserver
+* openshift-controller-manager
+* openshift-oauth-apiserver
+* packageserver
+* redhat-marketplace-catalog
+* redhat-operators-catalog
\ No newline at end of file
diff --git a/modules/how-the-live-migration-process-works.adoc b/modules/how-the-live-migration-process-works.adoc
new file mode 100644
index 000000000000..d42ab25bc952
--- /dev/null
+++ b/modules/how-the-live-migration-process-works.adoc
@@ -0,0 +1,54 @@
+// Module included in the following assemblies:
+//
+// * networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn.adoc
+
+ifeval::["{context}" == "migrate-to-openshift-sdn"]
+:sdn: OpenShift SDN
+:previous-sdn: OVN-Kubernetes
+:type: OpenShiftSDN
+endif::[]
+ifeval::["{context}" == "migrate-from-openshift-sdn"]
+:sdn: OVN-Kubernetes
+:previous-sdn: OpenShift SDN
+:type: OVNKubernetes
+endif::[]
+
+[id="how-the-live-migration-process-works_{context}"]
+= How the live migration process works
+
+The following table summarizes the live migration process by segmenting between the user-initiated steps in the process and the actions that the migration script performs in response.
+
+.Live migration to OVNKubernetes from OpenShiftSDN
+[cols="1,1a",options="header"]
+|===
+|User-initiated steps|Migration activity
+ifdef::openshift-rosa,openshift-dedicated[]
+| Add the `unsupported-red-hat-internal-testing` annotation to the cluster-level network configuration. 
+| The Cluster Network Operator (CNO) acknowledges the unsupported testing environment.
+endif::[]
+
+| Patch the cluster-level networking configuration by changing the `networkType` from `OpenShiftSDN` to `OVNKubernetes`.
+| 
+Cluster Network Operator (CNO)::
++
+--
+* Sets migration related fields in the `network.operator` custom resource (CR) and waits for routable MTUs to be applied to all nodes.
+* Patches the `network.operator` CR to set the migration mode to `Live` for OVN-Kubernetes and deploys the OpenShift SDN network plugin in migration mode.
+* Deploys OVN-Kubernetes with hybrid overlay enabled, ensuring that no racing conditions occur.
+* Waits for the OVN-Kubernetes deployment and updates the conditions in the status of the `network.config` CR.
+* Triggers the Machine Config Operator (MCO) to apply the new machine config to each machine config pool, which includes node cordoning, draining, and rebooting.
+* OVN-Kubernetes adds nodes to the appropriate zones and recreates pods using OVN-Kubernetes as the default CNI plugin.
+* Removes migration-related fields from the network.operator CR and performs cleanup actions, such as deleting OpenShift SDN resources and redeploying OVN-Kubernetes in normal mode with the necessary configurations.
+* Waits for the OVN-Kubernetes redeployment and updates the status conditions in the `network.config` CR to indicate migration completion. If your migration is blocked, see "Checking limited live migration metrics" for information on troubleshooting the issue.
+--
+|===
+
+ifdef::sdn[]
+:!sdn:
+endif::[]
+ifdef::previous-sdn[]
+:!previous-sdn:
+endif::[]
+ifdef::type[]
+:!type:
+endif::[]
diff --git a/modules/infrastructure-components.adoc b/modules/infrastructure-components.adoc
index 36da526a83cc..a02791fa932a 100644
--- a/modules/infrastructure-components.adoc
+++ b/modules/infrastructure-components.adoc
@@ -18,7 +18,7 @@ To qualify as an infrastructure node and use the included entitlement, only comp
 * Cluster aggregated logging
 * Red Hat Quay
 * {rh-storage-first}
-* Red Hat Advanced Cluster Manager
+* Red Hat Advanced Cluster Management for Kubernetes
 * Red Hat Advanced Cluster Security for Kubernetes
 * Red Hat OpenShift GitOps
 * Red Hat OpenShift Pipelines
diff --git a/modules/infrastructure-moving-monitoring.adoc b/modules/infrastructure-moving-monitoring.adoc
index c1852ae07167..a75076cc8795 100644
--- a/modules/infrastructure-moving-monitoring.adoc
+++ b/modules/infrastructure-moving-monitoring.adoc
@@ -57,7 +57,7 @@ data:
       - key: node-role.kubernetes.io/infra
         value: reserved
         effect: NoExecute
-    k8sPrometheusAdapter:
+    metricsServer:
       nodeSelector:
         node-role.kubernetes.io/infra: ""
       tolerations:
diff --git a/modules/ingress-operator.adoc b/modules/ingress-operator.adoc
index 595f04371018..4ce1f0ca6063 100644
--- a/modules/ingress-operator.adoc
+++ b/modules/ingress-operator.adoc
@@ -1,13 +1,30 @@
 // Module included in the following assemblies:
 //
 // * operators/operator-reference.adoc
+// * installing/cluster-capabilities.adoc
 
+ifeval::["{context}" == "cluster-capabilities"]
+:cluster-caps:
+endif::[]
+
+ifeval::["{context}" == "cluster-operators-ref"]
+:operator-ref:
+endif::[]
+
+:_mod-docs-content-type: REFERENCE
 [id="ingress-operator_{context}"]
-= Ingress Operator
+ifdef::operator-ref[= Ingress Operator]
+ifdef::cluster-caps[= Ingress Capability]
 
 [discrete]
 == Purpose
 
+ifdef::cluster-caps[]
+
+The Ingress Operator provides the features for the `Ingress` capability.
+
+endif::cluster-caps[]
+
 The Ingress Operator configures and manages the {product-title} router.
 
 [discrete]
@@ -60,3 +77,11 @@ $ oc get network/cluster -o jsonpath='{.status.clusterNetwork[*]}'
 ----
 map[cidr:10.128.0.0/14 hostPrefix:23]
 ----
+
+ifeval::["{context}" == "cluster-operators-ref"]
+:!operator-ref:
+endif::[]
+
+ifeval::["{context}" == "cluster-caps"]
+:!cluster-caps:
+endif::[]
\ No newline at end of file
diff --git a/modules/insights-operator-one-time-gather.adoc b/modules/insights-operator-one-time-gather.adoc
index e25ef62f76af..83132586135b 100644
--- a/modules/insights-operator-one-time-gather.adoc
+++ b/modules/insights-operator-one-time-gather.adoc
@@ -20,7 +20,7 @@ You must run a gather operation to create an Insights Operator archive.
 +
 [source,yaml]
 ----
-include::https://raw.githubusercontent.com/openshift/insights-operator/release-4.15/docs/gather-job.yaml[]
+include::https://raw.githubusercontent.com/openshift/insights-operator/release-4.16/docs/gather-job.yaml[]
 ----
 . Copy your `insights-operator` image version:
 +
diff --git a/modules/install-and-configure-oadp-kubevirt.adoc b/modules/install-and-configure-oadp-kubevirt.adoc
index 353bf7f2385d..cd1f319aaa56 100644
--- a/modules/install-and-configure-oadp-kubevirt.adoc
+++ b/modules/install-and-configure-oadp-kubevirt.adoc
@@ -8,7 +8,7 @@
 
 As a cluster administrator, you install {oadp-short} by installing the {oadp-short} Operator.
 
-The Operator installs link:https://velero.io/docs/v{velero-version}[Velero {velero-version}].
+The latest version of the {oadp-short} Operator installs link:https://velero.io/docs/v{velero-version}[Velero {velero-version}].
 
 .Prerequisites
 
diff --git a/modules/install-sno-ibm-z-kvm.adoc b/modules/install-sno-ibm-z-kvm.adoc
index 53457c44a6fb..9dd6cee933fc 100644
--- a/modules/install-sno-ibm-z-kvm.adoc
+++ b/modules/install-sno-ibm-z-kvm.adoc
@@ -19,7 +19,7 @@
 $ OCP_VERSION=<ocp_version> <1>
 ----
 +
-<1> Replace `<ocp_version>` with the current version, for example, `latest-{product-version}`
+<1> Replace `<ocp_version>` with the current version. For example, `latest-{product-version}`.
 
 . Set the host architecture by running the following command:
 +
diff --git a/modules/install-sno-ibm-z-lpar.adoc b/modules/install-sno-ibm-z-lpar.adoc
new file mode 100644
index 000000000000..e5ac545a339a
--- /dev/null
+++ b/modules/install-sno-ibm-z-lpar.adoc
@@ -0,0 +1,226 @@
+// This is included in the following assemblies:
+//
+// installing_sno/install-sno-installing-sno.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="installing-sno-on-ibm-z-lpar_{context}"]
+= Installing {sno} in an LPAR on {ibm-z-title} and {ibm-linuxone-title}
+
+.Prerequisites
+
+* If you are deploying a single-node cluster there are zero compute nodes, the Ingress Controller pods run on the control plane nodes. In single-node cluster deployments, you must configure your application ingress load balancer to route HTTP and HTTPS traffic to the control plane nodes. See the _Load balancing requirements for user-provisioned infrastructure_ section for more information.
+
+.Procedure
+
+. Set the {product-title} version by running the following command:
++
+[source,terminal]
+----
+$ OCP_VERSION=<ocp_version> <1>
+----
++
+<1> Replace `<ocp_version>` with the current version. For example, `latest-{product-version}`.
+
+. Set the host architecture by running the following command:
++
+[source,terminal]
+----
+$ ARCH=<architecture> <1>
+----
+<1> Replace `<architecture>` with the target host architecture `s390x`.
+
+. Download the {product-title} client (`oc`) and make it available for use by entering the following commands:
++
+[source,terminal]
+----
+$ curl -k https://mirror.openshift.com/pub/openshift-v4/${ARCH}/clients/ocp/${OCP_VERSION}/openshift-client-linux.tar.gz -o oc.tar.gz
+----
++
+[source,terminal]
+----
+$ tar zxvf oc.tar.gz
+----
++
+[source,terminal]
+----
+$ chmod +x oc
+----
+
+. Download the {product-title} installer and make it available for use by entering the following commands:
++
+[source,terminal]
+----
+$ curl -k https://mirror.openshift.com/pub/openshift-v4/${ARCH}/clients/ocp/${OCP_VERSION}/openshift-install-linux.tar.gz -o openshift-install-linux.tar.gz
+----
++
+[source,terminal]
+----
+$ tar zxvf openshift-install-linux.tar.gz
+----
++
+[source,terminal]
+----
+$ chmod +x openshift-install
+----
+
+. Prepare the `install-config.yaml` file:
++
+[source,yaml]
+----
+apiVersion: v1
+baseDomain: <domain> <1>
+compute:
+- name: worker
+  replicas: 0 <2>
+controlPlane:
+  name: master
+  replicas: 1 <3>
+metadata:
+  name: <name> <4>
+networking: <5>
+  clusterNetwork:
+  - cidr: 10.128.0.0/14
+    hostPrefix: 23
+  machineNetwork:
+  - cidr: 10.0.0.0/16 <6>
+  networkType: OVNKubernetes
+  serviceNetwork:
+  - 172.30.0.0/16
+platform:
+  none: {}
+pullSecret: '<pull_secret>' <7>
+sshKey: |
+  <ssh_key> <8>
+----
+<1> Add the cluster domain name.
+<2> Set the `compute` replicas to `0`. This makes the control plane node schedulable.
+<3> Set the `controlPlane` replicas to `1`. In conjunction with the previous `compute` setting, this setting ensures the cluster runs on a single node.
+<4> Set the `metadata` name to the cluster name.
+<5> Set the `networking` details. OVN-Kubernetes is the only allowed network plugin type for single-node clusters.
+<6> Set the `cidr` value to match the subnet of the {sno} cluster.
+<7> Copy the {cluster-manager-url-pull} and add the contents to this configuration setting.
+<8> Add the public SSH key from the administration host so that you can log in to the cluster after installation.
+
+. Generate {product-title} assets by running the following commands:
++
+[source,terminal]
+----
+$ mkdir ocp
+----
++
+[source,terminal]
+----
+$ cp install-config.yaml ocp
+----
+
+. Change to the directory that contains the {product-title} installation program and generate the Kubernetes manifests for the cluster:
++
+[source,terminal]
+----
+$ ./openshift-install create manifests --dir <installation_directory> <1>
+----
++
+<1> For `<installation_directory>`, specify the installation directory that contains the `install-config.yaml` file you created.
+
+. Check that the `mastersSchedulable` parameter in the `<installation_directory>/manifests/cluster-scheduler-02-config.yml` Kubernetes manifest file is set to `true`.
++
+--
+.. Open the `<installation_directory>/manifests/cluster-scheduler-02-config.yml` file.
+.. Locate the `mastersSchedulable` parameter and ensure that it is set to `true` as shown in the following `spec` stanza:
++
+[source,yaml]
+----
+spec:
+  mastersSchedulable: true
+status: {}
+----
+.. Save and exit the file.
+--
+
+. Create the Ignition configuration files by running the following command from the directory that contains the installation program:
++
+[source,terminal]
+----
+$ ./openshift-install create ignition-configs --dir <installation_directory> <1>
+----
+<1> For `<installation_directory>`, specify the same installation directory.
+
+. Obtain the {op-system-base} `kernel`, `initramfs`, and `rootfs`  artifacts from the link:https://access.redhat.com/downloads/content/290[Product Downloads] page on the Red Hat Customer Portal or from the link:https://mirror.openshift.com/pub/openshift-v4/s390x/dependencies/rhcos/latest/[{op-system} image mirror] page.
++
+[IMPORTANT]
+====
+The {op-system} images might not change with every release of {product-title}. You must download images with the highest version that is less than or equal to the {product-title} version that you install. Only use the appropriate `kernel`, `initramfs`, and `rootfs` artifacts described in the following procedure.
+====
++
+The file names contain the {product-title} version number. They resemble the following examples:
++
+`kernel`:: `rhcos-<version>-live-kernel-<architecture>`
+`initramfs`:: `rhcos-<version>-live-initramfs.<architecture>.img`
+`rootfs`:: `rhcos-<version>-live-rootfs.<architecture>.img`
++
+[NOTE]
+====
+The `rootfs` image is the same for FCP and DASD.
+====
+
+. Move the following artifacts and files to an HTTP or HTTPS server:
+
+** Downloaded {op-system-base} live `kernel`, `initramfs`, and `rootfs` artifacts
+** Ignition files
+
+. Create a parameter file for the bootstrap in an LPAR:
++
+.Example parameter file for the bootstrap machine
++
+[source,terminal]
+----
+cio_ignore=all,!condev rd.neednet=1 \
+console=ttysclp0 \
+coreos.inst.install_dev=/dev/<block_device> \// <1>
+coreos.inst.ignition_url=http://<http_server>/bootstrap.ign \// <2>
+coreos.live.rootfs_url=http://<http_server>/rhcos-<version>-live-rootfs.<architecture>.img \// <3>
+ip=<ip>::<gateway>:<netmask>:<hostname>::none nameserver=<dns> \// <4>
+rd.znet=qeth,0.0.1140,0.0.1141,0.0.1142,layer2=1,portno=0 \
+rd.dasd=0.0.4411 \// <5>
+rd.zfcp=0.0.8001,0x50050763040051e3,0x4000406300000000 \// <6>
+zfcp.allow_lun_scan=0
+----
+<1> Specify the block device on the system to install to. For installations on DASD-type disk use `dasda`, for installations on FCP-type disks use `sda`.
+<2> Specify the location of the `bootstrap.ign` config file. Only HTTP and HTTPS protocols are supported.
+<3> For the `coreos.live.rootfs_url=` artifact, specify the matching `rootfs` artifact for the `kernel`and `initramfs` you are booting. Only HTTP and HTTPS protocols are supported.
+<4> For the `ip=` parameter, assign the IP address manually as described in "Installing a cluster in an LPAR on {ibm-z-name} and {ibm-linuxone-name}".
+<5> For installations on DASD-type disks, use `rd.dasd=` to specify the DASD where {op-system} is to be installed. Omit this entry for FCP-type disks.
+<6> For installations on FCP-type disks, use `rd.zfcp=<adapter>,<wwpn>,<lun>` to specify the FCP disk where {op-system} is to be installed. Omit this entry for DASD-type disks.
++
+You can adjust further parameters if required.
+
+. Create a parameter file for the control plane in an LPAR:
++
+.Example parameter file for the control plane machine
++
+[source,terminal]
+----
+cio_ignore=all,!condev rd.neednet=1 \
+console=ttysclp0 \
+coreos.inst.install_dev=/dev/<block_device> \
+coreos.inst.ignition_url=http://<http_server>/master.ign \// <1>
+coreos.live.rootfs_url=http://<http_server>/rhcos-<version>-live-rootfs.<architecture>.img \
+ip=<ip>::<gateway>:<netmask>:<hostname>::none nameserver=<dns> \
+rd.znet=qeth,0.0.1140,0.0.1141,0.0.1142,layer2=1,portno=0 \
+rd.dasd=0.0.4411 \
+rd.zfcp=0.0.8001,0x50050763040051e3,0x4000406300000000 \
+zfcp.allow_lun_scan=0
+----
+<1> Specify the location of the `master.ign` config file. Only HTTP and HTTPS protocols are supported.
+
+. Transfer the following artifacts, files, and images to the LPAR. For example by using FTP:
+
+** `kernel` and `initramfs` artifacts
+** Parameter files
+** {op-system} images
++
+For details about how to transfer the files with FTP and boot, see link:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/performing_a_standard_rhel_9_installation/assembly_installing-on-64-bit-ibm-z_installing-rhel#installing-in-an-lpar_installing-in-an-lpar[Installing in an LPAR].
+
+. Boot the bootstrap machine.
+
+. Boot the control plane machine.
\ No newline at end of file
diff --git a/modules/install-sno-ibm-z.adoc b/modules/install-sno-ibm-z.adoc
index 21e5be98143d..4e7e610eaa56 100644
--- a/modules/install-sno-ibm-z.adoc
+++ b/modules/install-sno-ibm-z.adoc
@@ -19,7 +19,7 @@
 $ OCP_VERSION=<ocp_version> <1>
 ----
 +
-<1> Replace `<ocp_version>` with the current version, for example, `latest-{product-version}`
+<1> Replace `<ocp_version>` with the current version. For example, `latest-{product-version}`.
 
 . Set the host architecture by running the following command:
 +
diff --git a/modules/installation-adding-registry-pull-secret.adoc b/modules/installation-adding-registry-pull-secret.adoc
index a3918c0cb846..d5a09344924b 100644
--- a/modules/installation-adding-registry-pull-secret.adoc
+++ b/modules/installation-adding-registry-pull-secret.adoc
@@ -20,12 +20,15 @@ ifeval::["{context}" == "installing-mirroring-disconnected"]
 :oc-mirror:
 endif::[]
 
+ifeval::["{context}" == "about-installing-oc-mirror-v2"]
+:oc-mirror-v2:
+endif::[]
+
 :_mod-docs-content-type: PROCEDURE
 [id="installation-adding-registry-pull-secret_{context}"]
 = Configuring credentials that allow images to be mirrored
 
-Create a container image registry credentials file that allows mirroring
-images from Red Hat to your mirror.
+Create a container image registry credentials file that enables you to mirror images from Red Hat to your mirror.
 
 ifdef::restricted[]
 [WARNING]
@@ -96,14 +99,50 @@ The contents of the file resemble the following example:
 ----
 // An additional step for following this procedure when using oc-mirror as part of the disconnected install process.
 ifdef::oc-mirror[]
-. Save the file either as `~/.docker/config.json` or `$XDG_RUNTIME_DIR/containers/auth.json`.
+. Save the file as either `~/.docker/config.json` or `$XDG_RUNTIME_DIR/containers/auth.json`:
+.. If the `.docker` or `$XDG_RUNTIME_DIR/containers` directories do not exist, create one by entering the following command:
++
+[source,terminal]
+----
+$ mkdir -p <directory_name>
+----
++
+Where `<directory_name>` is either `~/.docker` or `$XDG_RUNTIME_DIR/containers`.
+.. Copy the pull secret to the appropriate directory by entering the following command:
++
+[source,terminal]
+----
+$ cp <path>/<pull_secret_file_in_json> <directory_name>/<auth_file>
+----
++
+Where `<directory_name>` is either `~/.docker` or `$XDG_RUNTIME_DIR/containers`, and `<auth_file>` is either `config.json` or `auth.json`.
 endif::[]
 // Similar to the additional step above, except it is framed as optional because it is included in a disconnected update page (where users may or may not use oc-mirror for their process)
 ifdef::update-oc-mirror[]
-. Optional: If using the oc-mirror plugin, save the file either as `~/.docker/config.json` or `$XDG_RUNTIME_DIR/containers/auth.json`.
+. Optional: If using the oc-mirror plugin, save the file as either `~/.docker/config.json` or `$XDG_RUNTIME_DIR/containers/auth.json`:
+.. If the `.docker` or `$XDG_RUNTIME_DIR/containers` directories do not exist, create one by entering the following command:
++
+[source,terminal]
+----
+$ mkdir -p <directory_name>
+----
++
+Where `<directory_name>` is either `~/.docker` or `$XDG_RUNTIME_DIR/containers`.
+.. Copy the pull secret to the appropriate directory by entering the following command:
++
+[source,terminal]
+----
+$ cp <path>/<pull_secret_file_in_json> <directory_name>/<auth_file>
+----
++
+Where `<directory_name>` is either `~/.docker` or `$XDG_RUNTIME_DIR/containers`, and `<auth_file>` is either `config.json` or `auth.json`.
 endif::[]
+// Additional step for allowing this procedure for oc-mirror-v2
+ifdef::oc-mirror-v2[]
+. Save the file as `$XDG_RUNTIME_DIR/containers/auth.json`.
 endif::[]
-
+endif::[]
+ 
 . Generate the base64-encoded user name and password or token for your mirror registry:
 +
 [source,terminal]
@@ -142,10 +181,9 @@ ifdef::openshift-origin[]
 }
 endif::[]
 ----
-<1> For `<mirror_registry>`, specify the registry domain name, and optionally the
-port, that your mirror registry uses to serve content. For example,
+<1> Specify the registry domain name, and optionally the port, that your mirror registry uses to serve content. For example,
 `registry.example.com` or `registry.example.com:8443`
-<2> For `<credentials>`, specify the base64-encoded user name and password for
+<2> Specify the base64-encoded user name and password for
 the mirror registry.
 +
 ifndef::openshift-origin[]
@@ -205,3 +243,8 @@ ifeval::["{context}" == "installing-mirroring-disconnected"]
 :!restricted:
 :!oc-mirror:
 endif::[]
+
+ifeval::["{context}" == "about-installing-oc-mirror-v2"]
+:!oc-mirror-v2:
+endif::[]
+
diff --git a/modules/installation-alibaba-config-yaml.adoc b/modules/installation-alibaba-config-yaml.adoc
deleted file mode 100644
index b39ca28f060f..000000000000
--- a/modules/installation-alibaba-config-yaml.adoc
+++ /dev/null
@@ -1,67 +0,0 @@
-// Module included in the following assemblies:
-//
-// installing/installing_alibaba/installing-alibaba-network-customizations.adoc
-// * installing/installing_alibaba/installing-alibaba-customizations.adoc
-
-:_mod-docs-content-type: REFERENCE
-[id="installation-alibaba-config-yaml_{context}"]
-= Sample customized install-config.yaml file for Alibaba Cloud
-
-You can customize the installation configuration file (`install-config.yaml`) to specify more details about
-your cluster's platform or modify the values of the required
-parameters.
-
-[source,yaml]
-----
-apiVersion: v1
-baseDomain: alicloud-dev.devcluster.openshift.com
-credentialsMode: Manual
-compute:
-- architecture: amd64
-  hyperthreading: Enabled
-  name: worker
-  platform: {}
-  replicas: 3
-controlPlane:
-  architecture: amd64
-  hyperthreading: Enabled
-  name: master
-  platform: {}
-  replicas: 3
-metadata:
-  creationTimestamp: null
-  name: test-cluster <1>
- networking:
-  clusterNetwork:
-  - cidr: 10.128.0.0/14
-    hostPrefix: 23
-  machineNetwork:
-  - cidr: 10.0.0.0/16
-  networkType: OVNKubernetes <2>
-  serviceNetwork:
-  - 172.30.0.0/16
-platform:
-  alibabacloud:
-    defaultMachinePlatform: <3>
-      instanceType: ecs.g6.xlarge
-      systemDiskCategory: cloud_efficiency
-      systemDiskSize: 200
-    region: ap-southeast-1 <4>
-    resourceGroupID: rg-acfnw6j3hyai <5>
-    vpcID: vpc-0xifdjerdibmaqvtjob2b <8>
-    vswitchIDs: <8>
-    - vsw-0xi8ycgwc8wv5rhviwdq5
-    - vsw-0xiy6v3z2tedv009b4pz2
-publish: External
-pullSecret: '{"auths": {"cloud.openshift.com": {"auth": ... }' <6>
-sshKey: |
-  ssh-rsa AAAA... <7>
-----
-<1> Required. The installation program prompts you for a cluster name.
-<2> The cluster network plugin to install. The default value `OVNKubernetes` is the only supported value.
-<3> Optional. Specify parameters for machine pools that do not define their own platform configuration.
-<4> Required. The installation program prompts you for the region to deploy the cluster to.
-<5> Optional. Specify an existing resource group where the cluster should be installed.
-<6> Required. The installation program prompts you for the pull secret.
-<7> Optional. The installation program prompts you for the SSH key value that you use to access the machines in your cluster.
-<8> Optional. These are example vswitchID values.
diff --git a/modules/installation-alibaba-dns.adoc b/modules/installation-alibaba-dns.adoc
deleted file mode 100644
index 6a9de87bad7d..000000000000
--- a/modules/installation-alibaba-dns.adoc
+++ /dev/null
@@ -1,37 +0,0 @@
-// Module included in the following assemblies:
-//
-// * installing/installing_alibaba/installing-alibaba-account.adoc
-
-:_mod-docs-content-type: PROCEDURE
-[id="installation-alibaba-dns_{context}"]
-= Registering and Configuring Alibaba Cloud Domain
-
-To install {product-title}, the Alibaba Cloud account you use must have a dedicated public hosted zone in your account. This zone must be authoritative for the domain. This service provides cluster DNS resolution and name lookup for external connections to the cluster.
-
-.Procedure
-
-. Identify your domain, or subdomain, and registrar. You can transfer an existing domain and registrar or obtain a new one through Alibaba Cloud or another source.
-+
-[NOTE]
-====
-If you purchase a new domain through Alibaba Cloud, it takes time for the relevant DNS changes to propagate. For more information about purchasing domains through Alibaba Cloud, see link:https://www.alibabacloud.com/domain[Alibaba Cloud domains].
-====
-
-. If you are using an existing domain and registrar, migrate its DNS to Alibaba Cloud. See link:https://www.alibabacloud.com/help/en/doc-detail/42479.htm[Domain name transfer]
-in the Alibaba Cloud documentation.
-
-. Configure DNS for your domain. This includes:
-* link:https://partners-intl.aliyun.com/help/en/doc-detail/54068.htm?spm=a2c63.p38356.0.0.427d2054k5gZOr#task-1830383[Registering a generic domain name].
-* link:https://partners-intl.aliyun.com/help/en/doc-detail/108953.htm?spm=a2c63.p38356.0.0.3c62433fjUrdZG#section-qyn-s41-ygb[Completing real-name verification for your domain name].
-* link:https://account.alibabacloud.com/login/login.htm[Applying for an Internet Content Provider (ICP) filing].
-* link:https://www.alibabacloud.com/product/dns/pricing?spm=a3c0i.23458820.2359477120.2.36ca7d3fe0b5KL[Enabling domain name resolution].
-+
-Use an appropriate root domain, such as `openshiftcorp.com`, or subdomain, such as `clusters.openshiftcorp.com`.
-
-. If you are using a subdomain, follow the procedures of your company to add its delegation records to the parent domain.
-
-////
-.Question
-
-Can Alibaba provide a link(s) to their doc on how to complete each task under step 3 in their doc? Could not find content in their help.
-////
diff --git a/modules/installation-alibaba-regions.adoc b/modules/installation-alibaba-regions.adoc
deleted file mode 100644
index 99134ab62dba..000000000000
--- a/modules/installation-alibaba-regions.adoc
+++ /dev/null
@@ -1,15 +0,0 @@
-// Module included in the following assemblies:
-//
-// * installing/installing_alibaba/installing-alibaba-account.adoc
-
-:_mod-docs-content-type: REFERENCE
-[id="installation-alibaba-regions_{context}"]
-= Supported Alibaba regions
-
-You can deploy an {product-title} cluster to the regions listed in the link:https://www.alibabacloud.com/help/en/doc-detail/188196.htm[Alibaba _Regions and zones_ documentation].
-
-////
-Answer from Gaurav Singh (PM)
-
-All of the regions (in mainland china and outside mainland china ) listed in this doc https://www.alibabacloud.com/help/doc-detail/188196.htm[Alibaba doc] will be shown as option to the customer to deploy openshift . We might need to test all of them.
-////
diff --git a/modules/installation-arm-bootstrap.adoc b/modules/installation-arm-bootstrap.adoc
index 7d370f0e2aed..42a355385752 100644
--- a/modules/installation-arm-bootstrap.adoc
+++ b/modules/installation-arm-bootstrap.adoc
@@ -20,10 +20,10 @@ bootstrap machine that you need for your {product-title} cluster:
 [source,json]
 ----
 ifndef::ash[]
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/azure/04_bootstrap.json[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/azure/04_bootstrap.json[]
 endif::ash[]
 ifdef::ash[]
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/azurestack/04_bootstrap.json[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/azurestack/04_bootstrap.json[]
 endif::ash[]
 ----
 ====
diff --git a/modules/installation-arm-control-plane.adoc b/modules/installation-arm-control-plane.adoc
index e39c8656f86b..28e1b84df84e 100644
--- a/modules/installation-arm-control-plane.adoc
+++ b/modules/installation-arm-control-plane.adoc
@@ -20,10 +20,10 @@ control plane machines that you need for your {product-title} cluster:
 [source,json]
 ----
 ifndef::ash[]
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/azure/05_masters.json[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/azure/05_masters.json[]
 endif::ash[]
 ifdef::ash[]
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/azurestack/05_masters.json[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/azurestack/05_masters.json[]
 endif::ash[]
 ----
 ====
diff --git a/modules/installation-arm-dns.adoc b/modules/installation-arm-dns.adoc
index c767e54d3d97..7049e4ebf123 100644
--- a/modules/installation-arm-dns.adoc
+++ b/modules/installation-arm-dns.adoc
@@ -21,10 +21,10 @@ cluster:
 [source,json]
 ----
 ifndef::ash[]
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/azure/03_infra.json[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/azure/03_infra.json[]
 endif::ash[]
 ifdef::ash[]
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/azurestack/03_infra.json[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/azurestack/03_infra.json[]
 endif::ash[]
 ----
 ====
diff --git a/modules/installation-arm-image-storage.adoc b/modules/installation-arm-image-storage.adoc
index f5627f78a8e9..5039aaf70d86 100644
--- a/modules/installation-arm-image-storage.adoc
+++ b/modules/installation-arm-image-storage.adoc
@@ -20,10 +20,10 @@ stored {op-system-first} image that you need for your {product-title} cluster:
 [source,json]
 ----
 ifndef::ash[]
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/azure/02_storage.json[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/azure/02_storage.json[]
 endif::ash[]
 ifdef::ash[]
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/azurestack/02_storage.json[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/azurestack/02_storage.json[]
 endif::ash[]
 ----
 ====
diff --git a/modules/installation-arm-vnet.adoc b/modules/installation-arm-vnet.adoc
index b9130e79b53d..7fdf18d43a74 100644
--- a/modules/installation-arm-vnet.adoc
+++ b/modules/installation-arm-vnet.adoc
@@ -20,10 +20,10 @@ VNet that you need for your {product-title} cluster:
 [source,json]
 ----
 ifndef::ash[]
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/azure/01_vnet.json[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/azure/01_vnet.json[]
 endif::ash[]
 ifdef::ash[]
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/azurestack/01_vnet.json[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/azurestack/01_vnet.json[]
 endif::ash[]
 ----
 ====
diff --git a/modules/installation-arm-worker.adoc b/modules/installation-arm-worker.adoc
index 3966a73010e2..276dbed7f28a 100644
--- a/modules/installation-arm-worker.adoc
+++ b/modules/installation-arm-worker.adoc
@@ -20,10 +20,10 @@ worker machines that you need for your {product-title} cluster:
 [source,json]
 ----
 ifndef::ash[]
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/azure/06_workers.json[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/azure/06_workers.json[]
 endif::ash[]
 ifdef::ash[]
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/azurestack/06_workers.json[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/azurestack/06_workers.json[]
 endif::ash[]
 ----
 ====
diff --git a/modules/installation-aws-config-yaml.adoc b/modules/installation-aws-config-yaml.adoc
index 3e1f14a9f949..39fcb5e4e795 100644
--- a/modules/installation-aws-config-yaml.adoc
+++ b/modules/installation-aws-config-yaml.adoc
@@ -358,10 +358,9 @@ host must trust the certificate.
 ifndef::openshift-origin[]
 <13> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
 +
-[IMPORTANT]
-====
-To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. When running {op-system-base-full} or {op-system-first} booted in FIPS mode, {product-title} core components use the {op-system-base} cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.
-====
+--
+include::snippets/fips-snippet.adoc[]
+--
 <14> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
 endif::openshift-origin[]
 ifdef::openshift-origin[]
@@ -374,10 +373,9 @@ ifndef::vpc,restricted,aws-outposts[]
 ifndef::openshift-origin[]
 <11> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
 +
-[IMPORTANT]
-====
-To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. When running {op-system-base-full} or {op-system-first} booted in FIPS mode, {product-title} core components use the {op-system-base} cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.
-====
+--
+include::snippets/fips-snippet.adoc[]
+--
 <12> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
 endif::openshift-origin[]
 ifdef::openshift-origin[]
diff --git a/modules/installation-aws-permissions.adoc b/modules/installation-aws-permissions.adoc
index 4b1184ab53b5..68c2fb68c2f0 100644
--- a/modules/installation-aws-permissions.adoc
+++ b/modules/installation-aws-permissions.adoc
@@ -46,6 +46,7 @@ cluster, the IAM user requires the following permissions:
 * `ec2:DescribeNetworkAcls`
 * `ec2:DescribeNetworkInterfaces`
 * `ec2:DescribePrefixLists`
+* `ec2:DescribePublicIpv4Pools` (only required if `publicIpv4Pool` is specified in `install-config.yaml`)
 * `ec2:DescribeRegions`
 * `ec2:DescribeRouteTables`
 * `ec2:DescribeSecurityGroupRules`
@@ -58,6 +59,7 @@ cluster, the IAM user requires the following permissions:
 * `ec2:DescribeVpcClassicLinkDnsSupport`
 * `ec2:DescribeVpcEndpoints`
 * `ec2:DescribeVpcs`
+* `ec2:DisassociateAddress` (only required if `publicIpv4Pool` is specified in `install-config.yaml`)
 * `ec2:GetEbsDefaultKmsKeyId`
 * `ec2:ModifyInstanceAttribute`
 * `ec2:ModifyNetworkInterfaceAttribute`
@@ -119,6 +121,7 @@ If you use an existing Virtual Private Cloud (VPC), your account does not requir
 * `elasticloadbalancing:RegisterInstancesWithLoadBalancer`
 * `elasticloadbalancing:RegisterTargets`
 * `elasticloadbalancing:SetLoadBalancerPoliciesOfListener`
+* `elasticloadbalancing:SetSecurityGroups`
 
 [IMPORTANT]
 =====
@@ -192,6 +195,7 @@ If you have not created a load balancer in your AWS account, the IAM user also r
 * `s3:GetReplicationConfiguration`
 * `s3:ListBucket`
 * `s3:PutBucketAcl`
+* `s3:PutBucketPolicy`
 * `s3:PutBucketTagging`
 * `s3:PutEncryptionConfiguration`
 ====
@@ -303,3 +307,10 @@ If you are managing your cloud provider credentials with mint mode, the IAM user
 ====
 * `sts:AssumeRole`
 ====
+
+.Required permissions for enabling Bring your own public IPv4 addresses (BYOIP) feature for installation
+[%collapsible]
+====
+* `ec2:DescribePublicIpv4Pools`
+* `ec2:DisassociateAddress`
+====
\ No newline at end of file
diff --git a/modules/installation-aws-regions.adoc b/modules/installation-aws-regions.adoc
index afc349204c7b..d5f83ae47323 100644
--- a/modules/installation-aws-regions.adoc
+++ b/modules/installation-aws-regions.adoc
@@ -29,6 +29,7 @@ The following AWS public regions are supported:
 * `ap-southeast-3` (Jakarta)
 * `ap-southeast-4` (Melbourne)
 * `ca-central-1` (Central)
+* `ca-west-1` (Calgary)
 * `eu-central-1` (Frankfurt)
 * `eu-central-2` (Zurich)
 * `eu-north-1` (Stockholm)
diff --git a/modules/installation-aws-user-infra-rhcos-ami.adoc b/modules/installation-aws-user-infra-rhcos-ami.adoc
index 1da8f0986e05..d92561a0ae53 100644
--- a/modules/installation-aws-user-infra-rhcos-ami.adoc
+++ b/modules/installation-aws-user-infra-rhcos-ami.adoc
@@ -23,94 +23,97 @@ ifndef::openshift-origin[]
 |AWS AMI
 
 |`af-south-1`
-|`ami-0493ec0f0a451f83b`
+|`ami-018de6b1be470b7e6`
 
 |`ap-east-1`
-|`ami-050a6d164705e7f62`
+|`ami-092f09a4c8aacf56a`
 
 |`ap-northeast-1`
-|`ami-00910c337e0f52cff`
+|`ami-001c9fc85b77505f4`
 
 |`ap-northeast-2`
-|`ami-07e98d33de2b93ac0`
+|`ami-0a5d7f1966d88fba3`
 
 |`ap-northeast-3`
-|`ami-09bc0a599f4b3c483`
+|`ami-085a2726ceb4f5eeb`
 
 |`ap-south-1`
-|`ami-0ba603a7f9d41228e`
+|`ami-03f2c19071fb6eab3`
 
 |`ap-south-2`
-|`ami-03130aecb5d7459cc`
+|`ami-0c82522890979d94b`
 
 |`ap-southeast-1`
-|`ami-026c056e0a25e5a04`
+|`ami-06e5b9d16ead6c55c`
 
 |`ap-southeast-2`
-|`ami-0d471f504ff6d9a0f`
+|`ami-0ccd429129fbf6bc0`
 
 |`ap-southeast-3`
-|`ami-0c1b9a0721cbb3291`
+|`ami-096f9b4d41116d95c`
 
 |`ap-southeast-4`
-|`ami-0ef23bfe787efe11e`
+|`ami-0b511ab55f9f7d052`
 
 |`ca-central-1`
-|`ami-0163965a05b75f976`
+|`ami-0e357287c651be1f2`
+
+|`ca-west-1`
+|`ami-0b1692e5776740901`
 
 |`eu-central-1`
-|`ami-01edb54011f870f0c`
+|`ami-08b13fb388ba5610d`
 
 |`eu-central-2`
-|`ami-0bc500d6056a3b104`
+|`ami-04777298b55045ea9`
 
 |`eu-north-1`
-|`ami-0ab155e935177f16a`
+|`ami-05421993a4ee567b9`
 
 |`eu-south-1`
-|`ami-051b4c06b21f5a328`
+|`ami-00959341869d34746`
 
 |`eu-south-2`
-|`ami-096644e5555c23b19`
+|`ami-0a745b610522a87cc`
 
 |`eu-west-1`
-|`ami-0faeeeb3d2b1aa07c`
+|`ami-0e48f85ec57bd7baa`
 
 |`eu-west-2`
-|`ami-00bb1522dc71b604f`
+|`ami-0c015b1387acddc5e`
 
 |`eu-west-3`
-|`ami-01e5397bd2b795bd3`
+|`ami-01e466af77a95b93d`
 
 |`il-central-1`
-|`ami-0b32feb5d77c64e61`
+|`ami-0a1b706793b54d087`
 
 |`me-central-1`
-|`ami-0a5158a3e68ab7e88`
+|`ami-09d58e8b2099ae5bc`
 
 |`me-south-1`
-|`ami-024864ad1b799dbba`
+|`ami-0f9c259bc4346599c`
 
 |`sa-east-1`
-|`ami-0c402ffb0c4b7edc0`
+|`ami-06277517d966881a3`
 
 |`us-east-1`
-|`ami-057df4d0cb8cbae0d`
+|`ami-05483066c3caaccf5`
 
 |`us-east-2`
-|`ami-07566e5da1fd297f8`
+|`ami-0c704ce516493a479`
 
 |`us-gov-east-1`
-|`ami-0fe03a7e289354670`
+|`ami-0695b2cbdd1ec4d48`
 
 |`us-gov-west-1`
-|`ami-06b7cc6445c5da732`
+|`ami-004404a0eaa427b39`
 
 |`us-west-1`
-|`ami-02d20001c5b9df1e9`
+|`ami-0aaa56637063be772`
 
 |`us-west-2`
-|`ami-0dfba457127fba98c`
+|`ami-0870c7a3d5ef4d2b3`
 
 |===
 
@@ -123,94 +126,97 @@ ifndef::openshift-origin[]
 |AWS AMI
 
 |`af-south-1`
-|`ami-06c7b4e42179544df`
+|`ami-0d96d447d3df14f4e`
 
 |`ap-east-1`
-|`ami-07b6a37fa6d2d2e99`
+|`ami-010236402dfba1717`
 
 |`ap-northeast-1`
-|`ami-056d2eef4a3638246`
+|`ami-08feeb6d9068bb12e`
 
 |`ap-northeast-2`
-|`ami-0bd5a7684f0ff4e02`
+|`ami-0772082c119147205`
 
 |`ap-northeast-3`
-|`ami-0fd08063da50de1da`
+|`ami-05bcbb13493d0516f`
 
 |`ap-south-1`
-|`ami-08f1ae2cef8f9690e`
+|`ami-0034a539e8adcb817`
 
 |`ap-south-2`
-|`ami-020ba25cc1ec53b1c`
+|`ami-0fc56b7c53c38ff70`
 
 |`ap-southeast-1`
-|`ami-0020a1c0964ac8e48`
+|`ami-0b50a0e92a58f3ad8`
 
 |`ap-southeast-2`
-|`ami-07013a63289350c3c`
+|`ami-0697a9174ae206182`
 
 |`ap-southeast-3`
-|`ami-041d6ca1d57e3190f`
+|`ami-05ae309319a7ad504`
 
 |`ap-southeast-4`
-|`ami-06539e9cbefc28702`
+|`ami-00500414843baa657`
 
 |`ca-central-1`
-|`ami-0bb3991641f2b40f6`
+|`ami-05e76bf99d3b0d4c8`
+
+|`ca-west-1`
+|`ami-099fc953c221ec590`
 
 |`eu-central-1`
-|`ami-0908d117c26059e39`
+|`ami-0d2e2698884020b71`
 
 |`eu-central-2`
-|`ami-0e48c82ffbde67ed2`
+|`ami-0a96ba21ddee01719`
 
 |`eu-north-1`
-|`ami-016614599b38d515e`
+|`ami-0ab8a1070d0b1d9a5`
 
 |`eu-south-1`
-|`ami-01b6cc1f0fd7b431f`
+|`ami-0d0465299a8b196c1`
 
 |`eu-south-2`
-|`ami-0687e1d98e55e402d`
+|`ami-07d5aa3c6d468c738`
 
 |`eu-west-1`
-|`ami-0bf0b7b1cb052d68d`
+|`ami-08e7d209f26c09c80`
 
 |`eu-west-2`
-|`ami-0ba0bf567caa63731`
+|`ami-0c8336d4e2c1f13cb`
 
 |`eu-west-3`
-|`ami-0eab6a7956a66deda`
+|`ami-085d804b98acf0648`
 
 |`il-central-1`
-|`ami-03b3cb1f4869bf21d`
+|`ami-02ce030e36aeb7643`
 
 |`me-central-1`
-|`ami-0a6e1ade3c9e206a1`
+|`ami-0dea3ac466040b77f`
 
 |`me-south-1`
-|`ami-0aa0775c68eac9f6f`
+|`ami-02ef2a46887b9786d`
 
 |`sa-east-1`
-|`ami-07235eee0bb930c78`
+|`ami-0d19817d31b2399f9`
 
 |`us-east-1`
-|`ami-005808ca73e7b36ff`
+|`ami-04859c888566a2c2f`
 
 |`us-east-2`
-|`ami-0c5c9420f6b992e9e`
+|`ami-02f7e4a5dc66361bb`
 
 |`us-gov-east-1`
-|`ami-08c9b2b8d578caf92`
+|`ami-067ef782980ea96ad`
 
 |`us-gov-west-1`
-|`ami-0bdff65422ba7d95d`
+|`ami-0ce67540c1bb2319d`
 
 |`us-west-1`
-|`ami-017ad4dd030a04233`
+|`ami-0a09c5d2f287718a3`
 
 |`us-west-2`
-|`ami-068d0af5e3c08e618`
+|`ami-06b94e64e595f6cee`
 
 |===
 endif::openshift-origin[]
diff --git a/modules/installation-azure-config-yaml.adoc b/modules/installation-azure-config-yaml.adoc
index 6f57c753289b..614675fa15ae 100644
--- a/modules/installation-azure-config-yaml.adoc
+++ b/modules/installation-azure-config-yaml.adoc
@@ -252,20 +252,18 @@ ifdef::restricted[]
 <15> When using Azure Firewall to restrict Internet access, you must configure outbound routing to send traffic through the Azure Firewall. Configuring user-defined routing prevents exposing external endpoints in your cluster.
 <16> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
 +
-[IMPORTANT]
-====
-To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. The use of FIPS validated or Modules In Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64`, `ppc64le`, and `s390x` architectures.
-====
+--
+include::snippets/fips-snippet.adoc[]
+--
 <17> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
 endif::restricted[]
 ifdef::vnet[]
 ifndef::openshift-origin[]
 <15> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
 +
-[IMPORTANT]
-====
-To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. When running {op-system-base-full} or {op-system-first} booted in FIPS mode, {product-title} core components use the {op-system-base} cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.
-====
+--
+include::snippets/fips-snippet.adoc[]
+--
 <16> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
 endif::openshift-origin[]
 ifdef::openshift-origin[]
@@ -276,10 +274,9 @@ ifdef::private[]
 ifndef::openshift-origin[]
 <16> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
 +
-[IMPORTANT]
-====
-To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. When running {op-system-base-full} or {op-system-first} booted in FIPS mode, {product-title} core components use the {op-system-base} cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.
-====
+--
+include::snippets/fips-snippet.adoc[]
+--
 <17> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
 endif::openshift-origin[]
 ifdef::openshift-origin[]
@@ -290,10 +287,9 @@ ifdef::gov[]
 ifndef::openshift-origin[]
 <17> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
 +
-[IMPORTANT]
-====
-To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. When running {op-system-base-full} or {op-system-first} booted in FIPS mode, {product-title} core components use the {op-system-base} cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.
-====
+--
+include::snippets/fips-snippet.adoc[]
+--
 <18> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
 endif::openshift-origin[]
 ifdef::openshift-origin[]
@@ -304,10 +300,9 @@ ifndef::vnet,private,gov,restricted[]
 ifndef::openshift-origin[]
 <11> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
 +
-[IMPORTANT]
-====
-To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. When running {op-system-base-full} or {op-system-first} booted in FIPS mode, {product-title} core components use the {op-system-base} cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.
-====
+--
+include::snippets/fips-snippet.adoc[]
+--
 <12> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
 endif::openshift-origin[]
 ifdef::openshift-origin[]
diff --git a/modules/installation-azure-marketplace-subscribe.adoc b/modules/installation-azure-marketplace-subscribe.adoc
index 5112b1334137..c6bb04c4da25 100644
--- a/modules/installation-azure-marketplace-subscribe.adoc
+++ b/modules/installation-azure-marketplace-subscribe.adoc
@@ -31,7 +31,7 @@ endif::[]
 ifndef::mapi[]
 Using the Azure Marketplace offering lets you deploy an {product-title} cluster, which is billed on pay-per-use basis (hourly, per core) through Azure, while still being supported directly by Red{nbsp}Hat.
 
-To deploy an {product-title} cluster using the Azure Marketplace offering, you must first obtain the Azure Marketplace image. The installation program uses this image to deploy worker nodes. When obtaining your image, consider the following:
+To deploy an {product-title} cluster using the Azure Marketplace offering, you must first obtain the Azure Marketplace image. The installation program uses this image to deploy worker or control plane nodes. When obtaining your image, consider the following:
 endif::mapi[]
 ifdef::mapi[]
 You can create a machine set running on Azure that deploys machines that use the Azure Marketplace offering. To use this offering, you must first obtain the Azure Marketplace image. When obtaining your image, consider the following:
@@ -90,7 +90,7 @@ rh-ocp-worker  redhat-limited  rh-ocp-worker-gen1  redhat-limited:rh-ocp-worker:
 +
 [NOTE]
 ====
-Regardless of the version of {product-title} that you install, the correct version of the Azure Marketplace image to use is 4.13. If required, your VMs are automatically upgraded as part of the installation process.
+Use the latest image that is available for compute and control plane nodes. If required, your VMs are automatically upgraded as part of the installation process.
 ====
 . Inspect the image for your offer by running one of the following commands:
 ** North America:
@@ -132,10 +132,10 @@ $ az vm image terms accept --urn redhat:rh-ocp-worker:rh-ocp-worker:<version>
 $ az vm image terms accept --urn redhat-limited:rh-ocp-worker:rh-ocp-worker:<version>
 ----
 ifdef::ipi[]
-. Record the image details of your offer. You must update the `compute` section in the `install-config.yaml` file with values for `publisher`, `offer`, `sku`, and `version` before deploying the cluster.
+. Record the image details of your offer. You must update the `compute` section in the `install-config.yaml` file with values for `publisher`, `offer`, `sku`, and `version` before deploying the cluster. You may also update the `controlPlane` section to deploy control plane machines with the specified image details, or the `defaultMachinePlatform` section to deploy both control plane and compute machines with the specified image details. Use the latest available image for control plane and compute nodes.
 endif::ipi[]
 ifdef::upi[]
-. Record the image details of your offer. If you use the Azure Resource Manager (ARM) template to deploy your worker nodes:
+. Record the image details of your offer. If you use the Azure Resource Manager (ARM) template to deploy your compute nodes:
 +
 .. Update `storageProfile.imageReference` by deleting the `id` parameter and adding the `offer`, `publisher`, `sku`, and `version` parameters by using the values from your offer.
 .. Specify a `plan` for the virtual machines (VMs).
@@ -174,7 +174,7 @@ ifdef::mapi[]
 endif::mapi[]
 
 ifdef::ipi[]
-.Sample `install-config.yaml` file with the Azure Marketplace worker nodes
+.Sample `install-config.yaml` file with the Azure Marketplace compute nodes
 
 [source,yaml]
 ----
diff --git a/modules/installation-azure-regions.adoc b/modules/installation-azure-regions.adoc
index fde0952945cc..b079abebca73 100644
--- a/modules/installation-azure-regions.adoc
+++ b/modules/installation-azure-regions.adoc
@@ -34,6 +34,7 @@ The installation program dynamically generates the list of available Microsoft A
 * `japanwest` (Japan West)
 * `koreacentral` (Korea Central)
 * `koreasouth` (Korea South)
+* `mexicocentral` (Mexico Central)
 * `northcentralus` (North Central US)
 * `northeurope` (North Europe)
 * `norwayeast` (Norway East)
diff --git a/modules/installation-azure-stack-hub-config-yaml.adoc b/modules/installation-azure-stack-hub-config-yaml.adoc
index 7c0a19ea3efa..62ee71f2ed00 100644
--- a/modules/installation-azure-stack-hub-config-yaml.adoc
+++ b/modules/installation-azure-stack-hub-config-yaml.adoc
@@ -93,10 +93,14 @@ endif::openshift-origin[]
 ifndef::openshift-origin[]
 <11> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
 +
+--
 [IMPORTANT]
 ====
-To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. When running {op-system-base-full} or {op-system-first} booted in FIPS mode, {product-title} core components use the {op-system-base} cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.
+To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode].
+
+When running {op-system-base-full} or {op-system-first} booted in FIPS mode, {product-title} core components use the {op-system-base} cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.
 ====
+--
 <12> If your Azure Stack Hub environment uses an internal certificate authority (CA), add the necessary certificate bundle in `.pem` format.
 <13> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
 endif::openshift-origin[]
diff --git a/modules/installation-bare-metal-config-yaml.adoc b/modules/installation-bare-metal-config-yaml.adoc
index c57683491f8e..9b5ff25557ef 100644
--- a/modules/installation-bare-metal-config-yaml.adoc
+++ b/modules/installation-bare-metal-config-yaml.adoc
@@ -243,10 +243,10 @@ Clusters that are installed with the platform type `none` are unable to use some
 ifndef::openshift-origin[]
 <12> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
 +
-[IMPORTANT]
-====
-To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. When running {op-system-base-full} or {op-system-first} booted in FIPS mode, {product-title} core components use the {op-system-base} cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.
-====
+--
+include::snippets/fips-snippet.adoc[]
+--
+
 endif::openshift-origin[]
 ifndef::restricted[]
 ifndef::openshift-origin[]
diff --git a/modules/installation-cloudformation-bootstrap.adoc b/modules/installation-cloudformation-bootstrap.adoc
index c7fce6247e49..2b509ba5a581 100644
--- a/modules/installation-cloudformation-bootstrap.adoc
+++ b/modules/installation-cloudformation-bootstrap.adoc
@@ -13,6 +13,6 @@ You can use the following CloudFormation template to deploy the bootstrap machin
 ====
 [source,yaml]
 ----
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/aws/cloudformation/04_cluster_bootstrap.yaml[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/aws/cloudformation/04_cluster_bootstrap.yaml[]
 ----
 ====
diff --git a/modules/installation-cloudformation-control-plane.adoc b/modules/installation-cloudformation-control-plane.adoc
index 735119d573b6..3dd5d5c78771 100644
--- a/modules/installation-cloudformation-control-plane.adoc
+++ b/modules/installation-cloudformation-control-plane.adoc
@@ -14,6 +14,6 @@ machines that you need for your {product-title} cluster.
 ====
 [source,yaml]
 ----
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/aws/cloudformation/05_cluster_master_nodes.yaml[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/aws/cloudformation/05_cluster_master_nodes.yaml[]
 ----
 ====
diff --git a/modules/installation-cloudformation-dns.adoc b/modules/installation-cloudformation-dns.adoc
index a285b88c408c..a438273a94bf 100644
--- a/modules/installation-cloudformation-dns.adoc
+++ b/modules/installation-cloudformation-dns.adoc
@@ -14,7 +14,7 @@ objects and load balancers that you need for your {product-title} cluster.
 ====
 [source,yaml]
 ----
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/aws/cloudformation/02_cluster_infra.yaml[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/aws/cloudformation/02_cluster_infra.yaml[]
 ----
 ====
 
diff --git a/modules/installation-cloudformation-security.adoc b/modules/installation-cloudformation-security.adoc
index 4fa7f8899a8e..98698a461267 100644
--- a/modules/installation-cloudformation-security.adoc
+++ b/modules/installation-cloudformation-security.adoc
@@ -14,6 +14,6 @@ that you need for your {product-title} cluster.
 ====
 [source,yaml]
 ----
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/aws/cloudformation/03_cluster_security.yaml[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/aws/cloudformation/03_cluster_security.yaml[]
 ----
 ====
diff --git a/modules/installation-cloudformation-vpc.adoc b/modules/installation-cloudformation-vpc.adoc
index 426237718bf4..3a2661b17175 100644
--- a/modules/installation-cloudformation-vpc.adoc
+++ b/modules/installation-cloudformation-vpc.adoc
@@ -14,6 +14,6 @@ you need for your {product-title} cluster.
 ====
 [source,yaml]
 ----
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/aws/cloudformation/01_vpc.yaml[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/aws/cloudformation/01_vpc.yaml[]
 ----
 ====
diff --git a/modules/installation-cloudformation-worker.adoc b/modules/installation-cloudformation-worker.adoc
index 8c9e71011af4..6bec122b8301 100644
--- a/modules/installation-cloudformation-worker.adoc
+++ b/modules/installation-cloudformation-worker.adoc
@@ -14,6 +14,6 @@ that you need for your {product-title} cluster.
 ====
 [source,yaml]
 ----
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/aws/cloudformation/06_cluster_worker_node.yaml[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/aws/cloudformation/06_cluster_worker_node.yaml[]
 ----
 ====
diff --git a/modules/installation-complete-user-infra.adoc b/modules/installation-complete-user-infra.adoc
index 2cfd58aac631..49fab076b67a 100644
--- a/modules/installation-complete-user-infra.adoc
+++ b/modules/installation-complete-user-infra.adoc
@@ -36,10 +36,10 @@ ifeval::["{context}" == "installing-restricted-networks-ibm-z-kvm"]
 :restricted:
 endif::[]
 ifeval::["{context}" == "installing-ibm-z-lpar"]
-:ibm-z:
+:ibm-z-lpar:
 endif::[]
 ifeval::["{context}" == "installing-restricted-networks-ibm-z-lpar"]
-:ibm-z:
+:ibm-z-lpar:
 :restricted:
 endif::[]
 ifeval::["{context}" == "installing-ibm-power"]
@@ -177,6 +177,77 @@ ifdef::restricted[]
 . Register your cluster on the link:https://console.redhat.com/openshift/register[Cluster registration] page.
 endif::restricted[]
 
+ifdef::ibm-z,ibm-z-lpar[]
+.Verification
+
+If you have enabled secure boot during the {product-title} bootstrap process, the following verification steps are required:
+
+. Debug the node by running the following command:
++
+[source,terminal]
+----
+$ oc debug node/<node_name>
+chroot /host
+----
++
+. Confirm that secure boot is enabled by running the following command:
++
+[source,terminal]
+----
+$ cat /sys/firmware/ipl/secure
+----
++
+.Example output
+[source,terminal]
+----
+1 <1>
+----
+<1> The value is `1` if secure boot is enabled and `0` if secure boot is not enabled.
+endif::ibm-z,ibm-z-lpar[]
+ifdef::ibm-z-lpar[]
+. List the re-IPL configuration by running the following command:
++
+[source,terminal]
+----
+# lsreipl
+----
++
+.Example output for an FCP disk
+[source,terminal]
+----
+Re-IPL type: fcp
+WWPN: 0x500507630400d1e3
+LUN: 0x4001400e00000000
+Device: 0.0.810e
+bootprog: 0
+br_lba: 0
+Loadparm: ""
+Bootparms: ""
+clear: 0
+----
++
+.Example output for a DASD disk
+[source,terminal]
+----
+for DASD output:
+Re-IPL type: ccw
+Device: 0.0.525d
+Loadparm: ""
+clear: 0
+----
+
+. Shut down the node by running the following command:
++
+[source,terminal]
+----
+sudo shutdown -h
+----
+
+. Initiate a boot from LPAR from the Hardware Management Console (HMC). See link:https://www.ibm.com/docs/en/linux-on-systems?topic=boot-lpar[Initiating a secure boot from an LPAR] in IBM documentation.
+
+. When the node is back, check the secure boot status again.
+endif::ibm-z-lpar[]
+
 ifeval::["{context}" == "installing-restricted-networks-vsphere"]
 :!restricted:
 endif::[]
@@ -208,9 +279,9 @@ ifeval::["{context}" == "installing-restricted-networks-ibm-z-kvm"]
 :!restricted:
 endif::[]
 ifeval::["{context}" == "installing-ibm-z-lpar"]
-:!ibm-z:
+:!ibm-z-lpar:
 endif::[]
 ifeval::["{context}" == "installing-restricted-networks-ibm-z-lpar"]
-:!ibm-z:
+:!ibm-z-lpar:
 :!restricted:
 endif::[]
diff --git a/modules/installation-configuration-parameters.adoc b/modules/installation-configuration-parameters.adoc
index ea64fe2fa33a..14f7a0b2fdfb 100644
--- a/modules/installation-configuration-parameters.adoc
+++ b/modules/installation-configuration-parameters.adoc
@@ -7,7 +7,6 @@
 // * installing/installing_azure_stack_hub/installation-config-parameters-ash.adoc
 // * installing/installing_bare_metal/installation-config-parameters-bare-metal.adoc
 // * installing/installing_ibm_cloud_public/installation-config-parameters-ibm-cloud-vps.adoc
-// * installing/installing_alibaba/installation-config-parameters-alibaba.adoc
 // * installing/installing_ibm_powervs/installation-config-parameters-ibm-power-vs.adoc
 // * installing/installing_nutanix/installation-config-parameters-nutanix.adoc
 // * installing/installing_openstack/installation-config-parameters-openstack.adoc
@@ -36,9 +35,6 @@ endif::[]
 ifeval::["{context}" == "installation-config-parameters-ibm-cloud-vpc"]
 :ibm-cloud:
 endif::[]
-ifeval::["{context}" == "installation-config-parameters-alibaba"]
-:alibaba-cloud:
-endif::[]
 ifeval::["{context}" == "installation-config-parameters-ibm-power-vs"]
 :ibm-power-vs:
 endif::[]
@@ -125,7 +121,7 @@ endif::osp[]
 
 |platform:
 ifndef::agent[]
-|The configuration for the specific platform upon which to perform the installation: `alibabacloud`, `aws`, `baremetal`, `azure`, `gcp`, `ibmcloud`, `nutanix`, `openstack`, `powervs`, `vsphere`, or `{}`. For additional information about `platform.<platform>` parameters, consult the table for your specific platform that follows.
+|The configuration for the specific platform upon which to perform the installation: `aws`, `baremetal`, `azure`, `gcp`, `ibmcloud`, `nutanix`, `openstack`, `powervs`, `vsphere`, or `{}`. For additional information about `platform.<platform>` parameters, consult the table for your specific platform that follows.
 endif::agent[]
 ifdef::agent[]
 |The configuration for the specific platform upon which to perform the installation: `baremetal`, `external`, `none`, or `vsphere`.
@@ -528,7 +524,7 @@ ifdef::ibm-power-vs[]
 Example usage, `compute.platform.powervs.sysType`.
 endif::ibm-power-vs[]
 ifndef::agent[]
-|`alibabacloud`, `aws`, `azure`, `gcp`, `ibmcloud`, `nutanix`, `openstack`, `powervs`, `vsphere`, or `{}`
+|`aws`, `azure`, `gcp`, `ibmcloud`, `nutanix`, `openstack`, `powervs`, `vsphere`, or `{}`
 endif::agent[]
 ifdef::agent[]
 |`baremetal`, `vsphere`, or `{}`
@@ -622,7 +618,7 @@ ifdef::ibm-power-vs[]
 Example usage, `controlPlane.platform.powervs.processors`.
 endif::ibm-power-vs[]
 ifndef::agent[]
-|`alibabacloud`, `aws`, `azure`, `gcp`, `ibmcloud`, `nutanix`, `openstack`, `powervs`, `vsphere`, or `{}`
+|`aws`, `azure`, `gcp`, `ibmcloud`, `nutanix`, `openstack`, `powervs`, `vsphere`, or `{}`
 endif::agent[]
 ifdef::agent[]
 |`baremetal`, `vsphere`, or `{}`
@@ -640,10 +636,9 @@ endif::agent[]
 ifndef::openshift-origin,ibm-power-vs[]
 |fips:
 |Enable or disable FIPS mode. The default is `false` (disabled). If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
-[IMPORTANT]
-====
-To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. When running {op-system-base-full} or {op-system-first} booted in FIPS mode, {product-title} core components use the {op-system-base} cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.
-====
+
+include::snippets/fips-snippet.adoc[]
+
 [NOTE]
 ====
 If you are using Azure File storage, you cannot enable FIPS mode.
@@ -1007,6 +1002,17 @@ For a private cluster, specify a private subnet for each availability zone.
 For clusters that use AWS Local Zones, you must add AWS Local Zone subnets to this list to ensure edge machine pool creation.
 |Valid subnet IDs.
 
+|platform:
+  aws:
+    publicIpv4Pool:
+|The public IPv4 pool ID that is used to allocate Elastic IPs (EIPs) when `publish` is set to `External`. You must provision and advertise the pool in the same {aws-short} account and region of the cluster. You must ensure that you have 2n + 1 IPv4 available in the pool where _n_ is the total number of {aws-short} zones used to deploy the Network Load Balancer (NLB) for API, NAT gateways, and bootstrap node. For more information about bring your own IP addresses (BYOIP) in {aws-short}, see link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html#byoip-onboard[Onboard your BYOIP].
+| A valid link:https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-public-ipv4-pools.html[public IPv4 pool id]
+
+[NOTE]
+====
+BYOIP can be enabled only for customized installations that have no network restrictions.
+====
+
 |platform:
   aws:
     preserveBootstrapIgnition:
@@ -3107,171 +3113,6 @@ configuring user-defined routing.
 |====
 endif::ash[]
 
-ifdef::alibaba-cloud[]
-//From: https://github.com/openshift/installer/blob/master/data/data/install.openshift.io_installconfigs.yaml#L20; https://github.com/openshift/openshift-docs/pull/40651/files#r792388476
-
-[id="installation-configuration-parameters-additional-alibaba_{context}"]
-== Additional Alibaba Cloud configuration parameters
-
-Additional Alibaba Cloud configuration parameters are described in the following table. The `alibabacloud` parameters are the configuration used when installing on Alibaba Cloud. The `defaultMachinePlatform` parameters are the default configuration used when installing on Alibaba Cloud for machine pools that do not define their own platform configuration.
-
-These parameters apply to both compute machines and control plane machines where specified.
-
-[NOTE]
-====
-If defined, the parameters `compute.platform.alibabacloud` and `controlPlane.platform.alibabacloud` will overwrite `platform.alibabacloud.defaultMachinePlatform` settings for compute machines and control plane machines respectively.
-====
-
-.Optional {alibaba} parameters
-[cols=".^2l,.^3,.^5a",options="header"]
-|====
-|Parameter|Description|Values
-
-|compute:
-  platform:
-    alibabacloud:
-      imageID:
-|The imageID used to create the ECS instance. ImageID must belong to the same region as the cluster.
-|String.
-
-|compute:
-  platform:
-    alibabacloud:
-      instanceType:
-|InstanceType defines the ECS instance type. Example: `ecs.g6.large`
-|String.
-
-|compute:
-  platform:
-    alibabacloud:
-      systemDiskCategory:
-|Defines the category of the system disk. Examples: `cloud_efficiency`,`cloud_essd`
-|String.
-
-|compute:
-  platform:
-    alibabacloud:
-      systemDisksize:
-|Defines the size of the system disk in gibibytes (GiB).
-|Integer.
-
-|compute:
-  platform:
-    alibabacloud:
-      zones:
-|The list of availability zones that can be used. Examples: `cn-hangzhou-h`, `cn-hangzhou-j`
-|String list.
-
-|controlPlane:
-  platform:
-    alibabacloud:
-      imageID:
-|The imageID used to create the ECS instance. ImageID must belong to the same region as the cluster.
-|String.
-
-|controlPlane:
-  platform:
-    alibabacloud:
-      instanceType:
-|InstanceType defines the ECS instance type. Example: `ecs.g6.xlarge`
-|String.
-
-|controlPlane:
-  platform:
-    alibabacloud:
-      systemDiskCategory:
-|Defines the category of the system disk. Examples: `cloud_efficiency`,`cloud_essd`
-|String.
-
-|controlPlane:
-  platform:
-    alibabacloud:
-      systemDisksize:
-|Defines the size of the system disk in gibibytes (GiB).
-|Integer.
-
-|controlPlane:
-  platform:
-    alibabacloud:
-      zones:
-|The list of availability zones that can be used. Examples: `cn-hangzhou-h`, `cn-hangzhou-j`
-|String list.
-
-|platform:
-  alibabacloud:
-    region:
-|Required. The Alibaba Cloud region where the cluster will be created.
-|String.
-
-|platform:
-  alibabacloud:
-    resourceGroupID:
-|The ID of an already existing resource group where the cluster will be installed. If empty, the installation program will create a new resource group for the cluster.
-|String.
-
-|platform:
-  alibabacloud:
-    tags:
-|Additional keys and values to apply to all Alibaba Cloud resources created for the cluster.
-|Object.
-
-|platform:
-  alibabacloud:
-    vpcID:
-|The ID of an already existing VPC where the cluster should be installed. If empty, the installation program will create a new VPC for the cluster.
-|String.
-
-|platform:
-  alibabacloud:
-    vswitchIDs:
-|The ID list of already existing VSwitches where cluster resources will be created. The existing VSwitches can only be used when also using existing VPC. If empty, the installation program will create new VSwitches for the cluster.
-|String list.
-
-|platform:
-  alibabacloud:
-    defaultMachinePlatform:
-      imageID:
-|For both compute machines and control plane machines, the image ID that should be used to create ECS instance. If set, the image ID should belong to the same region as the cluster.
-|String.
-
-|platform:
-  alibabacloud:
-    defaultMachinePlatform:
-      instanceType:
-|For both compute machines and control plane machines, the ECS instance type used to create the ECS instance. Example: `ecs.g6.xlarge`
-|String.
-
-|platform:
-  alibabacloud:
-    defaultMachinePlatform:
-      systemDiskCategory:
-|For both compute machines and control plane machines, the category of the system disk. Examples: `cloud_efficiency`, `cloud_essd`.
-|String, for example "", `cloud_efficiency`, `cloud_essd`.
-
-|platform:
-  alibabacloud:
-    defaultMachinePlatform:
-      systemDiskSize:
-|For both compute machines and control plane machines, the size of the system disk in gibibytes (GiB). The minimum is `120`.
-|Integer.
-
-|platform:
-  alibabacloud:
-    defaultMachinePlatform:
-      zones:
-|For both compute machines and control plane machines, the list of availability zones that can be used. Examples: `cn-hangzhou-h`, `cn-hangzhou-j`
-|String list.
-
-|platform:
-  alibabacloud:
-    privateZoneID:
-|The ID of an existing private zone into which to add DNS records for the cluster's internal API. An existing private zone can only be used when also using existing VPC. The private zone must be associated with the VPC containing the subnets. Leave the private zone unset to have the installation program create the private zone on your behalf.
-|String.
-
-|====
-
-endif::alibaba-cloud[]
-
 ifdef::nutanix[]
 [id="installation-configuration-parameters-additional-nutanix_{context}"]
 == Additional Nutanix configuration parameters
@@ -3548,9 +3389,6 @@ endif::[]
 ifeval::["{context}" == "installation-config-parameters-ibm-cloud-vpc"]
 :!ibm-cloud:
 endif::[]
-ifeval::["{context}" == "installation-config-parameters-alibaba"]
-:!alibaba-cloud:
-endif::[]
 ifeval::["{context}" == "installation-config-parameters-ibm-power-vs"]
 :!ibm-power-vs:
 endif::[]
diff --git a/modules/installation-configure-proxy.adoc b/modules/installation-configure-proxy.adoc
index 8747934acc96..09fd00ccb7f2 100644
--- a/modules/installation-configure-proxy.adoc
+++ b/modules/installation-configure-proxy.adoc
@@ -1,6 +1,5 @@
 // Module included in the following assemblies:
 //
-// installing/installing_alibaba/installing-alibaba-network-customizations.adoc
 // * installing/installing_aws/installing_aws-customizations.adoc
 // * installing/installing_aws/installing_aws-network-customizations.adoc
 // * installing/installing_aws/installing_aws-private.adoc
diff --git a/modules/installation-custom-alibaba-vpc.adoc b/modules/installation-custom-alibaba-vpc.adoc
deleted file mode 100644
index 0be217cb89d4..000000000000
--- a/modules/installation-custom-alibaba-vpc.adoc
+++ /dev/null
@@ -1,52 +0,0 @@
-// Module included in the following assemblies:
-//
-// * installing/installing_alibaba/installing-alibaba-vpc.adoc
-
-:_mod-docs-content-type: CONCEPT
-[id="installation-custom-alibaba-vpc_{context}"]
-= Using a custom VPC
-
-In {product-title} {product-version}, you can deploy a cluster into existing subnets in an existing Virtual Private Cloud (VPC) in the Alibaba Cloud Platform. By deploying {product-title} into an existing Alibaba VPC, you can avoid limit constraints in new accounts and more easily adhere to your organization's operational constraints. If you cannot obtain the infrastructure creation permissions that are required to create the VPC yourself, use this installation option. You must configure networking using vSwitches.
-
-[id="installation-custom-alibaba-vpc-requirements_{context}"]
-== Requirements for using your VPC
-
-The union of the VPC CIDR block and the machine network CIDR must be non-empty. The vSwitches must be within the machine network.
-
-The installation program does not create the following components:
-
-* VPC
-* vSwitches
-* Route table
-* NAT gateway
-
-include::snippets/custom-dns-server.adoc[]
-
-[id="installation-custom-alibaba-vpc-validation_{context}"]
-== VPC validation
-
-To ensure that the vSwitches you provide are suitable, the installation program confirms the following data:
-
-* All the vSwitches that you specify must exist.
-* You have provided one or more vSwitches for control plane machines and compute machines.
-* The vSwitches' CIDRs belong to the machine CIDR that you specified.
-
-[id="installation-about-custom-alibaba-permissions_{context}"]
-== Division of permissions
-
-Some individuals can create different resources in your cloud than others. For example, you might be able to create application-specific items, like instances, buckets, and load balancers, but not networking-related components, such as VPCs or vSwitches.
-
-[id="installation-custom-alibaba-vpc-isolation_{context}"]
-== Isolation between clusters
-
-If you deploy {product-title} into an existing network, the isolation of cluster services is reduced in the following ways:
-
-* You can install multiple {product-title} clusters in the same VPC.
-
-* ICMP ingress is allowed to the entire network.
-
-* TCP 22 ingress (SSH) is allowed to the entire network.
-
-* Control plane TCP 6443 ingress (Kubernetes API) is allowed to the entire network.
-
-* Control plane TCP 22623 ingress (MCS) is allowed to the entire network.
diff --git a/modules/installation-deployment-manager-bootstrap.adoc b/modules/installation-deployment-manager-bootstrap.adoc
index 1375d54523a2..56b5096fe90f 100644
--- a/modules/installation-deployment-manager-bootstrap.adoc
+++ b/modules/installation-deployment-manager-bootstrap.adoc
@@ -14,6 +14,6 @@ machine that you need for your {product-title} cluster:
 ====
 [source,python]
 ----
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/gcp/04_bootstrap.py[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/gcp/04_bootstrap.py[]
 ----
 ====
diff --git a/modules/installation-deployment-manager-control-plane.adoc b/modules/installation-deployment-manager-control-plane.adoc
index 6e9e12b12c4f..a9de6701729e 100644
--- a/modules/installation-deployment-manager-control-plane.adoc
+++ b/modules/installation-deployment-manager-control-plane.adoc
@@ -14,6 +14,6 @@ plane machines that you need for your {product-title} cluster:
 ====
 [source,python]
 ----
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/gcp/05_control_plane.py[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/gcp/05_control_plane.py[]
 ----
 ====
diff --git a/modules/installation-deployment-manager-ext-lb.adoc b/modules/installation-deployment-manager-ext-lb.adoc
index 803507d584f5..3edbf1a0c283 100644
--- a/modules/installation-deployment-manager-ext-lb.adoc
+++ b/modules/installation-deployment-manager-ext-lb.adoc
@@ -12,6 +12,6 @@ You can use the following Deployment Manager template to deploy the external loa
 ====
 [source,python]
 ----
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/gcp/02_lb_ext.py[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/gcp/02_lb_ext.py[]
 ----
 ====
diff --git a/modules/installation-deployment-manager-firewall-rules.adoc b/modules/installation-deployment-manager-firewall-rules.adoc
index 96baed764272..3608861774ce 100644
--- a/modules/installation-deployment-manager-firewall-rules.adoc
+++ b/modules/installation-deployment-manager-firewall-rules.adoc
@@ -12,6 +12,6 @@ You can use the following Deployment Manager template to deploy the firewall rue
 ====
 [source,python]
 ----
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/gcp/03_firewall.py[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/gcp/03_firewall.py[]
 ----
 ====
diff --git a/modules/installation-deployment-manager-iam-shared-vpc.adoc b/modules/installation-deployment-manager-iam-shared-vpc.adoc
index 18742d3775c1..cebdffd31665 100644
--- a/modules/installation-deployment-manager-iam-shared-vpc.adoc
+++ b/modules/installation-deployment-manager-iam-shared-vpc.adoc
@@ -12,6 +12,6 @@ You can use the following Deployment Manager template to deploy the IAM roles th
 ====
 [source,python]
 ----
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/gcp/03_iam.py[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/gcp/03_iam.py[]
 ----
 ====
diff --git a/modules/installation-deployment-manager-int-lb.adoc b/modules/installation-deployment-manager-int-lb.adoc
index 1fc098a08cd4..97ebf20b8d0a 100644
--- a/modules/installation-deployment-manager-int-lb.adoc
+++ b/modules/installation-deployment-manager-int-lb.adoc
@@ -12,7 +12,7 @@ You can use the following Deployment Manager template to deploy the internal loa
 ====
 [source,python]
 ----
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/gcp/02_lb_int.py[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/gcp/02_lb_int.py[]
 ----
 ====
 
diff --git a/modules/installation-deployment-manager-private-dns.adoc b/modules/installation-deployment-manager-private-dns.adoc
index c48c47849635..b6a19b580866 100644
--- a/modules/installation-deployment-manager-private-dns.adoc
+++ b/modules/installation-deployment-manager-private-dns.adoc
@@ -12,6 +12,6 @@ You can use the following Deployment Manager template to deploy the private DNS
 ====
 [source,python]
 ----
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/gcp/02_dns.py[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/gcp/02_dns.py[]
 ----
 ====
diff --git a/modules/installation-deployment-manager-vpc.adoc b/modules/installation-deployment-manager-vpc.adoc
index 6f5b6041520e..b5e24890ea24 100644
--- a/modules/installation-deployment-manager-vpc.adoc
+++ b/modules/installation-deployment-manager-vpc.adoc
@@ -14,6 +14,6 @@ you need for your {product-title} cluster:
 ====
 [source,python]
 ----
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/gcp/01_vpc.py[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/gcp/01_vpc.py[]
 ----
 ====
diff --git a/modules/installation-deployment-manager-worker.adoc b/modules/installation-deployment-manager-worker.adoc
index 03bc8806711c..f287a589315b 100644
--- a/modules/installation-deployment-manager-worker.adoc
+++ b/modules/installation-deployment-manager-worker.adoc
@@ -14,6 +14,6 @@ that you need for your {product-title} cluster:
 ====
 [source,python]
 ----
-include::https://raw.githubusercontent.com/openshift/installer/release-4.15/upi/gcp/06_worker.py[]
+include::https://raw.githubusercontent.com/openshift/installer/release-4.16/upi/gcp/06_worker.py[]
 ----
 ====
diff --git a/modules/installation-gcp-config-yaml.adoc b/modules/installation-gcp-config-yaml.adoc
index a8599903c568..0329074211b8 100644
--- a/modules/installation-gcp-config-yaml.adoc
+++ b/modules/installation-gcp-config-yaml.adoc
@@ -216,10 +216,14 @@ ifdef::vpc[]
 ifndef::openshift-origin[]
 <13> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
 +
+--
 [IMPORTANT]
 ====
-To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. When running {op-system-base-full} or {op-system-first} booted in FIPS mode, {product-title} core components use the {op-system-base} cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.
+To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode].
+
+When running {op-system-base-full} or {op-system-first} booted in FIPS mode, {product-title} core components use the {op-system-base} cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.
 ====
+--
 <14> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
 endif::openshift-origin[]
 ifdef::openshift-origin[]
diff --git a/modules/installation-gcp-user-infra-rhcos.adoc b/modules/installation-gcp-user-infra-rhcos.adoc
index 513533349047..1582ec723525 100644
--- a/modules/installation-gcp-user-infra-rhcos.adoc
+++ b/modules/installation-gcp-user-infra-rhcos.adoc
@@ -12,7 +12,7 @@ your {product-title} nodes.
 .Procedure
 
 ifndef::openshift-origin[]
-. Obtain the {op-system} image from the link:https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/4.15/[{op-system} image mirror] page.
+. Obtain the {op-system} image from the link:https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/4.16/[{op-system} image mirror] page.
 +
 [IMPORTANT]
 ====
diff --git a/modules/installation-gcp-user-infra-shared-vpc-config-yaml.adoc b/modules/installation-gcp-user-infra-shared-vpc-config-yaml.adoc
index 4e8e633e2691..1d17a4b4fe32 100644
--- a/modules/installation-gcp-user-infra-shared-vpc-config-yaml.adoc
+++ b/modules/installation-gcp-user-infra-shared-vpc-config-yaml.adoc
@@ -88,10 +88,9 @@ If you disable simultaneous multithreading, ensure that your capacity planning a
 ifndef::openshift-origin[]
 <9> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
 +
-[IMPORTANT]
-====
-To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. When running {op-system-base-full} or {op-system-first} booted in FIPS mode, {product-title} core components use the {op-system-base} cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.
-====
+--
+include::snippets/fips-snippet.adoc[]
+--
 <10> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
 endif::openshift-origin[]
 ifdef::openshift-origin[]
diff --git a/modules/installation-ibm-cloud-config-yaml.adoc b/modules/installation-ibm-cloud-config-yaml.adoc
index c9da1fdf3f07..4e7d3eea791e 100644
--- a/modules/installation-ibm-cloud-config-yaml.adoc
+++ b/modules/installation-ibm-cloud-config-yaml.adoc
@@ -93,10 +93,14 @@ If you disable simultaneous multithreading, ensure that your capacity planning a
 ifndef::openshift-origin[]
 <6> Enables or disables FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
 +
+--
 [IMPORTANT]
 ====
-To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. When running {op-system-base-full} or {op-system-first} booted in FIPS mode, {product-title} core components use the {op-system-base} cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.
+To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode].
+
+When running {op-system-base-full} or {op-system-first} booted in FIPS mode, {product-title} core components use the {op-system-base} cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.
 ====
+--
 <7> Optional: provide the `sshKey` value that you use to access the machines in your cluster.
 endif::openshift-origin[]
 ifdef::openshift-origin[]
diff --git a/modules/installation-ibm-cloud-regions.adoc b/modules/installation-ibm-cloud-regions.adoc
index 115ba1f87e84..deb07feeec97 100644
--- a/modules/installation-ibm-cloud-regions.adoc
+++ b/modules/installation-ibm-cloud-regions.adoc
@@ -49,11 +49,18 @@ ifdef::ibm-power-vs[]
 * `eu-de` (Frankfurt, Germany)
 ** `eu-de-1`
 ** `eu-de-2`
+* `lon` (London, UK)
+** `lon04`
 * `mad` (Madrid, Spain)
 ** `mad02`
 ** `mad04`
+* `osa` (Osaka, Japan)
+** `osa21`
 * `sao` (Sao Paulo, Brazil)
+** `sao01`
 ** `sao04`
+* `syd` (Sydney, Australia)
+** `syd04`
 * `wdc` (Washington DC, USA)
 ** `wdc06`
 ** `wdc07`
diff --git a/modules/installation-ibm-cloud-tested-machine-types.adoc b/modules/installation-ibm-cloud-tested-machine-types.adoc
new file mode 100644
index 000000000000..f8114abed397
--- /dev/null
+++ b/modules/installation-ibm-cloud-tested-machine-types.adoc
@@ -0,0 +1,18 @@
+// Module included in the following assemblies:
+//
+// installing/installing_ibm_cloud_public/installing-ibm-cloud-customizations.adoc
+// installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc
+// installing/installing_ibm_cloud_public/installing-ibm-cloud-private.adoc
+// installing/installing_ibm_cloud_public/installing-ibm-cloud-restricted.adoc
+// installing/installing_ibm_cloud_public/installing-ibm-cloud-vpc.adoc
+
+[id="installation-ibm-cloud-tested-machine-types_{context}"]
+= Tested instance types for {ibm-cloud-title}
+
+The following {ibm-cloud-name} instance types have been tested with {product-title}.
+
+.Machine series
+[%collapsible]
+====
+include::https://raw.githubusercontent.com/openshift/installer/master/docs/user/ibmcloud/tested_instance_types_x86_64.md[]
+====
\ No newline at end of file
diff --git a/modules/installation-ibm-z-user-infra-machines-iso.adoc b/modules/installation-ibm-z-user-infra-machines-iso.adoc
index 89a065206af9..9cf4a3956798 100644
--- a/modules/installation-ibm-z-user-infra-machines-iso.adoc
+++ b/modules/installation-ibm-z-user-infra-machines-iso.adoc
@@ -35,6 +35,7 @@ Complete the following steps to create the machines.
 .Prerequisites
 
 * An HTTP or HTTPS server running on your provisioning machine that is accessible to the machines you create.
+* If you want to enable secure boot, you have obtained the appropriate Red Hat Product Signing Key and read link:https://www.ibm.com/docs/en/linux-on-systems?topic=security-secure-boot-linux-onibm-z-linuxone[Secure boot on IBM Z and IBM LinuxONE] in IBM documentation.
 
 .Procedure
 
@@ -61,6 +62,7 @@ The rootfs image is the same for FCP and DASD.
 ====
 +
 . Create parameter files. The following parameters are specific for a particular virtual machine:
+
 ** For `ip=`, specify the following seven entries:
 ... The IP address for the machine.
 ... An empty string.
@@ -71,6 +73,7 @@ The rootfs image is the same for FCP and DASD.
 ... If you use static IP addresses, specify `none`.
 ** For `coreos.inst.ignition_url=`, specify the Ignition file for the machine role. Use `bootstrap.ign`, `master.ign`, or `worker.ign`. Only HTTP and HTTPS protocols are supported.
 ** For `coreos.live.rootfs_url=`, specify the matching rootfs artifact for the kernel and initramfs you are booting. Only HTTP and HTTPS protocols are supported.
+** Optional: To enable secure boot, add `coreos.inst.secure_ipl`
 
 ** For installations on DASD-type disks, complete the following tasks:
 ... For `coreos.inst.install_dev=`, specify `/dev/dasda`.
@@ -84,13 +87,17 @@ Example parameter file, `bootstrap-0.parm`, for the bootstrap machine:
 rd.neednet=1 \
 console=ttysclp0 \
 coreos.inst.install_dev=/dev/dasda \
-coreos.live.rootfs_url=http://cl1.provide.example.com:8080/assets/rhcos-live-rootfs.s390x.img \
-coreos.inst.ignition_url=http://cl1.provide.example.com:8080/ignition/bootstrap.ign \
+coreos.live.rootfs_url=http://<http_server>/rhcos-<version>-live-rootfs.<architecture>.img \// <1>
+coreos.inst.ignition_url=http://<http_server>/bootstrap.ign \// <2>
+coreos.inst.secure_ipl \// <3>
 ip=172.18.78.2::172.18.78.1:255.255.255.0:::none nameserver=172.18.78.1 \
 rd.znet=qeth,0.0.bdf0,0.0.bdf1,0.0.bdf2,layer2=1,portno=0 \
 zfcp.allow_lun_scan=0 \
 rd.dasd=0.0.3490
 ----
+<1> Specify the location of the `rootfs` artifact for the `kernel` and `initramfs` you are booting. Only HTTP and HTTPS protocols are supported.
+<2> Specify the location of the Ignition config file. Use `bootstrap.ign`, `master.ign`, or `worker.ign`. Only HTTP and HTTPS protocols are supported.
+<3> Optional: To enable secure boot, add `coreos.inst.secure_ipl`.
 +
 Write all options in the parameter file as a single line and make sure you have no newline characters.
 
@@ -115,15 +122,15 @@ Additional postinstallation steps are required to fully enable multipathing. For
 ====
 // Add xref once it's allowed.
 +
-The following is an example parameter file `worker-1.parm` for a worker node with multipathing:
+The following is an example parameter file `worker-1.parm` for a compute node with multipathing:
 +
 [source,terminal]
 ----
 rd.neednet=1 \
 console=ttysclp0 \
 coreos.inst.install_dev=/dev/disk/by-id/scsi-<serial_number> \
-coreos.live.rootfs_url=http://cl1.provide.example.com:8080/assets/rhcos-live-rootfs.s390x.img \
-coreos.inst.ignition_url=http://cl1.provide.example.com:8080/ignition/worker.ign \
+coreos.live.rootfs_url=http://<http_server>/rhcos-<version>-live-rootfs.<architecture>.img \
+coreos.inst.ignition_url=http://<http_server>/worker.ign \
 ip=172.18.78.2::172.18.78.1:255.255.255.0:::none nameserver=172.18.78.1 \
 rd.znet=qeth,0.0.bdf0,0.0.bdf1,0.0.bdf2,layer2=1,portno=0 \
 zfcp.allow_lun_scan=0 \
diff --git a/modules/installation-initializing-manual.adoc b/modules/installation-initializing-manual.adoc
index 4441b3a35985..69e7d8419791 100644
--- a/modules/installation-initializing-manual.adoc
+++ b/modules/installation-initializing-manual.adoc
@@ -89,7 +89,7 @@ Installing the cluster requires that you manually create the installation config
 ifdef::vsphere-upi,restricted-upi[]
 [IMPORTANT]
 ====
-The Cluster Cloud Controller Manager Operator performs a connectivity check on a provided hostname or IP address. Ensure that you specify a hostname or an IP address to a reachable vCenter server. If you provide metadata to a non-existent vCenter server, installation of the cluster fails at the bootstrap stage.
+The Cloud Controller Manager Operator performs a connectivity check on a provided hostname or IP address. Ensure that you specify a hostname or an IP address to a reachable vCenter server. If you provide metadata to a non-existent vCenter server, installation of the cluster fails at the bootstrap stage.
 ====
 endif::vsphere-upi,restricted-upi[]
 
diff --git a/modules/installation-initializing.adoc b/modules/installation-initializing.adoc
index 5c7d6ad05883..0d70a507e0a0 100644
--- a/modules/installation-initializing.adoc
+++ b/modules/installation-initializing.adoc
@@ -1,9 +1,5 @@
 // Module included in the following assemblies:
 //
-// * installing/installing_aws/installing-alibaba-default.adoc
-// * installing/installing_aws/installing-alibaba-customizations.adoc
-// * installing/installing_alibaba/installing-alibaba-network-customizations.adoc
-// * installing/installing_aws/installing-alibaba-vpc.adoc
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc
@@ -44,15 +40,6 @@
 // Consider also adding the installation-configuration-parameters.adoc module.
 //YOU MUST SET AN IFEVAL FOR EACH NEW MODULE
 
-ifeval::["{context}" == "installing-alibaba-default"]
-:alibabacloud-default:
-endif::[]
-ifeval::["{context}" == "installing-alibaba-customizations"]
-:alibabacloud-custom:
-endif::[]
-ifeval::["{context}" == "installing-alibaba-vpc"]
-:alibabacloud-vpc:
-endif::[]
 ifeval::["{context}" == "installing-aws-customizations"]
 :aws:
 :three-node-cluster:
@@ -183,9 +170,6 @@ endif::[]
 = Creating the installation configuration file
 
 You can customize the {product-title} cluster you install on
-ifdef::alibabacloud-default,alibabacloud-custom,alibabacloud-vpc[]
-Alibaba Cloud.
-endif::alibabacloud-default,alibabacloud-custom,alibabacloud-vpc[]
 ifdef::aws[]
 Amazon Web Services (AWS).
 endif::aws[]
@@ -279,12 +263,6 @@ endif::ibm-power-vs[]
 ====
 For production {product-title} clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your `ssh-agent` process uses.
 ====
-ifdef::alibabacloud-default,alibabacloud-custom,alibabacloud-vpc[]
-... Select *alibabacloud* as the platform to target.
-... Select the region to deploy the cluster to.
-... Select the base domain to deploy the cluster to. The base domain corresponds to the public DNS zone that you created for your cluster.
-... Provide a descriptive name for your cluster.
-endif::alibabacloud-default,alibabacloud-custom,alibabacloud-vpc[]
 ifdef::aws[]
 ... Select *AWS* as the platform to target.
 ... If you do not have an Amazon Web Services (AWS) profile stored on your computer, enter the AWS
@@ -386,7 +364,6 @@ The installation program connects to Prism Central.
 ... Enter the base domain. This base domain must be the same one that you configured in the DNS records.
 endif::nutanix[]
 ifndef::osp[]
-ifndef::alibabacloud-default,alibabacloud-custom,alibabacloud-vpc[]
 ... Enter a descriptive name for your cluster.
 ifdef::azure[]
 +
@@ -404,7 +381,6 @@ ifdef::vsphere,nutanix[]
 The cluster name you enter must match the cluster name you specified when configuring the DNS records.
 
 endif::vsphere,nutanix[]
-endif::alibabacloud-default,alibabacloud-custom,alibabacloud-vpc[]
 endif::osp[]
 ifdef::osp[]
 ... Enter a name for your cluster. The name must be 14 or fewer characters long.
@@ -419,9 +395,9 @@ ifdef::aws-outposts[]
 You will find more information about how to change these values below.
 endif::aws-outposts[]
 
-ifndef::restricted,alibabacloud-default,alibabacloud-custom,alibabacloud-vpc,nutanix,aws-outposts[]
+ifndef::restricted,nutanix,aws-outposts[]
 . Modify the `install-config.yaml` file. You can find more information about the available parameters in the "Installation configuration parameters" section.
-endif::restricted,alibabacloud-default,alibabacloud-custom,alibabacloud-vpc,nutanix,aws-outposts[]
+endif::restricted,nutanix,aws-outposts[]
 ifdef::three-node-cluster[]
 +
 [NOTE]
@@ -430,28 +406,6 @@ If you are installing a three-node cluster, be sure to set the `compute.replicas
 ====
 endif::three-node-cluster[]
 
-ifdef::alibabacloud-default,alibabacloud-custom,alibabacloud-vpc[]
-. Installing the cluster into Alibaba Cloud requires that the Cloud Credential Operator (CCO) operate in manual mode. Modify the `install-config.yaml` file to set the `credentialsMode` parameter to `Manual`:
-+
-.Example install-config.yaml configuration file with `credentialsMode` set to `Manual`
-[source,yaml]
-----
-apiVersion: v1
-baseDomain: cluster1.example.com
-credentialsMode: Manual <1>
-compute:
-- architecture: amd64
-  hyperthreading: Enabled
- ...
-----
-<1> Add this line to set the `credentialsMode` to `Manual`.
-endif::alibabacloud-default,alibabacloud-custom,alibabacloud-vpc[]
-
-ifdef::alibabacloud-custom,alibabacloud-vpc[]
-. Modify the `install-config.yaml` file. You can find more information about the available parameters in the "Installation configuration parameters" section.
-endif::alibabacloud-custom,alibabacloud-vpc[]
-
-
 ifdef::osp+restricted[]
 . In the `install-config.yaml` file, set the value of `platform.openstack.clusterOSImage` to the image location or name. For example:
 +
@@ -679,15 +633,6 @@ endif::azure[]
 
 ifdef::osp-user[You now have the file `install-config.yaml` in the directory that you specified.]
 
-ifeval::["{context}" == "installing-alibaba-default"]
-:!alibabacloud-default:
-endif::[]
-ifeval::["{context}" == "installing-alibaba-customizations"]
-:!alibabacloud-custom:
-endif::[]
-ifeval::["{context}" == "installing-alibaba-vpc"]
-:!alibabacloud-vpc:
-endif::[]
 ifeval::["{context}" == "installing-aws-customizations"]
 :!aws:
 :!three-node-cluster:
diff --git a/modules/installation-installer-provisioned-vsphere-config-yaml.adoc b/modules/installation-installer-provisioned-vsphere-config-yaml.adoc
index 7af89af033fb..14fbb3c2c900 100644
--- a/modules/installation-installer-provisioned-vsphere-config-yaml.adoc
+++ b/modules/installation-installer-provisioned-vsphere-config-yaml.adoc
@@ -42,7 +42,7 @@ networking:
     hostPrefix: 23
   machineNetwork:
   - cidr: 10.0.0.0/16
-  networkType: OVNKubernetes <9>
+  networkType: OVNKubernetes <11>
   serviceNetwork:
   - 172.30.0.0/16
 endif::network[]
@@ -62,6 +62,8 @@ platform:
         - <VM_Network_name>
         resourcePool: "/<datacenter>/host/<cluster>/Resources/<resourcePool>" <7>
         folder: "/<datacenter_name>/vm/<folder_name>/<subfolder_name>"
+        tagIDs: <8>
+        - <tag_id>  <9>
       zone: <default_zone_name>
     ingressVIPs:
     - 10.0.0.2
@@ -72,9 +74,9 @@ platform:
       port: 443
       server: <fully_qualified_domain_name>
       user: administrator@vsphere.local
-    diskType: thin <8>
+    diskType: thin <10>
 ifdef::restricted[]
-    clusterOSImage: http://mirror.example.com/images/rhcos-47.83.202103221318-0-vmware.x86_64.ova <9>
+    clusterOSImage: http://mirror.example.com/images/rhcos-47.83.202103221318-0-vmware.x86_64.ova <11>
 endif::restricted[]
 ifndef::openshift-origin[]
 fips: false
@@ -83,15 +85,15 @@ ifndef::restricted[]
 pullSecret: '{"auths": ...}'
 endif::restricted[]
 ifdef::restricted[]
-pullSecret: '{"auths":{"<local_registry>": {"auth": "<credentials>","email": "you@example.com"}}}' <10>
+pullSecret: '{"auths":{"<local_registry>": {"auth": "<credentials>","email": "you@example.com"}}}' <12>
 endif::restricted[]
 sshKey: 'ssh-ed25519 AAAA...'
 ifdef::restricted[]
-additionalTrustBundle: | <11>
+additionalTrustBundle: | <13>
   -----BEGIN CERTIFICATE-----
   ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
   -----END CERTIFICATE-----
-imageContentSources: <12>
+imageContentSources: <14>
 - mirrors:
   - <mirror_host_name>:<mirror_port>/<repo_name>/release
   source: <source_image_1>
@@ -114,18 +116,20 @@ You can specify the path of any datastore that exists in a datastore cluster. By
 If you must specify VMs across multiple datastores, use a `datastore` object to specify a failure domain in your cluster's `install-config.yaml` configuration file. For more information, see "VMware vSphere region and zone enablement".
 ====
 <7> Optional: Provides an existing resource pool for machine creation. If you do not specify a value, the installation program uses the root resource pool of the vSphere cluster.
-<8> The vSphere disk provisioning method.
+<8> Optional: Each VM created by {product-title} is assigned a unique tag that is specific to the cluster. The assigned tag enables the installation program to identify and remove the associated VMs when a cluster is decommissioned. You can list up to ten additional tag IDs to be attached to the VMs provisioned by the installation program.
+<9> The ID of the tag to be associated by the installation program. For example, `urn:vmomi:InventoryServiceTag:208e713c-cae3-4b7f-918e-4051ca7d1f97:GLOBAL`. For more information about determining the tag ID, see the link:https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vcenterhost.doc/GUID-E8E854DD-AA97-4E0C-8419-CE84F93C4058.html[vSphere Tags and Attributes documentation].
+<10> The vSphere disk provisioning method.
 ifdef::network[]
-<9> The cluster network plugin to install. The default value `OVNKubernetes` is the only supported value.
+<11> The cluster network plugin to install. The default value `OVNKubernetes` is the only supported value.
 endif::network[]
 ifdef::restricted[]
-<9> The location of the {op-system-first} image that is accessible from the bastion server.
-<10> For `<local_registry>`, specify the registry domain name, and optionally the
+<11> The location of the {op-system-first} image that is accessible from the bastion server.
+<12> For `<local_registry>`, specify the registry domain name, and optionally the
 port, that your mirror registry uses to serve content. For example
 `registry.example.com` or `registry.example.com:5000`. For `<credentials>`,
 specify the base64-encoded user name and password for your mirror registry.
-<11> Provide the contents of the certificate file that you used for your mirror registry.
-<12> Provide the `imageContentSources` section from the output of the command to mirror the repository.
+<13> Provide the contents of the certificate file that you used for your mirror registry.
+<14> Provide the `imageContentSources` section from the output of the command to mirror the repository.
 endif::restricted[]
 
 [NOTE]
diff --git a/modules/installation-launching-installer.adoc b/modules/installation-launching-installer.adoc
index 1bf1c5c68d07..b74127ce6dfb 100644
--- a/modules/installation-launching-installer.adoc
+++ b/modules/installation-launching-installer.adoc
@@ -1,9 +1,5 @@
 // Module included in the following assemblies:
 //
-// * installing/installing_alibaba/installing-alibaba-network-customizations.adoc
-// * installing/installing_alibaba/installing-alibaba-customizations.adoc
-// * installing/installing_alibaba/installing-alibaba-default.adoc
-// * installing/installing_alibaba/installing-alibaba-vpc.adoc
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-default.adoc
 // * installing/installing_aws/installing-aws-government-region.adoc
@@ -50,22 +46,6 @@
 // If you use this module in any other assembly, you must update the ifeval
 // statements.
 
-ifeval::["{context}" == "installing-alibaba-customizations"]
-:custom-config:
-:single-step:
-endif::[]
-ifeval::["{context}" == "installing-alibaba-default"]
-:custom-config:
-:single-step:
-endif::[]
-ifeval::["{context}" == "installing-alibaba-network-customizations"]
-:custom-config:
-:single-step:
-endif::[]
-ifeval::["{context}" == "installing-alibaba-vpc"]
-:custom-config:
-:single-step:
-endif::[]
 ifeval::["{context}" == "installing-aws-private"]
 :custom-config:
 :aws:
@@ -555,22 +535,6 @@ INFO Time elapsed: 36m22s
 * It is recommended that you use Ignition config files within 12 hours after they are generated because the 24-hour certificate rotates from 16 to 22 hours after the cluster is installed. By using the Ignition config files within 12 hours, you can avoid installation failure if the certificate update runs during installation.
 ====
 
-ifeval::["{context}" == "installing-alibaba-customizations"]
-:!custom-config:
-:!single-step:
-endif::[]
-ifeval::["{context}" == "installing-alibaba-default"]
-:!custom-config:
-:!single-step:
-endif::[]
-ifeval::["{context}" == "installing-alibaba-network-customizations"]
-:!custom-config:
-:!single-step:
-endif::[]
-ifeval::["{context}" == "installing-alibaba-vpc"]
-:!custom-config:
-:!single-step:
-endif::[]
 ifeval::["{context}" == "installing-aws-private"]
 :!custom-config:
 :!aws:
diff --git a/modules/installation-network-user-infra.adoc b/modules/installation-network-user-infra.adoc
index 1f1edd705275..20882cf72b60 100644
--- a/modules/installation-network-user-infra.adoc
+++ b/modules/installation-network-user-infra.adoc
@@ -159,7 +159,7 @@ the Cluster Version Operator on port `9099`.
 |`10250`-`10259`
 |The default ports that Kubernetes reserves
 
-.5+|UDP
+.6+|UDP
 |`4789`
 |VXLAN
 
@@ -175,6 +175,11 @@ the Cluster Version Operator on port `9099`.
 |`4500`
 |IPsec NAT-T packets
 
+|`123`
+|Network Time Protocol (NTP) on UDP port `123`
+
+If an external NTP time server is configured, you must open UDP port `123`.
+
 |TCP/UDP
 |`30000`-`32767`
 |Kubernetes node port
diff --git a/modules/installation-nutanix-installer-infra-reqs.adoc b/modules/installation-nutanix-installer-infra-reqs.adoc
index fbf59f5629a0..a40dd335ccc6 100644
--- a/modules/installation-nutanix-installer-infra-reqs.adoc
+++ b/modules/installation-nutanix-installer-infra-reqs.adoc
@@ -133,6 +133,8 @@ You specify these IP addresses when you install the {product-title} cluster.
 === DNS records
 You must create DNS records for two static IP addresses in the appropriate DNS server for the Nutanix instance that hosts your {product-title} cluster. In each record, `<cluster_name>` is the cluster name and `<base_domain>` is the cluster base domain that you specify when you install the cluster.
 
+If you use your own DNS or DHCP server, you must also create records for each node, including the bootstrap, control plane, and compute nodes.
+
 A complete DNS record takes the form: `<component>.<cluster_name>.<base_domain>.`.
 
 .Required DNS records
diff --git a/modules/installation-obtaining-fips-installer-mirror.adoc b/modules/installation-obtaining-fips-installer-mirror.adoc
new file mode 100644
index 000000000000..1409ee5ef838
--- /dev/null
+++ b/modules/installation-obtaining-fips-installer-mirror.adoc
@@ -0,0 +1,24 @@
+// Module included in the following assembly:
+// installing/installing-fips.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="installation-obtaining-fips-installer-mirror_{context}"]
+= Obtaining a FIPS-capable installation program using the public OpenShift mirror
+
+{product-title} requires the use of a FIPS-capable installation binary to install a cluster in FIPS mode. You can obtain this binary by downloading it from the public OpenShift mirror. After you have obtained the binary, proceed with the cluster installation, replacing all instances of the `openshift-install` binary with `openshift-install-fips`.
+
+.Prerequisites
+
+* You have access to the internet.
+
+.Procedure
+
+. Download the installation program from https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest-4.16/openshift-install-rhel9-amd64.tar.gz.
+. Extract the installation program. For example, on a computer that uses a Linux operating system, run the following command:
++
+[source,terminal]
+----
+$ tar -xvf openshift-install-rhel9-amd64.tar.gz
+----
++
+. Proceed with cluster installation, replacing all instances of the `openshift-install` command with `openshift-install-fips`.
diff --git a/modules/installation-obtaining-fips-installer-oc.adoc b/modules/installation-obtaining-fips-installer-oc.adoc
new file mode 100644
index 000000000000..173d287b271f
--- /dev/null
+++ b/modules/installation-obtaining-fips-installer-oc.adoc
@@ -0,0 +1,30 @@
+// Module included in the following assembly:
+// installing/installing-fips.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="installation-obtaining-fips-installer-oc_{context}"]
+= Obtaining a FIPS-capable installation program using `oc adm extract`
+
+{product-title} requires the use of a FIPS-capable installation binary to install a cluster in FIPS mode. You can obtain this binary by extracting it from the release image by using the {oc-first}. After you have obtained the binary, you proceed with the cluster installation, replacing all instances of the `openshift-install` command with `openshift-install-fips`.
+
+.Prerequisites
+
+* You have installed the {oc-first} with version 4.16 or newer.
+
+.Procedure
+
+. Extract the FIPS-capable binary from the installation program by running the following command:
++
+[source,terminal]
+----
+$ oc adm release extract --registry-config "${pullsecret_file}" --command=openshift-install-fips --to "${extract_dir}" ${RELEASE_IMAGE}
+----
++
+where:
++
+--
+`<pullsecret_file>`:: Specifies the name of a file that contains your pull secret.
+`<extract_dir>`:: Specifies the directory where you want to extract the binary.
+`<RELEASE_IMAGE>`:: Specifies the Quay.io URL of the {product-title} release you are using. For more information on finding the release image, see _Extracting the {product-title} installation program_.
+--
+. Proceed with cluster installation, replacing all instances of the `openshift-install` command with `openshift-install-fips`.
diff --git a/modules/installation-obtaining-installer.adoc b/modules/installation-obtaining-installer.adoc
index 45ff48c57699..05d7b1539ba6 100644
--- a/modules/installation-obtaining-installer.adoc
+++ b/modules/installation-obtaining-installer.adoc
@@ -1,7 +1,5 @@
 // Module included in the following assemblies:
 //
-// * installing/installing_alibaba/installing-alibaba-network-customizations.adoc
-// * installing/installing_alibaba/installing-alibaba-vpc.adoc
 // * installing/installing_aws/installing-aws-user-infra.adoc
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-default.adoc
diff --git a/modules/installation-osp-setting-worker-affinity.adoc b/modules/installation-osp-setting-worker-affinity.adoc
index 8f369b029868..cdef531a844f 100644
--- a/modules/installation-osp-setting-worker-affinity.adoc
+++ b/modules/installation-osp-setting-worker-affinity.adoc
@@ -79,7 +79,7 @@ spec:
     spec:
       providerSpec:
         value:
-          apiVersion: openstackproviderconfig.openshift.io/v1alpha1
+          apiVersion: machine.openshift.io/v1alpha1
           cloudName: openstack
           cloudsSecret:
             name: openstack-cloud-credentials
diff --git a/modules/installation-special-config-chrony.adoc b/modules/installation-special-config-chrony.adoc
index 827875829c45..da38d8062e5a 100644
--- a/modules/installation-special-config-chrony.adoc
+++ b/modules/installation-special-config-chrony.adoc
@@ -5,7 +5,7 @@
 // * installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc
 // * installing/installing_gcp/installing-restricted-networks-gcp.adoc
 // * installing/installing_vsphere/installing-restricted-networks-vsphere.adoc
-// * post_installation_configuration/machine-configuration-tasks.adoc
+// * machine_configuration/machine-configs-configure.adoc
 
 
 ifeval::["{context}" == "installing-restricted-networks-bare-metal"]
diff --git a/modules/installation-special-config-raid-intel-vroc.adoc b/modules/installation-special-config-raid-intel-vroc.adoc
new file mode 100644
index 000000000000..9a97695a2eaa
--- /dev/null
+++ b/modules/installation-special-config-raid-intel-vroc.adoc
@@ -0,0 +1,79 @@
+// Module included in the following assemblies:
+//
+// * installing/install_config/installing-customizing.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="installation-special-config-raid-intel-vroc_{context}"]
+== Configuring an Intel(R) Virtual RAID on CPU (VROC) data volume
+
+Intel(R) VROC is a type of hybrid RAID, where some of the maintenance is offloaded to the hardware, but appears as software RAID to the operating system.
+
+The following procedure configures an Intel(R) VROC-enabled RAID1.
+
+.Prerequisites
+
+* You have a system with Intel(R) Volume Management Device (VMD) enabled.
+
+.Procedure
+
+. Create the Intel(R) Matrix Storage Manager (IMSM) RAID container by running the following command:
++
+[source,terminal]
+----
+$ mdadm -CR /dev/md/imsm0 -e \
+  imsm -n2 /dev/nvme0n1 /dev/nvme1n1 <1>
+----
+<1> The RAID device names. In this example, there are two devices listed. If you provide more than two device names, you must adjust the `-n` flag. For example, listing three devices would use the flag `-n3`.
+
+. Create the RAID1 storage inside the container:
+
+.. Create a dummy RAID0 volume in front of the real RAID1 volume by running the following command:
++
+[source,terminal]
+----
+$ mdadm -CR /dev/md/dummy -l0 -n2 /dev/imsm0 -z10m --assume-clean
+----
+
+.. Create the real RAID1 array by running the following command:
++
+[source,terminal]
+----
+$ mdadm -CR /dev/md/coreos -l1 -n2 /dev/imsm0
+----
+
+.. Stop both RAID0 and RAID1 member arrays and delete the dummy RAID0 array with the following commands:
++
+[source,terminal]
+----
+$ mdadm -S /dev/md/dummy \
+  mdadm -S /dev/md/coreos \
+  mdadm --kill-subarray=0 /dev/md/imsm0
+----
+
+.. Restart the RAID1 arrays by running the following command:
++
+[source,terminal]
+----
+$ mdadm -A /dev/md/coreos /dev/md/imsm0
+----
+
+. Install {op-system} on the RAID1 device:
+
+.. Get the UUID of the IMSM container by running the following command:
++
+[source,terminal]
+----
+$ mdadm --details --export /dev/md/imsm0
+----
+
+.. Install {op-system} and include the `rd.md.uuid` kernel argument by running the following command:
++
+[source,terminal]
+----
+$ coreos-installer install /dev/md/coreos \
+  --append-karg rd.md.uuid=<md_UUID> <1>
+  ...
+----
+<1> The UUID of the IMSM container.
++
+Include any additional `coreos-installer` arguments you need to install {op-system}.
diff --git a/modules/installation-user-infra-machines-advanced-customizing-live-iscsi-ibft.adoc b/modules/installation-user-infra-machines-advanced-customizing-live-iscsi-ibft.adoc
new file mode 100644
index 000000000000..67436f29af20
--- /dev/null
+++ b/modules/installation-user-infra-machines-advanced-customizing-live-iscsi-ibft.adoc
@@ -0,0 +1,65 @@
+// Module included in the following assemblies
+//
+// * installing/installing_bare_metal/installing-bare-metal.adoc
+// * installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc
+// * installing_bare_metal/installing-bare-metal-network-customizations.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="installation-user-infra-machines-advanced-customizing-live-{boot}-iscsi-ibft_{context}"]
+= Customizing a live install {boot-media} for an iSCSI boot device with iBFT
+
+You can set the iSCSI target and initiator values for automatic mounting, booting and configuration using a customized version of the live {op-system} image.
+
+.Prerequisites
+. You have an iSCSI target you want to install {op-system} on.
+. Optional: you have multipathed your iSCSI target.
+
+.Procedure
+
+. Download the `coreos-installer` binary from the link:https://mirror.openshift.com/pub/openshift-v4/clients/coreos-installer/latest/[`coreos-installer` image mirror] page.
+
+ifeval::["{boot-media}" == "ISO image"]
+. Retrieve the {op-system} ISO image from the link:https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/latest/[{op-system} image mirror] page and run the following command to customize the ISO image with the following information:
++
+[source,text]
+----
+$ coreos-installer iso customize \
+    --pre-install mount-iscsi.sh \ <1>
+    --post-install unmount-iscsi.sh \ <2>
+    --dest-device /dev/mapper/mpatha \ <3>
+    --dest-ignition config.ign \ <4>
+    --dest-karg-append rd.iscsi.firmware=1 \ <5>
+    --dest-karg-append rd.multipath=default \ <6>
+    -o custom.iso rhcos-<version>-live.x86_64.iso
+----
+<1> The script that gets run before installation. It should contain the `iscsiadm` commands for mounting the iSCSI target and any commands enabling multipathing.
+<2> The script that gets run after installation. It should contain the command `iscsiadm --mode node --logout=all`.
+<3> The path to the device. If you are using multipath, the multipath device, `/dev/mapper/mpatha`, If there are multiple multipath devices connected, or to be explicit, you can use the World Wide Name (WWN) symlink available in `/dev/disk/by-path`.
+<4> The Ignition configuration for the destination system.
+<5> The iSCSI parameter is read from the BIOS firmware.
+<6> Optional: include this parameter if you are enabling multipathing.
+endif::[]
+
+ifeval::["{boot-media}" == "PXE environment"]
+. Retrieve the {op-system} `kernel`, `initramfs` and `rootfs` files from the link:https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/latest/[{op-system} image mirror] page and run the following command to create a new customized `initramfs` file with the following information:
++
+[source,text]
+----
+$ coreos-installer pxe customize \
+    --pre-install mount-iscsi.sh \ <1>
+    --post-install unmount-iscsi.sh \ <2>
+    --dest-device /dev/mapper/mpatha \ <3>
+    --dest-ignition config.ign \ <4>
+    --dest-karg-append rd.iscsi.firmware=1 \ <5>
+    --dest-karg-append rd.multipath=default \ <6>
+    -o custom.img rhcos-<version>-live-initramfs.x86_64.img
+----
+<1> The script that gets run before installation. It should contain the `iscsiadm` commands for mounting the iSCSI target.
+<2> The script that gets run after installation. It should contain the command `iscsiadm --mode node --logout=all`.
+<3> The path to the device. If you are using multipath, the multipath device, `/dev/mapper/mpatha`, If there are multiple multipath devices connected, or to be explicit, you can use the World Wide Name (WWN) symlink available in `/dev/disk/by-path`.
+<4> The Ignition configuration for the destination system.
+<5> The iSCSI parameter is read from the BIOS firmware.
+<6> Optional: include this parameter if you are enabling multipathing.
+endif::[]
++
+For more information about the iSCSI options supported by `dracut`, see the link:https://www.man7.org/linux/man-pages/man7/dracut.cmdline.7.html[`dracut.cmdline` manual page].
diff --git a/modules/installation-user-infra-machines-advanced-customizing-live-iscsi-manual.adoc b/modules/installation-user-infra-machines-advanced-customizing-live-iscsi-manual.adoc
new file mode 100644
index 000000000000..052bd7ce49d9
--- /dev/null
+++ b/modules/installation-user-infra-machines-advanced-customizing-live-iscsi-manual.adoc
@@ -0,0 +1,64 @@
+// Module included in the following assemblies
+//
+// * installing/installing_bare_metal/installing-bare-metal.adoc
+// * installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc
+// * installing_bare_metal/installing-bare-metal-network-customizations.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="installation-user-infra-machines-advanced-customizing-live-{boot}-iscsi-manual_{context}"]
+= Customizing a live install {boot-media} for an iSCSI boot device
+
+You can set the iSCSI target and initiator values for automatic mounting, booting and configuration using a customized version of the live {op-system} image.
+
+.Prerequisites
+. You have an iSCSI target you want to install {op-system} on.
+
+.Procedure
+
+. Download the `coreos-installer` binary from the link:https://mirror.openshift.com/pub/openshift-v4/clients/coreos-installer/latest/[`coreos-installer` image mirror] page.
+
+ifeval::["{boot-media}" == "ISO image"]
+. Retrieve the {op-system} ISO image from the link:https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/latest/[{op-system} image mirror] page and run the following command to customize the ISO image with the following information:
++
+[source,text]
+----
+$ coreos-installer iso customize \
+    --pre-install mount-iscsi.sh \ <1>
+    --post-install unmount-iscsi.sh \ <2>
+    --dest-device /dev/disk/by-path/<IP_address>:<port>-iscsi-<target_iqn>-lun-<lun> \ <3>
+    --dest-ignition config.ign \ <4>
+    --dest-karg-append rd.iscsi.initiator=<initiator_iqn> \ <5>
+    --dest-karg-append netroot=<target_iqn> \ <6>
+    -o custom.iso rhcos-<version>-live.x86_64.iso
+----
+<1> The script that gets run before installation. It should contain the `iscsiadm` commands for mounting the iSCSI target and any commands enabling multipathing.
+<2> The script that gets run after installation. It should contain the command `iscsiadm --mode node --logout=all`.
+<3> The location of the destination system. You must provide the IP address of the target portal, the associated port number, the target iSCSI node in IQN format, and the iSCSI logical unit number (LUN).
+<4> The Ignition configuration for the destination system.
+<5> The iSCSI initiator, or client, name in IQN format. The initiator forms a session to connect to the iSCSI target.
+<6> The the iSCSI target, or server, name in IQN format.
+endif::[]
+
+ifeval::["{boot-media}" == "PXE environment"]
+. Retrieve the {op-system} `kernel`, `initramfs` and `rootfs` files from the link:https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/latest/[{op-system} image mirror] page and run the following command to create a new customized `initramfs` file with the following information:
++
+[source,text]
+----
+$ coreos-installer pxe customize \
+    --pre-install mount-iscsi.sh \ <1>
+    --post-install unmount-iscsi.sh \ <2>
+    --dest-device /dev/disk/by-path/<IP_address>:<port>-iscsi-<target_iqn>-lun-<lun> \ <3>
+    --dest-ignition config.ign \ <4>
+    --dest-karg-append rd.iscsi.initiator=<initiator_iqn> \ <5>
+    --dest-karg-append netroot=<target_iqn> \ <6>
+    -o custom.img rhcos-<version>-live-initramfs.x86_64.img
+----
+<1> The script that gets run before installation. It should contain the `iscsiadm` commands for mounting the iSCSI target and any commands enabling multipathing.
+<2> The script that gets run after installation. It should contain the command `iscsiadm --mode node --logout=all`.
+<3> The location of the destination system. You must provide the IP address of the target portal, the associated port number, the target iSCSI node in IQN format, and the iSCSI logical unit number (LUN).
+<4> The Ignition configuration for the destination system.
+<5> The iSCSI initiator, or client, name in IQN format. The initiator forms a session to connect to the iSCSI target.
+<6> The the iSCSI target, or server, name in IQN format.
+endif::[]
++
+For more information about the iSCSI options supported by `dracut`, see the link:https://www.man7.org/linux/man-pages/man7/dracut.cmdline.7.html[`dracut.cmdline` manual page].
diff --git a/modules/installation-user-infra-machines-iso.adoc b/modules/installation-user-infra-machines-iso.adoc
index 7bea85e9ba9d..aecf008c32e9 100644
--- a/modules/installation-user-infra-machines-iso.adoc
+++ b/modules/installation-user-infra-machines-iso.adoc
@@ -85,10 +85,10 @@ $ openshift-install coreos print-stream-json | grep '\.iso[^.]'
 [source,terminal]
 ifndef::openshift-origin[]
 ----
-"location": "<url>/art/storage/releases/rhcos-4.15-aarch64/<release>/aarch64/rhcos-<release>-live.aarch64.iso",
-"location": "<url>/art/storage/releases/rhcos-4.15-ppc64le/<release>/ppc64le/rhcos-<release>-live.ppc64le.iso",
-"location": "<url>/art/storage/releases/rhcos-4.15-s390x/<release>/s390x/rhcos-<release>-live.s390x.iso",
-"location": "<url>/art/storage/releases/rhcos-4.15/<release>/x86_64/rhcos-<release>-live.x86_64.iso",
+"location": "<url>/art/storage/releases/rhcos-4.16-aarch64/<release>/aarch64/rhcos-<release>-live.aarch64.iso",
+"location": "<url>/art/storage/releases/rhcos-4.16-ppc64le/<release>/ppc64le/rhcos-<release>-live.ppc64le.iso",
+"location": "<url>/art/storage/releases/rhcos-4.16-s390x/<release>/s390x/rhcos-<release>-live.s390x.iso",
+"location": "<url>/art/storage/releases/rhcos-4.16/<release>/x86_64/rhcos-<release>-live.x86_64.iso",
 ----
 endif::openshift-origin[]
 ifdef::openshift-origin[]
diff --git a/modules/installation-user-infra-machines-pxe.adoc b/modules/installation-user-infra-machines-pxe.adoc
index 707e6e0ba6ae..b5bf251c97e9 100644
--- a/modules/installation-user-infra-machines-pxe.adoc
+++ b/modules/installation-user-infra-machines-pxe.adoc
@@ -101,18 +101,18 @@ $ openshift-install coreos print-stream-json | grep -Eo '"https.*(kernel-|initra
 [source,terminal]
 ifndef::openshift-origin[]
 ----
-"<url>/art/storage/releases/rhcos-4.15-aarch64/<release>/aarch64/rhcos-<release>-live-kernel-aarch64"
-"<url>/art/storage/releases/rhcos-4.15-aarch64/<release>/aarch64/rhcos-<release>-live-initramfs.aarch64.img"
-"<url>/art/storage/releases/rhcos-4.15-aarch64/<release>/aarch64/rhcos-<release>-live-rootfs.aarch64.img"
-"<url>/art/storage/releases/rhcos-4.15-ppc64le/49.84.202110081256-0/ppc64le/rhcos-<release>-live-kernel-ppc64le"
-"<url>/art/storage/releases/rhcos-4.15-ppc64le/<release>/ppc64le/rhcos-<release>-live-initramfs.ppc64le.img"
-"<url>/art/storage/releases/rhcos-4.15-ppc64le/<release>/ppc64le/rhcos-<release>-live-rootfs.ppc64le.img"
-"<url>/art/storage/releases/rhcos-4.15-s390x/<release>/s390x/rhcos-<release>-live-kernel-s390x"
-"<url>/art/storage/releases/rhcos-4.15-s390x/<release>/s390x/rhcos-<release>-live-initramfs.s390x.img"
-"<url>/art/storage/releases/rhcos-4.15-s390x/<release>/s390x/rhcos-<release>-live-rootfs.s390x.img"
-"<url>/art/storage/releases/rhcos-4.15/<release>/x86_64/rhcos-<release>-live-kernel-x86_64"
-"<url>/art/storage/releases/rhcos-4.15/<release>/x86_64/rhcos-<release>-live-initramfs.x86_64.img"
-"<url>/art/storage/releases/rhcos-4.15/<release>/x86_64/rhcos-<release>-live-rootfs.x86_64.img"
+"<url>/art/storage/releases/rhcos-4.16-aarch64/<release>/aarch64/rhcos-<release>-live-kernel-aarch64"
+"<url>/art/storage/releases/rhcos-4.16-aarch64/<release>/aarch64/rhcos-<release>-live-initramfs.aarch64.img"
+"<url>/art/storage/releases/rhcos-4.16-aarch64/<release>/aarch64/rhcos-<release>-live-rootfs.aarch64.img"
+"<url>/art/storage/releases/rhcos-4.16-ppc64le/49.84.202110081256-0/ppc64le/rhcos-<release>-live-kernel-ppc64le"
+"<url>/art/storage/releases/rhcos-4.16-ppc64le/<release>/ppc64le/rhcos-<release>-live-initramfs.ppc64le.img"
+"<url>/art/storage/releases/rhcos-4.16-ppc64le/<release>/ppc64le/rhcos-<release>-live-rootfs.ppc64le.img"
+"<url>/art/storage/releases/rhcos-4.16-s390x/<release>/s390x/rhcos-<release>-live-kernel-s390x"
+"<url>/art/storage/releases/rhcos-4.16-s390x/<release>/s390x/rhcos-<release>-live-initramfs.s390x.img"
+"<url>/art/storage/releases/rhcos-4.16-s390x/<release>/s390x/rhcos-<release>-live-rootfs.s390x.img"
+"<url>/art/storage/releases/rhcos-4.16/<release>/x86_64/rhcos-<release>-live-kernel-x86_64"
+"<url>/art/storage/releases/rhcos-4.16/<release>/x86_64/rhcos-<release>-live-initramfs.x86_64.img"
+"<url>/art/storage/releases/rhcos-4.16/<release>/x86_64/rhcos-<release>-live-rootfs.x86_64.img"
 ----
 endif::openshift-origin[]
 ifdef::openshift-origin[]
diff --git a/modules/installation-vsphere-config-yaml.adoc b/modules/installation-vsphere-config-yaml.adoc
index 40aaa9b7bb20..b445a555c386 100644
--- a/modules/installation-vsphere-config-yaml.adoc
+++ b/modules/installation-vsphere-config-yaml.adoc
@@ -150,16 +150,15 @@ If you must specify VMs across multiple datastores, use a `datastore` object to
 +
 [IMPORTANT]
 ====
-The Cluster Cloud Controller Manager Operator performs a connectivity check on a provided hostname or IP address. Ensure that you specify a hostname or an IP address to a reachable vCenter server. If you provide metadata to a non-existent vCenter server, installation of the cluster fails at the bootstrap stage.
+The Cloud Controller Manager Operator performs a connectivity check on a provided hostname or IP address. Ensure that you specify a hostname or an IP address to a reachable vCenter server. If you provide metadata to a non-existent vCenter server, installation of the cluster fails at the bootstrap stage.
 ====
 <13> The vSphere disk provisioning method.
 ifndef::openshift-origin[]
 <14> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
 +
-[IMPORTANT]
-====
-To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. When running {op-system-base-full} or {op-system-first} booted in FIPS mode, {product-title} core components use the {op-system-base} cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.
-====
+--
+include::snippets/fips-snippet.adoc[]
+--
 endif::openshift-origin[]
 ifndef::restricted[]
 ifndef::openshift-origin[]
diff --git a/modules/installation-vsphere-installer-network-requirements.adoc b/modules/installation-vsphere-installer-network-requirements.adoc
index b5aee272a164..6492f1552a40 100644
--- a/modules/installation-vsphere-installer-network-requirements.adoc
+++ b/modules/installation-vsphere-installer-network-requirements.adoc
@@ -18,6 +18,10 @@ Review the following details about the required network ports.
 |Port
 |Description
 
+|VRRP
+|N/A
+|Required for keepalived
+
 |ICMP
 |N/A
 |Network reachability tests
diff --git a/modules/installation-vsphere-machines.adoc b/modules/installation-vsphere-machines.adoc
index d331dc3015dc..90cba21cb835 100644
--- a/modules/installation-vsphere-machines.adoc
+++ b/modules/installation-vsphere-machines.adoc
@@ -79,7 +79,7 @@ If you plan to add more compute machines to your cluster after you finish instal
 ====
 
 ifndef::openshift-origin[]
-. Obtain the {op-system} OVA image. Images are available from the link:https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/4.15/[{op-system} image mirror] page.
+. Obtain the {op-system} OVA image. Images are available from the link:https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/4.16/[{op-system} image mirror] page.
 +
 [IMPORTANT]
 ====
diff --git a/modules/installing-aws-load-balancer-operator-cli.adoc b/modules/installing-aws-load-balancer-operator-cli.adoc
index ca5acfebcded..658f3df434a9 100644
--- a/modules/installing-aws-load-balancer-operator-cli.adoc
+++ b/modules/installing-aws-load-balancer-operator-cli.adoc
@@ -77,7 +77,7 @@ spec:
   channel: stable-v1
   installPlanApproval: Automatic
   name: aws-load-balancer-operator
-  source: qe-app-registry
+  source: redhat-operators
   sourceNamespace: openshift-marketplace
 ----
 
diff --git a/modules/installing-oci-about-agent-based-installer.adoc b/modules/installing-oci-about-agent-based-installer.adoc
index f5e98673477d..162c28b5364a 100644
--- a/modules/installing-oci-about-agent-based-installer.adoc
+++ b/modules/installing-oci-about-agent-based-installer.adoc
@@ -8,11 +8,16 @@
 
 You can install an {product-title} cluster on {oci-first} by using the Agent-based Installer. Both Red Hat and Oracle test, validate, and support running {oci} and {ocvs-first} workloads in an {product-title} cluster on {oci}.
 
-:FeatureName: Using the Agent-based Installer to install an {product-title} cluster on {oci} that is configured with a virtual machine (VM) compute instance
-include::snippets/technology-preview.adoc[]
-
 The Agent-based installer provides the ease of use of the Assisted Installation service, but with the capability to install a cluster in either a connected or disconnected environment.
 
+The following diagrams show workflows for connected and disconnected environments:
+
+.Workflow for using the Agent-based installer in a connected environment to install a cluster on {oci}
+image::684_OpenShift_Installing_on_OCI_0624-connected.png[Image of a high-level workflow for using the Agent-based installer in a connected environment to install a cluster on {oci}]
+
+.Workflow for using the Agent-based installer in a disconnected environment to install a cluster on {oci}
+image::684_OpenShift_Installing_on_OCI_0624-disconnected.png[Image of a high-level workflow for using the Agent-based installer in a disconnected environment to install a cluster on {oci}]
+
 {oci} provides services that can meet your regulatory compliance, performance, and cost-effectiveness needs. {oci} supports 64-bit `x86` instances and 64-bit `ARM` instances. Additionally, {oci} provides an {ocvs} service where you can move VMware workloads to {oci} with minimal application re-architecture.
 
 [NOTE]
diff --git a/modules/installing-oci-about-assisted-installer.adoc b/modules/installing-oci-about-assisted-installer.adoc
index 70790a269c80..271bec23681a 100644
--- a/modules/installing-oci-about-assisted-installer.adoc
+++ b/modules/installing-oci-about-assisted-installer.adoc
@@ -10,9 +10,6 @@ You can run cluster workloads on {oci-first} infrastructure that supports dedica
 
 The {ai-full} supports the {oci} platform, and you can use the {ai-full} to access an intuitive interactive workflow for the purposes of automating cluster installation tasks on {oci}.
 
-:FeatureName: Using the {ai-full} to install an {product-title} cluster on OCI
-include::snippets/technology-preview.adoc[]
-
 {oci} provides services that can meet your needs for regulatory compliance, performance, and cost-effectiveness. You can access {oci} Resource Manager configurations to provision and configure {oci} resources.
 
 [IMPORTANT]
diff --git a/modules/installing-ocp-agent-boot.adoc b/modules/installing-ocp-agent-boot.adoc
index 45cd8812b1ca..97cb3a50a5db 100644
--- a/modules/installing-ocp-agent-boot.adoc
+++ b/modules/installing-ocp-agent-boot.adoc
@@ -19,4 +19,4 @@ $ openshift-install --dir <install_directory> agent create image
 +
 NOTE: Red Hat Enterprise Linux CoreOS (RHCOS) supports multipathing on the primary disk, allowing stronger resilience to hardware failure to achieve higher host availability. Multipathing is enabled by default in the agent ISO image, with a default `/etc/multipath.conf` configuration.
 
-. Boot the `agent.x86_64.iso` or `agent.aarch64.iso` image on the bare metal machines.
+. Boot the `agent.x86_64.iso`, `agent.aarch64.iso`, or `agent.s390x.iso` image on the bare metal machines.
\ No newline at end of file
diff --git a/modules/installing-ocp-agent-download.adoc b/modules/installing-ocp-agent-download.adoc
index d2877c3a69e9..b2d999786857 100644
--- a/modules/installing-ocp-agent-download.adoc
+++ b/modules/installing-ocp-agent-download.adoc
@@ -9,11 +9,6 @@
 
 Use this procedure to download the Agent-based Installer and the CLI needed for your installation.
 
-[NOTE]
-====
-Currently, downloading the Agent-based Installer is not supported on the {ibm-z-name} (`s390x`) architecture. The recommended method is by creating PXE assets.
-====
-
 .Procedure
 
 . Log in to the {product-title} web console using your login credentials.
diff --git a/modules/installing-ocp-agent-ibm-z-kvm.adoc b/modules/installing-ocp-agent-ibm-z-kvm.adoc
index 26f7a83afd75..142a8a45bb9f 100644
--- a/modules/installing-ocp-agent-ibm-z-kvm.adoc
+++ b/modules/installing-ocp-agent-ibm-z-kvm.adoc
@@ -1,6 +1,11 @@
 // Module included in the following assemblies:
 //
 // * installing/installing_with_agent_based_installer/prepare-pxe-infra-agent.adoc
+// * installing/installing_with_agent_based_installer/installing-with-agent-based-installer.adoc
+
+ifeval::["{context}" == "prepare-pxe-assets-agent"]
+:pxe-boot:
+endif::[]
 
 :_mod-docs-content-type: PROCEDURE
 [id="installing-ocp-agent-ibm-z-kvm_{context}"]
@@ -8,11 +13,18 @@
 
 Use the following procedure to manually add {ibm-z-name} agents with {op-system-base} KVM.
 
+[NOTE]
+====
+Currently, ISO boot support on {ibm-z-name} (`s390x`) is available only for {op-system-base} KVM, which provides the flexibility to choose either PXE or ISO-based installation.
+For installations with z/VM, only PXE boot is supported.
+====
 .Procedure
 
 . Boot your {op-system-base} KVM machine.
 
 . To deploy the virtual server, run the `virt-install` command with the following parameters:
+
+ifdef::pxe-boot[]
 +
 [source,terminal]
 ----
@@ -37,4 +49,30 @@ $ virt-install \
    --extra-args "coreos.inst.persistent-kargs=console=tty1 console=ttyS1,115200n8" \
    --osinfo detect=on,require=off
 ----
-<1> For the `--location` parameter, specify the location of the kernel/initrd on the HTTP or HTTPS server.
\ No newline at end of file
+<1> For the `--location` parameter, specify the location of the kernel/initrd on the HTTP or HTTPS server.
+endif::pxe-boot[]
+
+ifndef::pxe-boot[]
++
+[source,terminal]
+----
+$ virt-install
+    --name <vm_name> \
+    --autostart \
+    --memory=<memory> \
+    --cpu host \
+    --vcpus=<vcpus> \
+    --cdrom <agent.iso_image> \ <1>
+    --disk pool=default,size=<disk_pool_size> \
+    --network network:default,mac=<mac_address> \
+    --graphics none \
+    --noautoconsole \
+    --os-variant rhel9.0 \
+    --wait=-1
+----
+<1> For the `--cdrom` parameter, specify the location of the ISO image on the HTTP or HTTPS server.
+endif::pxe-boot[]
+
+ifeval::["{context}" == "prepare-pxe-assets-agent"]
+:!pxe-boot:
+endif::[]
\ No newline at end of file
diff --git a/modules/installing-ocp-agent-ibm-z.adoc b/modules/installing-ocp-agent-ibm-z.adoc
index 15d4ab15516c..167f52fe1579 100644
--- a/modules/installing-ocp-agent-ibm-z.adoc
+++ b/modules/installing-ocp-agent-ibm-z.adoc
@@ -8,11 +8,6 @@
 
 After creating the PXE assets, you can add {ibm-z-name} agents.
 
-[NOTE]
-====
-Currently ISO boot is not supported on {ibm-z-name} (`s390x`) architecture. Therefore, manually adding {ibm-z-name} agents is required for Agent-based installations on {ibm-z-name}.
-====
-
 Depending on your {ibm-z-name} environment, you can choose from the following options:
 
 * Adding {ibm-z-name} agents with z/VM
diff --git a/modules/installing-ocp-agent-inputs.adoc b/modules/installing-ocp-agent-inputs.adoc
index bd3263a44dc8..617740739189 100644
--- a/modules/installing-ocp-agent-inputs.adoc
+++ b/modules/installing-ocp-agent-inputs.adoc
@@ -77,7 +77,9 @@ pullSecret: '<pull_secret>' // <5>
 sshKey: '<ssh_pub_key>' // <6>
 EOF
 ----
-<1> Specify the system architecture, valid values are `amd64`, `arm64`, `ppc64le`, and `s390x`.
+<1> Specify the system architecture. Valid values are `amd64`, `arm64`, `ppc64le`, and `s390x`. 
++
+If you are using the release image with the `multi` payload, you can install the cluster on different architectures such as `arm64`, `amd64`, `s390x`, and `ppc64le`. Otherwise, you can install the cluster only on the `release architecture` displayed in the output of the `openshift-install version` command. For more information, see "Verifying the supported architecture for installing an Agent-based Installer cluster".
 <2> Required. Specify your cluster name.
 <3> The cluster network plugin to install. The default value `OVNKubernetes` is the only supported value.
 <4> Specify your platform.
diff --git a/modules/ipi-install-additional-install-config-parameters.adoc b/modules/ipi-install-additional-install-config-parameters.adoc
index 987b0e710632..6ead5f9074a9 100644
--- a/modules/ipi-install-additional-install-config-parameters.adoc
+++ b/modules/ipi-install-additional-install-config-parameters.adoc
@@ -38,7 +38,7 @@ and the `bmc` parameter for the `install-config.yaml` file.
 
 | `sshKey`
 |
-| The `sshKey` configuration setting contains the key in the `~/.ssh/id_rsa.pub` file required to access the control plane nodes and worker nodes. Typically, this key is from the `provisioner` node.
+| The `sshKey` configuration setting contains the key in the `~/.ssh/id_rsa.pub` file required to access the control plane nodes and compute nodes. Typically, this key is from the `provisioner` node.
 
 | `pullSecret`
 |
@@ -69,7 +69,7 @@ compute:
   - name: worker
 ----
 |
-|The {product-title} cluster requires a name be provided for worker (or compute) nodes even if there are zero nodes.
+|The {product-title} cluster requires a name be provided for compute nodes even if there are zero nodes.
 
 
 a|
@@ -78,7 +78,7 @@ compute:
     replicas: 2
 ----
 |
-|Replicas sets the number of worker (or compute) nodes in the {product-title} cluster.
+|Replicas sets the number of compute nodes in the {product-title} cluster.
 
 
 a|
@@ -87,7 +87,7 @@ controlPlane:
     name: master
 ----
 |
-|The {product-title} cluster requires a name for control plane (master) nodes.
+|The {product-title} cluster requires a name for control plane nodes.
 
 
 a|
@@ -96,7 +96,7 @@ controlPlane:
     replicas: 3
 ----
 |
-|Replicas sets the number of control plane (master) nodes included as part of the {product-title} cluster.
+|Replicas sets the number of control plane nodes included as part of the {product-title} cluster.
 
 a| `provisioningNetworkInterface` |  | The name of the network interface on nodes connected to the provisioning network. For {product-title} 4.9 and later releases, use the `bootMACAddress` configuration setting to enable Ironic to identify the IP address of the NIC instead of using the `provisioningNetworkInterface` configuration setting to identify the name of the NIC.
 
@@ -211,7 +211,7 @@ The `hosts` parameter is a list of separate bare metal assets used to build the
 
 | `role`
 |
-| The role of the bare metal node. Either `master` or `worker`.
+| The role of the bare metal node. Either `master` (control plane node) or `worker` (compute node).
 
 
 | `bmc`
diff --git a/modules/ipi-install-bmc-addressing.adoc b/modules/ipi-install-bmc-addressing.adoc
index 3af78860f1d1..c6fab569edd4 100644
--- a/modules/ipi-install-bmc-addressing.adoc
+++ b/modules/ipi-install-bmc-addressing.adoc
@@ -8,6 +8,8 @@
 
 Most vendors support Baseboard Management Controller (BMC) addressing with the Intelligent Platform Management Interface (IPMI). IPMI does not encrypt communications. It is suitable for use within a data center over a secured or dedicated management network. Check with your vendor to see if they support Redfish network boot. Redfish delivers simple and secure management for converged, hybrid IT and the Software Defined Data Center (SDDC). Redfish is human readable and machine capable, and leverages common internet and web services standards to expose information directly to the modern tool chain. If your hardware does not support Redfish network boot, use IPMI.
 
+You can modify the BMC address during installation while the node is in the `Registering` state. If you need to modify the BMC address after the node leaves the `Registering` state, you must disconnect the node from Ironic, edit the `BareMetalHost` resource, and reconnect the node to Ironic. See the _Editing a BareMetalHost resource_ section for details.
+
 [discrete]
 == IPMI
 
@@ -64,62 +66,4 @@ platform:
           password: <password>
           disableCertificateVerification: True
 ----
-[discrete]
-== Redfish APIs
-
-Several redfish API endpoints are called onto your BCM when using the bare-metal installer-provisioned infrastructure.
-
-[IMPORTANT]
-====
-You need to ensure that your BMC supports all of the redfish APIs before installation.
-====
 
-List of redfish APIs::
-* Power on
-+
-[source,terminal]
-----
-curl -u $USER:$PASS -X POST -H'Content-Type: application/json' -H'Accept: application/json' -d '{"ResetType": "On"}' https://$SERVER/redfish/v1/Systems/$SystemID/Actions/ComputerSystem.Reset
-----
-* Power off
-+
-[source,terminal]
-----
-curl -u $USER:$PASS -X POST -H'Content-Type: application/json' -H'Accept: application/json' -d '{"ResetType": "ForceOff"}' https://$SERVER/redfish/v1/Systems/$SystemID/Actions/ComputerSystem.Reset
-----
-* Temporary boot using `pxe`
-+
-[source,terminal]
-----
-curl -u $USER:$PASS -X PATCH -H "Content-Type: application/json"  https://$Server/redfish/v1/Systems/$SystemID/ -d '{"Boot": {"BootSourceOverrideTarget": "pxe", "BootSourceOverrideEnabled": "Once"}}
-----
-* Set BIOS boot mode using `Legacy` or `UEFI`
-+
-[source,terminal]
-----
-curl -u $USER:$PASS -X PATCH -H "Content-Type: application/json"  https://$Server/redfish/v1/Systems/$SystemID/ -d '{"Boot": {"BootSourceOverrideMode":"UEFI"}}
-----
-
-List of redfish-virtualmedia APIs::
-* Set temporary boot device using `cd` or `dvd`
-+
-[source,terminal]
-----
-curl -u $USER:$PASS -X PATCH -H "Content-Type: application/json" https://$Server/redfish/v1/Systems/$SystemID/ -d '{"Boot": {"BootSourceOverrideTarget": "cd", "BootSourceOverrideEnabled": "Once"}}'
-----
-* Mount virtual media
-+
-[source,terminal]
-----
-curl -u $USER:$PASS -X PATCH -H "Content-Type: application/json" -H "If-Match: *" https://$Server/redfish/v1/Managers/$ManagerID/VirtualMedia/$VmediaId -d '{"Image": "https://example.com/test.iso", "TransferProtocolType": "HTTPS", "UserName": "", "Password":""}'
-----
-
-[NOTE]
-====
-The `PowerOn` and `PowerOff` commands for redfish APIs are the same for the redfish-virtualmedia APIs.
-====
-
-[IMPORTANT]
-====
-`HTTPS` and `HTTP` are the only supported parameter types for `TransferProtocolTypes`.
-====
diff --git a/modules/ipi-install-configure-network-components-to-run-on-the-control-plane.adoc b/modules/ipi-install-configure-network-components-to-run-on-the-control-plane.adoc
index 048a99ffeaa5..b53b3e83e941 100644
--- a/modules/ipi-install-configure-network-components-to-run-on-the-control-plane.adoc
+++ b/modules/ipi-install-configure-network-components-to-run-on-the-control-plane.adoc
@@ -12,18 +12,18 @@ endif::[]
 [id='configure-network-components-to-run-on-the-control-plane_{context}']
 = Configuring network components to run on the control plane
 
-You can configure networking components to run exclusively on the control plane nodes. By default, {product-title} allows any node in the machine config pool to host the `ingressVIP` virtual IP address. However, some environments deploy worker nodes in separate subnets from the control plane nodes, which requires configuring the `ingressVIP` virtual IP address to run on the control plane nodes.
+You can configure networking components to run exclusively on the control plane nodes. By default, {product-title} allows any node in the machine config pool to host the `ingressVIP` virtual IP address. However, some environments deploy compute nodes in separate subnets from the control plane nodes, which requires configuring the `ingressVIP` virtual IP address to run on the control plane nodes.
 
 ifdef::vSphere[]
 [NOTE]
 ====
-You can scale the remote workers by creating a worker machineset in a separate subnet.
+You can scale the remote nodes by creating a compute machine set in a separate subnet.
 ====
 endif::vSphere[]
 
 [IMPORTANT]
 ====
-When deploying remote workers in separate subnets, you must place the `ingressVIP` virtual IP address exclusively with the control plane nodes.
+When deploying remote nodes in separate subnets, you must place the `ingressVIP` virtual IP address exclusively with the control plane nodes.
 ====
 
 ifdef::bare[]
diff --git a/modules/ipi-install-configuring-host-network-interfaces-for-subnets.adoc b/modules/ipi-install-configuring-host-network-interfaces-for-subnets.adoc
index e9512fac5dc4..a0b1a06752fe 100644
--- a/modules/ipi-install-configuring-host-network-interfaces-for-subnets.adoc
+++ b/modules/ipi-install-configuring-host-network-interfaces-for-subnets.adoc
@@ -33,7 +33,7 @@ networking:
   networkType: OVNKubernetes
 ----
 
-. Add the gateway and DNS configuration to the `networkConfig` parameter of each edge worker node using NMState syntax when using a static IP address or advanced networking such as bonds:
+. Add the gateway and DNS configuration to the `networkConfig` parameter of each edge compute node using NMState syntax when using a static IP address or advanced networking such as bonds:
 +
 [source,yaml]
 ----
diff --git a/modules/ipi-install-configuring-ntp-for-disconnected-clusters.adoc b/modules/ipi-install-configuring-ntp-for-disconnected-clusters.adoc
index 28e59d63d1a7..e5fdbf54dfa3 100644
--- a/modules/ipi-install-configuring-ntp-for-disconnected-clusters.adoc
+++ b/modules/ipi-install-configuring-ntp-for-disconnected-clusters.adoc
@@ -12,15 +12,15 @@
 
 {product-title} installs the `chrony` Network Time Protocol (NTP) service on the cluster nodes.
 ifeval::["{context}" == "ipi-install-configuration-files"]
-Use the following procedure to configure NTP servers on the control plane nodes and configure worker nodes as NTP clients of the control plane nodes before deployment.
+Use the following procedure to configure NTP servers on the control plane nodes and configure compute nodes as NTP clients of the control plane nodes before deployment.
 endif::[]
 ifeval::["{context}" == "ipi-install-post-installation-configuration"]
-Use the following procedure to configure NTP servers on the control plane nodes and configure worker nodes as NTP clients of the control plane nodes after a successful deployment.
+Use the following procedure to configure NTP servers on the control plane nodes and configure compute nodes as NTP clients of the control plane nodes after a successful deployment.
 endif::[]
 
 image::152_OpenShift_Config_NTP_0421.png[Configuring NTP for disconnected clusters]
 
-{product-title} nodes must agree on a date and time to run properly. When worker nodes retrieve the date and time from the NTP servers on the control plane nodes, it enables the installation and operation of clusters that are not connected to a routable network and thereby do not have access to a higher stratum NTP server.
+{product-title} nodes must agree on a date and time to run properly. When compute nodes retrieve the date and time from the NTP servers on the control plane nodes, it enables the installation and operation of clusters that are not connected to a routable network and thereby do not have access to a higher stratum NTP server.
 
 .Procedure
 
@@ -69,7 +69,7 @@ storage:
           logdir /var/log/chrony
 
           # Configure the control plane nodes to serve as local NTP servers
-          # for all worker nodes, even if they are not in sync with an
+          # for all compute nodes, even if they are not in sync with an
           # upstream NTP server.
 
           # Allow NTP client access from the local network.
@@ -87,7 +87,7 @@ storage:
 $ butane 99-master-chrony-conf-override.bu -o 99-master-chrony-conf-override.yaml
 ----
 
-. Create a Butane config, `99-worker-chrony-conf-override.bu`, including the contents of the `chrony.conf` file for the worker nodes that references the NTP servers on the control plane nodes.
+. Create a Butane config, `99-worker-chrony-conf-override.bu`, including the contents of the `chrony.conf` file for the compute nodes that references the NTP servers on the control plane nodes.
 +
 [source,yaml,subs="attributes+"]
 .Butane config example
@@ -161,7 +161,7 @@ $ oc apply -f 99-master-chrony-conf-override.yaml
 machineconfig.machineconfiguration.openshift.io/99-master-chrony-conf-override created
 ----
 
-. Apply the `99-worker-chrony-conf-override.yaml` policy to the worker nodes.
+. Apply the `99-worker-chrony-conf-override.yaml` policy to the compute nodes.
 +
 [source,terminal]
 ----
diff --git a/modules/ipi-install-configuring-the-install-config-file.adoc b/modules/ipi-install-configuring-the-install-config-file.adoc
index 1e88f80709b6..f55412c29dac 100644
--- a/modules/ipi-install-configuring-the-install-config-file.adoc
+++ b/modules/ipi-install-configuring-the-install-config-file.adoc
@@ -93,7 +93,7 @@ sshKey: '<ssh_pub_key>'
 ----
 +
 --
-<1> Scale the worker machines based on the number of worker nodes that are part of the {product-title} cluster. Valid options for the `replicas` value are `0` and integers greater than or equal to `2`. Set the number of replicas to `0` to deploy a three-node cluster, which contains only three control plane machines. A three-node cluster is a smaller, more resource-efficient cluster that can be used for testing, development, and production. You cannot install the cluster with only one worker.
+<1> Scale the compute machines based on the number of compute nodes that are part of the {product-title} cluster. Valid options for the `replicas` value are `0` and integers greater than or equal to `2`. Set the number of replicas to `0` to deploy a three-node cluster, which contains only three control plane machines. A three-node cluster is a smaller, more resource-efficient cluster that can be used for testing, development, and production. You cannot install the cluster with only one compute node.
 <2> When deploying a cluster with static IP addresses, you must set the `bootstrapExternalStaticIP` configuration setting to specify the static IP address of the bootstrap VM when there is no DHCP server on the bare-metal network.
 <3> When deploying a cluster with static IP addresses, you must set the `bootstrapExternalStaticGateway` configuration setting to specify the gateway IP address for the bootstrap VM when there is no DHCP server on the bare-metal network.
 <4> When deploying a cluster with static IP addresses, you must set the `bootstrapExternalStaticDNS` configuration setting to specify the DNS address for the bootstrap VM when there is no DHCP server on the bare-metal network.
diff --git a/modules/ipi-install-deploying-routers-on-worker-nodes.adoc b/modules/ipi-install-deploying-routers-on-worker-nodes.adoc
index c0066f4bfe6a..f0434bfb92ef 100644
--- a/modules/ipi-install-deploying-routers-on-worker-nodes.adoc
+++ b/modules/ipi-install-deploying-routers-on-worker-nodes.adoc
@@ -5,18 +5,18 @@
 
 :_mod-docs-content-type: PROCEDURE
 [id="deploying-routers-on-worker-nodes_{context}"]
-= Optional: Deploying routers on worker nodes
+= Optional: Deploying routers on compute nodes
 
-During installation, the installer deploys router pods on worker nodes. By default, the installer installs two router pods. If a deployed cluster requires additional routers to handle external traffic loads destined for services within the {product-title} cluster, you can create a `yaml` file to set an appropriate number of router replicas.
+During installation, the installation program deploys router pods on compute nodes. By default, the installation program installs two router pods. If a deployed cluster requires additional routers to handle external traffic loads destined for services within the {product-title} cluster, you can create a `yaml` file to set an appropriate number of router replicas.
 
 [IMPORTANT]
 ====
-Deploying a cluster with only one worker node is not supported. While modifying the router replicas will address issues with the `degraded` state when deploying with one worker, the cluster loses high availability for the ingress API, which is not suitable for production environments.
+Deploying a cluster with only one compute node is not supported. While modifying the router replicas will address issues with the `degraded` state when deploying with one compute node, the cluster loses high availability for the ingress API, which is not suitable for production environments.
 ====
 
 [NOTE]
 ====
-By default, the installer deploys two routers. If the cluster has no worker nodes, the installer deploys the two routers on the control plane nodes by default.
+By default, the installation program deploys two routers. If the cluster has no compute nodes, the installation program deploys the two routers on the control plane nodes by default.
 ====
 
 .Procedure
@@ -42,7 +42,7 @@ spec:
 +
 [NOTE]
 ====
-Replace `<num-of-router-pods>` with an appropriate value. If working with just one worker node, set `replicas:` to `1`. If working with more than 3 worker nodes, you can increase `replicas:` from the default value `2` as appropriate.
+Replace `<num-of-router-pods>` with an appropriate value. If working with just one compute node, set `replicas:` to `1`. If working with more than 3 compute nodes, you can increase `replicas:` from the default value `2` as appropriate.
 ====
 
 . Save and copy the `router-replicas.yaml` file to the `clusterconfigs/openshift` directory:
diff --git a/modules/ipi-install-establishing-communication-between-subnets.adoc b/modules/ipi-install-establishing-communication-between-subnets.adoc
index 85f3260beb8f..8dd2d4df5ffa 100644
--- a/modules/ipi-install-establishing-communication-between-subnets.adoc
+++ b/modules/ipi-install-establishing-communication-between-subnets.adoc
@@ -23,7 +23,7 @@ Running control plane nodes in a multiple subnet environment requires completion
 Deploying a cluster with multiple subnets requires using virtual media, such as `redfish-virtualmedia` and `idrac-virtualmedia`.
 ====
 
-The procedure details the network configuration required to allow the remote nodes in the second subnet to communicate effectively with the control plane nodes in the first subnet and to allow the control plane nodes in the first subnet to communicate effectively with the remote nodes in the second subnet.
+This procedure details the network configuration required to allow the remote compute nodes in the second subnet to communicate effectively with the control plane nodes in the first subnet and to allow the control plane nodes in the first subnet to communicate effectively with the remote compute nodes in the second subnet.
 
 In this procedure, the cluster spans two subnets:
 
@@ -89,7 +89,7 @@ Adjust the commands to match your actual interface names and gateway.
 
 . Configure the second subnet to communicate with the first subnet:
 
-.. Log in as `root` to a remote worker node by running the following command:
+.. Log in as `root` to a remote compute node by running the following command:
 +
 [source,terminal]
 ----
@@ -135,7 +135,7 @@ Replace `<interface_name>` with the interface name.
 # ip route
 ----
 
-.. Repeat the previous steps for each worker node in the second subnet.
+.. Repeat the previous steps for each compute node in the second subnet.
 +
 [NOTE]
 ====
@@ -160,4 +160,4 @@ If the ping is successful, it means the control plane nodes in the first subnet
 $ ping <control_plane_node_ip_address>
 ----
 +
-If the ping is successful, it means the remote nodes in the second subnet can reach the control plane in the first subnet. If you do not receive a response, review the network configurations and repeat the procedure for the node.
+If the ping is successful, it means the remote compute nodes in the second subnet can reach the control plane in the first subnet. If you do not receive a response, review the network configurations and repeat the procedure for the node.
diff --git a/modules/ipi-install-modifying-install-config-for-dual-stack-network.adoc b/modules/ipi-install-modifying-install-config-for-dual-stack-network.adoc
index 4c7dd83fb007..4d5326a44d0b 100644
--- a/modules/ipi-install-modifying-install-config-for-dual-stack-network.adoc
+++ b/modules/ipi-install-modifying-install-config-for-dual-stack-network.adoc
@@ -28,9 +28,10 @@ serviceNetwork:
 - fd03::/112
 ----
 
+ifndef::vsphere[]
 [IMPORTANT]
 ====
-If you specified an NMState configuration in the `networkConfig` section of your `install-config.yaml` file, ensure you add `interfaces.wait-ip: ipv4+ipv6` to the NMState YAML file to resolve an issue that prevents your cluster from deploying on a dual-stack network.
+On a bare-metal platform, if you specified an NMState configuration in the `networkConfig` section of your `install-config.yaml` file, add `interfaces.wait-ip: ipv4+ipv6` to the NMState YAML file to resolve an issue that prevents your cluster from deploying on a dual-stack network.
 
 .Example NMState YAML configuration file that includes the `wait-ip` parameter
 [source,yaml]
@@ -44,6 +45,7 @@ networkConfig:
 # ...
 ----
 ====
+endif::vsphere[]
 
 To provide an interface to the cluster for applications that use IPv4 and IPv6 addresses, configure IPv4 and IPv6 virtual IP (VIP) address endpoints for the Ingress VIP and API VIP services. To configure IPv4 and IPv6 address endpoints, edit the `apiVIPs` and `ingressVIPs` configuration settings in the `install-config.yaml` file . The `apiVIPs` and `ingressVIPs` configuration settings use a list format. The order of the list indicates the primary and secondary VIP address for each service.
 
diff --git a/modules/ipi-install-replacing-a-bare-metal-control-plane-node.adoc b/modules/ipi-install-replacing-a-bare-metal-control-plane-node.adoc
index 34fd4521d282..57f7fa4484ef 100644
--- a/modules/ipi-install-replacing-a-bare-metal-control-plane-node.adoc
+++ b/modules/ipi-install-replacing-a-bare-metal-control-plane-node.adoc
@@ -82,7 +82,6 @@ spec:
   bootMACAddress: <NIC1_mac_address> <5>
   bootMode: UEFI
   externallyProvisioned: false
-  hardwareProfile: unknown
   online: true
 EOF
 ----
diff --git a/modules/ipi-install-troubleshooting-cluster-nodes-will-not-pxe.adoc b/modules/ipi-install-troubleshooting-cluster-nodes-will-not-pxe.adoc
index de7c53a063ac..af1bd44f5959 100644
--- a/modules/ipi-install-troubleshooting-cluster-nodes-will-not-pxe.adoc
+++ b/modules/ipi-install-troubleshooting-cluster-nodes-will-not-pxe.adoc
@@ -14,18 +14,16 @@ When {product-title} cluster nodes will not PXE boot, execute the following chec
 
 . Ensure PXE is enabled on the NIC for the `provisioning` network and PXE is disabled for all other NICs.
 
-. Verify that the `install-config.yaml` configuration file has the proper hardware profile and boot MAC address for the NIC connected to the `provisioning` network. For example:
+. Verify that the `install-config.yaml` configuration file includes the `rootDeviceHints` parameter and boot MAC address for the NIC connected to the `provisioning` network. For example:
 +
 .control plane node settings
 +
 ----
 bootMACAddress: 24:6E:96:1B:96:90 # MAC of bootable provisioning NIC
-hardwareProfile: default          #control plane node settings
 ----
 +
 .Worker node settings
 +
 ----
 bootMACAddress: 24:6E:96:1B:96:90 # MAC of bootable provisioning NIC
-hardwareProfile: unknown          #worker node settings
 ----
diff --git a/modules/ipi-install-troubleshooting-investigating-an-unavailable-kubernetes-api.adoc b/modules/ipi-install-troubleshooting-investigating-an-unavailable-kubernetes-api.adoc
index da84830e2a61..cb3e39e1a977 100644
--- a/modules/ipi-install-troubleshooting-investigating-an-unavailable-kubernetes-api.adoc
+++ b/modules/ipi-install-troubleshooting-investigating-an-unavailable-kubernetes-api.adoc
@@ -1,4 +1,4 @@
-// This module is included in the following assemblies: 
+// This module is included in the following assemblies:
 //
 // installing/installing_bare_metal_ipi/ipi-install-troubleshooting.adoc
 
@@ -17,7 +17,7 @@ When the Kubernetes API is unavailable, check the control plane nodes to ensure
 $ sudo crictl logs $(sudo crictl ps --pod=$(sudo crictl pods --name=etcd-member --quiet) --quiet)
 ----
 
-. If the previous command fails, ensure that Kublet created the `etcd` pods by running the following command:
+. If the previous command fails, ensure that Kubelet created the `etcd` pods by running the following command:
 +
 [source,terminal]
 ----
diff --git a/modules/ipi-install-validation-checklist-for-installation.adoc b/modules/ipi-install-validation-checklist-for-installation.adoc
index c7d24b1bd802..782c41d0eb66 100644
--- a/modules/ipi-install-validation-checklist-for-installation.adoc
+++ b/modules/ipi-install-validation-checklist-for-installation.adoc
@@ -13,6 +13,6 @@
 * [ ] The `bmc` parameter for the `install-config.yaml` has been configured.
 * [ ] Conventions for the values configured in the `bmc` `address` field have been applied.
 * [ ] Created the {product-title} manifests.
-* [ ] (Optional) Deployed routers on worker nodes.
+* [ ] (Optional) Deployed routers on compute nodes.
 * [ ] (Optional) Created a disconnected registry.
 * [ ] (Optional) Validate disconnected registry settings if in use.
diff --git a/modules/ipi-install-verifying-support-for-redfish-apis.adoc b/modules/ipi-install-verifying-support-for-redfish-apis.adoc
new file mode 100644
index 000000000000..e111bf5a58af
--- /dev/null
+++ b/modules/ipi-install-verifying-support-for-redfish-apis.adoc
@@ -0,0 +1,84 @@
+// This is included in the following assemblies:
+//
+// installing/installing_bare_metal_ipi/ipi-install-configuration-files.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id='verifying-support-for-redfish-apis_{context}']
+
+= Verifying support for Redfish APIs
+
+When installing using the Redfish API, the installation program calls several Redfish endpoints on the baseboard management controller (BMC) when using installer-provisioned infrastructure on bare metal. If you use Redfish, ensure that your BMC supports all of the Redfish APIs before installation.
+
+.Procedure
+
+. Set the IP address or hostname of the BMC by running the following command:
++
+[source,terminal]
+----
+$ export SERVER=<ip_address> <1>
+----
+<1> Replace `<ip_address>` with the IP address or hostname of the BMC.
+
+. Set the ID of the system by running the following command:
++
+[source,terminal]
+----
+$ export SystemID=<system_id> <1>
+----
+<1> Replace `<system_id>` with the system ID. For example, `System.Embedded.1` or `1`. See the following vendor-specific BMC sections for details.
+
+.List of Redfish APIs:
+
+. Check `power on` support by running the following command:
++
+[source,terminal]
+----
+$ curl -u $USER:$PASS -X POST -H'Content-Type: application/json' -H'Accept: application/json' -d '{"ResetType": "On"}' https://$SERVER/redfish/v1/Systems/$SystemID/Actions/ComputerSystem.Reset
+----
+
+. Check `power off` support by running the following command:
++
+[source,terminal]
+----
+$ curl -u $USER:$PASS -X POST -H'Content-Type: application/json' -H'Accept: application/json' -d '{"ResetType": "ForceOff"}' https://$SERVER/redfish/v1/Systems/$SystemID/Actions/ComputerSystem.Reset
+----
+
+. Check the temporary boot implementation that uses `pxe` by running the following command:
++
+[source,terminal]
+----
+$ curl -u $USER:$PASS -X PATCH -H "Content-Type: application/json"  https://$Server/redfish/v1/Systems/$SystemID/ -d '{"Boot": {"BootSourceOverrideTarget": "pxe", "BootSourceOverrideEnabled": "Once"}}
+----
+
+. Check the status of setting the BIOS boot mode that uses `Legacy` or `UEFI` by running the following command:
++
+[source,terminal]
+----
+$ curl -u $USER:$PASS -X PATCH -H "Content-Type: application/json"  https://$Server/redfish/v1/Systems/$SystemID/ -d '{"Boot": {"BootSourceOverrideMode":"UEFI"}}
+----
+
+.List of Redfish virtual media APIs:
+
+. Check the ability to set the temporary boot device that uses `cd` or `dvd` by running the following command:
++
+[source,terminal]
+----
+$ curl -u $USER:$PASS -X PATCH -H "Content-Type: application/json" https://$Server/redfish/v1/Systems/$SystemID/ -d '{"Boot": {"BootSourceOverrideTarget": "cd", "BootSourceOverrideEnabled": "Once"}}'
+----
+
+. Check the ability to mount virtual media by running the following command:
++
+[source,terminal]
+----
+$ curl -u $USER:$PASS -X PATCH -H "Content-Type: application/json" -H "If-Match: *" https://$Server/redfish/v1/Managers/$ManagerID/VirtualMedia/$VmediaId -d '{"Image": "https://example.com/test.iso", "TransferProtocolType": "HTTPS", "UserName": "", "Password":""}'
+----
+
+[NOTE]
+====
+The `PowerOn` and `PowerOff` commands for Redfish APIs are the same for the Redfish virtual media APIs.
+====
+
+[IMPORTANT]
+====
+`HTTPS` and `HTTP` are the only supported parameter types for `TransferProtocolTypes`.
+====
diff --git a/modules/ipi-preparing-reinstall-cluster-bare-metal.adoc b/modules/ipi-preparing-reinstall-cluster-bare-metal.adoc
index 62159eabffda..892251b348ea 100644
--- a/modules/ipi-preparing-reinstall-cluster-bare-metal.adoc
+++ b/modules/ipi-preparing-reinstall-cluster-bare-metal.adoc
@@ -7,7 +7,7 @@
 Before you reinstall a cluster on bare metal, you must perform cleanup operations.
 
 .Procedure
-. Remove or reformat the disks for the bootstrap, control plane node, and worker nodes. If you are working in a hypervisor environment, you must add any disks you removed.
+. Remove or reformat the disks for the bootstrap, control plane node, and compute nodes. If you are working in a hypervisor environment, you must add any disks you removed.
 . Delete the artifacts that the previous installation generated:
 +
 [source,terminal]
diff --git a/modules/k8s-nmstate-deploying-nmstate-CLI.adoc b/modules/k8s-nmstate-deploying-nmstate-CLI.adoc
index 60d611848bb4..977795038b4a 100644
--- a/modules/k8s-nmstate-deploying-nmstate-CLI.adoc
+++ b/modules/k8s-nmstate-deploying-nmstate-CLI.adoc
@@ -84,7 +84,7 @@ $ oc get clusterserviceversion -n openshift-nmstate \
 [source, terminal,subs="attributes+"]
 ----
 Name                                             Phase
-kubernetes-nmstate-operator.4.15.0-202210210157   Succeeded
+kubernetes-nmstate-operator.4.16.0-202210210157   Succeeded
 ----
 
 . Create an instance of the `nmstate` Operator:
diff --git a/modules/kmm-build-validation-stage.adoc b/modules/kmm-build-validation-stage.adoc
index caf7e07aaa5e..0d1dc597ede3 100644
--- a/modules/kmm-build-validation-stage.adoc
+++ b/modules/kmm-build-validation-stage.adoc
@@ -11,13 +11,15 @@ Build validation is executed only when image validation has failed and there is
 [NOTE]
 ====
 You must specify the kernel version when running `depmod`, as shown here:
+
 [source,terminal]
 ----
 $ RUN depmod -b /opt ${KERNEL_VERSION}
 ----
 ====
 
-If the `PushBuiltImage` flag is defined in the `PreflightValidationOCP` custom resource (CR), it will also try to push the resulting image into its repository. The resulting image name is taken from the definition of the `containerImage` field of the `Module` CR.
+
+If the `PushBuiltImage` flag is defined in the `PreflightValidationOCP` custom resource (CR), it also tries to push the resulting image into its repository. The resulting image name is taken from the definition of the `containerImage` field of the `Module` CR.
 
 [NOTE]
 ====
diff --git a/modules/kmm-building-in-cluster.adoc b/modules/kmm-building-in-cluster.adoc
index 05ad21f0100f..2c98a55c6a05 100644
--- a/modules/kmm-building-in-cluster.adoc
+++ b/modules/kmm-building-in-cluster.adoc
@@ -45,3 +45,5 @@ Otherwise, KMM creates a `Build` resource to build your image. After the image i
 <6> Required.
 <7> Optional: Avoid using this parameter. If set to `true`, KMM will be allowed to check if the container image already exists using plain HTTP.
 <8> Optional: Avoid using this parameter. If set to `true`, KMM will skip any TLS server certificate validation when checking if the container image already exists.
+
+Successful build pods are garbage collected immediately, unless the `job.gcDelay` parameter is set in the Operator configuration. Failed build pods are always preserved and must be deleted manually by the administrator for the build to be restarted.
diff --git a/modules/kmm-configuring-kmmo.adoc b/modules/kmm-configuring-kmmo.adoc
index 9e08606c56e5..5f120d1eb7dd 100644
--- a/modules/kmm-configuring-kmmo.adoc
+++ b/modules/kmm-configuring-kmmo.adoc
@@ -24,6 +24,8 @@ $ oc edit configmap -n "$namespace" kmm-operator-manager-config
 [source,yaml]
 ----
 healthProbeBindAddress: :8081
+job:
+  gcDelay: 1h
 leaderElection:
   enabled: true
   resourceID: kmm.sigs.x-k8s.io
@@ -49,6 +51,9 @@ worker:
 | `healthProbeBindAddress`
 | Defines the address on which the Operator monitors for kubelet health probes. The recommended value is `:8081`.
 
+|`job.gcDelay`
+|Defines the duration that successful build pods should be preserved for before they are deleted. There is no recommended value for this setting. For information about the valid values for this setting, see link:https://pkg.go.dev/time#ParseDuration[ParseDuration].
+
 |`leaderElection.enabled`
 |Determines whether leader election is used to ensure that only one replica of the KMM Operator is running at any time. For more information, see https://kubernetes.io/docs/concepts/architecture/leases/[Leases]. The recommended value is `true`.
 
diff --git a/modules/kmm-example-cr.adoc b/modules/kmm-example-cr.adoc
index 7ffda037c6f9..728630408775 100644
--- a/modules/kmm-example-cr.adoc
+++ b/modules/kmm-example-cr.adoc
@@ -8,22 +8,22 @@
 
 This section shows an example of the `PreflightValidationOCP` resource in the YAML format.
 
-The example verifies all the currently present modules against the upcoming kernel version included in the {product-title} release 4.11.18, which the following release image points to:
+The example verifies all of the currently present modules against the upcoming kernel version included in the {product-title} release 4.11.18, which the following release image points to:
 
 [source,terminal]
 ----
 quay.io/openshift-release-dev/ocp-release@sha256:22e149142517dfccb47be828f012659b1ccf71d26620e6f62468c264a7ce7863
 ----
 
-Because `.spec.pushBuiltImage` is set to `true`, KMM pushes the resulting images of Build/Sign into the defined repositories.
+Because `.spec.pushBuiltImage` is set to `true`, KMM pushes the resulting images of Build/Sign in to the defined repositories.
 
 [source,yaml]
 ----
-apiVersion: kmm.sigs.x-k8s.io/v1beta1
+apiVersion: kmm.sigs.x-k8s.io/v1beta2
 kind: PreflightValidationOCP
 metadata:
- name: preflight
+  name: preflight
 spec:
- releaseImage: quay.io/openshift-release-dev/ocp-release@sha256:22e149142517dfccb47be828f012659b1ccf71d26620e6f62468c264a7ce7863
- pushBuiltImage: true
+  releaseImage: quay.io/openshift-release-dev/ocp-release@sha256:22e149142517dfccb47be828f012659b1ccf71d26620e6f62468c264a7ce7863
+  pushBuiltImage: true
 ----
diff --git a/modules/kmm-example-module-cr.adoc b/modules/kmm-example-module-cr.adoc
index ea0a85382dda..2609a206262e 100644
--- a/modules/kmm-example-module-cr.adoc
+++ b/modules/kmm-example-module-cr.adoc
@@ -81,7 +81,12 @@ spec:
 <7> For any other kernel, build the image using the Dockerfile in the `my-kmod` ConfigMap.
 <8> Optional.
 <9> Optional: A value for `some-kubernetes-secret` can be obtained from the build environment at `/run/secrets/some-kubernetes-secret`.
-<10> Optional: Avoid using this parameter. If set to `true`, the build is allowed to pull the image in the Dockerfile `FROM` instruction using plain HTTP.
+<10> This field has no effect. When building kmod images or signing kmods within a kmod image,
+you might sometimes need to pull base images from a registry that serves a certificate signed by an
+untrusted Certificate Authority (CA). In order for KMM to trust that CA, it must also trust the new CA
+by replacing the cluster's CA bundle.
++
+See "Additional resources" to learn how to replace the cluster's CA bundle.
 <11> Optional: Avoid using this parameter. If set to `true`, the build will skip any TLS server certificate validation when pulling the image in the Dockerfile `FROM` instruction using plain HTTP.
 <12> Required.
 <13> Required: A secret holding the public secureboot key with the key 'cert'.
diff --git a/modules/kmm-image-validation-stage.adoc b/modules/kmm-image-validation-stage.adoc
index 11d824a67d32..7f185f1810ca 100644
--- a/modules/kmm-image-validation-stage.adoc
+++ b/modules/kmm-image-validation-stage.adoc
@@ -12,6 +12,4 @@ Image validation consists of two stages:
 
 . Image existence and accessibility. The code tries to access the image defined for the upgraded kernel in the module and get its manifests.
 
-. Verify the presence of the kernel module defined in the `Module` in the correct path for future `modprobe` execution. The correct path is `<dirname>/lib/modules/<upgraded_kernel>/`.
-
-If this validation is successful, it probably means that the kernel module was compiled with the correct Linux headers.
+. Verify the presence of the kernel module defined in the `Module` in the correct path for future `modprobe` execution. If this validation is successful, it probably means that the kernel module was compiled with the correct Linux headers. The correct path is `<dirname>/lib/modules/<upgraded_kernel>/`.
diff --git a/modules/kmm-replacing-in-tree-modules-with-out-of-tree-modules.adoc b/modules/kmm-replacing-in-tree-modules-with-out-of-tree-modules.adoc
index 3a674f1dfc06..d0fa0b02596c 100644
--- a/modules/kmm-replacing-in-tree-modules-with-out-of-tree-modules.adoc
+++ b/modules/kmm-replacing-in-tree-modules-with-out-of-tree-modules.adoc
@@ -10,7 +10,7 @@ You can use Kernel Module Management (KMM) to build kernel modules that can be l
 
 Dynamically loaded modules include in-tree modules and out-of-tree (OOT) modules. In-tree modules are internal to the Linux kernel tree, that is, they are already part of the kernel. Out-of-tree modules are external to the Linux kernel tree. They are generally written for development and testing purposes, such as testing the new version of a kernel module that is shipped in-tree, or to deal with incompatibilities.
 
-Some modules loaded by KMM could replace in-tree modules already loaded on the node. To unload an in-tree module before loading your module, set the `.spec.moduleLoader.container.inTreeModuleToRemove` field. The following is an example for module replacement for all kernel mappings:
+Some modules that are loaded by KMM could replace in-tree modules that are already loaded on the node. To unload in-tree modules before loading your module, set the value of the `.spec.moduleLoader.container.inTreeModulesToRemove` field to the modules that you want to unload. The following example demonstrates module replacement for all kernel mappings:
 
 [source,yaml]
 ----
@@ -21,12 +21,10 @@ spec:
       modprobe:
         moduleName: mod_a
 
-      inTreeModuleToRemove: mod_b
+      inTreeModulesToRemove: [mod_a, mod_b]
 ----
 
-In this example, the `moduleLoader` pod uses `inTreeModuleToRemove` to unload the in-tree `mod_b` before loading `mod_a`
-from the `moduleLoader` image.
-When the `moduleLoader`pod is terminated and `mod_a` is unloaded, `mod_b` is not loaded again.
+In this example, the `moduleLoader` pod uses `inTreeModulesToRemove` to unload the in-tree `mod_a` and `mod_b` before loading `mod_a` from the `moduleLoader` image. When the `moduleLoader`pod is terminated and `mod_a` is unloaded, `mod_b` is not loaded again.
 
 The following is an example for module replacement for specific kernel mappings:
 
@@ -38,6 +36,6 @@ spec:
     container:
       kernelMappings:
         - literal: 6.0.15-300.fc37.x86_64
-          containerImage: some.registry/org/my-kmod:6.0.15-300.fc37.x86_64
-          inTreeModuleToRemove: <module_name>
+          containerImage: "some.registry/org/my-kmod:${KERNEL_FULL_VERSION}"
+          inTreeModulesToRemove: [<module_name>, <module_name>]
 ----
diff --git a/modules/kmm-sign-validation-stage.adoc b/modules/kmm-sign-validation-stage.adoc
index 6a87ae084779..12fd190d3dc7 100644
--- a/modules/kmm-sign-validation-stage.adoc
+++ b/modules/kmm-sign-validation-stage.adoc
@@ -6,11 +6,9 @@
 [id="kmm-sign-validation-stage_{context}"]
 = Sign validation stage
 
-Sign validation is executed only when image validation has failed, there is a `sign` section in the `Module` that is relevant for the upgrade kernel, and build validation finished successfully in the event there was a `build` section in the `Module` relevant for the upgraded kernel. Sign validation will try to run the sign job and validate that it finishes successfully.
+Sign validation is executed only when image validation has failed. There is a `sign` section in the `Module` resource that is relevant for the upgrade kernel, and build validation finishes successfully in case there was a `build` section in the `Module` relevant for the upgraded kernel. Sign validation attempts to run the sign job and validate that it finishes successfully.
 
-If the `PushBuiltImage` flag is defined in the `PreflightValidationOCP` CR, sign validation will also try to push the resulting image to its registry.
-
-The resulting image is always the image defined in the `containerImage` field of the `Module`. The input image is either the output of the Build stage, or an image defined in the `UnsignedImage` field.
+If the `PushBuiltImage` flag is defined in the `PreflightValidationOCP` CR, sign validation also tries to push the resulting image to its registry. The resulting image is always the image defined in the `ContainerImage` field of the `Module`. The input image is either the output of the Build stage, or an image defined in the `UnsignedImage` field.
 
 [NOTE]
 ====
diff --git a/modules/kmm-validation-kickoff.adoc b/modules/kmm-validation-kickoff.adoc
index 906267f90490..c2636dc3ddbb 100644
--- a/modules/kmm-validation-kickoff.adoc
+++ b/modules/kmm-validation-kickoff.adoc
@@ -8,19 +8,6 @@
 
 Preflight validation is triggered by creating a `PreflightValidationOCP` resource in the cluster. This spec contains two fields:
 
-[source,terminal]
-----
-type PreflightValidationOCPSpec struct {
-	// releaseImage describes the OCP release image that all Modules need to be checked against.
-	// +kubebuilder:validation:Required
-	ReleaseImage string `json:"releaseImage"` <1>
-	// Boolean flag that determines whether images build during preflight must also
-	// be pushed to a defined repository
-	// +optional
-	PushBuiltImage bool `json:"pushBuiltImage"` <2>
-}
-----
+`releaseImage`:: Mandatory field that provides the name of the release image for the {product-title} version the cluster is upgraded to.
 
-<1> `ReleaseImage` - Mandatory field that provides the name of the release image for the {product-title} version the cluster is upgraded to.
-
-<2> `PushBuiltImage` - If `true`, then the images created during the Build and Sign validation are pushed to their repositories (`false` by default).
+`pushBuiltImage`:: If `true`, then the images created during the Build and Sign validation are pushed to their repositories. This field is `false` by default.
diff --git a/modules/kmm-validation-lifecycle.adoc b/modules/kmm-validation-lifecycle.adoc
index fa7e39a7462f..4eed2e38a517 100644
--- a/modules/kmm-validation-lifecycle.adoc
+++ b/modules/kmm-validation-lifecycle.adoc
@@ -6,6 +6,6 @@
 [id="kmm-validation-lifecycle_{context}"]
 = Validation lifecycle
 
-Preflight validation attempts to validate every module loaded in the cluster. Preflight will stop running validation on a `Module` resource after the validation is successful. In case module validation has failed, you can change the module definitions and Preflight will try to validate the module again in the next loop.
+Preflight validation attempts to validate every module loaded in the cluster. Preflight stops running validation on a `Module` resource after the validation is successful. If module validation fails, you can change the module definitions and Preflight tries to validate the module again in the next loop.
 
 If you want to run Preflight validation for an additional kernel, then you should create another `PreflightValidationOCP` resource for that kernel. After all the modules have been validated, it is recommended to delete the `PreflightValidationOCP` resource.
diff --git a/modules/kmm-validation-status.adoc b/modules/kmm-validation-status.adoc
index f3d50623702e..34a3c66c28ee 100644
--- a/modules/kmm-validation-status.adoc
+++ b/modules/kmm-validation-status.adoc
@@ -6,43 +6,23 @@
 [id="kmm-validation-status_{context}"]
 = Validation status
 
-Preflight reports the status and progress of each module in the cluster that it attempts to
-validate.
-
-[source,terminal]
-----
-type CRStatus struct {
-	// Status of Module CR verification: true (verified), false (verification failed),
-	// error (error during verification process), unknown (verification has not started yet)
-	// +required
-	// +kubebuilder:validation:Required
-	// +kubebuilder:validation:Enum=True;False
-	VerificationStatus string `json:"verificationStatus"` <1>
-	// StatusReason contains a string describing the status source.
-	// +optional
-	StatusReason string `json:"statusReason,omitempty"` <2>
-	// Current stage of the verification process:
-	// image (image existence verification), build(build process verification)
-	// +required
-	// +kubebuilder:validation:Required
-	// +kubebuilder:validation:Enum=Image;Build;Sign;Requeued;Done
-	VerificationStage string `json:"verificationStage"` <3>
-	// LastTransitionTime is the last time the CR status transitioned from one status to another.
-	// This should be when the underlying status changed.  If that is not known, then using the time when the API field changed is acceptable.
-	// +required
-	// +kubebuilder:validation:Required
-	// +kubebuilder:validation:Type=string
-	// +kubebuilder:validation:Format=date-time
-	LastTransitionTime metav1.Time `json:"lastTransitionTime" protobuf:"bytes,4,opt,name=lastTransitionTime"` <4>
-}
-----
-
-The following fields apply to each module:
-
-<1> `VerificationStatus` - `true` or `false`, validated or not.
-
-<2> `StatusReason` - Verbal explanation regarding the status.
-
-<3> `VerificationStage` - Describes the validation stage being executed (Image, Build, Sign).
-
-<4> `LastTransitionTime` - The time of the last update to the status.
+A `PreflightValidationOCP` resource reports the status and progress of each module in the cluster that it attempts or has attempted to validate in its `.status.modules` list. Elements of that list contain the following fields:
+
+`lastTransitionTime`:: The last time the `Module` resource status transitioned from one status to another. This should be when the underlying status has changed. If that is not known, then using the time when the API field changed is acceptable.
+
+`name`:: The name of the `Module` resource.
+
+`namespace`:: The namespace of the `Module` resource.
+
+`statusReason`:: Verbal explanation regarding the status.
+
+`verificationStage`:: Describes the validation stage being executed: +
+* `image`: Image existence verification
+* `build`: Build process verification
+* `sign`: Sign process verification
+
+`verificationStatus`:: The status of the Module verification: +
+* `true`: Verified
+* `false`: Verification failed
+* `error`: Error during the verification process
+* `unknown`: Verification has not started
diff --git a/modules/life-cycle-install.adoc b/modules/life-cycle-install.adoc
index a0415581c610..3d6a30e6f030 100644
--- a/modules/life-cycle-install.adoc
+++ b/modules/life-cycle-install.adoc
@@ -6,5 +6,5 @@
 [id="rosa-install-policy_{context}"]
 = Installation policy
 
-While Red Hat recommends installation of the latest support release, {product-title} supports
+While Red{nbsp}Hat recommends installation of the latest support release, {product-title} supports
 installation of any supported release as covered by the preceding policy.
diff --git a/modules/life-cycle-limited-support.adoc b/modules/life-cycle-limited-support.adoc
index ea0bda34c836..c8d96b5012b6 100644
--- a/modules/life-cycle-limited-support.adoc
+++ b/modules/life-cycle-limited-support.adoc
@@ -11,17 +11,17 @@ endif::[]
 [id="rosa-limited-support_{context}"]
 = Limited support status
 
-When a cluster transitions to a _Limited Support_ status, Red Hat no longer proactively monitors the cluster, the SLA is no longer applicable, and credits requested against the SLA are denied. It does not mean that you no longer have product support. In some cases, the cluster can return to a fully-supported status if you remediate the violating factors. However, in other cases, you might have to delete and recreate the cluster.
+When a cluster transitions to a _Limited Support_ status, Red{nbsp}Hat no longer proactively monitors the cluster, the SLA is no longer applicable, and credits requested against the SLA are denied. It does not mean that you no longer have product support. In some cases, the cluster can return to a fully-supported status if you remediate the violating factors. However, in other cases, you might have to delete and recreate the cluster.
 
 A cluster might transition to a Limited Support status for many reasons, including the following scenarios:
 
 ifndef::rosa-with-hcp[]
-If you do not upgrade a cluster to a supported version before the end-of-life date:: Red Hat does not make any runtime or SLA guarantees for versions after their end-of-life date. To receive continued support, upgrade the cluster to a supported version prior to the end-of-life date. If you do not upgrade the cluster prior to the end-of-life date, the cluster transitions to a Limited Support status until it is upgraded to a supported version.
+If you do not upgrade a cluster to a supported version before the end-of-life date:: Red{nbsp}Hat does not make any runtime or SLA guarantees for versions after their end-of-life date. To receive continued support, upgrade the cluster to a supported version before the end-of-life date. If you do not upgrade the cluster before the end-of-life date, the cluster transitions to a Limited Support status until it is upgraded to a supported version.
 +
-Red Hat provides commercially reasonable support to upgrade from an unsupported version to a supported version. However, if a supported upgrade path is no longer available, you might have to create a new cluster and migrate your workloads.
+Red{nbsp}Hat provides commercially reasonable support to upgrade from an unsupported version to a supported version. However, if a supported upgrade path is no longer available, you might have to create a new cluster and migrate your workloads.
 endif::rosa-with-hcp[]
 
-If you remove or replace any native {product-title} components or any other component that is installed and managed by Red Hat:: If cluster administrator permissions were used, Red Hat is not responsible for any of your or your authorized users’ actions, including those that affect infrastructure services, service availability, or data loss. If Red Hat detects any such actions, the cluster might transition to a Limited Support status. Red Hat notifies you of the status change and you should either revert the action or create a support case to explore remediation steps that might require you to delete and recreate the cluster.
+If you remove or replace any native {product-title} components or any other component that is installed and managed by Red{nbsp}Hat:: If cluster administrator permissions were used, Red{nbsp}Hat is not responsible for any of your or your authorized users’ actions, including those that affect infrastructure services, service availability, or data loss. If Red{nbsp}Hat detects any such actions, the cluster might transition to a Limited Support status. Red{nbsp}Hat notifies you of the status change and you should either revert the action or create a support case to explore remediation steps that might require you to delete and recreate the cluster.
 
 If you have questions about a specific action that might cause a cluster to transition to a Limited Support status or need further assistance, open a support ticket.
 
diff --git a/modules/life-cycle-mandatory-upgrades.adoc b/modules/life-cycle-mandatory-upgrades.adoc
index 9ce1bfa86a32..52e7615bf7d0 100644
--- a/modules/life-cycle-mandatory-upgrades.adoc
+++ b/modules/life-cycle-mandatory-upgrades.adoc
@@ -11,16 +11,16 @@ endif::[]
 [id="rosa-mandatory-upgrades_{context}"]
 = Mandatory upgrades
 
-If a critical or important CVE, or other bug identified by Red Hat, significantly impacts the security or stability of the cluster, the customer must upgrade to the next supported patch release within two link:https://access.redhat.com/articles/2623321[business days].
+If a critical or important CVE, or other bug identified by Red{nbsp}Hat, significantly impacts the security or stability of the cluster, the customer must upgrade to the next supported patch release within two link:https://access.redhat.com/articles/2623321[business days].
 
-In extreme circumstances and based on Red Hat's assessment of the CVE criticality to the environment, Red Hat will notify customers that they have two link:https://access.redhat.com/articles/2623321[business days] to schedule or manually update their cluster to the latest, secure patch release. In the case that an update is not performed after two link:https://access.redhat.com/articles/2623321[business days], Red Hat will automatically update the
+In extreme circumstances and based on Red{nbsp}Hat's assessment of the CVE criticality to the environment, Red{nbsp}Hat will notify customers that they have two link:https://access.redhat.com/articles/2623321[business days] to schedule or manually update their cluster to the latest, secure patch release. In the case that an update is not performed after two link:https://access.redhat.com/articles/2623321[business days], Red{nbsp}Hat will automatically update the
 ifdef::rosa-with-hcp[]
 cluster's control plane
 endif::rosa-with-hcp[]
 ifndef::rosa-with-hcp[]
 cluster
 endif::rosa-with-hcp[]
-to the latest, secure patch release to mitigate potential security breach(es) or instability. Red Hat might, at its own discretion, temporarily delay an automated update if requested by a customer through a link:https://access.redhat.com/support[support case].
+to the latest, secure patch release to mitigate potential security breach(es) or instability. Red{nbsp}Hat might, at its own discretion, temporarily delay an automated update if requested by a customer through a link:https://access.redhat.com/support[support case].
 
 ifeval::["{context}" == "rosa-hcp-life-cycle"]
 :!rosa-with-hcp:
diff --git a/modules/life-cycle-minor-versions.adoc b/modules/life-cycle-minor-versions.adoc
index b8e384c818f0..df4074be8d88 100644
--- a/modules/life-cycle-minor-versions.adoc
+++ b/modules/life-cycle-minor-versions.adoc
@@ -10,11 +10,11 @@ endif::[]
 [id="rosa-minor-versions_{context}"]
 = Minor versions (x.Y.z)
 
-Starting with the 4.8 OpenShift Container Platform minor version, Red Hat supports all minor versions for at least a 16 month period following general availability of the given minor version. Patch versions are not affected by the support period.
+Starting with the 4.8 OpenShift Container Platform minor version, Red{nbsp}Hat supports all minor versions for at least a 16 month period following general availability of the given minor version. Patch versions are not affected by the support period.
 
 Customers are notified 60, 30, and 15 days before the end of the support period. Clusters must be upgraded to the latest patch version of the oldest supported minor version before the end of the support period, or
 ifdef::rosa-with-hcp[]
-Red Hat will automatically upgrade the control plane to the next supported minor version.
+Red{nbsp}Hat will automatically upgrade the control plane to the next supported minor version.
 endif::rosa-with-hcp[]
 ifndef::rosa-with-hcp[]
 the cluster will enter a "Limited Support" status.
diff --git a/modules/life-cycle-overview.adoc b/modules/life-cycle-overview.adoc
index 9a95f519572b..1020ed576bd6 100644
--- a/modules/life-cycle-overview.adoc
+++ b/modules/life-cycle-overview.adoc
@@ -7,13 +7,6 @@
 [id="life-cycle-overview_{context}"]
 = Overview
 
-Red Hat provides a published product life cycle for {product-title} in order for customers and
-partners to effectively plan, deploy, and support their applications running on the platform. Red
-Hat publishes this life cycle in order to provide as much transparency as possible and might make
-exceptions from these policies as conflicts arise.
+Red{nbsp}Hat provides a published product life cycle for {product-title} in order for customers and partners to effectively plan, deploy, and support their applications running on the platform. Red{nbsp}Hat publishes this life cycle to provide as much transparency as possible and might make exceptions from these policies as conflicts arise.
 
-{product-title} is a managed instance of Red Hat OpenShift and maintains an independent release
-schedule. More details about the managed offering can be found in the {product-title} service
-definition. The availability of Security Advisories and Bug Fix Advisories for a specific version
-are dependent upon the Red Hat OpenShift Container Platform life cycle policy and subject to the
-{product-title} maintenance schedule.
+{product-title} is a managed instance of Red{nbsp}Hat OpenShift and maintains an independent release schedule. More details about the managed offering can be found in the {product-title} service definition. The availability of Security Advisories and Bug Fix Advisories for a specific version are dependent upon the Red{nbsp}Hat OpenShift Container Platform life cycle policy and subject to the {product-title} maintenance schedule.
diff --git a/modules/life-cycle-patch-versions.adoc b/modules/life-cycle-patch-versions.adoc
index c8772bff5dda..81fdc10f9fa8 100644
--- a/modules/life-cycle-patch-versions.adoc
+++ b/modules/life-cycle-patch-versions.adoc
@@ -6,11 +6,9 @@
 [id="rosa-patch-versions_{context}"]
 = Patch versions (x.y.Z)
 
-During the period in which a minor version is supported, Red Hat supports all OpenShift Container
-Platform patch versions unless otherwise specified.
+During the period in which a minor version is supported, Red{nbsp}Hat supports all OpenShift Container Platform patch versions unless otherwise specified.
 
-For reasons of platform security and stability, a patch release may be deprecated, which would
-prevent installations of that release and trigger mandatory upgrades off that release.
+For reasons of platform security and stability, a patch release may be deprecated, which would prevent installations of that release and trigger mandatory upgrades off that release.
 
 .Example
 . 4.7.6 is found to contain a critical CVE.
diff --git a/modules/life-cycle-supported-versions.adoc b/modules/life-cycle-supported-versions.adoc
index fa6f54927c85..d6afa4eb82a6 100644
--- a/modules/life-cycle-supported-versions.adoc
+++ b/modules/life-cycle-supported-versions.adoc
@@ -6,6 +6,4 @@
 [id="rosa-supported-versions_{context}"]
 = Supported versions exception policy
 
-Red Hat reserves the right to add or remove new or existing versions, or delay upcoming minor
-release versions, that have been identified to have one or more critical production impacting bugs
-or security issues without advance notice.
+Red{nbsp}Hat reserves the right to add or remove new or existing versions, or delay upcoming minor release versions, that have been identified to have one or more critical production impacting bugs or security issues without advance notice.
diff --git a/modules/live-migration-metrics-information.adoc b/modules/live-migration-metrics-information.adoc
new file mode 100644
index 000000000000..b52d4e0b91b9
--- /dev/null
+++ b/modules/live-migration-metrics-information.adoc
@@ -0,0 +1,54 @@
+// Module included in the following assemblies:
+//
+// * networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="live-migration-metrics-information"]
+= Information about limited live migration metrics
+
+The following table shows you the available metrics and the label values populated from the `openshift_network_operator_live_migration_procedure` expression. Use this information to monitor progress or to troubleshoot the migration.
+
+
+.Limited live migration metrics
+[cols="1a,1a",options="header"]
+|===
+| Metric | Label values
+| 
+*`openshift_network_operator_live_migration_blocked:`*::
++
+--
+A Prometheus gauge vector metric. A metric that contains a constant `1` value labeled with the reason that the CNI limited live migration might not have started. This metric is available when the CNI limited live migration has started by annotating the `Network` custom resource. +
+This metric is not published unless the limited live migration is blocked. 
+--
+| 
+The list of label values includes the following::
++
+--
+* `UnsupportedCNI`: Unable to migrate to the unsupported target CNI. Valid CNI is `OVNKubernetes` when migrating from OpenShift SDN.
+* `UnsupportedHyperShiftCluster`: Limited live migration is unsupported within an HCP cluster.
+* `UnsupportedSDNNetworkIsolationMode`: OpenShift SDN is configured with an unsupported network isolation mode `Multitenant`. Migrate to a supported network isolation mode before performing limited live migration.
+* `UnsupportedMACVLANInterface`: Remove the egress router or any pods which contain the pod annotation `pod.network.openshift.io/assign-macvlan`. 
+Find the offending pod's namespace or pod name with the following command: +
+ +
+`oc get pods -Ao=jsonpath='{range .items[?(@.metadata.annotations.pod\.network\.openshift\.io/assign-macvlan=="")]}{@.metadata.namespace}{"\t"}{@.metadata.name}{"\n"}'`.
+--
+
+| 
+*`openshift_network_operator_live_migration_condition:`*::
++
+--
+A metric which represents the status of each condition type for the CNI limited live migration. The set of status condition types is defined for `network.config` to support observability of the CNI limited live migration. +
+A `1` value represents condition status `true`. A `0` value represents `false`. `-1` represents unknown. This metric is available when the CNI limited live migration has started by annotating the `Network` custom resource (CR). +
+This metric is only available when the limited live migration has been triggered by adding the relevant annotation to the `Network` CR cluster, otherwise, it is not published. If the following condition types are not present within the Network CR cluster, the metric and their labels are cleared.
+--
+| 
+The list of label values includes the following::
++
+--
+* `NetworkTypeMigrationInProgress`
+* `NetworkTypeMigrationTargetCNIAvailable`
+* `NetworkTypeMigrationTargetCNIInUse`
+* `NetworkTypeMigrationOriginalCNIPurged`
+* `NetworkTypeMigrationMTUReady`
+--
+|===
diff --git a/modules/logging-collector-alerts.adoc b/modules/logging-collector-alerts.adoc
new file mode 100644
index 000000000000..db65573383bc
--- /dev/null
+++ b/modules/logging-collector-alerts.adoc
@@ -0,0 +1,29 @@
+// Module included in the following assemblies:
+//
+// * logging/logging_alerts/default-logging-alerts.adoc
+
+:_content-type: REFERENCE
+[id="logging-collector-alerts_{context}"]
+= Logging collector alerts
+
+In logging 5.8 and later versions, the following alerts are generated by the {clo}. You can view these alerts in the {product-title} web console.
+
+[cols="4", options="header"]
+|===
+| Alert Name | Message | Description | Severity
+
+| CollectorNodeDown
+| Prometheus could not scrape `namespace`/`pod` collector component for more than 10m.
+| Collector cannot be scraped.
+| Critical
+
+| CollectorHighErrorRate
+| `value`% of records have resulted in an error by `namespace`/`pod` collector component.
+| `namespace`/`pod` collector component errors are high.
+| Critical
+
+| CollectorVeryHighErrorRate
+| `value`% of records have resulted in an error by `namespace`/`pod` collector component.
+| `namespace`/`pod` collector component errors are very high.
+| Critical
+|===
diff --git a/modules/logging-in-by-using-the-web-console.adoc b/modules/logging-in-by-using-the-web-console.adoc
index e92587dcec52..2449e1b4a02d 100644
--- a/modules/logging-in-by-using-the-web-console.adoc
+++ b/modules/logging-in-by-using-the-web-console.adoc
@@ -1,7 +1,5 @@
 // Module included in the following assemblies:
 //
-// * installing/installing_alibaba/installing-alibaba-network-customizations.adoc
-// * installing/installing_alibaba/installing-alibaba-vpc.adoc
 // * installing/installing_aws/installing-aws-china.adoc.
 // * installing/installing_aws/installing-aws-secret-region.adoc
 // *installing/validating-an-installation.adoc
diff --git a/modules/logging-loki-storage-odf.adoc b/modules/logging-loki-storage-odf.adoc
index dc6e321aff3e..ca63c7d126ea 100644
--- a/modules/logging-loki-storage-odf.adoc
+++ b/modules/logging-loki-storage-odf.adoc
@@ -10,7 +10,7 @@
 * You installed the {loki-op}.
 * You installed the {oc-first}.
 * You deployed link:https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/[{rh-storage}].
-* You configured your {rh-storage} cluster link:https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.15/html/managing_and_allocating_storage_resources/adding-file-and-object-storage-to-an-existing-external-ocs-cluster[for object storage].
+* You configured your {rh-storage} cluster link:https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.16/html/managing_and_allocating_storage_resources/adding-file-and-object-storage-to-an-existing-external-ocs-cluster[for object storage].
 
 .Procedure
 
diff --git a/modules/logging-release-notes-5-9-2.adoc b/modules/logging-release-notes-5-9-2.adoc
index 6b314e4ae57b..928aa474a73b 100644
--- a/modules/logging-release-notes-5-9-2.adoc
+++ b/modules/logging-release-notes-5-9-2.adoc
@@ -1,4 +1,4 @@
-/module included in logging-5-9-release-notes.adoc
+// module included in logging-5-9-release-notes.adoc
 :_mod-docs-content-type: REFERENCE
 [id="logging-release-notes-5-9-2_{context}"]
 = Logging 5.9.2
diff --git a/modules/logging-release-notes-5-9-3.adoc b/modules/logging-release-notes-5-9-3.adoc
new file mode 100644
index 000000000000..e13553abca85
--- /dev/null
+++ b/modules/logging-release-notes-5-9-3.adoc
@@ -0,0 +1,21 @@
+// module included in logging-5-9-release-notes.adoc
+:_mod-docs-content-type: REFERENCE
+[id="logging-release-notes-5-9-3_{context}"]
+= Logging 5.9.3
+This release includes link:https://access.redhat.com/errata/RHBA-2024:3736[OpenShift Logging Bug Fix Release 5.9.3]
+
+[id="logging-release-notes-5-9-3-bug-fixes"]
+== Bug Fixes
+
+* Before this update, there was a delay in restarting Ingesters when configuring `LokiStack`, because the {loki-op} sets the write-ahead log `replay_memory_ceiling` to zero bytes for the `1x.demo` size. With this update, the minimum value used for the `replay_memory_ceiling` has been increased to avoid delays. (link:https://issues.redhat.com/browse/LOG-5614[LOG-5614])
+
+* Before this update, monitoring the Vector collector output buffer state was not possible. With this update, monitoring and alerting the Vector collector output buffer size is possible that improves observability capabilities and helps keep the system running optimally. (link:https://issues.redhat.com/browse/LOG-5586[LOG-5586])
+
+[id="logging-release-notes-5-9-3-CVEs"]
+== CVEs
+* link:https://access.redhat.com/security/cve/CVE-2024-2961[CVE-2024-2961]
+* link:https://access.redhat.com/security/cve/CVE-2024-28182[CVE-2024-28182]
+* link:https://access.redhat.com/security/cve/CVE-2024-33599[CVE-2024-33599]
+* link:https://access.redhat.com/security/cve/CVE-2024-33600[CVE-2024-33600]
+* link:https://access.redhat.com/security/cve/CVE-2024-33601[CVE-2024-33601]
+* link:https://access.redhat.com/security/cve/CVE-2024-33602[CVE-2024-33602]
\ No newline at end of file
diff --git a/modules/logging-set-input-rate-limit.adoc b/modules/logging-set-input-rate-limit.adoc
index 34862bb65eca..f4fd4268db37 100644
--- a/modules/logging-set-input-rate-limit.adoc
+++ b/modules/logging-set-input-rate-limit.adoc
@@ -33,7 +33,7 @@ spec:
       application:
         selector:
           matchLabels: { example: label } <2>
-      containerLimit:
+        containerLimit:
           maxRecordsPerSecond: 0 <3>
 # ...
 ----
@@ -54,12 +54,12 @@ spec:
     - name: <input_name> <1>
       application:
         namespaces: [ example-ns-1, example-ns-2 ] <2>
-      containerLimit:
-        maxRecordsPerSecond: 10 <3>
+        containerLimit:
+          maxRecordsPerSecond: 10 <3>
     - name: <input_name>
       application:
         namespaces: [ test ]
-      containerLimit:
+        containerLimit:
           maxRecordsPerSecond: 1000
 # ...
 ----
diff --git a/modules/lvms-about-adding-devices-to-a-vg.adoc b/modules/lvms-about-adding-devices-to-a-vg.adoc
index 7780b3b16f05..82831a91c91c 100644
--- a/modules/lvms-about-adding-devices-to-a-vg.adoc
+++ b/modules/lvms-about-adding-devices-to-a-vg.adoc
@@ -6,11 +6,23 @@
 [id="about-adding-devices-to-a-vg_{context}"]
 = About adding devices to a volume group
 
-The `deviceSelector` field in the `LVMCluster` CR contains the configuration to specify the paths to the devices that you want to add to the LVM volume group (VG).
+The `deviceSelector` field in the `LVMCluster` CR contains the configuration to specify the paths to the devices that you want to add to the Logical Volume Manager (LVM) volume group.
 
-You can specify the device paths in the `deviceSelector.paths` field, the `deviceSelector.optionalPaths` field, or both. If you do not specify the device paths in both the `deviceSelector.paths` field and the `deviceSelector.optionalPaths` field, {lvms} adds the supported unused devices to the VG. 
+You can specify the device paths in the `deviceSelector.paths` field, the `deviceSelector.optionalPaths` field, or both. If you do not specify the device paths in both the `deviceSelector.paths` field and the `deviceSelector.optionalPaths` field, {lvms} adds the supported unused devices to the volume group (VG). 
 
-You can also add the path to the RAID arrays to integrate the RAID arrays with {lvms}. For more information, see "Integrating RAID arrays with {lvms}".
+You can add the path to the Redundant Array of Independent Disks (RAID) arrays in the `deviceSelector` field to integrate the RAID arrays with {lvms}. You can create the RAID array by using the `mdadm` utility. {lvms} does not support creating a software RAID.
+
+[NOTE]
+====
+You can create a RAID array only during an {product-title} installation. For information on creating a RAID array, see the following sections:
+
+* "Configuring a RAID-enabled data volume" in "Additional resources".
+* link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_storage_devices/managing-raid_managing-storage-devices#creating-a-software-raid-on-an-installed-system_managing-raid[Creating a software RAID on an installed system]
+* link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_storage_devices/managing-raid_managing-storage-devices#replacing-a-failed-disk-in-raid_managing-raid[Replacing a failed disk in RAID]
+* link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_storage_devices/managing-raid_managing-storage-devices#repairing-raid-disks_managing-raid[Repairing RAID disks]
+====
+
+You can also add encrypted devices to the volume group. You can enable disk encryption on the cluster nodes during an {product-title} installation. After encrypting a device, you can specify the path to the LUKS encrypted device in the `deviceSelector` field. For information on disk encryption, see "About disk encryption" and "Configuring disk encryption and mirroring".
 
 The devices that you want to add to the VG must be supported by {lvms}. For information about unsupported devices, see "Devices not supported by {lvms}".
 
diff --git a/modules/lvms-about-lvmcluster-cr.adoc b/modules/lvms-about-lvmcluster-cr.adoc
index 8a2911bc71c2..178021358488 100644
--- a/modules/lvms-about-lvmcluster-cr.adoc
+++ b/modules/lvms-about-lvmcluster-cr.adoc
@@ -38,7 +38,7 @@ LVM Storage creates a storage class and volume snapshot class for each device cl
 |`string`
 |Specify a name for the LVM volume group (VG). 
 
-You can also configure this field to reuse a volume group that you created in the previous installation. For more information, see "Reusing a volume group from the previous LVM Storage installation" in the "Additional resources" section.
+You can also configure this field to reuse a volume group that you created in the previous installation. For more information, see "Reusing a volume group from the previous LVM Storage installation".
 
 |`deviceClasses.fstype`
 |`string`
@@ -65,7 +65,7 @@ On the control-plane node, {lvms} detects and uses the additional worker nodes w
 * Specify the paths to the devices that you want to add to the LVM volume group.
 * Force wipe the devices that are added to the LVM volume group.
 
-For more information, see "About adding devices to a volume group" in the "Additional resources" section.
+For more information, see "About adding devices to a volume group".
 
 |`deviceSelector.paths`
 |`array`
diff --git a/modules/lvms-about-scaling-storage-of-clusters.adoc b/modules/lvms-about-scaling-storage-of-clusters.adoc
index e0e14f8bdf4e..7896ea96325f 100644
--- a/modules/lvms-about-scaling-storage-of-clusters.adoc
+++ b/modules/lvms-about-scaling-storage-of-clusters.adoc
@@ -20,5 +20,5 @@ You can add the `deviceSelector` field in the `LVMCluster` CR only while creatin
 If you do not add the `deviceSelector` field in the `LVMCluster` CR, {lvms} automatically adds the new devices when the devices are available.
 [NOTE]
 ====
-{lvms} adds only the supported devices. For information about unsupported devices, see "Devices not supported by LVM Storage" in the "Additional resources" section.
+{lvms} adds only the supported devices. For information about unsupported devices, see "Devices not supported by LVM Storage".
 ====
diff --git a/modules/lvms-about-volume-snapshots.adoc b/modules/lvms-about-volume-snapshots.adoc
index 57737ec61674..9020dc18d897 100644
--- a/modules/lvms-about-volume-snapshots.adoc
+++ b/modules/lvms-about-volume-snapshots.adoc
@@ -14,7 +14,7 @@ You can perform the following actions using the volume snapshots:
 +
 [IMPORTANT]
 ====
-Volume snapshots are located on the same devices as the original data. To use the volume snapshots as backups, you must move the snapshots to a secure location. You can use OpenShift API for Data Protection (OADP) backup and restore solutions. For information about OADP, see "OADP features" in the "Additional resources" section.
+Volume snapshots are located on the same devices as the original data. To use the volume snapshots as backups, you must move the snapshots to a secure location. You can use OpenShift API for Data Protection (OADP) backup and restore solutions. For information about OADP, see "OADP features".
 ====
 
 * Revert to a state at which the volume snapshot was taken.
diff --git a/modules/lvms-creating-lvmcluster-using-rhacm.adoc b/modules/lvms-creating-lvmcluster-using-rhacm.adoc
index 132e9e84d149..7eb4e8ff0650 100644
--- a/modules/lvms-creating-lvmcluster-using-rhacm.adoc
+++ b/modules/lvms-creating-lvmcluster-using-rhacm.adoc
@@ -12,7 +12,7 @@ After you have installed {lvms} by using {rh-rhacm}, you must create an `LVMClus
 
 * You have installed {lvms} by using {rh-rhacm}.
 * You have access to the {rh-rhacm} cluster using an account with `cluster-admin` permissions.
-* You read the "About the LVMCluster custom resource" section. See the "Additional resources" section.
+* You read the "About the LVMCluster custom resource" section.
 
 .Procedure
 
diff --git a/modules/lvms-creating-lvms-cluster-using-cli.adoc b/modules/lvms-creating-lvms-cluster-using-cli.adoc
index 52014f506421..10a67da07526 100644
--- a/modules/lvms-creating-lvms-cluster-using-cli.adoc
+++ b/modules/lvms-creating-lvms-cluster-using-cli.adoc
@@ -23,7 +23,7 @@ You can only create a single instance of the `LVMCluster` custom resource (CR) o
 
 * You have installed a worker node in the cluster.
 
-* You read the "About the LVMCluster custom resource" section. See the "Additional resources" section.
+* You read the "About the LVMCluster custom resource" section.
 
 .Procedure
 
diff --git a/modules/lvms-creating-lvms-cluster-using-web-console.adoc b/modules/lvms-creating-lvms-cluster-using-web-console.adoc
index a020854304f3..9105fc7593fb 100644
--- a/modules/lvms-creating-lvms-cluster-using-web-console.adoc
+++ b/modules/lvms-creating-lvms-cluster-using-web-console.adoc
@@ -21,7 +21,7 @@ You can only create a single instance of the `LVMCluster` custom resource (CR) o
 
 * You have installed a worker node in the cluster.
 
-* You read the "About the LVMCluster custom resource" section. See the "Additional resources" section.
+* You read the "About the LVMCluster custom resource" section.
 
 .Procedure
 
diff --git a/modules/lvms-installing-logical-volume-manager-operator-using-rhacm.adoc b/modules/lvms-installing-logical-volume-manager-operator-using-rhacm.adoc
index 507a590d7cbf..a65cc48969f2 100644
--- a/modules/lvms-installing-logical-volume-manager-operator-using-rhacm.adoc
+++ b/modules/lvms-installing-logical-volume-manager-operator-using-rhacm.adoc
@@ -16,7 +16,7 @@ The `Policy` CR that is created to install {lvms} is also applied to the cluster
 .Prerequisites
 * You have access to the {rh-rhacm} cluster using an account with `cluster-admin` and Operator installation permissions.
 * You have dedicated disks that {lvms} can use on each cluster.
-* The cluster must be be managed by {rh-rhacm}.
+* The cluster must be managed by {rh-rhacm}.
 
 .Procedure
 
@@ -129,8 +129,8 @@ spec:
 $ oc create -f <file_name> -n <namespace>
 ----
 +
-Upon creating the `Policy` CR, the following custom resources are created on the clusters that match the selection criteria configured in the `PlacementRule` CR: 
+Upon creating the `Policy` CR, the following custom resources are created on the clusters that match the selection criteria configured in the `PlacementRule` CR:
 
 * `Namespace`
 * `OperatorGroup`
-* `Subscription`
\ No newline at end of file
+* `Subscription`
diff --git a/modules/lvms-integrating-software-raid-arrays.adoc b/modules/lvms-integrating-software-raid-arrays.adoc
deleted file mode 100644
index 2a1c957a0420..000000000000
--- a/modules/lvms-integrating-software-raid-arrays.adoc
+++ /dev/null
@@ -1,62 +0,0 @@
-// Module included in the following assemblies:
-//
-// storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc
-
-:_mod-docs-content-type: PROCEDURE
-[id="lvms-integrating-software-raid-arrays_{context}"]
-= Integrating software RAID arrays with LVM Storage
-
-You can create the Redundant Array of Independent Disks (RAID) array by using the `mdadm` utility, and integrate the RAID array with {lvms}. Logical Volume Manager (LVM) does not support creating a software RAID.
-
-You can integrate the RAID array with {lvms} while creating the `LVMCluster` custom resource (CR). If you have already created an `LVMCluster` CR, you can edit the existing `LVMCluster` CR to add the RAID array.
-
-.Prerequisites
-
-* You created a software RAID during the {product-title} installation.
-+
-[IMPORTANT]
-====
-You can only create the RAID array during the installation of {product-title}.
-====
-
-* You have installed {lvms}.
-
-.Procedure
-
-. Open the `LVMCluster` CR YAML file. If you have already created the `LVMCluster` CR, edit the existing `LVMCluster` CR by running the following command:
-+
-[source,terminal]
-----
-$ oc edit <lvmcluster_file_name> -n <namespace>
-----
-
-. Add the path to the RAID array in the `deviceSelector` field of the `LVMCluster` CR YAML file.
-+
-.Example of RAID array paths in deviceSelector field
-[source,yaml]
-----
-apiVersion: lvm.topolvm.io/v1alpha1
-kind: LVMCluster
-metadata:
-  name: my-lvmcluster
-spec:
-  storage:
-    deviceClasses:
-# ...
-      deviceSelector:  <1>
-        paths:
-        - /dev/md/md-var  <2>
-        - /dev/md0  <3>
-        optionalPaths:
-# ...
-----
-<1> Contains the paths to the devices that are used to create the LVM volume group. You can specify the device paths in the `paths` field, the `optionalPaths` field, or both. You cannot remove or replace a device after adding it to the LVM volume group.
-<2> Example of a path to the RAID array that was created by using the `mdadm` utility. In this example, `md-var` is the RAID array.
-<3> In this device path example, `md0` is the RAID array
-
-. Save the `LVMCluster` CR YAML file.
-
-[NOTE]
-====
-If you do not add the path to the RAID array in the `deviceSelector` field, {lvms} does not recognize the RAID array.
-====
\ No newline at end of file
diff --git a/modules/lvms-limitations-to-configure-size-of-devices.adoc b/modules/lvms-limitations-to-configure-size-of-devices.adoc
index 54be6ec9de4f..963687a8f3a0 100644
--- a/modules/lvms-limitations-to-configure-size-of-devices.adoc
+++ b/modules/lvms-limitations-to-configure-size-of-devices.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc
+// * microshift_storage/microshift-storage-plugin-overview.adoc
 
 :_mod-docs-content-type: CONCEPT
 [id="limitations-to-configure-size-of-devices_{context}"]
@@ -13,7 +14,15 @@ The limitations to configure the size of the devices that you can use to provisi
 ** You can define the size of PE and LE during the physical and logical device creation.
 ** The default PE and LE size is 4 MB.
 ** If the size of the PE is increased, the maximum size of the LVM is determined by the kernel limits and your disk space.
-
+ifdef::microshift[]
+** The size limit for {op-system-base-full} 9 using the default PE and LE size is 8 EB.
+** The following are the minimum storage sizes that you can request for each file system type:
+*** `block`: 8 MiB
+*** `xfs`: 300 MiB
+*** `ext4`: 32 MiB
+endif::microshift[]
+
+ifndef::microshift[]
 .Size limits for different architectures using the default PE and LE size
 [cols="1,1,1,1,1", width="100%", options="header"]
 |====
@@ -45,4 +54,5 @@ The limitations to configure the size of the devices that you can use to provisi
 --
 1. Theoretical size.
 2. Tested size.
---
\ No newline at end of file
+--
+endif::microshift[]
\ No newline at end of file
diff --git a/modules/lvms-restoring-volume-snapshots.adoc b/modules/lvms-restoring-volume-snapshots.adoc
index 5aab9a9fb6ed..716426644abc 100644
--- a/modules/lvms-restoring-volume-snapshots.adoc
+++ b/modules/lvms-restoring-volume-snapshots.adoc
@@ -6,7 +6,7 @@
 [id="lvms-restoring-volume-snapshots_{context}"]
 = Restoring volume snapshots
 
-To restore a volume snapshot, you must create a persistent volume claim (PVC) with the `dataSource.name` field set to the name of the volume snapshot. 
+To restore a volume snapshot, you must create a persistent volume claim (PVC) with the `dataSource.name` field set to the name of the volume snapshot.
 
 The restored PVC is independent of the volume snapshot and the source PVC.
 
@@ -43,9 +43,9 @@ spec:
 ----
 <1> Specify the storage size of the restored PVC. The storage size of the requested PVC must be greater than or equal to the stoage size of the volume snapshot that you want to restore. If a larger PVC is required, you can also resize the PVC after restoring the volume snapshot.
 <2> Set this field to the value of the `storageClassName` field in the source PVC of the volume snapshot that you want to restore.
-<3> Set this field to the name of the volume snapshot that you want to restore. 
+<3> Set this field to the name of the volume snapshot that you want to restore.
 
-. Create the PVC in the namespace where you created the the volume snapshot by running the following command:
+. Create the PVC in the namespace where you created the volume snapshot by running the following command:
 +
 [source,terminal]
 ----
diff --git a/modules/lvms-scaling-storage-of-clusters-using-rhacm.adoc b/modules/lvms-scaling-storage-of-clusters-using-rhacm.adoc
index 2f163cc13c4b..47ae8880bf16 100644
--- a/modules/lvms-scaling-storage-of-clusters-using-rhacm.adoc
+++ b/modules/lvms-scaling-storage-of-clusters-using-rhacm.adoc
@@ -57,7 +57,7 @@ apiVersion: policy.open-cluster-management.io/v1
 <1> Contains the configuration to specify the paths to the devices that you want to add to the LVM volume group.
 You can specify the device paths in the `paths` field, the `optionalPaths` field, or both. If you do not specify the device paths in both `paths` and `optionalPaths`, {lvms-first} adds the supported unused devices to the LVM volume group. {lvms} adds the devices to the LVM volume group only if the following conditions are met:
 * The device path exists.
-* The device is supported by {lvms}. For information about unsupported devices, see "Devices not supported by {lvms}" in the "Additional resources" section.
+* The device is supported by {lvms}. For information about unsupported devices, see "Devices not supported by {lvms}".
 <2> Specify the device paths. If the device path specified in this field does not exist, or the device is not supported by {lvms}, the `LVMCluster` CR moves to the `Failed` state.
 <3> Specify the optional device paths. If the device path specified in this field does not exist, or the device is not supported by {lvms}, {lvms} ignores the device without causing an error. 
 +
diff --git a/modules/lvms-troubleshooting-investigating-a-pvc-stuck-in-the-pending-state.adoc b/modules/lvms-troubleshooting-investigating-a-pvc-stuck-in-the-pending-state.adoc
index b9c981fcf33e..f89f7c304f72 100644
--- a/modules/lvms-troubleshooting-investigating-a-pvc-stuck-in-the-pending-state.adoc
+++ b/modules/lvms-troubleshooting-investigating-a-pvc-stuck-in-the-pending-state.adoc
@@ -1,20 +1,23 @@
-// This module is included in the following assemblies:
+// Module included in the following assemblies:
 //
-// storage/persistent_storage/persistent_storage_local/troubleshooting-local-persistent-storage-using-lvms.adoc
+// storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="investigating-a-pvc-stuck-in-the-pending-state_{context}"]
 = Investigating a PVC stuck in the Pending state
 
-A persistent volume claim (PVC) can get stuck in a `Pending` state for a number of reasons. For example:
+A persistent volume claim (PVC) can get stuck in the `Pending` state for the following reasons:
 
-- Insufficient computing resources
-- Network problems
-- Mismatched storage class or node selector
-- No available volumes
-- The node with the persistent volume (PV) is in a `Not Ready` state
+- Insufficient computing resources.
+- Network problems.
+- Mismatched storage class or node selector.
+- No available persistent volumes (PVs).
+- The node with the PV is in the `Not Ready` state.
 
-Identify the cause by using the `oc describe` command to review details about the stuck PVC.
+.Prerequisites
+
+* You have installed the {oc-first}.
+* You have logged in to the {oc-first} as a user with `cluster-admin` permissions.
 
 .Procedure
 
diff --git a/modules/lvms-troubleshooting-performing-a-forced-cleanup.adoc b/modules/lvms-troubleshooting-performing-a-forced-cleanup.adoc
index 8e53ef18ccf4..9eccaa5bd204 100644
--- a/modules/lvms-troubleshooting-performing-a-forced-cleanup.adoc
+++ b/modules/lvms-troubleshooting-performing-a-forced-cleanup.adoc
@@ -1,18 +1,22 @@
-// This module is included in the following assemblies:
+// Module included in the following assemblies:
 //
-// storage/persistent_storage/persistent_storage_local/troubleshooting-local-persistent-storage-using-lvms.adoc
+// storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="performing-a-forced-cleanup_{context}"]
-= Performing a forced cleanup
+= Performing a forced clean-up
 
-If disk- or node-related problems persist after you complete the troubleshooting procedures, it might be necessary to perform a forced cleanup procedure. A forced cleanup is used to comprehensively address persistent issues and ensure the proper functioning of the LVMS.
+If the disk or node-related problems persist even after you have completed the troubleshooting procedures, you must perform a forced clean-up. A forced clean-up is used to address persistent issues and ensure the proper functioning of {lvms-first}.
 
 .Prerequisites
 
-. All of the persistent volume claims (PVCs) created using the logical volume manager storage (LVMS) driver have been removed.
+* You have installed the {oc-first}.
 
-. The pods using those PVCs have been stopped.
+* You have logged in to the {oc-first} as a user with `cluster-admin` permissions.
+
+* You have deleted all the persistent volume claims (PVCs) that were created by using {lvms}.
+
+* You have stopped the pods that are using the PVCs that were created by using {lvms}.
 
 
 .Procedure
@@ -24,74 +28,70 @@ If disk- or node-related problems persist after you complete the troubleshooting
 $ oc project openshift-storage
 ----
 
-. Ensure there is no `Logical Volume` custom resource (CR) remaining by running the following command:
+. Check if the `LogicalVolume` custom resources (CRs) are present by running the following command:
 +
 [source,terminal]
 ----
 $ oc get logicalvolume
 ----
-+
-.Example output
-[source,terminal]
-----
-No resources found
-----
 
-.. If there are any `LogicalVolume` CRs remaining, remove their finalizers by running the following command:
+.. If the `LogicalVolume` CRs are present, delete them by running the following command:
 +
 [source,terminal]
 ----
-$ oc patch logicalvolume <name> -p '{"metadata":{"finalizers":[]}}' --type=merge <1>
+$ oc delete logicalvolume <name> <1>
 ----
-<1> Replace `<name>` with the name of the CR.
+<1> Replace `<name>` with the name of the `LogicalVolume` CR.
 
-.. After removing their finalizers, delete the CRs by running the following command:
+.. After deleting the `LogicalVolume` CRs, remove their finalizers by running the following command:
 +
 [source,terminal]
 ----
-$ oc delete logicalvolume <name> <1>
+$ oc patch logicalvolume <name> -p '{"metadata":{"finalizers":[]}}' --type=merge <1>
 ----
-<1> Replace `<name>` with the name of the CR.
+<1> Replace `<name>` with the name of the `LogicalVolume` CR.
 
-. Make sure there are no `LVMVolumeGroup` CRs left by running the following command:
+. Check if the `LVMVolumeGroup` CRs are present by running the following command:
 +
 [source,terminal]
 ----
 $ oc get lvmvolumegroup
 ----
+
+.. If the `LVMVolumeGroup` CRs are present, delete them by running the following command:
 +
-.Example output
 [source,terminal]
 ----
-No resources found
+$ oc delete lvmvolumegroup <name> <1>
 ----
+<1> Replace `<name>` with the name of the `LVMVolumeGroup` CR.
 
-.. If there are any `LVMVolumeGroup` CRs left, remove their finalizers by running the following command:
+.. After deleting the `LVMVolumeGroup` CRs, remove their finalizers by running the following command:
 +
 [source,terminal]
 ----
 $ oc patch lvmvolumegroup <name> -p '{"metadata":{"finalizers":[]}}' --type=merge <1>
 ----
-<1> Replace `<name>` with the name of the CR.
+<1> Replace `<name>` with the name of the `LVMVolumeGroup` CR. 
 
-.. After removing their finalizers, delete the CRs by running the following command:
+. Delete any `LVMVolumeGroupNodeStatus` CRs by running the following command:
 +
 [source,terminal]
 ----
-$ oc delete lvmvolumegroup <name> <1>
+$ oc delete lvmvolumegroupnodestatus --all
 ----
-<1> Replace `<name>` with the name of the CR.
 
-. Remove any `LVMVolumeGroupNodeStatus` CRs by running the following command:
+. Delete the `LVMCluster` CR by running the following command:
 +
 [source,terminal]
 ----
-$ oc delete lvmvolumegroupnodestatus --all
+$ oc delete lvmcluster --all
 ----
 
-. Remove the `LVMCluster` CR by running the following command:
+.. After deleting the `LVMCluster` CR, remove its finalizer by running the following command:
 +
 [source,terminal]
 ----
-$ oc delete lvmcluster --all
+$ oc patch lvmcluster <name> -p '{"metadata":{"finalizers":[]}}' --type=merge <1>
 ----
+<1> Replace `<name>` with the name of the `LVMCluster` CR. 
diff --git a/modules/lvms-troubleshooting-persistent-storage.adoc b/modules/lvms-troubleshooting-persistent-storage.adoc
new file mode 100644
index 000000000000..3dffe9fa4f12
--- /dev/null
+++ b/modules/lvms-troubleshooting-persistent-storage.adoc
@@ -0,0 +1,9 @@
+// Module included in the following assemblies:
+//
+// storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="lvms-troubleshooting-persistent-storage_{context}"]
+= Troubleshooting persistent storage
+
+While configuring persistent storage using {lvms-first}, you can encounter several issues that require troubleshooting.
\ No newline at end of file
diff --git a/modules/lvms-troubleshooting-recovering-from-disk-failure.adoc b/modules/lvms-troubleshooting-recovering-from-disk-failure.adoc
index 182f12c42b69..633fe15cd9ad 100644
--- a/modules/lvms-troubleshooting-recovering-from-disk-failure.adoc
+++ b/modules/lvms-troubleshooting-recovering-from-disk-failure.adoc
@@ -1,12 +1,44 @@
-// This module is included in the following assemblies:
+// Module included in the following assemblies:
 //
-// storage/persistent_storage/persistent_storage_local/troubleshooting-local-persistent-storage-using-lvms.adoc
+// storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="recovering-from-disk-failure_{context}"]
 = Recovering from disk failure
 
-If you see a failure message while inspecting the events associated with the persistent volume claim (PVC), there might be a problem with the underlying volume or disk. Disk and volume provisioning issues often result with a generic error first, such as `Failed to provision volume with StorageClass <storage_class_name>`. A second, more specific error message usually follows.
+If you see a failure message while inspecting the events associated with the persistent volume claim (PVC), there can be a problem with the underlying volume or disk. 
+
+Disk and volume provisioning issues result with a generic error message such as `Failed to provision volume with storage class <storage_class_name>`. The generic error message is followed by a specific volume failure error message.
+
+The following table describes the volume failure error messages:
+
+.Volume failure error messages
+[%autowidth, options="header"]
+|===
+
+|Error message |Description
+
+|`Failed to check volume existence` 
+|Indicates a problem in verifying whether the volume already exists. Volume verification failure can be caused by network connectivity problems or other failures.
+
+|`Failed to bind volume` 
+|Failure to bind a volume can happen if the persistent volume (PV) that is available does not match the requirements of the PVC.
+
+|`FailedMount` or `FailedAttachVolume`
+|This error indicates problems when trying to mount the volume to a node. If the disk has failed, this error can appear when a pod tries to use the PVC.
+
+|`FailedUnMount`
+|This error indicates problems when trying to unmount a volume from a node. If the disk has failed, this error can appear when a pod tries to use the PVC.
+
+|`Volume is already exclusively attached to one node and cannot be attached to another` 
+|This error can appear with storage solutions that do not support `ReadWriteMany` access modes.
+
+|===
+
+.Prerequisites
+
+* You have installed the {oc-first}.
+* You have logged in to the {oc-first} as a user with `cluster-admin` permissions.
 
 .Procedure
 
@@ -16,18 +48,12 @@ If you see a failure message while inspecting the events associated with the per
 ----
 $ oc describe pvc <pvc_name> <1>
 ----
-<1> Replace `<pvc_name>` with the name of the PVC. Here are some examples of disk or volume failure error messages and their causes:
-+
-- *Failed to check volume existence:* Indicates a problem in verifying whether the volume already exists. Volume verification failure can be caused by network connectivity problems or other failures.
-+
-- *Failed to bind volume:* Failure to bind a volume can happen if the persistent volume (PV) that is available does not match the requirements of the PVC.
-+
-- *FailedMount or FailedUnMount:* This error indicates problems when trying to mount the volume to a node or unmount a volume from a node. If the disk has failed, this error might appear when a pod tries to use the PVC.
-+
-- *Volume is already exclusively attached to one node and cannot be attached to another:* This error can appear with storage solutions that do not support `ReadWriteMany` access modes.
+<1> Replace `<pvc_name>` with the name of the PVC.
 
 . Establish a direct connection to the host where the problem is occurring.
 
 . Resolve the disk issue.
 
-After you have resolved the issue with the disk, you might need to perform the forced cleanup procedure if failure messages persist or reoccur.
\ No newline at end of file
+.Next steps
+
+* If the volume failure messages persist or recur even after you have resolved the issue with the disk, you must perform a forced clean-up. For more information, see "Performing a forced clean-up".
\ No newline at end of file
diff --git a/modules/lvms-troubleshooting-recovering-from-missing-lvms-or-operator-components.adoc b/modules/lvms-troubleshooting-recovering-from-missing-lvms-or-operator-components.adoc
index 4d695306c4fe..404f862d1fd4 100644
--- a/modules/lvms-troubleshooting-recovering-from-missing-lvms-or-operator-components.adoc
+++ b/modules/lvms-troubleshooting-recovering-from-missing-lvms-or-operator-components.adoc
@@ -1,16 +1,21 @@
-// This module is included in the following assemblies:
+// Module included in the following assemblies:
 //
-// storage/persistent_storage/persistent_storage_local/troubleshooting-local-persistent-storage-using-lvms.adoc
+// storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="recovering-from-missing-lvms-or-operator-components_{context}"]
-= Recovering from missing LVMS or Operator components
+= Recovering from a missing storage class
 
-If you encounter a storage class "not found" error, check the `LVMCluster` resource and ensure that all the logical volume manager storage (LVMS) pods are running. You can create an `LVMCluster` resource if it does not exist.
+If you encounter the `storage class not found` error, check the `LVMCluster` custom resource (CR) and ensure that all the {lvms-first} pods are in the `Running` state. 
+
+.Prerequisites
+
+* You have installed the {oc-first}.
+* You have logged in to the {oc-first} as a user with `cluster-admin` permissions.
 
 .Procedure
 
-. Verify the presence of the LVMCluster resource by running the following command:
+. Verify that the `LVMCluster` CR is present by running the following command:
 +
 [source,terminal]
 ----
@@ -24,33 +29,9 @@ NAME            AGE
 my-lvmcluster   65m
 ----
 
-. If the cluster does not have an `LVMCluster` resource, create one by running the following command:
-+
-[source,terminal]
-----
-$ oc create -n openshift-storage -f <custom_resource> <1>
-----
-<1> Replace `<custom_resource>` with a custom resource URL or file tailored to your requirements.
-+
-.Example custom resource
-[source,yaml,options="nowrap",role="white-space-pre"]
-----
-apiVersion: lvm.topolvm.io/v1alpha1
-kind: LVMCluster
-metadata:
-  name: my-lvmcluster
-spec:
-  storage:
-    deviceClasses:
-    - name: vg1
-      default: true
-      thinPoolConfig:
-        name: thin-pool-1
-        sizePercent: 90
-        overprovisionRatio: 10
-----
+. If the `LVMCluster` CR is not present, create an `LVMCluster` CR. For more information, see "Ways to create an LVMCluster custom resource".
 
-. Check that all the pods from LVMS are in the `Running` state in the `openshift-storage` namespace by running the following command:
+. In the `openshift-storage` namespace, check that all the {lvms} pods are in the `Running` state by running the following command:
 +
 [source,terminal]
 ----
@@ -67,9 +48,12 @@ topolvm-node-dr26h                    4/4     Running   0             66m
 vg-manager-r6zdv                      1/1     Running   0             66m
 ----
 +
-The expected output is one running instance of `lvms-operator` and `vg-manager`. One instance of `topolvm-controller` and `topolvm-node` is expected for each node.
+The output of this command must contain a running instance of the following pods:
+
+* `lvms-operator`
+* `vg-manager`
 +
-If `topolvm-node` is stuck in the `Init` state, there is a failure to locate an available disk for LVMS to use. To retrieve the information necessary to troubleshoot, review the logs of the `vg-manager` pod by running the following command:
+If the `vg-manager` pod is stuck while loading a configuration file, it is due to a failure to locate an available disk for {lvms} to use. To retrieve the necessary information to troubleshoot this issue, review the logs of the `vg-manager` pod by running the following command:
 +
 [source,terminal]
 ----
diff --git a/modules/lvms-troubleshooting-recovering-from-node-failure.adoc b/modules/lvms-troubleshooting-recovering-from-node-failure.adoc
index 17ab0696ae58..4463637c537c 100644
--- a/modules/lvms-troubleshooting-recovering-from-node-failure.adoc
+++ b/modules/lvms-troubleshooting-recovering-from-node-failure.adoc
@@ -1,12 +1,19 @@
-// This module is included in the following assemblies:
+// Module included in the following assemblies:
 //
-// storage/persistent_storage/persistent_storage_local/troubleshooting-local-persistent-storage-using-lvms.adoc
+// storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="recovering-from-node-failure_{context}"]
 = Recovering from node failure
 
-Sometimes a persistent volume claim (PVC) is stuck in a `Pending` state because a particular node in the cluster has failed. To identify the failed node, you can examine the restart count of the `topolvm-node` pod. An increased restart count indicates potential problems with the underlying node, which may require further investigation and troubleshooting.
+A persistent volume claim (PVC) can be stuck in the `Pending` state due to a node failure in the cluster. 
+
+To identify the failed node, you can examine the restart count of the `topolvm-node` pod. An increased restart count indicates potential problems with the underlying node, which might require further investigation and troubleshooting.
+
+.Prerequisites
+
+* You have installed the {oc-first}.
+* You have logged in to the {oc-first} as a user with `cluster-admin` permissions.
 
 .Procedure
 
@@ -30,5 +37,7 @@ vg-manager-r6zdv                      1/1     Running   0             66m
 vg-manager-990ut                      1/1     Running   0             66m
 vg-manager-an118                      1/1     Running   0             66m
 ----
-+
-After you resolve any issues with the node, you might need to perform the forced cleanup procedure if the PVC is still stuck in a `Pending` state.
\ No newline at end of file
+
+.Next steps
+
+* If the PVC is stuck in the `Pending` state even after you have resolved any issues with the node, you must perform a forced clean-up. For more information, see "Performing a forced clean-up".
\ No newline at end of file
diff --git a/modules/lvms-uninstalling-logical-volume-manager-operator-using-openshift-cli.adoc b/modules/lvms-uninstalling-logical-volume-manager-operator-using-openshift-cli.adoc
new file mode 100644
index 000000000000..ea0aa62c01ff
--- /dev/null
+++ b/modules/lvms-uninstalling-logical-volume-manager-operator-using-openshift-cli.adoc
@@ -0,0 +1,68 @@
+// Module included in the following assemblies:
+//
+// storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="lvms-unstalling-lvms-using-cli_{context}"]
+= Uninstalling {lvms} by using the CLI
+
+You can uninstall {lvms} by using the {oc-first}.
+
+.Prerequisites
+
+* You have logged in to `oc` as a user with `cluster-admin` permissions.
+* You deleted the persistent volume claims (PVCs), volume snapshots, and volume clones provisioned by {lvms}. You have also deleted the applications that are using these resources.
+* You deleted the `LVMCluster` custom resource (CR).
+
+.Procedure
+
+. Get the `currentCSV` value for the {lvms} Operator by running the following command:
++
+[source,terminal]
+----
+$ oc get subscription.operators.coreos.com lvms-operator -n <namespace> -o yaml | grep currentCSV
+----
++
+.Example output
+[source,terminal]
+----
+currentCSV: lvms-operator.v4.15.3
+----
+
+. Delete the subscription by running the following command:
++
+[source,terminal]
+----
+$ oc delete subscription.operators.coreos.com lvms-operator -n <namespace>
+----
++
+.Example output
+[source,terminal]
+----
+subscription.operators.coreos.com "lvms-operator" deleted
+----
+
+. Delete the CSV for the {lvms} Operator in the target namespace by running the following command:
++
+[source,terminal]
+----
+$ oc delete clusterserviceversion <currentCSV> -n <namespace> <1>
+----
+<1> Replace `<currentCSV>` with the `currentCSV` value for the {lvms} Operator.
++
+.Example output
+[source,terminal]
+----
+clusterserviceversion.operators.coreos.com "lvms-operator.v4.15.3" deleted
+----
+
+.Verification
+
+* To verify that the {lvms} Operator is uninstalled, run the following command:
++
+[source,terminal]
+----
+$ oc get csv -n <namespace>
+----
++
+If the {lvms} Operator was successfully uninstalled, it does not appear in the output of this command.
\ No newline at end of file
diff --git a/modules/lvms-uninstalling-logical-volume-manager-operator-using-openshift-web-console.adoc b/modules/lvms-uninstalling-logical-volume-manager-operator-using-openshift-web-console.adoc
index c9b1dd017f6a..9139ae563414 100644
--- a/modules/lvms-uninstalling-logical-volume-manager-operator-using-openshift-web-console.adoc
+++ b/modules/lvms-uninstalling-logical-volume-manager-operator-using-openshift-web-console.adoc
@@ -4,7 +4,7 @@
 
 :_mod-docs-content-type: PROCEDURE
 [id="lvms-unstalling-lvms-with-web-console_{context}"]
-= Uninstalling {lvms} using the web console
+= Uninstalling {lvms} by using the web console
 
 You can uninstall {lvms} using the {product-title} web console.
 
diff --git a/modules/machine-api-vmw-add-tags.adoc b/modules/machine-api-vmw-add-tags.adoc
new file mode 100644
index 000000000000..35c410f9d3b7
--- /dev/null
+++ b/modules/machine-api-vmw-add-tags.adoc
@@ -0,0 +1,72 @@
+// Module included in the following assemblies:
+//
+// * machine_management/creating_machinesets/creating-machineset-vsphere.adoc
+// * machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-vsphere.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="machine-api-vmw-add-tags_{context}"]
+= Adding tags to machines by using machine sets
+
+{product-title} adds a cluster-specific tag to each virtual machine (VM) that it creates.
+The installation program uses these tags to select the VMs to delete when uninstalling a cluster.
+
+In addition to the cluster-specific tags assigned to VMs, you can configure a machine set to add up to 10 additional {vmw-short} tags to the VMs it provisions.
+
+.Prerequisites
+
+* You have access to an {product-title} cluster installed on {vmw-short} using an account with `cluster-admin` permissions.
+* You have access to the VMware vCenter console associated with your cluster.
+* You have created a tag in the vCenter console.
+* You have installed the {oc-first}.
+
+.Procedure
+
+. Use the vCenter console to find the tag ID for any tag that you want to add to your machines:
+
+.. Log in to the vCenter console.
+
+.. From the *Home* menu, click *Tags & Custom Attributes*.
+
+.. Select a tag that you want to add to your machines.
+
+.. Use the browser URL for the tag that you select to identify the tag ID.
++
+.Example tag URL
+[source,text]
+----
+https://vcenter.example.com/ui/app/tags/tag/urn:vmomi:InventoryServiceTag:208e713c-cae3-4b7f-918e-4051ca7d1f97:GLOBAL/permissions
+----
++
+.Example tag ID
+[source,text]
+----
+urn:vmomi:InventoryServiceTag:208e713c-cae3-4b7f-918e-4051ca7d1f97:GLOBAL
+----
+
+. In a text editor, open the YAML file for an existing machine set or create a new one.
+
+. Edit the following lines under the `providerSpec` field:
++
+[source,yaml]
+----
+tag::compute[]
+apiVersion: machine.openshift.io/v1beta1
+kind: MachineSet
+end::compute[]
+tag::controlplane[]
+apiVersion: machine.openshift.io/v1
+kind: ControlPlaneMachineSet
+end::controlplane[]
+# ...
+spec:
+  template:
+    spec:
+      providerSpec:
+        value:
+          tagIDs: # <1>
+          - <tag_id_value> # <2>
+# ...
+----
+<1> Specify a list of up to 10 tags to add to the machines that this machine set provisions.
+<2> Specify the value of the tag that you want to add to your machines.
+For example, `urn:vmomi:InventoryServiceTag:208e713c-cae3-4b7f-918e-4051ca7d1f97:GLOBAL`.
\ No newline at end of file
diff --git a/modules/machine-config-daemon-metrics.adoc b/modules/machine-config-daemon-metrics-understanding.adoc
similarity index 95%
rename from modules/machine-config-daemon-metrics.adoc
rename to modules/machine-config-daemon-metrics-understanding.adoc
index 890fd0d4181b..8619f463fc01 100644
--- a/modules/machine-config-daemon-metrics.adoc
+++ b/modules/machine-config-daemon-metrics-understanding.adoc
@@ -1,9 +1,9 @@
 // Module included in the following assemblies:
 //
-// * nodes/nodes/nodes-nodes-machine-config-daemon-metrics.adoc
+// * machine-config/machine-config-daemon-metrics.adoc
 
-[id="machine-config-daemon-metrics_{context}"]
-= Machine Config Daemon metrics
+[id="machine-config-daemon-metrics-understanding_{context}"]
+= Understanding Machine Config Daemon metrics
 
 Beginning with {product-title} 4.3, the Machine Config Daemon provides a set of metrics. These metrics can be accessed using the Prometheus Cluster Monitoring stack.
 
diff --git a/modules/machine-config-drift-detection.adoc b/modules/machine-config-drift-detection.adoc
index 6866e93b4aac..d432095f0f4c 100644
--- a/modules/machine-config-drift-detection.adoc
+++ b/modules/machine-config-drift-detection.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * post_installation_configuration/machine-configuration-tasks.adoc
+// * machine-configuration/machine-configuration-tasks.adoc
 
 :_mod-docs-content-type: CONCEPT
 [id="machine-config-drift-detection_{context}"]
diff --git a/modules/machine-config-node-disruption-config.adoc b/modules/machine-config-node-disruption-config.adoc
new file mode 100644
index 000000000000..9a5c95bd7ce4
--- /dev/null
+++ b/modules/machine-config-node-disruption-config.adoc
@@ -0,0 +1,132 @@
+// Module included in the following assemblies:
+//
+// * post_installation_configuration/machine-configuration-tasks.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="machine-config-node-disruption-config_{context}"]
+= Configuring node restart behaviors upon machine config changes
+
+You can create a node disruption policy to define the machine configuration changes that cause a disruption to your cluster, and which changes do not.
+
+You can control how your nodes respond to changes in the files in the `/var` or `/etc` directory, the systemd units, the SSH keys, and the `registries.conf` file.
+
+include::snippets/machine-config-node-disruption-actions.adoc[]
+
+.Prerequisites
+
+* You have enabled the `TechPreviewNoUpgrade` feature set by using the feature gates. For more information, see "Enabling features using feature gates".
++
+[WARNING]
+====
+Enabling the `TechPreviewNoUpgrade` feature set on your cluster prevents minor version updates. The `TechPreviewNoUpgrade` feature set cannot be disabled. Do not enable this feature set on production clusters.
+====
+
+.Procedure
+
+. Edit the `machineconfigurations.operator.openshift.io` object to define the node disruption policy:
++
+[source,terminal]
+----
+$ oc edit MachineConfiguration cluster -n openshift-machine-config-operator
+----
+
+. Add a node disruption policy similar to the following:
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1
+kind: MachineConfiguration
+metadata:
+  name: cluster
+# ...
+spec:
+  nodeDisruptionPolicy: <1>
+    files: # <2>
+    - actions: # <3>
+      - reload: # <4>
+          serviceName: chronyd.service # <5>
+        type: Reload
+      path: /etc/chrony.conf # <6>
+    sshkey: # <7>
+      actions:
+      - type: Drain
+      - reload:
+          serviceName: crio.service
+        type: Reload
+      - type: DaemonReload
+      - restart:
+          serviceName: crio.service
+        type: Restart
+    units: # <8>
+    - actions:
+      - type: Drain
+      - reload:
+          serviceName: crio.service
+        type: Reload
+      - type: DaemonReload
+      - restart:
+          serviceName: crio.service
+        type: Restart
+      name: test.service
+----
+<1> Specifies the node disruption policy. 
+<2> Specifies a list of machine config file definitions and actions to take to changes on those paths. This list supports a maximum of 50 entries.
+<3> Specifies the series of actions to be executed upon changes to the specified files. Actions are applied in the order that they are set in this list. This list supports a maximum of 10 entries.
+<4> Specifies that the listed service is to be reloaded upon changes to the specified files. 
+<5> Specifies the full name of the service to be acted upon. 
+<6> Specifies the location of a file that is managed by a machine config. The actions in the policy apply when changes are made to the file in `path`.
+<7> Specifies a list of service names and actions to take upon changes to the SSH keys in the cluster.
+<8> Specifies a list of systemd unit names and actions to take upon changes to those units.
+
+.Verification
+
+* View the `MachineConfiguration` object file that you created:
++
+----
+$ oc get MachineConfiguration/cluster -o yaml
+----
++
+.Example output
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1
+kind: MachineConfiguration
+metadata:
+  labels:
+    machineconfiguration.openshift.io/role: worker
+  name: cluster
+# ...
+status:
+  nodeDisruptionPolicyStatus: <1>
+    clusterPolicies:
+      files:
+# ...
+      - actions:
+        - reload:
+            serviceName: chronyd.service
+          type: Reload
+        path: /etc/chrony.conf
+      sshkey:
+        actions:
+        - type: Drain
+        - reload:
+            serviceName: crio.service
+          type: Reload
+        - type: DaemonReload
+        - restart:
+            serviceName: crio.service
+          type: Restart
+      units:
+      - actions:
+        - type: Drain
+        - reload:
+            serviceName: crio.service
+          type: Reload
+        - type: DaemonReload
+        - restart:
+            serviceName: crio.service
+          type: Restart
+        name: test.se
+# ...
+----
+<1> Specifies the current cluster-validated policies.
diff --git a/modules/machine-config-node-disruption-example.adoc b/modules/machine-config-node-disruption-example.adoc
new file mode 100644
index 000000000000..df8410d7f0de
--- /dev/null
+++ b/modules/machine-config-node-disruption-example.adoc
@@ -0,0 +1,146 @@
+// Module included in the following assemblies:
+//
+// * post_installation_configuration/machine-configuration-tasks.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="machine-config-node-disruption-example_{context}"]
+= Example node disruption policies
+
+The following example `MachineConfiguration` objects contain a node disruption policy.
+
+[TIP]
+====
+A `MachineConfiguration` object and a `MachineConfig` object are different objects. A `MachineConfiguration` object is a singleton object in the MCO namespace that contains configuration parameters for the MCO operator. A `MachineConfig` object defines changes that are applied to a machine config pool.
+====
+
+The following example `MachineConfiguration` object shows no user defined policies. The default node disruption policy values are shown in the `status` stanza.
+
+.Default node disruption policy
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1
+kind: MachineConfiguration
+  name: cluster
+spec:
+  logLevel: Normal
+  managementState: Managed
+  operatorLogLevel: Normal
+status:
+  nodeDisruptionPolicyStatus:
+    clusterPolicies:
+      files:
+      - actions:
+        - type: None
+        path: /etc/mco/internal-registry-pull-secret.json
+      - actions:
+        - type: None
+        path: /var/lib/kubelet/config.json
+      - actions:
+        - reload:
+            serviceName: crio.service
+          type: Reload
+        path: /etc/machine-config-daemon/no-reboot/containers-gpg.pub
+      - actions:
+        - reload:
+            serviceName: crio.service
+          type: Reload
+        path: /etc/containers/policy.json
+      - actions:
+        - type: Special
+        path: /etc/containers/registries.conf
+      sshkey:
+        actions:
+        - type: None
+  readyReplicas: 0
+----
+
+In the following example, when changes are made to the SSH keys, the MCO drains the cluster nodes, reloads the `crio.service`, reloads the systemd configuration, and restarts the `crio-service`.
+
+.Example node disruption policy for an SSH key change
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1
+kind: MachineConfiguration
+metadata:
+  name: cluster
+  namespace: openshift-machine-config-operator
+# ...
+spec:
+  nodeDisruptionPolicy:
+    sshkey:
+      actions:
+      - type: Drain
+      - reload:
+          serviceName: crio.service
+        type: Reload
+      - type: DaemonReload
+      - restart:
+          serviceName: crio.service
+        type: Restart
+# ...
+----
+
+In the following example, when changes are made to the files in the `/etc/chrony.conf` directory, the MCO reloads the `chronyd.service` on the cluster nodes.
+
+.Example node disruption policy for a configuration file change
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1
+kind: MachineConfiguration
+metadata:
+  name: cluster
+  namespace: openshift-machine-config-operator
+# ...
+spec:
+  nodeDisruptionPolicy:
+    files:
+    - actions:
+      - reload:
+          serviceName: chronyd.service
+        type: Reload
+      path: /etc/chrony.conf
+----
+
+In the following example, when changes are made to the `auditd.service`	systemd unit, the MCO drains the cluster nodes, reloads the `crio.service`, reloads the systemd manager configuration, and restarts the `crio.service`.
+
+.Example node disruption policy for a configuration file change
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1
+kind: MachineConfiguration
+metadata:
+  name: cluster
+  namespace: openshift-machine-config-operator
+# ...
+spec:
+  nodeDisruptionPolicy:
+    units:
+      - name: auditd.service
+        actions:
+          - type: Drain
+          - type: Reload
+            reload:
+              serviceName: crio.service
+          - type: DaemonReload
+          - type: Restart
+            restart:
+              serviceName: crio.service
+----
+
+In the following example, when changes are made to the files in the `registries.conf` directory, the MCO does not drain or reboot the nodes and applies the changes with no further action.
+
+.Example node disruption policy for a configuration file change
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1
+kind: MachineConfiguration
+metadata:
+  name: cluster
+  namespace: openshift-machine-config-operator
+# ...
+spec:
+  nodeDisruptionPolicy:
+      - actions:
+        - type: None
+        path: /etc/containers/registries.conf
+----
diff --git a/modules/machine-config-operator.adoc b/modules/machine-config-operator.adoc
index 26286845323d..513112e7a6f3 100644
--- a/modules/machine-config-operator.adoc
+++ b/modules/machine-config-operator.adoc
@@ -1,7 +1,6 @@
 // Module included in the following assemblies:
 //
 // * operators/operator-reference.adoc
-// * post_installation_configuration/machine-configuration-tasks.adoc
 
 [id="machine-config-operator_{context}"]
 = Machine Config Operator
@@ -20,11 +19,8 @@ There are four components:
 
 include::snippets/mcs-endpoint-limitation.adoc[]
 
-.Additional resources
-
-* xref:../networking/openshift_sdn/about-openshift-sdn.adoc#about-openshift-sdn[About the OpenShift SDN network plugin].
-
 [discrete]
 == Project
 
 link:https://github.com/openshift/machine-config-operator[openshift-machine-config-operator]
+
diff --git a/modules/machine-config-overview.adoc b/modules/machine-config-overview.adoc
index 390cbea8c32b..a8ed14d46f17 100644
--- a/modules/machine-config-overview.adoc
+++ b/modules/machine-config-overview.adoc
@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * operators/operator-reference.adoc
-// * post_installation_configuration/machine-configuration-tasks.adoc
+// * machine_configuration/index.adoc
 
 :_mod-docs-content-type: CONCEPT
 [id="machine-config-overview-{context}"]
@@ -59,21 +59,21 @@ The kinds of components that MCO can change include:
 * **kernelType**: Optionally identify a non-standard kernel to use instead of the standard kernel. Use `realtime` to use the RT kernel (for RAN). This is only supported on select platforms. Use the `64k-pages` parameter to enable the 64k page size kernel. This setting is exclusive to machines with 64-bit ARM architectures.
 ifndef::openshift-origin[]
 * **fips**: Enable link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/security_hardening/index#using-the-system-wide-cryptographic-policies_security-hardening[FIPS] mode. FIPS should be set at installation-time setting and not a postinstallation procedure.
++
+--
+include::snippets/fips-snippet.adoc[]
+--
 
-[IMPORTANT]
-====
-To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. When running {op-system-base-full} or {op-system-first} booted in FIPS mode, {product-title} core components use the {op-system-base} cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.
-====
 endif::openshift-origin[]
 * **extensions**: Extend {op-system} features by adding selected pre-packaged software. For this feature, available extensions include link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/security_hardening/index#protecting-systems-against-intrusive-usb-devices_security-hardening[usbguard] and kernel modules.
 * **Custom resources (for `ContainerRuntime` and `Kubelet`)**: Outside of machine configs, MCO manages two special custom resources for modifying CRI-O container runtime settings (`ContainerRuntime` CR) and the Kubelet service (`Kubelet` CR).
 
 The MCO is not the only Operator that can change operating system components on {product-title} nodes. Other Operators can modify operating system-level features as well. One example is the Node Tuning Operator, which allows you to do node-level tuning through Tuned daemon profiles.
 
-Tasks for the MCO configuration that can be done postinstallation are included in the following procedures. See descriptions of {op-system} bare metal installation for system configuration tasks that must be done during or before {product-title} installation.
+Tasks for the MCO configuration that can be done after installation are included in the following procedures. See descriptions of {op-system} bare metal installation for system configuration tasks that must be done during or before {product-title} installation. By default, many of the changes you make with the MCO require a reboot. 
 
-There might be situations where the configuration on a node does not fully match what the currently-applied machine config specifies. This state is called _configuration drift_. The Machine Config Daemon (MCD) regularly checks the nodes for configuration drift. If the MCD detects configuration drift, the MCO marks the node `degraded` until an administrator corrects the node configuration. A degraded node is online and operational, but, it cannot be updated. For more information on configuration drift, see _Understanding configuration drift detection_.
+include::snippets/node-icsp-no-drain.adoc[]
 
-== Project
+In other cases, you can mitigate the disruption to your workload when the MCO makes changes by using _node disruption policies_. For information, see _Understanding node restart behaviors after machine config changes_.  
 
-See the link:https://github.com/openshift/machine-config-operator[openshift-machine-config-operator] GitHub site for details.
+There might be situations where the configuration on a node does not fully match what the currently-applied machine config specifies. This state is called _configuration drift_. The Machine Config Daemon (MCD) regularly checks the nodes for configuration drift. If the MCD detects configuration drift, the MCO marks the node `degraded` until an administrator corrects the node configuration. A degraded node is online and operational, but, it cannot be updated. For more information on configuration drift, see _Understanding configuration drift detection_.
diff --git a/modules/machine-pools-hcp.adoc b/modules/machine-pools-hcp.adoc
new file mode 100644
index 000000000000..72439d92bf5a
--- /dev/null
+++ b/modules/machine-pools-hcp.adoc
@@ -0,0 +1,20 @@
+// Module included in the following assemblies:
+//
+// * rosa_cluster_admin/rosa_nodes/rosa-nodes-machinepools-about.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="machine-pools-hcp_{context}"]
+= Machine pools in {hcp-title} clusters
+
+In {hcp-title} clusters, the hosted control plane spans three availability zones (AZ) in the installed cloud region. Each machine pool in a {hcp-title} cluster deploys in a single subnet within a single AZ. Each of these AZs can have only one machine pool. 
+
+Each machine pool in an {hcp-title} cluster upgrades independently. Because the machine pools upgrade independently, they must remain within 2 minor (Y-stream) versions of the hosted control plane. For example, if your hosted control plane is 4.16.z, your machine pools must be at least 4.14.z.
+
+The following image depicts how machine pools work within ROSA and {hcp-title} clusters:
+
+image::hcp-rosa-machine-pools.png[Machine pools on ROSA classic and ROSA with HCP clusters]
+
+[NOTE]
+====
+Machine pools in {hcp-title} clusters each upgrade independently and the machine pool versions must remain within two minor (Y-stream) versions of the control plane.
+====
\ No newline at end of file
diff --git a/modules/machine-user-infra-machines-ibm-z-kvm.adoc b/modules/machine-user-infra-machines-ibm-z-kvm.adoc
index 72471a526914..d90215ae2a3a 100644
--- a/modules/machine-user-infra-machines-ibm-z-kvm.adoc
+++ b/modules/machine-user-infra-machines-ibm-z-kvm.adoc
@@ -89,7 +89,7 @@ $ virt-install \
    --connect qemu:///system \
    --name <vm_name> \
    --autostart \
-   --os-variant rhel9.2 \ <1>
+   --os-variant rhel9.4 \ <1>
    --cpu host \
    --vcpus <vcpus> \
    --memory <memory_mb> \
@@ -98,15 +98,15 @@ $ virt-install \
    --location <media_location>,kernel=<rhcos_kernel>,initrd=<rhcos_initrd> \ <2>
    --extra-args "rd.neednet=1" \
    --extra-args "coreos.inst.install_dev=/dev/vda" \
-   --extra-args "coreos.inst.ignition_url=<worker_ign>" \ <3>
-   --extra-args "coreos.live.rootfs_url=<rhcos_rootfs>" \ <4>
-   --extra-args "ip=<ip>::<default_gateway>:<subnet_mask_length>:<hostname>::none:<MTU>" \ <5>
+   --extra-args "coreos.inst.ignition_url=http://<http_server>/worker.ign " \ <3>
+   --extra-args "coreos.live.rootfs_url=http://<http_server>/rhcos-<version>-live-rootfs.<architecture>.img" \ <4>
+   --extra-args "ip=<ip>::<gateway>:<netmask>:<hostname>::none" \ <5>
    --extra-args "nameserver=<dns>" \
    --extra-args "console=ttysclp0" \
    --noautoconsole \
    --wait
 ----
-<1> For `os-variant`, specify the {op-system-base} version for the {op-system} compute machine. `rhel9.2` is the recommended version. To query the supported {op-system-base} version of your operating system, run the following command:
+<1> For `os-variant`, specify the {op-system-base} version for the {op-system} compute machine. `rhel9.4` is the recommended version. To query the supported {op-system-base} version of your operating system, run the following command:
 +
 [source,terminal]
 ----
@@ -119,8 +119,8 @@ The `os-variant` is case sensitive.
 ====
 +
 <2> For `--location`, specify the location of the kernel/initrd on the HTTP or HTTPS server.
-<3> For `coreos.inst.ignition_url=`, specify the `worker.ign` Ignition file for the machine role. Only HTTP and HTTPS protocols are supported.
-<4> For `coreos.live.rootfs_url=`, specify the matching rootfs artifact for the `kernel` and `initramfs` you are booting. Only HTTP and HTTPS protocols are supported.
+<3> Specify the location of the `worker.ign` config file. Only HTTP and HTTPS protocols are supported.
+<4> Specify the location of the `rootfs` artifact for the `kernel` and `initramfs` you are booting. Only HTTP and HTTPS protocols are supported
 <5> Optional: For `hostname`, specify the fully qualified hostname of the client machine.
 --
 +
diff --git a/modules/machine-user-infra-machines-ibm-z.adoc b/modules/machine-user-infra-machines-ibm-z.adoc
index d303036e488b..44c215613d49 100644
--- a/modules/machine-user-infra-machines-ibm-z.adoc
+++ b/modules/machine-user-infra-machines-ibm-z.adoc
@@ -53,7 +53,7 @@ $ oc extract -n openshift-machine-api secret/worker-user-data-managed --keys=use
 +
 [source,terminal]
 ----
-$ curl -k http://<HTTP_server>/worker.ign
+$ curl -k http://<http_server>/worker.ign
 ----
 
 . Download the {op-system-base} live `kernel`, `initramfs`, and `rootfs` files by running the following commands:
@@ -93,7 +93,7 @@ $ curl -LO $(oc -n openshift-machine-config-operator get configmap/coreos-bootim
 ** For installations on DASD-type disks, complete the following tasks:
 ... For `coreos.inst.install_dev=`, specify `/dev/dasda`.
 ... Use `rd.dasd=` to specify the DASD where {op-system} is to be installed.
-... Leave all other parameters unchanged.
+... You can adjust further parameters if required.
 +
 The following is an example parameter file, `additional-worker-dasd.parm`:
 +
@@ -102,9 +102,9 @@ The following is an example parameter file, `additional-worker-dasd.parm`:
 rd.neednet=1 \
 console=ttysclp0 \
 coreos.inst.install_dev=/dev/dasda \
-coreos.live.rootfs_url=http://cl1.provide.example.com:8080/assets/rhcos-live-rootfs.s390x.img \
-coreos.inst.ignition_url=http://cl1.provide.example.com:8080/ignition/worker.ign \
-ip=172.18.78.2::172.18.78.1:255.255.255.0:::none nameserver=172.18.78.1 \
+coreos.live.rootfs_url=http://<http_server>/rhcos-<version>-live-rootfs.<architecture>.img \
+coreos.inst.ignition_url=http://<http_server>/worker.ign \
+ip=<ip>::<gateway>:<netmask>:<hostname>::none nameserver=<dns> \
 rd.znet=qeth,0.0.bdf0,0.0.bdf1,0.0.bdf2,layer2=1,portno=0 \
 zfcp.allow_lun_scan=0 \
 rd.dasd=0.0.3490
@@ -125,7 +125,7 @@ When you install with multiple paths, you must enable multipathing directly afte
 ====
 If additional LUNs are configured with NPIV, FCP requires `zfcp.allow_lun_scan=0`. If you must enable `zfcp.allow_lun_scan=1` because you use a CSI driver, for example, you must configure your NPIV so that each node cannot access the boot partition of another node.
 ====
-... Leave all other parameters unchanged.
+... You can adjust further parameters if required.
 +
 [IMPORTANT]
 ====
@@ -140,9 +140,9 @@ The following is an example parameter file, `additional-worker-fcp.parm` for a w
 rd.neednet=1 \
 console=ttysclp0 \
 coreos.inst.install_dev=/dev/sda \
-coreos.live.rootfs_url=http://cl1.provide.example.com:8080/assets/rhcos-live-rootfs.s390x.img \
-coreos.inst.ignition_url=http://cl1.provide.example.com:8080/ignition/worker.ign \
-ip=172.18.78.2::172.18.78.1:255.255.255.0:::none nameserver=172.18.78.1 \
+coreos.live.rootfs_url=http://<http_server>/rhcos-<version>-live-rootfs.<architecture>.img \
+coreos.inst.ignition_url=http://<http_server>/worker.ign \
+ip=<ip>::<gateway>:<netmask>:<hostname>::none nameserver=<dns> \
 rd.znet=qeth,0.0.bdf0,0.0.bdf1,0.0.bdf2,layer2=1,portno=0 \
 zfcp.allow_lun_scan=0 \
 rd.zfcp=0.0.1987,0x50050763070bc5e3,0x4008400B00000000 \
diff --git a/modules/machineconfig-modify-journald.adoc b/modules/machineconfig-modify-journald.adoc
index 14f5ad12155b..45e5ce1051d0 100644
--- a/modules/machineconfig-modify-journald.adoc
+++ b/modules/machineconfig-modify-journald.adoc
@@ -1,7 +1,6 @@
 // Module included in the following assemblies:
 //
-// * installing/post_installation_configuration/machine-configuration-tasks.adoc
-// * post_installation_configuration/machine-configuration-tasks.adoc
+// * machine_configuration/machine-configs-configure.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="machineconfig-modify-journald_{context}"]
diff --git a/modules/machineset-yaml-osp-sr-iov-port-security.adoc b/modules/machineset-yaml-osp-sr-iov-port-security.adoc
index a6a35ef5b043..149244158a4d 100644
--- a/modules/machineset-yaml-osp-sr-iov-port-security.adoc
+++ b/modules/machineset-yaml-osp-sr-iov-port-security.adoc
@@ -47,7 +47,7 @@ spec:
       metadata: {}
       providerSpec:
         value:
-          apiVersion: openstackproviderconfig.openshift.io/v1alpha1
+          apiVersion: machine.openshift.io/v1alpha1
           cloudName: openstack
           cloudsSecret:
             name: openstack-cloud-credentials
diff --git a/modules/machineset-yaml-osp-sr-iov.adoc b/modules/machineset-yaml-osp-sr-iov.adoc
index 285d18adcd57..6715fa59f6c6 100644
--- a/modules/machineset-yaml-osp-sr-iov.adoc
+++ b/modules/machineset-yaml-osp-sr-iov.adoc
@@ -47,7 +47,7 @@ spec:
       metadata:
       providerSpec:
         value:
-          apiVersion: openstackproviderconfig.openshift.io/v1alpha1
+          apiVersion: machine.openshift.io/v1alpha1
           cloudName: openstack
           cloudsSecret:
             name: openstack-cloud-credentials
diff --git a/modules/machineset-yaml-osp.adoc b/modules/machineset-yaml-osp.adoc
index c9c6f15180e3..dc1055c4a847 100644
--- a/modules/machineset-yaml-osp.adoc
+++ b/modules/machineset-yaml-osp.adoc
@@ -74,7 +74,7 @@ ifdef::infra[]
 endif::infra[]
       providerSpec:
         value:
-          apiVersion: openstackproviderconfig.openshift.io/v1alpha1
+          apiVersion: machine.openshift.io/v1alpha1
           cloudName: openstack
           cloudsSecret:
             name: openstack-cloud-credentials
diff --git a/modules/managed-cluster-add-notification-contacts.adoc b/modules/managed-cluster-add-notification-contacts.adoc
index d3bd0c1d72d5..b9a194f38021 100644
--- a/modules/managed-cluster-add-notification-contacts.adoc
+++ b/modules/managed-cluster-add-notification-contacts.adoc
@@ -21,7 +21,7 @@ By default, only the cluster owner receives cluster notification emails. You can
 . Click the **Support** tab.
 . On the **Support** tab, find the **Notification contacts** section.
 . Click **Add notification contact**.
-. In the **Red Hat username or email** field, enter the email address or the user name of the new recipient.
+. In the **Red{nbsp}Hat username or email** field, enter the email address or the user name of the new recipient.
 //. In the type field, select the types of cluster notification to send to this recipient.
 . Click **Add contact**.
 
diff --git a/modules/managed-cluster-notification-policy.adoc b/modules/managed-cluster-notification-policy.adoc
index 9dade1231b78..d8cb6e05d35b 100644
--- a/modules/managed-cluster-notification-policy.adoc
+++ b/modules/managed-cluster-notification-policy.adoc
@@ -11,20 +11,20 @@ Cluster notifications are designed to keep you informed about the health of your
 
 Most cluster notifications are generated and sent automatically to ensure that you are immediately informed of problems or important changes to the state of your cluster.
 
-In certain situations, Red Hat Site Reliability Engineering (SRE) creates and sends cluster notifications to provide additional context and guidance for a complex issue.
+In certain situations, Red{nbsp}Hat Site Reliability Engineering (SRE) creates and sends cluster notifications to provide additional context and guidance for a complex issue.
 
 Cluster notifications are not sent for low-impact events, low-risk security updates, routine operations and maintenance, or minor, transient issues that are quickly resolved by SRE.
 
-Red Hat services automatically send notifications when:
+Red{nbsp}Hat services automatically send notifications when:
 
 * Remote health monitoring or environment verification checks detect an issue in your cluster, for example, when a worker node has low disk space.
 * Significant cluster life cycle events occur, for example, when scheduled maintenance or upgrades begin, or cluster operations are impacted by an event, but do not require customer intervention.
 * Significant cluster management changes occur, for example, when cluster ownership or administrative control is transferred from one user to another.
-* Your cluster subscription is changed or updated, for example, when Red Hat makes updates to subscription terms or features available to your cluster.
+* Your cluster subscription is changed or updated, for example, when Red{nbsp}Hat makes updates to subscription terms or features available to your cluster.
 
 SRE creates and sends notifications when:
 
 * An incident results in a degradation or outage that impacts your cluster's availability or performance, for example, your cloud provider has a regional outage. SRE sends subsequent notifications to inform you of incident resolution progress, and when the incident is resolved.
 * A security vulnerability, security breach, or unusual activity is detected on your cluster.
-* Red Hat detects that changes you have made are creating or may result in cluster instability.
-* Red Hat detects that your workloads are causing performance degradation or instability in your cluster.
+* Red{nbsp}Hat detects that changes you have made are creating or may result in cluster instability.
+* Red{nbsp}Hat detects that your workloads are causing performance degradation or instability in your cluster.
diff --git a/modules/managed-cluster-notification-severity-levels.adoc b/modules/managed-cluster-notification-severity-levels.adoc
index 099ee5f38f29..4d42cd893b9e 100644
--- a/modules/managed-cluster-notification-severity-levels.adoc
+++ b/modules/managed-cluster-notification-severity-levels.adoc
@@ -9,7 +9,7 @@
 
 Each cluster notification has an associated severity level to help you identify notifications with the greatest impact to your business. You can filter cluster notifications according to these severity levels in the {hybrid-console}, in the **Cluster history** tab for your cluster.
 
-Red Hat uses the following severity levels for cluster notifications, from most to least severe:
+Red{nbsp}Hat uses the following severity levels for cluster notifications, from most to least severe:
 
 Critical:: Immediate action is required. One or more key functions of a service or cluster is not working, or will stop working soon. A critical alert is important enough to page on-call staff and interrupt regular workflows.
 Major:: Immediate action is strongly recommended. One or more key functions of the cluster will soon stop working. A major issue may lead to a critical issue if it is not addressed in a timely manner.
diff --git a/modules/managed-cluster-notification-types.adoc b/modules/managed-cluster-notification-types.adoc
index e54f6f2239d1..2e911339b2a4 100644
--- a/modules/managed-cluster-notification-types.adoc
+++ b/modules/managed-cluster-notification-types.adoc
@@ -9,7 +9,7 @@
 
 Each cluster notification has an associated notification type to help you identify notifications that are relevant to your role and responsibilities. You can filter cluster notifications according to these types in the {hybrid-console}, in the **Cluster history** tab for your cluster.
 
-Red Hat uses the following notification types to indicate notification relevance.
+Red{nbsp}Hat uses the following notification types to indicate notification relevance.
 
 Capacity management:: Notifications for events related to updating, creating, or deleting node pools, machine pools, compute replicas or quotas (load balancer, storage, etc.).
 Cluster access:: Notifications for events related to adding or deleting groups, roles or identity providers, for example, when SRE cannot access your cluster because STS credentials have expired, when there is a configuration problem with your AWS roles, or when you add or remove identity providers.
diff --git a/modules/manually-creating-alibaba-manifests.adoc b/modules/manually-creating-alibaba-manifests.adoc
deleted file mode 100644
index ff53ae53c69a..000000000000
--- a/modules/manually-creating-alibaba-manifests.adoc
+++ /dev/null
@@ -1,24 +0,0 @@
-// Module included in the following assemblies:
-//
-// * installing/installing_alibaba/installing-alibaba-default.adoc
-// * installing/installing_alibaba/installing-alibaba-network-customizations.adoc
-// * installing/installing_alibaba/installing-alibaba-vpc.adoc
-
-:_mod-docs-content-type: PROCEDURE
-[id="manually-creating-alibaba-manifests_{context}"]
-= Generating the required installation manifests
-
-You must generate the Kubernetes manifest and Ignition config files that the cluster needs to configure the machines.
-
-.Procedure
-
-. Generate the manifests by running the following command from the directory that contains the installation program:
-+
-[source,terminal]
-----
-$ openshift-install create manifests --dir <installation_directory>
-----
-+
-where:
-
-`<installation_directory>`:: Specifies the directory in which the installation program creates files.
diff --git a/modules/manually-creating-alibaba-ram-user.adoc b/modules/manually-creating-alibaba-ram-user.adoc
deleted file mode 100644
index 881c889c1a6c..000000000000
--- a/modules/manually-creating-alibaba-ram-user.adoc
+++ /dev/null
@@ -1,247 +0,0 @@
-// Module included in the following assemblies:
-//
-// * installing/installing_alibaba/manually-creating-alibaba-ram.adoc
-
-:_mod-docs-content-type: PROCEDURE
-[id="manually-creating-alibaba-ram-user_{context}"]
-= Creating the required RAM user
-
-// https://github.com/openshift/cloud-credential-operator/pull/412/files#diff-2480a11ca4927139d6eaa9883946b6f4cb38358cd98def8c57dd73e9319dbc9cR232
-
-You must have a Alibaba Cloud Resource Access Management (RAM) user for the installation that has sufficient privileges. You can use the Alibaba Cloud Resource Access Management console to create a new user or modify an existing user. Later, you create credentials in {product-title} based on this user's permissions.
-
-When you configure the RAM user, be sure to consider the following requirements:
-
-* The user must have an Alibaba Cloud AccessKey ID and AccessKey secret pair.
-
-** For a new user, you can select `Open API Access` for the Access Mode when creating the user. This mode generates the required AccessKey pair.
-** For an existing user, you can add an AccessKey pair or you can link:https://www.alibabacloud.com/help/en/doc-detail/53045.htm[obtain the AccessKey pair] for that user.
-+
-[NOTE]
-====
-When created, the AccessKey secret is displayed only once. You must immediately save the AccessKey pair because the AccessKey pair is required for API calls.
-====
-
-* Add the AccessKey ID and secret to the link:https://www.alibabacloud.com/help/en/doc-detail/311667.htm#h2-sls-mfm-3p3[`~/.alibabacloud/credentials` file] on your local computer. Alibaba Cloud automatically creates this file when you log in to the console. The Cloud Credential Operator (CCO) utility, ccoutil, uses these credentials when processing `Credential Request` objects.
-+
-For example:
-+
-[source,terminal]
-----
-[default]                          # Default client
-type = access_key                  # Certification type: access_key
-access_key_id = LTAI5t8cefXKmt                # Key <1>
-access_key_secret = wYx56mszAN4Uunfh            # Secret
-----
-<1> Add your AccessKeyID and AccessKeySecret here.
-
-* The RAM user must have the `AdministratorAccess` policy to ensure that the account has sufficient permission to create the {product-title} cluster. This policy grants permissions to manage all Alibaba Cloud resources.
-+
-When you attach the `AdministratorAccess` policy to a RAM user, you grant that user full access to all Alibaba Cloud services and resources. If you do not want to create a user with full access, create a custom policy with the following actions that you can add to your RAM user for installation. These actions are sufficient to install {product-title}.
-+
-[TIP]
-====
-You can copy and paste the following JSON code into the Alibaba Cloud console to create a custom poicy. For information on creating custom policies, see link:https://www.alibabacloud.com/help/en/doc-detail/93733.html[Create a custom policy] in the Alibaba Cloud documentation.
-====
-+
-.Example custom policy JSON file
-[%collapsible]
-====
-[source,json]
-----
-{
-  "Version": "1",
-  "Statement": [
-    {
-      "Action": [
-        "tag:ListTagResources",
-        "tag:UntagResources"
-      ],
-      "Resource": "*",
-      "Effect": "Allow"
-    },
-    {
-      "Action": [
-        "vpc:DescribeVpcs",
-        "vpc:DeleteVpc",
-        "vpc:DescribeVSwitches",
-        "vpc:DeleteVSwitch",
-        "vpc:DescribeEipAddresses",
-        "vpc:DescribeNatGateways",
-        "vpc:ReleaseEipAddress",
-        "vpc:DeleteNatGateway",
-        "vpc:DescribeSnatTableEntries",
-        "vpc:CreateSnatEntry",
-        "vpc:AssociateEipAddress",
-        "vpc:ListTagResources",
-        "vpc:TagResources",
-        "vpc:DescribeVSwitchAttributes",
-        "vpc:CreateVSwitch",
-        "vpc:CreateNatGateway",
-        "vpc:DescribeRouteTableList",
-        "vpc:CreateVpc",
-        "vpc:AllocateEipAddress",
-        "vpc:ListEnhanhcedNatGatewayAvailableZones"
-      ],
-      "Resource": "*",
-      "Effect": "Allow"
-    },
-    {
-      "Action": [
-        "ecs:ModifyInstanceAttribute",
-        "ecs:DescribeSecurityGroups",
-        "ecs:DeleteSecurityGroup",
-        "ecs:DescribeSecurityGroupReferences",
-        "ecs:DescribeSecurityGroupAttribute",
-        "ecs:RevokeSecurityGroup",
-        "ecs:DescribeInstances",
-        "ecs:DeleteInstances",
-        "ecs:DescribeNetworkInterfaces",
-        "ecs:DescribeInstanceRamRole",
-        "ecs:DescribeUserData",
-        "ecs:DescribeDisks",
-        "ecs:ListTagResources",
-        "ecs:AuthorizeSecurityGroup",
-        "ecs:RunInstances",
-        "ecs:TagResources",
-        "ecs:ModifySecurityGroupPolicy",
-        "ecs:CreateSecurityGroup",
-        "ecs:DescribeAvailableResource",
-        "ecs:DescribeRegions",
-        "ecs:AttachInstanceRamRole"
-      ],
-      "Resource": "*",
-      "Effect": "Allow"
-    },
-    {
-      "Action": [
-        "pvtz:DescribeRegions",
-        "pvtz:DescribeZones",
-        "pvtz:DeleteZone",
-        "pvtz:DeleteZoneRecord",
-        "pvtz:BindZoneVpc",
-        "pvtz:DescribeZoneRecords",
-        "pvtz:AddZoneRecord",
-        "pvtz:SetZoneRecordStatus",
-        "pvtz:DescribeZoneInfo",
-        "pvtz:DescribeSyncEcsHostTask",
-        "pvtz:AddZone"
-      ],
-      "Resource": "*",
-      "Effect": "Allow"
-    },
-    {
-      "Action": [
-        "slb:DescribeLoadBalancers",
-        "slb:SetLoadBalancerDeleteProtection",
-        "slb:DeleteLoadBalancer",
-        "slb:SetLoadBalancerModificationProtection",
-        "slb:DescribeLoadBalancerAttribute",
-        "slb:AddBackendServers",
-        "slb:DescribeLoadBalancerTCPListenerAttribute",
-        "slb:SetLoadBalancerTCPListenerAttribute",
-        "slb:StartLoadBalancerListener",
-        "slb:CreateLoadBalancerTCPListener",
-        "slb:ListTagResources",
-        "slb:TagResources",
-        "slb:CreateLoadBalancer"
-      ],
-      "Resource": "*",
-      "Effect": "Allow"
-    },
-    {
-      "Action": [
-        "ram:ListResourceGroups",
-        "ram:DeleteResourceGroup",
-        "ram:ListPolicyAttachments",
-        "ram:DetachPolicy",
-        "ram:GetResourceGroup",
-        "ram:CreateResourceGroup",
-        "ram:DeleteRole",
-        "ram:GetPolicy",
-        "ram:DeletePolicy",
-        "ram:ListPoliciesForRole",
-        "ram:CreateRole",
-        "ram:AttachPolicyToRole",
-        "ram:GetRole",
-        "ram:CreatePolicy",
-        "ram:CreateUser",
-        "ram:DetachPolicyFromRole",
-        "ram:CreatePolicyVersion",
-        "ram:DetachPolicyFromUser",
-        "ram:ListPoliciesForUser",
-        "ram:AttachPolicyToUser",
-        "ram:CreateUser",
-        "ram:GetUser",
-        "ram:DeleteUser",
-        "ram:CreateAccessKey",
-        "ram:ListAccessKeys",
-        "ram:DeleteAccessKey",
-        "ram:ListUsers",
-        "ram:ListPolicyVersions"
-      ],
-      "Resource": "*",
-      "Effect": "Allow"
-    },
-    {
-      "Action": [
-        "oss:DeleteBucket",
-        "oss:DeleteBucketTagging",
-        "oss:GetBucketTagging",
-        "oss:GetBucketCors",
-        "oss:GetBucketPolicy",
-        "oss:GetBucketLifecycle",
-        "oss:GetBucketReferer",
-        "oss:GetBucketTransferAcceleration",
-        "oss:GetBucketLog",
-        "oss:GetBucketWebSite",
-        "oss:GetBucketInfo",
-        "oss:PutBucketTagging",
-        "oss:PutBucket",
-        "oss:OpenOssService",
-        "oss:ListBuckets",
-        "oss:GetService",
-        "oss:PutBucketACL",
-        "oss:GetBucketLogging",
-        "oss:ListObjects",
-        "oss:GetObject",
-        "oss:PutObject",
-        "oss:DeleteObject"
-      ],
-      "Resource": "*",
-      "Effect": "Allow"
-    },
-    {
-      "Action": [
-        "alidns:DescribeDomainRecords",
-        "alidns:DeleteDomainRecord",
-        "alidns:DescribeDomains",
-        "alidns:DescribeDomainRecordInfo",
-        "alidns:AddDomainRecord",
-        "alidns:SetDomainRecordStatus"
-      ],
-      "Resource": "*",
-      "Effect": "Allow"
-    },
-    {
-      "Action": "bssapi:CreateInstance",
-      "Resource": "*",
-      "Effect": "Allow"
-    },
-    {
-      "Action": "ram:PassRole",
-      "Resource": "*",
-      "Effect": "Allow",
-      "Condition": {
-        "StringEquals": {
-          "acs:Service": "ecs.aliyuncs.com"
-        }
-      }
-    }
-  ]
-}
-----
-====
-
-For more information about creating a RAM user and granting permissions, see link:https://www.alibabacloud.com/help/en/doc-detail/93720.htm[Create a RAM user] and link:https://www.alibabacloud.com/help/en/doc-detail/116146.htm[Grant permissions to a RAM user] in the Alibaba Cloud documentation.
-
diff --git a/modules/manually-maintained-credentials-upgrade-extract.adoc b/modules/manually-maintained-credentials-upgrade-extract.adoc
index f1d721468f62..ed946477f7ce 100644
--- a/modules/manually-maintained-credentials-upgrade-extract.adoc
+++ b/modules/manually-maintained-credentials-upgrade-extract.adoc
@@ -32,7 +32,7 @@ The output of this command includes pull specs for the available updates similar
 Recommended updates:
 
 VERSION IMAGE
-4.15.0  quay.io/openshift-release-dev/ocp-release@sha256:6a899c54dda6b844bb12a247e324a0f6cde367e880b73ba110c056df6d018032
+4.16.0  quay.io/openshift-release-dev/ocp-release@sha256:6a899c54dda6b844bb12a247e324a0f6cde367e880b73ba110c056df6d018032
 ...
 ----
 
diff --git a/modules/mco-update-boot-images-configuring.adoc b/modules/mco-update-boot-images-configuring.adoc
new file mode 100644
index 000000000000..cbfc08ff7b1c
--- /dev/null
+++ b/modules/mco-update-boot-images-configuring.adoc
@@ -0,0 +1,116 @@
+// Module included in the following assemblies:
+//
+// * machine-configuration/mco-update-boot-images.adoc
+// * nodes/nodes-nodes-managing.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="mco-update-boot-images-configuring_{context}"]
+= Configuring updated boot images
+
+By default, {product-title} does not manage the boot image. You can configure your cluster to update the boot image whenever you update your cluster by modifying the `MachineConfiguration` object.
+
+.Prerequisites
+
+* You have enabled the `TechPreviewNoUpgrade` feature set by using the feature gates. For more information, see "Enabling features using feature gates" in the _Additional resources_  section.
+
+.Procedure
+
+. Edit the `MachineConfiguration` object, named `cluster`, to enable the updating of boot images by running the following command:
++
+[source,terminal]
+----
+$ oc edit MachineConfiguration cluster
+----
+
+.. Optional: Configure the boot image update feature for all the machine sets:
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1
+kind: MachineConfiguration
+metadata:
+  name: cluster
+  namespace: openshift-machine-config-operator
+spec:
+# ...
+  managedBootImages: <1>
+    machineManagers:
+    - resource: machinesets
+      apiGroup: machine.openshift.io
+      selection:
+        mode: All <2>
+----
+<1> Activates the boot image update feature.
+<2> Specifies that all the machine sets in the cluster are to be updated.
+
+.. Optional: Configure the boot image update feature for specific machine sets:
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1
+kind: MachineConfiguration
+metadata:
+  name: cluster
+  namespace: openshift-machine-config-operator
+spec:
+# ...
+  managedBootImages: <1>
+    machineManagers:
+    - resource: machinesets
+      apiGroup: machine.openshift.io
+      selection:
+        mode: Partial
+          partial:
+            machineResourceSelector:
+              matchLabels:
+                update-boot-image: "true" <2>
+----
+<1> Activates the boot image update feature.
+<2> Specifies that any machine set with this label is to be updated.
++
+[TIP]
+====
+If an appropriate label is not present on the machine set, add a key/value pair by running a command similar to following:
+
+----
+$ oc label machineset.machine ci-ln-hmy310k-72292-5f87z-worker-a update-boot-image=true -n openshift-machine-api
+----
+====
+
+.Verification
+
+. Get the boot image version by running the following command:
++
+[source,terminal]
+----
+$ oc get machinesets <machineset_name> -n openshift-machine-api -o yaml
+----
++
+.Example machine set with the boot image reference
++
+[source,yaml]
+----
+apiVersion: machine.openshift.io/v1beta1
+kind: MachineSet
+metadata:
+  labels:
+    machine.openshift.io/cluster-api-cluster: ci-ln-77hmkpt-72292-d4pxp
+    update-boot-image: "true"
+  name: ci-ln-77hmkpt-72292-d4pxp-worker-a
+  namespace: openshift-machine-api
+spec:
+# ...
+  template:
+# ...
+    spec:
+# ...
+      providerSpec:
+# ...
+        value:
+          disks:
+          - autoDelete: true
+            boot: true
+            image: projects/rhcos-cloud/global/images/rhcos-416-92-202402201450-0-gcp-x86-64 <1>
+# ...
+----
+<1> This boot image is the same as the current {product-title} version.
diff --git a/modules/mco-update-boot-images-disable.adoc b/modules/mco-update-boot-images-disable.adoc
new file mode 100644
index 000000000000..137351b21f68
--- /dev/null
+++ b/modules/mco-update-boot-images-disable.adoc
@@ -0,0 +1,41 @@
+// Module included in the following assemblies:
+//
+// * post_installation_configuration/machine-configuration-tasks.adoc
+// * nodes/nodes-nodes-managing.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="mco-update-boot-images-disable_{context}"]
+= Disabling updated boot images
+
+To disable the updated boot image feature, edit the `MachineConfiguration` object to remove the `managedBootImages` stanza.
+
+If you disable this feature after some nodes have been created with the new boot image version, any existing nodes retain their current boot image. Turning off this feature does not rollback the nodes or machine sets to the originally-installed boot image. The machine sets retain the boot image version that was present when the feature was enabled and is not updated again when the cluster is upgraded to a new {product-title} version in the future.
+
+.Procedure
+
+. Disable updated boot images by editing the `MachineConfiguration` object:
++
+[source,terminal]
+----
+$ oc edit MachineConfiguration cluster
+----
+
+. Remove the `managedBootImages` stanza:
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1
+kind: MachineConfiguration
+metadata:
+  name: cluster
+  namespace: openshift-machine-config-operator
+spec:
+# ...
+  managedBootImages: <1>
+    machineManagers:
+    - resource: machinesets
+      apiGroup: machine.openshift.io
+      selection:
+        mode: All
+----
+<1> Remove the entire stanza to disable updated boot images.
diff --git a/modules/mco-update-boot-images.adoc b/modules/mco-update-boot-images.adoc
new file mode 100644
index 000000000000..bbd1be743cfe
--- /dev/null
+++ b/modules/mco-update-boot-images.adoc
@@ -0,0 +1,159 @@
+// Module included in the following assemblies:
+//
+// * post_installation_configuration/machine-configuration-tasks.adoc
+// * nodes/nodes-nodes-managing.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="mco-update-boot-images_{context}"]
+= Updating boot images
+
+The Machine Config Operator (MCO) uses a boot image to bring up a {op-system-first} node. By default, {product-title} does not manage the boot image.
+
+This means that the boot image in your cluster is not updated along with your cluster. For example, if your cluster was originally created with {product-title} 4.12, the boot image that the cluster uses to create nodes is the same 4.12 version, even if your cluster is at a later version. If the cluster is later upgraded to 4.13 or later, new nodes continue to scale with the same 4.12 image.
+
+This process could cause the following issues:
+
+* Extra time to start up nodes
+* Certificate expiration issues
+* Version skew issues
+
+To avoid these issues, you can configure your cluster to update the boot image whenever you update your cluster. By modifying the `MachineConfiguration` object, you can enable this feature. Currently, the ability to update the boot image is available for only Google Cloud Platform (GCP) clusters and is not supported for {cluster-capi-operator} managed clusters.
+
+:FeatureName: The updating boot image feature
+include::snippets/technology-preview.adoc[]
+
+To view the current boot image used in your cluster, examine a machine set:
+
+.Example machine set with the boot image reference
+
+[source,yaml]
+----
+apiVersion: machine.openshift.io/v1beta1
+kind: MachineSet
+metadata:
+  name: ci-ln-hmy310k-72292-5f87z-worker-a
+  namespace: openshift-machine-api
+spec:
+# ...
+  template:
+# ...
+    spec:
+# ...
+      providerSpec:
+# ...
+        value:
+          disks:
+          - autoDelete: true
+            boot: true
+            image: projects/rhcos-cloud/global/images/rhcos-412-85-202203181601-0-gcp-x86-64 <1>
+# ...
+----
+<1> This boot image is the same as the originally-installed {product-title} version, in this example {product-title} 4.12, regardless of the current version of the cluster. The way that the boot image is represented in the machine set depends on the platform, as the structure of the `providerSpec` field differs from platform to platform.
+
+If you configure your cluster to update your boot images, the boot image referenced in your machine sets matches the current version of the cluster.
+
+.Prerequisites
+
+* You have enabled the `TechPreviewNoUpgrade` feature set by using the feature gates. For more information, see "Enabling features using feature gates" in the "Additional resources"  section.
+
+.Procedure
+
+. Edit the `MachineConfiguration` object, named `cluster`, to enable the updating of boot images by running the following command:
++
+[source,terminal]
+----
+$ oc edit MachineConfiguration cluster
+----
+
+.. Optional: Configure the boot image update feature for all the machine sets:
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1
+kind: MachineConfiguration
+metadata:
+  name: cluster
+  namespace: openshift-machine-config-operator
+spec:
+# ...
+  managedBootImages: <1>
+    machineManagers:
+    - resource: machinesets
+      apiGroup: machine.openshift.io
+      selection:
+        mode: All <2>
+----
+<1> Activates the boot image update feature.
+<2> Specifies that all the machine sets in the cluster are to be updated.
+
+.. Optional: Configure the boot image update feature for specific machine sets:
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1
+kind: MachineConfiguration
+metadata:
+  name: cluster
+  namespace: openshift-machine-config-operator
+spec:
+# ...
+  managedBootImages: <1>
+    machineManagers:
+    - resource: machinesets
+      apiGroup: machine.openshift.io
+      selection:
+        mode: Partial
+          partial:
+            machineResourceSelector:
+              matchLabels:
+                update-boot-image: "true" <2>
+----
+<1> Activates the boot image update feature.
+<2> Specifies that any machine set with this label is to be updated.
++
+[TIP]
+====
+If an appropriate label is not present on the machine set, add a key/value pair by running a command similar to following:
+
+----
+$ oc label machineset.machine ci-ln-hmy310k-72292-5f87z-worker-a update-boot-image=true -n openshift-machine-api
+----
+====
+
+.Verification
+
+. Get the boot image version by running the following command:
++
+[source,terminal]
+----
+$ oc get machinesets <machineset_name> -n openshift-machine-api -o yaml
+----
++
+.Example machine set with the boot image reference
++
+[source,yaml]
+----
+apiVersion: machine.openshift.io/v1beta1
+kind: MachineSet
+metadata:
+  labels:
+    machine.openshift.io/cluster-api-cluster: ci-ln-77hmkpt-72292-d4pxp
+    update-boot-image: "true"
+  name: ci-ln-77hmkpt-72292-d4pxp-worker-a
+  namespace: openshift-machine-api
+spec:
+# ...
+  template:
+# ...
+    spec:
+# ...
+      providerSpec:
+# ...
+        value:
+          disks:
+          - autoDelete: true
+            boot: true
+            image: projects/rhcos-cloud/global/images/rhcos-416-92-202402201450-0-gcp-x86-64 <1>
+# ...
+----
+<1> This boot image is the same as the current {product-title} version.
diff --git a/modules/microshift-adding-service-to-blueprint.adoc b/modules/microshift-adding-service-to-blueprint.adoc
index 96deaa63dd42..1b35bec459dc 100644
--- a/modules/microshift-adding-service-to-blueprint.adoc
+++ b/modules/microshift-adding-service-to-blueprint.adoc
@@ -48,7 +48,7 @@ EOF
 +
 [NOTE]
 ====
-The wildcard `*` in the commands uses the latest {microshift-short} RPMs. If you need a specific version, substitute the wildcard for the version you want. For example, insert `4.15.0` to download the {microshift-short} 4.15.0 RPMs.
+The wildcard `*` in the commands uses the latest {microshift-short} RPMs. If you need a specific version, substitute the wildcard for the version you want. For example, insert `4.16.0` to download the {microshift-short} 4.16.0 RPMs.
 ====
 
 . Optional. Use the blueprint installed in the `/usr/share/microshift/blueprint` directory that is specific to your platform architecture. See the following example snippet for an explanation of the blueprint sections:
@@ -58,14 +58,14 @@ The wildcard `*` in the commands uses the latest {microshift-short} RPMs. If you
 [source,text]
 ----
 name = "microshift_blueprint"
-description = "MicroShift 4.15.1 on x86_64 platform"
+description = "MicroShift 4.16.1 on x86_64 platform"
 version = "0.0.1"
 modules = []
 groups = []
 
 [[packages]] <1>
 name = "microshift"
-version = "4.15.1"
+version = "4.16.1"
 ...
 ...
 
@@ -115,11 +115,11 @@ $ sudo composer-cli blueprints depsolve __<microshift_blueprint>__ | grep micros
 [source,terminal]
 ----
 blueprint: microshift_blueprint v0.0.1
-    microshift-greenboot-4.15.1-202305250827.p0.g4105d3b.assembly.4.15.1.el9.noarch
-    microshift-networking-4.15.1-202305250827.p0.g4105d3b.assembly.4.15.1.el9.x86_64
-    microshift-release-info-4.15.1-202305250827.p0.g4105d3b.assembly.4.15.1.el9.noarch
-    microshift-4.15.1-202305250827.p0.g4105d3b.assembly.4.15.1.el9.x86_64
-    microshift-selinux-4.15.1-202305250827.p0.g4105d3b.assembly.4.15.1.el9.noarch
+    microshift-greenboot-4.16.1-202305250827.p0.g4105d3b.assembly.4.16.1.el9.noarch
+    microshift-networking-4.16.1-202305250827.p0.g4105d3b.assembly.4.16.1.el9.x86_64
+    microshift-release-info-4.16.1-202305250827.p0.g4105d3b.assembly.4.16.1.el9.noarch
+    microshift-4.16.1-202305250827.p0.g4105d3b.assembly.4.16.1.el9.x86_64
+    microshift-selinux-4.16.1-202305250827.p0.g4105d3b.assembly.4.16.1.el9.noarch
 ----
 //need updated example output
 . Optional: Verify the Image Builder configuration listing all components to be installed by running the following command:
diff --git a/modules/microshift-audit-logs-config-intro.adoc b/modules/microshift-audit-logs-config-intro.adoc
index 1a62eda02ee5..c5a70512898c 100644
--- a/modules/microshift-audit-logs-config-intro.adoc
+++ b/modules/microshift-audit-logs-config-intro.adoc
@@ -20,11 +20,18 @@ You can set fields in combination to define a maximum storage limit for retained
 
 {microshift-short} includes the following default audit log rotation values:
 
-* `maxFileSize`: 200Mb
-* `maxFiles`: 10 files
-* `maxFileAge`: 0, This value means that no default age limit is set.
-* `profile`: Default, This profile logs only metadata for read and write requests.
+.{microshift-short} default audit log values
+[cols="20%,20%,50%",options="header"]
+|===
 
-The maximum default storage usage for audit log retention is 2000Mb, provided that there are 10 or fewer files.
+|Audit log parameter|Default setting|Definition
+|`maxFileAge`:|`0`|How long log files are retained before automatic deletion. The default value means that a log file is never deleted based on age. This value can be configured.
+|`maxFiles`:|`10`|The total number of log files retained. By default, {microshift-short} retains 10 log files. The oldest is deleted when an excess file is created. This value can be configured.
+|`maxFileSize`:|`200`|By default, when the `audit.log` file reaches the `maxFileSize` limit, the `audit.log` file is rotated and {microshift-short} begins writing to a new `audit.log` file. This value is in megabytes and can be configured.
+|`profile`:|`Default`|The `Default` profile setting only logs metadata for read and write requests; request bodies are not logged except for OAuth access token requests. If you do not specify this field, the `Default` profile is used.
+
+|===
+
+The maximum default storage usage for audit log retention is 2000Mb if there are 10 or fewer files.
 
 If you do not specify a value for a field, the default value is used. If you remove a previously set field value, the default value is restored after the next {microshift-short} service restart.
diff --git a/modules/microshift-audit-logs-config-proc.adoc b/modules/microshift-audit-logs-config-proc.adoc
index 709a3216a6ce..eac1a949686b 100644
--- a/modules/microshift-audit-logs-config-proc.adoc
+++ b/modules/microshift-audit-logs-config-proc.adoc
@@ -20,16 +20,16 @@ You can configure audit log settings by using the {microshift-short} service con
 apiServer:
 # ....
   auditLog:
-    maxFileSize: 200 # <1>
-    maxFiles: 1 # <2>
-    maxFileAge: 7 # <3>
+    maxFileAge: 7 # <1>
+    maxFileSize: 200 # <2>
+    maxFiles: 1 # <3>
     profile: Default # <4>
 # ....
 ----
-<1> The maximum audit log file size in megabytes. If the value is 0, the limit is disabled.  In this example, the file is rotated as soon as the live log reaches the 200 MB limit.
-<2> The maximum number of rotated audit log files retained. After the limit is reached, the log files in order from oldest to newest are deleted. When the value is 0, the limit is disabled. In this example, the value `1` results in only 1 file of size `maxFileSize` being retained in addition to the current active log.
-<3> Specifies the maximum time in days that log files are kept. Files older than this limit are deleted. If the value is 0, the limit is disabled. In this example, after a log file is more than 7 days old, it is deleted. The files are deleted regardless of whether or not the live log has reached the maximum file size specified in the `maxFileSize` field. File age is determined by the timestamp written in the name of the rotated log file, for example, `audit-2024-05-16T17-03-59.994.log`.
-<4> Logs only metadata for read and write requests; does not log request bodies except for OAuth access token requests. If you do not specify this field, the Default profile is used.
+<1> Specifies the maximum time in days that log files are kept. Files older than this limit are deleted. In this example, after a log file is more than 7 days old, it is deleted. The files are deleted regardless of whether or not the live log has reached the maximum file size specified in the `maxFileSize` field. File age is determined by the timestamp written in the name of the rotated log file, for example, `audit-2024-05-16T17-03-59.994.log`. When the value is `0`, the limit is disabled.
+<2> The maximum audit log file size in megabytes. In this example, the file is rotated as soon as the live log reaches the 200 MB limit. When the value is set to `0`, the limit is disabled.
+<3> The maximum number of rotated audit log files retained. After the limit is reached, the log files are deleted in order from oldest to newest. In this example, the value `1` results in only 1 file of size `maxFileSize` being retained in addition to the current active log. When the value is set to `0`, the limit is disabled.
+<4> Logs only metadata for read and write requests; does not log request bodies except for OAuth access token requests. If you do not specify this field, the `Default` profile is used.
 
 . Optional: To specify a new directory for logs, you can stop {microshift-short}, and then move the `/var/log/kube-apiserver` directory to your desired location:
 
diff --git a/modules/microshift-check-cluster-status.adoc b/modules/microshift-check-cluster-status.adoc
index 7c42fc63d6d2..530bf0fe6543 100644
--- a/modules/microshift-check-cluster-status.adoc
+++ b/modules/microshift-check-cluster-status.adoc
@@ -6,33 +6,50 @@
 [id="microshift-check-cluster-status_{context}"]
 = Checking the status of a cluster
 
-You can check the status of a {microshift-short} cluster or see active pods by running a simple command. Given in the following procedure are three commands you can use to check cluster status. You can choose to run one, two, or all commands to help you retrieve the information you need to troubleshoot the cluster.
+You can check the status of a {microshift-short} cluster or see active pods. Given in the following procedure are three different commands you can use to check cluster status. You can choose to run one, two, or all commands to help you get the information you need to troubleshoot the cluster.
 
 .Procedure
-* You can check the system status, which returns the cluster status, by running the following command:
+* Check the system status, which returns the cluster status, by running the following command:
 +
 [source,terminal]
 ----
 $ sudo systemctl status microshift
 ----
 +
-If {microshift-short} is failing to start, this command returns the logs from the previous run.
+If {microshift-short} fails to start, this command returns the logs from the previous run.
++
+.Example healthy output
+[source,text]
+----
+● microshift.service - MicroShift
+     Loaded: loaded (/usr/lib/systemd/system/microshift.service; enabled; preset: disabled)
+     Active: active (running) since <day> <date> 12:39:06 UTC; 47min ago
+   Main PID: 20926 (microshift)
+      Tasks: 14 (limit: 48063)
+     Memory: 542.9M
+        CPU: 2min 41.185s
+     CGroup: /system.slice/microshift.service
+             └─20926 microshift run
+
+<Month-Day> 13:23:06 i-06166fbb376f14a8b.<hostname> microshift[20926]: kube-apiserver I0528 13:23:06.876001   20926 controll>
+<Month-Day> 13:23:06 i-06166fbb376f14a8b.<hostname> microshift[20926]: kube-apiserver I0528 13:23:06.876574   20926 controll>
+# ...
+----
 
-* Optional: You can view the logs by running the following command:
+* Optional: Get comprehensive logs by running the following command:
 +
 [source,terminal]
 ----
 $ sudo journalctl -u microshift
 ----
-
++
 [NOTE]
 ====
 The default configuration of the `systemd` journal service stores data in a volatile directory. To persist system logs across system starts and restarts, enable log persistence and set limits on the maximum journal data size.
 ====
 
-* Optional: If {microshift-short} is running, you can see active pods by entering the following command:
+* Optional: If {microshift-short} is running, check the status of active pods by entering the following command:
 +
-[source,terminal]
-----
-$ oc get pods -A
-----
\ No newline at end of file
+--
+include::snippets/microshift-healthy-pods-snip.adoc[leveloffset=+1]
+--
\ No newline at end of file
diff --git a/modules/microshift-check-journal-logs-updates.adoc b/modules/microshift-check-journal-logs-updates.adoc
index 79d18535a285..8c2ce8c62dbb 100644
--- a/modules/microshift-check-journal-logs-updates.adoc
+++ b/modules/microshift-check-journal-logs-updates.adoc
@@ -15,7 +15,7 @@ The default configuration of the `systemd` journal service stores data in a vola
 
 .Procedure
 
-* Check the {microshift-short} journal logs by running the following command:
+* Get comprehensive {microshift-short} journal logs by running the following command:
 +
 [source,terminal]
 ----
@@ -29,25 +29,36 @@ $ sudo journalctl -u microshift
 $ sudo journalctl -u greenboot-healthcheck
 ----
 
-* Check the journal logs for a boot of a specific service by running the following command:
+* Examining the comprehensive logs of a specific boot uses three steps. First list the boots, then select the one you want from the list you obtained:
+
+** List the boots present in the journal logs by running the following command:
 +
 [source,terminal]
 ----
-$ sudo journalctl --boot <boot> -u <service-name>
+$ sudo journalctl --list-boots
+----
++
+.Example output
+[source,text]
+----
+IDX  BOOT ID                          	FIRST ENTRY                 LAST ENTRY
+ 0   681ece6f5c3047e183e9d43268c5527f 	<Day> <Date> 12:27:58 UTC 	<Day> <Date>> 13:39:41 UTC
+#....
 ----
 
-* Examining the comprehensive logs of a specific boot uses two steps. First list the boots, then select the one you want from the list you obtained:
-
-** List the boots present in the journal logs by running the following command:
+** Check the journal logs for the specific boot you want by running the following command:
 +
 [source,terminal]
 ----
-$ sudo journalctl --list-boots
+$ sudo journalctl --boot <-my_boot_ID> <1>
 ----
+<1> Replace _<-my-boot-ID>_ with the number assigned to the specific boot that you want to check.
 
-** Check the journal logs for the boot you want by running the following command:
+** Check the journal logs for the boot of a specific service by running the following command:
 +
 [source,terminal]
 ----
-$ sudo journalctl --boot <-my-boot-number>
+$ sudo journalctl --boot <-my_boot_ID> -u <service_name> <1> <2>
 ----
+<1> Replace _<-my-boot-ID>_ with the number assigned to the specific boot that you want to check.
+<2> Replace _<service_name>_ with the name of the service that you want to check.
\ No newline at end of file
diff --git a/modules/microshift-cni-customization-matrix.adoc b/modules/microshift-cni-customization-matrix.adoc
index 22608bb7ea19..f6c977cd8e61 100644
--- a/modules/microshift-cni-customization-matrix.adoc
+++ b/modules/microshift-cni-customization-matrix.adoc
@@ -1,14 +1,14 @@
 
 :_mod-docs-content-type: REFERENCE
 [id="microshift-nw-customization-matrix_{context}"]
-= {microshift-short} networking customization matrix
+= {microshift-short} networking configuration matrix
 
 The following table summarizes the status of networking features and capabilities that are either present as defaults, supported for configuration, or not available with the {microshift-short} service:
 
-.{microshift-short} networking capabilities and customization status
+.{microshift-short} networking features and capabilities overview
 [cols="50%,20%,30%",options="header"]
 |===
-|Network feature|Availability|Customization supported
+|Network capability|Availability|Configuration supported
 
 |Advertise address|Yes|Yes ^[1]^
 
@@ -39,10 +39,15 @@ The following table summarizes the status of networking features and capabilitie
 |IPsec encryption for intra-cluster communication|Not available|N/A
 
 |IPv6|Not available ^[5]^|N/A
+
+|Ingress router|Yes|Yes ^[6]^
+
+|Multiple networks plug-in|Yes|Yes
 |===
 
 1. If unset, the default value is set to the next immediate subnet after the service network. For example, when the service network is `10.43.0.0/16`, the `advertiseAddress` is set to `10.44.0.0/32`.
 2. You can use the multicast DNS protocol (mDNS) to allow name resolution and service discovery within a Local Area Network (LAN) using multicast exposed on the `5353/UDP` port.
 3. There is no built-in transparent proxying of egress traffic in {microshift-short}. Egress must be manually configured.
 4. Setting up the firewalld service is supported by {op-system-ostree}.
-5. IPv6 is not available in any configuration.
+5. IPv6 is not supported. IPv6 can only be used by connecting to other networks with the {microshift-short} Multus CNI plugin.
+6. Configure by using the {microshift-short} `config.yaml` file.
\ No newline at end of file
diff --git a/modules/microshift-config-etcd.adoc b/modules/microshift-config-etcd.adoc
index 8aa0d43226c9..6d10b4f70920 100644
--- a/modules/microshift-config-etcd.adoc
+++ b/modules/microshift-config-etcd.adoc
@@ -6,7 +6,7 @@
 [id="microshift-config-etcd_{context}"]
 = Configuring the memoryLimitMB value to set parameters for the etcd server
 
-By default, etcd will use as much memory as necessary to handle the load on the system. In some memory constrained systems, it might be necessary to limit the amount of memory etcd is allowed to use at a given time.
+By default, etcd uses as much memory as necessary to handle the load on the system. In memory-constrained systems, you might need to limit the amount of memory etcd uses.
 
 .Procedure
 
@@ -20,7 +20,7 @@ etcd:
 +
 [NOTE]
 ====
-The minimum permissible value for `memoryLimitMB` on {microshift-short} is 128 MB. Values close to the minimum value are more likely to impact etcd performance. The lower the limit, the longer etcd takes to respond to queries. If the limit is too low or the etcd usage is high, queries time out.
+The minimum required value for `memoryLimitMB` on {microshift-short} is 128 MB. Values close to the minimum value are more likely to impact etcd performance. The lower the limit, the longer etcd takes to respond to queries. If the limit is too low or the etcd usage is high, queries time out.
 ====
 
 .Verification
diff --git a/modules/microshift-custom-ca-cert-cleaning.adoc b/modules/microshift-custom-ca-cert-cleaning.adoc
new file mode 100644
index 000000000000..62bca2705060
--- /dev/null
+++ b/modules/microshift-custom-ca-cert-cleaning.adoc
@@ -0,0 +1,34 @@
+// Module included in the following assemblies:
+//
+// * microshift_security_compliance/microshift-custom-ca.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="microshift-custom-ca-certificates-cleaning_{context}"]
+= Cleaning up and recreating the custom certificates
+
+To stop the {microshift-short} services, clean up the custom certificates and recreate the custom certificates, use the following steps.
+
+.Procedure
+
+. Stop the {microshift-short} services and clean up the custom certificates by running the following command:
++
+[source,terminal]
+----
+$ sudo microshift-cleanup-data --cert
+----
++
+.Example output
+[source,terminal]
+----
+Stopping MicroShift services
+Removing MicroShift certificates
+MicroShift service was stopped
+Cleanup succeeded
+----
+
+. Restart the {microshift-short} services to recreate the custom certificates by running the following command:
++
+[source,terminal]
+----
+$ sudo systemctl start microshift
+----
diff --git a/modules/microshift-custom-ca-con.adoc b/modules/microshift-custom-ca-con.adoc
index 2975d3e3c381..d4b850f30a1c 100644
--- a/modules/microshift-custom-ca-con.adoc
+++ b/modules/microshift-custom-ca-con.adoc
@@ -41,5 +41,5 @@ If any validation fails, the {microshift-short} service skips the custom configu
 
 [IMPORTANT]
 ====
-Custom server certificates have to be validated against CA data configured in the trust root of the host operating system.
+Custom server certificates have to be validated against CA data configured in the trust root of the host operating system. For information, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/securing_networks/using-shared-system-certificates_securing-networks#the-system-wide-trust-store_using-shared-system-certificates[The system-wide truststore].
 ====
diff --git a/modules/microshift-default-settings.adoc b/modules/microshift-default-settings.adoc
index 608e66c7e83d..c05a404d01d8 100644
--- a/modules/microshift-default-settings.adoc
+++ b/modules/microshift-default-settings.adoc
@@ -21,32 +21,32 @@ $ microshift show-config
 apiServer:
   advertiseAddress: 10.44.0.0/32 # <1>
   auditLog:
-    maxFileAge: 10
-    maxFileSize: 200
-    maxFiles: 10
-    profile: Default
+    maxFileAge: 0 # <2>
+    maxFileSize: 200 # <3>
+    maxFiles: 10 # <4>
+    profile: Default # <5>
   namedCertificates:
     - certPath: ""
       keyPath: ""
       names:
         - ""
-  subjectAltNames: [] # <2>
+  subjectAltNames: [] # <6>
 debugging:
-  logLevel: "Normal" # <3>
+  logLevel: "Normal" # <7>
 dns:
-  baseDomain: microshift.example.com <4>
+  baseDomain: microshift.example.com # <8>
 etcd:
-  memoryLimitMB: 0 # <5>
+  memoryLimitMB: 0 # <9>
 ingress:
   listenAddress:
-    - ""
-  ports:
+    - "" # <10>
+  ports: # <11>
     http: 80
     https: 443
   routeAdmissionPolicy:
-    namespaceOwnership: InterNamespaceAllowed # <6>
-  status: Managed # <7>
-manifests: # <8>
+    namespaceOwnership: InterNamespaceAllowed # <12>
+  status: Managed # <13>
+manifests: # <14>
   kustomizePaths:
     - /usr/lib/microshift/manifests
     - /usr/lib/microshift/manifests.d/*
@@ -54,24 +54,30 @@ manifests: # <8>
     - /etc/microshift/manifests.d/*
 network:
   clusterNetwork:
-    - 10.42.0.0/16 # <9>
+    - 10.42.0.0/16 # <15>
   serviceNetwork:
-    - 10.43.0.0/16 # <10>
-  serviceNodePortRange: 30000-32767 # <11>
+    - 10.43.0.0/16 # <16>
+  serviceNodePortRange: 30000-32767 # <17>
 node:
-  hostnameOverride: "" # <12>
-  nodeIP: "" # <13>
+  hostnameOverride: "" # <18>
+  nodeIP: "" # <19>
 ----
 <1> A string that specifies the IP address from which the API server is advertised to members of the cluster. The default value is calculated based on the address of the service network.
-<2> Subject Alternative Names for API server certificates.
-<3> Log verbosity. Valid values for this field are `Normal`, `Debug`, `Trace`, or `TraceAll`.
-<4> By default, `etcd` uses as much memory as needed to handle the load on the system. However, in memory constrained systems, it might be preferred or necessary to limit the amount of memory `etcd` can to use at a given time.
-<5> Base domain of the cluster. All managed DNS records are subdomains of this base.
-<6> Describes how host name claims across namespaces are handled. By default, allows routes to claim different paths of the same host name across namespaces. Can also be set as `Strict` to not allow routes in different namespaces to claim the same host. If the value is deleted and a new one is not added, `InterNamespaceAllowed` is automatically set.
-<7> Default router status, can be `Managed` or `Removed`.
-<8> The locations on the filesystem to scan for `kustomization` files to use to load manifests. Set to a list of paths to scan only those paths. Set to an empty list to disable loading manifests. The entries in the list can be glob patterns to match multiple subdirectories.
-<9> A block of IP addresses from which Pod IP addresses are allocated. This field is immutable after installation.
-<10> A block of virtual IP addresses for Kubernetes services. IP address pool for services. A single entry is supported. This field is immutable after installation.
-<11> The port range allowed for Kubernetes services of type NodePort. If not specified, the default range of 30000-32767 is used. Services without a `NodePort` specified are automatically allocated one from this range. This parameter can be updated after the cluster is installed.
-<12> The name of the node. The default value is the hostname. If non-empty, this string is used to identify the node instead of the hostname.
-<13> The IP address of the node. The default value is the IP address of the default route.
+<2> How long log files are kept before automatic deletion. The default value of `0` in the `maxFileAge` parameter means a log file is never deleted based on age. This value can be configured.
+<3> By default, when the `audit.log` file reaches the `maxFileSize` limit, the `audit.log` file is rotated and {microshift-short} begins writing to a new `audit.log` file. This value can be configured.
+<4> The total number of log files kept. By default, {microshift-short} retains 10 log files. The oldest is deleted when an excess file is created. This value can be configured.
+<5> Logs only metadata for read and write requests; does not log request bodies except for OAuth access token requests. If you do not specify this field, the `Default` profile is used.
+<6> Subject Alternative Names for API server certificates.
+<7> Log verbosity. Valid values for this field are `Normal`, `Debug`, `Trace`, or `TraceAll`.
+<8> By default, `etcd` uses as much memory as needed to handle the load on the system. However, in memory constrained systems, it might be preferred or necessary to limit the amount of memory `etcd` can to use at a given time.
+<9> Base domain of the cluster. All managed DNS records are subdomains of this base.
+<10> The `ingress.listenAddress` value defaults to the entire network of the host. The valid configurable value is a list that can be either a single IP address or NIC name or multiple IP addresses and NIC names.
+<11> Default ports shown. Configurable. Valid values for both port entries are a single, unique port in the 1-65535 range. The values of the `ports.http` and `ports.https` fields cannot be the same.
+<12> Describes how hostname claims across namespaces are handled. By default, allows routes to claim different paths of the same hostname across namespaces. Valid values are `Strict` and `InterNamespaceAllowed`. Specifying `Strict` prevents routes in different namespaces from claiming the same hostname. If the value is deleted in a customized {microshift-short} `config.yaml`, the `InterNamespaceAllowed` value is automatically set.
+<13> Default router status, can be `Managed` or `Removed`.
+<14> The locations on the file system to scan for `kustomization` files to use to load manifests. Set to a list of paths to scan only those paths. Set to an empty list to disable loading manifests. The entries in the list can be glob patterns to match multiple subdirectories.
+<15> A block of IP addresses from which pod IP addresses are allocated. This field is immutable after installation.
+<16> A block of virtual IP addresses for Kubernetes services. IP address pool for services. A single entry is supported. This field is immutable after installation.
+<17> The port range allowed for Kubernetes services of type `NodePort`. If not specified, the default range of 30000-32767 is used. Services without a `NodePort` specified are automatically allocated one from this range. This parameter can be updated after the cluster is installed.
+<18> The name of the node. The default value is the hostname. If non-empty, this string is used to identify the node instead of the hostname.
+<19> The IP address of the node. The default value is the IP address of the default route.
diff --git a/modules/microshift-deploying-a-load-balancer.adoc b/modules/microshift-deploying-a-load-balancer.adoc
index f054c26af4e9..4779a68b6ef1 100644
--- a/modules/microshift-deploying-a-load-balancer.adoc
+++ b/modules/microshift-deploying-a-load-balancer.adoc
@@ -4,43 +4,65 @@
 
 :_mod-docs-content-type: PROCEDURE
 [id="microshift-deploying-a-load-balancer_{context}"]
-= Deploying a load balancer for a workload
+= Deploying a load balancer for an application
 
-{microshift-short} has a built-in implementation of network load balancers. The following example procedure uses the node IP address as the external IP address for the `LoadBalancer` service configuration file. You can use this example as guidance for how to deploy load balancers for your workloads.
+The following example procedure uses the node IP address as the external IP address for the `LoadBalancer` service configuration file. Use this example as guidance for how to deploy load balancers.
 
 .Prerequisites
 
 * The OpenShift CLI (`oc`) is installed.
-* You have access to the cluster as a user with the cluster administration role.
 * You installed a cluster on an infrastructure configured with the OVN-Kubernetes network plugin.
 * The `KUBECONFIG` environment variable is set.
 
 .Procedure
 
-. Verify that your pods are running by running the following command:
+. Verify that your pods are running by entering the following command:
 +
 [source,terminal]
 ----
 $ oc get pods -A
 ----
++
+.Example output
+[source,terminal]
+----
+NAMESPACE                            NAME                                                     READY   STATUS   RESTARTS  AGE
+default                              i-06166fbb376f14a8bus-west-2computeinternal-debug-qtwcr  1/1     Running	   0		   46m
+kube-system                          csi-snapshot-controller-5c6586d546-lprv4                 1/1     Running	   0		   51m
+kube-system                          csi-snapshot-webhook-6bf8ddc7f5-kz6k9                    1/1     Running	   0		   51m
+openshift-dns                        dns-default-45jl7                                        2/2     Running	   0		   50m
+openshift-dns                        node-resolver-7wmzf                                      1/1     Running	   0		   51m
+openshift-ingress                    router-default-78b86fbf9d-qvj9s                          1/1     Running 	 0		   51m
+openshift-multus                     dhcp-daemon-j7qnf                                        1/1     Running    0		   51m
+openshift-multus                     multus-r758z                                             1/1     Running    0		   51m
+openshift-operator-lifecycle-manager catalog-operator-85fb86fcb9-t6zm7                        1/1     Running    0		   51m
+openshift-operator-lifecycle-manager olm-operator-87656d995-fvz84                             1/1     Running    0		   51m
+openshift-ovn-kubernetes             ovnkube-master-5rfhh                                     4/4     Running    0		   51m
+openshift-ovn-kubernetes             ovnkube-node-gcnt6                                       1/1     Running    0		   51m
+openshift-service-ca                 service-ca-bf5b7c9f8-pn6rk                               1/1     Running    0		   51m
+openshift-storage                    topolvm-controller-549f7fbdd5-7vrmv                      5/5     Running    0		   51m
+openshift-storage                    topolvm-node-rht2m                                       3/3     Running    0		   50m
+----
 
-. Create the example namespace by running the following commands:
+. Create a namespace by running the following commands:
 +
 [source,terminal]
 ----
-$ NAMESPACE=nginx-lb-test
+$ NAMESPACE=<nginx-lb-test> <1>
 ----
+<1> Replace _<nginx-lb-test> with the application namespace that you want to create.
 +
 [source,terminal]
 ----
 $ oc create ns $NAMESPACE
 ----
-
-. The following example deploys three replicas of the test `nginx` application in your namespace:
++
+.Example namespace
+The following example deploys three replicas of the test `nginx` application in the created namespace:
 +
 [source,terminal]
 ----
-$ oc apply -n $NAMESPACE -f - <<EOF
+oc apply -n $NAMESPACE -f - <<EOF
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -97,11 +119,11 @@ EOF
 $ oc get pods -n $NAMESPACE
 ----
 
-. Create a `LoadBalancer` service for the `nginx` test application with the following sample commands:
+. Create a `LoadBalancer` service for the `nginx` test application by running the following command:
 +
 [source,terminal]
 ----
-$ oc create -n $NAMESPACE -f - <<EOF
+oc create -n $NAMESPACE -f - <<EOF
 apiVersion: v1
 kind: Service
 metadata:
@@ -118,7 +140,7 @@ EOF
 +
 [NOTE]
 ====
-You must ensure that the `port` parameter is a host port that is not occupied by other `LoadBalancer` services or {product-title} components.
+You must ensure that the `port` parameter is a host port that is not occupied by other `LoadBalancer` services or {microshift-short} components.
 ====
 
 . Verify that the service file exists, that the external IP address is properly assigned, and that the external IP is identical to the node IP by running the following command:
@@ -137,7 +159,9 @@ nginx   LoadBalancer   10.43.183.104   192.168.1.241   81:32434/TCP   2m
 
 .Verification
 
-* The following command forms five connections to the example `nginx` application using the external IP address of the `LoadBalancer` service configuration. The result of the command is a list of those server IP addresses. Verify that the load balancer sends requests to all the running applications with the following command:
+The following command forms five connections to the example `nginx` application using the external IP address of the `LoadBalancer` service configuration. The result of the command is a list of those server IP addresses.
+
+* Verify that the load balancer sends requests to all the running applications by running the following command:
 +
 [source,terminal]
 ----
@@ -145,7 +169,7 @@ EXTERNAL_IP=192.168.1.241
 seq 5 | xargs -Iz curl -s -I http://$EXTERNAL_IP:81 | grep X-Server-IP
 ----
 +
-The output of the previous command contains different IP addresses if the load balancer is successfully distributing the traffic to the applications, for example:
+The output of the previous command contains different IP addresses if the `LoadBalancer` service is successfully distributing the traffic to the applications, for example:
 +
 .Example output
 [source,terminal]
diff --git a/modules/microshift-embed-microshift-image-offline-deploy.adoc b/modules/microshift-embed-microshift-image-offline-deploy.adoc
index 33ca895a6227..0fb5ec30dcb7 100644
--- a/modules/microshift-embed-microshift-image-offline-deploy.adoc
+++ b/modules/microshift-embed-microshift-image-offline-deploy.adoc
@@ -28,7 +28,7 @@ You can use Image Builder to create `rpm-ostree` system images with embedded {mi
 ----
 $ sudo dnf install -y microshift-release-info-<release_version>
 ----
-Replace `<release_version>` with the numerical value of the release you are deploying, using the entire version number, such as `4.15.0`.
+Replace `<release_version>` with the numerical value of the release you are deploying, using the entire version number, such as `4.16.0`.
 
 .. List the contents of the `/usr/share/microshift/release` directory to verify the presence of the release information files by running the following command:
 +
@@ -54,14 +54,14 @@ If you installed the `microshift-release-info` RPM, you can proceed to step 4.
 ----
 $ sudo dnf download microshift-release-info-<release_version>
 ----
-Replace `<release_version>` with the numerical value of the release you are deploying, using the entire version number, such as `4.15.0`.
+Replace `<release_version>` with the numerical value of the release you are deploying, using the entire version number, such as `4.16.0`.
 +
 .Example rpm
 [source,terminal]
 ----
-microshift-release-info-4.15.0.*.el9.noarch.rpm <1>
+microshift-release-info-4.16.0.*.el9.noarch.rpm <1>
 ----
-<1> The `*` represents the date and commit ID. Your output should contain both, for example `-202311101230.p0.g7dc6a00.assembly.4.15.0`.
+<1> The `*` represents the date and commit ID. Your output should contain both, for example `-202311101230.p0.g7dc6a00.assembly.4.16.0`.
 
 .. Unpack the RPM package without installing it by running the following command:
 +
diff --git a/modules/microshift-etcd-version.adoc b/modules/microshift-etcd-version.adoc
index 9e3f7aabd5d4..1c88e889ccb5 100644
--- a/modules/microshift-etcd-version.adoc
+++ b/modules/microshift-etcd-version.adoc
@@ -7,7 +7,7 @@
 [id="microshift-version-etcd_{context}"]
 = Checking the etcd version
 
-You can get the version information for the etcd database included with your {microshift-short}.
+You can get the version information for the etcd database included with your {microshift-short} by using one or both of the following methods, depending on the level of information that you need.
 
 .Procedure
 
@@ -21,8 +21,8 @@ $ microshift-etcd version
 .Example output
 [source,terminal,subs="attributes+"]
 ----
-microshift-etcd Version: 4.15.1
-Base etcd Version: 3.5.10
+microshift-etcd Version: 4.16.0
+Base etcd Version: 3.5.13
 ----
 
 * To display the full database version information, run the following command:
@@ -37,15 +37,15 @@ $ microshift-etcd version -o json
 ----
 {
   "major": "4",
-  "minor": "15",
-  "gitVersion": "4.15.1",
-  "gitCommit": "2e182312718cc9d267ec71f37dc2fbe2eed01ee2",
+  "minor": "16",
+  "gitVersion": "4.16.0~rc.1",
+  "gitCommit": "140777711962eb4e0b765c39dfd325fb0abb3622",
   "gitTreeState": "clean",
-  "buildDate": "2024-01-09T06:51:40Z",
-  "goVersion": "go1.20.10",
+  "buildDate": "2024-05-10T16:37:53Z",
+  "goVersion": "go1.21.9"
   "compiler": "gc",
   "platform": "linux/amd64",
   "patch": "",
-  "etcdVersion": "3.5.10"
+  "etcdVersion": "3.5.13"
 }
 ----
\ No newline at end of file
diff --git a/modules/microshift-exposed-audit-ports-hostnetwork.adoc b/modules/microshift-exposed-audit-ports-hostnetwork.adoc
index d0bc51d62b53..e498c0235548 100644
--- a/modules/microshift-exposed-audit-ports-hostnetwork.adoc
+++ b/modules/microshift-exposed-audit-ports-hostnetwork.adoc
@@ -5,11 +5,11 @@
 :_mod-docs-content-type: PROCEDURE
 [id="microshift-exposed-audit-ports-hostnetwork_{context}"]
 
-== hostNetwork
+= hostNetwork
 
 When a pod is configured with the `hostNetwork:true` setting, the pod is running in the host network namespace. This configuration can independently open host ports. {microshift-short} component logs cannot be used to track this case, the ports are subject to firewalld rules. If the port opens in firewalld, you can view the port opening in the firewalld debug log.
 
-.Prerequisites 
+.Prerequisites
 
 * You have root user access to your build host.
 
diff --git a/modules/microshift-exposed-audit-ports-hostport.adoc b/modules/microshift-exposed-audit-ports-hostport.adoc
index 34388bc3ecda..511524b86c29 100644
--- a/modules/microshift-exposed-audit-ports-hostport.adoc
+++ b/modules/microshift-exposed-audit-ports-hostport.adoc
@@ -4,13 +4,13 @@
 
 :_mod-docs-content-type: PROCEDURE
 [id="microshift-exposed-audit-ports-hostport_{context}"]
-== hostPort
+= hostPort
 
 You can access the hostPort setting logs in {microshift-short}. The following logs are examples for the hostPort setting:
 
 .Procedure
 
-* You can access the logs by running the following command: 
+* You can access the logs by running the following command:
 +
 [source,terminal]
 ----
diff --git a/modules/microshift-exposed-audit-ports-loadbalancer.adoc b/modules/microshift-exposed-audit-ports-loadbalancer.adoc
index 863fa7c4742e..0b6ac16ee51f 100644
--- a/modules/microshift-exposed-audit-ports-loadbalancer.adoc
+++ b/modules/microshift-exposed-audit-ports-loadbalancer.adoc
@@ -2,16 +2,16 @@
 //
 // * microshift_networking/microshift-networking-settings.adoc
 
-:_mod-docs-content-type: PROCEDURE 
+:_mod-docs-content-type: PROCEDURE
 [id="microshift-exposed-audit-ports-loadbalancer_{context}"]
 
-== NodePort and LoadBalancer service
+= NodePort and LoadBalancer services
 
 OVN-Kubernetes opens host ports for `NodePort` and `LoadBalancer` service types. These services add iptables rules that take the ingress traffic from the host port and forwards it to the clusterIP. Logs for the `NodePort` and `LoadBalancer` services are presented in the following examples:
 
-.Procedure 
+.Procedure
 
-. To access the name of your `ovnkube-master` pods, run the following command: 
+. To access the name of your `ovnkube-master` pods, run the following command:
 +
 [source,terminal]
 ----
diff --git a/modules/microshift-gitops-adding-apps.adoc b/modules/microshift-gitops-adding-apps.adoc
index 8952f8ca2a80..5bb75612e081 100644
--- a/modules/microshift-gitops-adding-apps.adoc
+++ b/modules/microshift-gitops-adding-apps.adoc
@@ -8,51 +8,15 @@
 
 You can create a custom YAML configuration to deploy and manage applications in your {microshift-short} service. To install the necessary packages to run GitOps applications, follow the documentation in "Installing the GitOps Argo CD manifests from an RPM package".
 
-.Prerequisites 
+.Prerequisites
 
-* You installed the `microshift-gitops` packages and the Argo CD pods are running in the `openshift-gitops` namespace.
+* You installed the `microshift-gitops` packages.
 
-.Procedure 
+* The Argo CD pods are running in the `openshift-gitops` namespace.
 
-. Create a YAML file and add your customized configurations for the application: 
-+
-.Example YAML for a `cert-manager` application
-[source,yaml]
-----
-kind: AppProject
-apiVersion: argoproj.io/v1alpha1
-metadata:
-  name: default
-  namespace: openshift-gitops
-spec:
-  clusterResourceWhitelist:
-  - group: '*'
-    kind: '*'
-  destinations:
-  - namespace: '*'
-    server: '*'
-  sourceRepos:
-  - '*'
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: cert-manager
-  namespace: openshift-gitops
-spec:
-  destination:
-    namespace: cert-manager
-    server: https://kubernetes.default.svc
-  project: default
-  source:
-    path: cert-manager
-    repoURL: https://github.com/anandf/microshift-install
-  syncPolicy:
-    automated: {}
-    syncOptions:
-    - CreateNamespace=true
-    - ServerSideApply=true
-----
+.Procedure
+
+. Create a YAML file and add your customized configurations for the application:
 +
 .Example YAML for a `spring-petclinic` application
 [source,yaml]
@@ -98,10 +62,11 @@ spec:
 +
 [source,terminal]
 ----
-$ oc apply -f <filename>.yaml
+$ oc apply -f <my-app>.yaml <1>
 ----
+<1> Replace _<my-app>_ with the name of your application YAML.
 
-.Verification 
+.Verification
 
 * To verify your application is deployed and synced, run the following command:
 +
@@ -111,10 +76,9 @@ $ oc get applications -A
 ----
 It might take a few minutes for the application to show the `Healthy` status.
 +
-.Example output 
+.Example output
 [source,terminal]
 ----
 NAMESPACE          NAME               SYNC STATUS   HEALTH STATUS
-openshift-gitops   cert-manager       Synced        Healthy
 openshift-gitops   spring-petclinic   Synced        Healthy
 ----
\ No newline at end of file
diff --git a/modules/microshift-multus-intro.adoc b/modules/microshift-multus-intro.adoc
index dec2bb19c95a..cc0843aa287e 100644
--- a/modules/microshift-multus-intro.adoc
+++ b/modules/microshift-multus-intro.adoc
@@ -28,7 +28,7 @@ Setting network policies for additional networks is not supported.
 [id="microshift-additional-network-use-cases_{context}"]
 == Use case: Additional networks for network isolation
 
-You can use an additional network in situations where network isolation is needed, including control plane and data plane separation. You can create additional interfaces for pods to connect to that network in addition to a default. For example, you can configure an additional interface if you want pods to access a network on the host and also communicate with devices deployed to the edge. These edge devices might be on an isolated operator network or are periodically disconnected.
+You can use an additional network in situations where network isolation is needed, including control plane and data plane separation. For example, you can configure an additional interface if you want pods to access a network on the host and also communicate with devices deployed to the edge. These edge devices might be on an isolated operator network or are periodically disconnected.
 
 Isolating network traffic is useful for the following performance and security reasons:
 
diff --git a/modules/microshift-nw-config-route-admission.adoc b/modules/microshift-nw-config-route-admission.adoc
new file mode 100644
index 000000000000..e2d3c5acbf7c
--- /dev/null
+++ b/modules/microshift-nw-config-route-admission.adoc
@@ -0,0 +1,41 @@
+// Module included in the following assemblies:
+//
+// * microshift_networking/microshift-nw-router.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="microshift-configuring-route-admission_{context}"]
+= Configuring the route admission policy
+
+By default, {microshift-short} allows routes in multiple namespaces to use the same hostname. You can prevent routes from claiming the same hostname in different namespaces by configuring the route admission policy.
+
+.Prerequisites
+
+* You installed {microshift-short}.
+* You created a {microshift-short} `config.yaml` file.
+* You installed the {oc-first}.
++
+[TIP]
+====
+If you complete all the configurations that you need to make in the {microshift-short} `config.yaml` file at the same time, you can minimize system restarts.
+====
+
+.Procedure
+
+. To prevent routes in different namespaces from claiming the same hostname, update the `namespaceOwnership` field value to `Strict` in the {microshift-short} `config.yaml` file. See the following example:
++
+.Example `config.yaml` route admission policy
+[source,yaml]
+----
+# ...
+ingress:
+  routeAdmissionPolicy:
+    namespaceOwnership: Strict <1>
+# ...
+----
+<1> Prevents routes in different namespaces from claiming the same host. Valid values are `Strict` and `InterNamespaceAllowed`. If you delete the value in a customized `config.yaml`, the `InterNamespaceAllowed` value is set automatically.
+. To apply the configuration, restart the {microshift-short} service by running the following command:
++
+[source,terminal]
+----
+$ sudo systemctl restart microshift
+----
\ No newline at end of file
diff --git a/modules/microshift-nw-enforcing-hsts-per-domain.adoc b/modules/microshift-nw-enforcing-hsts-per-domain.adoc
new file mode 100644
index 000000000000..9727bc215486
--- /dev/null
+++ b/modules/microshift-nw-enforcing-hsts-per-domain.adoc
@@ -0,0 +1,51 @@
+// Module included in the following assemblies:
+//
+// * microshift_networking/microshift-configuring-routes.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="microshift-nw-enforcing-hsts-per-domain_{context}"]
+= Enforcing HTTP Strict Transport Security per-domain
+
+You can configure a route with a compliant HSTS policy annotation. To handle upgraded clusters with non-compliant HSTS routes, you can update the manifests at the source and apply the updates.
+
+You cannot use `oc expose route` or `oc create route` commands to add a route in a domain that enforces HSTS because the API for these commands does not accept annotations.
+
+[IMPORTANT]
+====
+HSTS cannot be applied to insecure, or non-TLS, routes.
+====
+
+.Prerequisites
+* You have root access to the cluster.
+* You installed the {oc-first}.
+
+.Procedure
+
+* Apply HSTS to all routes in the cluster by running the following `oc annotate command`:
++
+[source,terminal]
+----
+$ oc annotate route --all --all-namespaces --overwrite=true "haproxy.router.openshift.io/hsts_header"="max-age=31536000;preload;includeSubDomains"
+----
++
+* Apply HSTS to all routes in a particular namespace by running the following `oc annotate command`:
++
+[source,terminal]
+----
+$ oc annotate route --all -n <my_namespace> --overwrite=true "haproxy.router.openshift.io/hsts_header"="max-age=31536000;preload;includeSubDomains" <1>
+----
+<1> Replace _<my_namespace> with the namespace you want to use.
+
+.Verification
+* Review the HSTS annotations on all routes by running the following command:
++
+[source,terminal]
+----
+$ oc get route  --all-namespaces -o go-template='{{range .items}}{{if .metadata.annotations}}{{$a := index .metadata.annotations "haproxy.router.openshift.io/hsts_header"}}{{$n := .metadata.name}}{{with $a}}Name: {{$n}} HSTS: {{$a}}{{"\n"}}{{else}}{{""}}{{end}}{{end}}{{end}}'
+----
++
+.Example output
+[source,terminal]
+----
+Name: <_routename_> HSTS: max-age=31536000;preload;includeSubDomains
+----
diff --git a/modules/microshift-nw-multus-add-pod.adoc b/modules/microshift-nw-multus-add-pod.adoc
index 6ce10592a9ef..845ff3e76915 100644
--- a/modules/microshift-nw-multus-add-pod.adoc
+++ b/modules/microshift-nw-multus-add-pod.adoc
@@ -28,7 +28,7 @@ apiVersion: v1
 kind: Pod
 metadata:
   annotations:
-    k8s.v1.cni.cncf.io/networks: <network>[,<network>,...] <1>
+    k8s.v1.cni.cncf.io/networks: <network>[,<network>,...] # <1>
 # ...
 ----
 <1> Replace `<network>` with the name of the additional network to associate with the pod. To specify more than one additional network, separate each network with a comma. Do not include whitespace between the comma. If you specify the same additional network multiple times, that pod will have multiple network interfaces attached to that network.
@@ -56,9 +56,9 @@ metadata:
     k8s.v1.cni.cncf.io/networks: |-
       [
         {
-          "name": "<network>", <1>
-          "namespace": "<namespace>", <2>
-          "default-route": ["<default-route>"] <3>
+          "name": "<network>", # <1>
+          "namespace": "<namespace>", # <2>
+          "default-route": ["<default-route>"] # <3>
         }
       ]
 # ...
@@ -151,7 +151,7 @@ kind: Pod
 metadata:
   annotations:
     k8s.v1.cni.cncf.io/networks: bridge-conf
-    k8s.v1.cni.cncf.io/network-status: |- <1>
+    k8s.v1.cni.cncf.io/network-status: |- # <1>
       [{
           "name": "ovn-kubernetes",
           "interface": "eth0",
diff --git a/modules/microshift-nw-router-con.adoc b/modules/microshift-nw-router-con.adoc
new file mode 100644
index 000000000000..7c323576ed0c
--- /dev/null
+++ b/modules/microshift-nw-router-con.adoc
@@ -0,0 +1,55 @@
+// Module included in the following assemblies:
+//
+// * microshift_networking/microshift-nw-router.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="microshift-about-router-config_{context}"]
+= About configuring the router
+
+To make ingress optional, you can configure {microshift-short} ingress router settings to manage which ports, if any, are exposed to network traffic. Specified routing is an example of ingress load balancing.
+
+* The default ingress router is always on, running on all IP addresses on the `http: 80` and `https: 443` ports.
+* Default router settings allow access to any namespace.
+
+Some applications running on top of {microshift-short} might not require the default router and instead create their own. You can configure the router to control both ingress and namespace access.
+
+[TIP]
+====
+You can check for the presence of the default router in your {microshift-short} installation before you begin configurations by using the `oc get deployment -n openshift-ingress` command, which returns the following output:
+
+[source,terminal]
+----
+NAME             READY   UP-TO-DATE   AVAILABLE   AGE
+router-default   1/1     1            1           2d23h
+----
+====
+
+[id="microshift-router-csettings_{context}"]
+== Router settings and valid values
+
+The ingress router settings consist of the following parameters and valid values:
+
+.Example `config.yaml` router settings
+[source,yaml]
+----
+# ...
+ingress:
+  listenAddress:
+    - ""  # <1>
+  ports: # <2>
+    http: 80
+    https: 443
+  routeAdmissionPolicy:
+    namespaceOwnership: InterNamespaceAllowed # <3>
+  status: Managed # <4>
+# ...
+----
+<1> The `ingress.listenAddress` value defaults to the entire network of the host. Valid customizable values can be a single IP address or host name or a list of IP addresses or host names.
+<2> Valid values for both port entries are a single, unique port in the 1-65535 range. The values of the `ports.http` and `ports.https` fields cannot be the same.
+<3> Default value. Allows routes to claim different paths of the same host name across namespaces.
+<4> Default value. `Managed` is required for the ingress ports to remain open.
+
+[IMPORTANT]
+====
+The firewalld service is bypassed by the default {microshift-short} router and by configurations that enable the router. Ingress and egress must be controlled by setting network policies when the router is active.
+====
diff --git a/modules/microshift-nw-router-config-ip-address.adoc b/modules/microshift-nw-router-config-ip-address.adoc
new file mode 100644
index 000000000000..83a0a3a8bd20
--- /dev/null
+++ b/modules/microshift-nw-router-config-ip-address.adoc
@@ -0,0 +1,77 @@
+// Module included in the following assemblies:
+//
+// * microshift_networking/microshift-nw-router.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="microshift-config-ip-addresses_{context}"]
+= Configuring router IP addresses
+
+You can restrict the network traffic to the router by configuring specific IP addresses. For example:
+
+* Use cases where the router is reachable only on internal networks, but not on northbound public networks
+* Use cases where the router is reachable only by northbound public networks, but not on internal networks
+* Use cases where the router is reachable by both internal networks and northbound public networks, but on separate IP addresses
+
+.Prerequisites
+
+* You installed {microshift-short}.
+* You created a {microshift-short} `config.yaml` file.
+* The {oc-first} is installed.
+
+[TIP]
+====
+If you complete all the configurations that you need to make in the {microshift-short} `config.yaml` file at the same time, you can minimize system restarts.
+====
+
+.Procedure
+
+. Update the list in the `ingress.listenAddress` field in the {microshift-short} `config.yaml` according to your requirements and as shown in the following examples:
++
+.Default router IP address list
+[source,yaml]
+----
+# ...
+ingress:
+  listenAddress:
+    - "<host_network>" # <1>
+# ...
+----
+<1> The `ingress.listenAddress` value defaults to the entire network of the host. To continue to use the default list, remove the `listen.Address` field from the {microshift-short} `config.yaml` file. To customize this parameter, use a list. The list can contain either a single IP address or NIC name or multiple IP addresses and NIC names.
++
+[IMPORTANT]
+====
+You must either remove the `listenAddress` parameter or add values to it in the form of a list when using the `config.yaml` file. Do not leave the field empty or {microshift-short} crashes on restart.
+====
++
+.Example router setting with a single host IP address
+[source,yaml]
+----
+# ...
+ingress:
+  listenAddress:
+    - 10.2.1.100
+# ...
+----
++
+.Example router setting with a combination of IP addresses and NIC names
+[source,yaml]
+----
+# ...
+ingress:
+  listenAddress:
+    - 10.2.1.100
+    - 10.2.2.10
+    - ens3
+# ...
+----
+
+. Restart the {microshift-short} service by running the following command:
++
+[source,terminal]
+----
+$ sudo systemctl restart microshift
+----
+
+.Verification
+
+* To verify that your settings are applied, make sure that the `ingress.listenAddress` IP addresses are reachable, then you can `curl` the route with the destination to one of these load balancer IP address.
\ No newline at end of file
diff --git a/modules/microshift-nw-router-config-ports.adoc b/modules/microshift-nw-router-config-ports.adoc
new file mode 100644
index 000000000000..bab4a02067e9
--- /dev/null
+++ b/modules/microshift-nw-router-config-ports.adoc
@@ -0,0 +1,47 @@
+// Module included in the following assemblies:
+//
+// * microshift_networking/microshift-nw-router.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="microshift-config-router-ports_{context}"]
+= Configuring router ports
+
+You can control which ports your devices use by configuring the router ingress fields.
+
+.Prerequisites
+
+* You installed {microshift-short}.
+* You created a {microshift-short} `config.yaml` file.
+* The {oc-first} is installed.
+
+[TIP]
+====
+If you complete all the configurations that you need to make in the {microshift-short} `config.yaml` file at the same time, you can minimize system restarts.
+====
+
+.Procedure
+
+. Update the {microshift-short} `config.yaml` port values in the `ingress.ports.http` and `ingress.ports.https` fields to the ports you want to use:
++
+.Example `config.yaml` router settings
+[source,yaml]
+----
+# ...
+ingress:
+  ports: # <1>
+    http: 80
+    https: 443
+  routeAdmissionPolicy:
+    namespaceOwnership: InterNamespaceAllowed
+  status: Managed # <2>
+# ...
+----
+<1> Default ports shown. Customizable. Valid values for both port entries are a single, unique port in the 1-65535 range. The values of the `ports.http` and `ports.https` fields cannot be the same.
+<2> The default value. `Managed` is required for the ingress ports to remain open.
+
+. Restart the {microshift-short} service by running the following command:
++
+[source,terminal]
+----
+$ sudo systemctl restart microshift
+----
\ No newline at end of file
diff --git a/modules/microshift-nw-router-disable.adoc b/modules/microshift-nw-router-disable.adoc
new file mode 100644
index 000000000000..54d66c4c7359
--- /dev/null
+++ b/modules/microshift-nw-router-disable.adoc
@@ -0,0 +1,65 @@
+// Module included in the following assemblies:
+//
+// * microshift_networking/microshift-nw-router.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="microshift-disabling-the-router_{context}"]
+= Disabling the router
+
+In use cases such as industrial IoT spaces where {microshift-short} pods only need to connect to southbound operational systems and northbound cloud-data systems, inbound services are not needed. Use this procedure to disable the router in such egress-only use cases.
+
+.Prerequisites
+
+* You installed {microshift-short}.
+* You created a {microshift-short} `config.yaml` file.
+* The {oc-first} is installed.
+
+[TIP]
+====
+If you complete all the configurations that you need to make in the {microshift-short} `config.yaml` file at the same time, you can minimize system restarts.
+====
+
+.Procedure
+
+. Update the value of `ingress.status` field to `Removed` in the {microshift-short} `config.yaml` file as shown in the following example:
++
+.Example `config.yaml` ingress stanza
+[source,yaml]
+----
+# ...
+ingress:
+  ports:
+    http: 80
+    https: 443
+  routeAdmissionPolicy:
+    namespaceOwnership: InterNamespaceAllowed
+  status: Removed # <1>
+# ...
+----
+<1> When the value is set to `Removed`, the ports listed in `ingress.ports` are automatically closed. Any other settings in the `ingress` stanza are ignored, for example, any values in the `routeAdmissionPolicy.namespaceOwnership` field.
+
+. Restart the {microshift-short} service by running the following command:
++
+[source,terminal]
+----
+$ sudo systemctl restart microshift
+----
++
+[NOTE]
+====
+The {microshift-short} service outputs current configurations during restarts.
+====
+
+.Verification
+* After the system restarts, verify that the router has been removed and that ingress is stopped by running the following command:
++
+[source,terminal]
+----
+$ oc -n openshift-ingress get svc
+----
++
+.Expected output
+[source,text]
+----
+No resources found in openshift-ingress namespace.
+----
diff --git a/modules/microshift-oc-mirror-creating-imageset-config.adoc b/modules/microshift-oc-mirror-creating-imageset-config.adoc
index cb3595819ea3..d87688ee6d5b 100644
--- a/modules/microshift-oc-mirror-creating-imageset-config.adoc
+++ b/modules/microshift-oc-mirror-creating-imageset-config.adoc
@@ -39,19 +39,19 @@ storageConfig:
     imageURL: registry.example.com/oc-mirror
     skipTLS: false
 mirror:
-  platform: <1>
+  platform: # <1>
     channels:
-    - name: stable-4.15
+    - name: stable-4.16
       type: ocp
   operators:
-  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.15
+  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.16
     packages:
     - name: serverless-operator
       channels:
       - name: stable
-  additionalImages: <2>
+  additionalImages: # <2>
   - name: registry.redhat.io/ubi8/ubi:latest
-  helm: {} <3>
+  helm: {} # <3>
 ----
 <1> The `platform` field and related fields are not supported by {microshift-short} and must be deleted.
 <2> Specify any additional images to include in the image set. If you do not need to specify additional images, delete this field.
@@ -70,7 +70,7 @@ storageConfig: <1>
     skipTLS: false
 mirror:
   operators:
-  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.15 <3>
+  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.16 <3>
     packages:
     - name: amq-broker-rhel8 <4>
       channels:
diff --git a/modules/microshift-oc-mirror-embed-ops-disconnected-use.adoc b/modules/microshift-oc-mirror-embed-ops-disconnected-use.adoc
index feecec7306ad..bd26f1b46c43 100644
--- a/modules/microshift-oc-mirror-embed-ops-disconnected-use.adoc
+++ b/modules/microshift-oc-mirror-embed-ops-disconnected-use.adoc
@@ -27,14 +27,14 @@ For catalogs made for proprietary Operators, you can format image references for
 +
 [source,terminal]
 ----
-jq -r --slurp '.[] | select(.relatedImages != null) | "[[containers]]\nsource = \"" + .relatedImages[].image + "\"\n"'   ./oc-mirror-workspace/src/catalogs/registry.redhat.io/redhat/redhat-operator-index/v4.15/index/index.json
+jq -r --slurp '.[] | select(.relatedImages != null) | "[[containers]]\nsource = \"" + .relatedImages[].image + "\"\n"'   ./oc-mirror-workspace/src/catalogs/registry.redhat.io/redhat/redhat-operator-index/v4.16/index/index.json
 ----
 
 .. If you want to filter out images that cannot be mirrored, filter and parse the catalog `index.json` file by running the following command:
 +
 [source,terminal]
 ----
-$ jq -r --slurp '.[] | select(.relatedImages != null) | .relatedImages[] | select(.name |  contains("ppc") or contains("s390x") | not) | "[[containers]]\\nsource = \\"" + .image + "\\"\\n"' ./oc-mirror-workspace/src/catalogs/registry.redhat.io/redhat/redhat-operator-index/v4.15/index/index.json
+$ jq -r --slurp '.[] | select(.relatedImages != null) | .relatedImages[] | select(.name |  contains("ppc") or contains("s390x") | not) | "[[containers]]\\nsource = \\"" + .image + "\\"\\n"' ./oc-mirror-workspace/src/catalogs/registry.redhat.io/redhat/redhat-operator-index/v4.16/index/index.json
 ----
 +
 [NOTE]
@@ -84,21 +84,21 @@ storageConfig:
     imageURL: registry.example.com/microshift-mirror
 mirror:
   operators:
-  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.15 <1>
+  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.16 <1>
     packages:
     - name: amq-broker-rhel8
       channels:
       - name: 7.11.x
 ----
-<1> Use the value in the `mirror.catalog` catalog image reference for the follwing `jq` command to get the image digest. In this example, _<registry.redhat.io/redhat/redhat-operator-index:v4.15>_.
+<1> Use the value in the `mirror.catalog` catalog image reference for the follwing `jq` command to get the image digest. In this example, _<registry.redhat.io/redhat/redhat-operator-index:v4.16>_.
 
 . Get the SHA of the catalog index image by running the following command:
 +
 [source,terminal]
 ----
-$ skopeo inspect docker://<registry.redhat.io/redhat/redhat-operator-index:v4.15> | jq `.Digest` <1>
+$ skopeo inspect docker://<registry.redhat.io/redhat/redhat-operator-index:v4.16> | jq `.Digest` <1>
 ----
-<1> Use the value in the `mirror.catalog` catalog image reference for the `jq` command to get the image digest. In this example, _<registry.redhat.io/redhat/redhat-operator-index:v4.15>_.
+<1> Use the value in the `mirror.catalog` catalog image reference for the `jq` command to get the image digest. In this example, _<registry.redhat.io/redhat/redhat-operator-index:v4.16>_.
 +
 .Example output
 [source,terminal]
@@ -120,14 +120,14 @@ source = "registry.redhat.io/redhat/redhat-operator-index@sha256:7a76c0880a83903
 [source,text]
 ----
 name = "microshift_blueprint"
-description = "MicroShift 4.15.1 on x86_64 platform"
+description = "MicroShift 4.16.1 on x86_64 platform"
 version = "0.0.1"
 modules = []
 groups = []
 
 [[packages]] <1>
 name = "microshift"
-version = "4.15.1"
+version = "4.16.1"
 ...
 ...
 
diff --git a/modules/microshift-oc-mirror-install-catalog-cluster.adoc b/modules/microshift-oc-mirror-install-catalog-cluster.adoc
index 61f94c09b765..d16a4c094564 100644
--- a/modules/microshift-oc-mirror-install-catalog-cluster.adoc
+++ b/modules/microshift-oc-mirror-install-catalog-cluster.adoc
@@ -32,7 +32,7 @@ metadata:
   namespace: openshift-marketplace <1>
 spec:
   sourceType: grpc
-  image: registry.example.com/redhat/redhat-operator-index:v4.15
+  image: registry.example.com/redhat/redhat-operator-index:v4.16
   updateStrategy:
     registryPoll:
       interval: 60m
diff --git a/modules/microshift-oc-mirror-list-ops-catalogs.adoc b/modules/microshift-oc-mirror-list-ops-catalogs.adoc
index 1025dc5b534d..f1ed5b8a4cb5 100644
--- a/modules/microshift-oc-mirror-list-ops-catalogs.adoc
+++ b/modules/microshift-oc-mirror-list-ops-catalogs.adoc
@@ -42,13 +42,13 @@ $ oc mirror list operators <--catalog=<catalog_source>> <1>
 +
 [source,terminal]
 ----
-$ oc mirror list operators --catalog=registry.redhat.io/redhat/redhat-operator-index:v4.15 --package=amq-broker-rhel8
+$ oc mirror list operators --catalog=registry.redhat.io/redhat/redhat-operator-index:v4.16 --package=amq-broker-rhel8
 ----
 .. Get a list of versions within a channel by running the following command:
 +
 [source,terminal]
 ----
-$ oc mirror list operators --catalog=registry.redhat.io/redhat/redhat-operator-index:v4.15 --package=amq-broker-rhel8 --channel=7.11.x
+$ oc mirror list operators --catalog=registry.redhat.io/redhat/redhat-operator-index:v4.16 --package=amq-broker-rhel8 --channel=7.11.x
 ----
 
 .Next steps
diff --git a/modules/microshift-ops-config-embed-ostree.adoc b/modules/microshift-ops-config-embed-ostree.adoc
index 264405bd4a16..c6fcc708f021 100644
--- a/modules/microshift-ops-config-embed-ostree.adoc
+++ b/modules/microshift-ops-config-embed-ostree.adoc
@@ -26,7 +26,7 @@ metadata:
   name: cs-redhat-operator-index
   namespace: openshift-marketplace <1>
 spec:
-  image: registry.example.com/redhat/redhat-operator-index:v4.15
+  image: registry.example.com/redhat/redhat-operator-index:v4.16
   sourceType: grpc
   displayName:
   publisher:
diff --git a/modules/microshift-restoring-data-backups.adoc b/modules/microshift-restoring-data-backups.adoc
index dcd2fd78e07c..af5bf2bdeb18 100644
--- a/modules/microshift-restoring-data-backups.adoc
+++ b/modules/microshift-restoring-data-backups.adoc
@@ -17,7 +17,7 @@ On an `rpm-ostree` system, {microshift-short} backs up and restores data automat
 
 * Root access to the host.
 * Full path of the data backup file.
-* {microshift-short} is stopped.
+* The {microshift-short} service is stopped.
 
 .Procedure
 
@@ -48,6 +48,8 @@ Replace `<my_manual_backup>` with the backup name that you used. Optional: You c
 $ sudo microshift restore /<mnt>/<other_backups_location>/<another_manual_backup>
 ----
 Replace `<other_backups_location>` with the directory you used and `<my_manual_backup>` with the backup name you used when creating the backup you are restoring.
-+
+
+. Restart the host. Restarting the host enables all workloads and pods to restart.
+
 .Verification
-* Verify that your backup is restored by restarting {microshift-short} and checking the data.
\ No newline at end of file
+* Use the `oc get pods -A` command to verify that the cluster is running, then check the restored data.
\ No newline at end of file
diff --git a/modules/microshift-updates-troubleshooting.adoc b/modules/microshift-updates-troubleshooting.adoc
index 2ba121914649..3f8ca772c008 100644
--- a/modules/microshift-updates-troubleshooting.adoc
+++ b/modules/microshift-updates-troubleshooting.adoc
@@ -8,28 +8,33 @@
 
 In some cases, {microshift-short} might fail to update. In these events, it is helpful to understand failure types and how to troubleshoot them.
 
-[id="microshift-update-path-blocked-by-version-sequence_{context}"]
-== Update path is blocked by {microshift-short} version sequence
-{microshift-short} requires serial updates. Attempting to update {microshift-short} by skipping a minor version fails:
+//[id="microshift-update-path-blocked-by-version-sequence_{context}"]
+//== Update path is blocked by {microshift-short} version sequence
+//Certain versions of {microshift-short} require serial updates. Attempting to update {microshift-short} by skipping a minor version fails:
 
-* For example, if your current version is `4.14.5`, but you try to update from that version to `4.16.0`, the message, `executable (4.16.0) is too recent compared to existing data (4.14.5): version difference is 2, maximum allowed difference is 1` appears and {microshift-short} fails to start.
+//* For example, if your current version is `4.14.5`, but you try to update from that version to `4.16.0`, the message, `executable (4.16.0) is too recent compared to existing data (4.14.5): version difference is 2, maximum allowed difference is 1` appears and {microshift-short} fails to start.
 
-In this example, you must first update `4.14.5` to a version of `4.15`, and then you can upgrade to `4.16.0`.
+//In this example, you must first update `4.14.5` to a version of `4.15`, and then you can upgrade to `4.16.0`.
 
 [id="microshift-update-path-blocked-by-version-incompatibility_{context}"]
 == Update path is blocked by version incompatibility
 RPM dependency errors result if a {microshift-short} update is incompatible with the version of {op-system-ostree-first} or {op-system-base-full}.
 
+[id="microshift-compatibility-table_{context}"]
+=== Compatibility table
 Check the following compatibility table:
 
 include::snippets/microshift-rhde-compatibility-table-snip.adoc[leveloffset=+2]
 
+[id="microshift-version-compatibility_{context}"]
+=== Version compatibility
 Check the following update paths:
 
 *{product-title} update paths*
 
-* Generally Available Version 4.14.0 to 4.14.z on {op-system-ostree} 9.2
-* Generally Available Version 4.14.0 to 4.14.z on {op-system} 9.2
+* Generally Available Version 4.16.0 to 4.16.z on {op-system-ostree} 9.4
+* Generally Available Version 4.15.0 from {op-system} 9.2 to 4.16.0 on {op-system} 9.4
+* Generally Available Version 4.14.0 from {op-system} 9.2 to 4.16.0 on {op-system} 9.4
 
 [id="microshift-ostree-update-failed_{context}"]
 == OSTree update failed
diff --git a/modules/microshift-updating-rpms-y.adoc b/modules/microshift-updating-rpms-y.adoc
index a43ae5b6c500..6f4093e8b30d 100644
--- a/modules/microshift-updating-rpms-y.adoc
+++ b/modules/microshift-updating-rpms-y.adoc
@@ -6,11 +6,11 @@
 [id="microshift-updating-rpms_{context}"]
 = Applying minor-version updates with RPMs
 
-Updating a {microshift-short} minor version on non `rpm-ostree` systems such as {op-system-base-full} requires downloading then updating the RPMs. For example, use the following procedure to update from 4.14 to 4.15.
+Updating a {microshift-short} minor version on non `rpm-ostree` systems such as {op-system-base-full} requires downloading then updating the RPMs. For example, use the following procedure to update from 4.15 to 4.16.
 
 [IMPORTANT]
 ====
-You can only update {microshift-short} from one version to the next in sequence. Jumping minor versions is not supported. For example, must update 4.14 to 4.15.
+You can only update {microshift-short} from one version to the next in sequence. Jumping minor versions is not supported. For example, must update 4.15 to 4.16.
 ====
 
 .Prerequisites
diff --git a/modules/migration-updating-deprecated-internal-images.adoc b/modules/migration-updating-deprecated-internal-images.adoc
index 05db06943c56..6b1cbb6134aa 100644
--- a/modules/migration-updating-deprecated-internal-images.adoc
+++ b/modules/migration-updating-deprecated-internal-images.adoc
@@ -25,28 +25,39 @@ If an {product-title} 3 image is deprecated in {product-title} {product-version}
 The {product-registry} is exposed by default on {product-title} 4.
 
 . If you are using insecure registries, add your registry host values to the `[registries.insecure]` section of `/etc/container/registries.conf` to ensure that `podman` does not encounter a TLS verification error.
-. Log in to the {product-title} 3 registry:
+. Log in to the {product-title} 3 registry by running the following command:
 +
 [source,terminal]
 ----
 $ podman login -u $(oc whoami) -p $(oc whoami -t) --tls-verify=false <registry_url>:<port>
 ----
 
-. Log in to the {product-title} 4 registry:
+. Log in to the {product-title} 4 registry by running the following command:
 +
 [source,terminal]
 ----
 $ podman login -u $(oc whoami) -p $(oc whoami -t) --tls-verify=false <registry_url>:<port>
 ----
 
-. Pull the {product-title} 3 image:
+. Pull the {product-title} 3 image by running the following command:
 +
 [source,terminal]
 ----
 $ podman pull <registry_url>:<port>/openshift/<image>
 ----
 
-. Tag the {product-title} 3 image for the {product-title} 4 registry:
+. Scan the {product-title} 3 image for deprecated namespaces by running the following command:
++
+[source,terminal]
+----
+$ oc get bc --all-namespaces --template='range .items
+"BuildConfig:" .metadata.namespace/.metadata.name =>
+"\t""ImageStream(FROM):" .spec.strategy.sourceStrategy.from.namespace/.spec.strategy.sourceStrategy.from.name
+"\t""ImageStream(TO):" .spec.output.to.namespace/.spec.output.to.name
+end'
+----
+
+. Tag the {product-title} 3 image for the {product-title} 4 registry by running the following command:
 +
 [source,terminal]
 ----
@@ -56,7 +67,7 @@ $ podman tag <registry_url>:<port>/openshift/<image> \ <1>
 <1> Specify the registry URL and port for the {product-title} 3 cluster.
 <2> Specify the registry URL and port for the {product-title} 4 cluster.
 
-. Push the image to the {product-title} 4 registry:
+. Push the image to the {product-title} 4 registry by running the following command:
 +
 [source,terminal]
 ----
@@ -64,7 +75,7 @@ $ podman push <registry_url>:<port>/openshift/<image> <1>
 ----
 <1> Specify the {product-title} 4 cluster.
 
-. Verify that the image has a valid image stream:
+. Verify that the image has a valid image stream by running the following command:
 +
 [source,terminal]
 ----
diff --git a/modules/minimum-required-permissions-ipi-azure.adoc b/modules/minimum-required-permissions-ipi-azure.adoc
index 7f5d7f49da17..c45b84d5f1c6 100644
--- a/modules/minimum-required-permissions-ipi-azure.adoc
+++ b/modules/minimum-required-permissions-ipi-azure.adoc
@@ -29,8 +29,8 @@ The following permissions are required for creating an {product-title} cluster o
 .Required permissions for creating compute resources
 [%collapsible]
 ====
-* `Microsoft.Compute/availabilitySets/write`
 * `Microsoft.Compute/availabilitySets/read`
+* `Microsoft.Compute/availabilitySets/write`
 * `Microsoft.Compute/disks/beginGetAccess/action`
 * `Microsoft.Compute/disks/delete`
 * `Microsoft.Compute/disks/read`
@@ -167,6 +167,7 @@ The following permissions are not required to create the private {product-title}
 .Optional permissions for creating compute resources
 [%collapsible]
 ====
+* `Microsoft.Compute/availabilitySets/delete`
 * `Microsoft.Compute/images/read`
 * `Microsoft.Compute/images/write`
 * `Microsoft.Compute/images/delete`
diff --git a/modules/minimum-required-permissions-ipi-gcp-xpn.adoc b/modules/minimum-required-permissions-ipi-gcp-xpn.adoc
index 818f7e69c5ac..0d58a82dbe56 100644
--- a/modules/minimum-required-permissions-ipi-gcp-xpn.adoc
+++ b/modules/minimum-required-permissions-ipi-gcp-xpn.adoc
@@ -8,9 +8,14 @@
 
 When you are installing a cluster to a link:https://cloud.google.com/vpc/docs/shared-vpc[shared VPC], you must configure the service account for both the host project and the service project. If you are not installing to a shared VPC, you can skip this section.
 
-You must apply the minimum roles required for a standard installation as listed above, to the service project. Note that custom roles, and therefore fine-grained permissions, cannot be used in shared VPC installations because GCP does not support adding the required permission `compute.organizations.administerXpn` to custom roles.
+You must apply the minimum roles required for a standard installation as listed above, to the service project.
 
-In addition, the host project must apply one of the following configurations to the service account:
+[IMPORTANT]
+====
+You can use granular permissions for a Cloud Credential Operator that operates in either manual or mint credentials mode. You cannot use granular permissions in passthrough credentials mode.
+====
+
+Ensure that the host project applies one of the following configurations to the service account:
 
 .Required permissions for creating firewalls in the host project
 [%collapsible]
diff --git a/modules/minimum-required-permissions-upi-azure.adoc b/modules/minimum-required-permissions-upi-azure.adoc
index 110c1cbf814a..4f8fd2eedf84 100644
--- a/modules/minimum-required-permissions-upi-azure.adoc
+++ b/modules/minimum-required-permissions-upi-azure.adoc
@@ -152,6 +152,7 @@ The following permissions are required for creating an {product-title} cluster o
 .Optional permissions for creating compute resources
 [%collapsible]
 ====
+* `Microsoft.Compute/availabilitySets/delete`
 * `Microsoft.Compute/availabilitySets/write`
 ====
 
diff --git a/modules/monitoring-about-specifying-limits-and-requests-for-monitoring-components.adoc b/modules/monitoring-about-specifying-limits-and-requests-for-monitoring-components.adoc
index 6d6ec7ca0a12..1131a8e800fa 100644
--- a/modules/monitoring-about-specifying-limits-and-requests-for-monitoring-components.adoc
+++ b/modules/monitoring-about-specifying-limits-and-requests-for-monitoring-components.adoc
@@ -14,7 +14,7 @@ You can configure resource limits and request settings for core platform monitor
 * node-exporter
 * openshift-state-metrics
 * Prometheus (for core platform monitoring and for user-defined projects)
-* Prometheus Adapter
+* Metrics Server
 * Prometheus Operator and its admission webhook service
 * Telemeter Client
 * Thanos Querier
diff --git a/modules/monitoring-common-terms.adoc b/modules/monitoring-common-terms.adoc
index 025f506b4f0b..56318f6a327a 100644
--- a/modules/monitoring-common-terms.adoc
+++ b/modules/monitoring-common-terms.adoc
@@ -54,6 +54,9 @@ Kubernetes scheduler allocates pods to nodes.
 labels::
 Labels are key-value pairs that you can use to organize and select subsets of objects such as a pod.
 
+Metrics Server::
+The Metrics Server monitoring component collects resource metrics and exposes them in the `metrics.k8s.io` Metrics API service for use by other tools and APIs, which frees the core platform Prometheus stack from handling this functionality.
+
 node::
 A worker machine in the {product-title} cluster. A node is either a virtual machine (VM) or a physical machine.
 
@@ -75,9 +78,6 @@ The pod is the smallest logical unit in Kubernetes. A pod is comprised of one or
 Prometheus::
 Prometheus is the monitoring system on which the {product-title} monitoring stack is based. Prometheus is a time-series database and a rule evaluation engine for metrics. Prometheus sends alerts to Alertmanager for processing.
 
-Prometheus adapter::
-The Prometheus Adapter translates Kubernetes node and pod queries for use in Prometheus. The resource metrics that are translated include CPU and memory utilization. The Prometheus Adapter exposes the cluster resource metrics API for horizontal pod autoscaling.
-
 Prometheus Operator::
 The Prometheus Operator (PO) in the `openshift-monitoring` project creates, configures, and manages platform Prometheus and Alertmanager instances. It also automatically generates monitoring target configurations based on Kubernetes label queries.
 
diff --git a/modules/monitoring-configurable-monitoring-components.adoc b/modules/monitoring-configurable-monitoring-components.adoc
index ac31029b3ff6..173a0ad2e257 100644
--- a/modules/monitoring-configurable-monitoring-components.adoc
+++ b/modules/monitoring-configurable-monitoring-components.adoc
@@ -5,9 +5,9 @@
 [id="configurable-monitoring-components_{context}"]
 = Configurable monitoring components
 
-This table shows the monitoring components you can configure and the keys used to specify the components in the 
+This table shows the monitoring components you can configure and the keys used to specify the components in the
 ifndef::openshift-dedicated,openshift-rosa[]
-`cluster-monitoring-config` and 
+`cluster-monitoring-config` and
 endif::openshift-dedicated,openshift-rosa[]
 `user-workload-monitoring-config` `ConfigMap` objects.
 
@@ -30,7 +30,7 @@ ifndef::openshift-dedicated,openshift-rosa[]
 |monitoring-plugin | `monitoringPlugin` |
 |openshift-state-metrics |`openshiftStateMetrics` |
 |Telemeter Client |`telemeterClient` |
-|Prometheus Adapter |`k8sPrometheusAdapter` |
+|Metrics Server |`metricsServer` |
 |Thanos Querier |`thanosQuerier` |
 |Thanos Ruler | |`thanosRuler`
 |====
diff --git a/modules/monitoring-configuring-a-local-persistent-volume-claim.adoc b/modules/monitoring-configuring-a-persistent-volume-claim.adoc
similarity index 60%
rename from modules/monitoring-configuring-a-local-persistent-volume-claim.adoc
rename to modules/monitoring-configuring-a-persistent-volume-claim.adoc
index 0fc74f448d87..8a7bab950c89 100644
--- a/modules/monitoring-configuring-a-local-persistent-volume-claim.adoc
+++ b/modules/monitoring-configuring-a-persistent-volume-claim.adoc
@@ -3,15 +3,11 @@
 // * observability/monitoring/configuring-the-monitoring-stack.adoc
 
 :_mod-docs-content-type: PROCEDURE
-[id="configuring-a-local-persistent-volume-claim_{context}"]
-ifndef::openshift-dedicated,openshift-rosa[]
-= Configuring a local persistent volume claim
-endif::openshift-dedicated,openshift-rosa[]
-ifdef::openshift-dedicated,openshift-rosa[]
+[id="configuring-a-persistent-volume-claim_{context}"]
+
 = Configuring a persistent volume claim
-endif::openshift-dedicated,openshift-rosa[]
 
-For monitoring components to use a persistent volume (PV), you must configure a persistent volume claim (PVC).
+To use a persistent volume (PV) for monitoring components, you must configure a persistent volume claim (PVC).
 
 .Prerequisites
 
@@ -52,18 +48,21 @@ metadata:
   namespace: openshift-monitoring
 data:
   config.yaml: |
-    <component>:
+    <component>: #<1>
       volumeClaimTemplate:
         spec:
-          storageClassName: <storage_class>
+          storageClassName: <storage_class> #<2>
           resources:
             requests:
-              storage: <amount_of_storage>
+              storage: <amount_of_storage> #<3>
 ----
+<1> Specify the core monitoring component for which you want to configure the PVC.
+<2> Specify an existing storage class. If a storage class is not specified, the default storage class is used.
+<3> Specify the amount of required storage.
 +
 See the link:https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims[Kubernetes documentation on PersistentVolumeClaims] for information on how to specify `volumeClaimTemplate`.
 +
-The following example configures a PVC that claims local persistent storage for the Prometheus instance that monitors core {product-title} components:
+The following example configures a PVC that claims persistent storage for the Prometheus instance that monitors core {product-title} components:
 +
 [source,yaml]
 ----
@@ -77,33 +76,11 @@ data:
     prometheusK8s:
       volumeClaimTemplate:
         spec:
-          storageClassName: local-storage
+          storageClassName: my-storage-class
           resources:
             requests:
               storage: 40Gi
 ----
-+
-In the above example, the storage class created by the Local Storage Operator is called `local-storage`.
-+
-The following example configures a PVC that claims local persistent storage for Alertmanager:
-+
-[source,yaml]
-----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: cluster-monitoring-config
-  namespace: openshift-monitoring
-data:
-  config.yaml: |
-    alertmanagerMain:
-      volumeClaimTemplate:
-        spec:
-          storageClassName: local-storage
-          resources:
-            requests:
-              storage: 10Gi
-----
 
 ** *To configure a PVC for a component that monitors user-defined projects*:
 endif::openshift-dedicated,openshift-rosa[]
@@ -125,58 +102,21 @@ metadata:
   namespace: openshift-user-workload-monitoring
 data:
   config.yaml: |
-    <component>:
+    <component>: #<1>
       volumeClaimTemplate:
         spec:
-          storageClassName: <storage_class>
+          storageClassName: <storage_class> #<2>
           resources:
             requests:
-              storage: <amount_of_storage>
+              storage: <amount_of_storage> #<3>
 ----
+<1> Specify the component for user-defined monitoring for which you want to configure the PVC.
+<2> Specify an existing storage class. If a storage class is not specified, the default storage class is used.
+<3> Specify the amount of required storage.
 +
 See the link:https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims[Kubernetes documentation on PersistentVolumeClaims] for information on how to specify `volumeClaimTemplate`.
 +
-The following example configures a PVC that claims
-ifndef::openshift-dedicated,openshift-rosa[]
-local
-endif::openshift-dedicated,openshift-rosa[]
-persistent storage for the Prometheus instance that monitors user-defined projects:
-+
-[source,yaml]
-----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: user-workload-monitoring-config
-  namespace: openshift-user-workload-monitoring
-data:
-  config.yaml: |
-    prometheus:
-      volumeClaimTemplate:
-        spec:
-ifndef::openshift-dedicated,openshift-rosa[]
-          storageClassName: local-storage
-endif::openshift-dedicated,openshift-rosa[]
-ifdef::openshift-dedicated,openshift-rosa[]
-          storageClassName: gp3
-endif::openshift-dedicated,openshift-rosa[]
-          resources:
-            requests:
-              storage: 40Gi
-----
-+
-ifndef::openshift-dedicated,openshift-rosa[]
-In the above example, the storage class created by the Local Storage Operator is called `local-storage`.
-endif::openshift-dedicated,openshift-rosa[]
-ifdef::openshift-dedicated,openshift-rosa[]
-The above example uses the `gp3` storage class.
-endif::openshift-dedicated,openshift-rosa[]
-+
-The following example configures a PVC that claims
-ifndef::openshift-dedicated,openshift-rosa[]
-local
-endif::openshift-dedicated,openshift-rosa[]
-persistent storage for Thanos Ruler:
+The following example configures a PVC that claims persistent storage for Thanos Ruler:
 +
 [source,yaml]
 ----
@@ -190,12 +130,7 @@ data:
     thanosRuler:
       volumeClaimTemplate:
         spec:
-ifndef::openshift-dedicated,openshift-rosa[]
-          storageClassName: local-storage
-endif::openshift-dedicated,openshift-rosa[]
-ifdef::openshift-dedicated,openshift-rosa[]
-          storageClassName: gp3
-endif::openshift-dedicated,openshift-rosa[]
+          storageClassName: my-storage-class
           resources:
             requests:
               storage: 10Gi
diff --git a/modules/monitoring-configuring-persistent-storage.adoc b/modules/monitoring-configuring-persistent-storage.adoc
index f50b48ec41fa..94f36b5ca4e9 100644
--- a/modules/monitoring-configuring-persistent-storage.adoc
+++ b/modules/monitoring-configuring-persistent-storage.adoc
@@ -11,9 +11,9 @@ Run cluster monitoring with persistent storage to gain the following benefits:
 * Protect your metrics and alerting data from data loss by storing them in a persistent volume (PV). As a result, they can survive pods being restarted or recreated.
 * Avoid getting duplicate notifications and losing silences for alerts when the Alertmanager pods are restarted.
 
-For production environments, it is highly recommended to configure persistent storage. Because of the high IO demands, it is advantageous to use local storage.
+For production environments, it is highly recommended to configure persistent storage. 
 
-[id="persistent-storage-prerequisites"]
+[id="persistent-storage-prerequisites_{context}"]
 == Persistent storage prerequisites
 
 ifdef::openshift-dedicated,openshift-rosa[]
@@ -21,21 +21,16 @@ ifdef::openshift-dedicated,openshift-rosa[]
 endif::openshift-dedicated,openshift-rosa[]
 
 ifndef::openshift-dedicated,openshift-rosa[]
-* Dedicate sufficient local persistent storage to ensure that the disk does not become full. How much storage you need depends on the number of pods.
-
-* Verify that you have a persistent volume (PV) ready to be claimed by the persistent volume claim (PVC), one PV for each replica. Because Prometheus and Alertmanager both have two replicas, you need four PVs to support the entire monitoring stack. The PVs are available from the Local Storage Operator, but not if you have enabled dynamically provisioned storage.
+* Dedicate sufficient persistent storage to ensure that the disk does not become full.
 
 * Use `Filesystem` as the storage type value for the `volumeMode` parameter when you configure the persistent volume.
 +
-[NOTE]
-====
-If you use a local volume for persistent storage, do not use a raw block volume, which is described with `volumeMode: Block` in the `LocalVolume` object. Prometheus cannot use raw block volumes.
-====
-+
 [IMPORTANT]
 ====
-Prometheus does not support file systems that are not POSIX compliant.
+* Do not use a raw block volume, which is described with `volumeMode: Block` in the `PersistentVolume` resource. Prometheus cannot use raw block volumes.
+
+* Prometheus does not support file systems that are not POSIX compliant.
 For example, some NFS file system implementations are not POSIX compliant.
 If you want to use an NFS file system for storage, verify with the vendor that their NFS implementation is fully POSIX compliant.
 ====
-endif::openshift-dedicated,openshift-rosa[]
+endif::openshift-dedicated,openshift-rosa[]
\ No newline at end of file
diff --git a/modules/monitoring-creating-scrape-sample-alerts.adoc b/modules/monitoring-creating-scrape-sample-alerts.adoc
index f8343d22ba90..2b96ad1dc137 100644
--- a/modules/monitoring-creating-scrape-sample-alerts.adoc
+++ b/modules/monitoring-creating-scrape-sample-alerts.adoc
@@ -30,38 +30,38 @@ metadata:
   labels:
     prometheus: k8s
     role: alert-rules
-  name: monitoring-stack-alerts <1>
-  namespace: ns1 <2>
+  name: monitoring-stack-alerts #<1>
+  namespace: ns1 #<2>
 spec:
   groups:
   - name: general.rules
     rules:
-    - alert: TargetDown <3>
+    - alert: TargetDown #<3>
       annotations:
         message: '{{ printf "%.4g" $value }}% of the {{ $labels.job }}/{{ $labels.service
-          }} targets in {{ $labels.namespace }} namespace are down.' <4>
+          }} targets in {{ $labels.namespace }} namespace are down.' #<4>
       expr: 100 * (count(up == 0) BY (job, namespace, service) / count(up) BY (job,
         namespace, service)) > 10
-      for: 10m <5>
+      for: 10m #<5>
       labels:
-        severity: warning <6>
-    - alert: ApproachingEnforcedSamplesLimit <7>
+        severity: warning #<6>
+    - alert: ApproachingEnforcedSamplesLimit #<7>
       annotations:
-        message: '{{ $labels.container }} container of the {{ $labels.pod }} pod in the {{ $labels.namespace }} namespace consumes {{ $value | humanizePercentage }} of the samples limit budget.' <8>
-      expr: scrape_samples_scraped/50000 > 0.8 <9>
-      for: 10m <10>
+        message: '{{ $labels.container }} container of the {{ $labels.pod }} pod in the {{ $labels.namespace }} namespace consumes {{ $value | humanizePercentage }} of the samples limit budget.' #<8>
+      expr: (scrape_samples_post_metric_relabeling / (scrape_sample_limit > 0)) > 0.9 #<9>
+      for: 10m #<10>
       labels:
-        severity: warning <11>
+        severity: warning #<11>
 ----
 <1> Defines the name of the alerting rule.
-<2> Specifies the user-defined project where the alerting rule will be deployed.
-<3> The `TargetDown` alert will fire if the target cannot be scraped or is not available for the `for` duration.
-<4> The message that will be output when the `TargetDown` alert fires.
+<2> Specifies the user-defined project where the alerting rule is deployed.
+<3> The `TargetDown` alert fires if the target cannot be scraped and is not available for the `for` duration.
+<4> The message that is displayed when the `TargetDown` alert fires.
 <5> The conditions for the `TargetDown` alert must be true for this duration before the alert is fired.
 <6> Defines the severity for the `TargetDown` alert.
-<7> The `ApproachingEnforcedSamplesLimit` alert will fire when the defined scrape sample threshold is reached or exceeded for the specified `for` duration.
-<8> The message that will be output when the `ApproachingEnforcedSamplesLimit` alert fires.
-<9> The threshold for the `ApproachingEnforcedSamplesLimit` alert. In this example the alert will fire when the number of samples per target scrape has exceeded 80% of the enforced sample limit of `50000`. The `for` duration must also have passed before the alert will fire. The `<number>` in the expression `scrape_samples_scraped/<number> > <threshold>` must match the `enforcedSampleLimit` value defined in the `user-workload-monitoring-config` `ConfigMap` object.
+<7> The `ApproachingEnforcedSamplesLimit` alert fires when the defined scrape sample threshold is exceeded and lasts for the specified `for` duration.
+<8> The message that is displayed when the `ApproachingEnforcedSamplesLimit` alert fires.
+<9> The threshold for the `ApproachingEnforcedSamplesLimit` alert. In this example, the alert fires when the number of ingested samples exceeds 90% of the configured limit.
 <10> The conditions for the `ApproachingEnforcedSamplesLimit` alert must be true for this duration before the alert is fired.
 <11> Defines the severity for the `ApproachingEnforcedSamplesLimit` alert.
 
@@ -71,3 +71,9 @@ spec:
 ----
 $ oc apply -f monitoring-stack-alerts.yaml
 ----
+
+. Additionally, you can check if a target has hit the configured limit:
+
+.. In the *Administrator* perspective of the web console, go to *Observe* -> *Targets* and select an endpoint with a `Down` status that you want to check.
++
+The *Scrape failed: sample limit exceeded* message is displayed if the endpoint failed because of an exceeded sample limit.
diff --git a/modules/monitoring-default-monitoring-components.adoc b/modules/monitoring-default-monitoring-components.adoc
index 38b3780e9530..1b0d93be811b 100644
--- a/modules/monitoring-default-monitoring-components.adoc
+++ b/modules/monitoring-default-monitoring-components.adoc
@@ -23,14 +23,8 @@ By default, the {product-title} {product-version} monitoring stack includes thes
 |Prometheus
 |Prometheus is the monitoring system on which the {product-title} monitoring stack is based. Prometheus is a time-series database and a rule evaluation engine for metrics. Prometheus sends alerts to Alertmanager for processing.
 
-|Prometheus Adapter
-|The Prometheus Adapter (PA in the preceding diagram) translates Kubernetes node and pod queries for use in Prometheus. The resource metrics that are translated include CPU and memory utilization metrics. The Prometheus Adapter exposes the cluster resource metrics API for horizontal pod autoscaling. The Prometheus Adapter is also used by the `oc adm top nodes` and `oc adm top pods` commands.
-
-|Metrics Server (Technology Preview)
-|If enabled, the Metrics Server component collects resource metrics and exposes them in the `metrics.k8s.io` Metrics API service for use by other tools and APIs, which frees the core platform Prometheus stack from handling this functionality.
-
-The Technology Preview of the Metrics Server component is automatically installed instead of Prometheus Adapter if you configure the `FeatureGate` custom resource with the `TechPreviewNoUpgrade` option.
-For more information about the support scope of Red{nbsp}Hat Technology Preview features, see link:https://access.redhat.com/support/offerings/techpreview/[Technology Preview Features Support Scope].
+|Metrics Server
+|The Metrics Server component (MS in the preceding diagram) collects resource metrics and exposes them in the `metrics.k8s.io` Metrics API service for use by other tools and APIs, which frees the core platform Prometheus stack from handling this functionality. Note that with the {product-title} 4.16 release, Metrics Server replaces Prometheus Adapter.
 
 |Alertmanager
 |The Alertmanager service handles alerts received from Prometheus. Alertmanager is also responsible for sending the alerts to external notification systems.
@@ -39,7 +33,7 @@ For more information about the support scope of Red{nbsp}Hat Technology Preview
 |The kube-state-metrics exporter agent (KSM in the preceding diagram) converts Kubernetes objects to metrics that Prometheus can use.
 
 |monitoring-plugin
-|The monitoring-plugin dynamic plugin component deploys the monitoring pages in the *Observe* section of the {product-title} web console. 
+|The monitoring-plugin dynamic plugin component deploys the monitoring pages in the *Observe* section of the {product-title} web console.
 You can use Cluster Monitoring Operator (CMO) config map settings to manage monitoring-plugin resources for the web console pages.
 
 |openshift-state-metrics agent
diff --git a/modules/monitoring-default-monitoring-targets.adoc b/modules/monitoring-default-monitoring-targets.adoc
index a30db8a5dd5b..1cdb350abae0 100644
--- a/modules/monitoring-default-monitoring-targets.adoc
+++ b/modules/monitoring-default-monitoring-targets.adoc
@@ -7,32 +7,42 @@
 = Default monitoring targets
 
 ifndef::openshift-dedicated,openshift-rosa[]
-In addition to the components of the stack itself, the default monitoring stack monitors:
+In addition to the components of the stack itself, the default monitoring stack monitors additional platform components.
+
+The following are examples of monitoring targets:
 endif::openshift-dedicated,openshift-rosa[]
 
 ifdef::openshift-dedicated,openshift-rosa[]
-Red Hat Site Reliability Engineers (SRE) monitor the following platform targets in your {product-title} cluster:
+The following are examples of targets monitored by Red{nbsp}Hat Site Reliability Engineers (SRE) in your {product-title} cluster:
 endif::openshift-dedicated,openshift-rosa[]
 
 * CoreDNS
-* Elasticsearch (if Logging is installed)
 * etcd
-* Fluentd (if Logging is installed)
 * HAProxy
 * Image registry
 * Kubelets
 * Kubernetes API server
 * Kubernetes controller manager
 * Kubernetes scheduler
+ifndef::openshift-rosa[]
 * OpenShift API server
 * OpenShift Controller Manager
 * Operator Lifecycle Manager (OLM)
-* Vector (if Logging is installed)
+endif::openshift-rosa[]
+
+ifdef::openshift-dedicated,openshift-rosa[]
+[NOTE]
+====
+The exact list of targets can vary depending on your cluster capabilities and installed components.
+====
+endif::openshift-dedicated,openshift-rosa[]
 
 ifndef::openshift-dedicated,openshift-rosa[]
 [NOTE]
 ====
-Each {product-title} component is responsible for its monitoring configuration. For problems with the monitoring of an {product-title} component, open a
+* The exact list of targets can vary depending on your cluster capabilities and installed components.
+
+* Each {product-title} component is responsible for its monitoring configuration. For problems with the monitoring of an {product-title} component, open a
 link:https://issues.redhat.com/secure/CreateIssueDetails!init.jspa?pid=12332330&summary=Monitoring_issue&issuetype=1&priority=10200&versions=12385624[Jira issue] against that component, not against the general monitoring component.
 ====
 
diff --git a/modules/monitoring-example-remote-write-authentication-settings.adoc b/modules/monitoring-example-remote-write-authentication-settings.adoc
index 2139d1ebdb6f..4ce0fa1b02c4 100644
--- a/modules/monitoring-example-remote-write-authentication-settings.adoc
+++ b/modules/monitoring-example-remote-write-authentication-settings.adoc
@@ -183,12 +183,10 @@ metadata:
 stringData:
   id: <oauth2_id> <1>
   secret: <oauth2_secret> <2>
-  token: <oauth2_authentication_token> <3>
 type: Opaque
 ----
 <1> The Oauth 2.0 ID.
 <2> The OAuth 2.0 secret.
-<3> The OAuth 2.0 token.
 
 The following shows an `oauth2` remote write authentication sample configuration that uses a `Secret` object named `oauth2-credentials` in the `{namespace-name}` namespace:
 
diff --git a/modules/monitoring-example-service-endpoint-authentication-settings.adoc b/modules/monitoring-example-service-endpoint-authentication-settings.adoc
new file mode 100644
index 000000000000..969e611fa433
--- /dev/null
+++ b/modules/monitoring-example-service-endpoint-authentication-settings.adoc
@@ -0,0 +1,158 @@
+// Module included in the following assemblies:
+//
+// * observability/monitoring/configuring-the-monitoring-stack.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="example-service-endpoint-authentication-settings_{context}"]
+= Example service endpoint authentication settings
+
+You can configure authentication for service endpoints for user-defined project monitoring by using `ServiceMonitor` and `PodMonitor` custom resource definitions (CRDs). 
+
+The following samples show different authentication settings for a `ServiceMonitor` resource.
+Each sample shows how to configure a corresponding `Secret` object that contains authentication credentials and other relevant settings.
+
+== Sample YAML authentication with a bearer token
+
+The following sample shows bearer token settings for a `Secret` object named `example-bearer-auth` in the `ns1` namespace:
+
+.Example bearer token secret
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  name: example-bearer-auth
+  namespace: ns1
+stringData:
+  token: <authentication_token> #<1>
+----
+<1> Specify an authentication token.
+
+The following sample shows bearer token authentication settings for a `ServiceMonitor` CRD. The example uses a `Secret` object named `example-bearer-auth`:
+
+[id="sample-yaml-bearer-token_{context}"]
+.Example bearer token authentication settings
+[source,yaml]
+----
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: prometheus-example-monitor
+  namespace: ns1 
+spec:
+  endpoints: 
+  - authorization:
+      credentials:
+        key: token #<1>
+        name: example-bearer-auth #<2>
+    port: web
+  selector: 
+    matchLabels:
+      app: prometheus-example-app
+----
+<1> The key that contains the authentication token in the specified `Secret` object.
+<2> The name of the `Secret` object that contains the authentication credentials.
+
+[IMPORTANT]
+=====
+Do not use `bearerTokenFile` to configure bearer token. If you use the `bearerTokenFile` configuration, the `ServiceMonitor` resource is rejected.
+=====
+
+[id="sample-yaml-basic-auth_{context}"]
+== Sample YAML for Basic authentication
+
+The following sample shows Basic authentication settings for a `Secret` object named `example-basic-auth` in the `ns1` namespace:
+
+.Example Basic authentication secret
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  name: example-basic-auth
+  namespace: ns1
+stringData:
+  user: <basic_username> #<1>
+  password: <basic_password>  #<2>
+----
+<1> Specify a username for authentication.
+<2> Specify a password for authentication.
+
+The following sample shows Basic authentication settings for a `ServiceMonitor` CRD. The example uses a `Secret` object named `example-basic-auth`:
+
+.Example Basic authentication settings
+[source,yaml]
+----
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: prometheus-example-monitor
+  namespace: ns1 
+spec:
+  endpoints: 
+  - basicAuth:
+      username:
+        key: user #<1>
+        name: example-basic-auth #<2>
+      password:
+        key: password #<3>
+        name: example-basic-auth #<2>
+    port: web
+  selector: 
+    matchLabels:
+      app: prometheus-example-app
+----
+<1> The key that contains the username in the specified `Secret` object.
+<2> The name of the `Secret` object that contains the Basic authentication.
+<3> The key that contains the password in the specified `Secret` object.
+
+[id="sample-yaml-oauth-20_{context}"]
+== Sample YAML authentication with OAuth 2.0
+
+The following sample shows OAuth 2.0 settings for a `Secret` object named `example-oauth2` in the `ns1` namespace:
+
+.Example OAuth 2.0 secret
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  name: example-oauth2
+  namespace: ns1
+stringData:
+  id: <oauth2_id> #<1>
+  secret: <oauth2_secret> #<2>
+----
+<1> Specify an Oauth 2.0 ID.
+<2> Specify an Oauth 2.0 secret.
+
+The following sample shows OAuth 2.0 authentication settings for a `ServiceMonitor` CRD. The example uses a `Secret` object named `example-oauth2`:
+
+.Example OAuth 2.0 authentication settings
+[source,yaml]
+----
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: prometheus-example-monitor
+  namespace: ns1 
+spec:
+  endpoints: 
+  - oauth2:
+      clientId: 
+        secret:
+          key: id #<1>
+          name: example-oauth2 #<2>
+      clientSecret:
+        key: secret #<3>
+        name: example-oauth2 #<2>
+      tokenUrl: https://example.com/oauth2/token #<4>
+    port: web
+  selector: 
+    matchLabels:
+      app: prometheus-example-app
+----
+<1> The key that contains the OAuth 2.0 ID in the specified `Secret` object.
+<2> The name of the `Secret` object that contains the OAuth 2.0 credentials.
+<3> The key that contains the OAuth 2.0 secret in the specified `Secret` object.
+<4> The URL used to fetch a token with the specified `clientId` and `clientSecret`.
diff --git a/modules/monitoring-resizing-a-persistent-storage-volume.adoc b/modules/monitoring-resizing-a-persistent-storage-volume.adoc
deleted file mode 100644
index e18c19485862..000000000000
--- a/modules/monitoring-resizing-a-persistent-storage-volume.adoc
+++ /dev/null
@@ -1,206 +0,0 @@
-// Module included in the following assemblies:
-//
-// * observability/monitoring/configuring-the-monitoring-stack.adoc
-
-:_mod-docs-content-type: PROCEDURE
-[id="resizing-a-persistent-storage-volume_{context}"]
-= Resizing a persistent storage volume
-
-{product-title} does not support resizing an existing persistent storage volume used by `StatefulSet` resources, even if the underlying `StorageClass` resource used supports persistent volume sizing.
-Therefore, even if you update the `storage` field for an existing persistent volume claim (PVC) with a larger size, this setting will not be propagated to the associated persistent volume (PV).
-
-However, resizing a PV is still possible by using a manual process. If you want to resize a PV for a monitoring component such as Prometheus, Thanos Ruler, or Alertmanager, you can update the appropriate config map in which the component is configured. Then, patch the PVC, and delete and orphan the pods.
-Orphaning the pods recreates the `StatefulSet` resource immediately and automatically updates the size of the volumes mounted in the pods with the new PVC settings.
-No service disruption occurs during this process.
-
-.Prerequisites
-
-* You have installed the OpenShift CLI (`oc`).
-* *If you are configuring core {product-title} monitoring components*:
-** You have access to the cluster as a user with the `cluster-admin` cluster role.
-** You have created the `cluster-monitoring-config` `ConfigMap` object.
-** You have configured at least one PVC for core {product-title} monitoring components.
-* *If you are configuring components that monitor user-defined projects*:
-** You have access to the cluster as a user with the `cluster-admin` cluster role, or as a user with the `user-workload-monitoring-config-edit` role in the `openshift-user-workload-monitoring` project.
-** A cluster administrator has enabled monitoring for user-defined projects.
-** You have configured at least one PVC for components that monitor user-defined projects.
-
-.Procedure
-
-. Edit the `ConfigMap` object:
-** *To resize a PVC for a component that monitors core {product-title} projects*:
-.. Edit the `cluster-monitoring-config` `ConfigMap` object in the `openshift-monitoring` project:
-+
-[source,terminal]
-----
-$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
-----
-
-.. Add a new storage size for the PVC configuration for the component under `data/config.yaml`:
-+
-[source,yaml]
-----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: cluster-monitoring-config
-  namespace: openshift-monitoring
-data:
-  config.yaml: |
-    <component>: <1>
-      volumeClaimTemplate:
-        spec:
-          storageClassName: <storage_class> <2>
-          resources:
-            requests:
-              storage: <amount_of_storage> <3>
-----
-<1> Specify the core monitoring component.
-<2> Specify the storage class.
-<3> Specify the new size for the storage volume.
-+
-The following example configures a PVC that sets the local persistent storage to 100 gigabytes for the Prometheus instance that monitors core {product-title} components:
-+
-[source,yaml]
-----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: cluster-monitoring-config
-  namespace: openshift-monitoring
-data:
-  config.yaml: |
-    prometheusK8s:
-      volumeClaimTemplate:
-        spec:
-          storageClassName: local-storage
-          resources:
-            requests:
-              storage: 100Gi
-----
-+
-The following example configures a PVC that sets the local persistent storage for Alertmanager to 40 gigabytes:
-+
-[source,yaml]
-----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: cluster-monitoring-config
-  namespace: openshift-monitoring
-data:
-  config.yaml: |
-    alertmanagerMain:
-      volumeClaimTemplate:
-        spec:
-          storageClassName: local-storage
-          resources:
-            requests:
-              storage: 40Gi
-----
-
-** *To resize a PVC for a component that monitors user-defined projects*:
-+
-[NOTE]
-====
-You can resize the volumes for the Thanos Ruler and Prometheus instances that monitor user-defined projects.
-====
-+
-.. Edit the `user-workload-monitoring-config` `ConfigMap` object in the `openshift-user-workload-monitoring` project:
-+
-[source,terminal]
-----
-$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
-----
-
-.. Update the PVC configuration for the monitoring component under `data/config.yaml`:
-+
-[source,yaml]
-----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: user-workload-monitoring-config
-  namespace: openshift-user-workload-monitoring
-data:
-  config.yaml: |
-    <component>: <1>
-      volumeClaimTemplate:
-        spec:
-          storageClassName: <storage_class> <2>
-          resources:
-            requests:
-              storage: <amount_of_storage> <3>
-----
-<1> Specify the core monitoring component.
-<2> Specify the storage class.
-<3> Specify the new size for the storage volume.
-+
-The following example configures the PVC size to 100 gigabytes for the Prometheus instance that monitors user-defined projects:
-+
-[source,yaml]
-----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: user-workload-monitoring-config
-  namespace: openshift-user-workload-monitoring
-data:
-  config.yaml: |
-    prometheus:
-      volumeClaimTemplate:
-        spec:
-          storageClassName: local-storage
-          resources:
-            requests:
-              storage: 100Gi
-----
-+
-The following example sets the PVC size to 20 gigabytes for Thanos Ruler:
-+
-[source,yaml]
-----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: user-workload-monitoring-config
-  namespace: openshift-user-workload-monitoring
-data:
-  config.yaml: |
-    thanosRuler:
-      volumeClaimTemplate:
-        spec:
-          storageClassName: local-storage
-          resources:
-            requests:
-              storage: 20Gi
-----
-+
-[NOTE]
-====
-Storage requirements for the `thanosRuler` component depend on the number of rules that are evaluated and how many samples each rule generates.
-====
-
-. Save the file to apply the changes. The pods affected by the new configuration restart automatically.
-+
-[WARNING]
-====
-When you save changes to a monitoring config map, the pods and other resources in the related project might be redeployed. The monitoring processes running in that project might also be restarted.
-====
-
-. Manually patch every PVC with the updated storage request. The following example resizes the storage size for the Prometheus component in the `openshift-monitoring` namespace to 100Gi:
-+
-[source,terminal]
-----
-$ for p in $(oc -n openshift-monitoring get pvc -l app.kubernetes.io/name=prometheus -o jsonpath='{range .items[*]}{.metadata.name} {end}'); do \
-  oc -n openshift-monitoring patch pvc/${p} --patch '{"spec": {"resources": {"requests": {"storage":"100Gi"}}}}'; \
-  done
-
-----
-
-. Delete the underlying StatefulSet with the `--cascade=orphan` parameter:
-+
-[source,terminal]
-----
-$ oc delete statefulset -l app.kubernetes.io/name=prometheus --cascade=orphan
-----
diff --git a/modules/monitoring-resizing-a-persistent-volume.adoc b/modules/monitoring-resizing-a-persistent-volume.adoc
new file mode 100644
index 000000000000..85798f5c2ea5
--- /dev/null
+++ b/modules/monitoring-resizing-a-persistent-volume.adoc
@@ -0,0 +1,145 @@
+// Module included in the following assemblies:
+//
+// * observability/monitoring/configuring-the-monitoring-stack.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="resizing-a-persistent-volume_{context}"]
+= Resizing a persistent volume
+
+You can resize a persistent volume (PV) for monitoring components, such as Prometheus, Thanos Ruler, or Alertmanager. You need to manually expand a persistent volume claim (PVC), and then update the config map in which the component is configured.
+
+[IMPORTANT]
+====
+You can only expand the size of the PVC. Shrinking the storage size is not possible.
+====
+
+.Prerequisites
+
+* You have installed the OpenShift CLI (`oc`).
+* *If you are configuring core {product-title} monitoring components*:
+** You have access to the cluster as a user with the `cluster-admin` cluster role.
+** You have created the `cluster-monitoring-config` `ConfigMap` object.
+** You have configured at least one PVC for core {product-title} monitoring components.
+* *If you are configuring components that monitor user-defined projects*:
+** You have access to the cluster as a user with the `cluster-admin` cluster role, or as a user with the `user-workload-monitoring-config-edit` role in the `openshift-user-workload-monitoring` project.
+** A cluster administrator has enabled monitoring for user-defined projects.
+** You have configured at least one PVC for components that monitor user-defined projects.
+
+.Procedure
+
+. Manually expand a PVC with the updated storage request. For more information, see "Expanding persistent volume claims (PVCs) with a file system" in _Expanding persistent volumes_.
+
+. Edit the `ConfigMap` object:
+** *If you are configuring core {product-title} monitoring components*:
+.. Edit the `cluster-monitoring-config` `ConfigMap` object in the `openshift-monitoring` project:
++
+[source,terminal]
+----
+$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
+----
+
+.. Add a new storage size for the PVC configuration for the component under `data/config.yaml`:
++
+[source,yaml]
+----
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cluster-monitoring-config
+  namespace: openshift-monitoring
+data:
+  config.yaml: |
+    <component>: #<1>
+      volumeClaimTemplate:
+        spec:
+          resources:
+            requests:
+              storage: <amount_of_storage> #<2>
+----
+<1> The component for which you want to change the storage size.
+<2> Specify the new size for the storage volume. It must be greater than the previous value.
++
+The following example sets the new PVC request to 100 gigabytes for the Prometheus instance that monitors core {product-title} components:
++
+[source,yaml]
+----
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cluster-monitoring-config
+  namespace: openshift-monitoring
+data:
+  config.yaml: |
+    prometheusK8s:
+      volumeClaimTemplate:
+        spec:
+          resources:
+            requests:
+              storage: 100Gi
+----
+
+** *If you are configuring components that monitor user-defined projects*:
++
+[NOTE]
+====
+You can resize the volumes for the Thanos Ruler and for instances of Alertmanager and Prometheus that monitor user-defined projects.
+====
++
+.. Edit the `user-workload-monitoring-config` `ConfigMap` object in the `openshift-user-workload-monitoring` project:
++
+[source,terminal]
+----
+$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
+----
+
+.. Update the PVC configuration for the monitoring component under `data/config.yaml`:
++
+[source,yaml]
+----
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: user-workload-monitoring-config
+  namespace: openshift-user-workload-monitoring
+data:
+  config.yaml: |
+    <component>: #<1>
+      volumeClaimTemplate:
+        spec:
+          resources:
+            requests:
+              storage: <amount_of_storage> #<2>
+----
+<1> The component for which you want to change the storage size.
+<2> Specify the new size for the storage volume. It must be greater than the previous value.
++
+The following example sets the new PVC request to 20 gigabytes for Thanos Ruler:
++
+[source,yaml]
+----
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: user-workload-monitoring-config
+  namespace: openshift-user-workload-monitoring
+data:
+  config.yaml: |
+    thanosRuler:
+      volumeClaimTemplate:
+        spec:
+          resources:
+            requests:
+              storage: 20Gi
+----
++
+[NOTE]
+====
+Storage requirements for the `thanosRuler` component depend on the number of rules that are evaluated and how many samples each rule generates.
+====
+
+. Save the file to apply the changes.
++
+[WARNING]
+====
+When you save changes to a monitoring config map, the pods and other resources in the related project are redeployed. The monitoring processes running in that project are restarted.
+====
diff --git a/modules/monitoring-specifying-how-a-service-is-monitored.adoc b/modules/monitoring-specifying-how-a-service-is-monitored.adoc
index bd5c6795b68b..28f974444618 100644
--- a/modules/monitoring-specifying-how-a-service-is-monitored.adoc
+++ b/modules/monitoring-specifying-how-a-service-is-monitored.adoc
@@ -6,7 +6,6 @@
 [id="specifying-how-a-service-is-monitored_{context}"]
 = Specifying how a service is monitored
 
-[role="_abstract"]
 To use the metrics exposed by your service, you must configure {product-title} monitoring to scrape metrics from the `/metrics` endpoint. You can do this using a `ServiceMonitor` custom resource definition (CRD) that specifies how a service should be monitored, or a `PodMonitor` CRD that specifies how a pod should be monitored. The former requires a `Service` object, while the latter does not, allowing Prometheus to directly scrape metrics from the metrics endpoint exposed by a pod.
 
 This procedure shows you how to create a `ServiceMonitor` resource for a service in a user-defined project.
@@ -29,30 +28,29 @@ The `prometheus-example-app` sample service does not support TLS authentication.
 
 .Procedure
 
-. Create a YAML file for the `ServiceMonitor` resource configuration. In this example, the file is called `example-app-service-monitor.yaml`.
+. Create a new YAML configuration file named `example-app-service-monitor.yaml`.
 
-. Add the following `ServiceMonitor` resource configuration details:
+. Add a `ServiceMonitor` resource to the YAML file. The following example creates a service monitor named `prometheus-example-monitor` to scrape metrics exposed by the `prometheus-example-app` service in the `ns1` namespace:
 +
 [source,yaml]
 ----
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
-  labels:
-    k8s-app: prometheus-example-monitor
   name: prometheus-example-monitor
-  namespace: ns1
+  namespace: ns1 #<1>
 spec:
   endpoints:
   - interval: 30s
-    port: web
+    port: web #<2>
     scheme: http
-  selector:
+  selector: #<3>
     matchLabels:
       app: prometheus-example-app
 ----
-+
-This defines a `ServiceMonitor` resource that scrapes the metrics exposed by the `prometheus-example-app` sample service, which includes the `version` metric.
+<1> Specify a user-defined namespace where your service runs.
+<2> Specify endpoint ports to be scraped by Prometheus.
+<3> Configure a selector to match your service based on its metadata labels.
 +
 [NOTE]
 ====
@@ -68,11 +66,11 @@ $ oc apply -f example-app-service-monitor.yaml
 +
 It takes some time to deploy the `ServiceMonitor` resource.
 
-. You can check that the `ServiceMonitor` resource is running:
+. Verify that the `ServiceMonitor` resource is running:
 +
 [source,terminal]
 ----
-$ oc -n ns1 get servicemonitor
+$ oc -n <namespace> get servicemonitor
 ----
 +
 .Example output
diff --git a/modules/monitoring-specifying-limits-and-requests-for-monitoring-components.adoc b/modules/monitoring-specifying-limits-and-requests-for-monitoring-components.adoc
index 87c1f7ca2503..28e342c764dd 100644
--- a/modules/monitoring-specifying-limits-and-requests-for-monitoring-components.adoc
+++ b/modules/monitoring-specifying-limits-and-requests-for-monitoring-components.adoc
@@ -4,7 +4,7 @@
 
 :_mod-docs-content-type: PROCEDURE
 [id="specifying-limits-and-resource-requests-for-monitoring-components_{context}"]
-= Specifying limits and requests for monitoring components 
+= Specifying limits and requests for monitoring components
 
 To configure CPU and memory resources, specify values for resource limits and requests in the appropriate `ConfigMap` object for the namespace in which the monitoring component is located:
 
@@ -72,13 +72,13 @@ data:
         requests:
           cpu: 200m
           memory: 500Mi
-    k8sPrometheusAdapter:
+    metricsServer:
       resources:
-        limits:
-          cpu: 500m
-          memory: 1Gi
         requests:
-          cpu: 200m
+          cpu: 10m
+          memory: 50Mi
+        limits:
+          cpu: 50m
           memory: 500Mi
     kubeStateMetrics:
       resources:
@@ -146,3 +146,6 @@ When you save changes to the `cluster-monitoring-config` config map, the pods an
 The running monitoring processes in that project might also restart.
 ====
 
+[role="_additional-resources"]
+.Additional resources
+* link:https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits[Kubernetes requests and limits documentation]
diff --git a/modules/monitoring-support-version-matrix-for-monitoring-components.adoc b/modules/monitoring-support-version-matrix-for-monitoring-components.adoc
index 329b054de5f3..edf91f1cd7fa 100644
--- a/modules/monitoring-support-version-matrix-for-monitoring-components.adoc
+++ b/modules/monitoring-support-version-matrix-for-monitoring-components.adoc
@@ -10,17 +10,17 @@ The following matrix contains information about versions of monitoring component
 
 .{product-title} and component versions
 |===
-|{product-title} |Prometheus Operator |Prometheus  |Prometheus Adapter |Metrics Server (Technology Preview) |Alertmanager |kube-state-metrics agent |monitoring-plugin |node-exporter agent |Thanos
+|{product-title} |Prometheus Operator |Prometheus  |Metrics Server |Alertmanager |kube-state-metrics agent |monitoring-plugin |node-exporter agent |Thanos
 
-|4.16 |0.73.2 |2.51.2 |0.11.2 |0.7.1 |0.26.0 |2.12.0 |1.0.0 |1.8.0 |0.35.0
+|4.16 |0.73.2 |2.52.0 |0.7.1 |0.26.0 |2.12.0 |1.0.0 |1.8.0 |0.35.0
 
-|4.15 |0.70.0 |2.48.0 |0.11.2 |0.6.4 |0.26.0 |2.10.1 |1.0.0 |1.7.0 |0.32.5
+|4.15 |0.70.0 |2.48.0 |0.6.4 |0.26.0 |2.10.1 |1.0.0 |1.7.0 |0.32.5
 
-|4.14 |0.67.1 |2.46.0 |0.10.0 |N/A |0.25.0 |2.9.2 |1.0.0 |1.6.1 |0.30.2
+|4.14 |0.67.1 |2.46.0 |N/A |0.25.0 |2.9.2 |1.0.0 |1.6.1 |0.30.2
 
-|4.13 |0.63.0 |2.42.0 |0.10.0 |N/A |0.25.0 |2.8.1 |N/A |1.5.0 |0.30.2
+|4.13 |0.63.0 |2.42.0 |N/A |0.25.0 |2.8.1 |N/A |1.5.0 |0.30.2
 
-|4.12 |0.60.1 |2.39.1 |0.10.0 |N/A |0.24.0 |2.6.0 |N/A |1.4.0 |0.28.1
+|4.12 |0.60.1 |2.39.1 |N/A |0.24.0 |2.6.0 |N/A |1.4.0 |0.28.1
 |===
 
 [NOTE]
diff --git a/modules/multi-arch-creating-podplacment-config-using-cli.adoc b/modules/multi-arch-creating-podplacment-config-using-cli.adoc
new file mode 100644
index 000000000000..e4d0ff8bf189
--- /dev/null
+++ b/modules/multi-arch-creating-podplacment-config-using-cli.adoc
@@ -0,0 +1,58 @@
+//Module included in the following assemblies
+//
+//post_installation_configuration/multiarch-tuning-operator.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="multi-architecture-creating-podplacement-config-using-cli_{context}"]
+= Creating the ClusterPodPlacementConfig object by using the CLI
+
+To deploy the pod placement operand that enables architecture-aware workload scheduling, you can create the `ClusterPodPlacementConfig` object by using the {oc-first}.
+
+.Prerequisites
+
+* You have installed `oc`.
+* You have logged in to `oc` as a user with `cluster-admin` privileges.
+* You have installed the Multiarch Tuning Operator.
+
+.Procedure
+
+. Create a `ClusterPodPlacementConfig` object YAML file:
++
+.Example `ClusterPodPlacementConfig` object configuration
+[source,yaml]
+----
+apiVersion: multiarch.openshift.io/v1beta1
+kind: ClusterPodPlacementConfig
+metadata:
+  name: cluster
+spec:
+  logVerbosityLevel: Normal
+  namespaceSelector:
+    matchExpressions:
+      - key: multiarch.openshift.io/exclude-pod-placement 
+        operator: DoesNotExist 
+----
+
+. Create the `ClusterPodPlacementConfig` object by running the following command:
++
+[source,terminal]
+----
+$ oc create -f <file_name> <1>
+----
+<1> Replace `<file_name>` with the name of the `ClusterPodPlacementConfig` object YAML file.
+
+.Verification
+
+* To check that the `ClusterPodPlacementConfig` object is created, run the following command:
++
+[source,terminal]
+----
+$ oc get clusterpodplacementconfig
+----
++
+.Example output
+[source,terminal]
+----
+NAME      AGE
+cluster   29s
+----
\ No newline at end of file
diff --git a/modules/multi-arch-creating-podplacment-config-using-web-console.adoc b/modules/multi-arch-creating-podplacment-config-using-web-console.adoc
new file mode 100644
index 000000000000..c601ddc0eb0f
--- /dev/null
+++ b/modules/multi-arch-creating-podplacment-config-using-web-console.adoc
@@ -0,0 +1,44 @@
+//Module included in the following assemblies
+//
+//post_installation_configuration/multiarch-tuning-operator.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="multi-architecture-creating-podplacement-config-using-web-console_{context}"]
+
+= Creating the ClusterPodPlacementConfig object by using the web console
+
+To deploy the pod placement operand that enables architecture-aware workload scheduling, you can create the `ClusterPodPlacementConfig` object by using the {product-title} web console.
+
+.Prerequisites
+
+* You have access to the cluster with `cluster-admin` privileges.
+* You have access to the {product-title} web console.
+* You have installed the Multiarch Tuning Operator.
+
+.Procedure
+
+. Log in to the {product-title} web console.
+
+. Navigate to *Operators* → *Installed Operators*.
+
+. On the *Installed Operators* page, click *Multiarch Tuning Operator*. 
+
+. Click the *Cluster Pod Placement Config* tab.
+
+. Select either *Form view* or *YAML view*.
+
+. Configure the `ClusterPodPlacementConfig` object parameters.
+
+. Click *Create*.
+
+. Optional: If you want to edit the `ClusterPodPlacementConfig` object, perform the following actions:
+
+.. Click the *Cluster Pod Placement Config* tab.
+.. Select *Edit ClusterPodPlacementConfig* from the options menu.
+.. Click *YAML* and edit the `ClusterPodPlacementConfig` object parameters.
+.. Click *Save*.
+
+.Verification
+
+* On the *Cluster Pod Placement Config* page, check that the `ClusterPodPlacementConfig` object is in the `Ready` state.
+
diff --git a/modules/multi-arch-creating-podplacment-config.adoc b/modules/multi-arch-creating-podplacment-config.adoc
new file mode 100644
index 000000000000..c281a362317c
--- /dev/null
+++ b/modules/multi-arch-creating-podplacment-config.adoc
@@ -0,0 +1,50 @@
+//Module included in the following assemblies
+//
+//post_installation_configuration/multiarch-tuning-operator.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="multi-architecture-creating-podplacement-config_{context}"]
+= Creating the ClusterPodPlacementConfig object
+
+After installing the Multiarch Tuning Operator, you must create the `ClusterPodPlacementConfig` object. When you create this object, the Multiarch Tuning Operator deploys an operand that enables architecture-aware workload scheduling.
+
+[NOTE]
+====
+You can create only one instance of the `ClusterPodPlacementConfig` object.
+==== 
+
+.Example `ClusterPodPlacementConfig` object configuration
+[source,yaml]
+----
+apiVersion: multiarch.openshift.io/v1beta1
+kind: ClusterPodPlacementConfig
+metadata:
+  name: cluster <1>
+spec:
+  logVerbosityLevel: Normal <2>
+  namespaceSelector: <3>
+    matchExpressions:
+      - key: multiarch.openshift.io/exclude-pod-placement 
+        operator: DoesNotExist 
+----
+<1> You must set this field value to `cluster`. 
+<2> Optional: You can set the field value to `Normal`, `Debug`, `Trace`, or `TraceAll`. The value is set to `Normal` by default. 
+<3> Optional: You can configure the `namespaceSelector` to select the namespaces in which the Multiarch Tuning Operator's pod placement operand must process the `nodeAffinity` of the pods. All namespaces are considered by default.
+
+In this example, the `operator` field value is set to `DoesNotExist`. Therefore, if the `key` field value (`multiarch.openshift.io/exclude-pod-placement`) is set as a label in a namespace, the operand does not process the `nodeAffinity` of the pods in that namespace. Instead, the operand processes the `nodeAffinity` of the pods in namespaces that do not contain the label.
+
+If you want the operand to process the `nodeAffinity` of the pods only in specific namespaces, you can configure the `namespaceSelector` as follows:
+[source,yaml]
+----
+namespaceSelector:
+  matchExpressions:
+    - key: multiarch.openshift.io/include-pod-placement
+      operator: Exists  
+----
+
+In this example, the `operator` field value is set to `Exists`. Therefore, the operand processes the `nodeAffinity` of the pods only in namespaces that contain the `multiarch.openshift.io/include-pod-placement` label. 
+
+[IMPORTANT]
+====
+The namespaces starting with `openshift-`, `kube-`, and `hypershift-` are excluded.
+====
\ No newline at end of file
diff --git a/modules/multi-arch-deleting-podplacment-config-using-cli.adoc b/modules/multi-arch-deleting-podplacment-config-using-cli.adoc
new file mode 100644
index 000000000000..ada6fdd8c1c9
--- /dev/null
+++ b/modules/multi-arch-deleting-podplacment-config-using-cli.adoc
@@ -0,0 +1,51 @@
+//Module included in the following assemblies
+//
+//post_installation_configuration/multiarch-tuning-operator.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="multi-architecture-deleting-podplacement-config-using-cli_{context}"]
+= Deleting the ClusterPodPlacementConfig object by using the CLI
+
+You can create only one instance of the `ClusterPodPlacementConfig` object. If you want to re-create this object, you must first delete the existing instance.
+
+You can delete this object by using the {oc-first}.
+
+.Prerequisites
+
+* You have installed `oc`.
+* You have logged in to `oc` as a user with `cluster-admin` privileges.
+
+.Procedure
+
+. Log in to the {oc-first}.
+
+. Delete the `ClusterPodPlacementConfig` object by running the following command:
++
+[source,terminal]
+----
+$ oc delete clusterpodplacementconfig cluster
+----
+
+.Verification
+
+* To check that the `ClusterPodPlacementConfig` object is deleted, run the following command:
++
+[source,terminal]
+----
+$ oc get clusterpodplacementconfig
+----
++
+.Example output
+[source,terminal]
+----
+No resources found
+----
+
+.Next steps
+
+* After deleting the `ClusterPodPlacementConfig` object, ensure that none of the pods are in the `Pending` phase due to the `SchedulingGated` reason. You can delete the scheduling gate from all of the gated pods by running the following command:
++
+[source,terminal]
+----
+$ oc get pods -A -l multiarch.openshift.io/scheduling-gate=gated -o json  | jq 'del(.items[].spec.schedulingGates[] | select(.name=="multiarch.openshift.io/scheduling-gate"))' | oc apply -f -
+----
\ No newline at end of file
diff --git a/modules/multi-arch-deleting-podplacment-config-using-web-console.adoc b/modules/multi-arch-deleting-podplacment-config-using-web-console.adoc
new file mode 100644
index 000000000000..1ce6b6eff588
--- /dev/null
+++ b/modules/multi-arch-deleting-podplacment-config-using-web-console.adoc
@@ -0,0 +1,45 @@
+//Module included in the following assemblies
+//
+//post_installation_configuration/multiarch-tuning-operator.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="multi-architecture-deleting-podplacement-config-using-web-console_{context}"]
+
+= Deleting the ClusterPodPlacementConfig object by using the web console
+
+You can create only one instance of the `ClusterPodPlacementConfig` object. If you want to re-create this object, you must first delete the existing instance.
+
+You can delete this object by using the {product-title} web console.
+
+.Prerequisites
+
+* You have access to the cluster with `cluster-admin` privileges.
+* You have access to the {product-title} web console.
+* You have created the `ClusterPodPlacementConfig` object.
+
+.Procedure
+
+. Log in to the {product-title} web console.
+
+. Navigate to *Operators* → *Installed Operators*.
+
+. On the *Installed Operators* page, click *Multiarch Tuning Operator*. 
+
+. Click the *Cluster Pod Placement Config* tab.
+
+. Select *Delete ClusterPodPlacementConfig* from the options menu.
+
+. Click *Delete*.
+
+.Verification
+
+* On the *Cluster Pod Placement Config* page, check that the `ClusterPodPlacementConfig` object has been deleted.
+
+.Next steps
+
+* After deleting the `ClusterPodPlacementConfig` object, ensure that none of the pods are in the `Pending` phase due to the `SchedulingGated` reason. You can delete the scheduling gate from all the gated pods by running the following command in the {oc-first}:
++
+[source,terminal]
+----
+$ oc get pods -A -l multiarch.openshift.io/scheduling-gate=gated -o json  | jq 'del(.items[].spec.schedulingGates[] | select(.name=="multiarch.openshift.io/scheduling-gate"))' | oc apply -f -
+----
diff --git a/modules/multi-arch-installing-using-cli.adoc b/modules/multi-arch-installing-using-cli.adoc
new file mode 100644
index 000000000000..64bd1094efa4
--- /dev/null
+++ b/modules/multi-arch-installing-using-cli.adoc
@@ -0,0 +1,126 @@
+//Module included in the following assemblies
+//
+//post_installation_configuration/multiarch-tuning-operator.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="multi-architecture-installing-using-cli_{context}"]
+= Installing the Multiarch Tuning Operator by using the CLI
+
+You can install the Multiarch Tuning Operator by using the {oc-first}.
+
+.Prerequisites
+
+* You have installed `oc`.
+* You have logged in to `oc` as a user with `cluster-admin` privileges.
+
+.Procedure
+
+. Create a new project named `openshift-multiarch-tuning-operator` by running the following command:
++
+[source,terminal]
+----
+$ oc create ns openshift-multiarch-tuning-operator
+----
+
+. Create an `OperatorGroup` object:
+
+.. Create a YAML file with the configuration for creating an `OperatorGroup` object.
++
+.Example YAML configuration for creating an `OperatorGroup` object:
+[source,yaml]
+----
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: openshift-multiarch-tuning-operator
+  namespace: openshift-multiarch-tuning-operator
+spec: {}
+----
+
+.. Create the `OperatorGroup` object by running the following command:
++
+[source,terminal]
+----
+$ oc create -f <file_name> <1>
+----
+<1> Replace `<file_name>` with the name of the YAML file that contains the `OperatorGroup` object configuration.
+
+. Create a `Subscription` object:
+
+.. Create a YAML file with the configuration for creating a `Subscription` object.
++
+.Example YAML configuration for creating a `Subscription` object:
+[source,yaml]
+----
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: openshift-multiarch-tuning-operator
+  namespace: openshift-multiarch-tuning-operator
+spec:
+  channel: tech-preview
+  name: multiarch-tuning-operator
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace
+  installPlanApproval: Automatic
+  startingCSV: multiarch-tuning-operator.v0.9.0
+----
+
+.. Create the `Subscription` object by running the following command:
++
+[source,terminal]
+----
+$ oc create -f <file_name> <1>
+----
+<1> Replace `<file_name>` with the name of the YAML file that contains the `Subscription` object configuration.
+
+[NOTE]
+====
+For more details about configuring the `Subscription` object and `OperatorGroup` object, see "Installing from OperatorHub using the CLI".
+====
+
+.Verification
+
+. To verify that the Multiarch Tuning Operator is installed, run the following command:
++
+[source,terminal]
+----
+$ oc get csv -n openshift-multiarch-tuning-operator
+----
++
+.Example output
+[source,terminal]
+----
+NAME                               DISPLAY                     VERSION   REPLACES   PHASE
+multiarch-tuning-operator.v0.9.0   Multiarch Tuning Operator   0.9.0                Succeeded
+----
++
+The installation is successful if the Operator is in `Succeeded` phase.
+
+. Optional: To verify that the `OperatorGroup` object is created, run the following command:
++
+[source,terminal]
+----
+$ oc get operatorgroup -n openshift-multiarch-tuning-operator
+----
++
+.Example output
+[source,terminal]
+----
+NAME                                        AGE
+openshift-multiarch-tuning-operator-q8zbb   133m
+----
+
+. Optional: To verify that the `Subscription` object is created, run the following command:
++
+[source,terminal]
+----
+$ oc get subscription -n openshift-multiarch-tuning-operator
+----
++
+.Example output
+[source,terminal]
+----
+NAME                        PACKAGE                     SOURCE                              CHANNEL
+multiarch-tuning-operator   multiarch-tuning-operator   multiarch-tuning-operator-catalog   tech-preview
+----
diff --git a/modules/multi-arch-installing-using-web-console.adoc b/modules/multi-arch-installing-using-web-console.adoc
new file mode 100644
index 000000000000..1c9a2dbdde7c
--- /dev/null
+++ b/modules/multi-arch-installing-using-web-console.adoc
@@ -0,0 +1,46 @@
+//Module included in the following assemblies
+//
+//post_installation_configuration/multiarch-tuning-operator.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="multi-architecture-installing-using-web-console_{context}"]
+= Installing the Multiarch Tuning Operator by using the web console
+
+You can install the Multiarch Tuning Operator by using the {product-title} web console.
+
+.Prerequisites
+
+* You have access to the cluster with `cluster-admin` privileges.
+
+* You have access to the {product-title} web console.
+
+.Procedure
+
+. Log in to the {product-title} web console.
+. Navigate to *Operators -> OperatorHub*.
+. Enter *Multiarch Tuning Operator* in the search field.
+. Click *Multiarch Tuning Operator*.
+. Select the *Multiarch Tuning Operator* version from the *Version* list.
+. Click *Install*
+. Set the following options on the *Operator Installation* page:
+.. Set *Update Channel* to *tech-preview*.
+.. Set *Installation Mode* to *All namespaces on the cluster*.
+.. Set *Installed Namespace* to *Operator recommended Namespace* or *Select a Namespace*.
++
+The recommended Operator namespace is `openshift-multiarch-tuning-operator`. If the `openshift-multiarch-tuning-operator` namespace does not exist, it is created during the operator installation.
++
+If you select *Select a namespace*, you must select a namespace for the Operator from the *Select Project* list.
+.. *Update approval* as *Automatic* or *Manual*.
++
+If you select *Automatic* updates, Operator Lifecycle Manager (OLM) automatically updates the running instance of the Multiarch Tuning Operator without any intervention.
++
+If you select *Manual* updates, OLM creates an update request.
+As a cluster administrator, you must manually approve the update request to update the Multiarch Tuning Operator to a newer version.
+
+. Optional: Select the *Enable Operator recommended cluster monitoring on this Namespace* checkbox.
+. Click *Install*.
+
+.Verification
+
+. Navigate to *Operators* → *Installed Operators*.
+. Verify that the *Multiarch Tuning Operator* is listed with the *Status* field as *Succeeded* in the `openshift-multiarch-tuning-operator` namespace.
\ No newline at end of file
diff --git a/modules/multi-arch-uninstalling-using-cli.adoc b/modules/multi-arch-uninstalling-using-cli.adoc
new file mode 100644
index 000000000000..7061ccc5c30b
--- /dev/null
+++ b/modules/multi-arch-uninstalling-using-cli.adoc
@@ -0,0 +1,80 @@
+//Module included in the following assemblies
+//
+//post_installation_configuration/multiarch-tuning-operator.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="multi-architecture-uninstalling-using-cli_{context}"]
+= Uninstalling the Multiarch Tuning Operator by using the CLI
+
+You can uninstall the Multiarch Tuning Operator by using the {oc-first}.
+
+.Prerequisites
+
+* You have installed `oc`.
+* You have logged in to `oc` as a user with `cluster-admin` privileges.
+* You deleted the `ClusterPodPlacementConfig` object.
++
+[IMPORTANT]
+====
+You must delete the `ClusterPodPlacementConfig` object before uninstalling the Multiarch Tuning Operator. Uninstalling the Operator without deleting the `ClusterPodPlacementConfig` object can lead to unexpected behavior.
+====
+
+.Procedure
+
+. Get the `currentCSV` value for the Multiarch Tuning Operator by running the following command:
++
+[source,terminal]
+----
+$ oc get subscription.operators.coreos.com multiarch-tuning-operator -n <namespace> -o yaml | grep currentCSV <1>
+----
+<1> Replace `<namespace>` with the name of the namespace where you want to uninstall the Multiarch Tuning Operator.
++
+.Example output
+[source,terminal]
+----
+currentCSV: multiarch-tuning-operator.v0.9.0
+----
+
+. Delete the `Subscription` object by running the following command:
++
+[source,terminal]
+----
+$ oc delete subscription.operators.coreos.com openshift-multiarch-tuning-operator -n <namespace> <1>
+----
+<1> Replace `<namespace>` with the name of the namespace where you want to uninstall the Multiarch Tuning Operator.
++
+.Example output
+[source,terminal]
+----
+subscription.operators.coreos.com "openshift-multiarch-tuning-operator" deleted
+----
+
+. Delete the CSV for the Multiarch Tuning Operator in the target namespace using the `currentCSV` value by running the following command:
++
+[source,terminal]
+----
+$ oc delete clusterserviceversion <currentCSV_value> -n <namespace> <1>
+----
+<1> Replace `<currentCSV>` with the `currentCSV` value for the Multiarch Tuning Operator. For example: `multiarch-tuning-operator.v0.9.0`. Replace `<namespace>` with the name of the namespace where you want to uninstall the Multiarch Tuning Operator.
++
+.Example output
+[source,terminal]
+----
+clusterserviceversion.operators.coreos.com "multiarch-tuning-operator.v0.9.0" deleted
+----
+
+.Verification
+
+* To verify that the Multiarch Tuning Operator is uninstalled, run the following command:
++
+[source,terminal]
+----
+$ oc get csv -n <namespace> <1>
+----
+<1> Replace `<namespace>` with the name of the namespace where you have uninstalled the Multiarch Tuning Operator.
++
+.Example output
+[source,terminal]
+----
+No resources found in openshift-multiarch-tuning-operator namespace.
+----
diff --git a/modules/multi-arch-uninstalling-using-web-console.adoc b/modules/multi-arch-uninstalling-using-web-console.adoc
new file mode 100644
index 000000000000..4f0168e9fb7c
--- /dev/null
+++ b/modules/multi-arch-uninstalling-using-web-console.adoc
@@ -0,0 +1,34 @@
+// Module included in the following assemblies
+//
+// * post_installation_configuration/multiarch-tuning-operator.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="multi-architecture-uninstalling-using-web-console_{context}"]
+= Uninstalling the Multiarch Tuning Operator by using the web console
+
+You can uninstall the Multiarch Tuning Operator by using the {product-title} web console.
+
+.Prerequisites
+
+* You have access to the cluster with `cluster-admin` permissions.
+* You deleted the `ClusterPodPlacementConfig` object.
++
+[IMPORTANT]
+====
+You must delete the `ClusterPodPlacementConfig` object before uninstalling the Multiarch Tuning Operator. Uninstalling the Operator without deleting the `ClusterPodPlacementConfig` object can lead to unexpected behavior.
+====
+
+.Procedure
+
+. Log in to the {product-title} web console.
+. Navigate to *Operators -> OperatorHub*.
+. Enter *Multiarch Tuning Operator* in the search field.
+. Click *Multiarch Tuning Operator*.
+. Click the *Details* tab. 
+. From the *Actions* menu, select *Uninstall Operator*.
+. When prompted, click *Uninstall*.
+
+.Verification
+
+. Navigate to *Operators* → *Installed Operators*.
+. On the *Installed Operators* page, verify that the *Multiarch Tuning Operator* is not listed.
\ No newline at end of file
diff --git a/modules/multi-architecture-creating-arm64-bootimage.adoc b/modules/multi-architecture-creating-arm64-bootimage.adoc
index 114e0f214329..c841bda453c8 100644
--- a/modules/multi-architecture-creating-arm64-bootimage.adoc
+++ b/modules/multi-architecture-creating-arm64-bootimage.adoc
@@ -5,9 +5,9 @@
 :_mod-docs-content-type: PROCEDURE
 [id="multi-architecture-creating-arm64-bootimage_{context}"]
 
-= Creating an ARM64 boot image using the Azure image gallery
+= Creating a 64-bit ARM boot image using the Azure image gallery
 
-The following procedure describes how to manually generate an ARM64 boot image.
+The following procedure describes how to manually generate a 64-bit ARM boot image.
 
 .Prerequisites
 
@@ -21,7 +21,7 @@ The following procedure describes how to manually generate an ARM64 boot image.
 ----
 $ az login
 ----
-. Create a storage account and upload the `arm64` virtual hard disk (VHD) to your storage account. The {product-title} installation program creates a resource group, however, the boot image can also be uploaded to a custom named resource group:
+. Create a storage account and upload the `aarch64` virtual hard disk (VHD) to your storage account. The {product-title} installation program creates a resource group, however, the boot image can also be uploaded to a custom named resource group:
 +
 [source,terminal]
 ----
diff --git a/modules/multi-architecture-creating-x86_64-bootimage.adoc b/modules/multi-architecture-creating-x86_64-bootimage.adoc
new file mode 100644
index 000000000000..ea4a132461b9
--- /dev/null
+++ b/modules/multi-architecture-creating-x86_64-bootimage.adoc
@@ -0,0 +1,140 @@
+//Module included in the following assemblies
+//
+//post_installation_configuration/cluster-tasks.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="multi-architecture-creating-x86-64-bootimage_{context}"]
+= Creating a 64-bit x86 boot image using the Azure image gallery
+
+The following procedure describes how to manually generate a 64-bit x86 boot image.
+
+.Prerequisites
+
+* You installed the Azure CLI (`az`).
+* You created a single-architecture Azure installer-provisioned cluster with the multi-architecture installer binary.
+
+.Procedure
+
+. Log in to your Azure account by running the following command:
++
+[source,terminal]
+----
+$ az login
+----
+. Create a storage account and upload the `x86_64` virtual hard disk (VHD) to your storage account by running the following command. The {product-title} installation program creates a resource group. However, the boot image can also be uploaded to a custom named resource group:
++
+[source,terminal]
+----
+$ az storage account create -n ${STORAGE_ACCOUNT_NAME} -g ${RESOURCE_GROUP} -l westus --sku Standard_LRS <1>
+----
++
+<1> The `westus` object is an example region.
++
+. Create a storage container using the storage account you generated by running the following command:
++
+[source,terminal]
++
+----
+$ az storage container create -n ${CONTAINER_NAME} --account-name ${STORAGE_ACCOUNT_NAME}
+----
+. Use the {product-title} installation program JSON file to extract the URL and `x86_64` VHD name:
+.. Extract the `URL` field and set it to `RHCOS_VHD_ORIGIN_URL` as the file name by running the following command:
++
+[source,terminal]
+----
+$ RHCOS_VHD_ORIGIN_URL=$(oc -n openshift-machine-config-operator get configmap/coreos-bootimages -o jsonpath='{.data.stream}' | jq -r '.architectures.x86_64."rhel-coreos-extensions"."azure-disk".url')
+----
+.. Extract the `x86_64` VHD name and set it to `BLOB_NAME` as the file name by running the following command:
++
+[source,terminal]
+----
+$ BLOB_NAME=rhcos-$(oc -n openshift-machine-config-operator get configmap/coreos-bootimages -o jsonpath='{.data.stream}' | jq -r '.architectures.x86_64."rhel-coreos-extensions"."azure-disk".release')-azure.x86_64.vhd
+----
+. Generate a shared access signature (SAS) token. Use this token to upload the {op-system} VHD to your storage container by running the following commands:
++
+[source,terminal]
+----
+$ end=`date -u -d "30 minutes" '+%Y-%m-%dT%H:%MZ'`
+----
++
+[source,terminal]
+----
+$ sas=`az storage container generate-sas -n ${CONTAINER_NAME} --account-name ${STORAGE_ACCOUNT_NAME} --https-only --permissions dlrw --expiry $end -o tsv`
+----
+. Copy the {op-system} VHD into the storage container by running the following command:
++
+[source,terminal]
+----
+$ az storage blob copy start --account-name ${STORAGE_ACCOUNT_NAME} --sas-token "$sas" \
+ --source-uri "${RHCOS_VHD_ORIGIN_URL}" \
+ --destination-blob "${BLOB_NAME}" --destination-container ${CONTAINER_NAME}
+----
++
+You can check the status of the copying process by running the following command:
++
+[source,terminal]
+----
+$ az storage blob show -c ${CONTAINER_NAME} -n ${BLOB_NAME} --account-name ${STORAGE_ACCOUNT_NAME} | jq .properties.copy
+----
++
+.Example output
+[source,terminal]
+----
+{
+ "completionTime": null,
+ "destinationSnapshot": null,
+ "id": "1fd97630-03ca-489a-8c4e-cfe839c9627d",
+ "incrementalCopy": null,
+ "progress": "17179869696/17179869696",
+ "source": "https://rhcos.blob.core.windows.net/imagebucket/rhcos-411.86.202207130959-0-azure.aarch64.vhd",
+ "status": "success", <1>
+ "statusDescription": null
+}
+----
++
+<1> If the `status` parameter displays the `success` object, the copying process is complete.
+
+. Create an image gallery by running the following command:
++
+[source,terminal]
+----
+$ az sig create --resource-group ${RESOURCE_GROUP} --gallery-name ${GALLERY_NAME}
+----
+
+. Use the image gallery to create an image definition by running the following command:
++
+[source,terminal]
+----
+$ az sig image-definition create --resource-group ${RESOURCE_GROUP} --gallery-name ${GALLERY_NAME} --gallery-image-definition rhcos-x86_64 --publisher RedHat --offer x86_64 --sku x86_64 --os-type linux --architecture x64 --hyper-v-generation V2
+----
++
+In this example command, `rhcos-x86_64` is the name of the image definition.
+
+. To get the URL of the VHD and set it to `RHCOS_VHD_URL` as the file name, run the following command:
++
+[source,terminal]
+----
+$ RHCOS_VHD_URL=$(az storage blob url --account-name ${STORAGE_ACCOUNT_NAME} -c ${CONTAINER_NAME} -n "${BLOB_NAME}" -o tsv)
+----
+. Use the `RHCOS_VHD_URL` file, your storage account, resource group, and image gallery to create an image version by running the following command:
++
+[source,terminal]
+----
+$ az sig image-version create --resource-group ${RESOURCE_GROUP} --gallery-name ${GALLERY_NAME} --gallery-image-definition rhcos-arm64 --gallery-image-version 1.0.0 --os-vhd-storage-account ${STORAGE_ACCOUNT_NAME} --os-vhd-uri ${RHCOS_VHD_URL}
+----
++
+In this example, `1.0.0` is the image version.
+
+. Optional: Access the ID of the generated `x86_64` boot image by running the following command:
++
+[source,terminal]
+----
+$ az sig image-version show -r $GALLERY_NAME -g $RESOURCE_GROUP -i rhcos-x86_64 -e 1.0.0
+----
+The following example image ID is used in the `recourseID` parameter of the compute machine set:
++
+.Example `resourceID`
+[source,terminal]
+----
+/resourceGroups/${RESOURCE_GROUP}/providers/Microsoft.Compute/galleries/${GALLERY_NAME}/images/rhcos-x86_64/versions/1.0.0
+----
\ No newline at end of file
diff --git a/modules/multi-architecture-enabling-64k-pages.adoc b/modules/multi-architecture-enabling-64k-pages.adoc
index 43a14439473b..81e295e723d6 100644
--- a/modules/multi-architecture-enabling-64k-pages.adoc
+++ b/modules/multi-architecture-enabling-64k-pages.adoc
@@ -5,7 +5,7 @@
 :_mod-docs-content-type: PROCEDURE
 [id="multi-architecture-enabling-64k-pages_{context}"]
 
-= Enabling 64k pages on the {op-system-first} kernel 
+= Enabling 64k pages on the {op-system-first} kernel
 
 You can enable the 64k memory page in the {op-system-first} kernel on the 64-bit ARM compute machines in your cluster. The 64k page size kernel specification can be used for large GPU or high memory workloads. This is done using the Machine Config Operator (MCO) which uses a machine config pool to update the kernel. To enable 64k page sizes, you must dedicate a machine config pool for ARM64 to enable on the kernel.
 
@@ -14,11 +14,11 @@ You can enable the 64k memory page in the {op-system-first} kernel on the 64-bit
 Using 64k pages is exclusive to 64-bit ARM architecture compute nodes or clusters installed on 64-bit ARM machines. If you configure the 64k pages kernel on a machine config pool using 64-bit x86 machines, the machine config pool and MCO will degrade.
 ====
 
-.Prerequisites: 
+.Prerequisites
 * You installed the OpenShift CLI (`oc`).
 * You created a cluster with compute nodes of different architecture on one of the supported platforms.
 
-.Procedure: 
+.Procedure
 
 . Label the nodes where you want to run the 64k page size kernel:
 [source,terminal]
@@ -27,7 +27,7 @@ Using 64k pages is exclusive to 64-bit ARM architecture compute nodes or cluster
 $ oc label node <node_name> <label>
 ----
 +
-.Example command 
+.Example command
 [source,terminal]
 ----
 $ oc label node worker-arm64-01 node-role.kubernetes.io/worker-64k-pages=
@@ -55,7 +55,7 @@ spec:
       kubernetes.io/arch: arm64
 ----
 
-. Create a machine config on your compute node to enable `64k-pages` with the `64k-pages` parameter. 
+. Create a machine config on your compute node to enable `64k-pages` with the `64k-pages` parameter.
 +
 [source,terminal]
 ----
@@ -70,11 +70,11 @@ kind: MachineConfig
 metadata:
   labels:
     machineconfiguration.openshift.io/role: "worker-64k-pages" <1>
-  name: 99-worker-64kpages  
+  name: 99-worker-64kpages
 spec:
   kernelType: 64k-pages <2>
 ----
-<1> Specify the value of the `machineconfiguration.openshift.io/role` label in the custom machine config pool. The example MachineConfig uses the `worker-64k-pages` label to enable 64k pages in the `worker-64k-pages` pool. 
+<1> Specify the value of the `machineconfiguration.openshift.io/role` label in the custom machine config pool. The example MachineConfig uses the `worker-64k-pages` label to enable 64k pages in the `worker-64k-pages` pool.
 <2> Specify your desired kernel type. Valid values are `64k-pages` and `default`
 +
 [NOTE]
@@ -82,7 +82,7 @@ spec:
 The `64k-pages` type is supported on only 64-bit ARM architecture based compute nodes. The `realtime` type is supported on only 64-bit x86 architecture based compute nodes.
 ====
 
-.Verification 
+.Verification
 
 * To view your new `worker-64k-pages` machine config pool, run the following command:
 +
@@ -91,11 +91,11 @@ The `64k-pages` type is supported on only 64-bit ARM architecture based compute
 $ oc get mcp
 ----
 +
-.Example output 
+.Example output
 [source,terminal]
 ----
 NAME     CONFIG                                                                UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
 master   rendered-master-9d55ac9a91127c36314e1efe7d77fbf8                      True      False      False      3              3                   3                     0                      361d
 worker   rendered-worker-e7b61751c4a5b7ff995d64b967c421ff                      True      False      False      7              7                   7                     0                      361d
 worker-64k-pages  rendered-worker-64k-pages-e7b61751c4a5b7ff995d64b967c421ff   True      False      False      2              2                   2                     0                      35m
-----
\ No newline at end of file
+----
diff --git a/modules/multi-architecture-modify-machine-set-aws.adoc b/modules/multi-architecture-modify-machine-set-aws.adoc
index f4038ad6838f..a919b8d632e8 100644
--- a/modules/multi-architecture-modify-machine-set-aws.adoc
+++ b/modules/multi-architecture-modify-machine-set-aws.adoc
@@ -1,29 +1,33 @@
-//Module included in the following assembly
+// Module included in the following assembly
 //
-//post_installation_configuration/cluster-tasks.adoc
+// * post_installation_configuration/cluster-tasks.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="multi-architecture-modify-machine-set-aws_{context}"]
+= Adding a multi-architecture compute machine set to your AWS cluster
 
-= Adding an ARM64 compute machine set to your cluster
+After creating a multi-architecture cluster, you can add nodes with different architectures.
 
-To configure a cluster with multi-architecture compute machines, you must create a AWS ARM64 compute machine set. This adds ARM64 compute nodes to your cluster so that your cluster has multi-architecture compute machines.
+You can add multi-architecture compute machines to a multi-architecture cluster in the following ways:
 
-.Prerequisites
+* Adding 64-bit x86 compute machines to a cluster that uses 64-bit ARM control plane machines and already includes 64-bit ARM compute machines. In this case, 64-bit x86 is considered the secondary architecture.
+* Adding 64-bit ARM compute machines to a cluster that uses 64-bit x86 control plane machines and already includes 64-bit x86 compute machines. In this case, 64-bit ARM is considered the secondary architecture.
+
+include::snippets/about-multiarch-tuning-operator.adoc[]
 
-* You installed the OpenShift CLI (`oc`).
-* You used the installation program to create an AMD64 single-architecture AWS cluster with the multi-architecture installer binary.
+.Prerequisites
 
+* You installed the {oc-first}.
+* You used the installation program to create an 64-bit ARM or 64-bit x86 single-architecture AWS cluster with the multi-architecture installer binary.
 
 .Procedure
-* Create and modify a compute machine set, this will control the ARM64 compute nodes in your cluster.
+
+. Log in to the {oc-first}.
+
+. Create a YAML file, and add the configuration to create a compute machine set to control the 64-bit ARM or 64-bit x86 compute nodes in your cluster.
 +
 --
-[source,terminal]
-----
-$ oc create -f aws-arm64-machine-set-0.yaml
-----
-.Sample YAML compute machine set to deploy an ARM64 compute node
+.Example `MachineSet` object for an AWS 64-bit ARM or x86 compute node
 
 [source,yaml]
 ----
@@ -32,7 +36,7 @@ kind: MachineSet
 metadata:
   labels:
     machine.openshift.io/cluster-api-cluster: <infrastructure_id> <1>
-  name: <infrastructure_id>-aws-arm64-machine-set-0 <1>
+  name: <infrastructure_id>-aws-machine-set-0 <1>
   namespace: openshift-machine-api
 spec:
   replicas: 1
@@ -89,7 +93,7 @@ spec:
           userDataSecret:
             name: worker-user-data
 ----
-<1> Specify the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. If you have the OpenShift CLI installed, you can obtain the infrastructure ID by running the following command:
+<1> Specify the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. If you have the {oc-first} installed, you can obtain the infrastructure ID by running the following command:
 +
 [source,terminal]
 ----
@@ -97,7 +101,7 @@ $ oc get -o jsonpath=‘{.status.infrastructureName}{“\n”}’ infrastructure
 ----
 <2> Specify the infrastructure ID, role node label, and zone.
 <3> Specify the role node label to add.
-<4> Specify an ARM64 supported Red Hat Enterprise Linux CoreOS (RHCOS) Amazon Machine Image (AMI) for your AWS zone for your OpenShift Container Platform nodes.
+<4> Specify a Red{nbsp}Hat Enterprise Linux CoreOS (RHCOS) Amazon Machine Image (AMI) for your AWS zone for the nodes. The RHCOS AMI must be compatible with the machine architecture.
 +
 [source,terminal]
 ----
@@ -106,28 +110,37 @@ $ oc get configmap/coreos-bootimages \
 	  -o jsonpath='{.data.stream}' | jq \
 	  -r '.architectures.<arch>.images.aws.regions."<region>".image'
 ----
-<5> Specify an ARM64 supported machine type. For more information, refer to "Tested instance types for AWS 64-bit ARM"
-<6> Specify the zone, for example `us-east-1a`. Ensure that the zone you select offers 64-bit ARM machines.
-<7> Specify the region, for example, `us-east-1`. Ensure that the zone you select offers 64-bit ARM machines.
+<5> Specify a machine type that aligns with the CPU architecture of the chosen AMI. For more information, see "Tested instance types for AWS 64-bit ARM"
+<6> Specify the zone. For example, `us-east-1a`. Ensure that the zone you select has machines with the required architecture.
+<7> Specify the region. For example, `us-east-1`. Ensure that the zone you select has machines with the required architecture.
 --
 
+. Create the compute machine set by running the following command:
++
+[source,terminal]
+----
+$ oc create -f <file_name> <1>
+----
+<1> Replace `<file_name>` with the name of the YAML file with compute machine set configuration. For example: `aws-arm64-machine-set-0.yaml`, or `aws-amd64-machine-set-0.yaml`.
+
 .Verification
 
-. View the list of compute machine sets by entering the following command:
+. View the list of compute machine sets by running the following command:
 +
 [source,terminal]
 ----
 $ oc get machineset -n openshift-machine-api
 ----
-You can then see your created ARM64 machine set.
++
+The output must include the machine set that you created.
 +
 .Example output
 [source,terminal]
 ----
 NAME                                                DESIRED  CURRENT  READY  AVAILABLE  AGE
-<infrastructure_id>-aws-arm64-machine-set-0                   2        2      2          2  10m
+<infrastructure_id>-aws-machine-set-0                   2        2      2          2  10m
 ----
-. You can check that the nodes are ready and scheduable with the following command:
+. You can check if the nodes are ready and schedulable by running the following command:
 +
 [source,terminal]
 ----
diff --git a/modules/multi-architecture-modify-machine-set-gcp.adoc b/modules/multi-architecture-modify-machine-set-gcp.adoc
index 2fbdabede970..dc62ba97ae44 100644
--- a/modules/multi-architecture-modify-machine-set-gcp.adoc
+++ b/modules/multi-architecture-modify-machine-set-gcp.adoc
@@ -4,25 +4,30 @@
 
 :_mod-docs-content-type: PROCEDURE
 [id="multi-architecture-modify-machine-set-gcp_{context}"]
-= Adding an ARM64 compute machine set to your GCP cluster
+= Adding a multi-architecture compute machine set to your GCP cluster
 
-To configure a cluster with multi-architecture compute machines, you must create a GCP ARM64 compute machine set. This adds ARM64 compute nodes to your cluster.
+After creating a multi-architecture cluster, you can add nodes with different architectures. 
+
+You can add multi-architecture compute machines to a multi-architecture cluster in the following ways:
+
+* Adding 64-bit x86 compute machines to a cluster that uses 64-bit ARM control plane machines and already includes 64-bit ARM compute machines. In this case, 64-bit x86 is considered the secondary architecture.
+* Adding 64-bit ARM compute machines to a cluster that uses 64-bit x86 control plane machines and already includes 64-bit x86 compute machines. In this case, 64-bit ARM is considered the secondary architecture.
+
+include::snippets/about-multiarch-tuning-operator.adoc[]
 
 .Prerequisites
 
 * You installed the {oc-first}.
-* You used the installation program to create an AMD64 single-architecture AWS cluster with the multi-architecture installer binary.
+* You used the installation program to create a 64-bit x86 or 64-bit ARM single-architecture GCP cluster with the multi-architecture installer binary.
 
 .Procedure
-* Create and modify a compute machine set, this controls the ARM64 compute nodes in your cluster:
-+
-[source,terminal]
-----
-$ oc create -f gcp-arm64-machine-set-0.yaml
-----
+
+. Log in to the {oc-first}.
+
+. Create a YAML file, and add the configuration to create a compute machine set to control the 64-bit ARM or 64-bit x86 compute nodes in your cluster.
 +
 --
-.Sample GCP YAML compute machine set to deploy an ARM64 compute node
+.Example `MachineSet` object for a GCP 64-bit ARM or 64-bit x86 compute node
 [source,yaml]
 ----
 apiVersion: machine.openshift.io/v1beta1
@@ -121,27 +126,35 @@ Use the `project` and `name` parameters from the output to create the path to im
 $ projects/<project>/global/images/<image_name>
 ----
 <4> Optional: Specify custom metadata in the form of a `key:value` pair. For example use cases, see the GCP documentation for link:https://cloud.google.com/compute/docs/metadata/setting-custom-metadata[setting custom metadata].
-<5> Specify an ARM64 supported machine type. For more information, refer to _Tested instance types for GCP on 64-bit ARM infrastructures_ in "Additional resources".
+<5> Specify a machine type that aligns with the CPU architecture of the chosen OS image. For more information, see "Tested instance types for GCP on 64-bit ARM infrastructures".
 <6> Specify the name of the GCP project that you use for your cluster.
-<7> Specify the region, for example, `us-central1`. Ensure that the zone you select offers 64-bit ARM machines.
+<7> Specify the region. For example, `us-central1`. Ensure that the zone you select has machines with the required architecture.
 --
 
+. Create the compute machine set by running the following command:
++
+[source,terminal]
+----
+$ oc create -f <file_name> <1>
+----
+<1> Replace `<file_name>` with the name of the YAML file with compute machine set configuration. For example: `gcp-arm64-machine-set-0.yaml`, or `gcp-amd64-machine-set-0.yaml`.
+
 .Verification
-. View the list of compute machine sets by entering the following command:
+. View the list of compute machine sets by running the following command:
 +
 [source,terminal]
 ----
 $ oc get machineset -n openshift-machine-api
 ----
-You can then see your created ARM64 machine set.
+The output must include the machine set that you created.
 +
 .Example output
 [source,terminal]
 ----
 NAME                                                DESIRED  CURRENT  READY  AVAILABLE  AGE
-<infrastructure_id>-gcp-arm64-machine-set-0                   2        2      2          2  10m
+<infrastructure_id>-gcp-machine-set-0                   2        2      2          2  10m
 ----
-. You can check that the nodes are ready and scheduable with the following command:
+. You can check if the nodes are ready and schedulable by running the following command:
 +
 [source,terminal]
 ----
diff --git a/modules/multi-architecture-modify-machine-set.adoc b/modules/multi-architecture-modify-machine-set.adoc
index 28db16583220..deae4e5b367c 100644
--- a/modules/multi-architecture-modify-machine-set.adoc
+++ b/modules/multi-architecture-modify-machine-set.adoc
@@ -4,24 +4,32 @@
 
 :_mod-docs-content-type: PROCEDURE
 [id="multi-architecture-modify-machine-set_{context}"]
+= Adding a multi-architecture compute machine set to your Azure cluster
 
-= Adding a multi-architecture compute machine set to your cluster
+After creating a multi-architecture cluster, you can add nodes with different architectures. 
 
-To add ARM64 compute nodes to your cluster, you must create an Azure compute machine set that uses the ARM64 boot image. To create your own custom compute machine set on Azure, see "Creating a compute machine set on Azure".
+You can add multi-architecture compute machines to a multi-architecture cluster in the following ways:
+
+* Adding 64-bit x86 compute machines to a cluster that uses 64-bit ARM control plane machines and already includes 64-bit ARM compute machines. In this case, 64-bit x86 is considered the secondary architecture.
+* Adding 64-bit ARM compute machines to a cluster that uses 64-bit x86 control plane machines and already includes 64-bit x86 compute machines. In this case, 64-bit ARM is considered the secondary architecture.
+
+To create a custom compute machine set on Azure, see "Creating a compute machine set on Azure".
+
+include::snippets/about-multiarch-tuning-operator.adoc[]
 
 .Prerequisites
 
 * You installed the OpenShift CLI (`oc`).
+* You created a 64-bit ARM or 64-bit x86 boot image.
+* You used the installation program to create a 64-bit ARM or 64-bit x86 single-architecture Azure cluster with the multi-architecture installer binary.
 
 .Procedure
-* Create a compute machine set and modify the `resourceID` and `vmSize` parameters with the following command. This compute machine set will control the `arm64` worker nodes in your cluster:
-+
-[source,terminal]
-----
-$ oc create -f arm64-machine-set-0.yaml
-----
-.Sample YAML compute machine set with `arm64` boot image
+
+. Log in to the {oc-first}.
+
+. Create a YAML file, and add the configuration to create a compute machine set to control the 64-bit ARM or 64-bit x86 compute nodes in your cluster.
 +
+.Example `MachineSet` object for an Azure 64-bit ARM or 64-bit x86 compute node
 [source,yaml]
 ----
 apiVersion: machine.openshift.io/v1beta1
@@ -31,21 +39,21 @@ metadata:
     machine.openshift.io/cluster-api-cluster: <infrastructure_id>
     machine.openshift.io/cluster-api-machine-role: worker
     machine.openshift.io/cluster-api-machine-type: worker
-  name: <infrastructure_id>-arm64-machine-set-0
+  name: <infrastructure_id>-machine-set-0
   namespace: openshift-machine-api
 spec:
   replicas: 2
   selector:
     matchLabels:
       machine.openshift.io/cluster-api-cluster: <infrastructure_id>
-      machine.openshift.io/cluster-api-machineset: <infrastructure_id>-arm64-machine-set-0
+      machine.openshift.io/cluster-api-machineset: <infrastructure_id>-machine-set-0
   template:
     metadata:
       labels:
         machine.openshift.io/cluster-api-cluster: <infrastructure_id>
         machine.openshift.io/cluster-api-machine-role: worker
         machine.openshift.io/cluster-api-machine-type: worker
-        machine.openshift.io/cluster-api-machineset: <infrastructure_id>-arm64-machine-set-0
+        machine.openshift.io/cluster-api-machineset: <infrastructure_id>-machine-set-0
     spec:
       lifecycleHooks: {}
       metadata: {}
@@ -82,24 +90,35 @@ spec:
           vnet: <infrastructure_id>-vnet
           zone: "<zone>"
 ----
-<1> Set the `resourceID` parameter to the `arm64` boot image.
+<1> Set the `resourceID` parameter to either `arm64` or `amd64` boot image.
 <2> Set the `vmSize` parameter to the instance type used in your installation. Some example instance types are `Standard_D4ps_v5` or `D8ps`.
 
+. Create the compute machine set by running the following command:
++
+[source,terminal]
+----
+$ oc create -f <file_name> <1>
+----
+<1> Replace `<file_name>` with the name of the YAML file with compute machine set configuration. For example: `arm64-machine-set-0.yaml`, or ``amd64-machine-set-0.yaml``.
+
 .Verification
-. Verify that the new ARM64 machines are running by entering the following command:
+
+. Verify that the new machines are running by running the following command:
 +
 [source,terminal]
 ----
 $ oc get machineset -n openshift-machine-api
 ----
 +
+The output must include the machine set that you created.
++
 .Example output
 [source,terminal]
 ----
 NAME                                                DESIRED  CURRENT  READY  AVAILABLE  AGE
-<infrastructure_id>-arm64-machine-set-0                   2        2      2          2  10m
+<infrastructure_id>-machine-set-0                   2        2      2          2  10m
 ----
-. You can check that the nodes are ready and scheduable with the following command:
+. You can check if the nodes are ready and schedulable by running the following command:
 +
 [source,terminal]
 ----
diff --git a/modules/multi-architecture-verifying-cluster-compatibility.adoc b/modules/multi-architecture-verifying-cluster-compatibility.adoc
index 1b132abcda14..9f8cf0e69a73 100644
--- a/modules/multi-architecture-verifying-cluster-compatibility.adoc
+++ b/modules/multi-architecture-verifying-cluster-compatibility.adoc
@@ -21,7 +21,7 @@ Before you can start adding compute nodes of different architectures to your clu
 
 .Prerequisites
 
-* You installed the OpenShift CLI (`oc`)
+* You installed the {oc-first}.
 
 ifdef::ibm-power[]
 [NOTE]
@@ -37,7 +37,9 @@ endif::ibm-power[]
 
 .Procedure
 
-* You can check that your cluster uses the architecture payload by running the following command:
+. Log in to the {oc-first}.
+
+. You can check that your cluster uses the architecture payload by running the following command:
 +
 [source,terminal]
 ----
@@ -46,7 +48,7 @@ $ oc adm release info -o jsonpath="{ .metadata.metadata}"
 
 .Verification
 
-. If you see the following output, then your cluster is using the multi-architecture payload:
+* If you see the following output, your cluster is using the multi-architecture payload:
 +
 [source,terminal]
 ----
@@ -57,7 +59,7 @@ $ oc adm release info -o jsonpath="{ .metadata.metadata}"
 ----
 You can then begin adding multi-arch compute nodes to your cluster.
 
-. If you see the following output, then your cluster is not using the multi-architecture payload:
+* If you see the following output, your cluster is not using the multi-architecture payload:
 +
 [source,terminal]
 ----
diff --git a/modules/network-flow-matrix.adoc b/modules/network-flow-matrix.adoc
new file mode 100644
index 000000000000..0d7f8730b355
--- /dev/null
+++ b/modules/network-flow-matrix.adoc
@@ -0,0 +1,31 @@
+// Module included in the following assemblies:
+//
+// * installing/install_config/configuring-firewall.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="network-flow-matrix_{context}"]
+= {product-title} network flow matrix
+
+The network flow matrix describes the ingress flows to {product-title} services.
+The network information in the matrix is accurate for both bare-metal and cloud environments.
+Use the information in the network flow matrix to help you manage ingress traffic.
+You can restrict ingress traffic to essential flows to improve network security.
+
+To view or download the raw CSV content, see link:https://raw.githubusercontent.com/openshift/openshift-docs/main/snippets/network-flow-matrix.csv[this resource].
+
+Additionally, consider the following dynamic port ranges when managing ingress traffic:
+
+* `9000-9999`: Host level services
+* `3000-32767`: Kubernetes node ports
+* `49152-65535`: Dynamic or private ports
+
+[NOTE]
+====
+The network flow matrix describes ingress traffic flows for a base {product-title} installation. It does not describe network flows for additional components, such as optional Operators available from the Red Hat Marketplace. The matrix does not apply for Hosted-Control-Plane, MicroShift, or standalone clusters.
+====
+
+.Network flow matrix
+[%header,format=csv]
+|===
+include::snippets/network-flow-matrix.csv[]
+|===
diff --git a/modules/network-observability-RTT-overview.adoc b/modules/network-observability-RTT-overview.adoc
index 6c42599c3117..881084351716 100644
--- a/modules/network-observability-RTT-overview.adoc
+++ b/modules/network-observability-RTT-overview.adoc
@@ -5,24 +5,24 @@
 :_mod-docs-content-type: CONCEPT
 [id="network-observability-RTT-overview_{context}"]
 = Round-Trip Time
-You can use TCP handshake Round-Trip Time (RTT) to analyze network flows. You can use RTT captured from the `fentry/tcp_rcv_established` eBPF hookpoint to read SRTT from the TCP socket to help with the following:
+You can use TCP smoothed Round-Trip Time (sRTT) to analyze network flow latencies. You can use RTT captured from the `fentry/tcp_rcv_established` eBPF hookpoint to read sRTT from the TCP socket to help with the following:
 
 
-* Network Monitoring: Gain insights into TCP handshakes, helping
+* Network Monitoring: Gain insights into TCP latencies, helping
   network administrators identify unusual patterns, potential bottlenecks, or
   performance issues.
 * Troubleshooting: Debug TCP-related issues by tracking latency and identifying
   misconfigurations.
 
-By default, when RTT is enabled, you can see the following TCP handshake RTT metrics represented in the *Overview*:
+By default, when RTT is enabled, you can see the following TCP RTT metrics represented in the *Overview*:
 
-* Top X 90th percentile TCP handshake Round Trip Time with overall
-* Top X average TCP handshake Round Trip Time with overall
-* Bottom X minimum TCP handshake Round Trip Time with overall
+* Top X 90th percentile TCP Round Trip Time with overall
+* Top X average TCP Round Trip Time with overall
+* Bottom X minimum TCP Round Trip Time with overall
 
 Other RTT panels can be added in *Manage panels*:
 
-* Top X maximum TCP handshake Round Trip Time with overall
-* Top X 99th percentile TCP handshake Round Trip Time with overall
+* Top X maximum TCP Round Trip Time with overall
+* Top X 99th percentile TCP Round Trip Time with overall
 
 See the _Additional Resources_ in this section for more information about enabling and working with this view.
\ No newline at end of file
diff --git a/modules/network-observability-RTT.adoc b/modules/network-observability-RTT.adoc
index f56205ba0e7f..a7d1c98bdad8 100644
--- a/modules/network-observability-RTT.adoc
+++ b/modules/network-observability-RTT.adoc
@@ -23,7 +23,6 @@ metadata:
   name: cluster
 spec:
   namespace: netobserv
-  deploymentModel: Direct
   agent:
     type: eBPF
     ebpf:
diff --git a/modules/network-observability-cli-capturing-flows.adoc b/modules/network-observability-cli-capturing-flows.adoc
new file mode 100644
index 000000000000..6f101c610676
--- /dev/null
+++ b/modules/network-observability-cli-capturing-flows.adoc
@@ -0,0 +1,88 @@
+//Module included in the following assemblies:
+//
+// observability/network_observability/netobserv_cli/netobserv-cli-using.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="network-observability-cli-capturing-flows_{context}"]
+= Capturing flows
+
+You can capture flows and filter on any resource or zone in the data to solve use cases, such as displaying Round-Trip Time (RTT) between two zones. Table visualization in the CLI provides viewing and flow search capabilities.
+
+.Prerequisites
+* Install the {oc-first}.
+* Install the Network Observability CLI (`oc netobserv`) plugin.
+
+.Procedure
+. Capture flows with filters enabled by running the following command:
++
+[source,terminal]
+----
+$ oc netobserv flows --enable_filter=true --action=Accept --cidr=0.0.0.0/0 --protocol=TCP --port=49051
+----
+. Add filters to the `live table filter` prompt in the terminal to further refine the incoming flows. For example:
++ 
+[source,terminal]
+----
+live table filter: [SrcK8S_Zone:us-west-1b] press enter to match multiple regular expressions at once
+----
+. To stop capturing, press kbd:[Ctrl+C]. The data that was captured is written to two separate files in an `./output` directory located in the same path used to install the CLI. 
+. View the captured data in the `./output/flow/<capture_date_time>.json` JSON file, which contains JSON arrays of the captured data.
++
+.Example JSON file
+[source,json]
+----
+{
+  "AgentIP": "10.0.1.76",
+  "Bytes": 561,
+  "DnsErrno": 0,
+  "Dscp": 20,
+  "DstAddr": "f904:ece9:ba63:6ac7:8018:1e5:7130:0",
+  "DstMac": "0A:58:0A:80:00:37",
+  "DstPort": 9999,
+  "Duplicate": false,
+  "Etype": 2048,
+  "Flags": 16,
+  "FlowDirection": 0,
+  "IfDirection": 0,
+  "Interface": "ens5",
+  "K8S_FlowLayer": "infra",
+  "Packets": 1,
+  "Proto": 6,
+  "SrcAddr": "3e06:6c10:6440:2:a80:37:b756:270f",
+  "SrcMac": "0A:58:0A:80:00:01",
+  "SrcPort": 46934,
+  "TimeFlowEndMs": 1709741962111,
+  "TimeFlowRttNs": 121000,
+  "TimeFlowStartMs": 1709741962111,
+  "TimeReceived": 1709741964
+}
+----
+. You can use SQLite to inspect the `./output/flow/<capture_date_time>.db` database file. For example:
+.. Open the file by running the following command:
++
+[source,terminal]
+----
+$ sqlite3 ./output/flow/<capture_date_time>.db
+----
+
+.. Query the data by running a SQLite `SELECT` statement, for example:
++
+[source,terminal]
+----
+sqlite> SELECT DnsLatencyMs, DnsFlagsResponseCode, DnsId, DstAddr, DstPort, Interface, Proto, SrcAddr, SrcPort, Bytes, Packets FROM flow WHERE DnsLatencyMs >10 LIMIT 10;
+----
++
+.Example output
+[source,terminal]
+----
+12|NoError|58747|10.128.0.63|57856||17|172.30.0.10|53|284|1
+11|NoError|20486|10.128.0.52|56575||17|169.254.169.254|53|225|1
+11|NoError|59544|10.128.0.103|51089||17|172.30.0.10|53|307|1
+13|NoError|32519|10.128.0.52|55241||17|169.254.169.254|53|254|1
+12|NoError|32519|10.0.0.3|55241||17|169.254.169.254|53|254|1
+15|NoError|57673|10.128.0.19|59051||17|172.30.0.10|53|313|1
+13|NoError|35652|10.0.0.3|46532||17|169.254.169.254|53|183|1
+32|NoError|37326|10.0.0.3|52718||17|169.254.169.254|53|169|1
+14|NoError|14530|10.0.0.3|58203||17|169.254.169.254|53|246|1
+15|NoError|40548|10.0.0.3|45933||17|169.254.169.254|53|174|1
+----
diff --git a/modules/network-observability-cli-capturing-packets.adoc b/modules/network-observability-cli-capturing-packets.adoc
new file mode 100644
index 000000000000..748c96417212
--- /dev/null
+++ b/modules/network-observability-cli-capturing-packets.adoc
@@ -0,0 +1,29 @@
+//Module included in the following assemblies:
+//
+// observability/network_observability/netobserv_cli/netobserv-cli-using.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="network-observability-cli-capturing-packets_{context}"]
+= Capturing packets
+You can capture packets using the Network Observability CLI. 
+
+.Prerequisites
+* Install the {oc-first}.
+* Install the Network Observability CLI (`oc netobserv`) plugin.
+
+.Procedure
+. Run the packet capture with filters enabled:
++
+[source,terminal]
+----
+$ oc netobserv packets --filter=tcp,80
+----
+. Add filters to the `live table filter` prompt in the terminal to refine the incoming packets. An example filter is as follows:
++ 
+[source,terminal]
+----
+live table filter: [SrcK8S_Zone:us-west-1b] press enter to match multiple regular expressions at once
+----
+. To stop capturing, press kbd:[Ctrl+C].
+. View the captured data, which is written to a single file in an `./output/pcap` directory located in the same path that was used to install the CLI:
+.. The `./output/pcap/<capture_date_time>.pcap` file can be opened with Wireshark. 
\ No newline at end of file
diff --git a/modules/network-observability-configuring-custom-metrics.adoc b/modules/network-observability-configuring-custom-metrics.adoc
new file mode 100644
index 000000000000..c73bb1054903
--- /dev/null
+++ b/modules/network-observability-configuring-custom-metrics.adoc
@@ -0,0 +1,85 @@
+// Module included in the following assemblies:
+//
+// network_observability/metrics-alerts-dashboards.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="network-observability-configuring-custom-metrics_{context}"]
+= Configuring custom metrics by using FlowMetric API
+You can configure the `FlowMetric` API to create custom metrics by using flowlogs data fields as Prometheus labels. You can add multiple `FlowMetric` resources to a project to see multiple dashboard views.
+
+.Procedure
+
+. In the web console, navigate to *Operators* -> *Installed Operators*.
+. In the *Provided APIs* heading for the *NetObserv Operator*, select *FlowMetric*.
+. In the *Project:*  dropdown list, select the project of the Network Observability Operator instance. 
+. Click *Create FlowMetric*.
+. Configure the `FlowMetric` resource, similar to the following sample configurations:
++
+.Generate a metric that tracks ingress bytes received from cluster external sources
+[%collapsible]
+====
+[source,yaml]
+----
+apiVersion: flows.netobserv.io/v1alpha1
+kind: FlowMetric
+metadata:
+  name: flowmetric-cluster-external-ingress-traffic
+  namespace: netobserv                              <1>
+spec:
+  metricName: cluster_external_ingress_bytes_total  <2>
+  type: Counter                                     <3>
+  valueField: Bytes
+  direction: Ingress                                <4>
+  labels: [DstK8S_HostName,DstK8S_Namespace,DstK8S_OwnerName,DstK8S_OwnerType] <5>
+  filters:                                          <6>
+  - field: SrcSubnetLabel
+    matchType: Absence
+----
+<1> The `FlowMetric` resources need to be created in the namespace defined in the `FlowCollector` `spec.namespace`, which is `netobserv` by default.
+<2> The name of the Prometheus metric, which in the web console appears with the prefix `netobserv-<metricName>`. 
+<3> The `type` specifies the type of metric. The `Counter` `type` is useful for counting bytes or packets.
+<4> The direction of traffic to capture. If not specified, both ingress and egress are captured, which can lead to duplicated counts. 
+<5> Labels define what the metrics look like and the relationship between the different entities and also define the metrics cardinality. For example, `SrcK8S_Name` is a high cardinality metric.
+<6> Refines results based on the listed criteria. In this example,  selecting only the cluster external traffic is done by matching only flows where `SrcSubnetLabel` is absent. This assumes the subnet labels feature is enabled (via `spec.processor.subnetLabels`), which is done by default.
+
+.Verification
+. Once the pods refresh, navigate to *Observe* -> *Metrics*.
+. In the *Expression* field, type the metric name to view the corresponding result. You can also enter an expression, such as `topk(5, sum(rate(netobserv_cluster_external_ingress_bytes_total{DstK8S_Namespace="my-namespace"}[2m])) by (DstK8S_HostName, DstK8S_OwnerName, DstK8S_OwnerType))`
+====
++
+.Show RTT latency for cluster external ingress traffic
+[%collapsible]
+====
+[source,yaml]
+----
+apiVersion: flows.netobserv.io/v1alpha1
+kind: FlowMetric
+metadata:
+  name: flowmetric-cluster-external-ingress-rtt
+  namespace: netobserv    <1>
+spec:
+  metricName: cluster_external_ingress_rtt_seconds
+  type: Histogram                 <2>
+  valueField: TimeFlowRttNs
+  direction: Ingress
+  labels: [DstK8S_HostName,DstK8S_Namespace,DstK8S_OwnerName,DstK8S_OwnerType]
+  filters:
+  - field: SrcSubnetLabel
+    matchType: Absence
+  - field: TimeFlowRttNs
+    matchType: Presence
+  divider: "1000000000"      <3>
+  buckets: [".001", ".005", ".01", ".02", ".03", ".04", ".05", ".075", ".1", ".25", "1"]  <4>
+----
+<1> The `FlowMetric` resources need to be created in the namespace defined in the `FlowCollector` `spec.namespace`, which is `netobserv` by default.
+<2> The `type` specifies the type of metric. The `Histogram` `type` is useful for a latency value (`TimeFlowRttNs`).
+<3> Since the Round-trip time (RTT) is provided as nanos in flows, use a divider of 1 billion to convert into seconds, which is standard in Prometheus guidelines.
+<4> The custom buckets specify precision on RTT, with optimal precision ranging between 5ms and 250ms.
+
+.Verification
+. Once the pods refresh, navigate to *Observe* -> *Metrics*.
+. In the *Expression* field, you can type the metric name to view the corresponding result. 
+====
+
+
+
diff --git a/modules/network-observability-custom-metrics.adoc b/modules/network-observability-custom-metrics.adoc
new file mode 100644
index 000000000000..eeb505747c12
--- /dev/null
+++ b/modules/network-observability-custom-metrics.adoc
@@ -0,0 +1,8 @@
+// Module included in the following assemblies:
+//
+// network_observability/metrics-alerts-dashboards.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="network-observability-custom-metrics_{context}"]
+= Custom metrics
+You can create custom metrics out of the flowlogs data using the `FlowMetric` API. In every flowlogs data that is collected, there are a number of fields labeled per log, such as source name and destination name. These fields can be leveraged as Prometheus labels to enable the customization of cluster information on your dashboard. 
\ No newline at end of file
diff --git a/modules/network-observability-dns-tracking.adoc b/modules/network-observability-dns-tracking.adoc
index 134cb6c09b31..1bebed820f97 100644
--- a/modules/network-observability-dns-tracking.adoc
+++ b/modules/network-observability-dns-tracking.adoc
@@ -27,7 +27,6 @@ metadata:
   name: cluster
 spec:
   namespace: netobserv
-  deploymentModel: Direct
   agent:
     type: eBPF
     ebpf:
@@ -36,7 +35,7 @@ spec:
       sampling: 1              <2>
 ----
 <1> You can set the `spec.agent.ebpf.features` parameter list to enable DNS tracking of each network flow in the web console.
-<2> You can set `sampling` to a value of `1` for more accurate metrics.
+<2> You can set `sampling` to a value of `1` for more accurate metrics and to capture *DNS latency*. For a `sampling` value greater than 1, you can observe flows with *DNS Response Code* and *DNS Id*, and it is unlikely that *DNS Latency* can be observed.
 
 . When you refresh the *Network Traffic* page, there are new DNS representations you can choose to view in the *Overview* and *Traffic Flow* views and new filters you can apply.
 .. Select new DNS choices in *Manage panels* to display graphical visualizations and DNS metrics in the *Overview*.
diff --git a/modules/network-observability-ebpf-agent-alert.adoc b/modules/network-observability-ebpf-agent-alert.adoc
new file mode 100644
index 000000000000..f9201d46aa88
--- /dev/null
+++ b/modules/network-observability-ebpf-agent-alert.adoc
@@ -0,0 +1,38 @@
+// Module included in the following assemblies:
+// * network_observability/network-observability-operator-monitoring.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="network-observability-netobserv-dashboard-ebpf-agent-alerts_{context}"]
+= Using the eBPF agent alert
+
+An alert, `NetObservAgentFlowsDropped`, is triggered when the Network Observability eBPF agent hashmap table is full or when the capacity limiter is triggered. If you see this alert, consider increasing the `cacheMaxFlows` in the `FlowCollector`, as shown in the following example.
+
+[NOTE]
+====
+Increasing the `cacheMaxFlows` might increase the memory usage of the eBPF agent. 
+====
+
+.Procedure
+
+. In the web console, navigate to *Operators* -> *Installed Operators*.
+
+. Under the *Provided APIs* heading for the *Network Observability Operator*, select *Flow Collector*.
+
+. Select *cluster*, and then select the *YAML* tab.
+
+. Increase the `spec.agent.ebpf.cacheMaxFlows` value, as shown in the following YAML sample:
+[source,yaml]
+----
+apiVersion: flows.netobserv.io/v1beta2
+kind: FlowCollector
+metadata:
+  name: cluster
+spec:
+  namespace: netobserv
+  deploymentModel: Direct
+  agent:
+    type: eBPF                                
+    ebpf:
+      cacheMaxFlows: 200000 <1>
+----
+<1> Increase the `cacheMaxFlows` value from its value at the time of the `NetObservAgentFlowsDropped` alert.
diff --git a/modules/network-observability-ebpf-rule-flow-filter.adoc b/modules/network-observability-ebpf-rule-flow-filter.adoc
new file mode 100644
index 000000000000..b20c6a803514
--- /dev/null
+++ b/modules/network-observability-ebpf-rule-flow-filter.adoc
@@ -0,0 +1,18 @@
+// Module included in the following assemblies:
+//
+// network_observability/observing-network-traffic.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="network-observability-ebpf-flow-rule-filter_{context}"]
+= eBPF flow rule filter
+You can use rule-based filtering to control the volume of packets cached in the eBPF flow table. For example, a filter can specify that only packets coming from port 100 should be recorded. Then only the packets that match the filter are cached and the rest are not cached. 
+
+[id="ingress-and-egress-traffic-filtering_{context}"]
+== Ingress and egress traffic filtering
+CIDR notation efficiently represents IP address ranges by combining the base IP address with a prefix length. For both ingress and egress traffic, the source IP address is first used to match filter rules configured with CIDR notation. If there is a match, then the filtering proceeds. If there is no match, then the destination IP is used to match filter rules configured with CIDR notation. 
+
+After matching either the source IP or the destination IP CIDR, you can pinpoint specific endpoints using the `peerIP` to differentiate the destination IP address of the packet. Based on the provisioned action, the flow data is either cached in the eBPF flow table or not cached. 
+
+[id="dashboard-and-metrics-integrations_{context}"]
+== Dashboard and metrics integrations
+When this option is enabled, the *Netobserv/Health* dashboard for *eBPF agent statistics* now has the *Filtered flows rate* view. Additionally, in *Observe* -> *Metrics* you can query `netobserv_agent_filtered_flows_total` to observe metrics with the reason in *FlowFilterAcceptCounter*, *FlowFilterNoMatchCounter* or *FlowFilterRecjectCounter*.
\ No newline at end of file
diff --git a/modules/network-observability-filtering-ebpf-rule.adoc b/modules/network-observability-filtering-ebpf-rule.adoc
new file mode 100644
index 000000000000..85e41e34b28e
--- /dev/null
+++ b/modules/network-observability-filtering-ebpf-rule.adoc
@@ -0,0 +1,74 @@
+// Module included in the following assemblies:
+//
+// network_observability/observing-network-traffic.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="network-observability-filtering-ebpf-rule_{context}"]
+= Filtering eBPF flow data using a global rule
+You can configure the `FlowCollector` to filter eBPF flows using a global rule to control the flow of packets cached in the eBPF flow table.
+
+.Procedure
+. In the web console, navigate to *Operators* -> *Installed Operators*.
+. Under the *Provided APIs* heading for *Network Observability*, select *Flow Collector*.
+. Select *cluster*, then select the *YAML* tab.
+. Configure the `FlowCollector` custom resource, similar to the following sample configurations:
++
+
+[%collapsible]
+.Filter Kubernetes service traffic to a specific Pod IP endpoint
+====
+[source, yaml]
+----
+apiVersion: flows.netobserv.io/v1beta2
+kind: FlowCollector
+metadata:
+  name: cluster
+spec:
+  namespace: netobserv
+  deploymentModel: Direct
+  agent:
+    type: eBPF
+    ebpf:
+      flowFilter:
+        action: Accept  <1>
+        cidr: 172.210.150.1/24 <2>
+        protocol: SCTP
+        direction: Ingress
+        destPortRange: 80-100
+        peerIP: 10.10.10.10
+        enable: true    <3>
+----
+<1> The required `action` parameter describes the action that is taken for the flow filter rule. Possible values are `Accept` or `Reject`. 
+<2> The required `cidr` parameter provides the IP address and CIDR mask for the flow filter rule and supports IPv4 and IPv6 address formats. If you want to match against any IP address, you can use `0.0.0.0/0` for IPv4 or `::/0` for IPv6.
+<3> You must set `spec.agent.ebpf.flowFilter.enable` to `true` to enable this feature.
+====
++
+[%collapsible]
+.See flows to any addresses outside the cluster 
+====
+[source, yaml]
+----
+apiVersion: flows.netobserv.io/v1beta2
+kind: FlowCollector
+metadata:
+  name: cluster
+spec:
+  namespace: netobserv
+  deploymentModel: Direct
+  agent:
+    type: eBPF
+    ebpf:        
+      flowFilter:
+        action: Accept  <1>
+        cidr: 0.0.0.0/0 <2>
+        protocol: TCP
+        direction: Egress
+        sourcePort: 100
+        peerIP: 192.168.127.12 <3>
+        enable: true    <4>
+----       
+<1> You can `Accept` flows based on the criteria in the `flowFilter` specification.
+<2> The `cidr` value of `0.0.0.0/0` matches against any IP address.
+<3> See flows after `peerIP` is configured with `192.168.127.12`. 
+<4> You must set `spec.agent.ebpf.flowFilter.enable` to `true` to enable the feature.
+====
\ No newline at end of file
diff --git a/modules/network-observability-flow-filter-parameters.adoc b/modules/network-observability-flow-filter-parameters.adoc
new file mode 100644
index 000000000000..51e10d254cff
--- /dev/null
+++ b/modules/network-observability-flow-filter-parameters.adoc
@@ -0,0 +1,59 @@
+:_mod-docs-content-type: REFERENCE
+// Module included in the following assemblies:
+//
+// network_observability/observing-network-traffic.adoc
+
+[id="network-observability-flowcollector-flowfilter-parameters_{context}"]
+= Flow filter configuration parameters
+The flow filter rules consist of required and optional parameters.
+
+.Required configuration parameters
+[cols="3a,8a",options="header"]
+|===
+|Parameter |Description
+
+|`enable`
+| Set `enable` to `true` to enable the eBPF flow filtering feature.
+
+|`cidr`
+| Provides the IP address and CIDR mask for the flow filter rule. Supports both IPv4 and IPv6 address format. If you want to match against any IP, you can use `0.0.0.0/0` for IPv4 or `::/0` for IPv6.
+
+|`action`
+| Describes the action that is taken for the flow filter rule. The possible values are `Accept` or `Reject`.
+
+* For the `Accept` action matching rule, the flow data is cached in the eBPF table and updated with the global metric, `FlowFilterAcceptCounter`.
+* For the `Reject` action matching rule, the flow data is dropped and not cached in the eBPF table. The flow data is updated with the global metric, `FlowFilterRejectCounter`.
+* If the rule is not matched, the flow is cached in the eBPF table and updated with the global metric, `FlowFilterNoMatchCounter`.
+|===
+
+
+.Optional configuration parameters
+[cols="3a,8a",options="header"]
+|===
+|Parameter |Description
+
+|`direction`
+| Defines the direction of the flow filter rule. Possible values are `Ingress` or `Egress`.
+
+|`protocol`
+| Defines the protocol of the flow filter rule. Possible values are `TCP`, `UDP`, `SCTP`, `ICMP`, and `ICMPv6`.
+
+| `ports`
+| Defines the ports to use for filtering flows. It can be used for either source or destination ports. To filter a single port, set a single port as an integer value. For example `ports: 80`. To filter a range of ports, use a "start-end" range in string format. For example `ports: "80-100"`
+
+|`sourcePorts`
+| Defines the source port to use for filtering flows. To filter a single port, set a single port as an integer value, for example `sourcePorts: 80`. To filter a range of ports, use a "start-end" range, string format, for example `sourcePorts: "80-100"`.
+
+
+| `destPorts`
+| DestPorts defines the destination ports to use for filtering flows. To filter a single port, set a single port as an integer value, for example `destPorts: 80`. To filter a range of ports, use a "start-end" range in string format, for example `destPorts: "80-100"`.
+
+| `icmpType`
+| Defines the ICMP type to use for filtering flows.
+
+| `icmpCode`
+| Defines the ICMP code to use for filtering flows.
+
+| `peerIP`
+|  Defines the IP address to use for filtering flows, for example: `10.10.10.10`.
+|===
\ No newline at end of file
diff --git a/modules/network-observability-flowcollector-api-specifications.adoc b/modules/network-observability-flowcollector-api-specifications.adoc
index 3f60dc67b5de..c073318a00e8 100644
--- a/modules/network-observability-flowcollector-api-specifications.adoc
+++ b/modules/network-observability-flowcollector-api-specifications.adoc
@@ -1,4 +1,3 @@
-// Automatically generated by 'openshift-apidocs-gen'. Do not edit.
 :_mod-docs-content-type: REFERENCE
 [id="network-observability-flowcollector-api-specifications_{context}"]
 = FlowCollector API specifications
@@ -35,9 +34,14 @@ Type::
 
 | `spec`
 | `object`
-| Defines the desired state of the FlowCollector resource.  +
+| Defines the desired state of the FlowCollector resource.
  +
- *: the mention of "unsupported", or "deprecated" for a feature throughout this document means that this feature is not officially supported by Red Hat. It might have been, for example, contributed by the community and accepted without a formal agreement for maintenance. The product maintainers might provide some support for these features as a best effort only.
+ +
+
+*: the mention of "unsupported" or "deprecated" for a feature throughout this document means that this feature
+is not officially supported by Red Hat. It might have been, for example, contributed by the community
+and accepted without a formal agreement for maintenance. The product maintainers might provide some support
+for these features as a best effort only.
 
 |===
 == .metadata
@@ -57,9 +61,14 @@ Type::
 Description::
 +
 --
-Defines the desired state of the FlowCollector resource.  +
+Defines the desired state of the FlowCollector resource.
  +
- *: the mention of "unsupported", or "deprecated" for a feature throughout this document means that this feature is not officially supported by Red Hat. It might have been, for example, contributed by the community and accepted without a formal agreement for maintenance. The product maintainers might provide some support for these features as a best effort only.
+ +
+
+*: the mention of "unsupported" or "deprecated" for a feature throughout this document means that this feature
+is not officially supported by Red Hat. It might have been, for example, contributed by the community
+and accepted without a formal agreement for maintenance. The product maintainers might provide some support
+for these features as a best effort only.
 --
 
 Type::
@@ -83,9 +92,12 @@ Type::
 | `deploymentModel`
 | `string`
 | `deploymentModel` defines the desired type of deployment for flow processing. Possible values are: +
- - `Direct` (default) to make the flow processor listening directly from the agents. +
- - `Kafka` to make flows sent to a Kafka pipeline before consumption by the processor. +
- Kafka can provide better scalability, resiliency, and high availability (for more details, see https://www.redhat.com/en/topics/integration/what-is-apache-kafka).
+
+- `Direct` (default) to make the flow processor listen directly from the agents. +
+
+- `Kafka` to make flows sent to a Kafka pipeline before consumption by the processor. +
+
+Kafka can provide better scalability, resiliency, and high availability (for more details, see https://www.redhat.com/en/topics/integration/what-is-apache-kafka).
 
 | `exporters`
 | `array`
@@ -105,7 +117,12 @@ Type::
 
 | `processor`
 | `object`
-| `processor` defines the settings of the component that receives the flows from the agent, enriches them, generates metrics, and forwards them to the Loki persistence layer and/or any available exporter.
+| `processor` defines the settings of the component that receives the flows from the agent,
+enriches them, generates metrics, and forwards them to the Loki persistence layer and/or any available exporter.
+
+| `prometheus`
+| `object`
+| `prometheus` defines Prometheus settings, such as querier configuration used to fetch metrics from the Console plugin.
 
 |===
 == .spec.agent
@@ -127,25 +144,21 @@ Type::
 
 | `ebpf`
 | `object`
-| `ebpf` describes the settings related to the eBPF-based flow reporter when `spec.agent.type` is set to `eBPF`.
-
-| `ipfix`
-| `object`
-| `ipfix` [deprecated (*)] - describes the settings related to the IPFIX-based flow reporter when `spec.agent.type` is set to `IPFIX`.
+| `ebpf` describes the settings related to the eBPF-based flow reporter when `spec.agent.type`
+is set to `eBPF`.
 
 | `type`
 | `string`
-| `type` selects the flows tracing agent. Possible values are: +
- - `eBPF` (default) to use Network Observability eBPF agent. +
- - `IPFIX` [deprecated (*)] - to use the legacy IPFIX collector. +
- `eBPF` is recommended as it offers better performances and should work regardless of the CNI installed on the cluster. `IPFIX` works with OVN-Kubernetes CNI (other CNIs could work if they support exporting IPFIX, but they would require manual configuration).
+| `type` [deprecated (*)] selects the flows tracing agent. Previously, this field allowed to select between `eBPF` or `IPFIX`.
+Only `eBPF` is allowed now, so this field is deprecated and is planned for removal in a future version of the API.
 
 |===
 == .spec.agent.ebpf
 Description::
 +
 --
-`ebpf` describes the settings related to the eBPF-based flow reporter when `spec.agent.type` is set to `eBPF`.
+`ebpf` describes the settings related to the eBPF-based flow reporter when `spec.agent.type`
+is set to `eBPF`.
 --
 
 Type::
@@ -160,27 +173,44 @@ Type::
 
 | `advanced`
 | `object`
-| `advanced` allows setting some aspects of the internal configuration of the eBPF agent. This section is aimed mostly for debugging and fine-grained performance optimizations, such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk.
+| `advanced` allows setting some aspects of the internal configuration of the eBPF agent.
+This section is aimed mostly for debugging and fine-grained performance optimizations,
+such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk.
 
 | `cacheActiveTimeout`
 | `string`
-| `cacheActiveTimeout` is the max period during which the reporter aggregates flows before sending. Increasing `cacheMaxFlows` and `cacheActiveTimeout` can decrease the network traffic overhead and the CPU load, however you can expect higher memory consumption and an increased latency in the flow collection.
+| `cacheActiveTimeout` is the max period during which the reporter aggregates flows before sending.
+Increasing `cacheMaxFlows` and `cacheActiveTimeout` can decrease the network traffic overhead and the CPU load,
+however you can expect higher memory consumption and an increased latency in the flow collection.
 
 | `cacheMaxFlows`
 | `integer`
-| `cacheMaxFlows` is the max number of flows in an aggregate; when reached, the reporter sends the flows. Increasing `cacheMaxFlows` and `cacheActiveTimeout` can decrease the network traffic overhead and the CPU load, however you can expect higher memory consumption and an increased latency in the flow collection.
+| `cacheMaxFlows` is the max number of flows in an aggregate; when reached, the reporter sends the flows.
+Increasing `cacheMaxFlows` and `cacheActiveTimeout` can decrease the network traffic overhead and the CPU load,
+however you can expect higher memory consumption and an increased latency in the flow collection.
 
 | `excludeInterfaces`
 | `array (string)`
-| `excludeInterfaces` contains the interface names that are excluded from flow tracing. An entry enclosed by slashes, such as `/br-/`, is matched as a regular expression. Otherwise it is matched as a case-sensitive string.
+| `excludeInterfaces` contains the interface names that are excluded from flow tracing.
+An entry enclosed by slashes, such as `/br-/`, is matched as a regular expression.
+Otherwise it is matched as a case-sensitive string.
 
 | `features`
 | `array (string)`
 | List of additional features to enable. They are all disabled by default. Enabling additional features might have performance impacts. Possible values are: +
- - `PacketDrop`: enable the packets drop flows logging feature. This feature requires mounting the kernel debug filesystem, so the eBPF pod has to run as privileged. If the `spec.agent.ebpf.privileged` parameter is not set, an error is reported. +
- - `DNSTracking`: enable the DNS tracking feature. +
- - `FlowRTT`: enable flow latency (RTT) calculations in the eBPF agent during TCP handshakes. This feature better works with `sampling` set to 1. +
 
+- `PacketDrop`: enable the packets drop flows logging feature. This feature requires mounting
+the kernel debug filesystem, so the eBPF pod has to run as privileged.
+If the `spec.agent.ebpf.privileged` parameter is not set, an error is reported. +
+
+- `DNSTracking`: enable the DNS tracking feature. +
+
+- `FlowRTT`: enable flow latency (sRTT) extraction in the eBPF agent from TCP traffic. +
+
+
+| `flowFilter`
+| `object`
+| `flowFilter` defines the eBPF agent configuration regarding flow filtering.
 
 | `imagePullPolicy`
 | `string`
@@ -188,23 +218,35 @@ Type::
 
 | `interfaces`
 | `array (string)`
-| `interfaces` contains the interface names from where flows are collected. If empty, the agent fetches all the interfaces in the system, excepting the ones listed in ExcludeInterfaces. An entry enclosed by slashes, such as `/br-/`, is matched as a regular expression. Otherwise it is matched as a case-sensitive string.
+| `interfaces` contains the interface names from where flows are collected. If empty, the agent
+fetches all the interfaces in the system, excepting the ones listed in `excludeInterfaces`.
+An entry enclosed by slashes, such as `/br-/`, is matched as a regular expression.
+Otherwise it is matched as a case-sensitive string.
 
 | `kafkaBatchSize`
 | `integer`
-| `kafkaBatchSize` limits the maximum size of a request in bytes before being sent to a partition. Ignored when not using Kafka. Default: 10MB.
+| `kafkaBatchSize` limits the maximum size of a request in bytes before being sent to a partition. Ignored when not using Kafka. Default: 1MB.
 
 | `logLevel`
 | `string`
 | `logLevel` defines the log level for the Network Observability eBPF Agent
 
+| `metrics`
+| `object`
+| `metrics` defines the eBPF agent configuration regarding metrics.
+
 | `privileged`
 | `boolean`
-| Privileged mode for the eBPF Agent container. When ignored or set to `false`, the operator sets granular capabilities (BPF, PERFMON, NET_ADMIN, SYS_RESOURCE) to the container. If for some reason these capabilities cannot be set, such as if an old kernel version not knowing CAP_BPF is in use, then you can turn on this mode for more global privileges. Some agent features require the privileged mode, such as packet drops tracking (see `features`) and SR-IOV support.
+| Privileged mode for the eBPF Agent container. When ignored or set to `false`, the operator sets
+granular capabilities (BPF, PERFMON, NET_ADMIN, SYS_RESOURCE) to the container.
+If for some reason these capabilities cannot be set, such as if an old kernel version not knowing CAP_BPF
+is in use, then you can turn on this mode for more global privileges.
+Some agent features require the privileged mode, such as packet drops tracking (see `features`) and SR-IOV support.
 
 | `resources`
 | `object`
-| `resources` are the compute resources required by this container. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+| `resources` are the compute resources required by this container.
+For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 
 | `sampling`
 | `integer`
@@ -215,7 +257,9 @@ Type::
 Description::
 +
 --
-`advanced` allows setting some aspects of the internal configuration of the eBPF agent. This section is aimed mostly for debugging and fine-grained performance optimizations, such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk.
+`advanced` allows setting some aspects of the internal configuration of the eBPF agent.
+This section is aimed mostly for debugging and fine-grained performance optimizations,
+such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk.
 --
 
 Type::
@@ -230,14 +274,21 @@ Type::
 
 | `env`
 | `object (string)`
-| `env` allows passing custom environment variables to underlying components. Useful for passing some very concrete performance-tuning options, such as `GOGC` and `GOMAXPROCS`, that should not be publicly exposed as part of the FlowCollector descriptor, as they are only useful in edge debug or support scenarios.
+| `env` allows passing custom environment variables to underlying components. Useful for passing
+some very concrete performance-tuning options, such as `GOGC` and `GOMAXPROCS`, that should not be
+publicly exposed as part of the FlowCollector descriptor, as they are only useful
+in edge debug or support scenarios.
+
+| `scheduling`
+| `object`
+| scheduling controls how the pods are scheduled on nodes.
 
 |===
-== .spec.agent.ebpf.resources
+== .spec.agent.ebpf.advanced.scheduling
 Description::
 +
 --
-`resources` are the compute resources required by this container. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+scheduling controls how the pods are scheduled on nodes.
 --
 
 Type::
@@ -250,20 +301,128 @@ Type::
 |===
 | Property | Type | Description
 
-| `limits`
+| `affinity`
+| `object`
+| If specified, the pod's scheduling constraints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.
+
+| `nodeSelector`
+| `object (string)`
+| `nodeSelector` allows scheduling of pods only onto nodes that have each of the specified labels.
+For documentation, refer to https://kubernetes.io/docs/concepts/configuration/assign-pod-node/.
+
+| `priorityClassName`
+| `string`
+| If specified, indicates the pod's priority. For documentation, refer to https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#how-to-use-priority-and-preemption.
+If not specified, default priority is used, or zero if there is no default.
+
+| `tolerations`
+| `array`
+| `tolerations` is a list of tolerations that allow the pod to schedule onto nodes with matching taints.
+For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.
+
+|===
+== .spec.agent.ebpf.advanced.scheduling.affinity
+Description::
++
+--
+If specified, the pod's scheduling constraints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.
+--
+
+Type::
+  `object`
+
+
+
+
+== .spec.agent.ebpf.advanced.scheduling.tolerations
+Description::
++
+--
+`tolerations` is a list of tolerations that allow the pod to schedule onto nodes with matching taints.
+For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.
+--
+
+Type::
+  `array`
+
+
+
+
+== .spec.agent.ebpf.flowFilter
+Description::
++
+--
+`flowFilter` defines the eBPF agent configuration regarding flow filtering.
+--
+
+Type::
+  `object`
+
+
+
+
+[cols="1,1,1",options="header"]
+|===
+| Property | Type | Description
+
+| `action`
+| `string`
+| `action` defines the action to perform on the flows that match the filter.
+
+| `cidr`
+| `string`
+| `cidr` defines the IP CIDR to filter flows by.
+Examples: `10.10.10.0/24` or `100:100:100:100::/64`
+
+| `destPorts`
 | `integer-or-string`
-| Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+| `destPorts` defines the destination ports to filter flows by.
+To filter a single port, set a single port as an integer value. For example: `destPorts: 80`.
+To filter a range of ports, use a "start-end" range in string format. For example: `destPorts: "80-100"`.
 
-| `requests`
+| `direction`
+| `string`
+| `direction` defines the direction to filter flows by.
+
+| `enable`
+| `boolean`
+| Set `enable` to `true` to enable the eBPF flow filtering feature.
+
+| `icmpCode`
+| `integer`
+| `icmpCode`, for Internet Control Message Protocol (ICMP) traffic, defines the ICMP code to filter flows by.
+
+| `icmpType`
+| `integer`
+| `icmpType`, for ICMP traffic, defines the ICMP type to filter flows by.
+
+| `peerIP`
+| `string`
+| `peerIP` defines the IP address to filter flows by.
+Example: `10.10.10.10`.
+
+| `ports`
 | `integer-or-string`
-| Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+| `ports` defines the ports to filter flows by. It is used both for source and destination ports.
+To filter a single port, set a single port as an integer value. For example: `ports: 80`.
+To filter a range of ports, use a "start-end" range in string format. For example: `ports: "80-100"`.
+
+| `protocol`
+| `string`
+| `protocol` defines the protocol to filter flows by.
+
+| `sourcePorts`
+| `integer-or-string`
+| `sourcePorts` defines the source ports to filter flows by.
+To filter a single port, set a single port as an integer value. For example: `sourcePorts: 80`.
+To filter a range of ports, use a "start-end" range in string format. For example: `sourcePorts: "80-100"`.
 
 |===
-== .spec.agent.ipfix
+== .spec.agent.ebpf.metrics
 Description::
 +
 --
-`ipfix` [deprecated (*)] - describes the settings related to the IPFIX-based flow reporter when `spec.agent.type` is set to `IPFIX`.
+`metrics` defines the eBPF agent configuration regarding metrics.
 --
 
 Type::
@@ -276,36 +435,93 @@ Type::
 |===
 | Property | Type | Description
 
-| `cacheActiveTimeout`
-| `string`
-| `cacheActiveTimeout` is the max period during which the reporter aggregates flows before sending.
+| `disableAlerts`
+| `array (string)`
+| `disableAlerts` is a list of alerts that should be disabled.
+Possible values are: +
 
-| `cacheMaxFlows`
+`NetObservDroppedFlows`, which is triggered when the eBPF agent is dropping flows, such as when the BPF hashmap is full or the capacity limiter is being triggered. +
+
+
+| `enable`
+| `boolean`
+| Set `enable` to `false` to disable eBPF agent metrics collection. It is enabled by default.
+
+| `server`
+| `object`
+| Metrics server endpoint configuration for the Prometheus scraper.
+
+|===
+== .spec.agent.ebpf.metrics.server
+Description::
++
+--
+Metrics server endpoint configuration for the Prometheus scraper.
+--
+
+Type::
+  `object`
+
+
+
+
+[cols="1,1,1",options="header"]
+|===
+| Property | Type | Description
+
+| `port`
 | `integer`
-| `cacheMaxFlows` is the max number of flows in an aggregate; when reached, the reporter sends the flows.
+| The metrics server HTTP port.
 
-| `clusterNetworkOperator`
+| `tls`
 | `object`
-| `clusterNetworkOperator` defines the settings related to the {product-title} Cluster Network Operator, when available.
+| TLS configuration.
+
+|===
+== .spec.agent.ebpf.metrics.server.tls
+Description::
++
+--
+TLS configuration.
+--
+
+Type::
+  `object`
 
-| `forceSampleAll`
+
+
+
+[cols="1,1,1",options="header"]
+|===
+| Property | Type | Description
+
+| `insecureSkipVerify`
 | `boolean`
-| `forceSampleAll` allows disabling sampling in the IPFIX-based flow reporter. It is not recommended to sample all the traffic with IPFIX, as it might generate cluster instability. If you REALLY want to do that, set this flag to `true`. Use at your own risk. When it is set to `true`, the value of `sampling` is ignored.
+| `insecureSkipVerify` allows skipping client-side verification of the provided certificate.
+If set to `true`, the `providedCaFile` field is ignored.
 
-| `ovnKubernetes`
+| `provided`
 | `object`
-| `ovnKubernetes` defines the settings of the OVN-Kubernetes CNI, when available. This configuration is used when using OVN's IPFIX exports, without {product-title}. When using {product-title}, refer to the `clusterNetworkOperator` property instead.
+| TLS configuration when `type` is set to `Provided`.
 
-| `sampling`
-| `integer`
-| `sampling` is the sampling rate on the reporter. 100 means one flow on 100 is sent. To ensure cluster stability, it is not possible to set a value below 2. If you really want to sample every packet, which might impact the cluster stability, refer to `forceSampleAll`. Alternatively, you can use the eBPF Agent instead of IPFIX.
+| `providedCaFile`
+| `object`
+| Reference to the CA file when `type` is set to `Provided`.
+
+| `type`
+| `string`
+| Select the type of TLS configuration: +
+
+- `Disabled` (default) to not configure TLS for the endpoint.
+- `Provided` to manually provide cert file and a key file. [Unsupported (*)].
+- `Auto` to use {product-title} auto generated certificate using annotations.
 
 |===
-== .spec.agent.ipfix.clusterNetworkOperator
+== .spec.agent.ebpf.metrics.server.tls.provided
 Description::
 +
 --
-`clusterNetworkOperator` defines the settings related to the {product-title} Cluster Network Operator, when available.
+TLS configuration when `type` is set to `Provided`.
 --
 
 Type::
@@ -318,16 +534,33 @@ Type::
 |===
 | Property | Type | Description
 
+| `certFile`
+| `string`
+| `certFile` defines the path to the certificate file name within the config map or secret.
+
+| `certKey`
+| `string`
+| `certKey` defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.
+
+| `name`
+| `string`
+| Name of the config map or secret containing certificates.
+
 | `namespace`
 | `string`
-| Namespace  where the config map is going to be deployed.
+| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
+If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+
+| `type`
+| `string`
+| Type for the certificate reference: `configmap` or `secret`.
 
 |===
-== .spec.agent.ipfix.ovnKubernetes
+== .spec.agent.ebpf.metrics.server.tls.providedCaFile
 Description::
 +
 --
-`ovnKubernetes` defines the settings of the OVN-Kubernetes CNI, when available. This configuration is used when using OVN's IPFIX exports, without {product-title}. When using {product-title}, refer to the `clusterNetworkOperator` property instead.
+Reference to the CA file when `type` is set to `Provided`.
 --
 
 Type::
@@ -340,17 +573,53 @@ Type::
 |===
 | Property | Type | Description
 
-| `containerName`
+| `file`
 | `string`
-| `containerName` defines the name of the container to configure for IPFIX.
+| File name within the config map or secret.
 
-| `daemonSetName`
+| `name`
 | `string`
-| `daemonSetName` defines the name of the DaemonSet controlling the OVN-Kubernetes pods.
+| Name of the config map or secret containing the file.
 
 | `namespace`
 | `string`
-| Namespace where OVN-Kubernetes pods are deployed.
+| Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed.
+If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+
+| `type`
+| `string`
+| Type for the file reference: "configmap" or "secret".
+
+|===
+== .spec.agent.ebpf.resources
+Description::
++
+--
+`resources` are the compute resources required by this container.
+For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+--
+
+Type::
+  `object`
+
+
+
+
+[cols="1,1,1",options="header"]
+|===
+| Property | Type | Description
+
+| `limits`
+| `integer-or-string`
+| Limits describes the maximum amount of compute resources allowed.
+More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
+| `requests`
+| `integer-or-string`
+| Requests describes the minimum amount of compute resources required.
+If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+otherwise to an implementation-defined value. Requests cannot exceed Limits.
+More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 
 |===
 == .spec.consolePlugin
@@ -372,7 +641,9 @@ Type::
 
 | `advanced`
 | `object`
-| `advanced` allows setting some aspects of the internal configuration of the console plugin. This section is aimed mostly for debugging and fine-grained performance optimizations, such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk.
+| `advanced` allows setting some aspects of the internal configuration of the console plugin.
+This section is aimed mostly for debugging and fine-grained performance optimizations,
+such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk.
 
 | `autoscaler`
 | `object`
@@ -380,7 +651,7 @@ Type::
 
 | `enable`
 | `boolean`
-| Enables the console plugin deployment. `spec.loki.enable` must also be `true`
+| Enables the console plugin deployment.
 
 | `imagePullPolicy`
 | `string`
@@ -404,14 +675,17 @@ Type::
 
 | `resources`
 | `object`
-| `resources`, in terms of compute resources, required by this container. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+| `resources`, in terms of compute resources, required by this container.
+For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 
 |===
 == .spec.consolePlugin.advanced
 Description::
 +
 --
-`advanced` allows setting some aspects of the internal configuration of the console plugin. This section is aimed mostly for debugging and fine-grained performance optimizations, such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk.
+`advanced` allows setting some aspects of the internal configuration of the console plugin.
+This section is aimed mostly for debugging and fine-grained performance optimizations,
+such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk.
 --
 
 Type::
@@ -426,11 +700,17 @@ Type::
 
 | `args`
 | `array (string)`
-| `args` allows passing custom arguments to underlying components. Useful for overriding some parameters, such as an url or a configuration path, that should not be publicly exposed as part of the FlowCollector descriptor, as they are only useful in edge debug or support scenarios.
+| `args` allows passing custom arguments to underlying components. Useful for overriding
+some parameters, such as a URL or a configuration path, that should not be
+publicly exposed as part of the FlowCollector descriptor, as they are only useful
+in edge debug or support scenarios.
 
 | `env`
 | `object (string)`
-| `env` allows passing custom environment variables to underlying components. Useful for passing some very concrete performance-tuning options, such as `GOGC` and `GOMAXPROCS`, that should not be publicly exposed as part of the FlowCollector descriptor, as they are only useful in edge debug or support scenarios.
+| `env` allows passing custom environment variables to underlying components. Useful for passing
+some very concrete performance-tuning options, such as `GOGC` and `GOMAXPROCS`, that should not be
+publicly exposed as part of the FlowCollector descriptor, as they are only useful
+in edge debug or support scenarios.
 
 | `port`
 | `integer`
@@ -438,9 +718,79 @@ Type::
 
 | `register`
 | `boolean`
-| `register` allows, when set to `true`, to automatically register the provided console plugin with the {product-title} Console operator. When set to `false`, you can still register it manually by editing console.operator.openshift.io/cluster with the following command: `oc patch console.operator.openshift.io cluster --type='json' -p '[{"op": "add", "path": "/spec/plugins/-", "value": "netobserv-plugin"}]'`
+| `register` allows, when set to `true`, to automatically register the provided console plugin with the {product-title} Console operator.
+When set to `false`, you can still register it manually by editing console.operator.openshift.io/cluster with the following command:
+`oc patch console.operator.openshift.io cluster --type='json' -p '[{"op": "add", "path": "/spec/plugins/-", "value": "netobserv-plugin"}]'`
+
+| `scheduling`
+| `object`
+| `scheduling` controls how the pods are scheduled on nodes.
+
+|===
+== .spec.consolePlugin.advanced.scheduling
+Description::
++
+--
+`scheduling` controls how the pods are scheduled on nodes.
+--
+
+Type::
+  `object`
+
+
+
+
+[cols="1,1,1",options="header"]
+|===
+| Property | Type | Description
+
+| `affinity`
+| `object`
+| If specified, the pod's scheduling constraints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.
+
+| `nodeSelector`
+| `object (string)`
+| `nodeSelector` allows scheduling of pods only onto nodes that have each of the specified labels.
+For documentation, refer to https://kubernetes.io/docs/concepts/configuration/assign-pod-node/.
+
+| `priorityClassName`
+| `string`
+| If specified, indicates the pod's priority. For documentation, refer to https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#how-to-use-priority-and-preemption.
+If not specified, default priority is used, or zero if there is no default.
+
+| `tolerations`
+| `array`
+| `tolerations` is a list of tolerations that allow the pod to schedule onto nodes with matching taints.
+For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.
 
 |===
+== .spec.consolePlugin.advanced.scheduling.affinity
+Description::
++
+--
+If specified, the pod's scheduling constraints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.
+--
+
+Type::
+  `object`
+
+
+
+
+== .spec.consolePlugin.advanced.scheduling.tolerations
+Description::
++
+--
+`tolerations` is a list of tolerations that allow the pod to schedule onto nodes with matching taints.
+For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.
+--
+
+Type::
+  `array`
+
+
+
+
 == .spec.consolePlugin.autoscaler
 Description::
 +
@@ -477,7 +827,8 @@ Type::
 
 | `portNames`
 | `object (string)`
-| `portNames` defines additional port names to use in the console, for example, `portNames: {"3100": "loki"}`.
+| `portNames` defines additional port names to use in the console,
+for example, `portNames: {"3100": "loki"}`.
 
 |===
 == .spec.consolePlugin.quickFilters
@@ -519,7 +870,8 @@ Required::
 
 | `filter`
 | `object (string)`
-| `filter` is a set of keys and values to be set when this filter is selected. Each key can relate to a list of values using a coma-separated string, for example, `filter: {"src_namespace": "namespace1,namespace2"}`.
+| `filter` is a set of keys and values to be set when this filter is selected. Each key can relate to a list of values using a coma-separated string,
+for example, `filter: {"src_namespace": "namespace1,namespace2"}`.
 
 | `name`
 | `string`
@@ -530,7 +882,8 @@ Required::
 Description::
 +
 --
-`resources`, in terms of compute resources, required by this container. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+`resources`, in terms of compute resources, required by this container.
+For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 --
 
 Type::
@@ -545,11 +898,15 @@ Type::
 
 | `limits`
 | `integer-or-string`
-| Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+| Limits describes the maximum amount of compute resources allowed.
+More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 
 | `requests`
 | `integer-or-string`
-| Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+| Requests describes the minimum amount of compute resources required.
+If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+otherwise to an implementation-defined value. Requests cannot exceed Limits.
+More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 
 |===
 == .spec.exporters
@@ -716,19 +1073,20 @@ Type::
 
 | `file`
 | `string`
-| File name within the config map or secret
+| File name within the config map or secret.
 
 | `name`
 | `string`
-| Name of the config map or secret containing the file
+| Name of the config map or secret containing the file.
 
 | `namespace`
 | `string`
-| Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+| Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed.
+If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
 
 | `type`
 | `string`
-| Type for the file reference: "configmap" or "secret"
+| Type for the file reference: "configmap" or "secret".
 
 |===
 == .spec.exporters[].kafka.sasl.clientSecretReference
@@ -750,19 +1108,20 @@ Type::
 
 | `file`
 | `string`
-| File name within the config map or secret
+| File name within the config map or secret.
 
 | `name`
 | `string`
-| Name of the config map or secret containing the file
+| Name of the config map or secret containing the file.
 
 | `namespace`
 | `string`
-| Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+| Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed.
+If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
 
 | `type`
 | `string`
-| Type for the file reference: "configmap" or "secret"
+| Type for the file reference: "configmap" or "secret".
 
 |===
 == .spec.exporters[].kafka.tls
@@ -792,7 +1151,8 @@ Type::
 
 | `insecureSkipVerify`
 | `boolean`
-| `insecureSkipVerify` allows skipping client-side verification of the server certificate. If set to `true`, the `caCert` field is ignored.
+| `insecureSkipVerify` allows skipping client-side verification of the server certificate.
+If set to `true`, the `caCert` field is ignored.
 
 | `userCert`
 | `object`
@@ -818,7 +1178,7 @@ Type::
 
 | `certFile`
 | `string`
-| `certFile` defines the path to the certificate file name within the config map or secret
+| `certFile` defines the path to the certificate file name within the config map or secret.
 
 | `certKey`
 | `string`
@@ -826,15 +1186,16 @@ Type::
 
 | `name`
 | `string`
-| Name of the config map or secret containing certificates
+| Name of the config map or secret containing certificates.
 
 | `namespace`
 | `string`
-| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
+If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
 
 | `type`
 | `string`
-| Type for the certificate reference: `configmap` or `secret`
+| Type for the certificate reference: `configmap` or `secret`.
 
 |===
 == .spec.exporters[].kafka.tls.userCert
@@ -856,7 +1217,7 @@ Type::
 
 | `certFile`
 | `string`
-| `certFile` defines the path to the certificate file name within the config map or secret
+| `certFile` defines the path to the certificate file name within the config map or secret.
 
 | `certKey`
 | `string`
@@ -864,15 +1225,16 @@ Type::
 
 | `name`
 | `string`
-| Name of the config map or secret containing certificates
+| Name of the config map or secret containing certificates.
 
 | `namespace`
 | `string`
-| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
+If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
 
 | `type`
 | `string`
-| Type for the certificate reference: `configmap` or `secret`
+| Type for the certificate reference: `configmap` or `secret`.
 
 |===
 == .spec.kafka
@@ -961,19 +1323,20 @@ Type::
 
 | `file`
 | `string`
-| File name within the config map or secret
+| File name within the config map or secret.
 
 | `name`
 | `string`
-| Name of the config map or secret containing the file
+| Name of the config map or secret containing the file.
 
 | `namespace`
 | `string`
-| Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+| Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed.
+If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
 
 | `type`
 | `string`
-| Type for the file reference: "configmap" or "secret"
+| Type for the file reference: "configmap" or "secret".
 
 |===
 == .spec.kafka.sasl.clientSecretReference
@@ -995,19 +1358,20 @@ Type::
 
 | `file`
 | `string`
-| File name within the config map or secret
+| File name within the config map or secret.
 
 | `name`
 | `string`
-| Name of the config map or secret containing the file
+| Name of the config map or secret containing the file.
 
 | `namespace`
 | `string`
-| Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+| Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed.
+If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
 
 | `type`
 | `string`
-| Type for the file reference: "configmap" or "secret"
+| Type for the file reference: "configmap" or "secret".
 
 |===
 == .spec.kafka.tls
@@ -1037,7 +1401,8 @@ Type::
 
 | `insecureSkipVerify`
 | `boolean`
-| `insecureSkipVerify` allows skipping client-side verification of the server certificate. If set to `true`, the `caCert` field is ignored.
+| `insecureSkipVerify` allows skipping client-side verification of the server certificate.
+If set to `true`, the `caCert` field is ignored.
 
 | `userCert`
 | `object`
@@ -1063,7 +1428,7 @@ Type::
 
 | `certFile`
 | `string`
-| `certFile` defines the path to the certificate file name within the config map or secret
+| `certFile` defines the path to the certificate file name within the config map or secret.
 
 | `certKey`
 | `string`
@@ -1071,15 +1436,16 @@ Type::
 
 | `name`
 | `string`
-| Name of the config map or secret containing certificates
+| Name of the config map or secret containing certificates.
 
 | `namespace`
 | `string`
-| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
+If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
 
 | `type`
 | `string`
-| Type for the certificate reference: `configmap` or `secret`
+| Type for the certificate reference: `configmap` or `secret`.
 
 |===
 == .spec.kafka.tls.userCert
@@ -1101,7 +1467,7 @@ Type::
 
 | `certFile`
 | `string`
-| `certFile` defines the path to the certificate file name within the config map or secret
+| `certFile` defines the path to the certificate file name within the config map or secret.
 
 | `certKey`
 | `string`
@@ -1109,15 +1475,16 @@ Type::
 
 | `name`
 | `string`
-| Name of the config map or secret containing certificates
+| Name of the config map or secret containing certificates.
 
 | `namespace`
 | `string`
-| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
+If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
 
 | `type`
 | `string`
-| Type for the certificate reference: `configmap` or `secret`
+| Type for the certificate reference: `configmap` or `secret`.
 
 |===
 == .spec.loki
@@ -1139,40 +1506,57 @@ Type::
 
 | `advanced`
 | `object`
-| `advanced` allows setting some aspects of the internal configuration of the Loki clients. This section is aimed mostly for debugging and fine-grained performance optimizations.
+| `advanced` allows setting some aspects of the internal configuration of the Loki clients.
+This section is aimed mostly for debugging and fine-grained performance optimizations.
 
 | `enable`
 | `boolean`
-| Set `enable` to `true` to store flows in Loki. It is required for the {product-title} Console plugin installation.
+| Set `enable` to `true` to store flows in Loki.
+The Console plugin can use either Loki or Prometheus as a data source for metrics (see also `spec.prometheus.querier`), or both.
+Not all queries are transposable from Loki to Prometheus. Hence, if Loki is disabled, some features of the plugin are disabled as well,
+such as getting per-pod information or viewing raw flows.
+If both Prometheus and Loki are enabled, Prometheus takes precedence and Loki is used as a fallback for queries that Prometheus cannot handle.
+If they are both disabled, the Console plugin is not deployed.
 
 | `lokiStack`
 | `object`
-| Loki configuration for `LokiStack` mode. This is useful for an easy loki-operator configuration. It is ignored for other modes.
+| Loki configuration for `LokiStack` mode. This is useful for an easy Loki Operator configuration.
+It is ignored for other modes.
 
 | `manual`
 | `object`
-| Loki configuration for `Manual` mode. This is the most flexible configuration. It is ignored for other modes.
+| Loki configuration for `Manual` mode. This is the most flexible configuration.
+It is ignored for other modes.
 
 | `microservices`
 | `object`
-| Loki configuration for `Microservices` mode. Use this option when Loki is installed using the microservices deployment mode (https://grafana.com/docs/loki/latest/fundamentals/architecture/deployment-modes/#microservices-mode). It is ignored for other modes.
+| Loki configuration for `Microservices` mode.
+Use this option when Loki is installed using the microservices deployment mode (https://grafana.com/docs/loki/latest/fundamentals/architecture/deployment-modes/#microservices-mode).
+It is ignored for other modes.
 
 | `mode`
 | `string`
 | `mode` must be set according to the installation mode of Loki: +
- - Use `LokiStack` when Loki is managed using the Loki Operator +
- - Use `Monolithic` when Loki is installed as a monolithic workload +
- - Use `Microservices` when Loki is installed as microservices, but without Loki Operator +
- - Use `Manual` if none of the options above match your setup +
+
+- Use `LokiStack` when Loki is managed using the Loki Operator +
+
+- Use `Monolithic` when Loki is installed as a monolithic workload +
+
+- Use `Microservices` when Loki is installed as microservices, but without Loki Operator +
+
+- Use `Manual` if none of the options above match your setup +
 
 
 | `monolithic`
 | `object`
-| Loki configuration for `Monolithic` mode. Use this option when Loki is installed using the monolithic deployment mode (https://grafana.com/docs/loki/latest/fundamentals/architecture/deployment-modes/#monolithic-mode). It is ignored for other modes.
+| Loki configuration for `Monolithic` mode.
+Use this option when Loki is installed using the monolithic deployment mode (https://grafana.com/docs/loki/latest/fundamentals/architecture/deployment-modes/#monolithic-mode).
+It is ignored for other modes.
 
 | `readTimeout`
 | `string`
-| `readTimeout` is the maximum console plugin loki query total time limit. A timeout of zero means no timeout.
+| `readTimeout` is the maximum console plugin loki query total time limit.
+A timeout of zero means no timeout.
 
 | `writeBatchSize`
 | `integer`
@@ -1184,14 +1568,16 @@ Type::
 
 | `writeTimeout`
 | `string`
-| `writeTimeout` is the maximum Loki time connection / request limit. A timeout of zero means no timeout.
+| `writeTimeout` is the maximum Loki time connection / request limit.
+A timeout of zero means no timeout.
 
 |===
 == .spec.loki.advanced
 Description::
 +
 --
-`advanced` allows setting some aspects of the internal configuration of the Loki clients. This section is aimed mostly for debugging and fine-grained performance optimizations.
+`advanced` allows setting some aspects of the internal configuration of the Loki clients.
+This section is aimed mostly for debugging and fine-grained performance optimizations.
 --
 
 Type::
@@ -1225,7 +1611,8 @@ Type::
 Description::
 +
 --
-Loki configuration for `LokiStack` mode. This is useful for an easy loki-operator configuration. It is ignored for other modes.
+Loki configuration for `LokiStack` mode. This is useful for an easy Loki Operator configuration.
+It is ignored for other modes.
 --
 
 Type::
@@ -1251,7 +1638,8 @@ Type::
 Description::
 +
 --
-Loki configuration for `Manual` mode. This is the most flexible configuration. It is ignored for other modes.
+Loki configuration for `Manual` mode. This is the most flexible configuration.
+It is ignored for other modes.
 --
 
 Type::
@@ -1267,18 +1655,26 @@ Type::
 | `authToken`
 | `string`
 | `authToken` describes the way to get a token to authenticate to Loki. +
- - `Disabled` does not send any token with the request. +
- - `Forward` forwards the user token for authorization. +
- - `Host` [deprecated (*)] - uses the local pod service account to authenticate to Loki. +
- When using the Loki Operator, this must be set to `Forward`.
+
+- `Disabled` does not send any token with the request. +
+
+- `Forward` forwards the user token for authorization. +
+
+- `Host` [deprecated (*)] - uses the local pod service account to authenticate to Loki. +
+
+When using the Loki Operator, this must be set to `Forward`.
 
 | `ingesterUrl`
 | `string`
-| `ingesterUrl` is the address of an existing Loki ingester service to push the flows to. When using the Loki Operator, set it to the Loki gateway service with the `network` tenant set in path, for example https://loki-gateway-http.netobserv.svc:8080/api/logs/v1/network.
+| `ingesterUrl` is the address of an existing Loki ingester service to push the flows to. When using the Loki Operator,
+set it to the Loki gateway service with the `network` tenant set in path, for example
+https://loki-gateway-http.netobserv.svc:8080/api/logs/v1/network.
 
 | `querierUrl`
 | `string`
-| `querierUrl` specifies the address of the Loki querier service. When using the Loki Operator, set it to the Loki gateway service with the `network` tenant set in path, for example https://loki-gateway-http.netobserv.svc:8080/api/logs/v1/network.
+| `querierUrl` specifies the address of the Loki querier service.
+When using the Loki Operator, set it to the Loki gateway service with the `network` tenant set in path, for example
+https://loki-gateway-http.netobserv.svc:8080/api/logs/v1/network.
 
 | `statusTls`
 | `object`
@@ -1286,11 +1682,17 @@ Type::
 
 | `statusUrl`
 | `string`
-| `statusUrl` specifies the address of the Loki `/ready`, `/metrics` and `/config` endpoints, in case it is different from the Loki querier URL. If empty, the `querierUrl` value is used. This is useful to show error messages and some context in the frontend. When using the Loki Operator, set it to the Loki HTTP query frontend service, for example https://loki-query-frontend-http.netobserv.svc:3100/. `statusTLS` configuration is used when `statusUrl` is set.
+| `statusUrl` specifies the address of the Loki `/ready`, `/metrics` and `/config` endpoints, in case it is different from the
+Loki querier URL. If empty, the `querierUrl` value is used.
+This is useful to show error messages and some context in the frontend.
+When using the Loki Operator, set it to the Loki HTTP query frontend service, for example
+https://loki-query-frontend-http.netobserv.svc:3100/.
+`statusTLS` configuration is used when `statusUrl` is set.
 
 | `tenantID`
 | `string`
-| `tenantID` is the Loki `X-Scope-OrgID` that identifies the tenant for each request. When using the Loki Operator, set it to `network`, which corresponds to a special tenant mode.
+| `tenantID` is the Loki `X-Scope-OrgID` that identifies the tenant for each request.
+When using the Loki Operator, set it to `network`, which corresponds to a special tenant mode.
 
 | `tls`
 | `object`
@@ -1324,7 +1726,8 @@ Type::
 
 | `insecureSkipVerify`
 | `boolean`
-| `insecureSkipVerify` allows skipping client-side verification of the server certificate. If set to `true`, the `caCert` field is ignored.
+| `insecureSkipVerify` allows skipping client-side verification of the server certificate.
+If set to `true`, the `caCert` field is ignored.
 
 | `userCert`
 | `object`
@@ -1350,7 +1753,7 @@ Type::
 
 | `certFile`
 | `string`
-| `certFile` defines the path to the certificate file name within the config map or secret
+| `certFile` defines the path to the certificate file name within the config map or secret.
 
 | `certKey`
 | `string`
@@ -1358,15 +1761,16 @@ Type::
 
 | `name`
 | `string`
-| Name of the config map or secret containing certificates
+| Name of the config map or secret containing certificates.
 
 | `namespace`
 | `string`
-| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
+If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
 
 | `type`
 | `string`
-| Type for the certificate reference: `configmap` or `secret`
+| Type for the certificate reference: `configmap` or `secret`.
 
 |===
 == .spec.loki.manual.statusTls.userCert
@@ -1388,7 +1792,7 @@ Type::
 
 | `certFile`
 | `string`
-| `certFile` defines the path to the certificate file name within the config map or secret
+| `certFile` defines the path to the certificate file name within the config map or secret.
 
 | `certKey`
 | `string`
@@ -1396,15 +1800,16 @@ Type::
 
 | `name`
 | `string`
-| Name of the config map or secret containing certificates
+| Name of the config map or secret containing certificates.
 
 | `namespace`
 | `string`
-| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
+If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
 
 | `type`
 | `string`
-| Type for the certificate reference: `configmap` or `secret`
+| Type for the certificate reference: `configmap` or `secret`.
 
 |===
 == .spec.loki.manual.tls
@@ -1434,7 +1839,8 @@ Type::
 
 | `insecureSkipVerify`
 | `boolean`
-| `insecureSkipVerify` allows skipping client-side verification of the server certificate. If set to `true`, the `caCert` field is ignored.
+| `insecureSkipVerify` allows skipping client-side verification of the server certificate.
+If set to `true`, the `caCert` field is ignored.
 
 | `userCert`
 | `object`
@@ -1460,7 +1866,7 @@ Type::
 
 | `certFile`
 | `string`
-| `certFile` defines the path to the certificate file name within the config map or secret
+| `certFile` defines the path to the certificate file name within the config map or secret.
 
 | `certKey`
 | `string`
@@ -1468,15 +1874,16 @@ Type::
 
 | `name`
 | `string`
-| Name of the config map or secret containing certificates
+| Name of the config map or secret containing certificates.
 
 | `namespace`
 | `string`
-| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
+If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
 
 | `type`
 | `string`
-| Type for the certificate reference: `configmap` or `secret`
+| Type for the certificate reference: `configmap` or `secret`.
 
 |===
 == .spec.loki.manual.tls.userCert
@@ -1498,7 +1905,7 @@ Type::
 
 | `certFile`
 | `string`
-| `certFile` defines the path to the certificate file name within the config map or secret
+| `certFile` defines the path to the certificate file name within the config map or secret.
 
 | `certKey`
 | `string`
@@ -1506,22 +1913,25 @@ Type::
 
 | `name`
 | `string`
-| Name of the config map or secret containing certificates
+| Name of the config map or secret containing certificates.
 
 | `namespace`
 | `string`
-| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
+If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
 
 | `type`
 | `string`
-| Type for the certificate reference: `configmap` or `secret`
+| Type for the certificate reference: `configmap` or `secret`.
 
 |===
 == .spec.loki.microservices
 Description::
 +
 --
-Loki configuration for `Microservices` mode. Use this option when Loki is installed using the microservices deployment mode (https://grafana.com/docs/loki/latest/fundamentals/architecture/deployment-modes/#microservices-mode). It is ignored for other modes.
+Loki configuration for `Microservices` mode.
+Use this option when Loki is installed using the microservices deployment mode (https://grafana.com/docs/loki/latest/fundamentals/architecture/deployment-modes/#microservices-mode).
+It is ignored for other modes.
 --
 
 Type::
@@ -1578,7 +1988,8 @@ Type::
 
 | `insecureSkipVerify`
 | `boolean`
-| `insecureSkipVerify` allows skipping client-side verification of the server certificate. If set to `true`, the `caCert` field is ignored.
+| `insecureSkipVerify` allows skipping client-side verification of the server certificate.
+If set to `true`, the `caCert` field is ignored.
 
 | `userCert`
 | `object`
@@ -1604,7 +2015,7 @@ Type::
 
 | `certFile`
 | `string`
-| `certFile` defines the path to the certificate file name within the config map or secret
+| `certFile` defines the path to the certificate file name within the config map or secret.
 
 | `certKey`
 | `string`
@@ -1612,15 +2023,16 @@ Type::
 
 | `name`
 | `string`
-| Name of the config map or secret containing certificates
+| Name of the config map or secret containing certificates.
 
 | `namespace`
 | `string`
-| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
+If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
 
 | `type`
 | `string`
-| Type for the certificate reference: `configmap` or `secret`
+| Type for the certificate reference: `configmap` or `secret`.
 
 |===
 == .spec.loki.microservices.tls.userCert
@@ -1642,7 +2054,7 @@ Type::
 
 | `certFile`
 | `string`
-| `certFile` defines the path to the certificate file name within the config map or secret
+| `certFile` defines the path to the certificate file name within the config map or secret.
 
 | `certKey`
 | `string`
@@ -1650,22 +2062,25 @@ Type::
 
 | `name`
 | `string`
-| Name of the config map or secret containing certificates
+| Name of the config map or secret containing certificates.
 
 | `namespace`
 | `string`
-| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
+If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
 
 | `type`
 | `string`
-| Type for the certificate reference: `configmap` or `secret`
+| Type for the certificate reference: `configmap` or `secret`.
 
 |===
 == .spec.loki.monolithic
 Description::
 +
 --
-Loki configuration for `Monolithic` mode. Use this option when Loki is installed using the monolithic deployment mode (https://grafana.com/docs/loki/latest/fundamentals/architecture/deployment-modes/#monolithic-mode). It is ignored for other modes.
+Loki configuration for `Monolithic` mode.
+Use this option when Loki is installed using the monolithic deployment mode (https://grafana.com/docs/loki/latest/fundamentals/architecture/deployment-modes/#monolithic-mode).
+It is ignored for other modes.
 --
 
 Type::
@@ -1718,7 +2133,8 @@ Type::
 
 | `insecureSkipVerify`
 | `boolean`
-| `insecureSkipVerify` allows skipping client-side verification of the server certificate. If set to `true`, the `caCert` field is ignored.
+| `insecureSkipVerify` allows skipping client-side verification of the server certificate.
+If set to `true`, the `caCert` field is ignored.
 
 | `userCert`
 | `object`
@@ -1744,7 +2160,7 @@ Type::
 
 | `certFile`
 | `string`
-| `certFile` defines the path to the certificate file name within the config map or secret
+| `certFile` defines the path to the certificate file name within the config map or secret.
 
 | `certKey`
 | `string`
@@ -1752,15 +2168,16 @@ Type::
 
 | `name`
 | `string`
-| Name of the config map or secret containing certificates
+| Name of the config map or secret containing certificates.
 
 | `namespace`
 | `string`
-| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
+If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
 
 | `type`
 | `string`
-| Type for the certificate reference: `configmap` or `secret`
+| Type for the certificate reference: `configmap` or `secret`.
 
 |===
 == .spec.loki.monolithic.tls.userCert
@@ -1782,7 +2199,7 @@ Type::
 
 | `certFile`
 | `string`
-| `certFile` defines the path to the certificate file name within the config map or secret
+| `certFile` defines the path to the certificate file name within the config map or secret.
 
 | `certKey`
 | `string`
@@ -1790,22 +2207,24 @@ Type::
 
 | `name`
 | `string`
-| Name of the config map or secret containing certificates
+| Name of the config map or secret containing certificates.
 
 | `namespace`
 | `string`
-| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
+If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
 
 | `type`
 | `string`
-| Type for the certificate reference: `configmap` or `secret`
+| Type for the certificate reference: `configmap` or `secret`.
 
 |===
 == .spec.processor
 Description::
 +
 --
-`processor` defines the settings of the component that receives the flows from the agent, enriches them, generates metrics, and forwards them to the Loki persistence layer and/or any available exporter.
+`processor` defines the settings of the component that receives the flows from the agent,
+enriches them, generates metrics, and forwards them to the Loki persistence layer and/or any available exporter.
 --
 
 Type::
@@ -1820,11 +2239,14 @@ Type::
 
 | `addZone`
 | `boolean`
-| `addZone` allows availability zone awareness by labelling flows with their source and destination zones. This feature requires the "topology.kubernetes.io/zone" label to be set on nodes.
+| `addZone` allows availability zone awareness by labelling flows with their source and destination zones.
+This feature requires the "topology.kubernetes.io/zone" label to be set on nodes.
 
 | `advanced`
 | `object`
-| `advanced` allows setting some aspects of the internal configuration of the flow processor. This section is aimed mostly for debugging and fine-grained performance optimizations, such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk.
+| `advanced` allows setting some aspects of the internal configuration of the flow processor.
+This section is aimed mostly for debugging and fine-grained performance optimizations,
+such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk.
 
 | `clusterName`
 | `string`
@@ -1836,7 +2258,8 @@ Type::
 
 | `kafkaConsumerAutoscaler`
 | `object`
-| `kafkaConsumerAutoscaler` is the spec of a horizontal pod autoscaler to set up for `flowlogs-pipeline-transformer`, which consumes Kafka messages. This setting is ignored when Kafka is disabled. Refer to HorizontalPodAutoscaler documentation (autoscaling/v2).
+| `kafkaConsumerAutoscaler` is the spec of a horizontal pod autoscaler to set up for `flowlogs-pipeline-transformer`, which consumes Kafka messages.
+This setting is ignored when Kafka is disabled. Refer to HorizontalPodAutoscaler documentation (autoscaling/v2).
 
 | `kafkaConsumerBatchSize`
 | `integer`
@@ -1848,7 +2271,8 @@ Type::
 
 | `kafkaConsumerReplicas`
 | `integer`
-| `kafkaConsumerReplicas` defines the number of replicas (pods) to start for `flowlogs-pipeline-transformer`, which consumes Kafka messages. This setting is ignored when Kafka is disabled.
+| `kafkaConsumerReplicas` defines the number of replicas (pods) to start for `flowlogs-pipeline-transformer`, which consumes Kafka messages.
+This setting is ignored when Kafka is disabled.
 
 | `logLevel`
 | `string`
@@ -1857,13 +2281,17 @@ Type::
 | `logTypes`
 | `string`
 | `logTypes` defines the desired record types to generate. Possible values are: +
- - `Flows` (default) to export regular network flows +
- - `Conversations` to generate events for started conversations, ended conversations as well as periodic "tick" updates +
- - `EndedConversations` to generate only ended conversations events +
- - `All` to generate both network flows and all conversations events +
 
+- `Flows` (default) to export regular network flows +
 
-| `metrics`
+- `Conversations` to generate events for started conversations, ended conversations as well as periodic "tick" updates +
+
+- `EndedConversations` to generate only ended conversations events +
+
+- `All` to generate both network flows and all conversations events +
+
+
+| `metrics`
 | `object`
 | `Metrics` define the processor configuration regarding metrics
 
@@ -1873,14 +2301,22 @@ Type::
 
 | `resources`
 | `object`
-| `resources` are the compute resources required by this container. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+| `resources` are the compute resources required by this container.
+For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
+| `subnetLabels`
+| `object`
+| `subnetLabels` allows to define custom labels on subnets and IPs or to enable automatic labelling of recognized subnets in {product-title}, which is used to identify cluster external traffic.
+When a subnet matches the source or destination IP of a flow, a corresponding field is added: `SrcSubnetLabel` or `DstSubnetLabel`.
 
 |===
 == .spec.processor.advanced
 Description::
 +
 --
-`advanced` allows setting some aspects of the internal configuration of the flow processor. This section is aimed mostly for debugging and fine-grained performance optimizations, such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk.
+`advanced` allows setting some aspects of the internal configuration of the flow processor.
+This section is aimed mostly for debugging and fine-grained performance optimizations,
+such as `GOGC` and `GOMAXPROCS` env vars. Set these values at your own risk.
 --
 
 Type::
@@ -1895,7 +2331,8 @@ Type::
 
 | `conversationEndTimeout`
 | `string`
-| `conversationEndTimeout` is the time to wait after a network flow is received, to consider the conversation ended. This delay is ignored when a FIN packet is collected for TCP flows (see `conversationTerminatingTimeout` instead).
+| `conversationEndTimeout` is the time to wait after a network flow is received, to consider the conversation ended.
+This delay is ignored when a FIN packet is collected for TCP flows (see `conversationTerminatingTimeout` instead).
 
 | `conversationHeartbeatInterval`
 | `string`
@@ -1907,7 +2344,7 @@ Type::
 
 | `dropUnusedFields`
 | `boolean`
-| `dropUnusedFields` allows, when set to `true`, to drop fields that are known to be unused by OVS, to save storage space.
+| `dropUnusedFields` [deprecated (*)] this setting is not used anymore.
 
 | `enableKubeProbes`
 | `boolean`
@@ -1915,7 +2352,10 @@ Type::
 
 | `env`
 | `object (string)`
-| `env` allows passing custom environment variables to underlying components. Useful for passing some very concrete performance-tuning options, such as `GOGC` and `GOMAXPROCS`, that should not be publicly exposed as part of the FlowCollector descriptor, as they are only useful in edge debug or support scenarios.
+| `env` allows passing custom environment variables to underlying components. Useful for passing
+some very concrete performance-tuning options, such as `GOGC` and `GOMAXPROCS`, that should not be
+publicly exposed as part of the FlowCollector descriptor, as they are only useful
+in edge debug or support scenarios.
 
 | `healthPort`
 | `integer`
@@ -1923,18 +2363,89 @@ Type::
 
 | `port`
 | `integer`
-| Port of the flow collector (host port). By convention, some values are forbidden. It must be greater than 1024 and different from 4500, 4789 and 6081.
+| Port of the flow collector (host port).
+By convention, some values are forbidden. It must be greater than 1024 and different from
+4500, 4789 and 6081.
 
 | `profilePort`
 | `integer`
 | `profilePort` allows setting up a Go pprof profiler listening to this port
 
+| `scheduling`
+| `object`
+| scheduling controls how the pods are scheduled on nodes.
+
 |===
+== .spec.processor.advanced.scheduling
+Description::
++
+--
+scheduling controls how the pods are scheduled on nodes.
+--
+
+Type::
+  `object`
+
+
+
+
+[cols="1,1,1",options="header"]
+|===
+| Property | Type | Description
+
+| `affinity`
+| `object`
+| If specified, the pod's scheduling constraints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.
+
+| `nodeSelector`
+| `object (string)`
+| `nodeSelector` allows scheduling of pods only onto nodes that have each of the specified labels.
+For documentation, refer to https://kubernetes.io/docs/concepts/configuration/assign-pod-node/.
+
+| `priorityClassName`
+| `string`
+| If specified, indicates the pod's priority. For documentation, refer to https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#how-to-use-priority-and-preemption.
+If not specified, default priority is used, or zero if there is no default.
+
+| `tolerations`
+| `array`
+| `tolerations` is a list of tolerations that allow the pod to schedule onto nodes with matching taints.
+For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.
+
+|===
+== .spec.processor.advanced.scheduling.affinity
+Description::
++
+--
+If specified, the pod's scheduling constraints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.
+--
+
+Type::
+  `object`
+
+
+
+
+== .spec.processor.advanced.scheduling.tolerations
+Description::
++
+--
+`tolerations` is a list of tolerations that allow the pod to schedule onto nodes with matching taints.
+For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.
+--
+
+Type::
+  `array`
+
+
+
+
 == .spec.processor.kafkaConsumerAutoscaler
 Description::
 +
 --
-`kafkaConsumerAutoscaler` is the spec of a horizontal pod autoscaler to set up for `flowlogs-pipeline-transformer`, which consumes Kafka messages. This setting is ignored when Kafka is disabled. Refer to HorizontalPodAutoscaler documentation (autoscaling/v2).
+`kafkaConsumerAutoscaler` is the spec of a horizontal pod autoscaler to set up for `flowlogs-pipeline-transformer`, which consumes Kafka messages.
+This setting is ignored when Kafka is disabled. Refer to HorizontalPodAutoscaler documentation (autoscaling/v2).
 --
 
 Type::
@@ -1962,14 +2473,24 @@ Type::
 
 | `disableAlerts`
 | `array (string)`
-| `disableAlerts` is a list of alerts that should be disabled. Possible values are: +
- `NetObservNoFlows`, which is triggered when no flows are being observed for a certain period. +
- `NetObservLokiError`, which is triggered when flows are being dropped due to Loki errors. +
+| `disableAlerts` is a list of alerts that should be disabled.
+Possible values are: +
+
+`NetObservNoFlows`, which is triggered when no flows are being observed for a certain period. +
+
+`NetObservLokiError`, which is triggered when flows are being dropped due to Loki errors. +
 
 
 | `includeList`
 | `array (string)`
-| `includeList` is a list of metric names to specify which ones to generate. The names correspond to the names in Prometheus without the prefix. For example, `namespace_egress_packets_total` shows up as `netobserv_namespace_egress_packets_total` in Prometheus. Note that the more metrics you add, the bigger is the impact on Prometheus workload resources. Metrics enabled by default are: `namespace_flows_total`, `node_ingress_bytes_total`, `workload_ingress_bytes_total`, `namespace_drop_packets_total` (when `PacketDrop` feature is enabled), `namespace_rtt_seconds` (when `FlowRTT` feature is enabled), `namespace_dns_latency_seconds` (when `DNSTracking` feature is enabled). More information, with full list of available metrics: https://github.com/netobserv/network-observability-operator/blob/main/docs/Metrics.md
+| `includeList` is a list of metric names to specify which ones to generate.
+The names correspond to the names in Prometheus without the prefix. For example,
+`namespace_egress_packets_total` shows up as `netobserv_namespace_egress_packets_total` in Prometheus.
+Note that the more metrics you add, the bigger is the impact on Prometheus workload resources.
+Metrics enabled by default are:
+`namespace_flows_total`, `node_ingress_bytes_total`, `workload_ingress_bytes_total`, `namespace_drop_packets_total` (when `PacketDrop` feature is enabled),
+`namespace_rtt_seconds` (when `FlowRTT` feature is enabled), `namespace_dns_latency_seconds` (when `DNSTracking` feature is enabled).
+More information, with full list of available metrics: https://github.com/netobserv/network-observability-operator/blob/main/docs/Metrics.md
 
 | `server`
 | `object`
@@ -1995,7 +2516,7 @@ Type::
 
 | `port`
 | `integer`
-| The prometheus HTTP port
+| The metrics server HTTP port.
 
 | `tls`
 | `object`
@@ -2021,7 +2542,8 @@ Type::
 
 | `insecureSkipVerify`
 | `boolean`
-| `insecureSkipVerify` allows skipping client-side verification of the provided certificate. If set to `true`, the `providedCaFile` field is ignored.
+| `insecureSkipVerify` allows skipping client-side verification of the provided certificate.
+If set to `true`, the `providedCaFile` field is ignored.
 
 | `provided`
 | `object`
@@ -2034,7 +2556,10 @@ Type::
 | `type`
 | `string`
 | Select the type of TLS configuration: +
- - `Disabled` (default) to not configure TLS for the endpoint. - `Provided` to manually provide cert file and a key file. - `Auto` to use {product-title} auto generated certificate using annotations.
+
+- `Disabled` (default) to not configure TLS for the endpoint.
+- `Provided` to manually provide cert file and a key file. [Unsupported (*)].
+- `Auto` to use {product-title} auto generated certificate using annotations.
 
 |===
 == .spec.processor.metrics.server.tls.provided
@@ -2056,7 +2581,7 @@ Type::
 
 | `certFile`
 | `string`
-| `certFile` defines the path to the certificate file name within the config map or secret
+| `certFile` defines the path to the certificate file name within the config map or secret.
 
 | `certKey`
 | `string`
@@ -2064,15 +2589,16 @@ Type::
 
 | `name`
 | `string`
-| Name of the config map or secret containing certificates
+| Name of the config map or secret containing certificates.
 
 | `namespace`
 | `string`
-| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
+If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
 
 | `type`
 | `string`
-| Type for the certificate reference: `configmap` or `secret`
+| Type for the certificate reference: `configmap` or `secret`.
 
 |===
 == .spec.processor.metrics.server.tls.providedCaFile
@@ -2094,26 +2620,28 @@ Type::
 
 | `file`
 | `string`
-| File name within the config map or secret
+| File name within the config map or secret.
 
 | `name`
 | `string`
-| Name of the config map or secret containing the file
+| Name of the config map or secret containing the file.
 
 | `namespace`
 | `string`
-| Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed. If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+| Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed.
+If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
 
 | `type`
 | `string`
-| Type for the file reference: "configmap" or "secret"
+| Type for the file reference: "configmap" or "secret".
 
 |===
 == .spec.processor.resources
 Description::
 +
 --
-`resources` are the compute resources required by this container. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+`resources` are the compute resources required by this container.
+For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 --
 
 Type::
@@ -2128,10 +2656,295 @@ Type::
 
 | `limits`
 | `integer-or-string`
-| Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+| Limits describes the maximum amount of compute resources allowed.
+More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 
 | `requests`
 | `integer-or-string`
-| Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+| Requests describes the minimum amount of compute resources required.
+If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+otherwise to an implementation-defined value. Requests cannot exceed Limits.
+More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
+|===
+== .spec.processor.subnetLabels
+Description::
++
+--
+`subnetLabels` allows to define custom labels on subnets and IPs or to enable automatic labelling of recognized subnets in {product-title}, which is used to identify cluster external traffic.
+When a subnet matches the source or destination IP of a flow, a corresponding field is added: `SrcSubnetLabel` or `DstSubnetLabel`.
+--
+
+Type::
+  `object`
+
+
+
+
+[cols="1,1,1",options="header"]
+|===
+| Property | Type | Description
+
+| `customLabels`
+| `array`
+| `customLabels` allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services.
+If you enable `openShiftAutoDetect`, `customLabels` can override the detected subnets in case they overlap.
+
+| `openShiftAutoDetect`
+| `boolean`
+| `openShiftAutoDetect` allows, when set to `true`, to detect automatically the machines, pods and services subnets based on the
+{product-title} install configuration and the Cluster Network Operator configuration. Indirectly, this is a way to accurately detect
+external traffic: flows that are not labeled for those subnets are external to the cluster. Enabled by default on {product-title}.
+
+|===
+== .spec.processor.subnetLabels.customLabels
+Description::
++
+--
+`customLabels` allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services.
+If you enable `openShiftAutoDetect`, `customLabels` can override the detected subnets in case they overlap.
+--
+
+Type::
+  `array`
+
+
+
+
+== .spec.processor.subnetLabels.customLabels[]
+Description::
++
+--
+SubnetLabel allows to label subnets and IPs, such as to identify cluster-external workloads or web services.
+--
+
+Type::
+  `object`
+
+
+
+
+[cols="1,1,1",options="header"]
+|===
+| Property | Type | Description
+
+| `cidrs`
+| `array (string)`
+| List of CIDRs, such as `["1.2.3.4/32"]`.
+
+| `name`
+| `string`
+| Label name, used to flag matching flows.
+
+|===
+== .spec.prometheus
+Description::
++
+--
+`prometheus` defines Prometheus settings, such as querier configuration used to fetch metrics from the Console plugin.
+--
+
+Type::
+  `object`
+
+
+
+
+[cols="1,1,1",options="header"]
+|===
+| Property | Type | Description
+
+| `querier`
+| `object`
+| Prometheus querying configuration, such as client settings, used in the Console plugin.
+
+|===
+== .spec.prometheus.querier
+Description::
++
+--
+Prometheus querying configuration, such as client settings, used in the Console plugin.
+--
+
+Type::
+  `object`
+
+
+
+
+[cols="1,1,1",options="header"]
+|===
+| Property | Type | Description
+
+| `enable`
+| `boolean`
+| When `enable` is `true`, the Console plugin queries flow metrics from Prometheus instead of Loki whenever possible.
+It is enbaled by default: set it to `false` to disable this feature.
+The Console plugin can use either Loki or Prometheus as a data source for metrics (see also `spec.loki`), or both.
+Not all queries are transposable from Loki to Prometheus. Hence, if Loki is disabled, some features of the plugin are disabled as well,
+such as getting per-pod information or viewing raw flows.
+If both Prometheus and Loki are enabled, Prometheus takes precedence and Loki is used as a fallback for queries that Prometheus cannot handle.
+If they are both disabled, the Console plugin is not deployed.
+
+| `manual`
+| `object`
+| Prometheus configuration for `Manual` mode.
+
+| `mode`
+| `string`
+| `mode` must be set according to the type of Prometheus installation that stores Network Observability metrics: +
+
+- Use `Auto` to try configuring automatically. In {product-title}, it uses the Thanos querier from {product-title} Cluster Monitoring +
+
+- Use `Manual` for a manual setup +
+
+
+| `timeout`
+| `string`
+| `timeout` is the read timeout for console plugin queries to Prometheus.
+A timeout of zero means no timeout.
+
+|===
+== .spec.prometheus.querier.manual
+Description::
++
+--
+Prometheus configuration for `Manual` mode.
+--
+
+Type::
+  `object`
+
+
+
+
+[cols="1,1,1",options="header"]
+|===
+| Property | Type | Description
+
+| `forwardUserToken`
+| `boolean`
+| Set `true` to forward logged in user token in queries to Prometheus
+
+| `tls`
+| `object`
+| TLS client configuration for Prometheus URL.
+
+| `url`
+| `string`
+| `url` is the address of an existing Prometheus service to use for querying metrics.
+
+|===
+== .spec.prometheus.querier.manual.tls
+Description::
++
+--
+TLS client configuration for Prometheus URL.
+--
+
+Type::
+  `object`
+
+
+
+
+[cols="1,1,1",options="header"]
+|===
+| Property | Type | Description
+
+| `caCert`
+| `object`
+| `caCert` defines the reference of the certificate for the Certificate Authority
+
+| `enable`
+| `boolean`
+| Enable TLS
+
+| `insecureSkipVerify`
+| `boolean`
+| `insecureSkipVerify` allows skipping client-side verification of the server certificate.
+If set to `true`, the `caCert` field is ignored.
+
+| `userCert`
+| `object`
+| `userCert` defines the user certificate reference and is used for mTLS (you can ignore it when using one-way TLS)
+
+|===
+== .spec.prometheus.querier.manual.tls.caCert
+Description::
++
+--
+`caCert` defines the reference of the certificate for the Certificate Authority
+--
+
+Type::
+  `object`
+
+
+
+
+[cols="1,1,1",options="header"]
+|===
+| Property | Type | Description
+
+| `certFile`
+| `string`
+| `certFile` defines the path to the certificate file name within the config map or secret.
+
+| `certKey`
+| `string`
+| `certKey` defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.
+
+| `name`
+| `string`
+| Name of the config map or secret containing certificates.
+
+| `namespace`
+| `string`
+| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
+If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+
+| `type`
+| `string`
+| Type for the certificate reference: `configmap` or `secret`.
+
+|===
+== .spec.prometheus.querier.manual.tls.userCert
+Description::
++
+--
+`userCert` defines the user certificate reference and is used for mTLS (you can ignore it when using one-way TLS)
+--
+
+Type::
+  `object`
+
+
+
+
+[cols="1,1,1",options="header"]
+|===
+| Property | Type | Description
+
+| `certFile`
+| `string`
+| `certFile` defines the path to the certificate file name within the config map or secret.
+
+| `certKey`
+| `string`
+| `certKey` defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.
+
+| `name`
+| `string`
+| Name of the config map or secret containing certificates.
+
+| `namespace`
+| `string`
+| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
+If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+
+| `type`
+| `string`
+| Type for the certificate reference: `configmap` or `secret`.
 
 |===
\ No newline at end of file
diff --git a/modules/network-observability-flowmetric-api-specifications.adoc b/modules/network-observability-flowmetric-api-specifications.adoc
new file mode 100644
index 000000000000..3bcc0f41dbfd
--- /dev/null
+++ b/modules/network-observability-flowmetric-api-specifications.adoc
@@ -0,0 +1,298 @@
+// Automatically generated by 'openshift-apidocs-gen'. Do not edit.
+:_mod-docs-content-type: REFERENCE
+[id="flowmetric-flows-netobserv-io-v1alpha1"]
+= FlowMetric [flows.netobserv.io/v1alpha1]
+
+
+
+Description::
++
+--
+FlowMetric is the API allowing to create custom metrics from the collected flow logs.
+--
+
+Type::
+  `object`
+
+
+
+
+[cols="1,1,1",options="header"]
+|===
+| Property | Type | Description
+
+| `apiVersion`
+| `string`
+| APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and might reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+
+| `kind`
+| `string`
+| Kind is a string value representing the REST resource this object represents. Servers might infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+
+| `metadata`
+| `object`
+| Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+
+| `spec`
+| `object`
+| FlowMetricSpec defines the desired state of FlowMetric
+The provided API allows you to customize these metrics according to your needs. +
+
+When adding new metrics or modifying existing labels, you must carefully monitor the memory
+usage of Prometheus workloads as this could potentially have a high impact. Cf https://rhobs-handbook.netlify.app/products/openshiftmonitoring/telemetry.md/#what-is-the-cardinality-of-a-metric +
+
+To check the cardinality of all Network Observability metrics, run as `promql`: `count({__name__=~"netobserv.*"}) by (__name__)`.
+
+|===
+== .metadata
+Description::
++
+--
+Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+--
+
+Type::
+  `object`
+
+
+
+
+== .spec
+Description::
++
+--
+FlowMetricSpec defines the desired state of FlowMetric
+The provided API allows you to customize these metrics according to your needs. +
+
+When adding new metrics or modifying existing labels, you must carefully monitor the memory
+usage of Prometheus workloads as this could potentially have a high impact. Cf https://rhobs-handbook.netlify.app/products/openshiftmonitoring/telemetry.md/#what-is-the-cardinality-of-a-metric +
+
+To check the cardinality of all Network Observability metrics, run as `promql`: `count({__name__=~"netobserv.*"}) by (__name__)`.
+--
+
+Type::
+  `object`
+
+Required::
+  - `metricName`
+  - `type`
+
+
+
+[cols="1,1,1",options="header"]
+|===
+| Property | Type | Description
+
+| `buckets`
+| `array (string)`
+| A list of buckets to use when `type` is "Histogram". The list must be parsable as floats. When not set, Prometheus default buckets are used.
+
+| `charts`
+| `array`
+| Charts configuration, for the {product-title} Console in the administrator view, Dashboards menu.
+
+| `direction`
+| `string`
+| Filter for ingress, egress or any direction flows.
+When set to `Ingress`, it is equivalent to adding the regular expression filter on `FlowDirection`: `0\|2`.
+When set to `Egress`, it is equivalent to adding the regular expression filter on `FlowDirection`: `1\|2`.
+
+| `divider`
+| `string`
+| When nonzero, scale factor (divider) of the value. Metric value = Flow value / Divider.
+
+| `filters`
+| `array`
+| `filters` is a list of fields and values used to restrict which flows are taken into account. Oftentimes, these filters must
+be used to eliminate duplicates: `Duplicate != "true"` and `FlowDirection = "0"`.
+Refer to the documentation for the list of available fields: https://docs.openshift.com/container-platform/latest/observability/network_observability/json-flows-format-reference.html.
+
+| `labels`
+| `array (string)`
+| `labels` is a list of fields that should be used as Prometheus labels, also known as dimensions.
+From choosing labels results the level of granularity of this metric, and the available aggregations at query time.
+It must be done carefully as it impacts the metric cardinality (cf https://rhobs-handbook.netlify.app/products/openshiftmonitoring/telemetry.md/#what-is-the-cardinality-of-a-metric).
+In general, avoid setting very high cardinality labels such as IP or MAC addresses.
+"SrcK8S_OwnerName" or "DstK8S_OwnerName" should be preferred over "SrcK8S_Name" or "DstK8S_Name" as much as possible.
+Refer to the documentation for the list of available fields: https://docs.openshift.com/container-platform/latest/observability/network_observability/json-flows-format-reference.html.
+
+| `metricName`
+| `string`
+| Name of the metric. In Prometheus, it is automatically prefixed with "netobserv_".
+
+| `type`
+| `string`
+| Metric type: "Counter" or "Histogram".
+Use "Counter" for any value that increases over time and on which you can compute a rate, such as Bytes or Packets.
+Use "Histogram" for any value that must be sampled independently, such as latencies.
+
+| `valueField`
+| `string`
+| `valueField` is the flow field that must be used as a value for this metric. This field must hold numeric values.
+Leave empty to count flows rather than a specific value per flow.
+Refer to the documentation for the list of available fields: https://docs.openshift.com/container-platform/latest/observability/network_observability/json-flows-format-reference.html.
+
+|===
+== .spec.charts
+Description::
++
+--
+Charts configuration, for the {product-title} Console in the administrator view, Dashboards menu.
+--
+
+Type::
+  `array`
+
+
+
+
+== .spec.charts[]
+Description::
++
+--
+Configures charts / dashboard generation associated to a metric
+--
+
+Type::
+  `object`
+
+Required::
+  - `dashboardName`
+  - `queries`
+  - `title`
+  - `type`
+
+
+
+[cols="1,1,1",options="header"]
+|===
+| Property | Type | Description
+
+| `dashboardName`
+| `string`
+| Name of the containing dashboard. If this name does not refer to an existing dashboard, a new dashboard is created.
+
+| `queries`
+| `array`
+| List of queries to be displayed on this chart. If `type` is `SingleStat` and multiple queries are provided,
+this chart is automatically expanded in several panels (one per query).
+
+| `sectionName`
+| `string`
+| Name of the containing dashboard section. If this name does not refer to an existing section, a new section is created.
+If `sectionName` is omitted or empty, the chart is placed in the global top section.
+
+| `title`
+| `string`
+| Title of the chart.
+
+| `type`
+| `string`
+| Type of the chart.
+
+| `unit`
+| `string`
+| Unit of this chart. Only a few units are currently supported. Leave empty to use generic number.
+
+|===
+== .spec.charts[].queries
+Description::
++
+--
+List of queries to be displayed on this chart. If `type` is `SingleStat` and multiple queries are provided,
+this chart is automatically expanded in several panels (one per query).
+--
+
+Type::
+  `array`
+
+
+
+
+== .spec.charts[].queries[]
+Description::
++
+--
+Configures PromQL queries
+--
+
+Type::
+  `object`
+
+Required::
+  - `legend`
+  - `promQL`
+  - `top`
+
+
+
+[cols="1,1,1",options="header"]
+|===
+| Property | Type | Description
+
+| `legend`
+| `string`
+| The query legend that applies to each timeseries represented in this chart. When multiple timeseries are displayed, you should set a legend
+that distinguishes each of them. It can be done with the following format: `{{ Label }}`. For example, if the `promQL` groups timeseries per
+label such as: `sum(rate($METRIC[2m])) by (Label1, Label2)`, you might write as the legend: `Label1={{ Label1 }}, Label2={{ Label2 }}`.
+
+| `promQL`
+| `string`
+| The `promQL` query to be run against Prometheus. If the chart `type` is `SingleStat`, this query should only return
+a single timeseries. For other types, a top 7 is displayed.
+You can use `$METRIC` to refer to the metric defined in this resource. For example: `sum(rate($METRIC[2m]))`.
+To learn more about `promQL`, refer to the Prometheus documentation: https://prometheus.io/docs/prometheus/latest/querying/basics/
+
+| `top`
+| `integer`
+| Top N series to display per timestamp. Does not apply to `SingleStat` chart type.
+
+|===
+== .spec.filters
+Description::
++
+--
+`filters` is a list of fields and values used to restrict which flows are taken into account. Oftentimes, these filters must
+be used to eliminate duplicates: `Duplicate != "true"` and `FlowDirection = "0"`.
+Refer to the documentation for the list of available fields: https://docs.openshift.com/container-platform/latest/observability/network_observability/json-flows-format-reference.html.
+--
+
+Type::
+  `array`
+
+
+
+
+== .spec.filters[]
+Description::
++
+--
+
+--
+
+Type::
+  `object`
+
+Required::
+  - `field`
+  - `matchType`
+
+
+
+[cols="1,1,1",options="header"]
+|===
+| Property | Type | Description
+
+| `field`
+| `string`
+| Name of the field to filter on
+
+| `matchType`
+| `string`
+| Type of matching to apply
+
+| `value`
+| `string`
+| Value to filter on. When `matchType` is `Equal` or `NotEqual`, you can use field injection with `$(SomeField)` to refer to any other field of the flow.
+
+|===
\ No newline at end of file
diff --git a/modules/network-observability-flowmetrics-charts.adoc b/modules/network-observability-flowmetrics-charts.adoc
new file mode 100644
index 000000000000..ff0aef792c57
--- /dev/null
+++ b/modules/network-observability-flowmetrics-charts.adoc
@@ -0,0 +1,112 @@
+// Module included in the following assemblies:
+//
+// network_observability/metrics-alerts-dashboards.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="network-observability-custom-charts-flowmetrics_{context}"]
+= Configuring custom charts using FlowMetric API
+You can generate charts for dashboards in the {product-title} web console, which you can view as an administrator in the *Dashboard* menu by defining the `charts` section of the `FlowMetric` resource.
+
+.Procedure
+. In the web console, navigate to *Operators* -> *Installed Operators*.
+. In the *Provided APIs* heading for the *NetObserv Operator*, select *FlowMetric*.
+. In the *Project:*  dropdown list, select the project of the Network Observability Operator instance. 
+. Click *Create FlowMetric*.
+. Configure the `FlowMetric` resource, similar to the following sample configurations: 
+
+.Chart for tracking ingress bytes received from cluster external sources
+[%collapsible]
+====
+[source,yaml]
+----
+apiVersion: flows.netobserv.io/v1alpha1
+kind: FlowMetric
+metadata:
+  name: flowmetric-cluster-external-ingress-traffic
+  namespace: netobserv   <1>
+# ...
+  charts:
+  - dashboardName: Main  <2>
+    title: External ingress traffic
+    unit: Bps
+    type: SingleStat
+    queries:
+    - promQL: "sum(rate($METRIC[2m]))"
+      legend: ""
+  - dashboardName: Main  <2>
+    sectionName: External
+    title: Top external ingress traffic per workload
+    unit: Bps
+    type: StackArea
+    queries:
+    - promQL: "sum(rate($METRIC{DstK8S_Namespace!=\"\"}[2m])) by (DstK8S_Namespace, DstK8S_OwnerName)"
+      legend: "{{DstK8S_Namespace}} / {{DstK8S_OwnerName}}"
+# ...
+----
+<1> The `FlowMetric` resources need to be created in the namespace defined in the `FlowCollector` `spec.namespace`, which is `netobserv` by default.
+
+.Verification
+. Once the pods refresh, navigate to *Observe* -> *Dashboards*.
+. Search for the *NetObserv / Main* dashboard. View two panels under the *NetObserv / Main* dashboard, or optionally a dashboard name that you create:
+
+* A textual single statistic showing the global external ingress rate summed across all dimensions
+* A timeseries graph showing the same metric per destination workload
+
+For more information about the query language, refer to the link:https://prometheus.io/docs/prometheus/latest/querying/basics/[Prometheus documentation].
+====
+
+.Chart for RTT latency for cluster external ingress traffic
+[%collapsible]
+====
+[source,yaml]
+----
+apiVersion: flows.netobserv.io/v1alpha1
+kind: FlowMetric
+metadata:
+  name: flowmetric-cluster-external-ingress-traffic
+  namespace: netobserv   <1>
+# ...
+  charts:
+  - dashboardName: Main  <2>
+    title: External ingress TCP latency
+    unit: seconds
+    type: SingleStat
+    queries:
+    - promQL: "histogram_quantile(0.99, sum(rate($METRIC_bucket[2m])) by (le)) > 0"
+      legend: "p99"
+  - dashboardName: Main  <2>
+    sectionName: External
+    title: "Top external ingress sRTT per workload, p50 (ms)"
+    unit: seconds
+    type: Line
+    queries:
+    - promQL: "histogram_quantile(0.5, sum(rate($METRIC_bucket{DstK8S_Namespace!=\"\"}[2m])) by (le,DstK8S_Namespace,DstK8S_OwnerName))*1000 > 0"
+      legend: "{{DstK8S_Namespace}} / {{DstK8S_OwnerName}}"
+  - dashboardName: Main  <2>
+    sectionName: External
+    title: "Top external ingress sRTT per workload, p99 (ms)"
+    unit: seconds
+    type: Line
+    queries:
+    - promQL: "histogram_quantile(0.99, sum(rate($METRIC_bucket{DstK8S_Namespace!=\"\"}[2m])) by (le,DstK8S_Namespace,DstK8S_OwnerName))*1000 > 0"
+      legend: "{{DstK8S_Namespace}} / {{DstK8S_OwnerName}}"
+# ...
+----
+<1> The `FlowMetric` resources need to be created in the namespace defined in the `FlowCollector` `spec.namespace`, which is `netobserv` by default.
+<2> Using a different `dashboardName` creates a new dashboard that is prefixed with `Netobserv`. For example, *Netobserv / <dashboard_name>*.
+
+This example uses the `histogram_quantile` function to show `p50` and `p99`.
+
+You can show averages of histograms by dividing the metric, `$METRIC_sum`, by the metric ,`$METRIC_count`, which are automatically generated when you create a histogram. With the preceding example, the Prometheus query to do this is as follows:
+
+[source,yaml]
+----
+promQL: "(sum(rate($METRIC_sum{DstK8S_Namespace!=\"\"}[2m])) by (DstK8S_Namespace,DstK8S_OwnerName) / sum(rate($METRIC_count{DstK8S_Namespace!=\"\"}[2m])) by (DstK8S_Namespace,DstK8S_OwnerName))*1000"
+----
+
+.Verification
+. Once the pods refresh, navigate to *Observe* -> *Dashboards*.
+. Search for the *NetObserv / Main* dashboard. View the new panel under the *NetObserv / Main* dashboard, or optionally a dashboard name that you create.
+
+For more information about the query language, refer to the link:https://prometheus.io/docs/prometheus/latest/querying/basics/[Prometheus documentation].
+====
diff --git a/modules/network-observability-flows-format.adoc b/modules/network-observability-flows-format.adoc
index 47367884eaeb..72241cf6ab19 100644
--- a/modules/network-observability-flows-format.adoc
+++ b/modules/network-observability-flows-format.adoc
@@ -9,105 +9,131 @@ The "Filter ID" column shows which related name to use when defining Quick Filte
 
 The "Loki label" column is useful when querying Loki directly: label fields need to be selected using link:https://grafana.com/docs/loki/latest/logql/log_queries/#log-stream-selector[stream selectors].
 
+The "Cardinality" column gives information about the implied metric cardinality if this field was to be used as a Prometheus label with the `FlowMetric` API. For more information, see the "FlowMetric API reference". 
 
-[cols="1,1,3,1,1",options="header"]
+[cols="1,1,3,1,1,1",options="header"]
 |===
-| Name | Type | Description | Filter ID | Loki label
+| Name | Type | Description | Filter ID | Loki label | Cardinality
 | `Bytes`
 | number
 | Number of bytes
 | n/a
 | no
+| avoid
 | `DnsErrno`
 | number
 | Error number returned from DNS tracker ebpf hook function
 | `dns_errno`
 | no
+| fine
 | `DnsFlags`
 | number
 | DNS flags for DNS record
 | n/a
 | no
+| fine
 | `DnsFlagsResponseCode`
 | string
 | Parsed DNS header RCODEs name
 | `dns_flag_response_code`
 | no
+| fine
 | `DnsId`
 | number
 | DNS record id
 | `dns_id`
 | no
+| avoid
 | `DnsLatencyMs`
 | number
 | Time between a DNS request and response, in milliseconds
 | `dns_latency`
 | no
+| avoid
 | `Dscp`
 | number
 | Differentiated Services Code Point (DSCP) value
 | `dscp`
 | no
+| fine
 | `DstAddr`
 | string
 | Destination IP address (ipv4 or ipv6)
 | `dst_address`
 | no
+| avoid
 | `DstK8S_HostIP`
 | string
 | Destination node IP
 | `dst_host_address`
 | no
+| fine
 | `DstK8S_HostName`
 | string
 | Destination node name
 | `dst_host_name`
 | no
+| fine
 | `DstK8S_Name`
 | string
 | Name of the destination Kubernetes object, such as Pod name, Service name or Node name.
 | `dst_name`
 | no
+| careful
 | `DstK8S_Namespace`
 | string
 | Destination namespace
 | `dst_namespace`
 | yes
+| fine
 | `DstK8S_OwnerName`
 | string
 | Name of the destination owner, such as Deployment name, StatefulSet name, etc.
 | `dst_owner_name`
 | yes
+| fine
 | `DstK8S_OwnerType`
 | string
 | Kind of the destination owner, such as Deployment, StatefulSet, etc.
 | `dst_kind`
 | no
+| fine
 | `DstK8S_Type`
 | string
 | Kind of the destination Kubernetes object, such as Pod, Service or Node.
 | `dst_kind`
 | yes
+| fine
 | `DstK8S_Zone`
 | string
 | Destination availability zone
 | `dst_zone`
 | yes
+| fine
 | `DstMac`
 | string
 | Destination MAC address
 | `dst_mac`
 | no
+| avoid
 | `DstPort`
 | number
 | Destination port
 | `dst_port`
 | no
+| careful
+| `DstSubnetLabel`
+| string
+| Destination subnet label
+| `dst_subnet_label`
+| no
+| fine
 | `Duplicate`
 | boolean
 | Indicates if this flow was also captured from another interface on the same host
 | n/a
 | yes
+| fine
 | `Flags`
 | number
 | Logical OR combination of unique TCP flags comprised in the flow, as per RFC-9293, with additional custom flags to represent the following per-packet combinations: +
@@ -116,164 +142,202 @@ The "Loki label" column is useful when querying Loki directly: label fields need
 - RST+ACK (0x400)
 | n/a
 | no
+| fine
 | `FlowDirection`
 | number
-| Flow direction from the node observation point. Can be one of: +
+| Flow interpreted direction from the node observation point. Can be one of: +
 - 0: Ingress (incoming traffic, from the node observation point) +
 - 1: Egress (outgoing traffic, from the node observation point) +
 - 2: Inner (with the same source and destination node)
-| `direction`
+| `node_direction`
 | yes
+| fine
 | `IcmpCode`
 | number
 | ICMP code
 | `icmp_code`
 | no
+| fine
 | `IcmpType`
 | number
 | ICMP type
 | `icmp_type`
 | no
-| `IfDirection`
+| fine
+| `IfDirections`
 | number
-| Flow direction from the network interface observation point. Can be one of: +
+| Flow directions from the network interface observation point. Can be one of: +
 - 0: Ingress (interface incoming traffic) +
 - 1: Egress (interface outgoing traffic)
-| n/a
+| `ifdirections`
 | no
-| `Interface`
+| fine
+| `Interfaces`
 | string
-| Network interface
-| `interface`
+| Network interfaces
+| `interfaces`
 | no
+| careful
 | `K8S_ClusterName`
 | string
 | Cluster name or identifier
 | `cluster_name`
 | yes
+| fine
 | `K8S_FlowLayer`
 | string
 | Flow layer: 'app' or 'infra'
 | `flow_layer`
 | no
+| fine
 | `Packets`
 | number
 | Number of packets
 | n/a
 | no
+| avoid
 | `PktDropBytes`
 | number
 | Number of bytes dropped by the kernel
 | n/a
 | no
+| avoid
 | `PktDropLatestDropCause`
 | string
 | Latest drop cause
 | `pkt_drop_cause`
 | no
+| fine
 | `PktDropLatestFlags`
 | number
 | TCP flags on last dropped packet
 | n/a
 | no
+| fine
 | `PktDropLatestState`
 | string
 | TCP state on last dropped packet
 | `pkt_drop_state`
 | no
+| fine
 | `PktDropPackets`
 | number
 | Number of packets dropped by the kernel
 | n/a
 | no
+| avoid
 | `Proto`
 | number
 | L4 protocol
 | `protocol`
 | no
+| fine
 | `SrcAddr`
 | string
 | Source IP address (ipv4 or ipv6)
 | `src_address`
 | no
+| avoid
 | `SrcK8S_HostIP`
 | string
 | Source node IP
 | `src_host_address`
 | no
+| fine
 | `SrcK8S_HostName`
 | string
 | Source node name
 | `src_host_name`
 | no
+| fine
 | `SrcK8S_Name`
 | string
 | Name of the source Kubernetes object, such as Pod name, Service name or Node name.
 | `src_name`
 | no
+| careful
 | `SrcK8S_Namespace`
 | string
 | Source namespace
 | `src_namespace`
 | yes
+| fine
 | `SrcK8S_OwnerName`
 | string
 | Name of the source owner, such as Deployment name, StatefulSet name, etc.
 | `src_owner_name`
 | yes
+| fine
 | `SrcK8S_OwnerType`
 | string
 | Kind of the source owner, such as Deployment, StatefulSet, etc.
 | `src_kind`
 | no
+| fine
 | `SrcK8S_Type`
 | string
 | Kind of the source Kubernetes object, such as Pod, Service or Node.
 | `src_kind`
 | yes
+| fine
 | `SrcK8S_Zone`
 | string
 | Source availability zone
 | `src_zone`
 | yes
+| fine
 | `SrcMac`
 | string
 | Source MAC address
 | `src_mac`
 | no
+| avoid
 | `SrcPort`
 | number
 | Source port
 | `src_port`
 | no
+| careful
+| `SrcSubnetLabel`
+| string
+| Source subnet label
+| `src_subnet_label`
+| no
+| fine
 | `TimeFlowEndMs`
 | number
 | End timestamp of this flow, in milliseconds
 | n/a
 | no
+| avoid
 | `TimeFlowRttNs`
 | number
 | TCP Smoothed Round Trip Time (SRTT), in nanoseconds
 | `time_flow_rtt`
 | no
+| avoid
 | `TimeFlowStartMs`
 | number
 | Start timestamp of this flow, in milliseconds
 | n/a
 | no
+| avoid
 | `TimeReceived`
 | number
 | Timestamp when this flow was received and processed by the flow collector, in seconds
 | n/a
 | no
+| avoid
 | `_HashId`
 | string
 | In conversation tracking, the conversation identifier
 | `id`
 | no
+| avoid
 | `_RecordType`
 | string
 | Type of record: 'flowLog' for regular flow logs, or 'newConnection', 'heartbeat', 'endConnection' for conversation tracking
 | `type`
 | yes
+| fine
 |===
\ No newline at end of file
diff --git a/modules/network-observability-health-alerts-overview.adoc b/modules/network-observability-health-alerts-overview.adoc
new file mode 100644
index 000000000000..ee06e061fdbe
--- /dev/null
+++ b/modules/network-observability-health-alerts-overview.adoc
@@ -0,0 +1,13 @@
+// Module included in the following assemblies:
+//
+// * network_observability/network-observability-operator-monitoring.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="network-observability-health-alert-overview_{context}"]
+= Health alerts
+
+A health alert banner that directs you to the dashboard can appear on the *Network Traffic* and *Home* pages if an alert is triggered. Alerts are generated in the following cases:
+
+* The `NetObservLokiError` alert occurs if the `flowlogs-pipeline` workload is dropping flows because of Loki errors, such as if the Loki ingestion rate limit has been reached.
+* The `NetObservNoFlows` alert occurs if no flows are ingested for a certain amount of time.
+* The `NetObservFlowsDropped` alert occurs if the Network Observability eBPF agent hashmap table is full, and the eBPF agent processes flows with degraded performance, or when the capacity limiter is triggered.
\ No newline at end of file
diff --git a/modules/network-observability-health-dashboard-overview.adoc b/modules/network-observability-health-dashboard-overview.adoc
new file mode 100644
index 000000000000..78729968d437
--- /dev/null
+++ b/modules/network-observability-health-dashboard-overview.adoc
@@ -0,0 +1,19 @@
+// Module included in the following assemblies:
+//
+// * network_observability/network-observability-operator-monitoring.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="network-observability-health-dashboard-overview_{context}"]
+= Health dashboards
+
+Metrics about health and resource usage of the Network Observability Operator are located in the *Observe* -> *Dashboards* page in the web console. You can view metrics about the health of the Operator in the following categories:
+
+* *Flows per second*
+* *Sampling*
+* *Errors last minute*
+* *Dropped flows per second*
+* *Flowlogs-pipeline statistics*
+* *Flowlogs-pipleine statistics views*
+* *eBPF agent statistics views*
+* *Operator statistics*
+* *Resource usage*
\ No newline at end of file
diff --git a/modules/network-observability-metrics.adoc b/modules/network-observability-metrics-names.adoc
similarity index 77%
rename from modules/network-observability-metrics.adoc
rename to modules/network-observability-metrics-names.adoc
index 9ecab20728af..c2555fe71632 100644
--- a/modules/network-observability-metrics.adoc
+++ b/modules/network-observability-metrics-names.adoc
@@ -5,13 +5,11 @@
 :_mod-docs-content-type: REFERENCE
 [id="network-observability-metrics_{context}"]
 = Network Observability metrics
-Metrics generated by the `flowlogs-pipeline` are configurable in the `spec.processor.metrics.includeList` of the `FlowCollector` custom resource to add or remove metrics. 
-
 You can also create alerts by using the `includeList` metrics in Prometheus rules, as shown in the example "Creating alerts".
 
-When looking for these metrics in Prometheus, such as in the Console through Observe -> Metrics, or when defining alerts, all the metrics names are prefixed with `netobserv_. For example, `netobserv_namespace_flows_total. Available metrics names are as follows.
+When looking for these metrics in Prometheus, such as in the Console through *Observe* -> *Metrics*, or when defining alerts, all the metrics names are prefixed with `netobserv_`. For example, `netobserv_namespace_flows_total`. Available metrics names are as follows:
 
-== includeList metrics names
+includeList metrics names::
 Names followed by an asterisk `*` are enabled by default. 
 
 * `namespace_egress_bytes_total`
@@ -30,7 +28,7 @@ Names followed by an asterisk `*` are enabled by default.
 * `workload_ingress_packets_total`
 * `workload_flows_total`
 
-=== PacketDrop metrics names
+PacketDrop metrics names::
 When the `PacketDrop` feature is enabled in `spec.agent.ebpf.features` (with `privileged` mode), the following additional metrics are available:
 
 * `namespace_drop_bytes_total`
@@ -40,14 +38,14 @@ When the `PacketDrop` feature is enabled in `spec.agent.ebpf.features` (with `pr
 * `workload_drop_bytes_total`
 * `workload_drop_packets_total`
 
-=== DNS metrics names
+DNS metrics names::
 When the `DNSTracking` feature is enabled in `spec.agent.ebpf.features`, the following additional metrics are available:
 
 * `namespace_dns_latency_seconds` *
 * `node_dns_latency_seconds`
 * `workload_dns_latency_seconds`
 
-=== FlowRTT metrics names
+FlowRTT metrics names::
 When the `FlowRTT` feature is enabled in `spec.agent.ebpf.features`, the following additional metrics are available:
 
 * `namespace_rtt_seconds` *
diff --git a/modules/network-observability-netobserv-cli-about.adoc b/modules/network-observability-netobserv-cli-about.adoc
new file mode 100644
index 000000000000..e0005e75dc9b
--- /dev/null
+++ b/modules/network-observability-netobserv-cli-about.adoc
@@ -0,0 +1,14 @@
+//Module included in the following assemblies:
+//
+// observability/network_observability/network-observability-cli/netobserv-cli-overview.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="network-observability-netoberv-cli-about_{context}"]
+= About the Network Observability CLI
+
+You can quickly debug and troubleshoot networking issues by using the Network Observability CLI (`oc netobserv`). The Network Observability CLI is a flow and packet visualization tool that relies on eBPF agents to stream collected data to an ephemeral collector pod. It requires no persistent storage during the capture. After the run, the output is transferred to your local machine. This enables quick, live insight into packets and flow data without installing the Network Observability Operator.  
+
+[IMPORTANT]
+====
+CLI capture is meant to run only for short durations, such as 8-10 minutes. If it runs for too long, it can be difficult to delete the running process.
+====
\ No newline at end of file
diff --git a/modules/network-observability-netobserv-cli-cleaning.adoc b/modules/network-observability-netobserv-cli-cleaning.adoc
new file mode 100644
index 000000000000..600d0375715c
--- /dev/null
+++ b/modules/network-observability-netobserv-cli-cleaning.adoc
@@ -0,0 +1,19 @@
+// Module included in the following assemblies:
+
+// * observability/network_observability/netobserv_cli/netobserv-cli-install.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="network-observability-cli-uninstall_{context}"]
+= Cleaning the Network Observability CLI
+
+You can manually clean the CLI workload by running `oc netobserv cleanup`. This command removes all the CLI components from your cluster.
+
+When you end a capture, this command is run automatically by the client. You might be required to manually run it if you experience connectivity issues.
+
+.Procedure
+* Run the following command:
++
+[source,terminal]
+----
+$ oc netobserv cleanup
+----
\ No newline at end of file
diff --git a/modules/network-observability-netobserv-cli-install.adoc b/modules/network-observability-netobserv-cli-install.adoc
new file mode 100644
index 000000000000..f7e720fdf8aa
--- /dev/null
+++ b/modules/network-observability-netobserv-cli-install.adoc
@@ -0,0 +1,54 @@
+// Module included in the following assemblies:
+
+// * observability/network_observability/netobserv_cli/netobserv-cli-install.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="network-observability-cli-install_{context}"]
+= Installing the Network Observability CLI
+Installing the Network Observability CLI (`oc netobserv`) is a separate procedure from the Network Observability Operator installation. This means that, even if you have the Operator installed from OperatorHub, you need to install the CLI separately. 
+
+[NOTE]
+====
+You can optionally use Krew to install the `netobserv` CLI plugin. For more information, see "Installing a CLI plugin with Krew". 
+====
+
+.Prerequisites
+* You must install the {oc-first}. 
+* You must have a macOS or Linux operating system.
+
+.Procedure
+
+. Download the link:https://mirror.openshift.com/pub/openshift-v4/clients/netobserv/latest/[`oc netobserv` CLI tar file].
+. Unpack the archive:
++
+[source,terminal]
+----
+$ tar xvf netobserv-cli.tar.gz
+----
+. Make the file executable:
++
+[source,terminal]
+----
+$ chmod +x ./build/oc-netobserv
+----
+. Move the extracted `netobserv-cli` binary to a directory that is on your `PATH`, such as `/usr/local/bin/`:
++
+[source,terminal]
+----
+$ sudo mv ./build/oc-netobserv /usr/local/bin/
+----
+
+.Verification
+
+* Verify that `oc netobserv` is available:
++
+[source,terminal]
+----
+$ oc netobserv version
+----
++
+.Example output
+[source,terminal]
+----
+Netobserv CLI version <version>
+----
diff --git a/modules/network-observability-netobserv-cli-reference.adoc b/modules/network-observability-netobserv-cli-reference.adoc
new file mode 100644
index 000000000000..abb2d7f606a8
--- /dev/null
+++ b/modules/network-observability-netobserv-cli-reference.adoc
@@ -0,0 +1,195 @@
+// Module included in the following assemblies:
+// * observability/network_observability/netobserv-cli-reference.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="network-observability-netobserv-cli-reference_{context}"]
+= oc netobserv CLI reference 
+The Network Observability CLI (`oc netobserv`) is a CLI tool for capturing flow data and packet data for further analysis.
+
+.`oc netobserv` syntax
+[source,terminal]
+----
+$ oc netobserv [<command>] [<feature_option>] [<command_options>] <1>
+----
+<1> Feature options can only be used with the `oc netobserv flows` command. They cannot be used with the `oc netobserv packets` command.
+
+[cols="3a,8a",options="header"]
+.Basic commands
+|===
+|Command| Description
+
+| `flows`
+| Capture flows information. For subcommands, see the "Flow capture subcommands" table. 
+
+| `packets`
+| Capture packets from a specific protocol or port pair, such as `netobserv packets --filter=tcp,80`. For more information about packet capture, see the "Packet capture subcommand" table.
+
+| `cleanup`
+| Remove the Network Observability CLI components.
+
+| `version`
+| Print the software version.
+
+| `help`
+| Show help.
+|===
+
+[id="network-observability-cli-enrichment_{context}"]
+== Network Observability enrichment
+The Network Observability enrichment to display zone, node, owner and resource names including optional features about packet drops, DNS latencies and Round-trip time can only be enabled when capturing flows. These do not appear in packet capture pcap output file.
+
+.Network Observability enrichment syntax
+[source,terminal]
+----
+$ oc netobserv flows [<enrichment_options>] [<subcommands>]
+----
+
+.Network Observability enrichment options
+|===
+|Option| Description| Possible values| Default
+
+| `--enable_pktdrop` 	
+| Enable packet drop.
+| `true`, `false`
+| `false`
+
+| `--enable_rtt`
+| Enable round trip time. 	
+| `true`, `false` 	
+| `false`
+
+| `--enable_dns`
+| Enable DNS tracking. 	
+| `true`, `false` 	
+| `false`
+
+| `--help`
+| Show help.
+| -
+| -
+
+| `--interfaces`
+| Interfaces to match on the flow. For example, `"eth0,eth1"`.
+| `"<interface>"`
+| -
+|===
+
+[id="cli-reference-flow-capture-options_{context}"]
+== Flow capture options
+Flow capture has mandatory commands as well as additional options, such as enabling extra features about packet drops, DNS latencies, Round-trip time, and filtering.
+
+.`oc netobserv flows` syntax
+[source,terminal]
+----
+$ oc netobserv flows [<feature_option>] [<command_options>]
+----
+
+.Flow capture filter options
+|===
+|Option| Description| Possible values| Mandatory| Default
+
+| `--enable_filter`
+| Enable flow filter.
+| `true`, `false` 	
+| Yes 
+| `false`
+
+| `--action`
+| Action to apply on the flow.
+| `Accept`, `Reject`
+| Yes
+| `Accept`
+
+| `--cidr`
+| CIDR to match on the flow. 
+| `1.1.1.0/24`, `1::100/64`, or `0.0.0.0/0`
+| Yes
+| `0.0.0.0/0`
+
+| `--protocol`
+| Protocol to match on the flow
+| `TCP`, `UDP`, `SCTP`, `ICMP`, or `ICMPv6` 	
+| No
+| -
+
+| `--direction`
+| Direction to match on the flow
+| `Ingress`, `Egress`
+| No
+| -
+
+| `--dport`
+| Destination port to match on the flow.
+| `80`, `443`, or `49051`
+| no
+| -
+
+| `--sport`
+| Source port to match on the flow.
+| `80`, `443`, or `49051`
+| No
+| -
+
+| `--port`
+| Port to match on the flow.
+| `80`, `443`, or `49051`
+| No 
+| -
+
+| `--sport_range`
+| Source port range to match on the flow.
+| `80-100` or `443-445`
+| No 	
+| -
+
+| `--dport_range` 	
+| Destination port range to match on the flow.
+| `80-100`
+| No
+| -
+
+| `--port_range`
+| Port range to match on the flow.
+| `80-100` or `443-445`
+| No
+| -
+
+| `--icmp_type`
+| ICMP type to match on the flow.
+| `8` or `13`
+| No
+| -
+
+| `--icmp_code`
+| ICMP code to match on the flow.
+| `0` or `1`
+| No
+| - 	
+
+| `--peer_ip`
+| Peer IP to match on the flow.
+| `1.1.1.1` or `1::1`
+| No 	
+| -
+|===
+
+[id="cli-reference-packet-capture-options_{context}"]
+== Packet capture options
+You can filter on port and protocol for packet capture data. 
+
+.`oc netobserv packets` syntax
+[source,terminal]
+----
+$ oc netobserv packets [<option>]
+----
+
+.Packet capture filter option
+|===
+|Option| Description| Possible values| Mandatory| Default
+| `--filter`
+| Enable packet capture filtering.
+| `tcp`, `udp`, or `<port>` You can specify filtering options using a comma as delimeter. For example, `tcp,80` specifies the `tcp` protocol and port `80`.
+| Yes
+| -
+|===
+
diff --git a/modules/network-observability-nodes-taints-tolerations.adoc b/modules/network-observability-nodes-taints-tolerations.adoc
new file mode 100644
index 000000000000..15fe8660f63c
--- /dev/null
+++ b/modules/network-observability-nodes-taints-tolerations.adoc
@@ -0,0 +1,44 @@
+// Module included in the following assemblies:
+//
+// network_observability/network-observability-scheduling-resources.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="network-observability-multi-tenancy{context}"]
+= Network Observability deployment in specific nodes
+You can configure the `FlowCollector` to control the deployment of Network Observability components in specific nodes. The `spec.agent.ebpf.advanced.scheduling`, `spec.processor.advanced.scheduling`, and `spec.consolePlugin.advanced.scheduling` specifications have the following configurable settings: 
+
+* `NodeSelector`
+* `Tolerations`
+* `Affinity`
+* `PriorityClassName`
+
+.Sample `FlowCollector` resource for `spec.<component>.advanced.scheduling` 
+[source,yaml]
+----
+apiVersion: flows.netobserv.io/v1beta2
+kind: FlowCollector
+metadata:
+  name: cluster
+spec:
+# ...
+advanced:
+  scheduling:
+    tolerations:
+    - key: "<taint key>"
+      operator: "Equal"
+      value: "<taint value>"
+      effect: "<taint effect>"
+      nodeSelector:
+        <key>: <value>
+      affinity:
+        nodeAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+          nodeSelectorTerms:
+          - matchExpressions:
+            - key: name
+              operator: In
+              values:
+              - app-worker-node
+      priorityClassName: """
+# ...
+----
\ No newline at end of file
diff --git a/modules/network-observability-operator-install.adoc b/modules/network-observability-operator-install.adoc
index b680d3536908..45b6da23b8e5 100644
--- a/modules/network-observability-operator-install.adoc
+++ b/modules/network-observability-operator-install.adoc
@@ -18,7 +18,7 @@ The actual memory consumption of the Operator depends on your cluster size and t
 * You must have `cluster-admin` privileges.
 * One of the following supported architectures is required: `amd64`, `ppc64le`, `arm64`, or `s390x`.
 * Any CPU supported by Red Hat Enterprise Linux (RHEL) 9.
-* Must be configured with OVN-Kubernetes or OpenShift SDN as the main network plugin, and optionally using secondary interfaces, such as Multus and SR-IOV.
+* Must be configured with OVN-Kubernetes or OpenShift SDN as the main network plugin, and optionally using secondary interfaces with Multus and SR-IOV.
 
 [NOTE]
 ====
diff --git a/modules/network-observability-packet-drops.adoc b/modules/network-observability-packet-drops.adoc
index c56c7e108d39..c90a7e8e4af7 100644
--- a/modules/network-observability-packet-drops.adoc
+++ b/modules/network-observability-packet-drops.adoc
@@ -28,7 +28,6 @@ metadata:
   name: cluster
 spec:
   namespace: netobserv
-  deploymentModel: Direct
   agent:
     type: eBPF
     ebpf:
diff --git a/modules/network-observability-predefined-metrics.adoc b/modules/network-observability-predefined-metrics.adoc
new file mode 100644
index 000000000000..a00b142c713f
--- /dev/null
+++ b/modules/network-observability-predefined-metrics.adoc
@@ -0,0 +1,9 @@
+// Module included in the following assemblies:
+//
+// network_observability/metrics-alerts-dashboards.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="network-observability-predefined-metrics_{context}"]
+= Predefined metrics
+
+Metrics generated by the `flowlogs-pipeline` are configurable in the `spec.processor.metrics.includeList` of the `FlowCollector` custom resource to add or remove metrics. 
\ No newline at end of file
diff --git a/modules/network-observability-quickfilter.adoc b/modules/network-observability-quickfilter.adoc
index 8bb28fbdbdfb..39664e46b3ac 100644
--- a/modules/network-observability-quickfilter.adoc
+++ b/modules/network-observability-quickfilter.adoc
@@ -11,8 +11,8 @@ Query Options::
 You can use *Query Options* to optimize the search results, as listed below:
 
 ** *Log Type*: The available options *Conversation* and *Flows* provide the ability to query flows by log type, such as flow log, new conversation, completed conversation, and a heartbeat, which is a periodic record with updates for long conversations. A conversation is an aggregation of flows between the same peers.
-** *Duplicated flows*: A flow might be reported from several interfaces, and from both source and destination nodes, making it appear in the data several times. By selecting this query option, you can choose to show duplicated flows. Duplicated flows have the same sources and destinations, including ports, and also have the same protocols, with the exception of `Interface` and `Direction` fields. Duplicates are hidden by default. Use the *Direction* filter in the *Common* section of the dropdown list to switch between ingress and egress traffic.
 ** *Match filters*: You can determine the relation between different filter parameters selected in the advanced filter. The available options are *Match all* and *Match any*. *Match all*  provides results that match all the values, and *Match any* provides results that match any of the values entered. The default value is *Match all*.
+** *Datasource*: You can choose the datasource to use for queries: *Loki*, *Prometheus*, or *Auto*. Notable performance improvements can be realized when using Prometheus as a datasource rather than Loki, but Prometheus supports a limited set of filters and aggregations. The default datasource is *Auto*, which uses Prometheus on supported queries or uses Loki if the query does not support Prometheus.
 ** *Drops filter*: You can view different levels of dropped packets with the following query options:
 *** *Fully dropped* shows flow records with fully dropped packets.
 *** *Containing drops* shows flow records that contain drops but can be sent.
diff --git a/modules/network-observability-viewing-alerts.adoc b/modules/network-observability-viewing-alerts.adoc
index 52684f5721fc..c47097b93dba 100644
--- a/modules/network-observability-viewing-alerts.adoc
+++ b/modules/network-observability-viewing-alerts.adoc
@@ -3,24 +3,9 @@
 // * network_observability/network-observability-operator-monitoring.adoc
 
 :_mod-docs-content-type: PROCEDURE
-[id="network-observability-alert-dashboard_{context}"]
+[id="network-observability-dashboard-view_{context}"]
 = Viewing health information
-
-You can access metrics about health and resource usage of the Network Observability Operator from the *Dashboards* page in the web console. A health alert banner that directs you to the dashboard can appear on the *Network Traffic* and *Home* pages in the event that an alert is triggered. Alerts are generated in the following cases:
-
-* The `NetObservLokiError` alert occurs if the `flowlogs-pipeline` workload is dropping flows because of Loki errors, such as if the Loki ingestion rate limit has been reached.
-* The `NetObservNoFlows` alert occurs if no flows are ingested for a certain amount of time.
-
-You can also view metrics about the health of the Operator in the following categories:
-
-* *Flows*
-* *Flows Overhead*
-* *Top flow rates per source and destination nodes*
-* *Top flow rates per source and destination namespaces*
-* *Top flow rates per source and destination workloads*
-* *Agents*
-* *Processor*
-* *Operator*
+You can access metrics about health and resource usage of the Network Observability Operator from the *Dashboards* page in the web console. 
 
 .Prerequisites
 
diff --git a/modules/network-observability-without-loki.adoc b/modules/network-observability-without-loki.adoc
index c8ffb5d45f88..367bb796ec4a 100644
--- a/modules/network-observability-without-loki.adoc
+++ b/modules/network-observability-without-loki.adoc
@@ -4,16 +4,25 @@
 :_mod-docs-content-type: REFERENCE
 [id="network-observability-without-loki_{context}"]
 = Network Observability without Loki
-You can use Network Observability without Loki by not performing the Loki installation steps and skipping directly to "Installing the Network Observability Operator". If you only want to export flows to a Kafka consumer or IPFIX collector, or you only need dashboard metrics, then you do not need to install Loki or provide storage for Loki.  Without Loki, there is no *Network Traffic* panel under *Observe*, which means there is no overview charts, flow table, or topology. The following table compares available features with and without Loki:
+You can use Network Observability without Loki by not performing the Loki installation steps and skipping directly to "Installing the Network Observability Operator". If you only want to export flows to a Kafka consumer or IPFIX collector, or you only need dashboard metrics, then you do not need to install Loki or provide storage for Loki. The following table compares available features with and without Loki.
 
 .Comparison of feature availability with and without Loki
 [options="header"]
 |===
 |                                     | *With Loki* | *Without Loki*
-| *Exporters*                         | image:check-solid.png[,10]  | image:check-solid.png[,10]
-| *Flow-based metrics and dashboards*             | image:check-solid.png[,10] | image:check-solid.png[,10]
-| *Traffic Flow Overview, Table and Topology views* | image:check-solid.png[,10] | image:x-solid.png[,10]
-| *Quick Filters*                     | image:check-solid.png[,10] | image:x-solid.png[,10]
-| *{product-title} console Network Traffic tab integration* | image:check-solid.png[,10] | image:x-solid.png[,10]
+| *Exporters*                         | image:check-solid.png[,10] | image:check-solid.png[,10]
+| *Multi-tenancy*                     | image:check-solid.png[,10] | image:x-solid.png[,10]
+| *Complete filtering and aggregations capabilities* ^[1]^| image:check-solid.png[,10] | image:x-solid.png[,10]
+| *Partial filtering and aggregations capabilities* ^[2]^ | image:check-solid.png[,10] | image:check-solid.png[,10]
+| *Flow-based metrics and dashboards* | image:check-solid.png[,10] | image:check-solid.png[,10]
+| *Traffic flows view overview* ^[3]^  | image:check-solid.png[,10] | image:check-solid.png[,10]
+| *Traffic flows view table*       | image:check-solid.png[,10] | image:x-solid.png[,10]
+| *Topology view*                | image:check-solid.png[,10] | image:check-solid.png[,10]
+| *{product-title} console Network Traffic tab integration* | image:check-solid.png[,10] | image:check-solid.png[,10]
 |===
-
+[.small]
+--
+1. Such as per pod.
+2. Such as per workload or namespace.
+3. Statistics on packet drops are only available with Loki.
+--
diff --git a/modules/network-observability-working-with-zones.adoc b/modules/network-observability-working-with-zones.adoc
index 374a5cfe2a99..ea898d6e2e93 100644
--- a/modules/network-observability-working-with-zones.adoc
+++ b/modules/network-observability-working-with-zones.adoc
@@ -23,7 +23,7 @@ metadata:
 spec:
 # ...
  processor:
-  addZone: true
+   addZone: true
 # ...
 ----
 
diff --git a/modules/node-tuning-hosted-cluster.adoc b/modules/node-tuning-hosted-cluster.adoc
index b509da75244e..6dae7b1ef625 100644
--- a/modules/node-tuning-hosted-cluster.adoc
+++ b/modules/node-tuning-hosted-cluster.adoc
@@ -1,13 +1,12 @@
 // Module included in the following assemblies:
 //
 // * scalability_and_performance/using-node-tuning-operator.adoc
+// * hosted_control_planes/hcp-machine-config.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="node-tuning-hosted-cluster_{context}"]
 = Configuring node tuning in a hosted cluster
 
-//# Manage node-level tuning with the Node Tuning Operator
-
 To set node-level tuning on the nodes in your hosted cluster, you can use the Node Tuning Operator. In {hcp}, you can configure node tuning by creating config maps that contain `Tuned` objects and referencing those config maps in your node pools.
 
 .Procedure
diff --git a/modules/nodes-cluster-enabling-features-about.adoc b/modules/nodes-cluster-enabling-features-about.adoc
index 57f6ffa03121..5605ffb18d4b 100644
--- a/modules/nodes-cluster-enabling-features-about.adoc
+++ b/modules/nodes-cluster-enabling-features-about.adoc
@@ -31,7 +31,6 @@ The following Technology Preview features are enabled by this feature set:
 ** StatefulSet pod availability upgrading limits. Enables users to define the maximum number of statefulset pods unavailable during updates which reduces application downtime. (`MaxUnavailableStatefulSet`)
 ** Admin Network Policy and Baseline Admin Network Policy. Enables `AdminNetworkPolicy` and `BaselineAdminNetworkPolicy` resources, which are part of the Network Policy V2 API, in clusters running the OVN-Kubernetes CNI plugin. Cluster administrators can apply cluster-scoped policies and safeguards for an entire cluster before namespaces are created. Network administrators can secure clusters by enforcing network traffic controls that cannot be overridden by users. Network administrators can enforce optional baseline network traffic controls that can be overridden by users in the cluster, if necessary. Currently, these APIs support only expressing policies for intra-cluster traffic. (`AdminNetworkPolicy`)
 ** `MatchConditions` is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of `matchConditions` matches all requests. (`admissionWebhookMatchConditions`)
-** Gateway API. To enable the {product-title} Gateway API, set the value of the `enabled` field to `true` in the `techPreview.gatewayAPI` specification of the `ServiceMeshControlPlane` resource.(`gateGatewayAPI`)
 ** `gcpLabelsTags`
 ** `vSphereStaticIPs`
 ** `routeExternalCertificate`
@@ -47,6 +46,38 @@ The following Technology Preview features are enabled by this feature set:
 ** `managedBootImages`
 ** `onClusterBuild`
 ** `signatureStores`
+** `DisableKubeletCloudCredentialProviders`
+** `BareMetalLoadBalancer`
+** `ClusterAPIInstallAWS`
+** `ClusterAPIInstallNutanix`
+** `ClusterAPIInstallOpenStack`
+** `ClusterAPIInstallVSphere`
+** `HardwareSpeed`
+** `KMSv1`
+** `NetworkDiagnosticsConfig`
+** `VSphereDriverConfiguration`
+** `ExternalOIDC`
+** `ChunkSizeMiB`
+** `ClusterAPIInstallGCP`
+** `ClusterAPIInstallPowerVS`
+** `EtcdBackendQuota`
+** `Example`
+** `ExternalRouteCertificate`
+** `ImagePolicy`
+** `InsightsConfig`
+** `InsightsOnDemandDataGather`
+** `MetricsCollectionProfiles`
+** `NewOLM`
+** `NodeDisruptionPolicy`
+** `PinnedImages`
+** `PlatformOperators`
+** `ServiceAccountTokenNodeBinding`
+** `ServiceAccountTokenNodeBindingValidation`
+** `ServiceAccountTokenPodNodeInfo`
+** `TranslateStreamCloseWebsocketRequests`
+** `UpgradeStatus`
+** `VSphereMultiVCenters`
+** `VolumeGroupSnapshot`
 --
 
 ////
diff --git a/modules/nodes-clusters-cgroups-2-install.adoc b/modules/nodes-clusters-cgroups-2-install.adoc
index f9a7a6b3bcf5..cf05f83d82b0 100644
--- a/modules/nodes-clusters-cgroups-2-install.adoc
+++ b/modules/nodes-clusters-cgroups-2-install.adoc
@@ -17,7 +17,7 @@ include::snippets/deprecated-feature.adoc[]
 +
 [source,yaml]
 ----
-apiVersion: config.openshift.io/v2
+apiVersion: config.openshift.io/v1
 kind: Node
 metadata:
   name: cluster
diff --git a/modules/nodes-clusters-cgroups-2.adoc b/modules/nodes-clusters-cgroups-2.adoc
index 5d01e7f79e1f..32d9cb906afb 100644
--- a/modules/nodes-clusters-cgroups-2.adoc
+++ b/modules/nodes-clusters-cgroups-2.adoc
@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * nodes/clusters/nodes-cluster-cgroups-2.adoc
-// * post_installation_configuration/machine-configuration-tasks.adoc
+// * post_installation_configuration/cluster-tasks.adoc
 
 ifeval::["{context}" == "nodes-cluster-cgroups-2"]
 :nodes:
diff --git a/modules/nodes-nodes-kernel-arguments.adoc b/modules/nodes-nodes-kernel-arguments.adoc
index 34c5b5e3e7a6..85ed0b3a8335 100644
--- a/modules/nodes-nodes-kernel-arguments.adoc
+++ b/modules/nodes-nodes-kernel-arguments.adoc
@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * nodes/nodes-nodes-managing.adoc
-// * post_installation_configuration/machine-configuration-tasks.adoc
+// * machine_configuration/machine-configs-configure.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="nodes-nodes-kernel-arguments_{context}"]
diff --git a/modules/nodes-nodes-rtkernel-arguments.adoc b/modules/nodes-nodes-rtkernel-arguments.adoc
index cfd0e5507ebe..73aee17f3ab8 100644
--- a/modules/nodes-nodes-rtkernel-arguments.adoc
+++ b/modules/nodes-nodes-rtkernel-arguments.adoc
@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * nodes/nodes/nodes-nodes-managing.adoc
-// * post_installation_configuration/machine-configuration-tasks.adoc
+// * machine_configuration/machine-configs-configure.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="nodes-nodes-rtkernel-arguments_{context}"]
diff --git a/modules/nodes-pods-secrets-about.adoc b/modules/nodes-pods-secrets-about.adoc
index b4902a6ed595..95e6df4d0b89 100644
--- a/modules/nodes-pods-secrets-about.adoc
+++ b/modules/nodes-pods-secrets-about.adoc
@@ -64,10 +64,12 @@ which is the default.
 
 Specify one of the following types to trigger minimal server-side validation to ensure the presence of specific key names in the secret data:
 
-* `kubernetes.io/service-account-token`. Uses a service account token.
-* `kubernetes.io/basic-auth`. Use with Basic Authentication.
-* `kubernetes.io/ssh-auth`. Use with SSH Key Authentication.
-* `kubernetes.io/tls`. Use with TLS certificate authorities.
+* `kubernetes.io/basic-auth`: Use with Basic authentication
+* `kubernetes.io/dockercfg`: Use as an image pull secret
+* `kubernetes.io/dockerconfigjson`: Use as an image pull secret
+* `kubernetes.io/service-account-token`: Use to obtain a legacy service account API token
+* `kubernetes.io/ssh-auth`: Use with SSH key authentication
+* `kubernetes.io/tls`: Use with TLS certificate authorities
 
 Specify `type: Opaque` if you do not want validation, which means the secret does not claim to conform to any convention for key names or values.
 An _opaque_ secret, allows for unstructured `key:value` pairs that can contain arbitrary values.
@@ -78,7 +80,7 @@ You can specify other arbitrary types, such as `example.com/my-secret-type`. The
 but indicate that the creator of the secret intended to conform to the key/value requirements of that type.
 ====
 
-For examples of different secret types, see the code samples in _Using Secrets_.
+For examples of creating different types of secrets, see _Understanding how to create secrets_.
 
 [id="nodes-pods-secrets-about-keys_{context}"]
 == Secret data keys
diff --git a/modules/nodes-pods-secrets-creating-sa.adoc b/modules/nodes-pods-secrets-creating-sa.adoc
index 5443175bbd03..2da2c55a88a9 100644
--- a/modules/nodes-pods-secrets-creating-sa.adoc
+++ b/modules/nodes-pods-secrets-creating-sa.adoc
@@ -4,24 +4,30 @@
 
 :_mod-docs-content-type: PROCEDURE
 [id="nodes-pods-secrets-creating-sa_{context}"]
-= Creating a service account token secret
+= Creating a legacy service account token secret
 
-As an administrator, you can create a service account token secret, which allows you to distribute a service account token to applications that must authenticate to the API.
+As an administrator, you can create a legacy service account token secret, which allows you to distribute a service account token to applications that must authenticate to the API.
 
-[NOTE]
+[WARNING]
 ====
-It is recommended to obtain bound service account tokens using the TokenRequest API instead of using service account token secrets. The tokens obtained from the TokenRequest API are more secure than the tokens stored in secrets, because they have a bounded lifetime and are not readable by other API clients.
+It is recommended to obtain bound service account tokens using the TokenRequest API instead of using legacy service account token secrets. You should create a service account token secret only if you cannot use the TokenRequest API and if the security exposure of a nonexpiring token in a readable API object is acceptable to you.
 
-You should create a service account token secret only if you cannot use the TokenRequest API and if the security exposure of a non-expiring token in a readable API object is acceptable to you.
+Bound service account tokens are more secure than service account token secrets for the following reasons:
 
-See the Additional resources section that follows for information on creating bound service account tokens.
+* Bound service account tokens have a bounded lifetime.
+* Bound service account tokens contain audiences.
+* Bound service account tokens can be bound to pods or secrets and the bound tokens are invalidated when the bound object is removed.
+
+Workloads are automatically injected with a projected volume to obtain a bound service account token. If your workload needs an additional service account token, add an additional projected volume in your workload manifest.
+
+For more information, see "Configuring bound service account tokens using volume projection".
 ====
 
 .Procedure
 
 . Create a `Secret` object in a YAML file on a control plane node:
 +
-.Example `secret` object:
+.Example `Secret` object
 [source,yaml]
 ----
 apiVersion: v1
diff --git a/modules/nodes-pods-vertical-autoscaler-install.adoc b/modules/nodes-pods-vertical-autoscaler-install.adoc
index 913e970aeea4..3615b691c88b 100644
--- a/modules/nodes-pods-vertical-autoscaler-install.adoc
+++ b/modules/nodes-pods-vertical-autoscaler-install.adoc
@@ -28,6 +28,8 @@ is automatically created if it does not exist.
 
 . Click *Install*.
 
+.Verifiction
+
 . Verify the installation by listing the VPA Operator components:
 
 .. Navigate to *Workloads* -> *Pods*.
@@ -36,7 +38,7 @@ is automatically created if it does not exist.
 
 .. Navigate to *Workloads* -> *Deployments* to verify that there are four deployments running.
 
-. Optional. Verify the installation in the {product-title} CLI using the following command:
+. Optional: Verify the installation in the {product-title} CLI using the following command:
 +
 [source,terminal]
 ----
diff --git a/modules/nodes-pods-vertical-autoscaler-moving-vpa.adoc b/modules/nodes-pods-vertical-autoscaler-moving-vpa.adoc
new file mode 100644
index 000000000000..08cf3a7ab509
--- /dev/null
+++ b/modules/nodes-pods-vertical-autoscaler-moving-vpa.adoc
@@ -0,0 +1,360 @@
+// Module included in the following assemblies:
+//
+// * machine_management/creating-infrastructure-machinesets.adoc
+// * nodes/pods/nodes-pods-vertical-autoscaler
+
+ifeval::["{context}" == "nodes-pods-vertical-autoscaler"]
+:vpa:
+endif::[]
+ifeval::["{context}" == "creating-infrastructure-machinesets"]
+:machinemgmt:
+endif::[]
+
+:_mod-docs-content-type: PROCEDURE
+[id="infrastructure-moving-vpa_{context}"]
+= Moving the Vertical Pod Autoscaler Operator components
+
+ifdef::machinemgmt[]
+The Vertical Pod Autoscaler Operator (VPA) consists of three components: the recommender, updater, and admission controller. The Operator and each component has its own pod in the VPA namespace on the control plane nodes. You can move the VPA Operator and component pods to infrastructure nodes by adding a node selector to the VPA subscription and the `VerticalPodAutoscalerController` CR.
+endif::machinemgmt[]
+ifdef::vpa[]
+The Vertical Pod Autoscaler Operator (VPA) and each component has its own pod in the VPA namespace on the control plane nodes. You can move the VPA Operator and component pods to infrastructure or worker nodes by adding a node selector to the VPA subscription and the `VerticalPodAutoscalerController` CR.
+
+You can create and use infrastructure nodes to host only infrastructure components, such as the default router, the integrated container image registry, and the components for cluster metrics and monitoring. These infrastructure nodes are not counted toward the total number of subscriptions that are required to run the environment. For more information, see _Creating infrastructure machine sets_.
+
+You can move the components to the same node or separate nodes as appropriate for your organization.
+endif::vpa[]
+
+The following example shows the default deployment of the VPA pods to the control plane nodes.
+
+.Example output
+[source,terminal]
+----
+NAME                                                READY   STATUS    RESTARTS   AGE     IP            NODE                  NOMINATED NODE   READINESS GATES
+vertical-pod-autoscaler-operator-6c75fcc9cd-5pb6z   1/1     Running   0          7m59s   10.128.2.24   c416-tfsbj-master-1   <none>           <none>
+vpa-admission-plugin-default-6cb78d6f8b-rpcrj       1/1     Running   0          5m37s   10.129.2.22   c416-tfsbj-master-1   <none>           <none>
+vpa-recommender-default-66846bd94c-dsmpp            1/1     Running   0          5m37s   10.129.2.20   c416-tfsbj-master-0   <none>           <none>
+vpa-updater-default-db8b58df-2nkvf                  1/1     Running   0          5m37s   10.129.2.21   c416-tfsbj-master-1   <none>           <none> 
+----
+
+.Procedure
+
+ifdef::machinemgmt[]
+. Move the VPA Operator pod by adding a node selector to the `Subscription` custom resource (CR) for the VPA Operator:
+
+.. Edit the CR:
++
+[source,terminal]
+----
+$ oc edit Subscription vertical-pod-autoscaler -n openshift-vertical-pod-autoscaler
+----
+
+.. Add a node selector to match the node role label on the infra node:
++
+[source,terminal]
+----
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  labels:
+    operators.coreos.com/vertical-pod-autoscaler.openshift-vertical-pod-autoscaler: ""
+  name: vertical-pod-autoscaler
+# ...
+spec:
+  config:
+    nodeSelector:
+      node-role.kubernetes.io/infra: "" <1>
+----
+<1> Specifies the node role of an infra node.
++
+[NOTE]
+====
+If the infra node uses taints, you need to add a toleration to the `Subscription` CR.
+
+For example:
+
+[source,terminal]
+----
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  labels:
+    operators.coreos.com/vertical-pod-autoscaler.openshift-vertical-pod-autoscaler: ""
+  name: vertical-pod-autoscaler
+# ...
+spec:
+  config:
+    nodeSelector:
+      node-role.kubernetes.io/infra: ""
+    tolerations: <1>
+    - key: "node-role.kubernetes.io/infra"
+      operator: "Exists"
+      effect: "NoSchedule"
+----
+====
+<1> Specifies a toleration for a taint on the infra node.
+
+. Move each VPA component by adding node selectors to the `VerticalPodAutoscaler` custom resource (CR):
+
+.. Edit the CR:
++
+[source,terminal]
+----
+$ oc edit VerticalPodAutoscalerController default -n openshift-vertical-pod-autoscaler
+----
+
+.. Add node selectors to match the node role label on the infra node:
++
+[source,terminal]
+----
+apiVersion: autoscaling.openshift.io/v1
+kind: VerticalPodAutoscalerController
+metadata:
+ name: default
+  namespace: openshift-vertical-pod-autoscaler
+# ...
+spec:
+  deploymentOverrides:
+    admission:
+      container:
+        resources: {}
+      nodeSelector:
+        node-role.kubernetes.io/infra: "" <1>
+    recommender:
+      container:
+        resources: {}
+      nodeSelector:
+        node-role.kubernetes.io/infra: "" <2>
+    updater:
+      container:
+        resources: {}
+      nodeSelector:
+        node-role.kubernetes.io/infra: "" <3>
+----
+<1> Optional: Specifies the node role for the VPA admission pod.
+<2> Optional: Specifies the node role for the VPA recommender pod.
+<3> Optional: Specifies the node role for the VPA updater pod.
++
+[NOTE]
+====
+If a target node uses taints, you need to add a toleration to the `VerticalPodAutoscalerController` CR.
+
+For example:
+
+[source,terminal]
+----
+apiVersion: autoscaling.openshift.io/v1
+kind: VerticalPodAutoscalerController
+metadata:
+ name: default
+  namespace: openshift-vertical-pod-autoscaler
+# ...
+spec:
+  deploymentOverrides:
+    admission:
+      container:
+        resources: {}
+      nodeSelector:
+        node-role.kubernetes.io/infra: ""
+      tolerations: <1>
+      - key: "my-example-node-taint-key"
+        operator: "Exists"
+        effect: "NoSchedule"
+    recommender:
+      container:
+        resources: {}
+      nodeSelector:
+        node-role.kubernetes.io/infra: ""
+      tolerations: <2>
+      - key: "my-example-node-taint-key"
+        operator: "Exists"
+        effect: "NoSchedule"
+    updater:
+      container:
+        resources: {}
+      nodeSelector:
+        node-role.kubernetes.io/infra: ""
+      tolerations: <3>
+      - key: "my-example-node-taint-key"
+        operator: "Exists"
+        effect: "NoSchedule"
+----
+====
+<1> Specifies a toleration for the admission controller pod for a taint on the infra node.
+<2> Specifies a toleration for the recommender pod for a taint on the infra node.
+<3> Specifies a toleration for the updater pod for a taint on the infra node.
+endif::machinemgmt[]
+
+ifdef::vpa[]
+. Move the VPA Operator pod by adding a node selector to the `Subscription` custom resource (CR) for the VPA Operator:
+
+.. Edit the CR:
++
+[source,terminal]
+----
+$ oc edit Subscription vertical-pod-autoscaler -n openshift-vertical-pod-autoscaler
+----
+
+.. Add a node selector to match the node role label on the node where you want to install the VPA Operator pod:
++
+[source,terminal]
+----
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  labels:
+    operators.coreos.com/vertical-pod-autoscaler.openshift-vertical-pod-autoscaler: ""
+  name: vertical-pod-autoscaler
+# ...
+spec:
+  config:
+    nodeSelector:
+      node-role.kubernetes.io/<node_role>: "" <1>
+----
+<1> Specifies the node role of the node where you want to move the VPA Operator pod.
++
+[NOTE]
+====
+If the infra node uses taints, you need to add a toleration to the `Subscription` CR.
+
+For example:
+
+[source,terminal]
+----
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  labels:
+    operators.coreos.com/vertical-pod-autoscaler.openshift-vertical-pod-autoscaler: ""
+  name: vertical-pod-autoscaler
+# ...
+spec:
+  config:
+    nodeSelector:
+      node-role.kubernetes.io/infra: ""
+    tolerations: <1>
+    - key: "node-role.kubernetes.io/infra"
+      operator: "Exists"
+      effect: "NoSchedule"
+----
+====
+<1> Specifies a toleration for a taint on the node where you want to move the VPA Operator pod.
+
+. Move each VPA component by adding node selectors to the `VerticalPodAutoscaler` custom resource (CR):
+
+.. Edit the CR:
++
+[source,terminal]
+----
+$ oc edit VerticalPodAutoscalerController default -n openshift-vertical-pod-autoscaler
+----
+
+.. Add node selectors to match the node role label on the node where you want to install the VPA components:
++
+[source,terminal]
+----
+apiVersion: autoscaling.openshift.io/v1
+kind: VerticalPodAutoscalerController
+metadata:
+ name: default
+  namespace: openshift-vertical-pod-autoscaler
+# ...
+spec:
+  deploymentOverrides:
+    admission:
+      container:
+        resources: {}
+      nodeSelector:
+        node-role.kubernetes.io/<node_role>: "" <1>
+    recommender:
+      container:
+        resources: {}
+      nodeSelector:
+        node-role.kubernetes.io/<node_role>: "" <2>
+    updater:
+      container:
+        resources: {}
+      nodeSelector:
+        node-role.kubernetes.io/<node_role>: "" <3>
+----
+<1> Optional: Specifies the node role for the VPA admission pod.
+<2> Optional: Specifies the node role for the VPA recommender pod.
+<3> Optional: Specifies the node role for the VPA updater pod.
++
+[NOTE]
+====
+If a target node uses taints, you need to add a toleration to the `VerticalPodAutoscalerController` CR.
+
+For example:
+
+[source,terminal]
+----
+apiVersion: autoscaling.openshift.io/v1
+kind: VerticalPodAutoscalerController
+metadata:
+ name: default
+  namespace: openshift-vertical-pod-autoscaler
+# ...
+spec:
+  deploymentOverrides:
+    admission:
+      container:
+        resources: {}
+      nodeSelector:
+        node-role.kubernetes.io/worker: ""
+      tolerations: <1>
+      - key: "my-example-node-taint-key"
+        operator: "Exists"
+        effect: "NoSchedule"
+    recommender:
+      container:
+        resources: {}
+      nodeSelector:
+        node-role.kubernetes.io/worker: ""
+      tolerations: <2>
+      - key: "my-example-node-taint-key"
+        operator: "Exists"
+        effect: "NoSchedule"
+    updater:
+      container:
+        resources: {}
+      nodeSelector:
+        node-role.kubernetes.io/worker: ""
+      tolerations: <3>
+      - key: "my-example-node-taint-key"
+        operator: "Exists"
+        effect: "NoSchedule"
+----
+====
+<1> Specifies a toleration for the admission controller pod for a taint on the node where you want to install the pod.
+<2> Specifies a toleration for the recommender pod for a taint on the node where you want to install the pod.
+<3> Specifies a toleration for the updater pod for a taint on the node where you want to install the pod.
+endif::vpa[]
+
+.Verification
+
+* You can verify the pods have moved by using the following command:
++
+[source,terminal]
+----
+$ oc get pods -n openshift-vertical-pod-autoscaler -o wide
+----
++
+The pods are no longer deployed to the control plane nodes.
++
+.Example output
+[source,terminal]
+----
+NAME                                                READY   STATUS    RESTARTS   AGE     IP            NODE                              NOMINATED NODE   READINESS GATES
+vertical-pod-autoscaler-operator-6c75fcc9cd-5pb6z   1/1     Running   0          7m59s   10.128.2.24   c416-tfsbj-infra-eastus3-2bndt   <none>           <none>
+vpa-admission-plugin-default-6cb78d6f8b-rpcrj       1/1     Running   0          5m37s   10.129.2.22   c416-tfsbj-infra-eastus1-lrgj8   <none>           <none>
+vpa-recommender-default-66846bd94c-dsmpp            1/1     Running   0          5m37s   10.129.2.20   c416-tfsbj-infra-eastus1-lrgj8   <none>           <none>
+vpa-updater-default-db8b58df-2nkvf                  1/1     Running   0          5m37s   10.129.2.21   c416-tfsbj-infra-eastus1-lrgj8   <none>           <none> 
+----
+
+ifeval::["{context}" == "nodes-pods-vertical-autoscaler"]
+:!vpa:
+endif::[]
+ifeval::["{context}" == "creating-infrastructure-machinesets"]
+:!machinemgmt:
+endif::[]
diff --git a/modules/nodes-sigstore-using-about.adoc b/modules/nodes-sigstore-using-about.adoc
new file mode 100644
index 000000000000..39ffe2ec583e
--- /dev/null
+++ b/modules/nodes-sigstore-using-about.adoc
@@ -0,0 +1,9 @@
+// Module included in the following assemblies:
+//
+// * nodes/nodes-sigstore-using.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="nodes-sigstore-using-about_{context}"]
+= About the sigstore project
+
+The sigstore project enables developers to sign-off on what they build and administrators to verify signatures and monitor workflows at scale. With the sigstore project, signatures can be stored in the same registry as the build images. A second server is not needed. The identity piece of a signature is tied to the OpenID Connect (OIDC) identity through the Fulcio certificate authority, which simplifies the signature process by allowing key-less signing. Additionally, sigstore includes Rekor, which records signature metadata to an immutable, tamper-resistant ledger.
\ No newline at end of file
diff --git a/modules/nvidia-gpu-enablement.adoc b/modules/nvidia-gpu-enablement.adoc
index c554e5b68aa6..23e9037f2cf8 100644
--- a/modules/nvidia-gpu-enablement.adoc
+++ b/modules/nvidia-gpu-enablement.adoc
@@ -14,5 +14,5 @@ image::512_OpenShift_NVIDIA_GPU_enablement_1223.png[NVIDIA GPU enablement]
 
 [NOTE]
 ====
-MIG is only supported with A30, A100, A100X, A800, AX800, H100, H200, and H800.
+MIG is only supported with A30, A100, A100X, A800, AX800, H100, and H800.
 ====
diff --git a/modules/nw-annotating-a-route-with-a-cookie-name.adoc b/modules/nw-annotating-a-route-with-a-cookie-name.adoc
index fd79f251f24b..a4666281a4f5 100644
--- a/modules/nw-annotating-a-route-with-a-cookie-name.adoc
+++ b/modules/nw-annotating-a-route-with-a-cookie-name.adoc
@@ -5,12 +5,13 @@
 // Module included in the following assemblies:
 //
 // * networking/configuring-routing.adoc
+// * microshift_networking/microshift-configuring-routes.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="nw-annotating-a-route-with-a-cookie-name_{context}"]
 = Annotating a route with a cookie
 
-You can set a cookie name to overwrite the default, auto-generated one for the route. This allows the application receiving route traffic to know the cookie name. By deleting the cookie it can force the next request to re-choose an endpoint. So, if a server was overloaded it tries to remove the requests from the client and redistribute them.
+You can set a cookie name to overwrite the default, auto-generated one for the route. This allows the application receiving route traffic to know the cookie name. Deleting the cookie can force the next request to re-choose an endpoint. The result is that if a server is overloaded, that server tries to remove the requests from the client and redistribute them.
 
 .Procedure
 
diff --git a/modules/nw-anp-audit-logging-concept.adoc b/modules/nw-anp-audit-logging-concept.adoc
new file mode 100644
index 000000000000..e06e975d3450
--- /dev/null
+++ b/modules/nw-anp-audit-logging-concept.adoc
@@ -0,0 +1,150 @@
+// Module included in the following assemblies:
+//
+// * networking/openshift_network_security/AdminNetworkPolicy/logging-anp-policy.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="nw-anp-audit-logging_{context}"]
+= AdminNetworkPolicy audit logging
+
+Audit logging is enabled per `AdminNetworkPolicy` CR by annotating an ANP policy with the `k8s.ovn.org/acl-logging` key such as in the following example:
+
+.Example of annotation for `AdminNetworkPolicy` CR
+[%collapsible]
+====
+[source,yaml]
+----
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+  annotations:
+    k8s.ovn.org/acl-logging: '{ "deny": "alert", "allow": "alert", "pass" : "warning" }'
+  name: anp-tenant-log
+spec:
+  priority: 5
+  subject:
+    namespaces:
+      matchLabels:
+        tenant: backend-storage # Selects all pods owned by storage tenant.
+  ingress:
+    - name: "allow-all-ingress-product-development-and-customer" # Product development and customer tenant ingress to backend storage.
+      action: "Allow"
+      from:
+      - pods:
+          namespaceSelector:
+            matchExpressions:
+            - key: tenant
+              operator: In
+              values:
+              - product-development
+              - customer
+          podSelector: {}
+    - name: "pass-all-ingress-product-security"
+      action: "Pass"
+      from:
+      - namespaces:
+          matchLabels:
+              tenant: product-security
+    - name: "deny-all-ingress" # Ingress to backend from all other pods in the cluster.
+      action: "Deny"
+      from:
+      - namespaces: {}
+  egress:
+    - name: "allow-all-egress-product-development"
+      action: "Allow"
+      to:
+      - pods:
+          namespaceSelector:
+            matchLabels:
+              tenant: product-development
+          podSelector: {}
+    - name: "pass-egress-product-security"
+      action: "Pass"
+      to:
+      - namespaces:
+           matchLabels:
+             tenant: product-security
+    - name: "deny-all-egress" # Egress from backend denied to all other pods.
+      action: "Deny"
+      to:
+      - namespaces: {}
+----
+====
+
+Logs are generated whenever a specific OVN ACL is hit and meets the action criteria set in your logging annotation. For example, an event in which any of the namespaces with the label `tenant: product-development` accesses the namespaces with the label `tenant: backend-storage`, a log is generated.
+
+
+[NOTE]
+====
+ACL logging is limited to 60 characters. If your ANP `name` field is long, the rest of the log will be truncated.
+====
+
+The following is a direction index for the examples log entries that follow:
+
+[cols=".^4,.^6a",options="header"]
+|====
+|Direction|Rule
+
+|Ingress
+|
+Rule0:: Allow from tenant `product-development` and `customer` to tenant `backend-storage`; Ingress0: `Allow`
+Rule1:: Pass from `product-security`to tenant `backend-storage`; Ingress1: `Pass`
+Rule2::	Deny ingress from all pods; Ingress2: `Deny`
+
+|Egress
+|
+Rule0:: Allow to `product-development`; Egress0: `Allow`
+Rule1:: Pass to `product-security`; Egress1: `Pass`
+Rule2:: Deny egress to all other pods; Egress2: `Deny`
+
+|====
+
+.Example ACL log entry for `Allow` action of the `AdminNetworkPolicy` named `anp-tenant-log` with `Ingress:0` and `Egress:0`
+
+[%collapsible]
+====
+[source,text]
+----
+2024-06-10T16:27:45.194Z|00052|acl_log(ovn_pinctrl0)|INFO|name="ANP:anp-tenant-log:Ingress:0", verdict=allow, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:1a,dl_dst=0a:58:0a:80:02:19,nw_src=10.128.2.26,nw_dst=10.128.2.25,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=57814,tp_dst=8080,tcp_flags=syn
+2024-06-10T16:28:23.130Z|00059|acl_log(ovn_pinctrl0)|INFO|name="ANP:anp-tenant-log:Ingress:0", verdict=allow, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:18,dl_dst=0a:58:0a:80:02:19,nw_src=10.128.2.24,nw_dst=10.128.2.25,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=38620,tp_dst=8080,tcp_flags=ack
+2024-06-10T16:28:38.293Z|00069|acl_log(ovn_pinctrl0)|INFO|name="ANP:anp-tenant-log:Egress:0", verdict=allow, severity=alert, direction=from-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:19,dl_dst=0a:58:0a:80:02:1a,nw_src=10.128.2.25,nw_dst=10.128.2.26,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=47566,tp_dst=8080,tcp_flags=fin|ack=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=55704,tp_dst=8080,tcp_flags=ack
+----
+====
+
+.Example ACL log entry for `Pass` action of the `AdminNetworkPolicy` named `anp-tenant-log` with `Ingress:1` and `Egress:1`
+
+[%collapsible]
+====
+[source,text]
+----
+2024-06-10T16:33:12.019Z|00075|acl_log(ovn_pinctrl0)|INFO|name="ANP:anp-tenant-log:Ingress:1", verdict=pass, severity=warning, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:1b,dl_dst=0a:58:0a:80:02:19,nw_src=10.128.2.27,nw_dst=10.128.2.25,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=37394,tp_dst=8080,tcp_flags=ack
+2024-06-10T16:35:04.209Z|00081|acl_log(ovn_pinctrl0)|INFO|name="ANP:anp-tenant-log:Egress:1", verdict=pass, severity=warning, direction=from-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:19,dl_dst=0a:58:0a:80:02:1b,nw_src=10.128.2.25,nw_dst=10.128.2.27,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=34018,tp_dst=8080,tcp_flags=ack
+----
+====
+
+.Example ACL log entry for `Deny` action of the `AdminNetworkPolicy` named `anp-tenant-log` with `Egress:2` and `Ingress2`
+
+[%collapsible]
+====
+[source,text]
+----
+2024-06-10T16:43:05.287Z|00087|acl_log(ovn_pinctrl0)|INFO|name="ANP:anp-tenant-log:Egress:2", verdict=drop, severity=alert, direction=from-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:19,dl_dst=0a:58:0a:80:02:18,nw_src=10.128.2.25,nw_dst=10.128.2.24,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=51598,tp_dst=8080,tcp_flags=syn
+2024-06-10T16:44:43.591Z|00090|acl_log(ovn_pinctrl0)|INFO|name="ANP:anp-tenant-log:Ingress:2", verdict=drop, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:1c,dl_dst=0a:58:0a:80:02:19,nw_src=10.128.2.28,nw_dst=10.128.2.25,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=33774,tp_dst=8080,tcp_flags=syn
+----
+====
+
+The following table describes ANP annotation:
+
+.Audit logging AdminNetworkPolicy annotation
+[cols=".^4,.^6a",options="header"]
+|====
+|Annotation|Value
+
+|`k8s.ovn.org/acl-logging`
+|
+You must specify at least one of `Allow`, `Deny`, or `Pass` to enable audit logging for a namespace.
+
+`Deny`:: Optional: Specify `alert`, `warning`, `notice`, `info`, or `debug`.
+`Allow`:: Optional: Specify `alert`, `warning`, `notice`, `info`, or `debug`.
+`Pass`:: Optional: Specify `alert`, `warning`, `notice`, `info`, or `debug`.
+|====
+
diff --git a/modules/nw-anp-banp-metrics.adoc b/modules/nw-anp-banp-metrics.adoc
new file mode 100644
index 000000000000..e1e05da42628
--- /dev/null
+++ b/modules/nw-anp-banp-metrics.adoc
@@ -0,0 +1,39 @@
+// Module included in the following assemblies:
+//
+// * list of assemblies where this module is included:
+// networking/network_security/AdminNetworkPolicy/nw-ovn-k-anp-banp-metric.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="anp-banp-metrics_{context}"]
+= Metrics for AdminNetworkPolicy
+
+[cols="1,1a,1"]
+|===
+| Name | Description |Explanation
+
+|`ovnkube_controller_admin_network_policies`
+|Not applicable
+|The total number of `AdminNetworkPolicy` resources in the cluster.
+
+|`ovnkube_controller_baseline_admin_network_policies`
+|Not applicable
+|The total number of `BaselineAdminNetworkPolicy` resources in the cluster. The value should be 0 or 1.
+
+|`ovnkube_controller_admin_network_policies_rules`
+|* `direction`: specifies either `Ingress` or `Egress`.
+* `action`: specifies either `Pass`, `Allow`, or `Deny`.
+|The total number of rules across all ANP policies in the cluster grouped by `direction` and `action`.
+
+|`ovnkube_controller_baseline_admin_network_policies_rules`
+|* `direction`: specifies either `Ingress` or `Egress`.
+* `action`: specifies either `Allow` or `Deny`.
+|The total number of rules across all BANP policies in the cluster grouped by `direction` and `action`.
+
+|`ovnkube_controller_admin_network_policies_db_objects`
+|`table_name`: specifies either `ACL` or `Address_Set`
+|The total number of OVN Northbound database (nbdb) objects that are created by all the ANP in the cluster grouped by the `table_name`.
+
+|`ovnkube_controller_baseline_admin_network_policies_db_objects`
+|`table_name`: specifies either `ACL` or `Address_Set`
+|The total number of OVN Northbound database (nbdb) objects that are created by all the BANP in the cluster grouped by the `table_name`.
+|===
\ No newline at end of file
diff --git a/modules/nw-anp-nodes-peer-concept.adoc b/modules/nw-anp-nodes-peer-concept.adoc
new file mode 100644
index 000000000000..367c5c11ccf1
--- /dev/null
+++ b/modules/nw-anp-nodes-peer-concept.adoc
@@ -0,0 +1,231 @@
+// Module included in the following assemblies:
+//
+// * networking/network_security/AdminNetworkPolicy/ovn-k-egress-nodes-networks-peer.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="nw-anp-egress_{context}"]
+= Northbound traffic controls for AdminNetworkPolicy and BaselineAdminNetworkPolicy
+
+In addition to supporting east-west traffic controls, ANP and BANP also allow administrators to control their northbound traffic leaving the cluster or traffic leaving the node to other nodes in the cluster. End-users can do the following:
+
+* Implement egress traffic control towards cluster nodes using `nodes` egress peer
+
+* Implement egress traffic control towards Kubernetes API servers using `nodes` or `networks` egress peers
+
+* Implement egress traffic control towards external destinations outside the cluster using `networks` peer
+
+[NOTE]
+====
+For ANP and BANP, `nodes` and `networks` peers can be specified for egress rules only.
+====
+
+[id="egress-traffic-control-towards-cluster-nodes_{context}"]
+== Using nodes peer to control egress traffic to cluster nodes
+
+Using the `nodes` peer administrators can control egress traffic from pods to nodes in the cluster. A benefit of this is that you do not have to change the policy when nodes are added to or deleted from the cluster.
+
+The following example allows egress traffic to the Kubernetes API server on port `6443` by any of the namespaces with a `restricted`, `confidential`, or `internal` level of security using the node selector peer. It also denies traffic to all worker nodes in your cluster from any of the namespaces with a `restricted`, `confidential`, or `internal` level of security.
+
+.Example of ANP `Allow` egress using `nodes` peer
+[%collapsible]
+====
+[source,yaml]
+----
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+  name: egress-security-allow
+spec:
+  egress:
+  - action: Deny
+    to:
+    - nodes:
+        matchExpressions:
+        - key: node-role.kubernetes.io/worker
+          operator: Exists
+  - action: Allow
+    name: allow-to-kubernetes-api-server-and-engr-dept-pods
+    ports:
+    - portNumber:
+        port: 6443
+        protocol: TCP
+    to:
+    - nodes: <1>
+        matchExpressions:
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+    - pods: <2>
+        namespaceSelector:
+          matchLabels:
+            dept: engr
+        podSelector: {}
+  priority: 55
+  subject: <3>
+    namespaces:
+      matchExpressions:
+      - key: security <4>
+        operator: In
+        values:
+        - restricted
+        - confidential
+        - internal
+----
+<1> Specifies a node or set of nodes in the cluster using the `matchExpressions` field.
+<2> Specifies all the pods labeled with `dept: engr`.
+<3> Specifies the subject of the ANP which includes any namespaces that match the labels used by the network policy. The example matches any of the namespaces with `restricted`, `confidential`, or `internal` level of `security`.
+<4> Specifies key/value pairs for `matchExpressions` field.
+====
+
+[id="egress-traffic-control-networks-peer-external-destinations_{context}"]
+== Using networks peer to control egress traffic towards external destinations
+
+Cluster administrators can use CIDR ranges in `networks` peer and apply a policy to control egress traffic leaving from pods and going to a destination configured at the IP address that is within the CIDR range specified with `networks` field.
+
+The following example uses `networks` peer and combines ANP and BANP policies to restrict egress traffic.
+
+[IMPORTANT]
+====
+Use the empty selector ({}) in the `namespace` field for ANP and BANP with caution. When using an empty selector, it also selects OpenShift namespaces.
+
+If you use values of `0.0.0.0/0` in a ANP or BANP `Deny` rule, you must set a higher priority ANP `Allow` rule to necessary destinations before setting the `Deny` to `0.0.0.0/0`.
+====
+
+.Example of ANP and BANP using `networks` peers
+[%collapsible]
+====
+[source,yaml]
+----
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+  name: network-as-egress-peer
+spec:
+  priority: 70
+  subject:
+    namespaces: {} # Use the empty selector with caution because it also selects OpenShift namespaces as well.
+  egress:
+  - name: "deny-egress-to-external-dns-servers"
+    action: "Deny"
+    to:
+    - networks:<1>
+      - 8.8.8.8/32
+      - 8.8.4.4/32
+      - 208.67.222.222/32
+    ports:
+      - portNumber:
+          protocol: UDP
+          port: 53
+  - name: "allow-all-egress-to-intranet"
+    action: "Allow"
+    to:
+    - networks: <2>
+      - 89.246.180.0/22
+      - 60.45.72.0/22
+  - name: "allow-all-intra-cluster-traffic"
+    action: "Allow"
+    to:
+    - namespaces: {} # Use the empty selector with caution because it also selects OpenShift namespaces as well.
+  - name: "pass-all-egress-to-internet"
+    action: "Pass"
+    to:
+    - networks:
+      - 0.0.0.0/0 <3>
+---
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: BaselineAdminNetworkPolicy
+metadata:
+  name: default
+spec:
+  subject:
+    namespaces: {} # Use the empty selector with caution because it also selects OpenShift namespaces as well.
+  egress:
+  - name: "deny-all-egress-to-internet"
+    action: "Deny"
+    to:
+    - networks:
+      - 0.0.0.0/0 <3>
+---
+----
+<1> Use `networks` to specify a range of CIDR networks outside of the cluster.
+<2> Specifies the CIDR ranges for the intra-cluster traffic from your resources.
+<3> Specifies a `Deny` egress to everything by setting `networks` values to `0.0.0.0/0`. Make sure you have a higher priority `Allow` rule to necessary destinations before setting a `Deny` to `0.0.0.0/0` because this will deny all traffic including to Kubernetes API and DNS servers.
+====
+
+Collectively the `network-as-egress-peer` ANP and `default` BANP using `networks` peers enforces the following egress policy:
+
+* All pods cannot talk to external DNS servers at the listed IP addresses.
+
+* All pods can talk to rest of the company's intranet.
+
+* All pods can talk to other pods, nodes, and services.
+
+* All pods cannot talk to the internet. Combining the last ANP `Pass` rule and the strong BANP `Deny` rule a guardrail policy is created that secures traffic in the cluster.
+
+[id="combined-nodes-peer-networks-peer-anp"]
+== Using nodes peer and networks peer together
+
+Cluster administrators can combine `nodes` and `networks` peer in your ANP and BANP policies.
+
+.Example of `nodes` and `networks` peer
+[%collapsible]
+====
+[source,yaml]
+----
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+  name: egress-peer-1 <1>
+spec:
+  egress: <2>
+  - action: "Allow"
+    name: "allow-egress"
+    to:
+    - nodes:
+        matchExpressions:
+        - key: worker-group
+          operator: In
+          values:
+          - workloads # Egress traffic from nodes with label worker-group: workloads is allowed.
+    - networks:
+      - 104.154.164.170/32
+    - pods:
+        namespaceSelector:
+          matchLabels:
+            apps: external-apps
+        podSelector:
+          matchLabels:
+            app: web # This rule in the policy allows the traffic directed to pods labeled apps: web in projects with apps: external-apps to leave the cluster.
+  - action: "Deny"
+    name: "deny-egress"
+    to:
+    - nodes:
+        matchExpressions:
+        - key: worker-group
+          operator: In
+          values:
+          - infra # Egress traffic from nodes with label worker-group: infra is denied.
+    - networks:
+      - 104.154.164.160/32 # Egress traffic to this IP address from cluster is denied.
+    - pods:
+        namespaceSelector:
+          matchLabels:
+            apps: internal-apps
+        podSelector: {}
+  - action: "Pass"
+    name: "pass-egress"
+    to:
+    - nodes:
+        matchExpressions:
+        - key: node-role.kubernetes.io/worker
+          operator: Exists # All other egress traffic is passed to NetworkPolicy or BANP for evaluation.
+  priority: 30 <3>
+  subject: <4>
+    namespaces:
+      matchLabels:
+        apps: all-apps
+----
+<1> Specifies the name of the policy.
+<2> For `nodes` and `networks` peers, you can only use northbound traffic controls in ANP as `egress`.
+<3> Specifies the priority of the ANP, determining the order in which they should be evaluated. Lower priority rules have higher precedence. ANP accepts values of 0-99 with 0 being the highest priority and 99 being the lowest.
+<4> Specifies the set of pods in the cluster on which the rules of the policy are to be applied. In the example, any pods with the `apps: all-apps` label across all namespaces are the `subject` of the policy.
+====
\ No newline at end of file
diff --git a/modules/nw-anp-np-reference.adoc b/modules/nw-anp-np-reference.adoc
new file mode 100644
index 000000000000..9bfb1487883b
--- /dev/null
+++ b/modules/nw-anp-np-reference.adoc
@@ -0,0 +1,67 @@
+// Module included in the following assemblies:
+//
+// * networking/openshift_network_security/logging-network-security.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="nw-anp-differences-networkpolicy_{context}"]
+= Key differences between AdminNetworkPolicy and NetworkPolicy custom resources
+
+The following table explains key differences between the cluster scoped `AdminNetworkPolicy` API and the namespace scoped `NetworkPolicy` API.
+
+[cols="1,1,1"]
+|===
+|Policy elements | AdminNetworkPolicy | NetworkPolicy
+
+|Applicable user
+|Cluster administrator or equivalent
+|Namespace owners
+
+|Scope
+|Cluster
+|Namespaced
+
+|Drop traffic
+|Supported with an explicit `Deny` action set as a rule.
+|Supported via implicit `Deny` isolation at policy creation time.
+
+|Delegate traffic
+|Supported with an `Pass` action set as a rule.
+|Not applicable
+
+|Allow traffic
+|Supported with an explicit `Allow` action set as a rule.
+|The default action for all rules is to allow.
+
+|Rule precedence within the policy
+|Depends on the order in which they appear within an ANP. The higher the rule's position the higher the precedence.
+|Rules are additive
+
+|Policy precedence
+|Among ANPs the `priority` field sets the order for evaluation. The lower the priority number higher the policy precedence.
+|There is no policy ordering between policies.
+
+|Feature precedence
+|Evaluated first via tier 1 ACL and BANP is evaluated last via tier 3 ACL.
+|Enforced after ANP and before BANP, they are evaluated in tier 2 of the ACL.
+
+|Matching pod selection
+|Can apply different rules across namespaces.
+|Can apply different rules across pods in single namespace.
+
+|Cluster egress traffic
+|Supported via `nodes` and `networks` peers
+|Supported through `ipBlock` field along with accepted CIDR syntax.
+
+|Cluster ingress traffic
+|Not supported
+|Not supported
+
+|Fully qualified domain names (FQDN) peer support
+|Not supported
+|Not supported
+
+|Namespace selectors
+|Supports advanced selection of Namespaces with the use of `namespaces.matchLabels` field
+|Supports label based namespace selection with the use of `namespaceSelector` field
+
+|===
\ No newline at end of file
diff --git a/modules/nw-audit-configuration.adoc b/modules/nw-audit-configuration.adoc
new file mode 100644
index 000000000000..b677a34c9b3e
--- /dev/null
+++ b/modules/nw-audit-configuration.adoc
@@ -0,0 +1,28 @@
+// Module included in the following assemblies:
+//
+// * networking/openshift_network_security/logging-network-security.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="network-policy-audit-configuration-{context}"]
+= Audit configuration
+
+The configuration for audit logging is specified as part of the OVN-Kubernetes cluster network provider configuration. The following YAML illustrates the default values for the audit logging:
+
+.Audit logging configuration
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1
+kind: Network
+metadata:
+  name: cluster
+spec:
+  defaultNetwork:
+    ovnKubernetesConfig:
+      policyAuditConfig:
+        destination: "null"
+        maxFileSize: 50
+        rateLimit: 20
+        syslogFacility: local0
+----
+
+The following table describes the configuration fields for audit logging.
\ No newline at end of file
diff --git a/modules/nw-banp-audit-logging-concept.adoc b/modules/nw-banp-audit-logging-concept.adoc
new file mode 100644
index 000000000000..c051a775732a
--- /dev/null
+++ b/modules/nw-banp-audit-logging-concept.adoc
@@ -0,0 +1,106 @@
+// Module included in the following assemblies:
+//
+// * networking/openshift_network_security/AdminNetworkPolicy/logging-anp-policy.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="nw-banp-audit-logging-concept_{context}"]
+= BaselineAdminNetworkPolicy audit logging
+
+Audit logging is enabled in the `BaselineAdminNetworkPolicy` CR by annotating an BANP policy with the `k8s.ovn.org/acl-logging` key such as in the following example:
+
+.Example of annotation for `BaselineAdminNetworkPolicy` CR
+[%collapsible]
+====
+[source,yaml]
+----
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: BaselineAdminNetworkPolicy
+metadata:
+  annotations:
+    k8s.ovn.org/acl-logging: '{ "deny": "alert", "allow": "alert"}'
+  name: default
+spec:
+  subject:
+    namespaces:
+      matchLabels:
+          tenant: workloads # Selects all workload pods in the cluster.
+  ingress:
+  - name: "default-allow-dns" # This rule allows ingress from dns tenant to all workloads.
+    action: "Allow"
+    from:
+    - namespaces:
+          matchLabels:
+            tenant: dns
+  - name: "default-deny-dns" # This rule denies all ingress from all pods to workloads.
+    action: "Deny"
+    from:
+    - namespaces: {} # Use the empty selector with caution because it also selects OpenShift namespaces as well.
+  egress:
+  - name: "default-deny-dns" # This rule denies all egress from workloads. It will be applied when no ANP or network policy matches.
+    action: "Deny"
+    to:
+    - namespaces: {} # Use the empty selector with caution because it also selects OpenShift namespaces as well.
+----
+====
+
+In the example, an event in which any of the namespaces with the label `tenant: dns` accesses the namespaces with the label `tenant: workloads`, a log is generated.
+
+The following is a direction index for the examples log entries that follow:
+
+[cols=".^4,.^6a",options="header"]
+|====
+|Direction|Rule
+
+|Ingress
+|Rule0:: Allow from tenant `dns` to tenant `workloads`; Ingress0: `Allow`
+Rule1:: Deny to tenant `workloads` from all pods; Ingress1: `Deny`
+
+|Egress
+|Rule0:: Deny to all pods; Egress0: `Deny`
+
+|====
+
+.Example ACL allow log entry for `Allow` action of `default` BANP with `Ingress:0`
+
+[%collapsible]
+====
+[source,text]
+----
+2024-06-10T18:11:58.263Z|00022|acl_log(ovn_pinctrl0)|INFO|name="BANP:default:Ingress:0", verdict=allow, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:82:02:57,dl_dst=0a:58:0a:82:02:56,nw_src=10.130.2.87,nw_dst=10.130.2.86,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=60510,tp_dst=8080,tcp_flags=syn
+2024-06-10T18:11:58.264Z|00023|acl_log(ovn_pinctrl0)|INFO|name="BANP:default:Ingress:0", verdict=allow, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:82:02:57,dl_dst=0a:58:0a:82:02:56,nw_src=10.130.2.87,nw_dst=10.130.2.86,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=60510,tp_dst=8080,tcp_flags=psh|ack
+2024-06-10T18:11:58.264Z|00024|acl_log(ovn_pinctrl0)|INFO|name="BANP:default:Ingress:0", verdict=allow, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:82:02:57,dl_dst=0a:58:0a:82:02:56,nw_src=10.130.2.87,nw_dst=10.130.2.86,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=60510,tp_dst=8080,tcp_flags=ack
+2024-06-10T18:11:58.264Z|00025|acl_log(ovn_pinctrl0)|INFO|name="BANP:default:Ingress:0", verdict=allow, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:82:02:57,dl_dst=0a:58:0a:82:02:56,nw_src=10.130.2.87,nw_dst=10.130.2.86,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=60510,tp_dst=8080,tcp_flags=ack
+2024-06-10T18:11:58.264Z|00026|acl_log(ovn_pinctrl0)|INFO|name="BANP:default:Ingress:0", verdict=allow, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:82:02:57,dl_dst=0a:58:0a:82:02:56,nw_src=10.130.2.87,nw_dst=10.130.2.86,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=60510,tp_dst=8080,tcp_flags=fin|ack
+2024-06-10T18:11:58.264Z|00027|acl_log(ovn_pinctrl0)|INFO|name="BANP:default:Ingress:0", verdict=allow, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:82:02:57,dl_dst=0a:58:0a:82:02:56,nw_src=10.130.2.87,nw_dst=10.130.2.86,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=60510,tp_dst=8080,tcp_flags=ack
+----
+====
+
+.Example ACL allow log entry for `Allow` action of `default` BANP with `Egress:0` and `Ingress:1`
+
+[%collapsible]
+====
+[source,text]
+----
+2024-06-10T18:09:57.774Z|00016|acl_log(ovn_pinctrl0)|INFO|name="BANP:default:Egress:0", verdict=drop, severity=alert, direction=from-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:82:02:56,dl_dst=0a:58:0a:82:02:57,nw_src=10.130.2.86,nw_dst=10.130.2.87,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=45614,tp_dst=8080,tcp_flags=syn
+2024-06-10T18:09:58.809Z|00017|acl_log(ovn_pinctrl0)|INFO|name="BANP:default:Egress:0", verdict=drop, severity=alert, direction=from-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:82:02:56,dl_dst=0a:58:0a:82:02:57,nw_src=10.130.2.86,nw_dst=10.130.2.87,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=45614,tp_dst=8080,tcp_flags=syn
+2024-06-10T18:10:00.857Z|00018|acl_log(ovn_pinctrl0)|INFO|name="BANP:default:Egress:0", verdict=drop, severity=alert, direction=from-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:82:02:56,dl_dst=0a:58:0a:82:02:57,nw_src=10.130.2.86,nw_dst=10.130.2.87,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=45614,tp_dst=8080,tcp_flags=syn
+2024-06-10T18:10:25.414Z|00019|acl_log(ovn_pinctrl0)|INFO|name="BANP:default:Ingress:1", verdict=drop, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:82:02:58,dl_dst=0a:58:0a:82:02:56,nw_src=10.130.2.88,nw_dst=10.130.2.86,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=40630,tp_dst=8080,tcp_flags=syn
+2024-06-10T18:10:26.457Z|00020|acl_log(ovn_pinctrl0)|INFO|name="BANP:default:Ingress:1", verdict=drop, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:82:02:58,dl_dst=0a:58:0a:82:02:56,nw_src=10.130.2.88,nw_dst=10.130.2.86,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=40630,tp_dst=8080,tcp_flags=syn
+2024-06-10T18:10:28.505Z|00021|acl_log(ovn_pinctrl0)|INFO|name="BANP:default:Ingress:1", verdict=drop, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:82:02:58,dl_dst=0a:58:0a:82:02:56,nw_src=10.130.2.88,nw_dst=10.130.2.86,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=40630,tp_dst=8080,tcp_flags=syn
+----
+====
+
+The following table describes BANP annotation:
+
+.Audit logging BaselineAdminNetworkPolicy annotation
+[cols=".^4,.^6a",options="header"]
+|====
+|Annotation|Value
+
+|`k8s.ovn.org/acl-logging`
+|
+You must specify at least one of `Allow` or `Deny` to enable audit logging for a namespace.
+
+`Deny`:: Optional: Specify `alert`, `warning`, `notice`, `info`, or `debug`.
+`Allow`:: Optional: Specify `alert`, `warning`, `notice`, `info`, or `debug`.
+|====
\ No newline at end of file
diff --git a/modules/nw-coredns-egress-firewall.adoc b/modules/nw-coredns-egress-firewall.adoc
index c1dfe30186b0..1c847be42a59 100644
--- a/modules/nw-coredns-egress-firewall.adoc
+++ b/modules/nw-coredns-egress-firewall.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/openshift_network_security/configuring-egress-firewall-ovn.adoc
+// * networking/network_security/configuring-egress-firewall-ovn.adoc
 
 :_mod-docs-content-type: CONCEPT
 [id="nw-coredns-egress-firewall_{context}"]
diff --git a/modules/nw-create-custom-ingress-controller.adoc b/modules/nw-create-custom-ingress-controller.adoc
new file mode 100644
index 000000000000..3a21d5aec02d
--- /dev/null
+++ b/modules/nw-create-custom-ingress-controller.adoc
@@ -0,0 +1,46 @@
+// Module included in the following assemblies:
+//
+// * networking/ingress-operator.adoc
+
+:_content-type: PROCEDURE
+[id="nw-create-custom-ingress-controller_{context}"]
+= Creating a custom Ingress Controller
+
+As a cluster administrator, you can create a new custom Ingress Controller. Because the default Ingress Controller might change during {product-title} updates, creating a custom Ingress Controller can be helpful when maintaining a configuration manually that persists across cluster updates.
+
+This example provides a minimal spec for a custom Ingress Controller. To further customize your custom Ingress Controller, see "Configuring the Ingress Controller".
+
+.Prerequisites
+
+* Install the OpenShift CLI (`oc`).
+* Log in as a user with `cluster-admin` privileges.
+
+.Procedure
+
+. Create a YAML file that defines the custom `IngressController` object:
++
+.Example `custom-ingress-controller.yaml` file
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1
+kind: IngressController
+metadata:
+    name: <custom_name> <1>
+    namespace: openshift-ingress-operator
+spec:
+    defaultCertificate:
+        name: <custom-ingress-custom-certs> <2>
+    replicas: 1 <3>
+    domain: <custom_domain> <4>
+----
+<1> Specify the a custom `name` for the `IngressController` object.
+<2> Specify the name of the secret with the custom wildcard certificate.
+<3> Minimum replica needs to be ONE
+<4> Specify the domain to your domain name. The domain specified on the IngressController object and the domain used for the certificate must match. For example, if the domain value is "custom_domain.mycompany.com", then the certificate must have SAN \*.custom_domain.mycompany.com (with the `*.` added to the domain).
+
+. Create the object by running the following command:
++
+[source,terminal]
+----
+$ oc create -f custom-ingress-controller.yaml
+----
diff --git a/modules/nw-disabling-hsts.adoc b/modules/nw-disabling-hsts.adoc
index f2b8467b6c2a..2c3a9f1dfefa 100644
--- a/modules/nw-disabling-hsts.adoc
+++ b/modules/nw-disabling-hsts.adoc
@@ -1,5 +1,6 @@
 // Module included in the following assemblies:
 // * networking/configuring-routing.adoc
+// * microshift_networking/microshift-configuring-routes.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="nw-disabling-hsts_{context}"]
@@ -8,9 +9,13 @@
 To disable HTTP strict transport security (HSTS) per-route, you can set the `max-age` value in the route annotation to `0`.
 
 .Prerequisites
-
+ifndef::microshift[]
 * You are logged in to the cluster with a user with administrator privileges for the project.
-* You installed the `oc` CLI.
+endif::microshift[]
+ifdef::microshift[]
+* You have root access to the cluster.
+endif::microshift[]
+* You installed the {oc-first}.
 
 .Procedure
 
diff --git a/modules/nw-dual-stack-convert.adoc b/modules/nw-dual-stack-convert.adoc
index 6d445bc6262c..31ce573af11b 100644
--- a/modules/nw-dual-stack-convert.adoc
+++ b/modules/nw-dual-stack-convert.adoc
@@ -6,13 +6,28 @@ As a cluster administrator, you can convert your single-stack cluster network to
 
 Converting a single-stack cluster network to a dual-stack cluster network consists of creating patches and applying them to the cluster's network and infrastructure.
 
-If you need to add IPv6 Virtual IPs (VIPs) for API and Ingress services to an existing dual-stack-configured cluster, you need to patch only the cluster's infrastructure and not the cluster's network.
-
 [NOTE]
 ====
 Each patch operation that changes `clusterNetwork`, `serviceNetwork`, `apiServerInternalIPs`, and `ingressIP` objects triggers a restart of the cluster. Changing the `MachineNetworks` object does not cause a reboot of the cluster.
 ====
 
+If you need to add IPv6 virtual IPs (VIPs) for API and Ingress services to an existing dual-stack-configured cluster, you need to patch only the cluster's infrastructure and not the cluster's network.
+
+[IMPORTANT]
+====
+If you already upgraded your cluster to {product-title} 4.16 or later and you need to convert the single-stack cluster network to a dual-stack cluster network, you must specify an existing IPv4 `machineNetwork` network configuration from the `install-config.yaml` file for API and Ingress services in the YAML configuration patch file. This configuration ensures that IPv4 traffic exists in the same network interface as the default gateway.
+
+.Example YAML configuration file with an added IPv4 address block for the `machineNetwork` network
+[source,yaml]
+----
+- op: add
+  path: /spec/platformSpec/baremetal/machineNetworks/- <1>
+  value: 192.168.1.0/24
+  # ...
+----
+<1> Ensure that you specify an address block for the `machineNetwork` network where your machines operate. You must select both API and Ingress IP addresses for the machine network.
+====
+
 .Prerequisites
 
 * You installed the OpenShift CLI (`oc`).
@@ -23,7 +38,7 @@ Each patch operation that changes `clusterNetwork`, `serviceNetwork`, `apiServer
 
 .Procedure
 
-. To specify IPv6 address blocks for the cluster and service networks, create a YAML configuration patch file that has a similar configuration to the following example:
+. To specify IPv6 address blocks for cluster and service networks, create a YAML configuration patch file that has a similar configuration to the following example:
 +
 [source,yaml]
 ----
diff --git a/modules/nw-egress-ips-about.adoc b/modules/nw-egress-ips-about.adoc
index 94253a4a9cff..2097acfda4bf 100644
--- a/modules/nw-egress-ips-about.adoc
+++ b/modules/nw-egress-ips-about.adoc
@@ -207,8 +207,6 @@ For users who want an egress IP and traffic to be routed over a particular inter
 
 * If a network interface is removed or if the IP address and subnet mask which allows the egress IP to be hosted on the interface is removed, then the egress IP is reconfigured. Consequently, it could be assigned to another node and interface.
 
-* The Egress IP must be IPv4. IPv6 is currently unsupported.
-
 * IP forwarding must be enabled for the network interface. To enable IP forwarding, you can use the `oc edit network.operator` command and edit the object like the following example:
 +
 [source,yaml]
diff --git a/modules/nw-egressnetworkpolicy-about.adoc b/modules/nw-egressnetworkpolicy-about.adoc
index b07f1a3f3f11..253a014fad28 100644
--- a/modules/nw-egressnetworkpolicy-about.adoc
+++ b/modules/nw-egressnetworkpolicy-about.adoc
@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * networking/openshift_sdn/configuring-egress-firewall.adoc
-// * networking/openshift_network_security/configuring-egress-firewall-ovn.adoc
+// * networking/network_security/configuring-egress-firewall-ovn.adoc
 
 ifeval::["{context}" == "configuring-egress-firewall-ovn"]
 :ovn:
diff --git a/modules/nw-egressnetworkpolicy-create.adoc b/modules/nw-egressnetworkpolicy-create.adoc
index 19e096940ac1..d49fd1aa1cb0 100644
--- a/modules/nw-egressnetworkpolicy-create.adoc
+++ b/modules/nw-egressnetworkpolicy-create.adoc
@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * networking/openshift_sdn/configuring-egress-firewall.adoc
-// * networking/openshift_network_security/configuring-egress-firewall-ovn.adoc
+// * networking/network_security/configuring-egress-firewall-ovn.adoc
 
 ifeval::["{context}" == "openshift-sdn-egress-firewall"]
 :kind: EgressNetworkPolicy
diff --git a/modules/nw-egressnetworkpolicy-object.adoc b/modules/nw-egressnetworkpolicy-object.adoc
index 58d65d46f6ce..1fb10b04e834 100644
--- a/modules/nw-egressnetworkpolicy-object.adoc
+++ b/modules/nw-egressnetworkpolicy-object.adoc
@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * networking/openshift_sdn/configuring-egress-firewall.adoc
-// * networking/openshift_network_security/configuring-egress-firewall-ovn.adoc
+// * networking/network_security/configuring-egress-firewall-ovn.adoc
 
 ifeval::["{context}" == "openshift-sdn-egress-firewall"]
 :kind: EgressNetworkPolicy
diff --git a/modules/nw-egressnetworkpolicy-view.adoc b/modules/nw-egressnetworkpolicy-view.adoc
index 1fc4c284bd5e..5088adcb11c0 100644
--- a/modules/nw-egressnetworkpolicy-view.adoc
+++ b/modules/nw-egressnetworkpolicy-view.adoc
@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * networking/openshift_sdn/configuring-egress-firewall.adoc
-// * networking/openshift_network_security/configuring-egress-firewall-ovn.adoc
+// * networking/network_security/configuring-egress-firewall-ovn.adoc
 
 ifeval::["{context}" == "openshift-sdn-viewing-egress-firewall"]
 :kind: EgressNetworkPolicy
diff --git a/modules/nw-enabling-hsts-per-route.adoc b/modules/nw-enabling-hsts-per-route.adoc
index 2c0db08e6594..ba9d069ce890 100644
--- a/modules/nw-enabling-hsts-per-route.adoc
+++ b/modules/nw-enabling-hsts-per-route.adoc
@@ -1,5 +1,6 @@
 // Module included in the following assemblies:
 // * networking/configuring-routing.adoc
+// * microshift_networking/microshift-configuring-routes.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="nw-enabling-hsts-per-route_{context}"]
@@ -8,9 +9,13 @@
 HTTP strict transport security (HSTS) is implemented in the HAProxy template and applied to edge and re-encrypt routes that have the `haproxy.router.openshift.io/hsts_header` annotation.
 
 .Prerequisites
-
+ifndef::microshift[]
 * You are logged in to the cluster with a user with administrator privileges for the project.
-* You installed the `oc` CLI.
+endif::microshift[]
+ifdef::microshift[]
+* You have root access to the cluster.
+endif::microshift[]
+* You installed the {oc-first}.
 
 .Procedure
 
@@ -21,7 +26,7 @@ HTTP strict transport security (HSTS) is implemented in the HAProxy template and
 $ oc annotate route <route_name> -n <namespace> --overwrite=true "haproxy.router.openshift.io/hsts_header"="max-age=31536000;\ <1>
 includeSubDomains;preload"
 ----
-<1> In this example, the maximum age is set to `31536000` ms, which is approximately eight and a half hours.
+<1> In this example, the maximum age is set to `31536000` ms, which is approximately 8.5 hours.
 +
 [NOTE]
 ====
diff --git a/modules/nw-enabling-hsts.adoc b/modules/nw-enabling-hsts.adoc
index 3100cc303805..52c61e4fd872 100644
--- a/modules/nw-enabling-hsts.adoc
+++ b/modules/nw-enabling-hsts.adoc
@@ -1,6 +1,7 @@
 // Module filename: nw-enabling-hsts.adoc
 // Module included in the following assemblies:
 // * networking/configuring-routing.adoc
+// * microshift_networking/microshift-configuring-routes.adoc
 
 [id="nw-enabling-hsts_{context}"]
 = HTTP Strict Transport Security
diff --git a/modules/nw-enforcing-hsts-per-domain.adoc b/modules/nw-enforcing-hsts-per-domain.adoc
index 54d388270375..e9863418aaac 100644
--- a/modules/nw-enforcing-hsts-per-domain.adoc
+++ b/modules/nw-enforcing-hsts-per-domain.adoc
@@ -1,4 +1,5 @@
 // Module included in the following assemblies:
+//
 // * networking/configuring-routing.adoc
 
 :_mod-docs-content-type: PROCEDURE
@@ -25,13 +26,12 @@ HSTS cannot be applied to insecure, or non-TLS routes, even if HSTS is requested
 ====
 
 .Prerequisites
-
 * You are logged in to the cluster with a user with administrator privileges for the project.
-* You installed the `oc` CLI.
+* You installed the {oc-first}.
 
 .Procedure
 
-. Edit the Ingress config file:
+. Edit the Ingress configuration YAML by running the following command and updating fields as needed:
 +
 [source,terminal]
 ----
@@ -47,19 +47,19 @@ metadata:
   name: cluster
 spec:
   domain: 'hello-openshift-default.apps.username.devcluster.openshift.com'
-  requiredHSTSPolicies: <1>
-  - domainPatterns: <2>
+  requiredHSTSPolicies: # <1>
+  - domainPatterns: # <2>
     - '*hello-openshift-default.apps.username.devcluster.openshift.com'
     - '*hello-openshift-default2.apps.username.devcluster.openshift.com'
-    namespaceSelector: <3>
+    namespaceSelector: # <3>
       matchLabels:
         myPolicy: strict
-    maxAge: <4>
+    maxAge: # <4>
       smallestMaxAge: 1
       largestMaxAge: 31536000
-    preloadPolicy: RequirePreload <5>
-    includeSubDomainsPolicy: RequireIncludeSubDomains <6>
-  - domainPatterns: <2>
+    preloadPolicy: RequirePreload # <5>
+    includeSubDomainsPolicy: RequireIncludeSubDomains # <6>
+  - domainPatterns:
     - 'abc.example.com'
     - '*xyz.example.com'
     namespaceSelector:
diff --git a/modules/nw-http-header-configuration.adoc b/modules/nw-http-header-configuration.adoc
index 77ea3831ce06..ec8b51b3fd21 100644
--- a/modules/nw-http-header-configuration.adoc
+++ b/modules/nw-http-header-configuration.adoc
@@ -6,14 +6,29 @@
 :_mod-docs-content-type: CONCEPT
 [id="nw-http-header-configuration_{context}"]
 = HTTP header configuration
-
+ifndef::microshift[]
 {product-title} provides different methods for working with HTTP headers. When setting or deleting headers, you can use specific fields in the Ingress Controller or an individual route to modify request and response headers. You can also set certain headers by using route annotations. The various ways of configuring headers can present challenges when working together.
+endif::microshift[]
+
+ifdef::microshift[]
+When setting or deleting headers, you can use an individual route to modify request and response headers. You can also set certain headers by using route annotations. The various ways of configuring headers can present challenges when working together.
+endif::microshift[]
 
+ifndef::microshift[]
 [NOTE]
 ====
 You can only set or delete headers within an `IngressController` or `Route` CR, you cannot append them. If an HTTP header is set with a value, that value must be complete and not require appending in the future. In situations where it makes sense to append a header, such as the X-Forwarded-For header, use the `spec.httpHeaders.forwardedHeaderPolicy` field, instead of `spec.httpHeaders.actions`.
 ====
+endif::microshift[]
 
+ifdef::microshift[]
+[NOTE]
+====
+You can only set or delete headers within a `Route` CR. You cannot append headers. If an HTTP header is set with a value, that value must be complete and not require appending in the future. In situations where it makes sense to append a header, such as the X-Forwarded-For header, use the `spec.httpHeaders.forwardedHeaderPolicy` field, instead of `spec.httpHeaders.actions`.
+====
+endif::microshift[]
+
+ifndef::microshift[]
 [id="nw-http-header-configuration-order_{context}"]
 == Order of precedence
 
@@ -43,6 +58,7 @@ spec:
 ----
 
 A route owner sets the same response header that the cluster administrator set in the Ingress Controller, but with the value `SAMEORIGIN` using the following configuration:
+endif::microshift[]
 
 .Example `Route` spec
 [source,yaml]
@@ -60,10 +76,10 @@ spec:
           set:
             value: SAMEORIGIN
 ----
+ifndef::microshift[]
+When both the `IngressController` spec and `Route` spec are configuring the X-Frame-Options response header, then the value set for this header at the global level in the Ingress Controller takes precedence, even if a specific route allows frames. For a request header, the `Route` spec value overrides the `IngressController` spec value.
 
-When both the `IngressController` spec and `Route` spec are configuring the X-Frame-Options header, then the value set for this header at the global level in the Ingress Controller will take precedence, even if a specific route allows frames.
-
-This prioritzation occurs because the `haproxy.config` file uses the following logic, where the Ingress Controller is considered the front end and individual routes are considered the back end. The header value `DENY` applied to the front end configurations overrides the same header with the value `SAMEORIGIN` that is set in the back end:
+This prioritization occurs because the `haproxy.config` file uses the following logic, where the Ingress Controller is considered the front end and individual routes are considered the back end. The header value `DENY` applied to the front end configurations overrides the same header with the value `SAMEORIGIN` that is set in the back end:
 
 [source,text]
 ----
@@ -81,12 +97,18 @@ backend be_secure:openshift-monitoring:alertmanager-main
 ----
 
 Additionally, any actions defined in either the Ingress Controller or a route override values set using route annotations.
+endif::microshift[]
+
+ifdef::microshift[]
+Any actions defined in a route override values set using route annotations.
+endif::microshift[]
 
 [id="nw-http-header-configuration-special-cases_{context}"]
 == Special case headers
 
 The following headers are either prevented entirely from being set or deleted, or allowed under specific circumstances:
 
+ifndef::microshift[]
 .Special case header configuration options
 [cols="5*a",options="header"]
 |===
@@ -120,3 +142,34 @@ The following headers are either prevented entirely from being set or deleted, o
 * the `haproxy.router.openshift.io/cookie_name` route annotation
 
 |===
+endif::microshift[]
+
+ifdef::microshift[]
+|===
+|Header name |Configurable using `Route` spec |Reason for disallowment |Configurable using another method
+
+|`proxy`
+|No
+|The `proxy` HTTP request header can be used to exploit vulnerable CGI applications by injecting the header value into the `HTTP_PROXY` environment variable. The `proxy` HTTP request header is also non-standard and prone to error during configuration.
+|No
+
+|`host`
+|Yes
+|When the `host` HTTP request header is set using the `IngressController` CR, HAProxy can fail when looking up the correct route.
+|No
+
+|`strict-transport-security`
+|No
+|The `strict-transport-security` HTTP response header is already handled using route annotations and does not need a separate implementation.
+|Yes: the `haproxy.router.openshift.io/hsts_header` route annotation
+
+|`cookie` and `set-cookie`
+|No
+|The cookies that HAProxy sets are used for session tracking to map client connections to particular back-end servers. Allowing these headers to be set could interfere with HAProxy's session affinity and restrict HAProxy's ownership of a cookie.
+|Yes:
+
+* the `haproxy.router.openshift.io/disable_cookie` route annotation
+* the `haproxy.router.openshift.io/cookie_name` route annotation
+
+|===
+endif::microshift[]
\ No newline at end of file
diff --git a/modules/nw-infw-operator-cr.adoc b/modules/nw-infw-operator-cr.adoc
index c6f26992a09b..0e87fc0a4fcb 100644
--- a/modules/nw-infw-operator-cr.adoc
+++ b/modules/nw-infw-operator-cr.adoc
@@ -17,6 +17,4 @@ The Ingress Node Firewall Operator supports only stateless firewall rules.
 Network interface controllers (NICs) that do not support native XDP drivers will run at a lower performance.
 
 For {product-title} 4.14 or later, you must run Ingress Node Firewall Operator on {op-system-base} 9.0 or later.
-
-Ingress Node Firewall Operator is not supported on {aws-first} with the default OpenShift installation or on {product-rosa} (ROSA). For more information on {product-rosa} support and ingress, see link:https://docs.openshift.com/rosa/networking/ingress-operator.html[Ingress Operator in Red Hat OpenShift Service on AWS].
 ====
diff --git a/modules/nw-ingress-creating-a-route-via-an-ingress.adoc b/modules/nw-ingress-creating-a-route-via-an-ingress.adoc
index c731b15abbad..a70a4926f7d8 100644
--- a/modules/nw-ingress-creating-a-route-via-an-ingress.adoc
+++ b/modules/nw-ingress-creating-a-route-via-an-ingress.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * networking/routes/route-configuration.adoc
+// * microshift_networking/microshift-configuring-routes.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="nw-ingress-creating-a-route-via-an-ingress_{context}"]
diff --git a/modules/nw-ingress-edge-route-default-certificate.adoc b/modules/nw-ingress-edge-route-default-certificate.adoc
index cb78131f0ede..9dd9c76b7fc9 100644
--- a/modules/nw-ingress-edge-route-default-certificate.adoc
+++ b/modules/nw-ingress-edge-route-default-certificate.adoc
@@ -1,9 +1,10 @@
 // This is included in the following assemblies:
 //
-// networking/routes/route-configuration.adoc
+// * networking/routes/route-configuration.adoc
+// * microshift_networking/microshift-configuring-routes.adoc
 
 :_mod-docs-content-type: PROCEDURE
-[id="creating-edge-route-with-default-certificate_{context}"]
+[id="nw-ingress-edge-route-default-certificate_{context}"]
 = Creating a route using the default certificate through an Ingress object
 
 If you create an Ingress object without specifying any TLS configuration, {product-title} generates an insecure route. To create an Ingress object that generates a secure, edge-terminated route using the default ingress certificate, you can specify an empty TLS configuration as follows.
@@ -42,6 +43,7 @@ $ oc create -f example-ingress.yaml
 ----
 
 .Verification
+
 * Verify that {product-title} has created the expected route for the Ingress object by running the following command:
 +
 [source,terminal]
diff --git a/modules/nw-ingress-integrating-route-secret-certificate.adoc b/modules/nw-ingress-integrating-route-secret-certificate.adoc
new file mode 100644
index 000000000000..4ac39bf62fa0
--- /dev/null
+++ b/modules/nw-ingress-integrating-route-secret-certificate.adoc
@@ -0,0 +1,6 @@
+//
+// * ingress/routes.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="nw-ingress-integrating-route-secret-certificate_{context}"]
+= Securing route with external certificates in TLS secrets
diff --git a/modules/nw-ingress-reencrypt-route-custom-cert.adoc b/modules/nw-ingress-reencrypt-route-custom-cert.adoc
index b76816bd9c80..a9b11ff079d3 100644
--- a/modules/nw-ingress-reencrypt-route-custom-cert.adoc
+++ b/modules/nw-ingress-reencrypt-route-custom-cert.adoc
@@ -1,9 +1,10 @@
 // This is included in the following assemblies:
 //
-// networking/routes/route-configuration.adoc
+// * networking/routes/route-configuration.adoc
+// * microshift_networking/microshift-configuring-routes.adoc
 
 :_mod-docs-content-type: PROCEDURE
-[id="creating-re-encrypt-route-with-custom-certificate_{context}"]
+[id="nw-ingress-re-encrypt-route-custom-cert_{context}"]
 = Creating a route using the destination CA certificate in the Ingress annotation
 
 The `route.openshift.io/destination-ca-certificate-secret` annotation can be used on an Ingress object to define a route with a custom destination CA certificate.
@@ -14,7 +15,6 @@ The `route.openshift.io/destination-ca-certificate-secret` annotation can be use
 * You must have a separate destination CA certificate in a PEM-encoded file.
 * You must have a service that you want to expose.
 
-
 .Procedure
 
 . Add the `route.openshift.io/destination-ca-certificate-secret` to the Ingress annotations:
diff --git a/modules/nw-ingress-route-secret-load-external-cert.adoc b/modules/nw-ingress-route-secret-load-external-cert.adoc
new file mode 100644
index 000000000000..2b39444ff29c
--- /dev/null
+++ b/modules/nw-ingress-route-secret-load-external-cert.adoc
@@ -0,0 +1,82 @@
+// Module included in the following assemblies:
+//
+// * networking/routes/secured-routes.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="nw-ingress-route-secret-load-external-cert_{context}"]
+= Creating a route with externally managed certificate
+
+:FeatureName: Securing route with external certificates in TLS secrets
+include::snippets/technology-preview.adoc[]
+
+You can configure {product-title} routes with third-party certificate management solutions by using the `.spec.tls.externalCertificate` field of the route API. You can reference externally managed TLS certificates via secrets, eliminating the need for manual certificate management. Using the externally managed certificate reduces errors ensuring a smoother rollout of certificate updates, enabling the OpenShift router to serve renewed certificates promptly. 
+
+[NOTE]
+====
+This feature applies to both edge routes and re-encrypt routes.
+====
+
+.Prerequisites
+
+* You must enable the `RouteExternalCertificate` feature gate.
+* You must have the `create` and `update` permissions on the `routes/custom-host`.
+* You must have a secret containing a valid certificate/key pair in PEM-encoded format of type `kubernetes.io/tls`, which includes both `tls.key` and `tls.crt` keys.
+* You must place the referenced secret in the same namespace as the route you want to secure.
+
+.Procedure
+
+. Create a `role` in the same namespace as the secret to allow the router service account read access by running the following command:
++
+[source,terminal]
+----
+$ oc create role secret-reader --verb=get,list,watch --resource=secrets --resource-name=<secret-name> \ <1> 
+--namespace=<current-namespace> <2>
+----
+<1> Specify the actual name of your secret.
+<2> Specify the namespace where both your secret and route reside.
+
+. Create a `rolebinding` in the same namespace as the secret and bind the router service account to the newly created role by running the following command:
++
+[source,terminal]
+----
+$ oc create rolebinding secret-reader-binding --role=secret-reader --serviceaccount=openshift-ingress:router --namespace=<current-namespace> <1>
+----
+<1> Specify the namespace where both your secret and route reside.
+
+. Create a YAML file that defines the `route` and specifies the secret containing your certificate using the following example. 
++
+.YAML definition of the secure route
+[source,yaml]
+----
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: myedge
+  namespace: test
+spec:
+  host: myedge-test.apps.example.com
+  tls:
+    externalCertificate:
+      name: <secret-name> <1>
+    termination: edge
+    [...]
+[...]
+----
+<1> Specify the actual name of your secret.
+
+. Create a `route` resource by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f <route.yaml> <1>
+----
+<1> Specify the generated YAML filename.
+
+If the secret exists and has a certificate/key pair, the router will serve the generated certificate if all prerequisites are met.
+
+[NOTE]
+====
+If `.spec.tls.externalCertificate` is not provided, the router will use default generated certificates. 
+
+You cannot provide the `.spec.tls.certificate` field  or the `.spec.tls.key` field when using the `.spec.tls.externalCertificate` field.
+====
diff --git a/modules/nw-metallb-configuring-frr-8ks.adoc b/modules/nw-metallb-configuring-frr-8ks.adoc
new file mode 100644
index 000000000000..34697a818166
--- /dev/null
+++ b/modules/nw-metallb-configuring-frr-8ks.adoc
@@ -0,0 +1,30 @@
+// Module included in the following assemblies:
+//
+// * networking/metallb/metallb-frr-k8s.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="nw-metallb-configuring-frr-k8s_{context}"]
+= Activating the integration of MetalLB and FRR-K8s
+
+The following procedure shows you how to activate `FRR-K8s` as the backend for `MetalLB`.
+
+.Prerequisites
+
+* You have a cluster installed on bare-metal hardware.
+* You have installed the OpenShift CLI (`oc`).
+* You have logged in as a user with `cluster-admin` privileges.
+
+.Procedure
+
+* Set the `bgpBackend` field of the `MetalLB` CR to `frr-k8s` as in the following example:
++
+[source,yaml]
+----
+apiVersion: metallb.io/v1beta1
+kind: MetalLB
+metadata:
+  name: metallb
+  namespace: metallb-system
+spec:
+  bgpBackend: frr-k8s
+----
\ No newline at end of file
diff --git a/modules/nw-metallb-frr-configurations.adoc b/modules/nw-metallb-frr-configurations.adoc
new file mode 100644
index 000000000000..a449e8e71588
--- /dev/null
+++ b/modules/nw-metallb-frr-configurations.adoc
@@ -0,0 +1,59 @@
+// Module included in the following assemblies:
+//
+// * networking/metallb/metallb-frr-k8s.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="nw-metallb-configuring-frr-k8s-configuratons_{context}"]
+= FRR configurations
+
+You can create multiple `FRRConfiguration` CRs to use `FRR` services in `MetalLB`. 
+`MetalLB` generates an `FRRConfiguration` object which `FRR-K8s` merges with all other configurations that all users have created.
+
+For example, you can configure `FRR-K8s` to receive all of the prefixes advertised by a given neighbor.
+The following example configures `FRR-K8s` to receive all of the prefixes advertised by a `BGPPeer` with host `172.18.0.5`: 
+
+.Example FRRConfiguration CR
+[source,yaml]
+----
+apiVersion: frrk8s.metallb.io/v1beta1
+kind: FRRConfiguration
+metadata:
+ name: test
+ namespace: metallb-system
+spec:
+ bgp:
+   routers:
+   - asn: 64512
+     neighbors:
+     - address: 172.18.0.5
+       asn: 64512
+       toReceive:
+        allowed:
+            mode: all
+----
+
+You can also configure FRR-K8s to always block a set of prefixes, regardless of the configuration applied. 
+This can be useful to avoid routes towards the pods or `ClusterIPs` CIDRs that might result in cluster malfunctions. 
+The following example blocks the set of prefixes `192.168.1.0/24`:
+
+.Example MetalLB CR
+[source,yaml]
+----
+apiVersion: metallb.io/v1beta1
+kind: MetalLB
+metadata:
+  name: metallb
+  namespace: metallb-system
+spec:
+  bgpBackend: frr-k8s
+  frrk8sConfig:
+    alwaysBlock:
+    - 192.168.1.0/24
+----
+You can set `FRR-K8s` to block the `Cluster Network` CIDR and `Service Network` CIDR. 
+You can view the values for these CIDR address specifications by running the following command: 
+
+[source,terminal]
+----
+$ oc describe network.config/cluster
+----
\ No newline at end of file
diff --git a/modules/nw-metallb-frr-k8s-configuration-crd.adoc b/modules/nw-metallb-frr-k8s-configuration-crd.adoc
new file mode 100644
index 000000000000..45c46717bccf
--- /dev/null
+++ b/modules/nw-metallb-frr-k8s-configuration-crd.adoc
@@ -0,0 +1,408 @@
+// Module included in the following assemblies:
+//
+// * networking/metallb/metallb-frr-k8s.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="nw-metallb-frrconfiguration-crd_{context}"]
+= Configuring the FRRConfiguration CRD
+
+The following section provides reference examples that use the `FRRConfiguration` custom resource (CR).
+
+[id="nw-metallb-frrconfiguration-crd-routers_{context}"]
+== The routers field
+
+You can use the `routers` field to configure multiple routers, one for each Virtual Routing and Forwarding (VRF) resource.
+For each router, you must define the Autonomous System Number (ASN). 
+
+You can also define a list of Border Gateway Protocol (BGP) neighbors to connect to, as in the following example:
+
+.Example FRRConfiguration CR
+[source,yaml]
+----
+apiVersion: frrk8s.metallb.io/v1beta1
+kind: FRRConfiguration
+metadata:
+  name: test
+  namespace: frr-k8s-system
+spec:
+  bgp:
+    routers:
+    - asn: 64512
+      neighbors:
+      - address: 172.30.0.3
+        asn: 4200000000
+        ebgpMultiHop: true
+        port: 180
+      - address: 172.18.0.6
+        asn: 4200000000
+        port: 179
+----
+
+[id="nw-metallb-frrconfiguration-crd-toadvertise_{context}"]
+== The toAdvertise field
+
+By default, `FRR-K8s` does not advertise the prefixes configured as part of a router configuration. 
+In order to advertise them,  you use the `toAdvertise` field.
+
+You can advertise a subset of the prefixes, as in the following example:
+
+.Example FRRConfiguration CR
+[source,yaml]
+----
+apiVersion: frrk8s.metallb.io/v1beta1
+kind: FRRConfiguration
+metadata:
+  name: test
+  namespace: frr-k8s-system
+spec:
+  bgp:
+    routers:
+    - asn: 64512
+      neighbors:
+      - address: 172.30.0.3
+        asn: 4200000000
+        ebgpMultiHop: true
+        port: 180
+        toAdvertise:
+          allowed:
+            prefixes: <1>
+            - 192.168.2.0/24
+      prefixes:
+        - 192.168.2.0/24
+        - 192.169.2.0/24
+----
+<1> Advertises a subset of prefixes.
+
+The following example shows you how to advertise all of the prefixes:
+
+.Example FRRConfiguration CR
+[source,yaml]
+----
+apiVersion: frrk8s.metallb.io/v1beta1
+kind: FRRConfiguration
+metadata:
+  name: test
+  namespace: frr-k8s-system
+spec:
+  bgp:
+    routers:
+    - asn: 64512
+      neighbors:
+      - address: 172.30.0.3
+        asn: 4200000000
+        ebgpMultiHop: true
+        port: 180
+        toAdvertise:
+          allowed:
+            mode: all <1>
+      prefixes:
+        - 192.168.2.0/24
+        - 192.169.2.0/24
+----
+<1> Advertises all prefixes.
+
+[id="nw-metallb-frrconfiguration-crd-toreceive_{context}"]
+== The toReceive field
+
+By default, `FRR-K8s` does not process any prefixes advertised by a neighbor. 
+You can use the `toReceive` field  to process such addresses.
+
+You can configure for a subset of the prefixes, as in this example:
+
+.Example FRRConfiguration CR
+[source,yaml]
+----
+apiVersion: frrk8s.metallb.io/v1beta1
+kind: FRRConfiguration
+metadata:
+  name: test
+  namespace: frr-k8s-system
+spec:
+  bgp:
+    routers:
+    - asn: 64512
+      neighbors:
+      - address: 172.18.0.5
+          asn: 64512
+          port: 179
+          toReceive:
+            allowed:
+              prefixes:
+              - prefix: 192.168.1.0/24
+              - prefix: 192.169.2.0/24
+                ge: 25 <1>
+                le: 28 <1>
+----
+<1> The prefix is applied if the prefix length is less than or equal to the `le` prefix length and greater than or equal to the `ge` prefix length.
+
+The following example configures FRR to handle all the prefixes announced:
+
+.Example FRRConfiguration CR
+[source,yaml]
+----
+apiVersion: frrk8s.metallb.io/v1beta1
+kind: FRRConfiguration
+metadata:
+  name: test
+  namespace: frr-k8s-system
+spec:
+  bgp:
+    routers:
+    - asn: 64512
+      neighbors:
+      - address: 172.18.0.5
+          asn: 64512
+          port: 179
+          toReceive:
+            allowed:
+              mode: all
+----
+
+[id="nw-metallb-frrconfiguration-crd-bgp_{context}"]
+== The bgp field
+
+You can use the `bgp` field to define various `BFD` profiles and associate them with a neighbor. 
+In the following example, `BFD` backs up the `BGP` session and `FRR` can detect link failures:
+
+.Example FRRConfiguration CR
+[source,yaml]
+----
+apiVersion: frrk8s.metallb.io/v1beta1
+kind: FRRConfiguration
+metadata:
+  name: test
+  namespace: frr-k8s-system
+spec:
+  bgp:
+    routers:
+    - asn: 64512
+      neighbors:
+      - address: 172.30.0.3
+        asn: 64512
+        port: 180
+        bfdProfile: defaultprofile
+    bfdProfiles:
+      - name: defaultprofile
+----
+
+[id="nw-metallb-frrconfiguration-crd-nodeselector_{context}"]
+== The nodeSelector field
+
+By default, `FRR-K8s` applies the configuration to all nodes where the daemon is running.
+You can use the `nodeSelector` field to specify the nodes to which you want to apply the configuration. For example:
+
+.Example FRRConfiguration CR
+[source,yaml]
+----
+apiVersion: frrk8s.metallb.io/v1beta1
+kind: FRRConfiguration
+metadata:
+  name: test
+  namespace: frr-k8s-system
+spec:
+  bgp:
+    routers:
+    - asn: 64512
+  nodeSelector:
+    labelSelector:
+    foo: "bar"
+----
+
+The fields for the `FRRConfiguration` custom resource are described in the following table:
+
+.MetalLB FRRConfiguration custom resource
+[cols="1,1,3a", options="header"]
+|===
+
+|Field
+|Type
+|Description
+
+|`spec.bgp.routers`
+|`array`
+|Specifies the routers that FRR is to configure (one per VRF).
+
+|`spec.bgp.routers.asn`
+|`integer`
+|The autonomous system number to use for the local end of the session.
+
+|`spec.bgp.routers.id`
+|`string`
+|Specifies the ID of the `bgp` router.
+
+|`spec.bgp.routers.vrf`
+|`string`
+|Specifies the host vrf used to establish sessions from this router.
+
+|`spec.bgp.routers.neighbors`
+|`array`
+|Specifies the neighbors to establish BGP sessions with.
+
+|`spec.bgp.routers.neighbors.asn`
+|`integer`
+|Specifies the autonomous system number to use for the local end of the session.
+
+|`spec.bgp.routers.neighbors.address`
+|`string`
+|Specifies the IP address to establish the session with.
+
+|`spec.bgp.routers.neighbors.port`
+|`integer`
+|Specifies the port to dial when establishing the session. 
+Defaults to 179.
+
+|`spec.bgp.routers.neighbors.password`
+|`string`
+|Specifies the password to use for establishing the BGP session. 
+`Password` and `PasswordSecret` are mutually exclusive.
+
+|`spec.bgp.routers.neighbors.passwordSecret`
+|`string`
+|Specifies the name of the authentication secret for the neighbor. 
+The secret must be of type "kubernetes.io/basic-auth", and in the same namespace as the FRR-K8s daemon. 
+The key "password" stores the password in the secret. 
+`Password` and `PasswordSecret` are mutually exclusive.
+
+|`spec.bgp.routers.neighbors.holdTime`
+|`duration`
+|Specifies the requested BGP hold time, per RFC4271. 
+Defaults to 180s.
+
+|`spec.bgp.routers.neighbors.keepaliveTime`
+|`duration`
+|Specifies the requested BGP keepalive time, per RFC4271.
+Defaults to `60s`.
+
+|`spec.bgp.routers.neighbors.connectTime`
+|`duration`
+|Specifies how long BGP waits between connection attempts to a neighbor.
+
+|`spec.bgp.routers.neighbors.ebgpMultiHop`
+|`boolean`
+|Indicates if the BGPPeer is multi-hops away.
+
+|`spec.bgp.routers.neighbors.bfdProfile`
+|`string`
+|Specifies the name of the BFD Profile to use for the BFD session associated with the BGP session. 
+If not set, the BFD session is not set up.
+
+|`spec.bgp.routers.neighbors.toAdvertise.allowed`
+|`array`
+|Represents the list of prefixes to advertise to a neighbor, and the associated properties.
+
+|`spec.bgp.routers.neighbors.toAdvertise.allowed.prefixes`
+|`string array`
+|Specifies the list of prefixes to advertise to a neighbor. 
+This list must match the prefixes that you define in the router.
+
+|`spec.bgp.routers.neighbors.toAdvertise.allowed.mode`
+|`string`
+|Specifies the mode to use when handling the prefixes. 
+You can set to `filtered` to allow only the prefixes in the prefixes list.
+You can set to `all` to allow all the prefixes configured on the router.
+
+|`spec.bgp.routers.neighbors.toAdvertise.withLocalPref`
+|`array`
+|Specifies the prefixes associated with an advertised local preference. 
+You must specify the prefixes associated with a local preference in the prefixes allowed to be advertised.
+
+|`spec.bgp.routers.neighbors.toAdvertise.withLocalPref.prefixes`
+|`string array`
+|Specifies the prefixes associated with the local preference.
+
+|`spec.bgp.routers.neighbors.toAdvertise.withLocalPref.localPref`
+|`integer`
+|Specifies the local preference associated with the prefixes.
+
+|`spec.bgp.routers.neighbors.toAdvertise.withCommunity`
+|`array`
+|Specifies the prefixes associated with an advertised BGP community.
+You must include the prefixes associated with a local preference in the list of prefixes that you want to advertise.
+
+|`spec.bgp.routers.neighbors.toAdvertise.withCommunity.prefixes`
+|`string array`
+|Specifies the prefixes associated with the community.
+
+|`spec.bgp.routers.neighbors.toAdvertise.withCommunity.community`
+|`string`
+|Specifies the community associated with the prefixes.
+
+|`spec.bgp.routers.neighbors.toReceive`
+|`array`
+|Specifies the prefixes to receive from a neighbor.
+
+|`spec.bgp.routers.neighbors.toReceive.allowed`
+|`array`
+|Specifies the information that you want to receive from a neighbor.
+
+|`spec.bgp.routers.neighbors.toReceive.allowed.prefixes`
+|`array`
+|Specifies the prefixes allowed from a neighbor.
+
+|`spec.bgp.routers.neighbors.toReceive.allowed.mode`
+|`string`
+|Specifies the mode to use when handling the prefixes. 
+When set to `filtered`, only the prefixes in the `prefixes` list are allowed. 
+When set to `all`, all the prefixes configured on the router are allowed.
+
+|`spec.bgp.routers.neighbors.disableMP`
+|`boolean`
+|Disables MP BGP to prevent it from separating IPv4 and IPv6 route exchanges into distinct BGP sessions.
+
+|`spec.bgp.routers.prefixes`
+|`string array`
+|Specifies all prefixes to advertise from this router instance.
+
+|`spec.bgp.bfdProfiles`
+|`array`
+|Specifies the list of bfd profiles to use when configuring the neighbors.
+
+|`spec.bgp.bfdProfiles.name`
+|`string`
+|The name of the BFD Profile to be referenced in other parts of the configuration.
+
+|`spec.bgp.bfdProfiles.receiveInterval`
+|`integer`
+|Specifies the minimum interval at which this system can receive control packets, in milliseconds. 
+Defaults to `300ms`.
+
+|`spec.bgp.bfdProfiles.transmitInterval`
+|`integer`
+|Specifies the minimum transmission interval, excluding jitter, that this system wants to use to send BFD control packets, in milliseconds. 
+Defaults to `300ms`.
+
+|`spec.bgp.bfdProfiles.detectMultiplier`
+|`integer`
+|Configures the detection multiplier to determine packet loss. 
+To determine the connection loss-detection timer, multiply the remote transmission interval by this value.
+
+|`spec.bgp.bfdProfiles.echoInterval`
+|`integer`
+|Configures the minimal echo receive transmission-interval that this system can handle, in milliseconds. 
+Defaults to `50ms`.
+
+|`spec.bgp.bfdProfiles.echoMode`
+|`boolean`
+|Enables or disables the echo transmission mode. 
+This mode is disabled by default, and not supported on multihop setups.
+
+|`spec.bgp.bfdProfiles.passiveMode`
+|`boolean`
+|Mark session as passive. A passive session does not attempt to start the connection and waits for control packets from peers before it begins replying.
+
+|`spec.bgp.bfdProfiles.MinimumTtl`
+|`integer`
+|For multihop sessions only. 
+Configures the minimum expected TTL for an incoming BFD control packet.
+
+|`spec.nodeSelector`
+|`string`
+|Limits the nodes that attempt to apply this configuration. 
+If specified, only those nodes whose labels match the specified selectors attempt to apply the configuration. 
+If it is not specified, all nodes attempt to apply this configuration.
+
+|`status`
+|`string`
+|Defines the observed state of FRRConfiguration.
+
+|===
diff --git a/modules/nw-metallb-frr-k8s-merge-multiple-configurations.adoc b/modules/nw-metallb-frr-k8s-merge-multiple-configurations.adoc
new file mode 100644
index 000000000000..d9439e2a585f
--- /dev/null
+++ b/modules/nw-metallb-frr-k8s-merge-multiple-configurations.adoc
@@ -0,0 +1,46 @@
+// Module included in the following assemblies:
+//
+// * networking/metallb/metallb-frr-k8s.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="nw-metallb-frr-k8s-merge-multiple-configurations_{context}"]
+= How FRR-K8s merges multiple configurations
+
+In a case where multiple users add configurations that select the same node, `FRR-K8s` merges the configurations.
+Each configuration can only extend others. 
+This means that it is possible to add a new neighbor to a router, or to advertise an additional prefix to a neighbor, but not possible to remove a component added by another configuration.
+
+[id="nw-metallb-frr-k8s-merge-multiple-configuration-conflicts_{context}"]
+== Configuration conflicts
+
+Certain configurations can cause conflicts, leading to errors, for example:
+
+* different ASN for the same router (in the same VRF)
+* different ASN for the same neighbor (with the same IP / port)
+* multiple BFD profiles with the same name but different values
+
+When the daemon finds an invalid configuration for a node, it reports the configuration as invalid and reverts to the previous valid `FRR` configuration.
+
+[id="nw-metallb-frr-k8s-merge-multiple-configurations-merging_{context}"]
+== Merging
+
+When merging, it is possible to do the following actions:
+
+* Extend the set of IPs that you want to advertise to a neighbor.
+* Add an extra neighbor with its set of IPs.
+* Extend the set of IPs to which you want to associate a community.
+* Allow incoming routes for a neighbor.
+
+Each configuration must be self contained. This means, for example, that it is not possible to allow prefixes that are not defined in the router section by leveraging prefixes coming from another configuration.
+
+If the configurations to be applied are compatible, merging works as follows:
+
+* `FRR-K8s` combines all the routers.
+* `FRR-K8s` merges all prefixes and neighbors for each router.
+* `FRR-K8s` merges all filters for each neighbor.
+
+[NOTE]
+====
+A less restrictive filter has precedence over a stricter one. For example, a filter accepting some prefixes has precedence over a filter not accepting any, and a filter accepting all prefixes has precedence over one that accepts some.
+====
+
diff --git a/modules/nw-multus-ipam-object.adoc b/modules/nw-multus-ipam-object.adoc
index 1fb3a8c74e64..2afd29357183 100644
--- a/modules/nw-multus-ipam-object.adoc
+++ b/modules/nw-multus-ipam-object.adoc
@@ -192,9 +192,14 @@ spec:
 [id="nw-multus-whereabouts_{context}"]
 == Dynamic IP address assignment configuration with Whereabouts
 
-The Whereabouts CNI plugin allows the dynamic assignment of an IP address to an additional network without the use of a DHCP server.
+The Whereabouts CNI plugin allows the dynamic assignment of an IP address to an additional network without the use of a DHCP server. 
 
-The following table describes the configuration for dynamic IP address assignment with Whereabouts:
+The Whereabouts CNI plugin also supports overlapping IP address ranges and configuration of the same CIDR range multiple times within separate `NetworkAttachmentDefinitions`. This provides greater flexibility and management capabilities in multi-tenant environments.
+
+[id="dynamic-ip-address-assignment-objects_{context}"]
+=== Dynamic IP address configuration objects
+
+The following table describes the configuration objects for dynamic IP address assignment with Whereabouts:
 
 .`ipam` whereabouts configuration object
 [cols=".^2,.^2,.^6",options="header"]
@@ -213,16 +218,18 @@ The following table describes the configuration for dynamic IP address assignmen
 |`array`
 |Optional: A list of zero or more IP addresses and ranges in CIDR notation. IP addresses within an excluded address range are not assigned.
 
+|`network_name`
+|`string`
+| Optional: Helps ensure that each group or domain of pods gets its own set of IP addresses, even if they share the same range of IP addresses. Setting this field is important for keeping networks separate and organized, notably in multi-tenant environments.
+
 |====
 
-////
-[NOTE]
-=====
-Whereabouts can be used for both IPv4 and IPv6 addresses.
-=====
-////
+[id="dynamic-ip-address-assignment-whereabouts_{context}"]
+=== Dynamic IP address assignment configuration that uses Whereabouts
+
+The following example shows a dynamic address assignment configuration that uses Whereabouts:
 
-.Dynamic IP address assignment configuration example that uses Whereabouts
+.Whereabouts dynamic IP address assignment
 [source,json]
 ----
 {
@@ -237,6 +244,37 @@ Whereabouts can be used for both IPv4 and IPv6 addresses.
 }
 ----
 
+[id="dynamic-ip-address-assignment-whereabouts-overlapping-ip-ranges_{context}"]
+=== Dynamic IP address assignment that uses Whereabouts with overlapping IP address ranges
+
+The following example shows a dynamic IP address assignment that uses overlapping IP address ranges for multi-tenant networks. 
+
+.NetworkAttachmentDefinition 1
+[source,json]
+----
+{
+  "ipam": {
+    "type": "whereabouts",
+    "range": "192.0.2.192/29",
+    "network_name": "example_net_common", <1>
+  }
+}
+----
+<1> Optional. If set, must match the `network_name` of NetworkAttachmentDefinition 2.
+
+.NetworkAttachmentDefinition 2
+[source,json]
+----
+{
+  "ipam": {
+    "type": "whereabouts",
+    "range": "192.0.2.192/24",
+    "network_name": "example_net_common", <1>
+  }
+}
+----
+<1> Optional. If set, must match the `network_name` of NetworkAttachmentDefinition 1. 
+
 ifdef::sr-iov[]
 :!sr-iov:
 endif::[]
\ No newline at end of file
diff --git a/modules/nw-mutual-tls-auth.adoc b/modules/nw-mutual-tls-auth.adoc
index 2a7db9c7f441..25319a42e343 100644
--- a/modules/nw-mutual-tls-auth.adoc
+++ b/modules/nw-mutual-tls-auth.adoc
@@ -61,3 +61,9 @@ $ oc edit IngressController default -n openshift-ingress-operator
       allowedSubjectPatterns:
       - "^/CN=example.com/ST=NC/C=US/O=Security/OU=OpenShift$"
 ----
+. Optional, get the Distinguished Name (DN) for `allowedSubjectPatterns` by entering the following command.
+[source,terminal]
+----
+$ openssl  x509 -in custom-cert.pem  -noout -subject
+subject= /CN=example.com/ST=NC/C=US/O=Security/OU=OpenShift
+----
diff --git a/modules/nw-network-plugin-migration-process.adoc b/modules/nw-network-plugin-migration-process.adoc
index c69d1123a464..3334c15e0c4e 100644
--- a/modules/nw-network-plugin-migration-process.adoc
+++ b/modules/nw-network-plugin-migration-process.adoc
@@ -15,11 +15,11 @@ ifeval::["{context}" == "migrate-from-openshift-sdn"]
 endif::[]
 
 [id="how-the-migration-process-works_{context}"]
-= How the migration process works
+= How the offline migration process works
 
 The following table summarizes the migration process by segmenting between the user-initiated steps in the process and the actions that the migration performs in response.
 
-.Migrating to {sdn} from {previous-sdn}
+.Offline migration to {sdn} from {previous-sdn}
 [cols="1,1a",options="header"]
 |===
 
@@ -38,7 +38,7 @@ CNO:: Performs the following actions:
 --
 * Destroys the {previous-sdn} control plane pods.
 * Deploys the {sdn} control plane pods.
-* Updates the Multus objects to reflect the new network plugin.
+* Updates the Multus daemon sets and config map objects to reflect the new network plugin.
 --
 
 |
@@ -48,51 +48,6 @@ Cluster:: As nodes reboot, the cluster assigns IP addresses to pods on the {sdn}
 
 |===
 
-ifeval::["{context}" == "migrate-from-openshift-sdn"]
-If a rollback to OpenShift SDN is required, the following table describes the process.
-
-[IMPORTANT]
-====
-You must wait until the migration process from OpenShift SDN to OVN-Kubernetes network plugin is successful before initiating a rollback.
-====
-
-.Performing a rollback to OpenShift SDN
-[cols="1,1a",options="header"]
-|===
-
-|User-initiated steps|Migration activity
-
-|Suspend the MCO to ensure that it does not interrupt the migration.
-|The MCO stops.
-
-|
-Set the `migration` field of the `Network.operator.openshift.io` custom resource (CR) named `cluster` to `OpenShiftSDN`. Make sure the `migration` field is `null` before setting it to a value.
-|
-CNO:: Updates the status of the `Network.config.openshift.io` CR named `cluster` accordingly.
-
-|Update the `networkType` field.
-|
-CNO:: Performs the following actions:
-+
---
-* Destroys the OVN-Kubernetes control plane pods.
-* Deploys the OpenShift SDN control plane pods.
-* Updates the Multus objects to reflect the new network plugin.
---
-
-|
-Reboot each node in the cluster.
-|
-Cluster:: As nodes reboot, the cluster assigns IP addresses to pods on the OpenShift-SDN network.
-
-|
-Enable the MCO after all nodes in the cluster reboot.
-|
-MCO:: Rolls out an update to the systemd configuration necessary for OpenShift SDN; the MCO updates a single machine per pool at a time by default, so the total time the migration takes increases with the size of the cluster.
-
-|===
-endif::[]
-
 ifdef::sdn[]
 :!sdn:
 endif::[]
diff --git a/modules/nw-networkpolicy-about.adoc b/modules/nw-networkpolicy-about.adoc
index bc679530b5a6..160403c15294 100644
--- a/modules/nw-networkpolicy-about.adoc
+++ b/modules/nw-networkpolicy-about.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/openshift_network_security/network_policy/about-network-policy.adoc
+// * networking/network_security/network_policy/about-network-policy.adoc
 // * post_installation_configuration/network-configuration.adoc
 
 :_mod-docs-content-type: CONCEPT
diff --git a/modules/nw-networkpolicy-allow-application-all-namespaces.adoc b/modules/nw-networkpolicy-allow-application-all-namespaces.adoc
index b0a875fed92b..c8ea67e9850d 100644
--- a/modules/nw-networkpolicy-allow-application-all-namespaces.adoc
+++ b/modules/nw-networkpolicy-allow-application-all-namespaces.adoc
@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * networking/multiple_networks/configuring-multi-network-policy.adoc
-// * networking/openshift_network_security/network_policy/creating-network-policy.adoc
+// * networking/network_security/network_policy/creating-network-policy.adoc
 // * microshift_networking/microshift-creating-network-policy.adoc
 
 :name: network
diff --git a/modules/nw-networkpolicy-allow-application-particular-namespace.adoc b/modules/nw-networkpolicy-allow-application-particular-namespace.adoc
index c03b795cb696..a4daf44f7af9 100644
--- a/modules/nw-networkpolicy-allow-application-particular-namespace.adoc
+++ b/modules/nw-networkpolicy-allow-application-particular-namespace.adoc
@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * networking/multiple_networks/configuring-multi-network-policy.adoc
-// * networking/openshift_network_security/network_policy/creating-network-policy.adoc
+// * networking/network_security/network_policy/creating-network-policy.adoc
 // * microshift_networking/microshift-creating-network-policy.adoc
 
 :name: network
diff --git a/modules/nw-networkpolicy-allow-external-clients.adoc b/modules/nw-networkpolicy-allow-external-clients.adoc
index c7ece7ae4cf0..de385744401d 100644
--- a/modules/nw-networkpolicy-allow-external-clients.adoc
+++ b/modules/nw-networkpolicy-allow-external-clients.adoc
@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * networking/multiple_networks/configuring-multi-network-policy.adoc
-// * networking/openshift_network_security/network_policy/creating-network-policy.adoc
+// * networking/network_security/network_policy/creating-network-policy.adoc
 
 :name: network
 :role: admin
diff --git a/modules/nw-networkpolicy-audit-concept.adoc b/modules/nw-networkpolicy-audit-concept.adoc
index 20bfc0104f8d..57d7dc47bd03 100644
--- a/modules/nw-networkpolicy-audit-concept.adoc
+++ b/modules/nw-networkpolicy-audit-concept.adoc
@@ -1,13 +1,11 @@
 // Module included in the following assemblies:
 //
-// * networking/ovn_kubernetes_network_provider/logging-network-policy.adoc
+// * networking/network_security/logging-network-security.adoc
 
 :_mod-docs-content-type: CONCEPT
 [id="nw-networkpolicy-audit-concept_{context}"]
 = Audit logging
 
-The OVN-Kubernetes network plugin uses Open Virtual Network (OVN) ACLs to manage egress firewalls and network policies. Audit logging exposes allow and deny ACL events.
-
 You can configure the destination for audit logs, such as a syslog server or a UNIX domain socket.
 Regardless of any additional configuration, an audit log is always saved to `/var/log/ovn/acl-audit-log.log` on each OVN-Kubernetes pod in the cluster.
 
diff --git a/modules/nw-networkpolicy-audit-configure.adoc b/modules/nw-networkpolicy-audit-configure.adoc
index 5549dba1cfe2..2527f4163198 100644
--- a/modules/nw-networkpolicy-audit-configure.adoc
+++ b/modules/nw-networkpolicy-audit-configure.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/ovn_kubernetes_network_provider/logging-network-policy.adoc
+// * networking/network_security/logging-network-security.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="nw-networkpolicy-audit-configure_{context}"]
diff --git a/modules/nw-networkpolicy-audit-disable.adoc b/modules/nw-networkpolicy-audit-disable.adoc
index 51aaf39d4a29..5b2cf2ccfe49 100644
--- a/modules/nw-networkpolicy-audit-disable.adoc
+++ b/modules/nw-networkpolicy-audit-disable.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/ovn_kubernetes_network_provider/logging-network-policy.adoc
+// * networking/network_security/logging-network-security.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="nw-networkpolicy-audit-disable_{context}"]
diff --git a/modules/nw-networkpolicy-audit-enable.adoc b/modules/nw-networkpolicy-audit-enable.adoc
index b8c9b91e4e62..5d632718033d 100644
--- a/modules/nw-networkpolicy-audit-enable.adoc
+++ b/modules/nw-networkpolicy-audit-enable.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/ovn_kubernetes_network_provider/logging-network-policy.adoc
+// * networking/network_security/logging-network-security.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="nw-networkpolicy-audit-enable_{context}"]
diff --git a/modules/nw-networkpolicy-create-cli.adoc b/modules/nw-networkpolicy-create-cli.adoc
index 15af96ffac3e..5883e5b9d165 100644
--- a/modules/nw-networkpolicy-create-cli.adoc
+++ b/modules/nw-networkpolicy-create-cli.adoc
@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * networking/multiple_networks/configuring-multi-network-policy.adoc
-// * networking/openshift_network_security/network_policy/creating-network-policy.adoc
+// * networking/network_security/network_policy/creating-network-policy.adoc
 // * post_installation_configuration/network-configuration.adoc
 // * microshift_networking/microshift-creating-network-policy.adoc
 
diff --git a/modules/nw-networkpolicy-create-ocm.adoc b/modules/nw-networkpolicy-create-ocm.adoc
index 7a2d80ba7453..9aa95a3d9ccd 100644
--- a/modules/nw-networkpolicy-create-ocm.adoc
+++ b/modules/nw-networkpolicy-create-ocm.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/openshift_network_security/network_policy/creating-network-policy.adoc
+// * networking/network_security/network_policy/creating-network-policy.adoc
 // * networking/multiple_networks/configuring-multi-network-policy.adoc
 // * post_installation_configuration/network-configuration.adoc
 
diff --git a/modules/nw-networkpolicy-delete-cli.adoc b/modules/nw-networkpolicy-delete-cli.adoc
index 29616754ff19..2207688fc4bb 100644
--- a/modules/nw-networkpolicy-delete-cli.adoc
+++ b/modules/nw-networkpolicy-delete-cli.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/openshift_network_security/network_policy/deleting-network-policy.adoc
+// * networking/network_security/network_policy/deleting-network-policy.adoc
 // * networking/multiple_networks/configuring-multi-network-policy.adoc
 // * microshift_networking/microshift-network-policy/microshift-editing-network-policy.adoc
 
diff --git a/modules/nw-networkpolicy-delete-ocm.adoc b/modules/nw-networkpolicy-delete-ocm.adoc
index 1865920d7d3a..8748ef83adfd 100644
--- a/modules/nw-networkpolicy-delete-ocm.adoc
+++ b/modules/nw-networkpolicy-delete-ocm.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/openshift_network_security/network_policy/deleting-network-policy.adoc
+// * networking/network_security/network_policy/deleting-network-policy.adoc
 // * post_installation_configuration/network-configuration.adoc
 
 :_mod-docs-content-type: PROCEDURE
diff --git a/modules/nw-networkpolicy-deny-all-allowed.adoc b/modules/nw-networkpolicy-deny-all-allowed.adoc
index b0885d2fd617..da3fb2429de4 100644
--- a/modules/nw-networkpolicy-deny-all-allowed.adoc
+++ b/modules/nw-networkpolicy-deny-all-allowed.adoc
@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * networking/multiple_networks/configuring-multi-network-policy.adoc
-// * networking/openshift_network_security/network_policy/creating-network-policy.adoc
+// * networking/network_security/network_policy/creating-network-policy.adoc
 // * microshift_networking/microshift-creating-network-policy.adoc
 
 :name: network
diff --git a/modules/nw-networkpolicy-edit.adoc b/modules/nw-networkpolicy-edit.adoc
index 08a983fb484c..cc915681d0e5 100644
--- a/modules/nw-networkpolicy-edit.adoc
+++ b/modules/nw-networkpolicy-edit.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/openshift_network_security/network_policy/editing-network-policy.adoc
+// * networking/network_security/network_policy/editing-network-policy.adoc
 // * microshift_networking/microshift-network-policy/microshift-editing-network-policy.adoc
 
 :name: network
diff --git a/modules/nw-networkpolicy-multitenant-isolation.adoc b/modules/nw-networkpolicy-multitenant-isolation.adoc
index ea4f4803bb97..cef382c90d25 100644
--- a/modules/nw-networkpolicy-multitenant-isolation.adoc
+++ b/modules/nw-networkpolicy-multitenant-isolation.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/openshift_network_security/network_policy/multitenant-network-policy.adoc
+// * networking/network_security/network_policy/multitenant-network-policy.adoc
 // * post_installation_configuration/network-configuration.adoc
 
 :_mod-docs-content-type: PROCEDURE
diff --git a/modules/nw-networkpolicy-object.adoc b/modules/nw-networkpolicy-object.adoc
index 72770bcd3562..800b71f8aaf1 100644
--- a/modules/nw-networkpolicy-object.adoc
+++ b/modules/nw-networkpolicy-object.adoc
@@ -1,8 +1,8 @@
 // Module included in the following assemblies:
 //
-// * networking/openshift_network_security/network_policy/creating-network-policy.adoc
-// * networking/openshift_network_security/network_policy/viewing-network-policy.adoc
-// * networking/openshift_network_security/network_policy/editing-network-policy.adoc
+// * networking/network_security/network_policy/creating-network-policy.adoc
+// * networking/network_security/network_policy/viewing-network-policy.adoc
+// * networking/network_security/network_policy/editing-network-policy.adoc
 // * post_installation_configuration/network-configuration.adoc
 // * microshift_networking/microshift-creating-network-policy.adoc
 // * microshift_networking/microshift-network-policy/microshift-editing-network-policy.adoc
diff --git a/modules/nw-networkpolicy-optimize-ovn.adoc b/modules/nw-networkpolicy-optimize-ovn.adoc
index a3d1bf72e5b4..236e7857ec55 100644
--- a/modules/nw-networkpolicy-optimize-ovn.adoc
+++ b/modules/nw-networkpolicy-optimize-ovn.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/openshift_network_security/network_policy/about-network-policy.adoc
+// * networking/network_security/network_policy/about-network-policy.adoc
 
 [id="nw-networkpolicy-optimize-ovn_{context}"]
 = Optimizations for network policy with OVN-Kubernetes network plugin
diff --git a/modules/nw-networkpolicy-optimize.adoc b/modules/nw-networkpolicy-optimize.adoc
index 523887a3e15a..c54f742829f0 100644
--- a/modules/nw-networkpolicy-optimize.adoc
+++ b/modules/nw-networkpolicy-optimize.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/openshift_network_security/network_policy/about-network-policy.adoc
+// * networking/network_security/network_policy/about-network-policy.adoc
 
 [id="nw-networkpolicy-optimize-sdn_{context}"]
 = Optimizations for network policy with OpenShift SDN
diff --git a/modules/nw-networkpolicy-project-defaults.adoc b/modules/nw-networkpolicy-project-defaults.adoc
index f7f3bac74da2..cce9563c3e0e 100644
--- a/modules/nw-networkpolicy-project-defaults.adoc
+++ b/modules/nw-networkpolicy-project-defaults.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/openshift_network_security/network_policy/default-network-policy.adoc
+// * networking/network_security/network_policy/default-network-policy.adoc
 // * networking/configuring-networkpolicy.adoc
 // * post_installation_configuration/network-configuration.adoc
 
diff --git a/modules/nw-networkpolicy-view-cli.adoc b/modules/nw-networkpolicy-view-cli.adoc
index 58678e2c25b5..ef6d65769d7f 100644
--- a/modules/nw-networkpolicy-view-cli.adoc
+++ b/modules/nw-networkpolicy-view-cli.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/openshift_network_security/network_policy/viewing-network-policy.adoc
+// * networking/network_security/network_policy/viewing-network-policy.adoc
 // * post_installation_configuration/network-configuration.adoc
 // * networking/multiple_networks/configuring-multi-network-policy.adoc
 
diff --git a/modules/nw-networkpolicy-view-ocm.adoc b/modules/nw-networkpolicy-view-ocm.adoc
index 41a55920f5a9..cf356fac3f7a 100644
--- a/modules/nw-networkpolicy-view-ocm.adoc
+++ b/modules/nw-networkpolicy-view-ocm.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/openshift_network_security/network_policy/viewing-network-policy.adoc
+// * networking/network_security/network_policy/viewing-network-policy.adoc
 // * post_installation_configuration/network-configuration.adoc
 
 :_mod-docs-content-type: PROCEDURE
diff --git a/modules/nw-operator-cr.adoc b/modules/nw-operator-cr.adoc
index 9f6e2a8b3464..e5dfaf04420e 100644
--- a/modules/nw-operator-cr.adoc
+++ b/modules/nw-operator-cr.adoc
@@ -15,7 +15,7 @@
 // * installing/installing_vsphere/installing-vsphere-installer-provisioned-network-customizations.adoc
 // * installing/installing_vsphere/installing-vsphere-network-customizations.adoc
 // * networking/cluster-network-operator.adoc
-// * networking/network_policy/logging-network-policy.adoc
+// * networking/network_security/logging-network-security.adoc
 // * post_installation_configuration/network-configuration.adoc
 // * installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc
 // * installing/installing_ibm_power/installing-ibm-power.adoc
@@ -254,6 +254,14 @@ ifdef::operator[]
 An object describing the IPsec mode for the cluster.
 endif::operator[]
 
+|`ipv4`
+|`object`
+|Specifies a configuration object for IPv4 settings.
+
+|`ipv6`
+|`object`
+|Specifies a configuration object for IPv6 settings.
+
 |`policyAuditConfig`
 |`object`
 |Specify a configuration object for customizing network policy audit logging. If unset, the defaults audit log settings are used.
@@ -267,19 +275,50 @@ endif::operator[]
 While migrating egress traffic, you can expect some disruption to workloads and service traffic until the Cluster Network Operator (CNO) successfully rolls out the changes.
 ====
 
-|`v4InternalSubnet`
+|`v6InternalSubnet`
+|
+|====
+
+.`ovnKubernetesConfig.ipv4` object
+[cols=".^2,.^2,.^6a",options="header"]
+|====
+|Field|Type|Description
+
+|`internalTransitSwitchSubnet`
+|string
+|
+If your existing network infrastructure overlaps with the `100.88.0.0/16` IPv4 subnet, you can specify a different IP address range for internal use by OVN-Kubernetes. The subnet for the distributed transit switch that enables east-west traffic. This subnet cannot overlap with any other subnets used by OVN-Kubernetes or on the host itself. It must be large enough to accommodate one IP address per node in your cluster.
+
+The default value is `100.88.0.0/16`.
+
+|`internalJoinSubnet`
+|string
 |
 If your existing network infrastructure overlaps with the `100.64.0.0/16` IPv4 subnet, you can specify a different IP address range for internal use by OVN-Kubernetes. You must ensure that the IP address range does not overlap with any other subnet used by your {product-title} installation. The IP address range must be larger than the maximum number of nodes that can be added to the cluster. For example, if the `clusterNetwork.cidr` value is `10.128.0.0/14` and the `clusterNetwork.hostPrefix` value is `/23`, then the maximum number of nodes is `2^(23-14)=512`.
 
-This field cannot be changed after installation.
-|The default value is `100.64.0.0/16`.
+The default value is `100.64.0.0/16`.
 
-|`v6InternalSubnet`
+|====
+
+.`ovnKubernetesConfig.ipv6` object
+[cols=".^2,.^2,.^6a",options="header"]
+|====
+|Field|Type|Description
+
+|`internalTransitSwitchSubnet`
+|string
 |
-If your existing network infrastructure overlaps with the `fd98::/48` IPv6 subnet, you can specify a different IP address range for internal use by OVN-Kubernetes. You must ensure that the IP address range does not overlap with any other subnet used by your {product-title} installation. The IP address range must be larger than the maximum number of nodes that can be added to the cluster.
+If your existing network infrastructure overlaps with the `fd97::/64` IPv6 subnet, you can specify a different IP address range for internal use by OVN-Kubernetes. The subnet for the distributed transit switch that enables east-west traffic. This subnet cannot overlap with any other subnets used by OVN-Kubernetes or on the host itself. It must be large enough to accommodate one IP address per node in your cluster.
+
+The default value is `fd97::/64`.
+
+|`internalJoinSubnet`
+|string
+|
+If your existing network infrastructure overlaps with the `fd98::/64` IPv6 subnet, you can specify a different IP address range for internal use by OVN-Kubernetes. You must ensure that the IP address range does not overlap with any other subnet used by your {product-title} installation. The IP address range must be larger than the maximum number of nodes that can be added to the cluster.
+
+The default value is `fd98::/64`.
 
-This field cannot be changed after installation.
-| The default value is `fd98::/48`.
 |====
 
 // tag::policy-audit[]
@@ -337,6 +376,40 @@ If you set this field to `true`, you do not receive the performance benefits of
 |`object`
 |You can control IP forwarding for all traffic on OVN-Kubernetes managed interfaces by using the `ipForwarding` specification in the `Network` resource. Specify `Restricted` to only allow IP forwarding for Kubernetes related traffic. Specify `Global` to allow forwarding of all IP traffic. For new installations, the default is `Restricted`. For updates to {product-title} 4.14 or later, the default is `Global`.
 
+|`ipv4`
+|`object`
+|Optional: Specify an object to configure the internal OVN-Kubernetes masquerade address for host to service traffic for IPv4 addresses.
+
+|`ipv6`
+|`object`
+|Optional: Specify an object to configure the internal OVN-Kubernetes masquerade address for host to service traffic for IPv6 addresses.
+
+|====
+
+[id="gatewayconfig-ipv4-object_{context}"]
+.`gatewayConfig.ipv4` object
+[cols=".^2,.^2,.^6a",options="header"]
+|====
+|Field|Type|Description
+
+|`internalMasqueradeSubnet`
+|`string`
+|
+The masquerade IPv4 addresses that are used internally to enable host to service traffic. The host is configured with these IP addresses as well as the shared gateway bridge interface. The default value is `169.254.169.0/29`.
+
+|====
+
+[id="gatewayconfig-ipv6-object_{context}"]
+.`gatewayConfig.ipv6` object
+[cols=".^2,.^2,.^6a",options="header"]
+|====
+|Field|Type|Description
+
+|`internalMasqueradeSubnet`
+|`string`
+|
+The masquerade IPv6 addresses that are used internally to enable host to service traffic. The host is configured with these IP addresses as well as the shared gateway bridge interface. The default value is `fd69::/125`.
+
 |====
 
 [id="nw-operator-cr-ipsec_{context}"]
@@ -357,7 +430,6 @@ a|Specifies the behavior of the IPsec implementation. Must be one of the followi
 
 |====
 
-
 ifdef::operator[]
 [NOTE]
 ====
diff --git a/modules/nw-osp-configuring-external-load-balancer.adoc b/modules/nw-osp-configuring-external-load-balancer.adoc
index 5241518b7c73..1a06495b9b98 100644
--- a/modules/nw-osp-configuring-external-load-balancer.adoc
+++ b/modules/nw-osp-configuring-external-load-balancer.adoc
@@ -1,10 +1,11 @@
 // Module included in the following assemblies:
 
-// OpenStack
-// * networking/load-balancing-openstack.adoc
 // Bare metal
 // * installing/installing_bare_metal_ipi/ipi-install-installation-workflow.adoc
-// * installing/installing_bare_metal_ipi/ipi-install-post-installation-configuration.adoc
+// OpenStack
+// * networking/load-balancing-openstack.adoc
+// Nutanix
+// * installing/installing_nutanix/installing-nutanix-installer-provisioned.adoc
 // vSphere
 // * installing/installing-vsphere-installer-provisioned-customizations.adoc
 // * installing/installing-vsphere-installer-provisioned-network-customizations.adoc
@@ -13,15 +14,30 @@
 ifeval::["{context}" == "ipi-install-installation-workflow"]
 :bare-metal:
 endif::[]
+ifeval::["{context}" == "load-balancing-openstack"]
+:openstack:
+endif::[]
+ifeval::["{context}" == "installing-nutanix-installer-provisioned"]
+:nutanix:
+endif::[]
+ifeval::["{context}" == "installing-vsphere-installer-provisioned-customizations"]
+:vsphere:
+endif::[]
+ifeval::["{context}" == "installing-vsphere-installer-provisioned-network-customizations"]
+:vsphere:
+endif::[]
+ifeval::["{context}" == "installing-restricted-networks-installer-provisioned-vsphere"]
+:vsphere:
+endif::[]
 
 :_mod-docs-content-type: PROCEDURE
 [id="nw-osp-configuring-external-load-balancer_{context}"]
 = Configuring a user-managed load balancer
 
 You can configure an {product-title} cluster
-ifeval::["{context}" == "load-balancing-openstack"]
+ifdef::openstack[]
 on {rh-openstack-first}
-endif::[]
+endif::openstack[]
 to use a user-managed load balancer in place of the default load balancer.
 
 [IMPORTANT]
@@ -308,14 +324,24 @@ A record pointing to Load Balancer Front End
 DNS propagation might take some time for each DNS record to become available. Ensure that each DNS record propagates before validating each record.
 ====
 
-ifdef::bare-metal[]
 . For your {product-title} cluster to use the user-managed load balancer, you must specify the following configuration in your cluster's `install-config.yaml` file:
 +
 [source,yaml]
 ----
 # ...
 platform:
+ifdef::bare-metal[]
   baremetal:
+endif::bare-metal[]
+ifdef::openstack[]
+  openstack:
+endif::openstack[]
+ifdef::nutanix[]
+  nutanix:
+endif::nutanix[]
+ifdef::vsphere[]
+  vsphere:
+endif::vsphere[]
     loadBalancer:
       type: UserManaged <1>
       apiVIPs:
@@ -327,7 +353,6 @@ platform:
 <1> Set `UserManaged` for the `type` parameter to specify a user-managed load balancer for your cluster. The parameter defaults to `OpenShiftManagedDefault`, which denotes the default internal load balancer. For services defined in an `openshift-kni-infra` namespace, a user-managed load balancer can deploy the `coredns` service to pods in your cluster but ignores `keepalived` and `haproxy` services.
 <2> Required parameter when you specify a user-managed load balancer. Specify the user-managed load balancer's public IP address, so that the Kubernetes API can communicate with the user-managed load balancer.
 <3> Required parameter when you specify a user-managed load balancer. Specify the user-managed load balancer's public IP address, so that the user-managed load balancer can manage ingress traffic for your cluster.
-endif::bare-metal[]
 
 .Verification
 
@@ -426,3 +451,18 @@ cache-control: private
 ifeval::["{context}" == "ipi-install-installation-workflow"]
 :!bare-metal:
 endif::[]
+ifeval::["{context}" == "load-balancing-openstack"]
+:!openstack:
+endif::[]
+ifeval::["{context}" == "installing-nutanix-installer-provisioned"]
+:!nutanix:
+endif::[]
+ifeval::["{context}" == "installing-vsphere-installer-provisioned-customizations"]
+:!vsphere:
+endif::[]
+ifeval::["{context}" == "installing-vsphere-installer-provisioned-network-customizations"]
+:!vsphere:
+endif::[]
+ifeval::["{context}" == "installing-restricted-networks-installer-provisioned-vsphere"]
+:!vsphere:
+endif::[]
diff --git a/modules/nw-osp-services-external-load-balancer.adoc b/modules/nw-osp-services-external-load-balancer.adoc
index a41932382935..d441f0a344e9 100644
--- a/modules/nw-osp-services-external-load-balancer.adoc
+++ b/modules/nw-osp-services-external-load-balancer.adoc
@@ -1,10 +1,11 @@
 // Module included in the following assemblies:
 
-// OpenStack
-// * networking/load-balancing-openstack.adoc
 // Bare metal
 // * installing/installing_bare_metal_ipi/ipi-install-installation-workflow.adoc
-// * installing/installing_bare_metal_ipi/ipi-install-post-installation-configuration.adoc
+// OpenStack
+// * networking/load-balancing-openstack.adoc
+// Nutanix
+// * installing/installing_nutanix/installing-nutanix-installer-provisioned.adoc
 // vSphere
 // * installing/installing-vsphere-installer-provisioned-customizations.adoc
 // * installing/installing-vsphere-installer-provisioned-network-customizations.adoc
diff --git a/modules/nw-ovn-ipsec-enable.adoc b/modules/nw-ovn-ipsec-enable.adoc
index 67f4a7d3dd09..d5a0815b91bf 100644
--- a/modules/nw-ovn-ipsec-enable.adoc
+++ b/modules/nw-ovn-ipsec-enable.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/openshift_network_security/configuring-ipsec-ovn.adoc
+// * networking/network_security/configuring-ipsec-ovn.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="nw-ovn-ipsec-enable_{context}"]
diff --git a/modules/nw-ovn-ipsec-encryption.adoc b/modules/nw-ovn-ipsec-encryption.adoc
index 4f906ef03861..b1bc122666d6 100644
--- a/modules/nw-ovn-ipsec-encryption.adoc
+++ b/modules/nw-ovn-ipsec-encryption.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/openshift_network_security/configuring-ipsec-ovn.adoc
+// * networking/network_security/configuring-ipsec-ovn.adoc
 
 :_mod-docs-content-type: CONCEPT
 [id="nw-ovn-ipsec-encryption_{context}"]
diff --git a/modules/nw-ovn-ipsec-external.adoc b/modules/nw-ovn-ipsec-external.adoc
index 592ba9b8b6f6..1a3eb3d0e1b5 100644
--- a/modules/nw-ovn-ipsec-external.adoc
+++ b/modules/nw-ovn-ipsec-external.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/openshift_network_security/configuring-ipsec-ovn.adoc
+// * networking/network_security/configuring-ipsec-ovn.adoc
 
 :_mod-docs-content-type: CONCEPT
 [id="nw-ovn-ipsec-external_{context}"]
diff --git a/modules/nw-ovn-ipsec-north-south-disable.adoc b/modules/nw-ovn-ipsec-north-south-disable.adoc
index 6ecf4398654a..4f8df066f7a4 100644
--- a/modules/nw-ovn-ipsec-north-south-disable.adoc
+++ b/modules/nw-ovn-ipsec-north-south-disable.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/openshift_network_security/configuring-ipsec-ovn.adoc
+// * networking/network_security/configuring-ipsec-ovn.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="nw-ovn-ipsec-north-south-disable_{context}"]
diff --git a/modules/nw-ovn-ipsec-north-south-enable.adoc b/modules/nw-ovn-ipsec-north-south-enable.adoc
index a5e49618d69e..80269d8f50a7 100644
--- a/modules/nw-ovn-ipsec-north-south-enable.adoc
+++ b/modules/nw-ovn-ipsec-north-south-enable.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/openshift_network_security/configuring-ipsec-ovn.adoc
+// * networking/network_security/configuring-ipsec-ovn.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="nw-ovn-ipsec-north-south-enable_{context}"]
diff --git a/modules/nw-ovn-ipsec-traffic.adoc b/modules/nw-ovn-ipsec-traffic.adoc
index b40ea168ba64..c80a43b31ca5 100644
--- a/modules/nw-ovn-ipsec-traffic.adoc
+++ b/modules/nw-ovn-ipsec-traffic.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/openshift_network_security/configuring-ipsec-ovn.adoc
+// * networking/network_security/configuring-ipsec-ovn.adoc
 
 :_mod-docs-content-type: CONCEPT
 [id="nw-ovn-ipsec-traffic_{context}"]
diff --git a/modules/nw-ovn-k-adminnetwork-policy-action-rules.adoc b/modules/nw-ovn-k-adminnetwork-policy-action-rules.adoc
index d8033fbbf152..42224c34f09e 100644
--- a/modules/nw-ovn-k-adminnetwork-policy-action-rules.adoc
+++ b/modules/nw-ovn-k-adminnetwork-policy-action-rules.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/ovn-k-network-policy.adoc
+// * networking/network-policy-apis.adoc
 
 :_mod-docs-content-type: CONCEPT
 [id="adminnetworkpolicy-actions-for-rules_{context}"]
@@ -25,15 +25,14 @@ metadata:
 spec:
   priority: 9
   subject:
-    namespaces: {}
+    namespaces: {} # Use the empty selector with caution because it also selects OpenShift namespaces as well.
   ingress:
   - name: "allow-ingress-from-monitoring"
     action: "Allow"
     from:
     - namespaces:
-        namespaceSelector:
-          matchLabels:
-            kubernetes.io/metadata.name: monitoring
+        matchLabels:
+          kubernetes.io/metadata.name: monitoring
 # ...
 ----
 ====
@@ -64,9 +63,8 @@ spec:
     action: "Deny"
     from:
     - namespaces:
-        namespaceSelector:
-          matchLabels:
-            kubernetes.io/metadata.name: monitoring
+        matchLabels:
+          kubernetes.io/metadata.name: monitoring
 # ...
 ----
 ====
@@ -99,9 +97,8 @@ spec:
     action: "Pass"
     from:
     - namespaces:
-        namespaceSelector:
-          matchLabels:
-            kubernetes.io/metadata.name: monitoring
+        matchLabels:
+          kubernetes.io/metadata.name: monitoring
 # ...
 ----
 ====
diff --git a/modules/nw-ovn-k-adminnetwork-policy.adoc b/modules/nw-ovn-k-adminnetwork-policy.adoc
index dc4708171bad..38c8036dce36 100644
--- a/modules/nw-ovn-k-adminnetwork-policy.adoc
+++ b/modules/nw-ovn-k-adminnetwork-policy.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/ovn-k-network-policy.adoc
+// * networking/network-policy-apis.adoc
 
 :_mod-docs-content-type: CONCEPT
 [id="adminnetworkpolicy_{context}"]
@@ -14,7 +14,7 @@ An ANP allows administrators to specify the following:
 
 * A `priority` value that determines the order of its evaluation. The lower the value the higher the precedence.
 
-* A `subject` that consists of a set of namespaces or namespace..
+* A set of pods that consists of a set of namespaces or namespace on which the policy is applied.
 
 * A list of ingress rules to be applied for all ingress traffic towards the `subject`.
 
@@ -44,22 +44,20 @@ spec:
     action: "Deny"
     from:
     - pods:
-        namespaces: <6>
-          namespaceSelector:
-            matchLabels:
-              custom-anp: tenant-1
+        namespaceSelector:
+          matchLabels:
+            custom-anp: tenant-1
         podSelector:
           matchLabels:
-            custom-anp: tenant-1 <7>
-  egress:<8>
+            custom-anp: tenant-1 <6>
+  egress:<7>
   - name: "pass-all-egress-to-tenant-1"
     action: "Pass"
     to:
     - pods:
-        namespaces:
-          namespaceSelector:
-            matchLabels:
-              custom-anp: tenant-1
+        namespaceSelector:
+          matchLabels:
+            custom-anp: tenant-1
         podSelector:
           matchLabels:
             custom-anp: tenant-1
@@ -69,7 +67,6 @@ spec:
 <3> Specify the namespace to apply the ANP resource.
 <4> ANP have both ingress and egress rules. ANP rules for `spec.ingress` field accepts values of `Pass`, `Deny`, and `Allow` for the `action` field.
 <5> Specify a name for the `ingress.name`.
-<6> Specify the namespaces to select the pods from to apply the ANP resource.
-<7> Specify `podSelector.matchLabels` name of the pods to apply the ANP resource.
-<8> ANP have both ingress and egress rules. ANP rules for `spec.egress` field accepts values of `Pass`, `Deny`, and `Allow` for the `action` field.
+<6> Specify `podSelector.matchLabels` to select pods within the namespaces selected by `namespaceSelector.matchLabels` as ingress peers.
+<7> ANPs have both ingress and egress rules. ANP rules for `spec.egress` field accepts values of `Pass`, `Deny`, and `Allow` for the `action` field.
 ====
\ No newline at end of file
diff --git a/modules/nw-ovn-k-anp-nbctl.adoc b/modules/nw-ovn-k-anp-nbctl.adoc
new file mode 100644
index 000000000000..5c72407b9581
--- /dev/null
+++ b/modules/nw-ovn-k-anp-nbctl.adoc
@@ -0,0 +1,496 @@
+//module included in the following assemblies:
+//
+//networking/network_security/AdminNetworkPolicy/nw-ovn-k-anp-troubleshooting.adoc
+:_mod-docs-content-type: PROCEDURE
+[id="metrics-commands-anp_{context}"]
+== Using nbctl commands for ANP and BANP
+
+To troubleshoot an unsuccessful setup, start by looking at OVN Northbound database (nbdb) objects including `ACL`, `AdressSet`, and `Port_Group`. To view the nbdb, you need to be inside the pod on that node to view the objects in that node's database.
+
+.Prerequisites
+
+* Access to the cluster as a user with the `cluster-admin` role.
+* The OpenShift CLI (`oc`) installed.
+
+[NOTE]
+====
+To run ovn `nbctl` commands in a cluster, you must open a remote shell into the `nbdb`on the relevant node.
+====
+The following policy was used to generate outputs.
+
+.`AdminNetworkPolicy` used to generate outputs
+[%collapsible]
+====
+[source,yaml]
+----
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+  name: cluster-control
+spec:
+  priority: 34
+  subject:
+    namespaces:
+      matchLabels:
+        anp: cluster-control-anp # Only namespaces with this label have this ANP
+  ingress:
+  - name: "allow-from-ingress-router" # rule0
+    action: "Allow"
+    from:
+    - namespaces:
+        matchLabels:
+          policy-group.network.openshift.io/ingress: ""
+  - name: "allow-from-monitoring" # rule1
+    action: "Allow"
+    from:
+    - namespaces:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-monitoring
+    ports:
+    - portNumber:
+        protocol: TCP
+        port: 7564
+    - namedPort: "scrape"
+  - name: "allow-from-open-tenants" # rule2
+    action: "Allow"
+    from:
+    - namespaces: # open tenants
+        matchLabels:
+          tenant: open
+  - name: "pass-from-restricted-tenants" # rule3
+    action: "Pass"
+    from:
+    - namespaces: # restricted tenants
+        matchLabels:
+          tenant: restricted
+  - name: "default-deny" # rule4
+    action: "Deny"
+    from:
+    - namespaces: {} # Use the empty selector with caution because it also selects OpenShift namespaces as well.
+  egress:
+  - name: "allow-to-dns" # rule0
+    action: "Allow"
+    to:
+    - pods:
+        namespaceSelector:
+          matchlabels:
+            kubernetes.io/metadata.name: openshift-dns
+        podSelector:
+          matchlabels:
+            app: dns
+    ports:
+    - portNumber:
+        protocol: UDP
+        port: 5353
+  - name: "allow-to-kapi-server" # rule1
+    action: "Allow"
+    to:
+    - nodes:
+        matchExpressions:
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+    ports:
+    - portNumber:
+        protocol: TCP
+        port: 6443
+  - name: "allow-to-splunk" # rule2
+    action: "Allow"
+    to:
+    - namespaces:
+        matchlabels:
+          tenant: splunk
+    ports:
+    - portNumber:
+        protocol: TCP
+        port: 8991
+    - portNumber:
+        protocol: TCP
+        port: 8992
+  - name: "allow-to-open-tenants-and-intranet-and-worker-nodes" # rule3
+    action: "Allow"
+    to:
+    - nodes: # worker-nodes
+        matchExpressions:
+        - key: node-role.kubernetes.io/worker
+          operator: Exists
+    - networks: # intranet
+      - 172.29.0.0/30
+      - 10.0.54.0/19
+      - 10.0.56.38/32
+      - 10.0.69.0/24
+    - namespaces: # open tenants
+        matchLabels:
+          tenant: open
+  - name: "pass-to-restricted-tenants" # rule4
+    action: "Pass"
+    to:
+    - namespaces: # restricted tenants
+        matchLabels:
+          tenant: restricted
+  - name: "default-deny"
+    action: "Deny"
+    to:
+    - networks:
+      - 0.0.0.0/0
+----
+====
+
+.Procedure
+
+. List pods with node information by running the following command:
++
+[source,terminal]
+----
+$ oc get pods -n openshift-ovn-kubernetes -owide
+----
++
+.Example output
+[source,terminal]
+----
+NAME                                     READY   STATUS    RESTARTS   AGE   IP           NODE                                       NOMINATED NODE   READINESS GATES
+ovnkube-control-plane-5c95487779-8k9fd   2/2     Running   0          34m   10.0.0.5     ci-ln-0tv5gg2-72292-6sjw5-master-0         <none>           <none>
+ovnkube-control-plane-5c95487779-v2xn8   2/2     Running   0          34m   10.0.0.3     ci-ln-0tv5gg2-72292-6sjw5-master-1         <none>           <none>
+ovnkube-node-524dt                       8/8     Running   0          33m   10.0.0.4     ci-ln-0tv5gg2-72292-6sjw5-master-2         <none>           <none>
+ovnkube-node-gbwr9                       8/8     Running   0          24m   10.0.128.4   ci-ln-0tv5gg2-72292-6sjw5-worker-c-s9gqt   <none>           <none>
+ovnkube-node-h4fpx                       8/8     Running   0          33m   10.0.0.5     ci-ln-0tv5gg2-72292-6sjw5-master-0         <none>           <none>
+ovnkube-node-j4hzw                       8/8     Running   0          24m   10.0.128.2   ci-ln-0tv5gg2-72292-6sjw5-worker-a-hzbh5   <none>           <none>
+ovnkube-node-wdhgv                       8/8     Running   0          33m   10.0.0.3     ci-ln-0tv5gg2-72292-6sjw5-master-1         <none>           <none>
+ovnkube-node-wfncn                       8/8     Running   0          24m   10.0.128.3   ci-ln-0tv5gg2-72292-6sjw5-worker-b-5bb7f   <none>           <none>
+----
+
+. Navigate into a pod to look at the northbound database by running the following command:
++
+[source,terminal]
+----
+$ oc rsh -c nbdb -n openshift-ovn-kubernetes ovnkube-node-524dt
+----
++
+. Run the following command to look at the ACLs nbdb:
++
+[source,terminal]
+----
+$ ovn-nbctl find ACL 'external_ids{>=}{"k8s.ovn.org/owner-type"=AdminNetworkPolicy,"k8s.ovn.org/name"=cluster-control}'
+----
++
+--
+Where::
++
+cluster-control:: Specifies the name of the `AdminNetworkPolicy` you are troubleshooting.
++
+AdminNetworkPolicy:: Specifies the type: `AdminNetworkPolicy` or `BaselineAdminNetworkPolicy`.
+--
++
+.Example output for ACLs
+[%collapsible]
+====
+[source,terminal]
+----
+_uuid               : 0d5e4722-b608-4bb1-b625-23c323cc9926
+action              : allow-related
+direction           : to-lport
+external_ids        : {direction=Ingress, gress-index="2", "k8s.ovn.org/id"="default-network-controller:AdminNetworkPolicy:cluster-control:Ingress:2:None", "k8s.ovn.org/name"=cluster-control, "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=AdminNetworkPolicy, port-policy-protocol=None}
+label               : 0
+log                 : false
+match               : "outport == @a14645450421485494999 && ((ip4.src == $a13730899355151937870))"
+meter               : acl-logging
+name                : "ANP:cluster-control:Ingress:2"
+options             : {}
+priority            : 26598
+severity            : []
+tier                : 1
+
+_uuid               : b7be6472-df67-439c-8c9c-f55929f0a6e0
+action              : drop
+direction           : from-lport
+external_ids        : {direction=Egress, gress-index="5", "k8s.ovn.org/id"="default-network-controller:AdminNetworkPolicy:cluster-control:Egress:5:None", "k8s.ovn.org/name"=cluster-control, "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=AdminNetworkPolicy, port-policy-protocol=None}
+label               : 0
+log                 : false
+match               : "inport == @a14645450421485494999 && ((ip4.dst == $a11452480169090787059))"
+meter               : acl-logging
+name                : "ANP:cluster-control:Egress:5"
+options             : {apply-after-lb="true"}
+priority            : 26595
+severity            : []
+tier                : 1
+
+_uuid               : 5a6e5bb4-36eb-4209-b8bc-c611983d4624
+action              : pass
+direction           : to-lport
+external_ids        : {direction=Ingress, gress-index="3", "k8s.ovn.org/id"="default-network-controller:AdminNetworkPolicy:cluster-control:Ingress:3:None", "k8s.ovn.org/name"=cluster-control, "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=AdminNetworkPolicy, port-policy-protocol=None}
+label               : 0
+log                 : false
+match               : "outport == @a14645450421485494999 && ((ip4.src == $a764182844364804195))"
+meter               : acl-logging
+name                : "ANP:cluster-control:Ingress:3"
+options             : {}
+priority            : 26597
+severity            : []
+tier                : 1
+
+_uuid               : 04f20275-c410-405c-a923-0e677f767889
+action              : pass
+direction           : from-lport
+external_ids        : {direction=Egress, gress-index="4", "k8s.ovn.org/id"="default-network-controller:AdminNetworkPolicy:cluster-control:Egress:4:None", "k8s.ovn.org/name"=cluster-control, "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=AdminNetworkPolicy, port-policy-protocol=None}
+label               : 0
+log                 : false
+match               : "inport == @a14645450421485494999 && ((ip4.dst == $a5972452606168369118))"
+meter               : acl-logging
+name                : "ANP:cluster-control:Egress:4"
+options             : {apply-after-lb="true"}
+priority            : 26596
+severity            : []
+tier                : 1
+
+_uuid               : 4b5d836a-e0a3-4088-825e-f9f0ca58e538
+action              : drop
+direction           : to-lport
+external_ids        : {direction=Ingress, gress-index="4", "k8s.ovn.org/id"="default-network-controller:AdminNetworkPolicy:cluster-control:Ingress:4:None", "k8s.ovn.org/name"=cluster-control, "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=AdminNetworkPolicy, port-policy-protocol=None}
+label               : 0
+log                 : false
+match               : "outport == @a14645450421485494999 && ((ip4.src == $a13814616246365836720))"
+meter               : acl-logging
+name                : "ANP:cluster-control:Ingress:4"
+options             : {}
+priority            : 26596
+severity            : []
+tier                : 1
+
+_uuid               : 5d09957d-d2cc-4f5a-9ddd-b97d9d772023
+action              : allow-related
+direction           : from-lport
+external_ids        : {direction=Egress, gress-index="2", "k8s.ovn.org/id"="default-network-controller:AdminNetworkPolicy:cluster-control:Egress:2:tcp", "k8s.ovn.org/name"=cluster-control, "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=AdminNetworkPolicy, port-policy-protocol=tcp}
+label               : 0
+log                 : false
+match               : "inport == @a14645450421485494999 && ((ip4.dst == $a18396736153283155648)) && tcp && tcp.dst=={8991,8992}"
+meter               : acl-logging
+name                : "ANP:cluster-control:Egress:2"
+options             : {apply-after-lb="true"}
+priority            : 26598
+severity            : []
+tier                : 1
+
+_uuid               : 1a68a5ed-e7f9-47d0-b55c-89184d97e81a
+action              : allow-related
+direction           : from-lport
+external_ids        : {direction=Egress, gress-index="1", "k8s.ovn.org/id"="default-network-controller:AdminNetworkPolicy:cluster-control:Egress:1:tcp", "k8s.ovn.org/name"=cluster-control, "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=AdminNetworkPolicy, port-policy-protocol=tcp}
+label               : 0
+log                 : false
+match               : "inport == @a14645450421485494999 && ((ip4.dst == $a10706246167277696183)) && tcp && tcp.dst==6443"
+meter               : acl-logging
+name                : "ANP:cluster-control:Egress:1"
+options             : {apply-after-lb="true"}
+priority            : 26599
+severity            : []
+tier                : 1
+
+_uuid               : aa1a224d-7960-4952-bdfb-35246bafbac8
+action              : allow-related
+direction           : to-lport
+external_ids        : {direction=Ingress, gress-index="1", "k8s.ovn.org/id"="default-network-controller:AdminNetworkPolicy:cluster-control:Ingress:1:tcp", "k8s.ovn.org/name"=cluster-control, "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=AdminNetworkPolicy, port-policy-protocol=tcp}
+label               : 0
+log                 : false
+match               : "outport == @a14645450421485494999 && ((ip4.src == $a6786643370959569281)) && tcp && tcp.dst==7564"
+meter               : acl-logging
+name                : "ANP:cluster-control:Ingress:1"
+options             : {}
+priority            : 26599
+severity            : []
+tier                : 1
+
+_uuid               : 1a27d30e-3f96-4915-8ddd-ade7f22c117b
+action              : allow-related
+direction           : from-lport
+external_ids        : {direction=Egress, gress-index="3", "k8s.ovn.org/id"="default-network-controller:AdminNetworkPolicy:cluster-control:Egress:3:None", "k8s.ovn.org/name"=cluster-control, "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=AdminNetworkPolicy, port-policy-protocol=None}
+label               : 0
+log                 : false
+match               : "inport == @a14645450421485494999 && ((ip4.dst == $a10622494091691694581))"
+meter               : acl-logging
+name                : "ANP:cluster-control:Egress:3"
+options             : {apply-after-lb="true"}
+priority            : 26597
+severity            : []
+tier                : 1
+
+_uuid               : b23a087f-08f8-4225-8c27-4a9a9ee0c407
+action              : allow-related
+direction           : from-lport
+external_ids        : {direction=Egress, gress-index="0", "k8s.ovn.org/id"="default-network-controller:AdminNetworkPolicy:cluster-control:Egress:0:udp", "k8s.ovn.org/name"=cluster-control, "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=AdminNetworkPolicy, port-policy-protocol=udp}
+label               : 0
+log                 : false
+match               : "inport == @a14645450421485494999 && ((ip4.dst == $a13517855690389298082)) && udp && udp.dst==5353"
+meter               : acl-logging
+name                : "ANP:cluster-control:Egress:0"
+options             : {apply-after-lb="true"}
+priority            : 26600
+severity            : []
+tier                : 1
+
+_uuid               : d14ed5cf-2e06-496e-8cae-6b76d5dd5ccd
+action              : allow-related
+direction           : to-lport
+external_ids        : {direction=Ingress, gress-index="0", "k8s.ovn.org/id"="default-network-controller:AdminNetworkPolicy:cluster-control:Ingress:0:None", "k8s.ovn.org/name"=cluster-control, "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=AdminNetworkPolicy, port-policy-protocol=None}
+label               : 0
+log                 : false
+match               : "outport == @a14645450421485494999 && ((ip4.src == $a14545668191619617708))"
+meter               : acl-logging
+name                : "ANP:cluster-control:Ingress:0"
+options             : {}
+priority            : 26600
+severity            : []
+tier                : 1
+
+----
+====
++
+[NOTE]
+====
+The outputs for ingress and egress show you the logic of the policy in the ACL. For example, every time a packet matches the provided `match` the `action` is taken.
+====
+
+.. Examine the specific ACL for the rule by running the following command:
++
+[source,terminal]
+----
+$ ovn-nbctl find ACL 'external_ids{>=}{"k8s.ovn.org/owner-type"=AdminNetworkPolicy,direction=Ingress,"k8s.ovn.org/name"=cluster-control,gress-index="1"}'
+----
++
+--
+Where::
++
+`cluster-control`:: Specifies the `name` of your ANP.
++
+`Ingress`:: Specifies the `direction` of traffic either of type `Ingress` or `Egress`.
++
+`1`:: Specifies the rule you want to look at.
+--
++
+For the example ANP named `cluster-control` at `priority` `34`, the following is an example output for `Ingress` `rule` 1:
++
+.Example output
+[%collapsible]
+====
+[source,terminal]
+----
+_uuid               : aa1a224d-7960-4952-bdfb-35246bafbac8
+action              : allow-related
+direction           : to-lport
+external_ids        : {direction=Ingress, gress-index="1", "k8s.ovn.org/id"="default-network-controller:AdminNetworkPolicy:cluster-control:Ingress:1:tcp", "k8s.ovn.org/name"=cluster-control, "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=AdminNetworkPolicy, port-policy-protocol=tcp}
+label               : 0
+log                 : false
+match               : "outport == @a14645450421485494999 && ((ip4.src == $a6786643370959569281)) && tcp && tcp.dst==7564"
+meter               : acl-logging
+name                : "ANP:cluster-control:Ingress:1"
+options             : {}
+priority            : 26599
+severity            : []
+tier                : 1
+----
+====
+
+. Run the following command to look at address sets in the nbdb:
++
+[source,terminal]
+----
+$ ovn-nbctl find Address_Set 'external_ids{>=}{"k8s.ovn.org/owner-type"=AdminNetworkPolicy,"k8s.ovn.org/name"=cluster-control}'
+----
++
+.Example outputs for `Address_Set`
+[%collapsible]
+====
+[source,terminal]
+----
+_uuid               : 56e89601-5552-4238-9fc3-8833f5494869
+addresses           : ["192.168.194.135", "192.168.194.152", "192.168.194.193", "192.168.194.254"]
+external_ids        : {direction=Egress, gress-index="1", ip-family=v4, "k8s.ovn.org/id"="default-network-controller:AdminNetworkPolicy:cluster-control:Egress:1:v4", "k8s.ovn.org/name"=cluster-control, "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=AdminNetworkPolicy}
+name                : a10706246167277696183
+
+_uuid               : 7df9330d-380b-4bdb-8acd-4eddeda2419c
+addresses           : ["10.132.0.10", "10.132.0.11", "10.132.0.12", "10.132.0.13", "10.132.0.14", "10.132.0.15", "10.132.0.16", "10.132.0.17", "10.132.0.5", "10.132.0.7", "10.132.0.71", "10.132.0.75", "10.132.0.8", "10.132.0.81", "10.132.0.9", "10.132.2.10", "10.132.2.11", "10.132.2.12", "10.132.2.14", "10.132.2.15", "10.132.2.3", "10.132.2.4", "10.132.2.5", "10.132.2.6", "10.132.2.7", "10.132.2.8", "10.132.2.9", "10.132.3.64", "10.132.3.65", "10.132.3.72", "10.132.3.73", "10.132.3.76", "10.133.0.10", "10.133.0.11", "10.133.0.12", "10.133.0.13", "10.133.0.14", "10.133.0.15", "10.133.0.16", "10.133.0.17", "10.133.0.18", "10.133.0.19", "10.133.0.20", "10.133.0.21", "10.133.0.22", "10.133.0.23", "10.133.0.24", "10.133.0.25", "10.133.0.26", "10.133.0.27", "10.133.0.28", "10.133.0.29", "10.133.0.30", "10.133.0.31", "10.133.0.32", "10.133.0.33", "10.133.0.34", "10.133.0.35", "10.133.0.36", "10.133.0.37", "10.133.0.38", "10.133.0.39", "10.133.0.40", "10.133.0.41", "10.133.0.42", "10.133.0.44", "10.133.0.45", "10.133.0.46", "10.133.0.47", "10.133.0.48", "10.133.0.5", "10.133.0.6", "10.133.0.7", "10.133.0.8", "10.133.0.9", "10.134.0.10", "10.134.0.11", "10.134.0.12", "10.134.0.13", "10.134.0.14", "10.134.0.15", "10.134.0.16", "10.134.0.17", "10.134.0.18", "10.134.0.19", "10.134.0.20", "10.134.0.21", "10.134.0.22", "10.134.0.23", "10.134.0.24", "10.134.0.25", "10.134.0.26", "10.134.0.27", "10.134.0.28", "10.134.0.30", "10.134.0.31", "10.134.0.32", "10.134.0.33", "10.134.0.34", "10.134.0.35", "10.134.0.36", "10.134.0.37", "10.134.0.38", "10.134.0.4", "10.134.0.42", "10.134.0.9", "10.135.0.10", "10.135.0.11", "10.135.0.12", "10.135.0.13", "10.135.0.14", "10.135.0.15", "10.135.0.16", "10.135.0.17", "10.135.0.18", "10.135.0.19", "10.135.0.23", "10.135.0.24", "10.135.0.26", "10.135.0.27", "10.135.0.29", "10.135.0.3", "10.135.0.4", "10.135.0.40", "10.135.0.41", "10.135.0.42", "10.135.0.43", "10.135.0.44", "10.135.0.5", "10.135.0.6", "10.135.0.7", "10.135.0.8", "10.135.0.9"]
+external_ids        : {direction=Ingress, gress-index="4", ip-family=v4, "k8s.ovn.org/id"="default-network-controller:AdminNetworkPolicy:cluster-control:Ingress:4:v4", "k8s.ovn.org/name"=cluster-control, "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=AdminNetworkPolicy}
+name                : a13814616246365836720
+
+_uuid               : 84d76f13-ad95-4c00-8329-a0b1d023c289
+addresses           : ["10.132.3.76", "10.135.0.44"]
+external_ids        : {direction=Egress, gress-index="4", ip-family=v4, "k8s.ovn.org/id"="default-network-controller:AdminNetworkPolicy:cluster-control:Egress:4:v4", "k8s.ovn.org/name"=cluster-control, "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=AdminNetworkPolicy}
+name                : a5972452606168369118
+
+_uuid               : 0c53e917-f7ee-4256-8f3a-9522c0481e52
+addresses           : ["10.132.0.10", "10.132.0.11", "10.132.0.12", "10.132.0.13", "10.132.0.14", "10.132.0.15", "10.132.0.16", "10.132.0.17", "10.132.0.5", "10.132.0.7", "10.132.0.71", "10.132.0.75", "10.132.0.8", "10.132.0.81", "10.132.0.9", "10.132.2.10", "10.132.2.11", "10.132.2.12", "10.132.2.14", "10.132.2.15", "10.132.2.3", "10.132.2.4", "10.132.2.5", "10.132.2.6", "10.132.2.7", "10.132.2.8", "10.132.2.9", "10.132.3.64", "10.132.3.65", "10.132.3.72", "10.132.3.73", "10.132.3.76", "10.133.0.10", "10.133.0.11", "10.133.0.12", "10.133.0.13", "10.133.0.14", "10.133.0.15", "10.133.0.16", "10.133.0.17", "10.133.0.18", "10.133.0.19", "10.133.0.20", "10.133.0.21", "10.133.0.22", "10.133.0.23", "10.133.0.24", "10.133.0.25", "10.133.0.26", "10.133.0.27", "10.133.0.28", "10.133.0.29", "10.133.0.30", "10.133.0.31", "10.133.0.32", "10.133.0.33", "10.133.0.34", "10.133.0.35", "10.133.0.36", "10.133.0.37", "10.133.0.38", "10.133.0.39", "10.133.0.40", "10.133.0.41", "10.133.0.42", "10.133.0.44", "10.133.0.45", "10.133.0.46", "10.133.0.47", "10.133.0.48", "10.133.0.5", "10.133.0.6", "10.133.0.7", "10.133.0.8", "10.133.0.9", "10.134.0.10", "10.134.0.11", "10.134.0.12", "10.134.0.13", "10.134.0.14", "10.134.0.15", "10.134.0.16", "10.134.0.17", "10.134.0.18", "10.134.0.19", "10.134.0.20", "10.134.0.21", "10.134.0.22", "10.134.0.23", "10.134.0.24", "10.134.0.25", "10.134.0.26", "10.134.0.27", "10.134.0.28", "10.134.0.30", "10.134.0.31", "10.134.0.32", "10.134.0.33", "10.134.0.34", "10.134.0.35", "10.134.0.36", "10.134.0.37", "10.134.0.38", "10.134.0.4", "10.134.0.42", "10.134.0.9", "10.135.0.10", "10.135.0.11", "10.135.0.12", "10.135.0.13", "10.135.0.14", "10.135.0.15", "10.135.0.16", "10.135.0.17", "10.135.0.18", "10.135.0.19", "10.135.0.23", "10.135.0.24", "10.135.0.26", "10.135.0.27", "10.135.0.29", "10.135.0.3", "10.135.0.4", "10.135.0.40", "10.135.0.41", "10.135.0.42", "10.135.0.43", "10.135.0.44", "10.135.0.5", "10.135.0.6", "10.135.0.7", "10.135.0.8", "10.135.0.9"]
+external_ids        : {direction=Egress, gress-index="2", ip-family=v4, "k8s.ovn.org/id"="default-network-controller:AdminNetworkPolicy:cluster-control:Egress:2:v4", "k8s.ovn.org/name"=cluster-control, "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=AdminNetworkPolicy}
+name                : a18396736153283155648
+
+_uuid               : 5228bf1b-dfd8-40ec-bfa8-95c5bf9aded9
+addresses           : []
+external_ids        : {direction=Ingress, gress-index="0", ip-family=v4, "k8s.ovn.org/id"="default-network-controller:AdminNetworkPolicy:cluster-control:Ingress:0:v4", "k8s.ovn.org/name"=cluster-control, "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=AdminNetworkPolicy}
+name                : a14545668191619617708
+
+_uuid               : 46530d69-70da-4558-8c63-884ec9dc4f25
+addresses           : ["10.132.2.10", "10.132.2.5", "10.132.2.6", "10.132.2.7", "10.132.2.8", "10.132.2.9", "10.133.0.47", "10.134.0.33", "10.135.0.10", "10.135.0.11", "10.135.0.12", "10.135.0.19", "10.135.0.24", "10.135.0.7", "10.135.0.8", "10.135.0.9"]
+external_ids        : {direction=Ingress, gress-index="1", ip-family=v4, "k8s.ovn.org/id"="default-network-controller:AdminNetworkPolicy:cluster-control:Ingress:1:v4", "k8s.ovn.org/name"=cluster-control, "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=AdminNetworkPolicy}
+name                : a6786643370959569281
+
+_uuid               : 65fdcdea-0b9f-4318-9884-1b51d231ad1d
+addresses           : ["10.132.3.72", "10.135.0.42"]
+external_ids        : {direction=Ingress, gress-index="2", ip-family=v4, "k8s.ovn.org/id"="default-network-controller:AdminNetworkPolicy:cluster-control:Ingress:2:v4", "k8s.ovn.org/name"=cluster-control, "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=AdminNetworkPolicy}
+name                : a13730899355151937870
+
+_uuid               : 73eabdb0-36bf-4ca3-b66d-156ac710df4c
+addresses           : ["10.0.32.0/19", "10.0.56.38/32", "10.0.69.0/24", "10.132.3.72", "10.135.0.42", "172.29.0.0/30", "192.168.194.103", "192.168.194.2"]
+external_ids        : {direction=Egress, gress-index="3", ip-family=v4, "k8s.ovn.org/id"="default-network-controller:AdminNetworkPolicy:cluster-control:Egress:3:v4", "k8s.ovn.org/name"=cluster-control, "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=AdminNetworkPolicy}
+name                : a10622494091691694581
+
+_uuid               : 50cdbef2-71b5-474b-914c-6fcd1d7712d3
+addresses           : ["10.132.0.10", "10.132.0.11", "10.132.0.12", "10.132.0.13", "10.132.0.14", "10.132.0.15", "10.132.0.16", "10.132.0.17", "10.132.0.5", "10.132.0.7", "10.132.0.71", "10.132.0.75", "10.132.0.8", "10.132.0.81", "10.132.0.9", "10.132.2.10", "10.132.2.11", "10.132.2.12", "10.132.2.14", "10.132.2.15", "10.132.2.3", "10.132.2.4", "10.132.2.5", "10.132.2.6", "10.132.2.7", "10.132.2.8", "10.132.2.9", "10.132.3.64", "10.132.3.65", "10.132.3.72", "10.132.3.73", "10.132.3.76", "10.133.0.10", "10.133.0.11", "10.133.0.12", "10.133.0.13", "10.133.0.14", "10.133.0.15", "10.133.0.16", "10.133.0.17", "10.133.0.18", "10.133.0.19", "10.133.0.20", "10.133.0.21", "10.133.0.22", "10.133.0.23", "10.133.0.24", "10.133.0.25", "10.133.0.26", "10.133.0.27", "10.133.0.28", "10.133.0.29", "10.133.0.30", "10.133.0.31", "10.133.0.32", "10.133.0.33", "10.133.0.34", "10.133.0.35", "10.133.0.36", "10.133.0.37", "10.133.0.38", "10.133.0.39", "10.133.0.40", "10.133.0.41", "10.133.0.42", "10.133.0.44", "10.133.0.45", "10.133.0.46", "10.133.0.47", "10.133.0.48", "10.133.0.5", "10.133.0.6", "10.133.0.7", "10.133.0.8", "10.133.0.9", "10.134.0.10", "10.134.0.11", "10.134.0.12", "10.134.0.13", "10.134.0.14", "10.134.0.15", "10.134.0.16", "10.134.0.17", "10.134.0.18", "10.134.0.19", "10.134.0.20", "10.134.0.21", "10.134.0.22", "10.134.0.23", "10.134.0.24", "10.134.0.25", "10.134.0.26", "10.134.0.27", "10.134.0.28", "10.134.0.30", "10.134.0.31", "10.134.0.32", "10.134.0.33", "10.134.0.34", "10.134.0.35", "10.134.0.36", "10.134.0.37", "10.134.0.38", "10.134.0.4", "10.134.0.42", "10.134.0.9", "10.135.0.10", "10.135.0.11", "10.135.0.12", "10.135.0.13", "10.135.0.14", "10.135.0.15", "10.135.0.16", "10.135.0.17", "10.135.0.18", "10.135.0.19", "10.135.0.23", "10.135.0.24", "10.135.0.26", "10.135.0.27", "10.135.0.29", "10.135.0.3", "10.135.0.4", "10.135.0.40", "10.135.0.41", "10.135.0.42", "10.135.0.43", "10.135.0.44", "10.135.0.5", "10.135.0.6", "10.135.0.7", "10.135.0.8", "10.135.0.9"]
+external_ids        : {direction=Egress, gress-index="0", ip-family=v4, "k8s.ovn.org/id"="default-network-controller:AdminNetworkPolicy:cluster-control:Egress:0:v4", "k8s.ovn.org/name"=cluster-control, "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=AdminNetworkPolicy}
+name                : a13517855690389298082
+
+_uuid               : 32a42f32-2d11-43dd-979d-a56d7ee6aa57
+addresses           : ["10.132.3.76", "10.135.0.44"]
+external_ids        : {direction=Ingress, gress-index="3", ip-family=v4, "k8s.ovn.org/id"="default-network-controller:AdminNetworkPolicy:cluster-control:Ingress:3:v4", "k8s.ovn.org/name"=cluster-control, "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=AdminNetworkPolicy}
+name                : a764182844364804195
+
+_uuid               : 8fd3b977-6e1c-47aa-82b7-e3e3136c4a72
+addresses           : ["0.0.0.0/0"]
+external_ids        : {direction=Egress, gress-index="5", ip-family=v4, "k8s.ovn.org/id"="default-network-controller:AdminNetworkPolicy:cluster-control:Egress:5:v4", "k8s.ovn.org/name"=cluster-control, "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=AdminNetworkPolicy}
+name                : a11452480169090787059
+----
+====
+
+.. Examine the specific address set of the rule  by running the following command:
++
+[source,terminal]
+----
+$ ovn-nbctl find Address_Set 'external_ids{>=}{"k8s.ovn.org/owner-type"=AdminNetworkPolicy,direction=Egress,"k8s.ovn.org/name"=cluster-control,gress-index="5"}'
+----
++
+.Example outputs for `Address_Set`
+[%collapsible]
+====
+[source,terminal]
+----
+_uuid               : 8fd3b977-6e1c-47aa-82b7-e3e3136c4a72
+addresses           : ["0.0.0.0/0"]
+external_ids        : {direction=Egress, gress-index="5", ip-family=v4, "k8s.ovn.org/id"="default-network-controller:AdminNetworkPolicy:cluster-control:Egress:5:v4", "k8s.ovn.org/name"=cluster-control, "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=AdminNetworkPolicy}
+name                : a11452480169090787059
+----
+====
+
+. Run the following command to look at the port groups in the nbdb:
++
+[source,terminal]
+----
+$ ovn-nbctl find Port_Group 'external_ids{>=}{"k8s.ovn.org/owner-type"=AdminNetworkPolicy,"k8s.ovn.org/name"=cluster-control}'
+----
++
+.Example outputs for `Port_Group`
+[%collapsible]
+====
+[source,terminal]
+----
+_uuid               : f50acf71-7488-4b9a-b7b8-c8a024e99d21
+acls                : [04f20275-c410-405c-a923-0e677f767889, 0d5e4722-b608-4bb1-b625-23c323cc9926, 1a27d30e-3f96-4915-8ddd-ade7f22c117b, 1a68a5ed-e7f9-47d0-b55c-89184d97e81a, 4b5d836a-e0a3-4088-825e-f9f0ca58e538, 5a6e5bb4-36eb-4209-b8bc-c611983d4624, 5d09957d-d2cc-4f5a-9ddd-b97d9d772023, aa1a224d-7960-4952-bdfb-35246bafbac8, b23a087f-08f8-4225-8c27-4a9a9ee0c407, b7be6472-df67-439c-8c9c-f55929f0a6e0, d14ed5cf-2e06-496e-8cae-6b76d5dd5ccd]
+external_ids        : {"k8s.ovn.org/id"="default-network-controller:AdminNetworkPolicy:cluster-control", "k8s.ovn.org/name"=cluster-control, "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=AdminNetworkPolicy}
+name                : a14645450421485494999
+ports               : [5e75f289-8273-4f8a-8798-8c10f7318833, de7e1b71-6184-445d-93e7-b20acadf41ea]
+----
+====
diff --git a/modules/nw-ovn-k-anp-troubeshooting.adoc b/modules/nw-ovn-k-anp-troubeshooting.adoc
new file mode 100644
index 000000000000..a38ef43de232
--- /dev/null
+++ b/modules/nw-ovn-k-anp-troubeshooting.adoc
@@ -0,0 +1,76 @@
+//module included in the following assemblies:
+//
+//networking/network_security/AdminNetworkPolicy/nw-ovn-k-anp-troubleshooting.adoc
+:_mod-docs-content-type: REFRENCE
+[id="anp-troubleshooting_{context}"]
+= Checking creation of ANP
+
+To check that your `AdminNetworkPolicy` (ANP) and `BaselineAdminNetworkPolicy` (BANP) are created correctly, check the status outputs of the following commands: `oc describe anp` or `oc describe banp`.
+
+A good status indicates `OVN DB plumbing was successful` and the `SetupSucceeded`.
+
+.Example ANP with a good status
+[%collapsible]
+====
+[source,terminal]
+----
+...
+Conditions:
+Last Transition Time:  2024-06-08T20:29:00Z
+Message:               Setting up OVN DB plumbing was successful
+Reason:                SetupSucceeded
+Status:                True
+Type:                  Ready-In-Zone-ovn-control-plane Last Transition Time:  2024-06-08T20:29:00Z
+Message:               Setting up OVN DB plumbing was successful
+Reason:                SetupSucceeded
+Status:                True
+Type:                  Ready-In-Zone-ovn-worker
+Last Transition Time:  2024-06-08T20:29:00Z
+Message:               Setting up OVN DB plumbing was successful
+Reason:                SetupSucceeded
+Status:                True
+Type:                  Ready-In-Zone-ovn-worker2
+...
+----
+====
+
+If plumbing is unsuccessful, an error is reported from the respective zone controller.
+
+.Example of an ANP with a bad status and error message
+[%collapsible]
+====
+[source,terminal]
+----
+...
+Status:
+  Conditions:
+    Last Transition Time:  2024-06-25T12:47:44Z
+    Message:               error attempting to add ANP cluster-control with priority 600 because, OVNK only supports priority ranges 0-99
+    Reason:                SetupFailed
+    Status:                False
+    Type:                  Ready-In-Zone-example-worker-1.example.example-org.net
+    Last Transition Time:  2024-06-25T12:47:45Z
+    Message:               error attempting to add ANP cluster-control with priority 600 because, OVNK only supports priority ranges 0-99
+    Reason:                SetupFailed
+    Status:                False
+    Type:                  Ready-In-Zone-example-worker-0.example.example-org.net
+    Last Transition Time:  2024-06-25T12:47:44Z
+    Message:               error attempting to add ANP cluster-control with priority 600 because, OVNK only supports priority ranges 0-99
+    Reason:                SetupFailed
+    Status:                False
+    Type:                  Ready-In-Zone-example-ctlplane-1.example.example-org.net
+    Last Transition Time:  2024-06-25T12:47:44Z
+    Message:               error attempting to add ANP cluster-control with priority 600 because, OVNK only supports priority ranges 0-99
+    Reason:                SetupFailed
+    Status:                False
+    Type:                  Ready-In-Zone-example-ctlplane-2.example.example-org.net
+    Last Transition Time:  2024-06-25T12:47:44Z
+    Message:               error attempting to add ANP cluster-control with priority 600 because, OVNK only supports priority ranges 0-99
+    Reason:                SetupFailed
+    Status:                False
+    Type:                  Ready-In-Zone-example-ctlplane-0.example.example-org.net
+    ```
+----
+====
+
+See the following section for `nbctl` commands to help troubleshoot unsuccessful policies.
\ No newline at end of file
diff --git a/modules/nw-ovn-k-baseline-adminnetwork-policy.adoc b/modules/nw-ovn-k-baseline-adminnetwork-policy.adoc
index 35bd841fb663..c6458c189797 100644
--- a/modules/nw-ovn-k-baseline-adminnetwork-policy.adoc
+++ b/modules/nw-ovn-k-baseline-adminnetwork-policy.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/ovn-k-network-policy.adoc
+// * networking/network-policy-apis.adoc
 
 :_mod-docs-content-type: Concept
 [id="BaselineAdminNetworkPolicy"_{context}"]
@@ -42,10 +42,9 @@ spec:
     action: "Deny"
     from:
     - pods:
-        namespaces:
-          namespaceSelector:
-            matchLabels:
-              custom-banp: tenant-1 <5>
+        namespaceSelector:
+          matchLabels:
+            custom-banp: tenant-1 <5>
         podSelector:
           matchLabels:
             custom-banp: tenant-1 <6>
@@ -54,10 +53,9 @@ spec:
     action: "Allow"
     to:
     - pods:
-        namespaces:
-          namespaceSelector:
-            matchLabels:
-              custom-banp: tenant-1
+        namespaceSelector:
+          matchLabels:
+            custom-banp: tenant-1
         podSelector:
           matchLabels:
             custom-banp: tenant-1
@@ -95,9 +93,8 @@ spec:
     action: "Deny"
     from:
     - namespaces:
-        namespaceSelector:
-          matchLabels:
-            kubernetes.io/metadata.name: monitoring
+        matchLabels:
+          kubernetes.io/metadata.name: monitoring
 # ...
 ----
 ====
diff --git a/modules/nw-ovn-kuberentes-change-join-subnet.adoc b/modules/nw-ovn-kuberentes-change-join-subnet.adoc
new file mode 100644
index 000000000000..85319607b04c
--- /dev/null
+++ b/modules/nw-ovn-kuberentes-change-join-subnet.adoc
@@ -0,0 +1,63 @@
+// Module included in the following assemblies:
+//
+// * networking/ovn_kubernetes_network_provider/configure-ovn-kubernetes-subnets.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="nw-ovn-kubernetes-change-join-subnet_{context}"]
+= Configuring the OVN-Kubernetes join subnet
+
+You can change the join subnet used by OVN-Kubernetes to avoid conflicting with any existing subnets already in use in your environment.
+
+.Prerequisites
+
+* Install the OpenShift CLI (`oc`).
+* Log in to the cluster with a user with `cluster-admin` privileges.
+* Ensure that the cluster uses the OVN-Kubernetes network plugin.
+
+.Procedure
+
+. To change the OVN-Kubernetes join subnet, enter the following command:
++
+[source,terminal]
+----
+$ oc patch network.operator.openshift.io cluster --type='merge' \
+  -p='{"spec":{"defaultNetwork":{"ovnKubernetesConfig":
+    {"ipv4":{"internalJoinSubnet": "<join_subnet>"},
+    "ipv6":{"internalJoinSubnet": "<join_subnet>"}}}}}'
+----
++
+--
+where:
+
+`<join_subnet>`:: Specifies an IP address subnet for internal use by OVN-Kubernetes. The subnet must be larger than the number of nodes in the cluster and it must be large enough to accommodate one IP address per node in the cluster. This subnet cannot overlap with any other subnets used by {product-title} or on the host itself. The default value for IPv4 is `100.64.0.0/16` and the default value for IPv6 is `fd98::/64`.
+--
++
+.Example output
+[source,text]
+----
+network.operator.openshift.io/cluster patched
+----
+
+.Verification
+
+* To confirm that the configuration is active, enter the following command:
++
+[source,terminal]
+----
+$ oc get network.operator.openshift.io \
+  -o jsonpath="{.items[0].spec.defaultNetwork}"
+----
++
+It can take up to 30 minutes for this change to take effect.
++
+.Example output
+----
+{
+  "ovnKubernetesConfig": {
+    "ipv4": {
+      "internalJoinSubnet": "100.64.1.0/16"
+    },
+  },
+  "type": "OVNKubernetes"
+}
+----
diff --git a/modules/nw-ovn-kuberentes-change-transit-subnet.adoc b/modules/nw-ovn-kuberentes-change-transit-subnet.adoc
new file mode 100644
index 000000000000..1f253aede2b1
--- /dev/null
+++ b/modules/nw-ovn-kuberentes-change-transit-subnet.adoc
@@ -0,0 +1,63 @@
+// Module included in the following assemblies:
+//
+// * networking/ovn_kubernetes_network_provider/configure-ovn-kubernetes-subnets.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="nw-ovn-kubernetes-change-transit-subnet_{context}"]
+= Configuring the OVN-Kubernetes transit subnet
+
+You can change the transit subnet used by OVN-Kubernetes to avoid conflicting with any existing subnets already in use in your environment.
+
+.Prerequisites
+
+* Install the OpenShift CLI (`oc`).
+* Log in to the cluster with a user with `cluster-admin` privileges.
+* Ensure that the cluster uses the OVN-Kubernetes network plugin.
+
+.Procedure
+
+. To change the OVN-Kubernetes transit subnet, enter the following command:
++
+[source,terminal]
+----
+$ oc patch network.operator.openshift.io cluster --type='merge' \
+  -p='{"spec":{"defaultNetwork":{"ovnKubernetesConfig":
+    {"ipv4":{"internalTransitSwitchSubnet": "<transit_subnet>"},
+    "ipv6":{"internalTransitSwitchSubnet": "<transit_subnet>"}}}}}'
+----
++
+--
+where:
+
+`<transit_subnet>`:: Specifies an IP address subnet for the distributed transit switch that enables east-west traffic. This subnet cannot overlap with any other subnets used by OVN-Kubernetes or on the host itself. The default value for IPv4 is `100.88.0.0/16` and the default value for IPv6 is `fd97::/64`.
+--
++
+.Example output
+[source,text]
+----
+network.operator.openshift.io/cluster patched
+----
+
+.Verification
+
+* To confirm that the configuration is active, enter the following command:
++
+[source,terminal]
+----
+$ oc get network.operator.openshift.io \
+  -o jsonpath="{.items[0].spec.defaultNetwork}"
+----
++
+It can take up to 30 minutes for this change to take effect.
++
+.Example output
+----
+{
+  "ovnKubernetesConfig": {
+    "ipv4": {
+      "internalTransitSwitchSubnet": "100.88.1.0/16"
+    },
+  },
+  "type": "OVNKubernetes"
+}
+----
diff --git a/modules/nw-ovn-kubernetes-checking-live-migration-metrics.adoc b/modules/nw-ovn-kubernetes-checking-live-migration-metrics.adoc
new file mode 100644
index 000000000000..8d4e6e3a343b
--- /dev/null
+++ b/modules/nw-ovn-kubernetes-checking-live-migration-metrics.adoc
@@ -0,0 +1,75 @@
+// Module included in the following assemblies:
+//
+// * networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="checking-live-migration-metrics"]
+= Checking limited live migration metrics 
+
+Metrics are available to monitor the progress of the limited live migration. Metrics can be viewed on the {product-title} web console, or by using the `oc` CLI.
+
+.Prerequisites
+
+* You have initiated a limited live migration to OVN-Kubernetes.
+
+.Procedure
+
+. To view limited live migration metrics on the {product-title} web console:
+
+.. Click *Observe* -> *Metrics*.
+
+.. In the *Expression* box, type *openshift_network* and click the *openshift_network_operator_live_migration_procedure* option. 
+
+. To view metrics by using the `oc` CLI:
+
+.. Enter the following command to generate a token for the `prometheus-k8s` service account in the `openshift-monitoring` namespace:
++
+[source,terminal]
+----
+$ oc create token prometheus-k8s -n openshift-monitoring
+----
++
+.Example output
++
+[source,terminal]
+----
+eyJhbGciOiJSUzI1NiIsImtpZCI6IlZiSUtwclcwbEJ2VW9We...
+----
+
+.. Enter the following command to request information about the `openshift_network_operator_live_migration_condition` metric:
++
+[source,terminal]
+----
+$ oc -n openshift-monitoring exec -c prometheus prometheus-k8s-0 -- curl -k -H "Authorization: <eyJhbGciOiJSUzI1NiIsImtpZCI6IlZiSUtwclcwbEJ2VW9We...>" "https://<openshift_API_endpoint>" --data-urlencode "query=openshift_network_operator_live_migration_condition" | jq`
+----
++
+.Example output
++
+[source,terminal]
+----
+ "status": "success",
+  "data": {
+    "resultType": "vector",
+    "result": [
+      {
+        "metric": {
+          "__name__": "openshift_network_operator_live_migration_condition",
+          "container": "network-operator",
+          "endpoint": "metrics",
+          "instance": "10.0.83.62:9104",
+          "job": "metrics",
+          "namespace": "openshift-network-operator",
+          "pod": "network-operator-6c87754bc6-c8qld",
+          "prometheus": "openshift-monitoring/k8s",
+          "service": "metrics",
+          "type": "NetworkTypeMigrationInProgress"
+        },
+        "value": [
+          1717653579.587,
+          "1"
+        ]
+      },
+...
+----
+
+The table in "Information about limited live migration metrics" shows you the available metrics and the label values populated from the `openshift_network_operator_live_migration_procedure` expression. Use this information to monitor progress or to troubleshoot the migration.
\ No newline at end of file
diff --git a/modules/nw-ovn-kubernetes-live-migration-about.adoc b/modules/nw-ovn-kubernetes-live-migration-about.adoc
new file mode 100644
index 000000000000..a1729dcce176
--- /dev/null
+++ b/modules/nw-ovn-kubernetes-live-migration-about.adoc
@@ -0,0 +1,89 @@
+// Module included in the following assemblies:
+//
+// * networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn.adoc
+
+[id="nw-ovn-kubernetes-live-migration-about_{context}"]
+= Limited live migration to the OVN-Kubernetes network plugin overview
+
+The limited live migration method is the process in which the OpenShift SDN network plugin and its network configurations, connections, and associated resources, are migrated to the OVN-Kubernetes network plugin without service interruption. It is available for {product-title}, {product-dedicated}, {product-rosa}, and Azure Red Hat OpenShift deployment types. It is not available for HyperShift deployment types. This migration method is valuable for deployment types that require constant service availability and offers the following benefits:
+
+* Continuous service availability
+* Minimized downtime
+* Automatic node rebooting
+* Seamless transition from the OpenShift SDN network plugin to the OVN-Kubernetes network plugin
+
+Although a rollback procedure is provided, the limited live migration is intended to be a one-way process.
+
+include::snippets/sdn-deprecation-statement.adoc[]
+
+The following sections provide more information about the limited live migration method.
+
+[id="supported-platforms-live-migrating-ovn-kubernetes"]
+== Supported platforms when using the limited live migration method
+
+The following table provides information about the supported platforms for the limited live migration type.
+
+.Supported platforms for the limited live migration method
+[cols="1,1", options="header"]
+|===
+| Platform              | Limited Live Migration
+
+| Bare metal hardware (IPI and UPI)             |&#10003;
+| Amazon Web Services (AWS) (IPI and UPI)       |&#10003;
+| Google Cloud Platform (GCP) (IPI and UPI)     |&#10003;
+| {ibm-cloud-name} (IPI and UPI)                |&#10003;
+| Microsoft Azure (IPI and UPI)                 |&#10003;
+| {rh-openstack-first} (IPI and UPI)            |&#10003;
+| VMware vSphere (IPI and UPI)                  |&#10003;
+| AliCloud (IPI and UPI)                        |&#10003;
+| Nutanix (IPI and UPI)                         |&#10003;
+|===
+
+[id="considerations-live-migrating-ovn-kubernetes-network-provider_{context}"]
+== Considerations for limited live migration to the OVN-Kubernetes network plugin
+
+Before using the limited live migration method to the OVN-Kubernetes network plugin, cluster administrators should consider the following information:
+
+* The limited live migration procedure is unsupported for clusters with OpenShift SDN multitenant mode enabled. 
+
+* Egress router pods block the limited live migration process. They must be removed before beginning the limited live migration process.
+
+* During the limited live migration, multicast, egress IP addresses, and egress firewalls are temporarily disabled. They can be migrated from OpenShift SDN to OVN-Kubernetes after the limited live migration process has finished.
+
+* The migration is intended to be a one-way process. However, for users that want to rollback to OpenShift-SDN, migration from OpenShift-SDN to OVN-Kubernetes must have succeeded. Users can follow the same procedure below to migrate to the OpenShift SDN network plugin from the OVN-Kubernetes network plugin.
+
+* The limited live migration is not supported on HyperShift clusters.
+
+* OpenShift SDN does not support IPsec. After the migration, cluster administrators can enable IPsec.
+
+* OpenShift SDN does not support IPv6. After the migration, cluster administrators can enable dual-stack.
+
+* The cluster MTU is the MTU value for pod interfaces. It is always less than your hardware MTU to account for the cluster network overlay overhead. The overhead is 100 bytes for OVN-Kubernetes and 50 bytes for OpenShift SDN.
++
+During the limited live migration, both OVN-Kubernetes and OpenShift SDN run in parallel. OVN-Kubernetes manages the cluster network of some nodes, while OpenShift SDN manages the cluster network of others. To ensure that cross-CNI traffic remains functional, the Cluster Network Operator updates the routable MTU to ensure that both CNIs share the same overlay MTU. As a result, after the migration has completed, the cluster MTU is 50 bytes less.
+
+* Some parameters of OVN-Kubernetes cannot be changed after installation. The following parameters can be set only before starting the limited live migration:
+
+** `InternalTransitSwitchSubnet`
+** `internalJoinSubnet`
+
+* OVN-Kubernetes reserves the `100.64.0.0/16` and `100.88.0.0/16` IP address ranges. If OpenShift SDN has been configured to use either of these IP address ranges, you must patch them to use a different IP address range before starting the limited live migration.
+
+** `100.64.0.0/16`. This IP address range is used for the `internalJoinSubnet` parameter of OVN-Kubernetes by default. If this IP address range is already in use, enter the following command to update it to a different range, for example, `100.63.0.0/16`:
++
+[source,terminal]
+----
+$ oc patch network.operator.openshift.io cluster --type='merge' -p='{"spec":{"defaultNetwork":{"ovnKubernetesConfig":{"ipv4":{"internalJoinSubnet": "100.63.0.0/16"}}}}}'
+----
+** `100.88.0.0/16`. This IP address range is used for the `internalTransSwitchSubnet` parameter of OVN-Kubernetes by default. If this IP address range is already in use, enter the following command to update it to a different range, for example, `100.99.0.0/16`:
++
+[source,terminal]
+----
+$ oc patch network.operator.openshift.io cluster --type='merge' -p='{"spec":{"defaultNetwork":{"ovnKubernetesConfig":{"ipv4":{"internalTransitSwitchSubnet": "100.99.0.0/16"}}}}}'
+----
+
+* In most cases, the limited live migration is independent of the secondary interfaces of pods created by the Multus CNI plugin. However, if these secondary interfaces were set up on the default network interface controller (NIC) of the host, for example, using MACVLAN, IPVLAN, SR-IOV, or bridge interfaces with the default NIC as the control node, OVN-Kubernetes might encounter malfunctions. Users should remove such configurations before proceeding with the limited live migration.
+
+* When there are multiple NICs inside of the host, and the default route is not on the interface that has the Kubernetes NodeIP, you must use the offline migration instead.
+
+* All `DaemonSet` objects in the `openshift-sdn` namespace, which are not managed by the Cluster Network Operator (CNO), must be removed before initiating the limited live migration. These unmanaged daemon sets can cause the migration status to remain incomplete if not properly handled.
\ No newline at end of file
diff --git a/modules/nw-ovn-kubernetes-live-migration.adoc b/modules/nw-ovn-kubernetes-live-migration.adoc
new file mode 100644
index 000000000000..8198b0364850
--- /dev/null
+++ b/modules/nw-ovn-kubernetes-live-migration.adoc
@@ -0,0 +1,113 @@
+// Module included in the following assemblies:
+//
+// * networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn.adoc
+// * networking/openshift_sdn/rollback-to-ovn-kubernetes.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="nw-ovn-kubernetes-live-migration_{context}"]
+= Migrating to the OVN-Kubernetes network plugin by using the limited live migration method
+
+The following procedure checks for egress router resources and uses the limited live migration method to migrate from the OpenShift SDN network plugin to the OVN-Kubernetes network plugin.
+
+.Prerequisites
+
+* A cluster has been configured with the OpenShift SDN CNI network plugin in the network policy isolation mode.
+* You have installed the OpenShift CLI (`oc`).
+* You have access to the cluster as a user with the `cluster-admin` role.
+* You have created a recent backup of the etcd database.
+* The cluster is in a known good state without any errors.
+* Before migration to OVN-Kubernetes, a security group rule must be in place to allow UDP packets on port `6081` for all nodes on all cloud platforms.
+* Cluster administrators must remove any egress router pods before beginning the limited live migration. For more information about egress router pods, see "Deploying an egress router pod in redirect mode".
+* You have reviewed the "Considerations for limited live migration to the OVN-Kubernetes network plugin" section of this document.
+
+.Procedure
+
+. Before initiating the limited live migration, you must check for any egress router pods. If there is an egress router pod on the cluster when performing a limited live migration, the Network Operator blocks the migration and returns the following error: 
++
+[source,text]
+----
+The cluster configuration is invalid (network type live migration is not supported for pods with `pod.network.openshift.io/assign-macvlan` annotation. Please remove all egress router pods). Use `oc edit network.config.openshift.io cluster` to fix.
+----
++
+** Enter the following command to locate egress router pods on your cluster:
++
+[source,terminal]
+----
+$ oc get pods --all-namespaces -o json | jq '.items[] | select(.metadata.annotations."pod.network.openshift.io/assign-macvlan" == "true") | {name: .metadata.name, namespace: .metadata.namespace}'
+----
++
+.Example output
++
+[source,terminal]
+----
+{
+  "name": "egress-multi",
+  "namespace": "egress-router-project"
+}
+----
++
+** Alternatively, you can query metrics on the {product-title} web console or by using the `oc` CLI to check for egress router pods. For more information, see "Checking limited live migration metrics".
+
+. Enter the following command to remove an egress router pod:
++
+[source,terminal]
+----
+$ oc delete pod <egress_pod_name> -n <egress_router_project>
+----
+
+ifdef::openshift-rosa,openshift-dedicated[]
+. Enter the following command to add the `unsupported-red-hat-internal-testing` annotation to the cluster-level network configuration:
++
+[source,terminal]
+----
+$ oc patch Network.config.openshift.io cluster --type='merge' --patch '{"metadata":{"annotations":{"unsupported-red-hat-internal-testing": "true"}}}'
+----
+endif::[]
+
+. Enter the following command to patch the cluster-level networking configuration and initiate the migration from OpenShift SDN to OVN-Kubernetes:
++
+[source,terminal]
+----
+$ oc patch Network.config.openshift.io cluster --type='merge' --patch '{"metadata":{"annotations":{"network.openshift.io/network-type-migration":""}},"spec":{"networkType":"OVNKubernetes"}}'
+----
++
+After running these commands, the migration process begins. During this process, the Machine Config Operator reboots the nodes in your cluster twice. It is expected that the migration takes approximately twice as long as a cluster upgrade.
+
+. Optional: You can enter the following commands to ensure that the migration process has completed, and to check the status of the `network.config`:
++
+[source,terminal]
+----
+$ oc get network.config.openshift.io cluster -o jsonpath='{.status.networkType}'
+----
++
+[source,terminal]
+----
+$ oc get network.config cluster -o=jsonpath='{.status.conditions}' | jq .
+----
++
+You can check limited live migration metrics for troubleshooting issues. For more information, see "Checking limited live migration metrics".
+
+. Complete the following steps only if the migration succeeds and your cluster is in a good state:
+
+.. To remove the migration configuration from the `network.config` custom resource, enter the following command:
++
+[source,terminal]
+----
+$ oc patch Network.operator.openshift.io cluster --type='merge' \
+  --patch '{ "spec": { "migration": null } }'
+----
+
+.. To remove custom configuration for the OpenShift SDN network provider, enter the following command:
++
+[source,terminal]
+----
+$ oc patch Network.operator.openshift.io cluster --type='merge' \
+  --patch '{ "spec": { "defaultNetwork": { "openshiftSDNConfig": null } } }'
+----
+
+.. To remove the OpenShift SDN network provider namespace, enter the following command:
++
+[source,terminal]
+----
+$ oc delete namespace openshift-sdn
+----
\ No newline at end of file
diff --git a/modules/nw-ovn-kubernetes-migration-about.adoc b/modules/nw-ovn-kubernetes-migration-about.adoc
index 5ed4f7adb06b..2dc4773966d8 100644
--- a/modules/nw-ovn-kubernetes-migration-about.adoc
+++ b/modules/nw-ovn-kubernetes-migration-about.adoc
@@ -3,30 +3,45 @@
 // * networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn.adoc
 
 [id="nw-ovn-kubernetes-migration-about_{context}"]
-= Migration to the OVN-Kubernetes network plugin
+= Offline migration to the OVN-Kubernetes network plugin overview
 
-Migrating to the OVN-Kubernetes network plugin is a manual process that includes some downtime during which your cluster is unreachable. Although a rollback procedure is provided, the migration is intended to be a one-way process.
+The offline migration method is a manual process that includes some downtime, during which your cluster is unreachable. This method is primarily used for self-managed {product-title} deployments. 
 
-A migration to the OVN-Kubernetes network plugin is supported on the following platforms:
-
-* Bare metal hardware
-* Amazon Web Services (AWS)
-* Google Cloud Platform (GCP)
-* {ibm-cloud-name}
-* Microsoft Azure
-* {rh-openstack-first}
-* VMware vSphere
-* Nutanix
+Although a rollback procedure is provided, the offline migration is intended to be a one-way process.
 
+////
 [IMPORTANT]
 ====
 Migrating to or from the OVN-Kubernetes network plugin is not supported for managed OpenShift cloud services such as {product-dedicated}, Azure Red Hat OpenShift(ARO), and Red Hat OpenShift Service on AWS (ROSA).
 ====
-
+////
 include::snippets/sdn-deprecation-statement.adoc[]
 
+The following sections provide more information about the offline migration method.
+
+[id="supported-platforms-offline-migrating-ovn-kubernetes"]
+== Supported platforms when using the offline migration method
+
+The following table provides information about the supported platforms for the offline migration type.
+
+.Supported platforms for the offline migration method
+[cols="1,1", options="header"]
+|===
+| Platform              | Offline Migration
+
+| Bare metal hardware (IPI and UPI)            |&#10003;         
+| Amazon Web Services (AWS) (IPI and UPI)      |&#10003;         
+| Google Cloud Platform (GCP) (IPI and UPI)    |&#10003;         
+| {ibm-cloud-name} (IPI and UPI)               |&#10003;         
+| Microsoft Azure (IPI and UPI)                |&#10003;         
+| {rh-openstack-first} (IPI and UPI)           |&#10003;         
+| VMware vSphere (IPI and UPI)                 |&#10003;        
+| AliCloud (IPI and UPI)                       |&#10003;                  
+| Nutanix (IPI and UPI)                        |&#10003;                  
+|===
+
 [id="considerations-migrating-ovn-kubernetes-network-provider_{context}"]
-== Considerations for migrating to the OVN-Kubernetes network plugin
+== Considerations for offline migration to the OVN-Kubernetes network plugin
 
 If you have more than 150 nodes in your {product-title} cluster, then open a support case for consultation on your migration to the OVN-Kubernetes network plugin.
 
@@ -53,7 +68,7 @@ OVN-Kubernetes supports only the network policy isolation mode.
 
 [IMPORTANT]
 ====
-If your cluster uses OpenShift SDN configured in either the multitenant or subnet isolation modes, you cannot migrate to the OVN-Kubernetes network plugin.
+For a cluster using OpenShift SDN that is configured in either the multitenant or subnet isolation mode, you can still migrate to the OVN-Kubernetes network plugin. Note that after the migration operation, multitenant isolation mode is dropped, so you must manually configure network policies to achieve the same level of project-level isolation for pods and services.
 ====
 
 [discrete]
@@ -144,4 +159,4 @@ For more information on using multicast in OVN-Kubernetes, see "Enabling multica
 [id="network-policies_{context}"]
 === Network policies
 
-OVN-Kubernetes fully supports the Kubernetes `NetworkPolicy` API in the `networking.k8s.io/v1` API group. No changes are necessary in your network policies when migrating from OpenShift SDN.
+OVN-Kubernetes fully supports the Kubernetes `NetworkPolicy` API in the `networking.k8s.io/v1` API group. No changes are necessary in your network policies when migrating from OpenShift SDN.
\ No newline at end of file
diff --git a/modules/nw-ovn-kubernetes-migration.adoc b/modules/nw-ovn-kubernetes-migration.adoc
index 7bac28001d1a..027275902f15 100644
--- a/modules/nw-ovn-kubernetes-migration.adoc
+++ b/modules/nw-ovn-kubernetes-migration.adoc
@@ -5,7 +5,7 @@
 
 :_mod-docs-content-type: PROCEDURE
 [id="nw-ovn-kubernetes-migration_{context}"]
-= Migrating to the OVN-Kubernetes network plugin
+= Migrating to the OVN-Kubernetes network plugin by using the offline migration method
 
 As a cluster administrator, you can change the network plugin for your cluster to OVN-Kubernetes.
 During the migration, you must reboot every node in your cluster.
@@ -24,7 +24,7 @@ Perform the migration only when an interruption in service is acceptable.
 * A recent backup of the etcd database is available.
 * A reboot can be triggered manually for each node.
 * The cluster is in a known good state, without any errors.
-* On all cloud platforms after updating software, a security group rule must be in place to allow UDP packets on port `6081` for all nodes.
+* Before migration to OVN-Kubernetes, a security group rule must be in place to allow UDP packets on port `6081` for all nodes on all cloud platforms.
 
 .Procedure
 
diff --git a/modules/nw-ovn-kubernetes-rollback-live.adoc b/modules/nw-ovn-kubernetes-rollback-live.adoc
new file mode 100644
index 000000000000..6b3b05327dd1
--- /dev/null
+++ b/modules/nw-ovn-kubernetes-rollback-live.adoc
@@ -0,0 +1,79 @@
+// Module included in the following assemblies:
+//
+// * networking/ovn_kubernetes_network_provider/rollback-to-openshift-sdn.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="nw-ovn-kubernetes-rollback-live_{context}"]
+= Using the limited live migration method to roll back to the OpenShift SDN network plugin
+
+As a cluster administrator, you can roll back to the OpenShift SDN Container Network Interface (CNI) network plugin by using the limited live migration method. During the migration with this method, nodes are automatically rebooted and service to the cluster is not interrupted.
+
+[IMPORTANT]
+====
+You must wait until the migration process from OpenShift SDN to OVN-Kubernetes network plugin is successful before initiating a rollback.
+====
+
+If a rollback to OpenShift SDN is required, the following table describes the process.
+
+.Performing a rollback to OpenShift SDN
+[cols="1,1a",options="header"]
+|===
+
+|User-initiated steps|Migration activity
+ifdef::openshift-rosa,openshift-dedicated[]
+| Add the `unsupported-red-hat-internal-testing` annotation to the cluster-level network configuration. 
+| The Cluster Network Operator (CNO) acknowledges the unsupported testing environment.
+endif::[]
+
+| Patch the cluster-level networking configuration by changing the `networkType` from `OVNKubernetes` to `OpenShiftSDN`.
+| 
+Cluster Network Operator (CNO):: Performs the following actions:
++
+--
+* Sets migration related fields in the `network.operator` custom resource (CR) and waits for routable MTUs to be applied to all nodes by the Machine Config Operator (MCO).
+* Patches the `network.operator` CR to set the migration mode to `Live` for OpenShiftSDN and deploys the OpenShiftSDN network plugin in migration mode.
+* Deploys OVN-Kubernetes with hybrid overlay enabled.
+* Waits for both CNI plugins to be deployed and updates the conditions in the status of the `network.config` CR.
+* Triggers the MCO to apply the new machine config to each machine config pool, which includes node cordoning, draining, and rebooting.
+* Removes migration-related fields from the `network.operator` CR and performs cleanup actions, such as deleting OpenShift SDN resources and redeploying OVN-Kubernetes in normal mode with the necessary configurations.
+* Waits for the OpenShiftSDN redeployment and updates the status conditions in the `network.config` CR to indicate migration completion. 
+--
+
+|===
+
+.Prerequisites
+
+* The {oc-first} is installed.
+* Access to the cluster as a user with the cluster-admin role is available.
+* The cluster is installed on infrastructure configured with the OVN-Kubernetes network plugin.
+* A recent backup of the etcd database is available.
+* A manual reboot can be triggered for each node.
+* The cluster is in a known good state, without any errors.
+
+.Procedure
+
+. To initiate the rollback to OpenShift SDN, enter the following command:
++
+[source,terminal]
+----
+$ oc patch Network.config.openshift.io cluster --type='merge' --patch '{"metadata":{"annotations":{"network.openshift.io/network-type-migration":""}},"spec":{"networkType":"OpenShiftSDN"}}'
+----
+
+. To watch the progress of your migration, enter the following command:
++
+[source,terminal]
+----
+$ watch -n1 'oc get network.config/cluster -o json | jq ".status.conditions[]|\"\\(.type) \\(.status) \\(.reason) \\(.message)\""  -r | column --table --table-columns NAME,STATUS,REASON,MESSAGE --table-columns-limit 4; echo; oc get mcp -o wide; echo; oc get node -o "custom-columns=NAME:metadata.name,STATE:metadata.annotations.machineconfiguration\\.openshift\\.io/state,DESIRED:metadata.annotations.machineconfiguration\\.openshift\\.io/desiredConfig,CURRENT:metadata.annotations.machineconfiguration\\.openshift\\.io/currentConfig,REASON:metadata.annotations.machineconfiguration\\.openshift\\.io/reason"'
+----
++
+The command prints the following information every second:
++
+* The conditions on the status of the `network.config.openshift.io/cluster` object, reporting the progress of the migration.
+* The status of different nodes with respect to the `machine-config-operator` resource, including whether they are upgrading or have been upgraded, as well as their current and desired configurations.
+
+. After the rollback procedure has completed, enter the following command to remove the `network.openshift.io/network-type-migration=` annotation from the `network.config` custom resource:
++
+[source,terminal]
+----
+$ oc annotate network.config cluster network.openshift.io/network-type-migration-
+----
\ No newline at end of file
diff --git a/modules/nw-ovn-kubernetes-rollback.adoc b/modules/nw-ovn-kubernetes-rollback.adoc
index f6d8a71f33ed..1ce448662b82 100644
--- a/modules/nw-ovn-kubernetes-rollback.adoc
+++ b/modules/nw-ovn-kubernetes-rollback.adoc
@@ -6,25 +6,60 @@
 // This procedure applies to both a roll back and a migration
 :_mod-docs-content-type: PROCEDURE
 [id="nw-ovn-kubernetes-rollback_{context}"]
-= Migrating to the OpenShift SDN network plugin
+= Using the offline migration method to roll back to the OpenShift SDN network plugin
 
-As a cluster administrator, you can migrate to the OpenShift SDN Container Network Interface (CNI) network plugin.
-During the migration you must reboot every node in your cluster.
+As a cluster administrator, you can roll back to the OpenShift SDN Container Network Interface (CNI) network plugin by using the offline migration method. During the migration you must manually reboot every node in your cluster. With the offline migration method, there is some downtime, during which your cluster is unreachable. 
 
-ifeval::["{context}" == "rollback-to-openshift-sdn"]
 [IMPORTANT]
 ====
-Rollback to OpenShift SDN if the migration to OVN-Kubernetes fails.
+You must wait until the migration process from OpenShift SDN to OVN-Kubernetes network plugin is successful before initiating a rollback.
 ====
-endif::[]
+
+If a rollback to OpenShift SDN is required, the following table describes the process.
+
+.Performing a rollback to OpenShift SDN
+[cols="1,1a",options="header"]
+|===
+
+|User-initiated steps|Migration activity
+
+|Suspend the MCO to ensure that it does not interrupt the migration.
+|The MCO stops.
+
+|
+Set the `migration` field of the `Network.operator.openshift.io` custom resource (CR) named `cluster` to `OpenShiftSDN`. Make sure the `migration` field is `null` before setting it to a value.
+|
+CNO:: Updates the status of the `Network.config.openshift.io` CR named `cluster` accordingly.
+
+|Update the `networkType` field.
+|
+CNO:: Performs the following actions:
++
+--
+* Destroys the OVN-Kubernetes control plane pods.
+* Deploys the OpenShift SDN control plane pods.
+* Updates the Multus objects to reflect the new network plugin.
+--
+
+|
+Reboot each node in the cluster.
+|
+Cluster:: As nodes reboot, the cluster assigns IP addresses to pods on the OpenShift-SDN network.
+
+|
+Enable the MCO after all nodes in the cluster reboot.
+|
+MCO:: Rolls out an update to the systemd configuration necessary for OpenShift SDN; the MCO updates a single machine per pool at a time by default, so the total time the migration takes increases with the size of the cluster.
+
+|===
 
 .Prerequisites
 
-* Install the OpenShift CLI (`oc`).
-* Access to the cluster as a user with the `cluster-admin` role.
-* A cluster installed on infrastructure configured with the OVN-Kubernetes network plugin.
+* The {oc-first} is installed.
+* Access to the cluster as a user with the cluster-admin role is available.
+* The cluster is installed on infrastructure configured with the OVN-Kubernetes network plugin.
 * A recent backup of the etcd database is available.
-* A reboot can be triggered manually for each node.
+* A manual reboot can be triggered for each node.
 * The cluster is in a known good state, without any errors.
 
 .Procedure
diff --git a/modules/nw-ovn-kubernetes-running-network-tools.adoc b/modules/nw-ovn-kubernetes-running-network-tools.adoc
index feb93561ef41..81149e203b88 100644
--- a/modules/nw-ovn-kubernetes-running-network-tools.adoc
+++ b/modules/nw-ovn-kubernetes-running-network-tools.adoc
@@ -16,13 +16,6 @@ Get information about the logical switches and routers by running `network-tools
 
 .Procedure
 
-. Open a remote shell into a pod by running the following command:
-+
-[source,terminal]
-----
-$ oc rsh -n openshift-ovn-kubernetes ovnkube-node-2hsbt
-----
-
 . List the routers by running the following command:
 +
 [source,terminal]
diff --git a/modules/nw-own-ipsec-modes.adoc b/modules/nw-own-ipsec-modes.adoc
index 3ed7639a25b8..c6df6afa377b 100644
--- a/modules/nw-own-ipsec-modes.adoc
+++ b/modules/nw-own-ipsec-modes.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/openshift_network_security/configuring-ipsec-ovn.adoc
+// * networking/network_security/configuring-ipsec-ovn.adoc
 
 :_mod-docs-content-type: CONCEPT
 [id="nw-ovn-ipsec-modes_{context}"]
diff --git a/modules/nw-own-ipsec-required-ports.adoc b/modules/nw-own-ipsec-required-ports.adoc
index af426fbca08f..8ee8f102ad0f 100644
--- a/modules/nw-own-ipsec-required-ports.adoc
+++ b/modules/nw-own-ipsec-required-ports.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * networking/openshift_network_security/configuring-ipsec-ovn.adoc
+// * networking/network_security/configuring-ipsec-ovn.adoc
 
 :_mod-docs-content-type: CONCEPT
 [id="network-connectivity-requirements-ipsec_{context}"]
diff --git a/modules/nw-pod-network-connectivity-configuration.adoc b/modules/nw-pod-network-connectivity-configuration.adoc
new file mode 100644
index 000000000000..3e02c669801b
--- /dev/null
+++ b/modules/nw-pod-network-connectivity-configuration.adoc
@@ -0,0 +1,47 @@
+// Module included in the following assemblies:
+//
+// * networking/verifying-connectivity-endpoint.adoc
+
+[id="nw-pod-network-connectivity-configuration_{context}"]
+= Configuring pod connectivity check placement
+
+As a cluster administrator, you can configure which nodes the connectivity check pods run by modifying the `network.config.openshift.io` object named `cluster`.
+
+.Prerequisites
+
+* Install the {oc-first}.
+
+.Procedure
+
+. To edit the connectivity check configuration, enter the following command:
++
+[source,terminal]
+----
+$ oc edit network.config.openshift.io cluster
+----
+
+. In the text editor, update the `networkDiagnostics` stanza to specify the node selectors that you want for the source and target pods.
+
+. To commit your changes, save your changes and exit the text editor.
+
+.Verification
+
+To verify that the source and target pods are running on the intended nodes, enter the following command:
+
+[source,terminal]
+----
+$ oc get pods -n openshift-network-diagnostics -o wide
+----
+
+.Example output
+[source,text]
+----
+NAME                                    READY   STATUS    RESTARTS   AGE     IP           NODE                                        NOMINATED NODE   READINESS GATES
+network-check-source-84c69dbd6b-p8f7n   1/1     Running   0          9h      10.131.0.8   ip-10-0-40-197.us-east-2.compute.internal   <none>           <none>
+network-check-target-46pct              1/1     Running   0          9h      10.131.0.6   ip-10-0-40-197.us-east-2.compute.internal   <none>           <none>
+network-check-target-8kwgf              1/1     Running   0          9h      10.128.2.4   ip-10-0-95-74.us-east-2.compute.internal    <none>           <none>
+network-check-target-jc6n7              1/1     Running   0          9h      10.129.2.4   ip-10-0-21-151.us-east-2.compute.internal   <none>           <none>
+network-check-target-lvwnn              1/1     Running   0          9h      10.128.0.7   ip-10-0-17-129.us-east-2.compute.internal   <none>           <none>
+network-check-target-nslvj              1/1     Running   0          9h      10.130.0.7   ip-10-0-89-148.us-east-2.compute.internal   <none>           <none>
+network-check-target-z2sfx              1/1     Running   0          9h      10.129.0.4   ip-10-0-60-253.us-east-2.compute.internal   <none>           <none>
+----
diff --git a/modules/nw-pod-network-connectivity-implementation.adoc b/modules/nw-pod-network-connectivity-implementation.adoc
index 66c86af6a9d3..3114e356ce3b 100644
--- a/modules/nw-pod-network-connectivity-implementation.adoc
+++ b/modules/nw-pod-network-connectivity-implementation.adoc
@@ -12,3 +12,28 @@ The Cluster Network Operator (CNO) deploys several resources to the cluster to s
 Health check source:: This program deploys in a single pod replica set managed by a `Deployment` object. The program consumes `PodNetworkConnectivity` objects and connects to the `spec.targetEndpoint` specified in each object.
 
 Health check target:: A pod deployed as part of a daemon set on every node in the cluster. The pod listens for inbound health checks. The presence of this pod on every node allows for the testing of connectivity to each node.
+
+You can configure the nodes which network connectivity sources and targets run on with a node selector. Additionally, you can specify permissible _tolerations_ for source and target pods. The configuration is defined in the singleton `cluster` custom resource of the `Network` API in the `config.openshift.io/v1` API group.
+
+Pod scheduling occurs after you have updated the configuration. Therefore, you must apply node labels that you intend to use in your selectors before updating the configuration. Labels applied after updating your network connectivity check pod placement are ignored.
+
+Refer to the default configuration in the following YAML:
+
+.Default configuration for connectivity source and target pods
+[source,yaml]
+----
+apiVersion: config.openshift.io/v1
+kind: Network
+metadata:
+  name: cluster
+spec:
+  # ...
+    networkDiagnostics: <1>
+      mode: "" <2>
+      sourcePlacement: {} <3>
+      targetPlacement: {} <4>
+----
+<1> Specifies the network diagnostics configuration. If a value is not specified or an empty object is specified, and `spec.disableNetworkDiagnostics=true` is set in the `network.operator.openshift.io` custom resource named `cluster`, network diagnostics are disabled. If set, this value overrides `spec.disableNetworkDiagnostics=true`.
+<2> Specifies the diagnostics mode. The value can be the empty string, `All`, or `Disabled`. The empty string is equivalent to specifying `All`.
+<3> Optional: Specifies a selector for connectivity check source pods.
+<4> Optional: Specifies a selector for connectivity check target pods.
diff --git a/modules/nw-pod-network-connectivity-verify.adoc b/modules/nw-pod-network-connectivity-verify.adoc
index ed47b4432cf4..8a85a15ecbea 100644
--- a/modules/nw-pod-network-connectivity-verify.adoc
+++ b/modules/nw-pod-network-connectivity-verify.adoc
@@ -6,7 +6,7 @@
 [id="nw-pod-network-connectivity-verify_{context}"]
 = Verifying network connectivity for an endpoint
 
-As a cluster administrator, you can verify the connectivity of an endpoint, such as an API server, load balancer, service, or pod.
+As a cluster administrator, you can verify the connectivity of an endpoint, such as an API server, load balancer, service, or pod, and verify that network diagnostics is enabled.
 
 .Prerequisites
 
@@ -15,6 +15,27 @@ As a cluster administrator, you can verify the connectivity of an endpoint, such
 
 .Procedure
 
+. To confirm that network diagnostics are enabled, enter the following command:
++
+[source,terminal]
+----
+$ oc get network.config.openshift.io cluster -o yaml
+----
++
+.Example output
+[source,text]
+----
+  # ...
+  status:
+  # ...
+    conditions:
+    - lastTransitionTime: "2024-05-27T08:28:39Z"
+      message: ""
+      reason: AsExpected
+      status: "True"
+      type: NetworkDiagnosticsAvailable
+----
+
 . To list the current `PodNetworkConnectivityCheck` objects, enter the following command:
 +
 [source,terminal]
diff --git a/modules/nw-ptp-e810-hardware-configuration-reference.adoc b/modules/nw-ptp-e810-hardware-configuration-reference.adoc
index 7a46319ef59c..8e86bfcefcd3 100644
--- a/modules/nw-ptp-e810-hardware-configuration-reference.adoc
+++ b/modules/nw-ptp-e810-hardware-configuration-reference.adoc
@@ -6,7 +6,7 @@
 [id="nw-ptp-wpc-hardware-pins-reference_{context}"]
 = Intel Westport Channel E810 hardware configuration reference
 
-Use this information to understand how to use the link:https://github.com/openshift/linuxptp-daemon/blob/release-4.15/addons/intel/e810.go[Intel E810-XXVDA4T hardware plugin] to configure the E810 network interface as PTP grandmaster clock.
+Use this information to understand how to use the link:https://github.com/openshift/linuxptp-daemon/blob/release-4.16/addons/intel/e810.go[Intel E810-XXVDA4T hardware plugin] to configure the E810 network interface as PTP grandmaster clock.
 Hardware pin configuration determines how the network interface interacts with other components and devices in the system.
 The E810-XXVDA4T NIC has four connectors for external 1PPS signals: `SMA1`, `SMA2`, `U.FL1`, and `U.FL2`.
 
diff --git a/modules/nw-sriov-about-qinq.adoc b/modules/nw-sriov-about-qinq.adoc
index 59fe851ec092..af94f031f68a 100644
--- a/modules/nw-sriov-about-qinq.adoc
+++ b/modules/nw-sriov-about-qinq.adoc
@@ -11,7 +11,13 @@ In traditional VLAN setups, frames typically contain a single VLAN tag, such as
 
 QinQ facilitates the creation of nested VLANs by using double VLAN tagging, enabling finer segmentation and isolation of traffic within a network environment. This approach is particularly valuable in service provider networks where you need to deliver VLAN-based services to multiple customers over a common infrastructure, while ensuring separation and isolation of traffic.
 
-When two VLAN tags are present in a packet, the outer VLAN tag can be either 802.1Q or 802.1ad. The inner VLAN tag must always be 802.1Q.
+The following diagram illustrates how {product-title} can use SR-IOV and QinQ to achieve advanced network segmentation and isolation for containerized workloads.
+
+The diagram shows how double VLAN tagging (QinQ) works in a worker node with SR-IOV support. The SR-IOV virtual function (VF) located in the pod namespace, `ext0` is configured by the SR-IOV Container Network Interface (CNI) with a VLAN ID and VLAN protocol. This corresponds to the S-tag. Inside the pod, the VLAN CNI creates a subinterface using the primary interface `ext0`. This subinterface adds an internal VLAN ID using the 802.1Q protocol, which corresponds to the C-tag.
+
+This demonstrates how QinQ enables finer traffic segmentation and isolation within the network. The Ethernet frame structure is detailed on the right, highlighting the inclusion of both VLAN tags, EtherType, IP, TCP, and Payload sections. QinQ facilitates the delivery of VLAN-based services to multiple customers over a shared infrastructure while ensuring traffic separation and isolation.
+
+image::693_OpenShift_QinQ_SR-IOV_CNI_0624.png[alt="Diagram showing QinQ (double VLAN tagging)"]
 
 The {product-title} SR-IOV solution already supports setting the VLAN protocol on the `SriovNetwork` custom resource (CR). The virtual function (VF) can use this protocol to set the VLAN tag, also known as the outer tag. Pods can then use the VLAN CNI plugin to configure the inner tag.
 
diff --git a/modules/nw-sriov-configuring-operator.adoc b/modules/nw-sriov-configuring-operator.adoc
index de673af9da40..7642656932e5 100644
--- a/modules/nw-sriov-configuring-operator.adoc
+++ b/modules/nw-sriov-configuring-operator.adoc
@@ -6,21 +6,35 @@
 [id="nw-sriov-configuring-operator_{context}"]
 = Configuring the SR-IOV Network Operator
 
-[IMPORTANT]
+* Create a `SriovOperatorConfig` custom resource (CR) to deploy all the SR-IOV Operator components:
+
+.. Create a file named `sriovOperatorConfig.yaml` using the following YAML:
++
+[source,yaml]
+----
+apiVersion: sriovnetwork.openshift.io/v1
+kind: SriovOperatorConfig
+metadata:
+  name: default 
+  namespace: openshift-sriov-network-operator 
+spec:
+  disableDrain: false
+  enableInjector: true
+  enableOperatorWebhook: true
+  logLevel: 2
+----
++
+[NOTE]
 ====
-Modifying the SR-IOV Network Operator configuration is not normally necessary.
-The default configuration is recommended for most use cases.
-Complete the steps to modify the relevant configuration only if the default behavior of the Operator is not compatible with your use case.
+The only valid name for the `SriovOperatorConfig` resource is `default` and it must be in the namespace where the Operator is deployed. 
 ====
 
-The SR-IOV Network Operator adds the `SriovOperatorConfig.sriovnetwork.openshift.io` CustomResourceDefinition resource.
-The Operator automatically creates a SriovOperatorConfig custom resource (CR) named `default` in the `openshift-sriov-network-operator` namespace.
-
-[NOTE]
-=====
-The `default` CR contains the SR-IOV Network Operator configuration for your cluster.
-To change the Operator configuration, you must modify this CR.
-=====
+.. Create the resource by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f sriovOperatorConfig.yaml
+----
 
 [id="nw-sriov-operator-cr_{context}"]
 == SR-IOV Network Operator config custom resource
@@ -284,13 +298,11 @@ After performing the following procedure to disable draining workloads, you must
 
 .Procedure
 
-- To set the `disableDrain` field to `true`, enter the following command:
+- To set the `disableDrain` field to `true` and the `configDaemonNodeSelector` field to `node-role.kubernetes.io/master: ""` , enter the following command:
 +
 [source,terminal]
 ----
-$ oc patch sriovoperatorconfig default --type=merge \
-  -n openshift-sriov-network-operator \
-  --patch '{ "spec": { "disableDrain": true } }'
+$ oc patch sriovoperatorconfig default --type=merge -n openshift-sriov-network-operator --patch '{ "spec": { "disableDrain": true, "configDaemonNodeSelector": { "node-role.kubernetes.io/master": "" } } }'
 ----
 +
 [TIP]
@@ -306,5 +318,7 @@ metadata:
   namespace: openshift-sriov-network-operator
 spec:
   disableDrain: true
+  configDaemonNodeSelector:
+   node-role.kubernetes.io/master: ""
 ----
 ====
diff --git a/modules/nw-throughput-troubleshoot.adoc b/modules/nw-throughput-troubleshoot.adoc
index 6059d43c3cde..b35cf6153a4c 100644
--- a/modules/nw-throughput-troubleshoot.adoc
+++ b/modules/nw-throughput-troubleshoot.adoc
@@ -1,6 +1,7 @@
 // Module filename: nw-throughput-troubleshoot.adoc
 // Module included in the following assemblies:
 // * networking/routes/route-configuration.adoc
+// * microshift_networking/microshift-configuring-routes.adoc
 
 :_mod-docs-content-type: CONCEPT
 [id="nw-throughput-troubleshoot_{context}"]
@@ -33,7 +34,8 @@ $ tcpdump -s 0 -i any -w /tmp/dump.pcap port 4789
 ifdef::openshift-enterprise,openshift-webscale[]
 ** For information on installing and using `iperf`, see this link:https://access.redhat.com/solutions/33103[Red Hat Solution].
 endif::openshift-enterprise,openshift-webscale[]
-
-* In some cases, the cluster may mark the node with the router pod as unhealthy due to latency issues. Use worker latency profiles to adjust the frequency that the cluster waits for a status update from the node before taking action.
+ifndef::microshift[]
+* In some cases, the cluster might mark the node with the router pod as unhealthy due to latency issues. Use worker latency profiles to adjust the frequency that the cluster waits for a status update from the node before taking action.
 
 * If your cluster has designated lower-latency and higher-latency nodes, configure the `spec.nodePlacement` field in the Ingress Controller to control the placement of the router pod.
+endif::microshift[]
diff --git a/modules/nw-using-cookies-keep-route-statefulness.adoc b/modules/nw-using-cookies-keep-route-statefulness.adoc
index 62cbafdd8884..4ab28bd51f15 100644
--- a/modules/nw-using-cookies-keep-route-statefulness.adoc
+++ b/modules/nw-using-cookies-keep-route-statefulness.adoc
@@ -5,20 +5,14 @@
 // Module included in the following assemblies:
 //
 // * networking/configuring-routing.adoc
+// * microshift_networking/microshift-configuring-routes.adoc
+
 [id="nw-using-cookies-keep-route-statefulness_{context}"]
 = Using cookies to keep route statefulness
 
-{product-title} provides sticky sessions, which enables stateful application
-traffic by ensuring all traffic hits the same endpoint. However, if the endpoint
-pod terminates, whether through restart, scaling, or a change in configuration,
-this statefulness can disappear.
+{product-title} provides sticky sessions, which enables stateful application traffic by ensuring all traffic hits the same endpoint. However, if the endpoint pod terminates, whether through restart, scaling, or a change in configuration, this statefulness can disappear.
 
-{product-title} can use cookies to configure session persistence. The Ingress
-controller selects an endpoint to handle any user requests, and creates a cookie
-for the session. The cookie is passed back in the response to the request and
-the user sends the cookie back with the next request in the session. The cookie
-tells the Ingress Controller which endpoint is handling the session, ensuring
-that client requests use the cookie so that they are routed to the same pod.
+{product-title} can use cookies to configure session persistence. The ingress controller selects an endpoint to handle any user requests, and creates a cookie for the session. The cookie is passed back in the response to the request and the user sends the cookie back with the next request in the session. The cookie tells the ingress controller which endpoint is handling the session, ensuring that client requests use the cookie so that they are routed to the same pod.
 
 [NOTE]
 ====
diff --git a/modules/oadp-gcp-wif-cloud-authentication.adoc b/modules/oadp-gcp-wif-cloud-authentication.adoc
index a3061fdfaa2e..dcdbb35e7159 100644
--- a/modules/oadp-gcp-wif-cloud-authentication.adoc
+++ b/modules/oadp-gcp-wif-cloud-authentication.adoc
@@ -25,7 +25,7 @@ If you do not use Google workload identity federation cloud authentication, cont
 
 .Prerequisites
 
-* You have installed a cluster in manual mode with link:https://docs.openshift.com/container-platform/4.15/installing/installing_gcp/installing-gcp-customizations.html#installing-gcp-with-short-term-creds_installing-gcp-customizations[GCP Workload Identity configured].
+* You have installed a cluster in manual mode with link:https://docs.openshift.com/container-platform/4.16/installing/installing_gcp/installing-gcp-customizations.html#installing-gcp-with-short-term-creds_installing-gcp-customizations[GCP Workload Identity configured].
 * You have access to the Cloud Credential Operator utility (`ccoctl`) and to the associated workload identity pool.
 
 .Procedure
diff --git a/modules/oadp-installing-dpa-1-2-and-earlier.adoc b/modules/oadp-installing-dpa-1-2-and-earlier.adoc
index 3cabd4c09d39..41b27f0c3742 100644
--- a/modules/oadp-installing-dpa-1-2-and-earlier.adoc
+++ b/modules/oadp-installing-dpa-1-2-and-earlier.adoc
@@ -18,7 +18,7 @@ You install the Data Protection Application (DPA) by creating an instance of the
 * You must configure object storage as a backup location.
 * If you use snapshots to back up PVs, your cloud provider must support either a native snapshot API or Container Storage Interface (CSI) snapshots.
 * If the backup and snapshot locations use the same credentials, you must create a `Secret` with the default name, `{credentials}`.
-ifdef::installing-oadp-azure,installing-oadp-gcp,installing-oadp-mcg,installing-oadp-ocs,virt-installing-configuring-oadp[]
+ifdef::installing-oadp-azure,installing-oadp-gcp,installing-oadp-mcg,installing-oadp-ocs[]
 * If the backup and snapshot locations use different credentials, you must create two `Secrets`:
 
 ** `Secret` with a custom name for the backup location. You add this `Secret` to the `DataProtectionApplication` CR.
@@ -299,51 +299,6 @@ spec:
 <10> Specify a bucket as the backup storage location. If the bucket is not a dedicated bucket for Velero backups, you must specify a prefix.
 <11> Specify a prefix for Velero backups, for example, `velero`, if the bucket is used for multiple purposes.
 endif::[]
-ifdef::virt-installing-configuring-oadp[]
-+
-[source,yaml,subs="attributes+"]
-----
-apiVersion: oadp.openshift.io/v1alpha1
-kind: DataProtectionApplication
-metadata:
-  name: <dpa_sample>
-  namespace: openshift-adp
-spec:
-  configuration:
-    velero:
-      defaultPlugins:
-        - kubevirt <1>
-        - gcp <2>
-        - csi <3>
-        - openshift <4>
-      resourceTimeout: 10m <5>
-    restic:
-      enable: true <6>
-      podConfig:
-        nodeSelector: <node_selector> <7>
-  backupLocations:
-    - velero:
-        provider: {provider} <8>
-        default: true
-        credential:
-          key: cloud
-          name: <default_secret> <9>
-        objectStorage:
-          bucket: <bucket_name> <10>
-          prefix: <prefix> <11>
-----
-<1> The `kubevirt` plugin is mandatory for {VirtProductName}.
-<2> Specify the plugin for the backup provider, for example, `gcp`, if it exists.
-<3> The `csi` plugin is mandatory for backing up PVs with CSI snapshots. The `csi` plugin uses the link:https://{velero-domain}/docs/main/csi/[Velero CSI beta snapshot APIs]. You do not need to configure a snapshot location.
-<4> The `openshift` plugin is mandatory.
-<5> Specify how many minutes to wait for several Velero resources before timeout occurs, such as Velero CRD availability, volumeSnapshot deletion, and backup repository availability. The default is 10m.
-<6> Set this value to `false` if you want to disable the Restic installation. Restic deploys a daemon set, which means that Restic pods run on each working node. In OADP version 1.2 and later, you can configure Restic for backups by adding `spec.defaultVolumesToFsBackup: true` to the `Backup` CR. In OADP version 1.1, add `spec.defaultVolumesToRestic: true` to the `Backup` CR.
-<7> Specify on which nodes Restic is available. By default, Restic runs on all nodes.
-<8> Specify the backup provider.
-<9> Specify the correct default name for the `Secret`, for example, `cloud-credentials-gcp`, if you use a default plugin for the backup provider. If specifying a custom name, then the custom name is used for the backup location. If you do not specify a `Secret` name, the default name is used.
-<10> Specify a bucket as the backup storage location. If the bucket is not a dedicated bucket for Velero backups, you must specify a prefix.
-<11> Specify a prefix for Velero backups, for example, `velero`, if the bucket is used for multiple purposes.
-endif::[]
 
 . Click *Create*.
 
diff --git a/modules/oadp-installing-dpa-1-3.adoc b/modules/oadp-installing-dpa-1-3.adoc
index 49f5d87f4220..4ef829853d29 100644
--- a/modules/oadp-installing-dpa-1-3.adoc
+++ b/modules/oadp-installing-dpa-1-3.adoc
@@ -6,6 +6,7 @@
 // * backup_and_restore/application_backup_and_restore/installing/installing-oadp-mcg.adoc
 // * backup_and_restore/application_backup_and_restore/installing/installing-oadp-ocs.adoc
 // * backup_and_restore/application_backup_and_restore/installing/installing-oadp-kubevirt.adoc
+// * virt/backup_restore/virt-backup-restore-overview.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="oadp-installing-dpa-1-3_{context}"]
@@ -19,7 +20,7 @@ You install the Data Protection Application (DPA) by creating an instance of the
 * You must configure object storage as a backup location.
 * If you use snapshots to back up PVs, your cloud provider must support either a native snapshot API or Container Storage Interface (CSI) snapshots.
 * If the backup and snapshot locations use the same credentials, you must create a `Secret` with the default name, `{credentials}`.
-ifdef::installing-oadp-azure,installing-oadp-gcp,installing-oadp-mcg,installing-oadp-ocs,virt-installing-configuring-oadp[]
+ifdef::installing-oadp-azure,installing-oadp-gcp,installing-oadp-mcg,installing-oadp-ocs[]
 * If the backup and snapshot locations use different credentials, you must create two `Secrets`:
 
 ** `Secret` with a custom name for the backup location. You add this `Secret` to the `DataProtectionApplication` CR.
@@ -321,7 +322,7 @@ spec:
 <14> Specify a prefix for Velero backups, for example, `velero`, if the bucket is used for multiple purposes.
 endif::[]
 
-ifdef::installing-oadp-kubevirt,virt-installing-configuring-oadp[]
+ifdef::virt-backup-restore-overview,installing-oadp-kubevirt[]
 +
 [source,yaml,subs="attributes+"]
 ----
diff --git a/modules/oadp-release-notes-1-2-5.adoc b/modules/oadp-release-notes-1-2-5.adoc
new file mode 100644
index 000000000000..c93974eea649
--- /dev/null
+++ b/modules/oadp-release-notes-1-2-5.adoc
@@ -0,0 +1,47 @@
+// Module included in the following assemblies:
+//
+// * backup_and_restore/oadp-release-notes-1-2.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="migration-oadp-release-notes-1-2-5_{context}"]
+= OADP 1.2.5 release notes
+
+{oadp-first} 1.2.5 is a Container Grade Only (CGO) release, released to refresh the health grades of the containers, with no changes to any code in the product itself compared to that of {oadp-short} 1.2.4.
+
+[id="resolved-issues-1-2-5_{context}"]
+== Resolved issues
+
+// There are no resolved issues in {oadp-short} 1.2.5.
+
+.CVE-2023-2431: `oadp-velero-plugin-for-microsoft-azure-container`: Bypass of seccomp profile enforcement
+
+A flaw was found in Kubernetes, which impacts earlier versions of {oadp-short}. This flaw arises when Kubernetes allows a local authenticated attacker to bypass security restrictions, caused by a flaw when using the localhost type for a `seccomp` profile but specifying an empty profile field. An attacker can bypass the `seccomp` profile enforcement by sending a specially crafted request. This flaw has been resolved in {oadp-short} 1.2.5.
+
+For more details, see link:https://access.redhat.com/security/cve/CVE-2023-2431[(CVE-2023-2431)].
+
+.CSI restore ended with 'PartiallyFailed' status and PVCs not created
+
+CSI restore ended with `PartiallyFailed` status. PVCs are not created, pod are in `Pending` status. This issue has been resolved in {oadp-short} 1.2.5.
+
+link:https://issues.redhat.com/browse/OADP-1956[(OADP-1956)]
+
+.PodVolumeBackup fails on completed pod volumes
+
+In earlier versions of {oadp-short} 1.2, when there is a completed pod that mounted volumes in a namespace used by the Restic `podvolumebackup` or Velero backup, the backup does not complete successfully. This occurs when `defaultVolumesToFsBackup` is set to `true`. This issue has been resolved in {oadp-short} 1.2.5.
+
+link:https://issues.redhat.com/browse/OADP-1870[(OADP-1870)]
+
+
+[id="known-issues-1-2-5_{context}"]
+== Known issues
+
+// The {oadp-short} 1.2.5 has the following known issue:
+
+.Data Protection Application (DPA) does not reconcile when the credentials secret is updated
+
+Currently, the {oadp-short} Operator does not reconcile when you update the `cloud-credentials` secret. This occurs because there are no {oadp-short} specific labels or owner references on the `cloud-credentials` secret. If you create a `cloud-credentials` secret with incorrect credentials, such as empty data, the Operator reconciles and creates a backup storage location (BSL) and registry deployment with the empty data. As a result, when you update the `cloud-credentials` secret with the correct credentials, the {oadp-short} Operator does not immediately reconcile to catch the new credentials.
+
+Workaround: Update to {oadp-short} 1.3.
+
+link:https://issues.redhat.com/browse/OADP-3327[(OADP-3327)]
+
diff --git a/modules/oadp-release-notes-1-3-2.adoc b/modules/oadp-release-notes-1-3-2.adoc
new file mode 100644
index 000000000000..471c43769d17
--- /dev/null
+++ b/modules/oadp-release-notes-1-3-2.adoc
@@ -0,0 +1,64 @@
+// Module included in the following assemblies:
+//
+// * backup_and_restore/oadp-release-notes-1-3.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="oadp-release-notes-1-3-2_{context}"]
+= {oadp-short} 1.3.2 release notes
+
+The {oadp-first} 1.3.2 release notes list resolved issues and known issues.
+
+//[id="new-features-1-3-2_{context}"]
+//== New features
+
+
+[id="resolved-issues-1-3-2_{context}"]
+== Resolved issues
+
+.DPA fails to reconcile if a valid custom secret is used for BSL
+
+DPA fails to reconcile if a valid custom secret is used for Backup Storage Location (BSL), but the default secret is missing. The workaround is to create the required default `cloud-credentials` initially. When the custom secret is re-created, it can be used and checked for its existence. 
+
+link:https://issues.redhat.com/browse/OADP-3193[OADP-3193]
+
+.CVE-2023-45290: `oadp-velero-container`: Golang `net/http`: Memory exhaustion in `Request.ParseMultipartForm`
+
+A flaw was found in the `net/http` Golang standard library package, which impacts previous versions of {oadp-short}. When parsing a `multipart` form, either explicitly with `Request.ParseMultipartForm` or implicitly with `Request.FormValue`, `Request.PostFormValue`, or `Request.FormFile`, limits on the total size of the parsed form are not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing long lines to cause the allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. This flaw has been resolved in {oadp-short} 1.3.2.
+
+For more details, see link:https://access.redhat.com/security/cve/cve-2023-45290[CVE-2023-45290].
+
+.CVE-2023-45289: `oadp-velero-container`: Golang `net/http/cookiejar`: Incorrect forwarding of sensitive headers and cookies on HTTP redirect
+
+A flaw was found in the `net/http/cookiejar` Golang standard library package, which impacts previous versions of {oadp-short}. When following an HTTP redirect to a domain that is not a subdomain match or exact match of the initial domain, an `http.Client` does not forward sensitive headers such as `Authorization` or `Cookie`. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded. This flaw has been resolved in {oadp-short} 1.3.2.
+
+For more details, see link:https://access.redhat.com/security/cve/cve-2023-45289[CVE-2023-45289].
+
+.CVE-2024-24783: `oadp-velero-container`: Golang `crypto/x509`: Verify panics on certificates with an unknown public key algorithm
+
+A flaw was found in the `crypto/x509` Golang standard library package, which impacts previous versions of {oadp-short}. Verifying a certificate chain that contains a certificate with an unknown public key algorithm causes `Certificate.Verify` to panic. This affects all `crypto/tls` clients and servers that set `Config.ClientAuth` to `VerifyClientCertIfGiven` or `RequireAndVerifyClientCert`. The default behavior is for TLS servers to not verify client certificates. This flaw has been resolved in {oadp-short} 1.3.2.
+
+For more details, see link:https://access.redhat.com/security/cve/cve-2024-24783[CVE-2024-24783].
+
+.CVE-2024-24784: `oadp-velero-plugin-container`: Golang `net/mail`: Comments in display names are incorrectly handled
+
+A flaw was found in the `net/mail` Golang standard library package, which impacts previous versions of {oadp-short}. The `ParseAddressList` function incorrectly handles comments, text in parentheses, and display names. Because this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers. This flaw has been resolved in {oadp-short} 1.3.2.
+
+For more details, see link:https://access.redhat.com/security/cve/cve-2024-24784[CVE-2024-24784].
+
+.CVE-2024-24785: `oadp-velero-container`: Golang: html/template: errors returned from `MarshalJSON` methods may break template escaping
+
+A flaw was found in the `html/template` Golang standard library package, which impacts previous versions of {oadp-short}. If errors returned from `MarshalJSON` methods contain user-controlled data, they may be used to break the contextual auto-escaping behavior of the HTML/template package, allowing subsequent actions to inject unexpected content into the templates. This flaw has been resolved in {oadp-short} 1.3.2.
+
+For more details, see link:https://access.redhat.com/security/cve/cve-2024-24785[CVE-2024-24785].
+
+For a complete list of all issues resolved in this release, see the list of link:https://issues.redhat.com/issues/?filter=12436254[OADP 1.3.2 resolved issues] in Jira.
+
+
+[id="known-issues-1-3-2_{context}"]
+== Known issues
+
+.Cassandra application pods enter into the `CrashLoopBackoff` status after restoring OADP
+
+After {oadp-short} restores, the Cassandra application pods might enter in the `CrashLoopBackoff` status. To work around this problem, delete the `StatefulSet` pods that are returning an error or the `CrashLoopBackoff` state after restoring {oadp-short}. The `StatefulSet` controller recreates these pods and it runs normally.
+
+link:https://issues.redhat.com/browse/OADP-3767[OADP-3767]
diff --git a/modules/oadp-setting-resource-limits-and-requests.adoc b/modules/oadp-setting-resource-limits-and-requests.adoc
index 68810fb34640..5d98dac18a3e 100644
--- a/modules/oadp-setting-resource-limits-and-requests.adoc
+++ b/modules/oadp-setting-resource-limits-and-requests.adoc
@@ -1,7 +1,6 @@
 // Module included in the following assemblies:
 //
 // * backup_and_restore/application_backup_and_restore/configuring-oadp.adoc
-// * virt/backup_restore/virt-installing-configuring-oadp.adoc
 // * backup_and_restore/application_backup_and_restore/oadp-aws-sts/oadp-aws-sts.adoc
 // * backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc
 // * backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc
diff --git a/modules/oc-adm-by-example-content.adoc b/modules/oc-adm-by-example-content.adoc
index 36cb34afd1ea..3c3fa936f201 100644
--- a/modules/oc-adm-by-example-content.adoc
+++ b/modules/oc-adm-by-example-content.adoc
@@ -16,10 +16,10 @@ Output the inputs and dependencies of your builds
 ----
   # Build the dependency tree for the 'latest' tag in <image-stream>
   oc adm build-chain <image-stream>
-
+  
   # Build the dependency tree for the 'v2' tag in dot format and visualize it via the dot utility
   oc adm build-chain <image-stream>:v2 -o dot | dot -T svg -o deps.svg
-
+  
   # Build the dependency tree across all namespaces for the specified image stream tag found in the 'test' namespace
   oc adm build-chain <image-stream> -n test --all
 ----
@@ -34,21 +34,21 @@ Mirror an operator-registry catalog
 ----
   # Mirror an operator-registry image and its contents to a registry
   oc adm catalog mirror quay.io/my/image:latest myregistry.com
-
+  
   # Mirror an operator-registry image and its contents to a particular namespace in a registry
   oc adm catalog mirror quay.io/my/image:latest myregistry.com/my-namespace
-
+  
   # Mirror to an airgapped registry by first mirroring to files
   oc adm catalog mirror quay.io/my/image:latest file:///local/index
   oc adm catalog mirror file:///local/index/my/image:latest my-airgapped-registry.com
-
+  
   # Configure a cluster to use a mirrored registry
   oc apply -f manifests/imageDigestMirrorSet.yaml
-
+  
   # Edit the mirroring mappings and mirror with "oc image mirror" manually
   oc adm catalog mirror --manifests-only quay.io/my/image:latest myregistry.com
   oc image mirror -f manifests/mapping.txt
-
+  
   # Delete all ImageDigestMirrorSets generated by oc adm catalog mirror
   oc delete imagedigestmirrorset -l operators.openshift.org/catalog=true
 ----
@@ -82,6 +82,14 @@ Deny a certificate signing request
 == oc adm copy-to-node
 Copies specified files to the node.
 
+.Example usage
+[source,bash,options="nowrap"]
+----
+  # copy a new bootstrap kubeconfig file to node-0
+  oc adm copy-to-node --copy=new-bootstrap-kubeconfig=/etc/kubernetes/kubeconfig node/node-0
+----
+
+
 
 == oc adm cordon
 Mark node as unschedulable
@@ -151,7 +159,7 @@ Drain node in preparation for maintenance
 ----
   # Drain node "foo", even if there are pods not managed by a replication controller, replica set, job, daemon set, or stateful set on it
   oc adm drain foo --force
-
+  
   # As above, but abort if there are pods not managed by a replication controller, replica set, job, daemon set, or stateful set, and use a grace period of 15 minutes
   oc adm drain foo --grace-period=900
 ----
@@ -178,10 +186,10 @@ Create a new group
 ----
   # Add a group with no users
   oc adm groups new my-group
-
+  
   # Add a group with two users
   oc adm groups new my-group user1 user2
-
+  
   # Add a group with one user and shorter output
   oc adm groups new my-group user1 -o name
 ----
@@ -196,13 +204,13 @@ Remove old OpenShift groups referencing missing records from an external provide
 ----
   # Prune all orphaned groups
   oc adm groups prune --sync-config=/path/to/ldap-sync-config.yaml --confirm
-
+  
   # Prune all orphaned groups except the ones from the denylist file
   oc adm groups prune --blacklist=/path/to/denylist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm
-
+  
   # Prune all orphaned groups from a list of specific groups specified in an allowlist file
   oc adm groups prune --whitelist=/path/to/allowlist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm
-
+  
   # Prune all orphaned groups from a list of specific groups specified in a list
   oc adm groups prune groups/group_name groups/other_name --sync-config=/path/to/ldap-sync-config.yaml --confirm
 ----
@@ -229,16 +237,16 @@ Sync OpenShift groups with records from an external provider
 ----
   # Sync all groups with an LDAP server
   oc adm groups sync --sync-config=/path/to/ldap-sync-config.yaml --confirm
-
+  
   # Sync all groups except the ones from the blacklist file with an LDAP server
   oc adm groups sync --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm
-
+  
   # Sync specific groups specified in an allowlist file with an LDAP server
   oc adm groups sync --whitelist=/path/to/allowlist.txt --sync-config=/path/to/sync-config.yaml --confirm
-
+  
   # Sync all OpenShift groups that have been synced previously with an LDAP server
   oc adm groups sync --type=openshift --sync-config=/path/to/ldap-sync-config.yaml --confirm
-
+  
   # Sync specific OpenShift groups if they have been synced previously with an LDAP server
   oc adm groups sync groups/group1 groups/group2 groups/group3 --sync-config=/path/to/sync-config.yaml --confirm
 ----
@@ -253,13 +261,13 @@ Collect debugging data for a given resource
 ----
   # Collect debugging data for the "openshift-apiserver" clusteroperator
   oc adm inspect clusteroperator/openshift-apiserver
-
+  
   # Collect debugging data for the "openshift-apiserver" and "kube-apiserver" clusteroperators
   oc adm inspect clusteroperator/openshift-apiserver clusteroperator/kube-apiserver
-
+  
   # Collect debugging data for all clusteroperators
   oc adm inspect clusteroperator
-
+  
   # Collect debugging data for all clusteroperators and clusterversions
   oc adm inspect clusteroperators,clusterversions
 ----
@@ -286,7 +294,7 @@ Update template instances to point to the latest group-version-kinds
 ----
   # Perform a dry-run of updating all objects
   oc adm migrate template-instances
-
+  
   # To actually perform the update, the confirm flag must be appended
   oc adm migrate template-instances --confirm
 ----
@@ -301,19 +309,19 @@ Launch a new instance of a pod for gathering debug information
 ----
   # Gather information using the default plug-in image and command, writing into ./must-gather.local.<rand>
   oc adm must-gather
-
+  
   # Gather information with a specific local folder to copy to
   oc adm must-gather --dest-dir=/local/directory
-
+  
   # Gather audit information
   oc adm must-gather -- /usr/bin/gather_audit_logs
-
+  
   # Gather information using multiple plug-in images
   oc adm must-gather --image=quay.io/kubevirt/must-gather --image=quay.io/openshift/origin-must-gather
-
+  
   # Gather information using a specific image stream plug-in
   oc adm must-gather --image-stream=openshift/must-gather:latest
-
+  
   # Gather information using a specific image, command, and pod directory
   oc adm must-gather --image=my/image:tag --source-dir=/pod/directory -- myspecial-command.sh
 ----
@@ -340,10 +348,10 @@ Display and filter node logs
 ----
   # Show kubelet logs from all masters
   oc adm node-logs --role master -u kubelet
-
+  
   # See what logs are available in masters in /var/log
   oc adm node-logs --role master --path=/
-
+  
   # Display cron log file from all masters
   oc adm node-logs --role master --path=cron
 ----
@@ -365,16 +373,39 @@ Watch platform certificates.
 == oc adm ocp-certificates regenerate-leaf
 Regenerate client and serving certificates of an OpenShift cluster
 
+.Example usage
+[source,bash,options="nowrap"]
+----
+  # Regenerate a leaf certificate contained in a particular secret.
+  oc adm ocp-certificates regenerate-leaf -n openshift-config-managed secret/kube-controller-manager-client-cert-key
+----
+
 
 
 == oc adm ocp-certificates regenerate-machine-config-server-serving-cert
 Regenerate the machine config operator certificates in an OpenShift cluster
 
+.Example usage
+[source,bash,options="nowrap"]
+----
+  # Regenerate the MCO certs without modifying user-data secrets
+  oc adm ocp-certificates regenerate-machine-config-server-serving-cert --update-ignition=false
+  
+  # Update the user-data secrets to use new MCS certs
+  oc adm ocp-certificates update-ignition-ca-bundle-for-machine-config-server
+----
+
 
 
 == oc adm ocp-certificates regenerate-top-level
 Regenerate the top level certificates in an OpenShift cluster
 
+.Example usage
+[source,bash,options="nowrap"]
+----
+  # Regenerate the signing certificate contained in a particular secret.
+  oc adm ocp-certificates regenerate-top-level -n openshift-kube-apiserver-operator secret/loadbalancer-serving-signer-key
+----
 
 
 
@@ -384,6 +415,9 @@ Remove old CAs from ConfigMaps representing platform trust bundles in an OpenShi
 .Example usage
 [source,bash,options="nowrap"]
 ----
+  # Remove a trust bundled contained in a particular config map
+  oc adm ocp-certificates remove-old-trust -n openshift-config-managed configmaps/kube-apiserver-aggregator-client-ca --created-before 2023-06-05T14:44:06Z
+  
   #  Remove only CA certificates created before a certain date from all trust bundles
   oc adm ocp-certificates remove-old-trust configmaps -A --all --created-before 2023-06-05T14:44:06Z
 ----
@@ -397,10 +431,10 @@ Update user-data secrets in an OpenShift cluster to use updated MCO certfs
 [source,bash,options="nowrap"]
 ----
   # Regenerate the MCO certs without modifying user-data secrets
-  oc adm certificates regenerate-machine-config-server-serving-cert --update-ignition=false
-
+  oc adm ocp-certificates regenerate-machine-config-server-serving-cert --update-ignition=false
+  
   # Update the user-data secrets to use new MCS certs
-  oc adm certificates update-ignition-ca-bundle-for-machine-config-server
+  oc adm ocp-certificates update-ignition-ca-bundle-for-machine-config-server
 ----
 
 
@@ -413,7 +447,7 @@ Isolate project network
 ----
   # Provide isolation for project p1
   oc adm pod-network isolate-projects <p1>
-
+  
   # Allow all projects with label name=top-secret to have their own isolated project network
   oc adm pod-network isolate-projects --selector='name=top-secret'
 ----
@@ -428,7 +462,7 @@ Join project network
 ----
   # Allow project p2 to use project p1 network
   oc adm pod-network join-projects --to=<p1> <p2>
-
+  
   # Allow all projects with label name=top-secret to use project p1 network
   oc adm pod-network join-projects --to=<p1> --selector='name=top-secret'
 ----
@@ -443,7 +477,7 @@ Make project network global
 ----
   # Allow project p1 to access all pods in the cluster and vice versa
   oc adm pod-network make-projects-global <p1>
-
+  
   # Allow all projects with label name=share to access all pods in the cluster and vice versa
   oc adm pod-network make-projects-global --selector='name=share'
 ----
@@ -458,7 +492,7 @@ Add a role to users or service accounts for the current project
 ----
   # Add the 'view' role to user1 for the current project
   oc adm policy add-role-to-user view user1
-
+  
   # Add the 'edit' role to serviceaccount1 for the current project
   oc adm policy add-role-to-user edit -z serviceaccount1
 ----
@@ -485,7 +519,7 @@ Add a security context constraint to users or a service account
 ----
   # Add the 'restricted' security context constraint to user1 and user2
   oc adm policy add-scc-to-user restricted user1 user2
-
+  
   # Add the 'privileged' security context constraint to serviceaccount1 in the current namespace
   oc adm policy add-scc-to-user privileged -z serviceaccount1
 ----
@@ -501,13 +535,13 @@ Check which service account can create a pod
   # Check whether service accounts sa1 and sa2 can admit a pod with a template pod spec specified in my_resource.yaml
   # Service Account specified in myresource.yaml file is ignored
   oc adm policy scc-review -z sa1,sa2 -f my_resource.yaml
-
+  
   # Check whether service accounts system:serviceaccount:bob:default can admit a pod with a template pod spec specified in my_resource.yaml
   oc adm policy scc-review -z system:serviceaccount:bob:default -f my_resource.yaml
-
+  
   # Check whether the service account specified in my_resource_with_sa.yaml can admit the pod
   oc adm policy scc-review -f my_resource_with_sa.yaml
-
+  
   # Check whether the default service account can admit the pod; default is taken since no service account is defined in myresource_with_no_sa.yaml
   oc adm policy scc-review -f myresource_with_no_sa.yaml
 ----
@@ -522,10 +556,10 @@ Check whether a user or a service account can create a pod
 ----
   # Check whether user bob can create a pod specified in myresource.yaml
   oc adm policy scc-subject-review -u bob -f myresource.yaml
-
+  
   # Check whether user bob who belongs to projectAdmin group can create a pod specified in myresource.yaml
   oc adm policy scc-subject-review -u bob -g projectAdmin -f myresource.yaml
-
+  
   # Check whether a service account specified in the pod template spec in myresourcewithsa.yaml can create the pod
   oc adm policy scc-subject-review -f myresourcewithsa.yaml
 ----
@@ -541,7 +575,7 @@ Remove old completed and failed builds
   # Dry run deleting older completed and failed builds and also including
   # all builds whose associated build config no longer exists
   oc adm prune builds --orphans
-
+  
   # To actually perform the prune operation, the confirm flag must be appended
   oc adm prune builds --orphans --confirm
 ----
@@ -556,7 +590,7 @@ Remove old completed and failed deployment configs
 ----
   # Dry run deleting all but the last complete deployment for every deployment config
   oc adm prune deployments --keep-complete=1
-
+  
   # To actually perform the prune operation, the confirm flag must be appended
   oc adm prune deployments --keep-complete=1 --confirm
 ----
@@ -571,13 +605,13 @@ Remove old OpenShift groups referencing missing records from an external provide
 ----
   # Prune all orphaned groups
   oc adm prune groups --sync-config=/path/to/ldap-sync-config.yaml --confirm
-
+  
   # Prune all orphaned groups except the ones from the denylist file
   oc adm prune groups --blacklist=/path/to/denylist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm
-
+  
   # Prune all orphaned groups from a list of specific groups specified in an allowlist file
   oc adm prune groups --whitelist=/path/to/allowlist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm
-
+  
   # Prune all orphaned groups from a list of specific groups specified in a list
   oc adm prune groups groups/group_name groups/other_name --sync-config=/path/to/ldap-sync-config.yaml --confirm
 ----
@@ -593,26 +627,65 @@ Remove unreferenced images
   # See what the prune command would delete if only images and their referrers were more than an hour old
   # and obsoleted by 3 newer revisions under the same tag were considered
   oc adm prune images --keep-tag-revisions=3 --keep-younger-than=60m
-
+  
   # To actually perform the prune operation, the confirm flag must be appended
   oc adm prune images --keep-tag-revisions=3 --keep-younger-than=60m --confirm
-
+  
   # See what the prune command would delete if we are interested in removing images
   # exceeding currently set limit ranges ('openshift.io/Image')
   oc adm prune images --prune-over-size-limit
-
+  
   # To actually perform the prune operation, the confirm flag must be appended
   oc adm prune images --prune-over-size-limit --confirm
-
+  
   # Force the insecure HTTP protocol with the particular registry host name
   oc adm prune images --registry-url=http://registry.example.org --confirm
-
+  
   # Force a secure connection with a custom certificate authority to the particular registry host name
   oc adm prune images --registry-url=registry.example.org --certificate-authority=/path/to/custom/ca.crt --confirm
 ----
 
 
 
+== oc adm prune renderedmachineconfigs
+Prunes rendered MachineConfigs in an OpenShift cluster
+
+.Example usage
+[source,bash,options="nowrap"]
+----
+  # See what the prune command would delete if run with no options
+  oc adm prune renderedmachineconfigs
+  
+  # To actually perform the prune operation, the confirm flag must be appended
+  oc adm prune renderedmachineconfigs --confirm
+  
+  # See what the prune command would delete if run on the worker MachineConfigPool
+  oc adm prune renderedmachineconfigs --pool-name=worker
+  
+  # Prunes 10 oldest rendered MachineConfigs in the cluster
+  oc adm prune renderedmachineconfigs --count=10 --confirm
+  
+  # Prunes 10 oldest rendered MachineConfigs in the cluster for the worker MachineConfigPool
+  oc adm prune renderedmachineconfigs --count=10 --pool-name=worker --confirm
+----
+
+
+
+== oc adm prune renderedmachineconfigs list
+Lists rendered MachineConfigs in an OpenShift cluster
+
+.Example usage
+[source,bash,options="nowrap"]
+----
+  # List all rendered MachineConfigs for the worker MachineConfigPool in the cluster
+  oc adm prune renderedmachineconfigs list --pool-name=worker
+  
+  # List all rendered MachineConfigs in use by the cluster's MachineConfigPools
+  oc adm prune renderedmachineconfigs list --in-use
+----
+
+
+
 == oc adm reboot-machine-config-pool
 Initiate reboot of the specified MachineConfigPool.
 
@@ -621,10 +694,10 @@ Initiate reboot of the specified MachineConfigPool.
 ----
   # Reboot all MachineConfigPools
   oc adm reboot-machine-config-pool mcp/worker mcp/master
-
+  
   # Reboot all MachineConfigPools that inherit from worker.  This include all custom MachineConfigPools and infra.
   oc adm reboot-machine-config-pool mcp/worker
-
+  
   # Reboot masters
   oc adm reboot-machine-config-pool mcp/master
 ----
@@ -634,17 +707,15 @@ Initiate reboot of the specified MachineConfigPool.
 == oc adm release extract
 Extract the contents of an update payload to disk
 
-include::snippets/osd-aws-example-only.adoc[]
-
 .Example usage
 [source,bash,options="nowrap"]
 ----
   # Use git to check out the source code for the current cluster release to DIR
   oc adm release extract --git=DIR
-
+  
   # Extract cloud credential requests for AWS
   oc adm release extract --credentials-requests --cloud=aws
-
+  
   # Use git to check out the source code for the current cluster release to DIR from linux/s390x image
   # Note: Wildcard filter is not supported; pass a single os/arch to extract
   oc adm release extract --git=DIR quay.io/openshift-release-dev/ocp-release:4.11.2 --filter-by-os=linux/s390x
@@ -660,16 +731,16 @@ Display information about a release
 ----
   # Show information about the cluster's current release
   oc adm release info
-
+  
   # Show the source code that comprises a release
   oc adm release info 4.11.2 --commit-urls
-
+  
   # Show the source code difference between two releases
   oc adm release info 4.11.0 4.11.2 --commits
-
+  
   # Show where the images referenced by the release are located
   oc adm release info quay.io/openshift-release-dev/ocp-release:4.11.2 --pullspecs
-
+  
   # Show information about linux/s390x image
   # Note: Wildcard filter is not supported; pass a single os/arch to extract
   oc adm release info quay.io/openshift-release-dev/ocp-release:4.11.2 --filter-by-os=linux/s390x
@@ -686,18 +757,18 @@ Mirror a release to a different image registry location
   # Perform a dry run showing what would be mirrored, including the mirror objects
   oc adm release mirror 4.11.0 --to myregistry.local/openshift/release \
   --release-image-signature-to-dir /tmp/releases --dry-run
-
+  
   # Mirror a release into the current directory
   oc adm release mirror 4.11.0 --to file://openshift/release \
   --release-image-signature-to-dir /tmp/releases
-
+  
   # Mirror a release to another directory in the default location
   oc adm release mirror 4.11.0 --to-dir /tmp/releases
-
+  
   # Upload a release from the current directory to another server
   oc adm release mirror --from file://openshift/release --to myregistry.com/openshift/release \
   --release-image-signature-to-dir /tmp/releases
-
+  
   # Mirror the 4.11.0 release to repository registry.example.com and apply signatures to connected cluster
   oc adm release mirror --from=quay.io/openshift-release-dev/ocp-release:4.11.0-x86_64 \
   --to=registry.example.com/your/repository --apply-release-image-signature
@@ -713,15 +784,15 @@ Create a new OpenShift release
 ----
   # Create a release from the latest origin images and push to a DockerHub repository
   oc adm release new --from-image-stream=4.11 -n origin --to-image docker.io/mycompany/myrepo:latest
-
+  
   # Create a new release with updated metadata from a previous release
   oc adm release new --from-release registry.ci.openshift.org/origin/release:v4.11 --name 4.11.1 \
   --previous 4.11.0 --metadata ... --to-image docker.io/mycompany/myrepo:latest
-
+  
   # Create a new release and override a single image
   oc adm release new --from-release registry.ci.openshift.org/origin/release:v4.11 \
   cli=docker.io/mycompany/cli:latest --to-image docker.io/mycompany/myrepo:latest
-
+  
   # Run a verification pass to ensure the release can be reproduced
   oc adm release new --from-release registry.ci.openshift.org/origin/release:v4.11
 ----
@@ -736,13 +807,13 @@ Restarts kubelet on the specified nodes
 ----
   # Restart all the nodes,  10% at a time
   oc adm restart-kubelet nodes --all --directive=RemoveKubeletKubeconfig
-
+  
   # Restart all the nodes,  20 nodes at a time
   oc adm restart-kubelet nodes --all --parallelism=20 --directive=RemoveKubeletKubeconfig
-
+  
   # Restart all the nodes,  15% at a time
   oc adm restart-kubelet nodes --all --parallelism=15% --directive=RemoveKubeletKubeconfig
-
+  
   # Restart all the masters at the same time
   oc adm restart-kubelet nodes -l node-role.kubernetes.io/master --parallelism=100% --directive=RemoveKubeletKubeconfig
 ----
@@ -758,16 +829,16 @@ Update the taints on one or more nodes
   # Update node 'foo' with a taint with key 'dedicated' and value 'special-user' and effect 'NoSchedule'
   # If a taint with that key and effect already exists, its value is replaced as specified
   oc adm taint nodes foo dedicated=special-user:NoSchedule
-
+  
   # Remove from node 'foo' the taint with key 'dedicated' and effect 'NoSchedule' if one exists
   oc adm taint nodes foo dedicated:NoSchedule-
-
+  
   # Remove from node 'foo' all the taints with key 'dedicated'
   oc adm taint nodes foo dedicated-
-
+  
   # Add a taint with key 'dedicated' on nodes having label myLabel=X
   oc adm taint node -l myLabel=X  dedicated=foo:PreferNoSchedule
-
+  
   # Add to node 'foo' a taint with key 'bar' and no value
   oc adm taint nodes foo bar:NoSchedule
 ----
@@ -806,7 +877,7 @@ Display resource (CPU/memory) usage of nodes
 ----
   # Show metrics for all nodes
   oc adm top node
-
+  
   # Show metrics for a given node
   oc adm top node NODE_NAME
 ----
@@ -821,13 +892,13 @@ Display resource (CPU/memory) usage of pods
 ----
   # Show metrics for all pods in the default namespace
   oc adm top pod
-
+  
   # Show metrics for all pods in the given namespace
   oc adm top pod --namespace=NAMESPACE
-
+  
   # Show metrics for a given pod and its containers
   oc adm top pod POD_NAME --containers
-
+  
   # Show metrics for the pods defined by label name=myLabel
   oc adm top pod -l name=myLabel
 ----
@@ -854,7 +925,7 @@ Upgrade a cluster or adjust the upgrade channel
 ----
   # View the update status and available cluster updates
   oc adm upgrade
-
+  
   # Update to the latest version
   oc adm upgrade --to-latest=true
 ----
@@ -870,16 +941,16 @@ Verify the image identity contained in the image signature
   # Verify the image signature and identity using the local GPG keychain
   oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
   --expected-identity=registry.local:5000/foo/bar:v1
-
+  
   # Verify the image signature and identity using the local GPG keychain and save the status
   oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
   --expected-identity=registry.local:5000/foo/bar:v1 --save
-
+  
   # Verify the image signature and identity via exposed registry route
   oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
   --expected-identity=registry.local:5000/foo/bar:v1 \
   --registry-url=docker-registry.foo.com
-
+  
   # Remove all signature verifications from the image
   oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 --remove-all
 ----
@@ -894,10 +965,10 @@ Wait for nodes to reboot after running `oc adm reboot-machine-config-pool`
 ----
   # Wait for all nodes to complete a requested reboot from 'oc adm reboot-machine-config-pool mcp/worker mcp/master'
   oc adm wait-for-node-reboot nodes --all
-
+  
   # Wait for masters to complete a requested reboot from 'oc adm reboot-machine-config-pool mcp/master'
   oc adm wait-for-node-reboot nodes -l node-role.kubernetes.io/master
-
+  
   # Wait for masters to complete a specific reboot
   oc adm wait-for-node-reboot nodes -l node-role.kubernetes.io/master --reboot-number=4
 ----
@@ -912,7 +983,9 @@ wait for the platform operators to become stable
 ----
   # Wait for all clusteroperators to become stable
   oc adm wait-for-stable-cluster
-
+  
   # Consider operators to be stable if they report as such for 5 minutes straight
   oc adm wait-for-stable-cluster --minimum-stable-period 5m
 ----
+
+
diff --git a/modules/oc-by-example-content.adoc b/modules/oc-by-example-content.adoc
index 8a7107d751b4..2b046138e811 100644
--- a/modules/oc-by-example-content.adoc
+++ b/modules/oc-by-example-content.adoc
@@ -17,19 +17,19 @@ Update the annotations on a resource
   # Update pod 'foo' with the annotation 'description' and the value 'my frontend'
   # If the same annotation is set multiple times, only the last value will be applied
   oc annotate pods foo description='my frontend'
-
+  
   # Update a pod identified by type and name in "pod.json"
   oc annotate -f pod.json description='my frontend'
-
+  
   # Update pod 'foo' with the annotation 'description' and the value 'my frontend running nginx', overwriting any existing value
   oc annotate --overwrite pods foo description='my frontend running nginx'
-
+  
   # Update all pods in the namespace
   oc annotate pods --all description='my frontend running nginx'
-
+  
   # Update pod 'foo' only if the resource is unchanged from version 1
   oc annotate pods foo description='my frontend running nginx' --resource-version=1
-
+  
   # Update pod 'foo' by removing an annotation named 'description' if it exists
   # Does not require the --overwrite flag
   oc annotate pods foo description-
@@ -45,19 +45,19 @@ Print the supported API resources on the server
 ----
   # Print the supported API resources
   oc api-resources
-
+  
   # Print the supported API resources with more information
   oc api-resources -o wide
-
+  
   # Print the supported API resources sorted by a column
   oc api-resources --sort-by=name
-
+  
   # Print the supported namespaced resources
   oc api-resources --namespaced=true
-
+  
   # Print the supported non-namespaced resources
   oc api-resources --namespaced=false
-
+  
   # Print the supported API resources with a specific APIGroup
   oc api-resources --api-group=rbac.authorization.k8s.io
 ----
@@ -84,20 +84,20 @@ Apply a configuration to a resource by file name or stdin
 ----
   # Apply the configuration in pod.json to a pod
   oc apply -f ./pod.json
-
+  
   # Apply resources from a directory containing kustomization.yaml - e.g. dir/kustomization.yaml
   oc apply -k dir/
-
+  
   # Apply the JSON passed into stdin to a pod
   cat pod.json | oc apply -f -
-
+  
   # Apply the configuration from all files that end with '.json'
   oc apply -f '*.json'
-
+  
   # Note: --prune is still in Alpha
   # Apply the configuration in manifest.yaml that matches label app=nginx and delete all other resources that are not in the file and match label app=nginx
   oc apply --prune -f manifest.yaml -l app=nginx
-
+  
   # Apply the configuration in manifest.yaml and delete all the other config maps that are not in the file
   oc apply --prune -f manifest.yaml --all --prune-allowlist=core/v1/ConfigMap
 ----
@@ -112,7 +112,7 @@ Edit latest last-applied-configuration annotations of a resource/object
 ----
   # Edit the last-applied-configuration annotations by type/name in YAML
   oc apply edit-last-applied deployment/nginx
-
+  
   # Edit the last-applied-configuration annotations by file in JSON
   oc apply edit-last-applied -f deploy.yaml -o json
 ----
@@ -127,10 +127,10 @@ Set the last-applied-configuration annotation on a live object to match the cont
 ----
   # Set the last-applied-configuration of a resource to match the contents of a file
   oc apply set-last-applied -f deploy.yaml
-
+  
   # Execute set-last-applied against each configuration file in a directory
   oc apply set-last-applied -f path/
-
+  
   # Set the last-applied-configuration of a resource to match the contents of a file; will create the annotation if it does not already exist
   oc apply set-last-applied -f deploy.yaml --create-annotation=true
 ----
@@ -145,7 +145,7 @@ View the latest last-applied-configuration annotations of a resource/object
 ----
   # View the last-applied-configuration annotations by type/name in YAML
   oc apply view-last-applied deployment/nginx
-
+  
   # View the last-applied-configuration annotations by file in JSON
   oc apply view-last-applied -f deploy.yaml -o json
 ----
@@ -161,14 +161,14 @@ Attach to a running container
   # Get output from running pod mypod; use the 'oc.kubernetes.io/default-container' annotation
   # for selecting the container to be attached or the first container in the pod will be chosen
   oc attach mypod
-
+  
   # Get output from ruby-container from pod mypod
   oc attach mypod -c ruby-container
-
+  
   # Switch to raw terminal mode; sends stdin to 'bash' in ruby-container from pod mypod
   # and sends stdout/stderr from 'bash' back to the client
   oc attach mypod -c ruby-container -i -t
-
+  
   # Get output from the first pod of a replica set named nginx
   oc attach rs/nginx
 ----
@@ -183,27 +183,27 @@ Check whether an action is allowed
 ----
   # Check to see if I can create pods in any namespace
   oc auth can-i create pods --all-namespaces
-
+  
   # Check to see if I can list deployments in my current namespace
   oc auth can-i list deployments.apps
-
+  
   # Check to see if service account "foo" of namespace "dev" can list pods
   # in the namespace "prod".
   # You must be allowed to use impersonation for the global option "--as".
   oc auth can-i list pods --as=system:serviceaccount:dev:foo -n prod
-
+  
   # Check to see if I can do everything in my current namespace ("*" means all)
   oc auth can-i '*' '*'
-
+  
   # Check to see if I can get the job named "bar" in namespace "foo"
   oc auth can-i list jobs.batch/bar -n foo
-
+  
   # Check to see if I can read pod logs
   oc auth can-i get pods --subresource=log
-
+  
   # Check to see if I can access the URL /logs/
   oc auth can-i get /logs/
-
+  
   # List all allowed actions in namespace "foo"
   oc auth can-i --list --namespace=foo
 ----
@@ -230,7 +230,7 @@ Experimental: Check self subject attributes
 ----
   # Get your subject attributes.
   oc auth whoami
-
+  
   # Get your subject attributes in JSON format.
   oc auth whoami -o json
 ----
@@ -245,7 +245,7 @@ Autoscale a deployment config, deployment, replica set, stateful set, or replica
 ----
   # Auto scale a deployment "foo", with the number of pods between 2 and 10, no target CPU utilization specified so a default autoscaling policy will be used
   oc autoscale deployment foo --min=2 --max=10
-
+  
   # Auto scale a replication controller "foo", with the number of pods between 1 and 5, target CPU utilization at 80%
   oc autoscale rc foo --max=5 --cpu-percent=80
 ----
@@ -260,16 +260,16 @@ Cancel running, pending, or new builds
 ----
   # Cancel the build with the given name
   oc cancel-build ruby-build-2
-
+  
   # Cancel the named build and print the build logs
   oc cancel-build ruby-build-2 --dump-logs
-
+  
   # Cancel the named build and create a new one with the same parameters
   oc cancel-build ruby-build-2 --restart
-
+  
   # Cancel multiple builds
   oc cancel-build ruby-build-1 ruby-build-2 ruby-build-3
-
+  
   # Cancel all builds created from the 'ruby-build' build config that are in the 'new' state
   oc cancel-build bc/ruby-build --state=new
 ----
@@ -296,13 +296,13 @@ Dump relevant information for debugging and diagnosis
 ----
   # Dump current cluster state to stdout
   oc cluster-info dump
-
+  
   # Dump current cluster state to /path/to/cluster-state
   oc cluster-info dump --output-directory=/path/to/cluster-state
-
+  
   # Dump all namespaces to stdout
   oc cluster-info dump --all-namespaces
-
+  
   # Dump a set of namespaces to /path/to/cluster-state
   oc cluster-info dump --namespaces default,kube-system --output-directory=/path/to/cluster-state
 ----
@@ -323,8 +323,8 @@ Output shell completion code for the specified shell (bash, zsh, fish, or powers
   ## If oc is installed via homebrew, this should start working immediately
   ## If you've installed via other means, you may need add the completion to your completion directory
   oc completion bash > $(brew --prefix)/etc/bash_completion.d/oc
-
-
+  
+  
   # Installing bash completion on Linux
   ## If bash-completion is not installed on Linux, install the 'bash-completion' package
   ## via your distribution's package manager.
@@ -337,18 +337,18 @@ Output shell completion code for the specified shell (bash, zsh, fish, or powers
   source '$HOME/.kube/completion.bash.inc'
   " >> $HOME/.bash_profile
   source $HOME/.bash_profile
-
+  
   # Load the oc completion code for zsh[1] into the current shell
   source <(oc completion zsh)
   # Set the oc completion code for zsh[1] to autoload on startup
   oc completion zsh > "${fpath[1]}/_oc"
-
-
+  
+  
   # Load the oc completion code for fish[2] into the current shell
   oc completion fish | source
   # To load completions for each session, execute once:
   oc completion fish > ~/.config/fish/completions/oc.fish
-
+  
   # Load the oc completion code for powershell into the current shell
   oc completion powershell | Out-String | Invoke-Expression
   # Set oc completion code for powershell to run on startup
@@ -433,7 +433,7 @@ Describe one or many contexts
 ----
   # List all the contexts in your kubeconfig file
   oc config get-contexts
-
+  
   # Describe one context in your kubeconfig file
   oc config get-contexts my-context
 ----
@@ -484,10 +484,10 @@ Update the OpenShift CA bundle by contacting the apiserver.
 ----
   # Refresh the CA bundle for the current context's cluster
   oc config refresh-ca-bundle
-
+  
   # Refresh the CA bundle for the cluster named e2e in your kubeconfig
   oc config refresh-ca-bundle e2e
-
+  
   # Print the CA bundle from the current OpenShift cluster's apiserver.
   oc config refresh-ca-bundle --dry-run
 ----
@@ -514,13 +514,13 @@ Set an individual value in a kubeconfig file
 ----
   # Set the server field on the my-cluster cluster to https://1.2.3.4
   oc config set clusters.my-cluster.server https://1.2.3.4
-
+  
   # Set the certificate-authority-data field on the my-cluster cluster
   oc config set clusters.my-cluster.certificate-authority-data $(echo "cert_data_here" | base64 -i -)
-
+  
   # Set the cluster field in the my-context context to my-cluster
   oc config set contexts.my-context.cluster my-cluster
-
+  
   # Set the client-key-data field in the cluster-admin user using --set-raw-bytes option
   oc config set users.cluster-admin.client-key-data cert_data_here --set-raw-bytes=true
 ----
@@ -535,16 +535,16 @@ Set a cluster entry in kubeconfig
 ----
   # Set only the server field on the e2e cluster entry without touching other values
   oc config set-cluster e2e --server=https://1.2.3.4
-
+  
   # Embed certificate authority data for the e2e cluster entry
   oc config set-cluster e2e --embed-certs --certificate-authority=~/.kube/e2e/kubernetes.ca.crt
-
+  
   # Disable cert checking for the e2e cluster entry
   oc config set-cluster e2e --insecure-skip-tls-verify=true
-
+  
   # Set the custom TLS server name to use for validation for the e2e cluster entry
   oc config set-cluster e2e --tls-server-name=my-cluster-name
-
+  
   # Set the proxy URL for the e2e cluster entry
   oc config set-cluster e2e --proxy-url=https://1.2.3.4
 ----
@@ -572,31 +572,31 @@ Set a user entry in kubeconfig
   # Set only the "client-key" field on the "cluster-admin"
   # entry, without touching other values
   oc config set-credentials cluster-admin --client-key=~/.kube/admin.key
-
+  
   # Set basic auth for the "cluster-admin" entry
   oc config set-credentials cluster-admin --username=admin --password=uXFGweU9l35qcif
-
+  
   # Embed client certificate data in the "cluster-admin" entry
   oc config set-credentials cluster-admin --client-certificate=~/.kube/admin.crt --embed-certs=true
-
+  
   # Enable the Google Compute Platform auth provider for the "cluster-admin" entry
   oc config set-credentials cluster-admin --auth-provider=gcp
-
+  
   # Enable the OpenID Connect auth provider for the "cluster-admin" entry with additional arguments
   oc config set-credentials cluster-admin --auth-provider=oidc --auth-provider-arg=client-id=foo --auth-provider-arg=client-secret=bar
-
+  
   # Remove the "client-secret" config value for the OpenID Connect auth provider for the "cluster-admin" entry
   oc config set-credentials cluster-admin --auth-provider=oidc --auth-provider-arg=client-secret-
-
+  
   # Enable new exec auth plugin for the "cluster-admin" entry
   oc config set-credentials cluster-admin --exec-command=/path/to/the/executable --exec-api-version=client.authentication.k8s.io/v1beta1
-
+  
   # Define new exec auth plugin arguments for the "cluster-admin" entry
   oc config set-credentials cluster-admin --exec-arg=arg1 --exec-arg=arg2
-
+  
   # Create or update exec auth plugin environment variables for the "cluster-admin" entry
   oc config set-credentials cluster-admin --exec-env=key1=val1 --exec-env=key2=val2
-
+  
   # Remove exec auth plugin environment variables for the "cluster-admin" entry
   oc config set-credentials cluster-admin --exec-env=var-to-remove-
 ----
@@ -611,7 +611,7 @@ Unset an individual value in a kubeconfig file
 ----
   # Unset the current-context
   oc config unset current-context
-
+  
   # Unset namespace in foo context
   oc config unset contexts.foo.namespace
 ----
@@ -638,10 +638,10 @@ Display merged kubeconfig settings or a specified kubeconfig file
 ----
   # Show merged kubeconfig settings
   oc config view
-
+  
   # Show merged kubeconfig settings, raw certificate data, and exposed secrets
   oc config view --raw
-
+  
   # Get the password for the e2e user
   oc config view -o jsonpath='{.users[?(@.name == "e2e")].user.password}'
 ----
@@ -660,22 +660,22 @@ Copy files and directories to and from containers
   #
   # For advanced use cases, such as symlinks, wildcard expansion or
   # file mode preservation, consider using 'oc exec'.
-
+  
   # Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace <some-namespace>
   tar cf - /tmp/foo | oc exec -i -n <some-namespace> <some-pod> -- tar xf - -C /tmp/bar
-
+  
   # Copy /tmp/foo from a remote pod to /tmp/bar locally
   oc exec -n <some-namespace> <some-pod> -- tar cf - /tmp/foo | tar xf - -C /tmp/bar
-
+  
   # Copy /tmp/foo_dir local directory to /tmp/bar_dir in a remote pod in the default namespace
   oc cp /tmp/foo_dir <some-pod>:/tmp/bar_dir
-
+  
   # Copy /tmp/foo local file to /tmp/bar in a remote pod in a specific container
   oc cp /tmp/foo <some-pod>:/tmp/bar -c <specific-container>
-
+  
   # Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace <some-namespace>
   oc cp /tmp/foo <some-namespace>/<some-pod>:/tmp/bar
-
+  
   # Copy /tmp/foo from a remote pod to /tmp/bar locally
   oc cp <some-namespace>/<some-pod>:/tmp/foo /tmp/bar
 ----
@@ -690,10 +690,10 @@ Create a resource from a file or from stdin
 ----
   # Create a pod using the data in pod.json
   oc create -f ./pod.json
-
+  
   # Create a pod based on the JSON passed into stdin
   cat pod.json | oc create -f -
-
+  
   # Edit the data in registry.yaml in JSON then create the resource using the edited data
   oc create -f registry.yaml --edit -o json
 ----
@@ -732,19 +732,19 @@ Create a cluster role
 ----
   # Create a cluster role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
   oc create clusterrole pod-reader --verb=get,list,watch --resource=pods
-
+  
   # Create a cluster role named "pod-reader" with ResourceName specified
   oc create clusterrole pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod
-
+  
   # Create a cluster role named "foo" with API Group specified
   oc create clusterrole foo --verb=get,list,watch --resource=rs.apps
-
+  
   # Create a cluster role named "foo" with SubResource specified
   oc create clusterrole foo --verb=get,list,watch --resource=pods,pods/status
-
+  
   # Create a cluster role name "foo" with NonResourceURL specified
   oc create clusterrole "foo" --verb=get --non-resource-url=/logs/*
-
+  
   # Create a cluster role name "monitoring" with AggregationRule specified
   oc create clusterrole monitoring --aggregation-rule="rbac.example.com/aggregate-to-monitoring=true"
 ----
@@ -771,16 +771,16 @@ Create a config map from a local file, directory or literal value
 ----
   # Create a new config map named my-config based on folder bar
   oc create configmap my-config --from-file=path/to/bar
-
+  
   # Create a new config map named my-config with specified keys instead of file basenames on disk
   oc create configmap my-config --from-file=key1=/path/to/bar/file1.txt --from-file=key2=/path/to/bar/file2.txt
-
+  
   # Create a new config map named my-config with key1=config1 and key2=config2
   oc create configmap my-config --from-literal=key1=config1 --from-literal=key2=config2
-
+  
   # Create a new config map named my-config from the key=value pairs in the file
   oc create configmap my-config --from-file=path/to/bar
-
+  
   # Create a new config map named my-config from an env file
   oc create configmap my-config --from-env-file=path/to/foo.env --from-env-file=path/to/bar.env
 ----
@@ -795,7 +795,7 @@ Create a cron job with the specified name
 ----
   # Create a cron job
   oc create cronjob my-job --image=busybox --schedule="*/1 * * * *"
-
+  
   # Create a cron job with a command
   oc create cronjob my-job --image=busybox --schedule="*/1 * * * *" -- date
 ----
@@ -810,13 +810,13 @@ Create a deployment with the specified name
 ----
   # Create a deployment named my-dep that runs the busybox image
   oc create deployment my-dep --image=busybox
-
+  
   # Create a deployment with a command
   oc create deployment my-dep --image=busybox -- date
-
+  
   # Create a deployment named my-dep that runs the nginx image with 3 replicas
   oc create deployment my-dep --image=nginx --replicas=3
-
+  
   # Create a deployment named my-dep that runs the busybox image and expose port 5701
   oc create deployment my-dep --image=busybox --port=5701
 ----
@@ -880,34 +880,34 @@ Create an ingress with the specified name
   # Create a single ingress called 'simple' that directs requests to foo.com/bar to svc
   # svc1:8080 with a TLS secret "my-cert"
   oc create ingress simple --rule="foo.com/bar=svc1:8080,tls=my-cert"
-
+  
   # Create a catch all ingress of "/path" pointing to service svc:port and Ingress Class as "otheringress"
   oc create ingress catch-all --class=otheringress --rule="/path=svc:port"
-
+  
   # Create an ingress with two annotations: ingress.annotation1 and ingress.annotations2
   oc create ingress annotated --class=default --rule="foo.com/bar=svc:port" \
   --annotation ingress.annotation1=foo \
   --annotation ingress.annotation2=bla
-
+  
   # Create an ingress with the same host and multiple paths
   oc create ingress multipath --class=default \
   --rule="foo.com/=svc:port" \
   --rule="foo.com/admin/=svcadmin:portadmin"
-
+  
   # Create an ingress with multiple hosts and the pathType as Prefix
   oc create ingress ingress1 --class=default \
   --rule="foo.com/path*=svc:8080" \
   --rule="bar.com/admin*=svc2:http"
-
+  
   # Create an ingress with TLS enabled using the default ingress certificate and different path types
   oc create ingress ingtls --class=default \
   --rule="foo.com/=svc:https,tls" \
   --rule="foo.com/path/subpath*=othersvc:8080"
-
+  
   # Create an ingress with TLS enabled using a specific secret and pathType as Prefix
   oc create ingress ingsecret --class=default \
   --rule="foo.com/*=svc:8080,tls=secret1"
-
+  
   # Create an ingress with a default backend
   oc create ingress ingdefault --class=default \
   --default-backend=defaultsvc:http \
@@ -924,10 +924,10 @@ Create a job with the specified name
 ----
   # Create a job
   oc create job my-job --image=busybox
-
+  
   # Create a job with a command
   oc create job my-job --image=busybox -- date
-
+  
   # Create a job from a cron job named "a-cronjob"
   oc create job test-job --from=cronjob/a-cronjob
 ----
@@ -955,7 +955,7 @@ Create a pod disruption budget with the specified name
   # Create a pod disruption budget named my-pdb that will select all pods with the app=rails label
   # and require at least one of them being available at any point in time
   oc create poddisruptionbudget my-pdb --selector=app=rails --min-available=1
-
+  
   # Create a pod disruption budget named my-pdb that will select all pods with the app=nginx label
   # and require at least half of the pods selected to be available at any point in time
   oc create pdb my-pdb --selector=app=nginx --min-available=50%
@@ -971,10 +971,10 @@ Create a priority class with the specified name
 ----
   # Create a priority class named high-priority
   oc create priorityclass high-priority --value=1000 --description="high priority"
-
+  
   # Create a priority class named default-priority that is considered as the global default priority
   oc create priorityclass default-priority --value=1000 --global-default=true --description="default priority"
-
+  
   # Create a priority class named high-priority that cannot preempt pods with lower priority
   oc create priorityclass high-priority --value=1000 --description="high priority" --preemption-policy="Never"
 ----
@@ -989,7 +989,7 @@ Create a quota with the specified name
 ----
   # Create a new resource quota named my-quota
   oc create quota my-quota --hard=cpu=1,memory=1G,pods=2,services=3,replicationcontrollers=2,resourcequotas=1,secrets=5,persistentvolumeclaims=10
-
+  
   # Create a new resource quota named best-effort
   oc create quota best-effort --hard=pods=100 --scopes=BestEffort
 ----
@@ -1004,13 +1004,13 @@ Create a role with single rule
 ----
   # Create a role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
   oc create role pod-reader --verb=get --verb=list --verb=watch --resource=pods
-
+  
   # Create a role named "pod-reader" with ResourceName specified
   oc create role pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod
-
+  
   # Create a role named "foo" with API Group specified
   oc create role foo --verb=get,list,watch --resource=rs.apps
-
+  
   # Create a role named "foo" with SubResource specified
   oc create role foo --verb=get,list,watch --resource=pods,pods/status
 ----
@@ -1025,7 +1025,7 @@ Create a role binding for a particular role or cluster role
 ----
   # Create a role binding for user1, user2, and group1 using the admin cluster role
   oc create rolebinding admin --clusterrole=admin --user=user1 --user=user2 --group=group1
-
+  
   # Create a role binding for serviceaccount monitoring:sa-dev using the admin role
   oc create rolebinding admin-binding --role=admin --serviceaccount=monitoring:sa-dev
 ----
@@ -1040,7 +1040,7 @@ Create a route that uses edge TLS termination
 ----
   # Create an edge route named "my-route" that exposes the frontend service
   oc create route edge my-route --service=frontend
-
+  
   # Create an edge route that exposes the frontend service and specify a path
   # If the route name is omitted, the service name will be used
   oc create route edge --service=frontend --path /assets
@@ -1056,7 +1056,7 @@ Create a route that uses passthrough TLS termination
 ----
   # Create a passthrough route named "my-route" that exposes the frontend service
   oc create route passthrough my-route --service=frontend
-
+  
   # Create a passthrough route that exposes the frontend service and specify
   # a host name. If the route name is omitted, the service name will be used
   oc create route passthrough --service=frontend --hostname=www.example.com
@@ -1072,7 +1072,7 @@ Create a route that uses reencrypt TLS termination
 ----
   # Create a route named "my-route" that exposes the frontend service
   oc create route reencrypt my-route --service=frontend --dest-ca-cert cert.cert
-
+  
   # Create a reencrypt route that exposes the frontend service, letting the
   # route name default to the service name and the destination CA certificate
   # default to the service CA
@@ -1089,7 +1089,7 @@ Create a secret for use with a Docker registry
 ----
   # If you do not already have a .dockercfg file, create a dockercfg secret directly
   oc create secret docker-registry my-secret --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
-
+  
   # Create a new secret named my-secret from ~/.docker/config.json
   oc create secret docker-registry my-secret --from-file=.dockerconfigjson=path/to/.docker/config.json
 ----
@@ -1104,16 +1104,16 @@ Create a secret from a local file, directory, or literal value
 ----
   # Create a new secret named my-secret with keys for each file in folder bar
   oc create secret generic my-secret --from-file=path/to/bar
-
+  
   # Create a new secret named my-secret with specified keys instead of names on disk
   oc create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-file=ssh-publickey=path/to/id_rsa.pub
-
+  
   # Create a new secret named my-secret with key1=supersecret and key2=topsecret
   oc create secret generic my-secret --from-literal=key1=supersecret --from-literal=key2=topsecret
-
+  
   # Create a new secret named my-secret using a combination of a file and a literal
   oc create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-literal=passphrase=topsecret
-
+  
   # Create a new secret named my-secret from env files
   oc create secret generic my-secret --from-env-file=path/to/foo.env --from-env-file=path/to/bar.env
 ----
@@ -1140,7 +1140,7 @@ Create a ClusterIP service
 ----
   # Create a new ClusterIP service named my-cs
   oc create service clusterip my-cs --tcp=5678:8080
-
+  
   # Create a new ClusterIP service named my-cs (in headless mode)
   oc create service clusterip my-cs --clusterip="None"
 ----
@@ -1203,19 +1203,19 @@ Request a service account token
 ----
   # Request a token to authenticate to the kube-apiserver as the service account "myapp" in the current namespace
   oc create token myapp
-
+  
   # Request a token for a service account in a custom namespace
   oc create token myapp --namespace myns
-
+  
   # Request a token with a custom expiration
   oc create token myapp --duration 10m
-
+  
   # Request a token with a custom audience
   oc create token myapp --audience https://example.com
-
+  
   # Request a token bound to an instance of a Secret object
   oc create token myapp --bound-object-kind Secret --bound-object-name mysecret
-
+  
   # Request a token bound to an instance of a Secret object with a specific UID
   oc create token myapp --bound-object-kind Secret --bound-object-name mysecret --bound-object-uid 0d4691ed-659b-4935-a832-355f77ee47cc
 ----
@@ -1254,29 +1254,29 @@ Launch a new instance of a pod for debugging
 ----
   # Start a shell session into a pod using the OpenShift tools image
   oc debug
-
+  
   # Debug a currently running deployment by creating a new pod
   oc debug deploy/test
-
+  
   # Debug a node as an administrator
   oc debug node/master-1
-
+  
   # Debug a Windows Node
   # Note: the chosen image must match the Windows Server version (2019, 2022) of the Node
   oc debug node/win-worker-1 --image=mcr.microsoft.com/powershell:lts-nanoserver-ltsc2022
-
+  
   # Launch a shell in a pod using the provided image stream tag
   oc debug istag/mysql:latest -n openshift
-
+  
   # Test running a job as a non-root user
   oc debug job/test --as-user=1000000
-
+  
   # Debug a specific failing container by running the env command in the 'second' container
   oc debug daemonset/test -c second -- /bin/env
-
+  
   # See the pod that would be created to debug
   oc debug mypod-9xbc -o yaml
-
+  
   # Debug a resource but launch the debug pod in another namespace
   # Note: Not all resources can be debugged using --to-namespace without modification. For example,
   # volumes and service accounts are namespace-dependent. Add '-o yaml' to output the debug pod definition
@@ -1294,28 +1294,28 @@ Delete resources by file names, stdin, resources and names, or by resources and
 ----
   # Delete a pod using the type and name specified in pod.json
   oc delete -f ./pod.json
-
+  
   # Delete resources from a directory containing kustomization.yaml - e.g. dir/kustomization.yaml
   oc delete -k dir
-
+  
   # Delete resources from all files that end with '.json'
   oc delete -f '*.json'
-
+  
   # Delete a pod based on the type and name in the JSON passed into stdin
   cat pod.json | oc delete -f -
-
+  
   # Delete pods and services with same names "baz" and "foo"
   oc delete pod,service baz foo
-
+  
   # Delete pods and services with label name=myLabel
   oc delete pods,services -l name=myLabel
-
+  
   # Delete a pod with minimal delay
   oc delete pod foo --now
-
+  
   # Force delete a pod on a dead node
   oc delete pod foo --force
-
+  
   # Delete all pods
   oc delete pods --all
 ----
@@ -1330,19 +1330,19 @@ Show details of a specific resource or group of resources
 ----
   # Describe a node
   oc describe nodes kubernetes-node-emt8.c.myproject.internal
-
+  
   # Describe a pod
   oc describe pods/nginx
-
+  
   # Describe a pod identified by type and name in "pod.json"
   oc describe -f pod.json
-
+  
   # Describe all pods
   oc describe pods
-
+  
   # Describe pods by label name=myLabel
   oc describe pods -l name=myLabel
-
+  
   # Describe all pods managed by the 'frontend' replication controller
   # (rc-created pods get the name of the rc as a prefix in the pod name)
   oc describe pods frontend
@@ -1358,7 +1358,7 @@ Diff the live version against a would-be applied version
 ----
   # Diff resources included in pod.json
   oc diff -f pod.json
-
+  
   # Diff file read from stdin
   cat service.yaml | oc diff -f -
 ----
@@ -1373,16 +1373,16 @@ Edit a resource on the server
 ----
   # Edit the service named 'registry'
   oc edit svc/registry
-
+  
   # Use an alternative editor
   KUBE_EDITOR="nano" oc edit svc/registry
-
+  
   # Edit the job 'myjob' in JSON using the v1 API format
   oc edit job.v1.batch/myjob -o json
-
+  
   # Edit the deployment 'mydeployment' in YAML and save the modified config in its annotation
   oc edit deployment/mydeployment -o yaml --save-config
-
+  
   # Edit the 'status' subresource for the 'mydeployment' deployment
   oc edit deployment mydeployment --subresource='status'
 ----
@@ -1397,16 +1397,16 @@ List events
 ----
   # List recent events in the default namespace
   oc events
-
+  
   # List recent events in all namespaces
   oc events --all-namespaces
-
+  
   # List recent events for the specified pod, then wait for more events and list them as they arrive
   oc events --for pod/web-pod-13je7 --watch
-
+  
   # List recent events in YAML format
   oc events -oyaml
-
+  
   # List recent only events of type 'Warning' or 'Normal'
   oc events --types=Warning,Normal
 ----
@@ -1421,24 +1421,24 @@ Execute a command in a container
 ----
   # Get output from running the 'date' command from pod mypod, using the first container by default
   oc exec mypod -- date
-
+  
   # Get output from running the 'date' command in ruby-container from pod mypod
   oc exec mypod -c ruby-container -- date
-
+  
   # Switch to raw terminal mode; sends stdin to 'bash' in ruby-container from pod mypod
   # and sends stdout/stderr from 'bash' back to the client
   oc exec mypod -c ruby-container -i -t -- bash -il
-
+  
   # List contents of /usr from the first container of pod mypod and sort by modification time
   # If the command you want to execute in the pod has any flags in common (e.g. -i),
   # you must use two dashes (--) to separate your command's flags/arguments
   # Also note, do not surround your command and its flags/arguments with quotes
   # unless that is how you would execute it normally (i.e., do ls -t /usr, not "ls -t /usr")
   oc exec mypod -i -t -- ls -t /usr
-
+  
   # Get output from running 'date' command from the first pod of the deployment mydeployment, using the first container by default
   oc exec deploy/mydeployment -- date
-
+  
   # Get output from running 'date' command from the first pod of the service myservice, using the first container by default
   oc exec svc/myservice -- date
 ----
@@ -1453,16 +1453,16 @@ Get documentation for a resource
 ----
   # Get the documentation of the resource and its fields
   oc explain pods
-
+  
   # Get all the fields in the resource
   oc explain pods --recursive
-
+  
   # Get the explanation for deployment in supported api versions
   oc explain deployments --api-version=apps/v1
-
+  
   # Get the documentation of a specific field of a resource
   oc explain pods.spec.containers
-
+  
   # Get the documentation of resources in different format
   oc explain deployment --output=plaintext-openapiv2
 ----
@@ -1477,20 +1477,20 @@ Expose a replicated application as a service or route
 ----
   # Create a route based on service nginx. The new route will reuse nginx's labels
   oc expose service nginx
-
+  
   # Create a route and specify your own label and route name
   oc expose service nginx -l name=myroute --name=fromdowntown
-
+  
   # Create a route and specify a host name
   oc expose service nginx --hostname=www.example.com
-
+  
   # Create a route with a wildcard
   oc expose service nginx --hostname=x.example.com --wildcard-policy=Subdomain
   # This would be equivalent to *.example.com. NOTE: only hosts are matched by the wildcard; subdomains would not be included
-
+  
   # Expose a deployment configuration as a service and use the specified port
   oc expose dc ruby-hello-world --port=8080
-
+  
   # Expose a service as a route in the specified path
   oc expose service nginx --path=/nginx
 ----
@@ -1505,13 +1505,13 @@ Extract secrets or config maps to disk
 ----
   # Extract the secret "test" to the current directory
   oc extract secret/test
-
+  
   # Extract the config map "nginx" to the /tmp directory
   oc extract configmap/nginx --to=/tmp
-
+  
   # Extract the config map "nginx" to STDOUT
   oc extract configmap/nginx --to=-
-
+  
   # Extract only the key "nginx.conf" from config map "nginx" to the /tmp directory
   oc extract configmap/nginx --to=/tmp --keys=nginx.conf
 ----
@@ -1526,37 +1526,37 @@ Display one or many resources
 ----
   # List all pods in ps output format
   oc get pods
-
+  
   # List all pods in ps output format with more information (such as node name)
   oc get pods -o wide
-
+  
   # List a single replication controller with specified NAME in ps output format
   oc get replicationcontroller web
-
+  
   # List deployments in JSON output format, in the "v1" version of the "apps" API group
   oc get deployments.v1.apps -o json
-
+  
   # List a single pod in JSON output format
   oc get -o json pod web-pod-13je7
-
+  
   # List a pod identified by type and name specified in "pod.yaml" in JSON output format
   oc get -f pod.yaml -o json
-
+  
   # List resources from a directory with kustomization.yaml - e.g. dir/kustomization.yaml
   oc get -k dir/
-
+  
   # Return only the phase value of the specified pod
   oc get -o template pod/web-pod-13je7 --template={{.status.phase}}
-
+  
   # List resource information in custom columns
   oc get pod test-pod -o custom-columns=CONTAINER:.spec.containers[0].name,IMAGE:.spec.containers[0].image
-
+  
   # List all replication controllers and services together in ps output format
   oc get rc,services
-
+  
   # List one or more resources by their type and names
   oc get rc/web service/frontend pods/web-pod-13je7
-
+  
   # List the 'status' subresource for a single pod
   oc get pod web-pod-13je7 --subresource status
 ----
@@ -1571,7 +1571,7 @@ Experimental: Get token from external OIDC issuer as credentials exec plugin
 ----
   # Starts an auth code flow to the issuer url with the client id and the given extra scopes
   oc get-token --client-id=client-id --issuer-url=test.issuer.url --extra-scopes=email,profile
-
+  
   # Starts an authe code flow to the issuer url with a different callback address.
   oc get-token --client-id=client-id --issuer-url=test.issuer.url --callback-address=127.0.0.1:8343
 ----
@@ -1598,31 +1598,31 @@ Add layers to images and push them to a registry
 ----
   # Remove the entrypoint on the mysql:latest image
   oc image append --from mysql:latest --to myregistry.com/myimage:latest --image '{"Entrypoint":null}'
-
+  
   # Add a new layer to the image
   oc image append --from mysql:latest --to myregistry.com/myimage:latest layer.tar.gz
-
+  
   # Add a new layer to the image and store the result on disk
   # This results in $(pwd)/v2/mysql/blobs,manifests
   oc image append --from mysql:latest --to file://mysql:local layer.tar.gz
-
+  
   # Add a new layer to the image and store the result on disk in a designated directory
   # This will result in $(pwd)/mysql-local/v2/mysql/blobs,manifests
   oc image append --from mysql:latest --to file://mysql:local --dir mysql-local layer.tar.gz
-
+  
   # Add a new layer to an image that is stored on disk (~/mysql-local/v2/image exists)
   oc image append --from-dir ~/mysql-local --to myregistry.com/myimage:latest layer.tar.gz
-
+  
   # Add a new layer to an image that was mirrored to the current directory on disk ($(pwd)/v2/image exists)
   oc image append --from-dir v2 --to myregistry.com/myimage:latest layer.tar.gz
-
+  
   # Add a new layer to a multi-architecture image for an os/arch that is different from the system's os/arch
   # Note: The first image in the manifest list that matches the filter will be returned when --keep-manifest-list is not specified
   oc image append --from docker.io/library/busybox:latest --filter-by-os=linux/s390x --to myregistry.com/myimage:latest layer.tar.gz
-
+  
   # Add a new layer to a multi-architecture image for all the os/arch manifests when keep-manifest-list is specified
   oc image append --from docker.io/library/busybox:latest --keep-manifest-list --to myregistry.com/myimage:latest layer.tar.gz
-
+  
   # Add a new layer to a multi-architecture image for all the os/arch manifests that is specified by the filter, while preserving the manifestlist
   oc image append --from docker.io/library/busybox:latest --filter-by-os=linux/s390x --keep-manifest-list --to myregistry.com/myimage:latest layer.tar.gz
 ----
@@ -1637,41 +1637,41 @@ Copy files from an image to the file system
 ----
   # Extract the busybox image into the current directory
   oc image extract docker.io/library/busybox:latest
-
+  
   # Extract the busybox image into a designated directory (must exist)
   oc image extract docker.io/library/busybox:latest --path /:/tmp/busybox
-
+  
   # Extract the busybox image into the current directory for linux/s390x platform
   # Note: Wildcard filter is not supported with extract; pass a single os/arch to extract
   oc image extract docker.io/library/busybox:latest --filter-by-os=linux/s390x
-
+  
   # Extract a single file from the image into the current directory
   oc image extract docker.io/library/centos:7 --path /bin/bash:.
-
+  
   # Extract all .repo files from the image's /etc/yum.repos.d/ folder into the current directory
   oc image extract docker.io/library/centos:7 --path /etc/yum.repos.d/*.repo:.
-
+  
   # Extract all .repo files from the image's /etc/yum.repos.d/ folder into a designated directory (must exist)
   # This results in /tmp/yum.repos.d/*.repo on local system
   oc image extract docker.io/library/centos:7 --path /etc/yum.repos.d/*.repo:/tmp/yum.repos.d
-
+  
   # Extract an image stored on disk into the current directory ($(pwd)/v2/busybox/blobs,manifests exists)
   # --confirm is required because the current directory is not empty
   oc image extract file://busybox:local --confirm
-
+  
   # Extract an image stored on disk in a directory other than $(pwd)/v2 into the current directory
   # --confirm is required because the current directory is not empty ($(pwd)/busybox-mirror-dir/v2/busybox exists)
   oc image extract file://busybox:local --dir busybox-mirror-dir --confirm
-
+  
   # Extract an image stored on disk in a directory other than $(pwd)/v2 into a designated directory (must exist)
   oc image extract file://busybox:local --dir busybox-mirror-dir --path /:/tmp/busybox
-
+  
   # Extract the last layer in the image
   oc image extract docker.io/library/centos:7[-1]
-
+  
   # Extract the first three layers of the image
   oc image extract docker.io/library/centos:7[:3]
-
+  
   # Extract the last three layers of the image
   oc image extract docker.io/library/centos:7[-3:]
 ----
@@ -1686,13 +1686,13 @@ Display information about an image
 ----
   # Show information about an image
   oc image info quay.io/openshift/cli:latest
-
+  
   # Show information about images matching a wildcard
   oc image info quay.io/openshift/cli:4.*
-
+  
   # Show information about a file mirrored to disk under DIR
   oc image info --dir=DIR file://library/busybox:latest
-
+  
   # Select which image from a multi-OS image to show
   oc image info library/busybox:latest --filter-by-os=linux/arm64
 ----
@@ -1702,57 +1702,55 @@ Display information about an image
 == oc image mirror
 Mirror images from one repository to another
 
-include::snippets/osd-aws-example-only.adoc[]
-
 .Example usage
 [source,bash,options="nowrap"]
 ----
   # Copy image to another tag
   oc image mirror myregistry.com/myimage:latest myregistry.com/myimage:stable
-
+  
   # Copy image to another registry
   oc image mirror myregistry.com/myimage:latest docker.io/myrepository/myimage:stable
-
+  
   # Copy all tags starting with mysql to the destination repository
   oc image mirror myregistry.com/myimage:mysql* docker.io/myrepository/myimage
-
+  
   # Copy image to disk, creating a directory structure that can be served as a registry
   oc image mirror myregistry.com/myimage:latest file://myrepository/myimage:latest
-
+  
   # Copy image to S3 (pull from <bucket>.s3.amazonaws.com/image:latest)
   oc image mirror myregistry.com/myimage:latest s3://s3.amazonaws.com/<region>/<bucket>/image:latest
-
+  
   # Copy image to S3 without setting a tag (pull via @<digest>)
   oc image mirror myregistry.com/myimage:latest s3://s3.amazonaws.com/<region>/<bucket>/image
-
+  
   # Copy image to multiple locations
   oc image mirror myregistry.com/myimage:latest docker.io/myrepository/myimage:stable \
   docker.io/myrepository/myimage:dev
-
+  
   # Copy multiple images
   oc image mirror myregistry.com/myimage:latest=myregistry.com/other:test \
   myregistry.com/myimage:new=myregistry.com/other:target
-
+  
   # Copy manifest list of a multi-architecture image, even if only a single image is found
   oc image mirror myregistry.com/myimage:latest=myregistry.com/other:test \
   --keep-manifest-list=true
-
+  
   # Copy specific os/arch manifest of a multi-architecture image
   # Run 'oc image info myregistry.com/myimage:latest' to see available os/arch for multi-arch images
   # Note that with multi-arch images, this results in a new manifest list digest that includes only
   # the filtered manifests
   oc image mirror myregistry.com/myimage:latest=myregistry.com/other:test \
   --filter-by-os=os/arch
-
+  
   # Copy all os/arch manifests of a multi-architecture image
   # Run 'oc image info myregistry.com/myimage:latest' to see list of os/arch manifests that will be mirrored
   oc image mirror myregistry.com/myimage:latest=myregistry.com/other:test \
   --keep-manifest-list=true
-
+  
   # Note the above command is equivalent to
   oc image mirror myregistry.com/myimage:latest=myregistry.com/other:test \
   --filter-by-os=.*
-
+  
   # Copy specific os/arch manifest of a multi-architecture image
   # Run 'oc image info myregistry.com/myimage:latest' to see available os/arch for multi-arch images
   # Note that the target registry may reject a manifest list if the platform specific images do not all
@@ -1772,22 +1770,22 @@ Import images from a container image registry
 ----
   # Import tag latest into a new image stream
   oc import-image mystream --from=registry.io/repo/image:latest --confirm
-
+  
   # Update imported data for tag latest in an already existing image stream
   oc import-image mystream
-
+  
   # Update imported data for tag stable in an already existing image stream
   oc import-image mystream:stable
-
+  
   # Update imported data for all tags in an existing image stream
   oc import-image mystream --all
-
+  
   # Update imported data for a tag that points to a manifest list to include the full manifest list
   oc import-image mystream --import-mode=PreserveOriginal
-
+  
   # Import all tags into a new image stream
   oc import-image mystream --from=registry.io/repo/image --all --confirm
-
+  
   # Import all tags into a new image stream using a custom timeout
   oc --request-timeout=5m import-image mystream --from=registry.io/repo/image --all --confirm
 ----
@@ -1802,10 +1800,10 @@ Build a kustomization target from a directory or URL
 ----
   # Build the current working directory
   oc kustomize
-
+  
   # Build some shared configuration directory
   oc kustomize /home/config/production
-
+  
   # Build from github
   oc kustomize https://github.com/kubernetes-sigs/kustomize.git/examples/helloWorld?ref=v1.0.6
 ----
@@ -1820,19 +1818,19 @@ Update the labels on a resource
 ----
   # Update pod 'foo' with the label 'unhealthy' and the value 'true'
   oc label pods foo unhealthy=true
-
+  
   # Update pod 'foo' with the label 'status' and the value 'unhealthy', overwriting any existing value
   oc label --overwrite pods foo status=unhealthy
-
+  
   # Update all pods in the namespace
   oc label pods --all status=unhealthy
-
+  
   # Update a pod identified by the type and name in "pod.json"
   oc label -f pod.json status=unhealthy
-
+  
   # Update pod 'foo' only if the resource is unchanged from version 1
   oc label pods foo status=unhealthy --resource-version=1
-
+  
   # Update pod 'foo' by removing a label named 'bar' if it exists
   # Does not require the --overwrite flag
   oc label pods foo bar-
@@ -1848,50 +1846,21 @@ Log in to a server
 ----
   # Log in interactively
   oc login --username=myuser
-
+  
   # Log in to the given server with the given certificate authority file
   oc login localhost:8443 --certificate-authority=/path/to/cert.crt
-
+  
   # Log in to the given server with the given credentials (will not prompt interactively)
   oc login localhost:8443 --username=myuser --password=mypass
-
+  
   # Log in to the given server through a browser
   oc login localhost:8443 --web --callback-port 8280
-
-ifdef::openshift-dedicated,openshift-rosa[]
+  
   # Log in to the external OIDC issuer through Auth Code + PKCE by starting a local server listening port 8080
-  oc login --exec-plugin=oc-oidc --issuer-url=<issuer_url> --client-id=<client_id> --extra-scopes=email,profile --callback-port=8080
-
-  # Log in with an external OIDC if the external OIDC certificate is not publically trusted
-  oc login --exec-plugin=oc-oidc --issuer-url=<issuer_url> --client-id=<client_id> --extra-scopes=email --callback-port=8080 --oidc-certificate-authority <CA for external OIDC certificate>
-endif::openshift-dedicated,openshift-rosa[]  
+  oc login localhost:8443 --exec-plugin=oc-oidc --client-id=client-id --extra-scopes=email,profile --callback-port=8080
 ----
 
-ifdef::openshift-dedicated,openshift-rosa[]
-.Arguments
-[cols="30,70"]
-|===
-|Option |Definition
-
-|`--exec-plugin`
-|Specifies the type of exec plugin credentials used to authenticate the external OIDC issuer. Currently, only `oc-oidc` is supported.
-
-|`--issuer-url`
-|Issuer URL for the external issuer. Required.
-
-|`--client-id`
-|Client ID for the external OIDC issuer. Only supports Auth Code and PKCE. Required.
-
-|`--extra-scopes`
-|Extra scopes for the external OIDC issuer. Optional.
-
-|`--callback-port`
-|The port that the callback server is redirected to after authentication flow is complete. The default is any random, open port.
 
-|`--oidc-certificate-authority`
-|Path to a certificate file for the external OIDC certificate authority.
-|===
-endif::openshift-dedicated,openshift-rosa[]
 
 == oc logout
 End the current server session
@@ -1913,18 +1882,18 @@ Print the logs for a container in a pod
 ----
   # Start streaming the logs of the most recent build of the openldap build config
   oc logs -f bc/openldap
-
+  
   # Start streaming the logs of the latest deployment of the mysql deployment config
   oc logs -f dc/mysql
-
+  
   # Get the logs of the first deployment for the mysql deployment config. Note that logs
   # from older deployments may not exist either because the deployment was successful
   # or due to deployment pruning or manual deletion of the deployment
   oc logs --version=1 dc/mysql
-
+  
   # Return a snapshot of ruby-container logs from pod backend
   oc logs backend -c ruby-container
-
+  
   # Start streaming of ruby-container logs from pod backend
   oc logs -f pod/backend -c ruby-container
 ----
@@ -1939,47 +1908,47 @@ Create a new application
 ----
   # List all local templates and image streams that can be used to create an app
   oc new-app --list
-
+  
   # Create an application based on the source code in the current git repository (with a public remote) and a container image
   oc new-app . --image=registry/repo/langimage
-
+  
   # Create an application myapp with Docker based build strategy expecting binary input
   oc new-app  --strategy=docker --binary --name myapp
-
+  
   # Create a Ruby application based on the provided [image]~[source code] combination
   oc new-app centos/ruby-25-centos7~https://github.com/sclorg/ruby-ex.git
-
+  
   # Use the public container registry MySQL image to create an app. Generated artifacts will be labeled with db=mysql
   oc new-app mysql MYSQL_USER=user MYSQL_PASSWORD=pass MYSQL_DATABASE=testdb -l db=mysql
-
+  
   # Use a MySQL image in a private registry to create an app and override application artifacts' names
   oc new-app --image=myregistry.com/mycompany/mysql --name=private
-
+  
   # Use an image with the full manifest list to create an app and override application artifacts' names
   oc new-app --image=myregistry.com/mycompany/image --name=private --import-mode=PreserveOriginal
-
+  
   # Create an application from a remote repository using its beta4 branch
   oc new-app https://github.com/openshift/ruby-hello-world#beta4
-
+  
   # Create an application based on a stored template, explicitly setting a parameter value
   oc new-app --template=ruby-helloworld-sample --param=MYSQL_USER=admin
-
+  
   # Create an application from a remote repository and specify a context directory
   oc new-app https://github.com/youruser/yourgitrepo --context-dir=src/build
-
+  
   # Create an application from a remote private repository and specify which existing secret to use
   oc new-app https://github.com/youruser/yourgitrepo --source-secret=yoursecret
-
+  
   # Create an application based on a template file, explicitly setting a parameter value
   oc new-app --file=./example/myapp/template.json --param=MYSQL_USER=admin
-
+  
   # Search all templates, image streams, and container images for the ones that match "ruby"
   oc new-app --search ruby
-
+  
   # Search for "ruby", but only in stored templates (--template, --image-stream and --image
   # can be used to filter search results)
   oc new-app --search --template=ruby
-
+  
   # Search for "ruby" in stored templates and print the output as YAML
   oc new-app --search --template=ruby --output=yaml
 ----
@@ -1995,31 +1964,31 @@ Create a new build configuration
   # Create a build config based on the source code in the current git repository (with a public
   # remote) and a container image
   oc new-build . --image=repo/langimage
-
+  
   # Create a NodeJS build config based on the provided [image]~[source code] combination
   oc new-build centos/nodejs-8-centos7~https://github.com/sclorg/nodejs-ex.git
-
+  
   # Create a build config from a remote repository using its beta2 branch
   oc new-build https://github.com/openshift/ruby-hello-world#beta2
-
+  
   # Create a build config using a Dockerfile specified as an argument
   oc new-build -D $'FROM centos:7\nRUN yum install -y httpd'
-
+  
   # Create a build config from a remote repository and add custom environment variables
   oc new-build https://github.com/openshift/ruby-hello-world -e RACK_ENV=development
-
+  
   # Create a build config from a remote private repository and specify which existing secret to use
   oc new-build https://github.com/youruser/yourgitrepo --source-secret=yoursecret
-
+  
   # Create a build config using  an image with the full manifest list to create an app and override application artifacts' names
   oc new-build --image=myregistry.com/mycompany/image --name=private --import-mode=PreserveOriginal
-
+  
   # Create a build config from a remote repository and inject the npmrc into a build
   oc new-build https://github.com/openshift/ruby-hello-world --build-secret npmrc:.npmrc
-
+  
   # Create a build config from a remote repository and inject environment data into a build
   oc new-build https://github.com/openshift/ruby-hello-world --build-config-map env:config
-
+  
   # Create a build config that gets its input from a remote repository and another container image
   oc new-build https://github.com/openshift/ruby-hello-world --source-image=openshift/jenkins-1-centos7 --source-image-path=/var/lib/jenkins:tmp
 ----
@@ -2034,7 +2003,7 @@ Request a new project
 ----
   # Create a new project with minimal information
   oc new-project web-team-dev
-
+  
   # Create a new project with a display name and description
   oc new-project web-team-dev --display-name="Web Team Development" --description="Development project for the web team."
 ----
@@ -2049,10 +2018,10 @@ Observe changes to resources and react to them (experimental)
 ----
   # Observe changes to services
   oc observe services
-
+  
   # Observe changes to services, including the clusterIP and invoke a script for each
   oc observe services --template '{ .spec.clusterIP }' -- register_dns.sh
-
+  
   # Observe changes to services filtered by a label selector
   oc observe services -l regist-dns=true --template '{ .spec.clusterIP }' -- register_dns.sh
 ----
@@ -2067,19 +2036,19 @@ Update fields of a resource
 ----
   # Partially update a node using a strategic merge patch, specifying the patch as JSON
   oc patch node k8s-node-1 -p '{"spec":{"unschedulable":true}}'
-
+  
   # Partially update a node using a strategic merge patch, specifying the patch as YAML
   oc patch node k8s-node-1 -p $'spec:\n unschedulable: true'
-
+  
   # Partially update a node identified by the type and name specified in "node.json" using strategic merge patch
   oc patch -f node.json -p '{"spec":{"unschedulable":true}}'
-
+  
   # Update a container's image; spec.containers[*].name is required because it's a merge key
   oc patch pod valid-pod -p '{"spec":{"containers":[{"name":"kubernetes-serve-hostname","image":"new image"}]}}'
-
+  
   # Update a container's image using a JSON patch with positional arrays
   oc patch pod valid-pod --type='json' -p='[{"op": "replace", "path": "/spec/containers/0/image", "value":"new image"}]'
-
+  
   # Update a deployment's replicas through the 'scale' subresource using a merge patch
   oc patch deployment nginx-deployment --subresource='scale' --type='merge' -p '{"spec":{"replicas":2}}'
 ----
@@ -2106,7 +2075,7 @@ Add a role to users or service accounts for the current project
 ----
   # Add the 'view' role to user1 for the current project
   oc policy add-role-to-user view user1
-
+  
   # Add the 'edit' role to serviceaccount1 for the current project
   oc policy add-role-to-user edit -z serviceaccount1
 ----
@@ -2122,13 +2091,13 @@ Check which service account can create a pod
   # Check whether service accounts sa1 and sa2 can admit a pod with a template pod spec specified in my_resource.yaml
   # Service Account specified in myresource.yaml file is ignored
   oc policy scc-review -z sa1,sa2 -f my_resource.yaml
-
+  
   # Check whether service accounts system:serviceaccount:bob:default can admit a pod with a template pod spec specified in my_resource.yaml
   oc policy scc-review -z system:serviceaccount:bob:default -f my_resource.yaml
-
+  
   # Check whether the service account specified in my_resource_with_sa.yaml can admit the pod
   oc policy scc-review -f my_resource_with_sa.yaml
-
+  
   # Check whether the default service account can admit the pod; default is taken since no service account is defined in myresource_with_no_sa.yaml
   oc policy scc-review -f myresource_with_no_sa.yaml
 ----
@@ -2143,10 +2112,10 @@ Check whether a user or a service account can create a pod
 ----
   # Check whether user bob can create a pod specified in myresource.yaml
   oc policy scc-subject-review -u bob -f myresource.yaml
-
+  
   # Check whether user bob who belongs to projectAdmin group can create a pod specified in myresource.yaml
   oc policy scc-subject-review -u bob -g projectAdmin -f myresource.yaml
-
+  
   # Check whether a service account specified in the pod template spec in myresourcewithsa.yaml can create the pod
   oc policy scc-subject-review -f myresourcewithsa.yaml
 ----
@@ -2161,22 +2130,22 @@ Forward one or more local ports to a pod
 ----
   # Listen on ports 5000 and 6000 locally, forwarding data to/from ports 5000 and 6000 in the pod
   oc port-forward pod/mypod 5000 6000
-
+  
   # Listen on ports 5000 and 6000 locally, forwarding data to/from ports 5000 and 6000 in a pod selected by the deployment
   oc port-forward deployment/mydeployment 5000 6000
-
+  
   # Listen on port 8443 locally, forwarding to the targetPort of the service's port named "https" in a pod selected by the service
   oc port-forward service/myservice 8443:https
-
+  
   # Listen on port 8888 locally, forwarding to 5000 in the pod
   oc port-forward pod/mypod 8888:5000
-
+  
   # Listen on port 8888 on all addresses, forwarding to 5000 in the pod
   oc port-forward --address 0.0.0.0 pod/mypod 8888:5000
-
+  
   # Listen on port 8888 on localhost and selected IP, forwarding to 5000 in the pod
   oc port-forward --address localhost,10.19.21.23 pod/mypod 8888:5000
-
+  
   # Listen on a random port locally, forwarding to 5000 in the pod
   oc port-forward pod/mypod :5000
 ----
@@ -2191,22 +2160,22 @@ Process a template into list of resources
 ----
   # Convert the template.json file into a resource list and pass to create
   oc process -f template.json | oc create -f -
-
+  
   # Process a file locally instead of contacting the server
   oc process -f template.json --local -o yaml
-
+  
   # Process template while passing a user-defined label
   oc process -f template.json -l name=mytemplate
-
+  
   # Convert a stored template into a resource list
   oc process foo
-
+  
   # Convert a stored template into a resource list by setting/overriding parameter values
   oc process foo PARM1=VALUE1 PARM2=VALUE2
-
+  
   # Convert a template stored in different namespace into a resource list
   oc process openshift//foo
-
+  
   # Convert template.json into a resource list
   cat template.json | oc process -f -
 ----
@@ -2221,7 +2190,7 @@ Switch to another project
 ----
   # Switch to the 'myapp' project
   oc project myapp
-
+  
   # Display the project currently in use
   oc project
 ----
@@ -2248,22 +2217,22 @@ Run a proxy to the Kubernetes API server
 ----
   # To proxy all of the Kubernetes API and nothing else
   oc proxy --api-prefix=/
-
+  
   # To proxy only part of the Kubernetes API and also some static files
   # You can get pods info with 'curl localhost:8001/api/v1/pods'
   oc proxy --www=/my/files --www-prefix=/static/ --api-prefix=/api/
-
+  
   # To proxy the entire Kubernetes API at a different root
   # You can get pods info with 'curl localhost:8001/custom/api/v1/pods'
   oc proxy --api-prefix=/custom/
-
+  
   # Run a proxy to the Kubernetes API server on port 8011, serving static content from ./local/www/
   oc proxy --port=8011 --www=./local/www/
-
+  
   # Run a proxy to the Kubernetes API server on an arbitrary local port
   # The chosen port for the server will be output to stdout
   oc proxy --port=0
-
+  
   # Run a proxy to the Kubernetes API server, changing the API prefix to k8s-api
   # This makes e.g. the pods API available at localhost:8001/k8s-api/v1/pods/
   oc proxy --api-prefix=/k8s-api
@@ -2279,7 +2248,7 @@ Log in to the integrated registry
 ----
   # Log in to the integrated registry
   oc registry login
-
+  
   # Log in to different registry using BASIC auth credentials
   oc registry login --registry quay.io/myregistry --auth-basic=USER:PASS
 ----
@@ -2294,13 +2263,13 @@ Replace a resource by file name or stdin
 ----
   # Replace a pod using the data in pod.json
   oc replace -f ./pod.json
-
+  
   # Replace a pod based on the JSON passed into stdin
   cat pod.json | oc replace -f -
-
+  
   # Update a single-container pod's image version (tag) to v4
   oc get pod mypod -o yaml | sed 's/\(image: myimage\):.*$/\1:v4/' | oc replace -f -
-
+  
   # Force replace, delete and then re-create the resource
   oc replace --force -f ./pod.json
 ----
@@ -2315,16 +2284,16 @@ Revert part of an application back to a previous deployment
 ----
   # Perform a rollback to the last successfully completed deployment for a deployment config
   oc rollback frontend
-
+  
   # See what a rollback to version 3 will look like, but do not perform the rollback
   oc rollback frontend --to-version=3 --dry-run
-
+  
   # Perform a rollback to a specific deployment
   oc rollback frontend-2
-
+  
   # Perform the rollback manually by piping the JSON of the new config back to oc
   oc rollback frontend -o json | oc replace dc/frontend -f -
-
+  
   # Print the updated deployment configuration in JSON format instead of performing the rollback
   oc rollback frontend -o json
 ----
@@ -2351,7 +2320,7 @@ View rollout history
 ----
   # View the rollout history of a deployment
   oc rollout history dc/nginx
-
+  
   # View the details of deployment revision 3
   oc rollout history dc/nginx --revision=3
 ----
@@ -2366,7 +2335,7 @@ Start a new rollout for a deployment config with the latest state from its trigg
 ----
   # Start a new rollout based on the latest images defined in the image change triggers
   oc rollout latest dc/nginx
-
+  
   # Print the rolled out deployment config
   oc rollout latest dc/nginx -o json
 ----
@@ -2393,12 +2362,15 @@ Restart a resource
 .Example usage
 [source,bash,options="nowrap"]
 ----
+  # Restart all deployments in test-namespace namespace
+  oc rollout restart deployment -n test-namespace
+  
   # Restart a deployment
   oc rollout restart deployment/nginx
-
+  
   # Restart a daemon set
   oc rollout restart daemonset/abc
-
+  
   # Restart deployments with the app=nginx label
   oc rollout restart deployment --selector=app=nginx
 ----
@@ -2450,7 +2422,7 @@ Undo a previous rollout
 ----
   # Roll back to the previous deployment
   oc rollout undo dc/nginx
-
+  
   # Roll back to deployment revision 3. The replication controller for that version must exist
   oc rollout undo dc/nginx --to-revision=3
 ----
@@ -2465,17 +2437,17 @@ Start a shell session in a container
 ----
   # Open a shell session on the first container in pod 'foo'
   oc rsh foo
-
+  
   # Open a shell session on the first container in pod 'foo' and namespace 'bar'
   # (Note that oc client specific arguments must come before the resource name and its arguments)
   oc rsh -n bar foo
-
+  
   # Run the command 'cat /etc/resolv.conf' inside pod 'foo'
   oc rsh foo cat /etc/resolv.conf
-
+  
   # See the configuration of your internal registry
   oc rsh dc/docker-registry cat config.yml
-
+  
   # Open a shell session on the container named 'index' inside a pod of your job
   oc rsh -c index job/scheduled
 ----
@@ -2490,7 +2462,7 @@ Copy files between a local file system and a pod
 ----
   # Synchronize a local directory with a pod directory
   oc rsync ./local/dir/ POD:/remote/dir
-
+  
   # Synchronize a pod directory with a local directory
   oc rsync POD:/remote/dir/ ./local/dir
 ----
@@ -2505,28 +2477,28 @@ Run a particular image on the cluster
 ----
   # Start a nginx pod
   oc run nginx --image=nginx
-
+  
   # Start a hazelcast pod and let the container expose port 5701
   oc run hazelcast --image=hazelcast/hazelcast --port=5701
-
+  
   # Start a hazelcast pod and set environment variables "DNS_DOMAIN=cluster" and "POD_NAMESPACE=default" in the container
   oc run hazelcast --image=hazelcast/hazelcast --env="DNS_DOMAIN=cluster" --env="POD_NAMESPACE=default"
-
+  
   # Start a hazelcast pod and set labels "app=hazelcast" and "env=prod" in the container
   oc run hazelcast --image=hazelcast/hazelcast --labels="app=hazelcast,env=prod"
-
+  
   # Dry run; print the corresponding API objects without creating them
   oc run nginx --image=nginx --dry-run=client
-
+  
   # Start a nginx pod, but overload the spec with a partial set of values parsed from JSON
   oc run nginx --image=nginx --overrides='{ "apiVersion": "v1", "spec": { ... } }'
-
+  
   # Start a busybox pod and keep it in the foreground, don't restart it if it exits
   oc run -i -t busybox --image=busybox --restart=Never
-
+  
   # Start the nginx pod using the default command, but use custom arguments (arg1 .. argN) for that command
   oc run nginx --image=nginx -- <arg1> <arg2> ... <argN>
-
+  
   # Start the nginx pod using a different command and custom arguments
   oc run nginx --image=nginx --command -- <cmd> <arg1> ... <argN>
 ----
@@ -2541,16 +2513,16 @@ Set a new size for a deployment, replica set, or replication controller
 ----
   # Scale a replica set named 'foo' to 3
   oc scale --replicas=3 rs/foo
-
+  
   # Scale a resource identified by type and name specified in "foo.yaml" to 3
   oc scale --replicas=3 -f foo.yaml
-
+  
   # If the deployment named mysql's current size is 2, scale mysql to 3
   oc scale --current-replicas=2 --replicas=3 deployment/mysql
-
+  
   # Scale multiple replication controllers
   oc scale --replicas=5 rc/example1 rc/example2 rc/example3
-
+  
   # Scale stateful set named 'web' to 3
   oc scale --replicas=3 statefulset/web
 ----
@@ -2565,7 +2537,7 @@ Link secrets to a service account
 ----
   # Add an image pull secret to a service account to automatically use it for pulling pod images
   oc secrets link serviceaccount-name pull-secret --for=pull
-
+  
   # Add an image pull secret to a service account to automatically use it for both pulling and pushing build images
   oc secrets link builder builder-image-secret --for=pull,mount
 ----
@@ -2592,10 +2564,10 @@ Update a build hook on a build config
 ----
   # Clear post-commit hook on a build config
   oc set build-hook bc/mybuild --post-commit --remove
-
+  
   # Set the post-commit hook to execute a test suite using a new entrypoint
   oc set build-hook bc/mybuild --post-commit --command -- /bin/bash -c /var/lib/test-image.sh
-
+  
   # Set the post-commit hook to execute a shell script
   oc set build-hook bc/mybuild --post-commit --script="/var/lib/test-image.sh param1 param2 && /var/lib/done.sh"
 ----
@@ -2610,13 +2582,13 @@ Update a build secret on a build config
 ----
   # Clear the push secret on a build config
   oc set build-secret --push --remove bc/mybuild
-
+  
   # Set the pull secret on a build config
   oc set build-secret --pull bc/mybuild mysecret
-
+  
   # Set the push and pull secret on a build config
   oc set build-secret --push --pull bc/mybuild mysecret
-
+  
   # Set the source secret on a set of build configs matching a selector
   oc set build-secret --source -l app=myapp gitsecret
 ----
@@ -2631,13 +2603,13 @@ Update the data within a config map or secret
 ----
   # Set the 'password' key of a secret
   oc set data secret/foo password=this_is_secret
-
+  
   # Remove the 'password' key from a secret
   oc set data secret/foo password-
-
+  
   # Update the 'haproxy.conf' key of a config map from a file on disk
   oc set data configmap/bar --from-file=../haproxy.conf
-
+  
   # Update a secret with the contents of a directory, one key per file
   oc set data secret/foo --from-file=secret-dir
 ----
@@ -2652,11 +2624,11 @@ Update a deployment hook on a deployment config
 ----
   # Clear pre and post hooks on a deployment config
   oc set deployment-hook dc/myapp --remove --pre --post
-
+  
   # Set the pre deployment hook to execute a db migration command for an application
   # using the data volume from the application
   oc set deployment-hook dc/myapp --pre --volumes=data -- /var/lib/migrate-db.sh
-
+  
   # Set a mid deployment hook along with additional environment variables
   oc set deployment-hook dc/myapp --mid --volumes=data -e VAR1=value1 -e VAR2=value2 -- /var/lib/prepare-deploy.sh
 ----
@@ -2671,32 +2643,32 @@ Update environment variables on a pod template
 ----
   # Update deployment config 'myapp' with a new environment variable
   oc set env dc/myapp STORAGE_DIR=/local
-
+  
   # List the environment variables defined on a build config 'sample-build'
   oc set env bc/sample-build --list
-
+  
   # List the environment variables defined on all pods
   oc set env pods --all --list
-
+  
   # Output modified build config in YAML
   oc set env bc/sample-build STORAGE_DIR=/data -o yaml
-
+  
   # Update all containers in all replication controllers in the project to have ENV=prod
   oc set env rc --all ENV=prod
-
+  
   # Import environment from a secret
   oc set env --from=secret/mysecret dc/myapp
-
+  
   # Import environment from a config map with a prefix
   oc set env --from=configmap/myconfigmap --prefix=MYSQL_ dc/myapp
-
+  
   # Remove the environment variable ENV from container 'c1' in all deployment configs
   oc set env dc --all --containers="c1" ENV-
-
+  
   # Remove the environment variable ENV from a deployment config definition on disk and
   # update the deployment config on the server
   oc set env -f dc.json ENV-
-
+  
   # Set some of the local shell environment into a deployment config on the server
   oc set env | grep RAILS_ | oc env -e - dc/myapp
 ----
@@ -2711,16 +2683,16 @@ Update the image of a pod template
 ----
   # Set a deployment config's nginx container image to 'nginx:1.9.1', and its busybox container image to 'busybox'.
   oc set image dc/nginx busybox=busybox nginx=nginx:1.9.1
-
+  
   # Set a deployment config's app container image to the image referenced by the imagestream tag 'openshift/ruby:2.3'.
   oc set image dc/myapp app=openshift/ruby:2.3 --source=imagestreamtag
-
+  
   # Update all deployments' and rc's nginx container's image to 'nginx:1.9.1'
   oc set image deployments,rc nginx=nginx:1.9.1 --all
-
+  
   # Update image of all containers of daemonset abc to 'nginx:1.9.1'
   oc set image daemonset abc *=nginx:1.9.1
-
+  
   # Print result (in YAML format) of updating nginx container image from local file, without hitting the server
   oc set image -f path/to/file.yaml nginx=nginx:1.9.1 --local -o yaml
 ----
@@ -2735,19 +2707,19 @@ Change how images are resolved when deploying applications
 ----
   # Print all of the image streams and whether they resolve local names
   oc set image-lookup
-
+  
   # Use local name lookup on image stream mysql
   oc set image-lookup mysql
-
+  
   # Force a deployment to use local name lookup
   oc set image-lookup deploy/mysql
-
+  
   # Show the current status of the deployment lookup
   oc set image-lookup deploy/mysql --list
-
+  
   # Disable local name lookup on image stream mysql
   oc set image-lookup mysql --enabled=false
-
+  
   # Set local name lookup on all image streams
   oc set image-lookup --all
 ----
@@ -2762,22 +2734,22 @@ Update a probe on a pod template
 ----
   # Clear both readiness and liveness probes off all containers
   oc set probe dc/myapp --remove --readiness --liveness
-
+  
   # Set an exec action as a liveness probe to run 'echo ok'
   oc set probe dc/myapp --liveness -- echo ok
-
+  
   # Set a readiness probe to try to open a TCP socket on 3306
   oc set probe rc/mysql --readiness --open-tcp=3306
-
+  
   # Set an HTTP startup probe for port 8080 and path /healthz over HTTP on the pod IP
   oc set probe dc/webapp --startup --get-url=http://:8080/healthz
-
+  
   # Set an HTTP readiness probe for port 8080 and path /healthz over HTTP on the pod IP
   oc set probe dc/webapp --readiness --get-url=http://:8080/healthz
-
+  
   # Set an HTTP readiness probe over HTTPS on 127.0.0.1 for a hostNetwork pod
   oc set probe dc/router --readiness --get-url=https://127.0.0.1:1936/stats
-
+  
   # Set only the initial-delay-seconds field on all deployments
   oc set probe dc --all --readiness --initial-delay-seconds=30
 ----
@@ -2792,13 +2764,13 @@ Update resource requests/limits on objects with pod templates
 ----
   # Set a deployments nginx container CPU limits to "200m and memory to 512Mi"
   oc set resources deployment nginx -c=nginx --limits=cpu=200m,memory=512Mi
-
+  
   # Set the resource request and limits for all containers in nginx
   oc set resources deployment nginx --limits=cpu=200m,memory=512Mi --requests=cpu=100m,memory=256Mi
-
+  
   # Remove the resource requests for resources on containers in nginx
   oc set resources deployment nginx --limits=cpu=0,memory=0 --requests=cpu=0,memory=0
-
+  
   # Print the result (in YAML format) of updating nginx container limits locally, without hitting the server
   oc set resources -f path/to/file.yaml --limits=cpu=200m,memory=512Mi --local -o yaml
 ----
@@ -2813,19 +2785,19 @@ Update the backends for a route
 ----
   # Print the backends on the route 'web'
   oc set route-backends web
-
+  
   # Set two backend services on route 'web' with 2/3rds of traffic going to 'a'
   oc set route-backends web a=2 b=1
-
+  
   # Increase the traffic percentage going to b by 10%% relative to a
   oc set route-backends web --adjust b=+10%%
-
+  
   # Set traffic percentage going to b to 10%% of the traffic going to a
   oc set route-backends web --adjust b=10%%
-
+  
   # Set weight of b to 10
   oc set route-backends web --adjust b=10
-
+  
   # Set the weight to all backends to zero
   oc set route-backends web --zero
 ----
@@ -2853,7 +2825,7 @@ Update the service account of a resource
 ----
   # Set deployment nginx-deployment's service account to serviceaccount1
   oc set serviceaccount deployment nginx-deployment serviceaccount1
-
+  
   # Print the result (in YAML format) of updated nginx deployment with service account from a local file, without hitting the API server
   oc set sa -f nginx-deployment.yaml serviceaccount1 --local --dry-run -o yaml
 ----
@@ -2868,10 +2840,10 @@ Update the user, group, or service account in a role binding or cluster role bin
 ----
   # Update a cluster role binding for serviceaccount1
   oc set subject clusterrolebinding admin --serviceaccount=namespace:serviceaccount1
-
+  
   # Update a role binding for user1, user2, and group1
   oc set subject rolebinding admin --user=user1 --user=user2 --group=group1
-
+  
   # Print the result (in YAML format) of updating role binding subjects locally, without hitting the server
   oc create rolebinding admin --role=admin --user=admin -o yaml --dry-run | oc set subject --local -f - --user=foo -o yaml
 ----
@@ -2886,26 +2858,26 @@ Update the triggers on one or more objects
 ----
   # Print the triggers on the deployment config 'myapp'
   oc set triggers dc/myapp
-
+  
   # Set all triggers to manual
   oc set triggers dc/myapp --manual
-
+  
   # Enable all automatic triggers
   oc set triggers dc/myapp --auto
-
+  
   # Reset the GitHub webhook on a build to a new, generated secret
   oc set triggers bc/webapp --from-github
   oc set triggers bc/webapp --from-webhook
-
+  
   # Remove all triggers
   oc set triggers bc/webapp --remove-all
-
+  
   # Stop triggering on config change
   oc set triggers dc/myapp --from-config --remove
-
+  
   # Add an image trigger to a build config
   oc set triggers bc/webapp --from-image=namespace1/image:latest
-
+  
   # Add an image trigger to a stateful set on the main container
   oc set triggers statefulset/db --from-image=namespace1/image:latest -c main
 ----
@@ -2920,27 +2892,27 @@ Update volumes on a pod template
 ----
   # List volumes defined on all deployment configs in the current project
   oc set volume dc --all
-
+  
   # Add a new empty dir volume to deployment config (dc) 'myapp' mounted under
   # /var/lib/myapp
   oc set volume dc/myapp --add --mount-path=/var/lib/myapp
-
+  
   # Use an existing persistent volume claim (PVC) to overwrite an existing volume 'v1'
   oc set volume dc/myapp --add --name=v1 -t pvc --claim-name=pvc1 --overwrite
-
+  
   # Remove volume 'v1' from deployment config 'myapp'
   oc set volume dc/myapp --remove --name=v1
-
+  
   # Create a new persistent volume claim that overwrites an existing volume 'v1'
   oc set volume dc/myapp --add --name=v1 -t pvc --claim-size=1G --overwrite
-
+  
   # Change the mount point for volume 'v1' to /data
   oc set volume dc/myapp --add --name=v1 -m /data --overwrite
-
+  
   # Modify the deployment config by removing volume mount "v1" from container "c1"
   # (and by removing the volume "v1" if no other containers have volume mounts that reference it)
   oc set volume dc/myapp --remove --name=v1 --containers=c1
-
+  
   # Add new volume based on a more complex volume source (AWS EBS, GCE PD,
   # Ceph, Gluster, NFS, ISCSI, ...)
   oc set volume dc/myapp --add -m /data --source=<json-string>
@@ -2956,20 +2928,20 @@ Start a new build
 ----
   # Starts build from build config "hello-world"
   oc start-build hello-world
-
+  
   # Starts build from a previous build "hello-world-1"
   oc start-build --from-build=hello-world-1
-
+  
   # Use the contents of a directory as build input
   oc start-build hello-world --from-dir=src/
-
+  
   # Send the contents of a Git repository to the server from tag 'v2'
   oc start-build hello-world --from-repo=../hello-world --commit=v2
-
+  
   # Start a new build for build config "hello-world" and watch the logs until the build
   # completes or fails
   oc start-build hello-world --follow
-
+  
   # Start a new build for build config "hello-world" and wait until the build completes. It
   # exits with a non-zero return code if the build fails
   oc start-build hello-world --wait
@@ -2985,10 +2957,10 @@ Show an overview of the current project
 ----
   # See an overview of the current project
   oc status
-
+  
   # Export the overview of the current project in an svg file
   oc status -o dot | dot -T svg -o project.svg
-
+  
   # See an overview of the current project including details for any identified issues
   oc status --suggest
 ----
@@ -3003,19 +2975,19 @@ Tag existing images into image streams
 ----
   # Tag the current image for the image stream 'openshift/ruby' and tag '2.0' into the image stream 'yourproject/ruby with tag 'tip'
   oc tag openshift/ruby:2.0 yourproject/ruby:tip
-
+  
   # Tag a specific image
   oc tag openshift/ruby@sha256:6b646fa6bf5e5e4c7fa41056c27910e679c03ebe7f93e361e6515a9da7e258cc yourproject/ruby:tip
-
+  
   # Tag an external container image
   oc tag --source=docker openshift/origin-control-plane:latest yourproject/ruby:tip
-
+  
   # Tag an external container image and request pullthrough for it
   oc tag --source=docker openshift/origin-control-plane:latest yourproject/ruby:tip --reference-policy=local
-
+  
   # Tag an external container image and include the full manifest list
   oc tag --source=docker openshift/origin-control-plane:latest yourproject/ruby:tip --import-mode=PreserveOriginal
-
+  
   # Remove the specified spec tag from an image stream
   oc tag openshift/origin-control-plane:latest -d
 ----
@@ -3030,10 +3002,10 @@ Print the client and server version information
 ----
   # Print the OpenShift client, kube-apiserver, and openshift-apiserver version information for the current context
   oc version
-
+  
   # Print the OpenShift client, kube-apiserver, and openshift-apiserver version numbers for the current context in json format
   oc version --output json
-
+  
   # Print the OpenShift client version information for the current context
   oc version --client
 ----
@@ -3048,16 +3020,19 @@ Experimental: Wait for a specific condition on one or many resources
 ----
   # Wait for the pod "busybox1" to contain the status condition of type "Ready"
   oc wait --for=condition=Ready pod/busybox1
-
+  
   # The default value of status condition is true; you can wait for other targets after an equal delimiter (compared after Unicode simple case folding, which is a more general form of case-insensitivity)
   oc wait --for=condition=Ready=false pod/busybox1
-
+  
   # Wait for the pod "busybox1" to contain the status phase to be "Running"
   oc wait --for=jsonpath='{.status.phase}'=Running pod/busybox1
-
+  
+  # Wait for pod "busybox1" to be Ready
+  oc wait --for='jsonpath={.status.conditions[?(@.type=="Ready")].status}=True' pod/busybox1
+  
   # Wait for the service "loadbalancer" to have ingress.
   oc wait --for=jsonpath='{.status.loadBalancer.ingress}' service/loadbalancer
-
+  
   # Wait for the pod "busybox1" to be deleted, with a timeout of 60s, after having issued the "delete" command
   oc delete pod/busybox1
   oc wait --for=delete pod/busybox1 --timeout=60s
@@ -3074,3 +3049,5 @@ Return information about the current session
   # Display the currently authenticated user
   oc whoami
 ----
+
+
diff --git a/modules/oc-mirror-IDMS-ITMS-about.adoc b/modules/oc-mirror-IDMS-ITMS-about.adoc
new file mode 100644
index 000000000000..2b822692306e
--- /dev/null
+++ b/modules/oc-mirror-IDMS-ITMS-about.adoc
@@ -0,0 +1,15 @@
+// Module included in the following assemblies:
+//
+// * installing/disconnected_install/installing-mirroring-disconnected-v2.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="oc-mirror-custom-resources-v2_{context}"]
+= About custom resources generated by v2
+
+With oc-mirror plugin v2, `ImageDigestMirrorSet` (IDMS) and `ImageTagMirrorSet` (ITMS) are generated by default if at least one image is found to which a tag refers. These sets contain mirrors for images referenced by digest or tag in releases, Operator catalogs and additional images.
+
+The `ImageDigestMirrorSet` (IDMS) links the mirror registry to the source registry and forwards image pull requests using digest specifications. The `ImagetagMirrorSet` (ITMS) resource, however, redirects image pull requests by using image tags.
+
+Operator Lifecycle Manager (OLM) uses the `CatalogSource` resource to retrieve information about the available Operators in the mirror registry.
+
+The OSUS service uses the `UpdateService` resource to provide Cincinnati graph to the disconnected environment.
\ No newline at end of file
diff --git a/modules/oc-mirror-building-image-set-config-v2.adoc b/modules/oc-mirror-building-image-set-config-v2.adoc
new file mode 100644
index 000000000000..673e8517a211
--- /dev/null
+++ b/modules/oc-mirror-building-image-set-config-v2.adoc
@@ -0,0 +1,32 @@
+// Module included in the following assemblies:
+//
+// * installing/disconnected_install/installing-mirroring-disconnected-v2.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="oc-mirror-building-image-set-config-v2_{context}"]
+= Building the image set configuration
+
+The oc-mirror plugin v2 uses the image set configuration as the input file to determine the required images for mirroring.
+
+.Example for the `ImageSetConfiguration` input file
+[source,yaml]
+----
+kind: ImageSetConfiguration
+apiVersion: mirror.openshift.io/v2alpha1
+mirror:
+  platform:
+    channels:
+    - name: stable-4.13
+      minVersion: 4.13.10
+      maxVersion: 4.13.10
+    graph: true
+  operators:
+    - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.15
+      packages:
+       - name: aws-load-balancer-operator
+       - name: 3scale-operator
+       - name: node-observability-operator
+  additionalImages: 
+   - name: registry.redhat.io/ubi8/ubi:latest
+   - name: registry.redhat.io/ubi9/ubi@sha256:20f695d2a91352d4eaa25107535126727b5945bff38ed36a3e59590f495046f0
+----
\ No newline at end of file
diff --git a/modules/oc-mirror-command-reference-v2.adoc b/modules/oc-mirror-command-reference-v2.adoc
new file mode 100644
index 000000000000..e63c74e7404b
--- /dev/null
+++ b/modules/oc-mirror-command-reference-v2.adoc
@@ -0,0 +1,80 @@
+// Module included in the following assemblies:
+//
+// * installing/disconnected_install/installing-mirroring-disconnected-v2.adoc
+
+
+:_mod-docs-content-type: REFERENCE
+[id="oc-mirror-command-reference-v2_{context}"]
+= Command reference for oc-mirror plugin v2
+
+The following tables describe the `oc mirror` subcommands and flags for oc-mirror plugin v2:
+
+.Subcommands and flags for the oc-mirror plugin v2:
+[cols="1,2",options="header"]
+|===
+|Subcommand
+|Description
+
+|`help`
+|Show help about any subcommand
+
+|`version`
+|Output the oc-mirror version
+
+|`delete`
+|Deletes images in remote registry and local cache.
+
+|===
+
+.oc mirror flags
+[cols="1,2",options="header"]
+|===
+|Flag
+|Description
+
+|`--authfile` 
+|Displays the string path of the authentication file. Default is `${XDG_RUNTIME_DIR}/containers/auth.json`.
+
+|`-c`, `--config` `<string>`
+|Specifies the path to an image set configuration file.
+
+|`--dest-tls-verify`
+|Requires HTTPS and verifies certificates when accessing the container registry or daemon.
+
+|`--dry-run`
+|Prints actions without mirroring images
+
+|`--from <string>`
+|Specifies the path to an image set archive that was generated by executing oc-mirror plugin v2 to load a target registry.
+
+|`-h`, `--help`
+|Displays help
+
+|`--loglevel` 
+|Displays string log levels. Supported values include info, debug, trace, error. The default is `info`.
+
+|`-p`, `--port` 
+|Determines the HTTP port used by oc-mirror plugin v2 local storage instance. The default is `55000`.
+
+|`--max-nested-paths <int>`
+|Specifies the maximum number of nested paths for destination registries that limit nested paths. The default is `0`.
+
+|`--secure-policy` 
+|Default value is `false`. If you set a non-default value, the command enables signature verification, which is the secure policy for signature verification.
+
+|`--since` 
+|Includes all new content since a specified date (format: `yyyy-mm-dd`). When not provided, new content since previous mirroring is mirrored.
+
+|`--src-tls-verify` 
+|Requires HTTPS and verifies certificates when accessing the container registry or daemon.
+
+|`--strict-archive` 
+|Default value is `false`. If you set a value, the command generates archives that are strictly less than the `archiveSize` that was set in the `imageSetConfig` custom resource (CR). Mirroring exist in error if a file being archived exceeds `archiveSize` (GB).
+
+|`-v`, `--version` 
+|Displays the version for oc-mirror plugin v2.
+
+|`--workspace` 
+|Determines string oc-mirror plugin v2 workspace where resources and internal artifacts are generated.
+
+|===
\ No newline at end of file
diff --git a/modules/oc-mirror-creating-image-set-config.adoc b/modules/oc-mirror-creating-image-set-config.adoc
index fbc04b196dac..41be6255994d 100644
--- a/modules/oc-mirror-creating-image-set-config.adoc
+++ b/modules/oc-mirror-creating-image-set-config.adoc
@@ -18,7 +18,7 @@ Do not delete or modify the metadata that is generated by the oc-mirror plugin.
 
 .Prerequisites
 
-* You have created a container image registry credentials file. For instructions, see _Configuring credentials that allow images to be mirrored_.
+* You have created a container image registry credentials file. For instructions, see "Configuring credentials that allow images to be mirrored".
 
 .Procedure
 
@@ -26,9 +26,9 @@ Do not delete or modify the metadata that is generated by the oc-mirror plugin.
 +
 [source,terminal]
 ----
-$ oc mirror init --registry example.com/mirror/oc-mirror-metadata > imageset-config.yaml <1>
+$ oc mirror init <--registry <storage_backend> > imageset-config.yaml <1>
 ----
-<1> Replace `example.com/mirror/oc-mirror-metadata` with the location of your registry for the storage backend.
+<1> Specifies the location of your storage backend, such as `example.com/mirror/oc-mirror-metadata`.
 
 . Edit the file and adjust the settings as necessary:
 +
@@ -72,7 +72,7 @@ mirror:
 The `graph: true` field also mirrors the `ubi-micro` image along with other mirrored images.
 ====
 +
-See _Image set configuration parameters_ for the full list of parameters and _Image set configuration examples_ for various mirroring use cases.
+See "Image set configuration parameters" for the full list of parameters and "Image set configuration examples" for various mirroring use cases.
 
 . Save the updated file.
 +
diff --git a/modules/oc-mirror-disk-to-mirror-v2.adoc b/modules/oc-mirror-disk-to-mirror-v2.adoc
new file mode 100644
index 000000000000..eef0be6a8495
--- /dev/null
+++ b/modules/oc-mirror-disk-to-mirror-v2.adoc
@@ -0,0 +1,30 @@
+// Module included in the following assemblies:
+//
+// * installing/disconnected_install/installing-mirroring-disconnected-v2.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="disk-mirror-v2_{context}"]
+== Mirroring from disk to mirror
+
+You can use the `oc-mirror` plugin v2 to mirror image sets from a disk to a target mirror registry.
+
+The `oc-mirror` plugin v2 retrieves container images from a local disk and transfers them to the specified mirror registry.
+
+.Procedure
+
+* Process the image set file on the disk and mirror the contents to a target mirror registry by running the following command:
++
+[source,terminal]
+----
+$ oc mirror -c isc.yaml --from file://<file_path> docker://<mirror_registry_url> --v2 <1>
+----
+<1> Specify the URL or address of the mirror registry where the images are stored and from which they need to be deleted.
+
+.Verification
+
+. Navigate to the `cluster-resources` directory within the `working-dir` directory that was generated in the `<file_path>` directory.
+. Verify that the YAML files are present for the `ImageDigestMirrorSet`, `ImageTagMirrorSet` and `CatalogSource` resources.
+
+.Next steps
+
+* Configure your cluster to use the resources generated by oc-mirror plugin v2.
\ No newline at end of file
diff --git a/modules/oc-mirror-dry-run-v2.adoc b/modules/oc-mirror-dry-run-v2.adoc
new file mode 100644
index 000000000000..c448e3ab65e5
--- /dev/null
+++ b/modules/oc-mirror-dry-run-v2.adoc
@@ -0,0 +1,55 @@
+// Module included in the following assemblies:
+//
+// * installing/disconnected_install/installing-mirroring-disconnected-v2.adoc
+
+
+:_mod-docs-content-type: PROCEDURE
+[id="oc-mirror-dry-run-v2_{context}"]
+= Performing dry run for oc-mirror plugin v2
+
+Verify your image set configuration by performing a dry run without mirroring any images. This ensures your setup is correct and prevents unintended changes.
+
+.Procedure
+
+* To perform a test run, run the `oc mirror` command and append the `--dry-run` argument to the command:
++
+[source,terminal]
+----
+$ oc mirror -c <image_set_config_yaml> --from file://<oc_mirror_workspace_path> docker://<mirror_registry_url> --dry-run --v2
+----
+Where:
+- `<image_set_config_yaml>`: Use the image set configuration file that you just created.
+- `<oc_mirror_workspace_path>`: Insert the address of the workspace path.
+- `<mirror_registry_url>`: Insert the URL or address of the remote container registry from which images will be deleted.
++
+.Example output
+[source,terminal]
+----
+$ oc mirror --config /tmp/isc_dryrun.yaml file://<oc_mirror_workspace_path> --dry-run --v2
+
+[INFO]   : :warning:  --v2 flag identified, flow redirected to the oc-mirror v2 version. This is Tech Preview, it is still under development and it is not production ready.
+[INFO]   : :wave: Hello, welcome to oc-mirror
+[INFO]   : :gear:  setting up the environment for you...
+[INFO]   : :twisted_rightwards_arrows: workflow mode: mirrorToDisk 
+[INFO]   : :sleuth_or_spy:  going to discover the necessary images...
+[INFO]   : :mag: collecting release images...
+[INFO]   : :mag: collecting operator images...
+[INFO]   : :mag: collecting additional images...
+[WARN]   : :warning:  54/54 images necessary for mirroring are not available in the cache.
+[WARN]   : List of missing images in : CLID-19/working-dir/dry-run/missing.txt.
+please re-run the mirror to disk process
+[INFO]   : :page_facing_up: list of all images for mirroring in : CLID-19/working-dir/dry-run/mapping.txt
+[INFO]   : mirror time     : 9.641091076s
+[INFO]   : :wave: Goodbye, thank you for using oc-mirror
+----
+
+.Verification
+
+. Navigate to the workspace directory that was generated:
++
+[source,terminal]
+----
+$ cd <oc_mirror_workspace_path>
+----
+
+. Review the `mapping.txt` and `missing.txt` files that were generated. These files contain a list of all images that would be mirrored.
\ No newline at end of file
diff --git a/modules/oc-mirror-enclave-support-about.adoc b/modules/oc-mirror-enclave-support-about.adoc
new file mode 100644
index 000000000000..adb551a9eb7a
--- /dev/null
+++ b/modules/oc-mirror-enclave-support-about.adoc
@@ -0,0 +1,22 @@
+// Module included in the following assemblies:
+//
+// * installing/disconnected_install/installing-mirroring-disconnected-v2.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="oc-mirror-enclave-support-about_{context}"]
+= Benefits of enclave support
+
+Enclave support restricts internal access to a specific part of a network. Unlike a demilitarized zone (DMZ) network, which allows inbound and outbound traffic access through firewall boundaries, enclaves do not cross firewall boundaries.
+
+:FeatureName: Enclave Support
+include::snippets/technology-preview.adoc[]
+
+The new enclave support functionality is for scenarios where mirroring is needed for multiple enclaves that are secured behind at least one intermediate disconnected network.
+
+Enclave support has the following benefits:
+
+* You can mirror content for multiple enclaves and centralize it in a single internal registry. Because some customers want to run security checks on the mirrored content, with this setup they can run these checks all at once. The content is then vetted before being mirrored to downstream enclaves.
+
+* You can mirror content directly from the centralized internal registry to enclaves without restarting the mirroring process from the internet for each enclave.
+
+* You can minimize data transfer between network stages, so to ensure that a blob or image is transferred only once from one stage to another.
\ No newline at end of file
diff --git a/modules/oc-mirror-enclave-support.adoc b/modules/oc-mirror-enclave-support.adoc
new file mode 100644
index 000000000000..09f3dc821f68
--- /dev/null
+++ b/modules/oc-mirror-enclave-support.adoc
@@ -0,0 +1,128 @@
+// Module included in the following assemblies:
+//
+// * installing/disconnected_install/installing-mirroring-disconnected-v2.adoc
+
+:_mod-docs-content-type: Procedure
+[id="oc-mirror-enclave-support_{context}"]
+= Mirroring to an enclave
+
+When you mirror to an enclave, you must first transfer the necessary images from one or more enclaves into the enterprise central registry.
+
+The central registry is situated within a secure network, specifically a disconnected environment, and is not directly linked to the public internet. But the user must execute `oc mirror` in an environment with access to the public internet.
+
+.Procedure
+
+. Before running oc-mirror plugin v2 in the disconnected environment, create a `registries.conf` file. The TOML format of the file is described in this specification:
++
+[NOTE]
+====
+It is recommended to store the file under `$HOME/.config/containers/registries.conf` or `/etc/containers/registries.conf`.
+====
++
+.Example `registries.conf`
+[source,toml]
+----
+[[registry]]
+location="registry.redhat.io"
+[[registry.mirror]]
+location="<enterprise-registry.in>"
+
+[[registry]]
+location="quay.io"
+[[registry.mirror]]
+location="<enterprise-registry.in>"
+----
+
+. Generate a mirror archive.
+
+.. To collect all the {product-title} content into an archive on the disk under `<file_path>/enterprise-content`, run the following command:
++
+[source,terminal]
+----
+$ oc mirror --v2 -c isc.yaml file://<file_path>/enterprise-content
+----
++
+.Example of isc.yaml:
+[source,yaml]
+----
+apiVersion: mirror.openshift.io/v2alpha1
+kind: ImageSetConfiguration
+mirror:
+  platform:
+    architectures:
+      - "amd64"
+    channels:
+      - name: stable-4.15
+        minVersion: 4.15.0
+        maxVersion: 4.15.3
+----
++
+After the archive is generated, it is transferred to the disconnected environment. The transport mechanism is not part of oc-mirror plugin v2. The enterprise network administrators determine the transfer strategy.
++
+In some cases, the transfer is done manually, in that the disk is physically unplugged from one location, and plugged to another computer in the disconnected environment. In other cases, the Secure File Transfer Protocol (SFTP) or other protocols are used.
+
+. After the transfer of the archive is done, you can execute oc-mirror plugin v2 again in order to mirror the relevant archive contents to the registry (`entrerpise_registry.in` in the example) as demonstrated in the following example: 
++
+[source,terminal]
+----
+$ oc mirror --v2 -c isc.yaml --from file://<disconnected_environment_file_path>/enterprise-content docker://<enterprise_registry.in>/
+----
+Where:
+- `--from` points to the folder containing the archive. It starts with the `file://`.
+- `docker://` is the destination of the mirroring is the final argument. Because it is a docker registry.
+- `-c` (`--config`) is a mandatory argument. It enables oc-mirror plugin v2 to eventually mirror only sub-parts of the archive to the registry. One archive might contain several {product-title} releases, but the disconnected environment or an enclave might mirror only a few.
+
+. Prepare the `imageSetConfig` YAML file, which describes the content to mirror to the enclave:
++
+.Example isc-enclave.yaml
+[source,yaml]
+----
+apiVersion: mirror.openshift.io/v2alpha1
+kind: ImageSetConfiguration
+mirror:
+  platform:
+    architectures:
+      - "amd64"
+    channels:
+      - name: stable-4.15
+        minVersion: 4.15.2
+        maxVersion: 4.15.2
+----
++
+You must run oc-mirror plugin v2 on a machine with access to the disconnected registry. In the previous example, the disconnected environment, `enterprise-registry.in`, is accessible.
+
+. Update the graph URL
++
+If you are using `graph:true`, oc-mirror plugin v2 attempts to reach the `cincinnati` API endpoint. Because this environment is disconnected, be sure to export the environment variable `UPDATE_URL_OVERRIDE` to refer to the URL for the OpenShift Update Service (OSUS):
++
+[source,terminal]
+----
+$ export UPDATE_URL_OVERRIDE=https://<osus.enterprise.in>/graph
+----
++
+For more information on setting up OSUS on an OpenShift cluster, see "Updating a cluster in a disconnected environment using the OpenShift Update Service".
+
+. Generate a mirror archive from the enterprise registry for the enclave.
++
+To prepare an archive for the `enclave1`, the user executes oc-mirror plugin v2 in the enterprise disconnected environment by using the `imageSetConfiguration` specific for that enclave. This ensures that only images needed by that enclave are mirrored:
++
+[source,terminal]
+----
+$ oc mirror --v2 -c isc-enclave.yaml
+file:///disk-enc1/
+----
++
+This action collects all the {product-title} content into an archive and generates an archive on disk.
+
+. After the archive is generated, it will be transferred to the `enclave1` network. The transport mechanism is not the responsibility of oc-mirror plugin v2. 
+
+. Mirror contents to the enclave registry
++
+After the transfer of the archive is done, the user can execute oc-mirror plugin v2 again in order to mirror the relevant archive contents to the registry.
++
+[source,terminal]
+----
+$ oc mirror --v2 -c isc-enclave.yaml --from file://local-disk docker://registry.enc1.in
+----
++
+The administrators of the {product-title} cluster in `enclave1` are now ready to install or upgrade that cluster.
\ No newline at end of file
diff --git a/modules/oc-mirror-imageset-config-parameters-v2.adoc b/modules/oc-mirror-imageset-config-parameters-v2.adoc
new file mode 100644
index 000000000000..de0330ac043c
--- /dev/null
+++ b/modules/oc-mirror-imageset-config-parameters-v2.adoc
@@ -0,0 +1,450 @@
+
+// Module included in the following assemblies:
+//
+// * installing/disconnected_install/installing-mirroring-disconnected-v2.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="oc-mirror-imageset-config-parameters-v2_{context}"]
+= `ImageSet` configuration parameters for oc-mirror plugin v2
+
+The oc-mirror plugin v2 requires an image set configuration file that defines what images to mirror. The following table lists the available parameters for the `ImageSetConfiguration` resource.
+
+[NOTE]
+====
+Using the `minVersion` and `maxVersion` properties to filter for a specific Operator version range can result in a multiple channel heads error. The error message states that there are `multiple channel heads`. This is because when the filter is applied, the update graph of the Operator is truncated.
+
+OLM requires that every Operator channel contains versions that form an update graph with exactly one end point, that is, the latest version of the Operator. When the filter range is applied, that graph can turn into two or more separate graphs or a graph that has more than one end point.
+
+To avoid this error, do not filter out the latest version of an Operator. If you still run into the error, depending on the Operator, either the `maxVersion` property must be increased or the `minVersion` property must be decreased. Because every Operator graph can be different, you might need to adjust these values until the error resolves.
+====
+
+.`ImageSetConfiguration` parameters
+[cols="2,2a,1a",options="header"]
+|===
+|Parameter
+|Description
+|Values
+
+|`apiVersion`
+|The API version of the `ImageSetConfiguration` content.
+|String 
+Example: `mirror.openshift.io/v2alpha1`
+
+|`archiveSize`
+|The maximum size, in GiB, of each archive file within the image set.
+|Integer 
+Example: `4`
+
+|`mirror`
+|The configuration of the image set.
+|Object
+
+|`mirror.additionalImages`
+|The additional images configuration of the image set.
+|Array of objects 
+
+Example:
+[source,yaml]
+----
+additionalImages:
+  - name: registry.redhat.io/ubi8/ubi:latest
+----
+
+|`mirror.additionalImages.name`
+|The tag or digest of the image to mirror.
+|String 
+Example: `registry.redhat.io/ubi8/ubi:latest`
+
+|`mirror.blockedImages`
+|The full tag, digest, or pattern of images to block from mirroring.
+|Array of strings 
+Example: `docker.io/library/alpine`
+
+|`mirror.operators`
+|The Operators configuration of the image set.
+|Array of objects 
+
+Example:
+[source,yaml,subs="attributes+"]
+----
+operators:
+  - catalog: registry.redhat.io/redhat/redhat-operator-index:{product-version}
+    packages:
+      - name: elasticsearch-operator
+        minVersion: '2.4.0'
+----
+
+|`mirror.operators.catalog`
+|The Operator catalog to include in the image set.
+|String 
+Example: `registry.redhat.io/redhat/redhat-operator-index:v4.15`
+
+|`mirror.operators.full`
+|When `true`, downloads the full catalog, Operator package, or Operator channel.
+|Boolean 
+The default value is `false`.
+
+|`mirror.operators.packages`
+|The Operator packages configuration.
+|Array of objects 
+
+Example:
+[source,yaml,subs="attributes+"]
+----
+operators:
+  - catalog: registry.redhat.io/redhat/redhat-operator-index:{product-version}
+    packages:
+      - name: elasticsearch-operator
+        minVersion: '5.2.3-31'
+----
+
+|`mirror.operators.packages.name`
+|The Operator package name to include in the image set.
+|String 
+Example: `elasticsearch-operator`
+
+|`mirror.operators.packages.channels`
+|Operator package channel configuration
+|Object
+
+|`mirror.operators.packages.channels.name`
+|The Operator channel name, unique within a package, to include in the image set.
+|String 
+Eample: `fast` or `stable-v4.15`
+
+|`mirror.operators.packages.channels.maxVersion`
+|The highest version of the Operator mirror across all channels in which it exists.
+|String 
+Example: `5.2.3-31`
+
+|`mirror.operators.packages.channels.minVersion`
+|The lowest version of the Operator to mirror across all channels in which it exists
+|String 
+Example: `5.2.3-31`
+
+|`mirror.operators.packages.maxVersion`
+|The highest version of the Operator to mirror across all channels in which it exists.
+|String 
+Example: `5.2.3-31`
+
+|`mirror.operators.packages.minVersion`
+|The lowest version of the Operator to mirror across all channels in which it exists.
+|String 
+Example: `5.2.3-31`
+
+|`mirror.operators.packages.bundles`
+|Selected bundles configuration
+|Array of objects 
+
+Example:
+[source,yaml,subs="attributes+"]
+----
+operators:
+  - catalog: registry.redhat.io/redhat/redhat-operator-index:{product-version}
+    packages:
+    - name: 3scale-operator
+      bundles:
+      - name: 3scale-operator.v0.10.0-mas
+----
+
+|`mirror.operators.packages.bundles.name`
+|Name of the bundle selected for mirror (as it appears in the catalog).
+|String 
+Example : `3scale-operator.v0.10.0-mas`
+
+|`mirror.operators.targetCatalog`
+|An alternative name and optional namespace hierarchy to mirror the referenced catalog as
+|String 
+Example: `my-namespace/my-operator-catalog`
+
+|`mirror.operators.targetCatalogSourceTemplate`
+|Path on disk for a template to use to complete catalogSource custom resource generated by oc-mirror plugin v2.
+|String 
+Example: `/tmp/catalog-source_template.yaml`
+Example of a template file: 
+[source,yaml]
+----
+apiVersion: operators.coreos.com/v2alpha1
+kind: CatalogSource
+metadata:
+  name: discarded
+  namespace: openshift-marketplace
+spec:
+  image: discarded
+  sourceType: grpc
+  updateStrategy:
+registryPoll:
+interval: 30m0s
+----
+
+|`mirror.operators.targetTag`
+|An alternative tag to append to the `targetName` or `targetCatalog`.
+|String 
+Example: `v1`
+
+|`mirror.platform`
+|The platform configuration of the image set.
+|Object
+
+|`mirror.platform.architectures`
+|The architecture of the platform release payload to mirror.
+|Array of strings 
+Example:
+[source,yaml]
+----
+architectures:
+  - amd64
+  - arm64
+  - multi
+  - ppc64le
+  - s390x
+----
+
+The default value is `amd64`. The value `multi` ensures that the mirroring is supported for all available architectures, eliminating the need to specify individual architectures
+
+|`mirror.platform.channels`
+|The platform channel configuration of the image set.
+|Array of objects 
+Example:
+[source,yaml,subs="attributes+"]
+----
+channels:
+  - name: stable-4.12
+  - name: stable-{product-version}
+----
+
+|`mirror.platform.channels.full`
+|When `true`, sets the `minVersion` to the first release in the channel and the `maxVersion` to the last release in the channel.
+|Boolean 
+The default value is `false`
+
+|`mirror.platform.channels.name`
+|Name of the release channel
+|String 
+Example: `stable-4.15`
+
+|`mirror.platform.channels.minVersion`
+|The minimum version of the referenced platform to be mirrored.
+|String 
+Example: `4.12.6`
+
+|`mirror.platform.channels.maxVersion`
+|The highest version of the referenced platform to be mirrored.
+|String 
+Example: `4.15.1`
+
+|`mirror.platform.channels.shortestPath`
+|Toggles shortest path mirroring or full range mirroring.
+|Boolean 
+The default value is `false`
+
+|`mirror.platform.channels.type`
+|Type of the platform to be mirrored
+|String 
+Example: `ocp` or `okd`. The default is `ocp`.
+
+|`mirror.platform.graph`
+|Indicates whether the OSUS graph is added to the image set and subsequently published to the mirror.
+|Boolean
+The default value is `false`
+
+|===
+
+
+[id="delete-imagset-config-parameters"]
+== Delete `ImageSet` Configuration parameters
+
+To use the oc-mirror plugin v2, you must have delete image set configuration file that defines which images to delete from the mirror registry. The following table lists the available parameters for the `DeleteImageSetConfiguration` resource.
+
+.`DeleteImageSetConfiguration` parameters
+[cols="2,2a,1a",options="header"]
+|===
+|Parameter
+|Description
+|Values
+
+|`apiVersion`
+|The API version for the `DeleteImageSetConfiguration` content.
+|String 
+Example: `mirror.openshift.io/v2alpha1`
+
+|`delete`
+|The configuration of the image set to delete.
+|Object
+
+|`delete.additionalImages`
+|The additional images configuration of the delete image set.
+|Array of objects 
+Example:
+[source,yaml]
+----
+additionalImages:
+  - name: registry.redhat.io/ubi8/ubi:latest
+----
+
+|`delete.additionalImages.name`
+|The tag or digest of the image to delete.
+|String 
+Example: `registry.redhat.io/ubi8/ubi:latest`
+
+|`delete.operators`
+|The Operators configuration of the delete image set.
+|Array of objects 
+Example:
+[source,yaml]
+----
+operators:
+  - catalog: registry.redhat.io/redhat/redhat-operator-index:{product-version}
+    packages:
+      - name: elasticsearch-operator
+        minVersion: '2.4.0'
+----
+
+|`delete.operators.catalog`
+|The Operator catalog to include in the delete image set.
+|String 
+Example: `registry.redhat.io/redhat/redhat-operator-index:v4.15`
+
+|`delete.operators.full`
+|When true, deletes the full catalog, Operator package, or Operator channel.
+|Boolean 
+The default value is `false`
+
+|`delete.operators.packages`
+|Operator packages configuration
+|Array of objects 
+Example:
+[source,yaml]
+----
+operators:
+  - catalog: registry.redhat.io/redhat/redhat-operator-index:{product-version}
+    packages:
+      - name: elasticsearch-operator
+        minVersion: '5.2.3-31'
+----
+
+|`delete.operators.packages.name`
+|The Operator package name to include in the delete image set.
+|String 
+Example: `elasticsearch-operator`
+
+|`delete.operators.packages.channels`
+|Operator package channel configuration
+|Object
+
+|`delete.operators.packages.channels.name`
+|The Operator channel name, unique within a package, to include in the delete image set.
+|String 
+Example: `fast` or `stable-v4.15`
+
+|`delete.operators.packages.channels.maxVersion`
+|The highest version of the Operator to delete within the selected channel.
+|String 
+Example: `5.2.3-31`
+
+|`delete.operators.packages.channels.minVersion`
+|The lowest version of the Operator to delete within the selection in which it exists.
+|String 
+Example: `5.2.3-31`
+
+|`delete.operators.packages.maxVersion`
+|The highest version of the Operator to delete across all channels in which it exists.
+|String 
+Example: `5.2.3-31`
+
+|`delete.operators.packages.minVersion`
+|The lowest version of the Operator to delete across all channels in which it exists.
+|String 
+Example: `5.2.3-31`
+
+|`delete.operators.packages.bundles`
+|The selected bundles configuration
+|Array of objects
+
+You cannot choose both channels and bundles for the same operator.
+
+Example:  
+[source,yaml]
+----
+operators:
+  - catalog: registry.redhat.io/redhat/redhat-operator-index:{product-version}
+    packages:
+    - name: 3scale-operator
+      bundles:
+      - name: 3scale-operator.v0.10.0-mas
+----
+
+|`delete.operators.packages.bundles.name`
+|Name of the bundle selected to delete (as it is displayed in the catalog)
+|String 
+Example : `3scale-operator.v0.10.0-mas`
+
+|`delete.platform`
+|The platform configuration of the image set
+|Object
+
+|`delete.platform.architectures`
+|The architecture of the platform release payload to delete.
+|Array of strings
+Example:
+[source,yaml]
+----
+architectures:
+  - amd64
+  - arm64
+  - multi
+  - ppc64le
+  - s390x
+----
+
+The default value is `amd64`
+
+|`delete.platform.channels`
+|The platform channel configuration of the image set.
+|Array of objects 
+
+Example:
+[source,yaml,subs="attributes+"]
+----
+channels:
+  - name: stable-4.12
+  - name: stable-{product-version}
+----
+
+|`delete.platform.channels.full`
+|When `true`, sets the `minVersion` to the first release in the channel and the `maxVersion` to the last release in the channel.
+|Boolean
+The default value is `false`
+
+|`delete.platform.channels.name`
+|Name of the release channel
+|String 
+Example: `stable-4.15`
+
+|`delete.platform.channels.minVersion`
+|The minimum version of the referenced platform to be deleted.
+|String 
+Example: `4.12.6`
+
+|`delete.platform.channels.maxVersion`
+|The highest version of the referenced platform to be deleted.
+|String 
+Example: `4.15.1`
+
+|`delete.platform.channels.shortestPath`
+|Toggles between deleting the shortest path and deleting the full range.
+|Boolean 
+The default value is `false`
+
+|`delete.platform.channels.type`
+|Type of the platform to be deleted
+|String 
+Example: `ocp` or `okd` 
+The default is `ocp`
+
+|`delete.platform.graph`
+|Determines whether the OSUS graph is deleted as well on the mirror registry as well.
+|Boolean
+The default value is `false`
+
+|===
\ No newline at end of file
diff --git a/modules/oc-mirror-imageset-config-params.adoc b/modules/oc-mirror-imageset-config-params.adoc
index b52d9cfad959..84cc2ae68f53 100644
--- a/modules/oc-mirror-imageset-config-params.adoc
+++ b/modules/oc-mirror-imageset-config-params.adoc
@@ -129,7 +129,7 @@ operators:
 
 |`mirror.operators.catalog`
 |The Operator catalog to include in the image set.
-|String. For example: `registry.redhat.io/redhat/redhat-operator-index:v4.15`.
+|String. For example: `registry.redhat.io/redhat/redhat-operator-index:v4.16`.
 
 |`mirror.operators.full`
 |When `true`, downloads the full catalog, Operator package, or Operator channel.
@@ -158,7 +158,7 @@ operators:
 
 |`mirror.operators.packages.channels.name`
 |The Operator channel name, unique within a package, to include in the image set.
-|String. For example: `fast` or `stable-v4.15`.
+|String. For example: `fast` or `stable-v4.16`.
 
 |`mirror.operators.packages.channels.maxVersion`
 |The highest version of the Operator mirror across all channels in which it exists. See the following note for further information.
@@ -238,7 +238,7 @@ channels:
 
 |`mirror.platform.channels.name`
 |The name of the release channel.
-|String. For example: `stable-4.15`
+|String. For example: `stable-4.16`
 
 |`mirror.platform.channels.minVersion`
 |The minimum version of the referenced platform to be mirrored.
@@ -246,7 +246,7 @@ channels:
 
 |`mirror.platform.channels.maxVersion`
 |The highest version of the referenced platform to be mirrored.
-|String. For example: `4.15.1`
+|String. For example: `4.16.1`
 
 |`mirror.platform.channels.shortestPath`
 |Toggles shortest path mirroring or full range mirroring.
diff --git a/modules/oc-mirror-installing-plugin.adoc b/modules/oc-mirror-installing-plugin.adoc
index 1139197e7875..9c5f30220776 100644
--- a/modules/oc-mirror-installing-plugin.adoc
+++ b/modules/oc-mirror-installing-plugin.adoc
@@ -3,10 +3,21 @@
 // * installing/disconnected_install/installing-mirroring-disconnected.adoc
 // * updating/updating_a_cluster/updating_disconnected_cluster/mirroring-image-repository.adoc
 
+ifeval::["{context}" == "installing-mirroring-disconnected"]
+:oc-mirror:
+endif::[]
+
+ifeval::["{context}" == "about-installing-oc-mirror-v2"]
+:oc-mirror-v2:
+:restricted:
+endif::[]
+
 :_mod-docs-content-type: PROCEDURE
 [id="installation-oc-mirror-installing-plugin_{context}"]
 = Installing the oc-mirror OpenShift CLI plugin
 
+Install the oc-mirror OpenShift CLI plugin to manage image sets in disconnected environments.
+
 .Prerequisites
 
 * You have installed the OpenShift CLI (`oc`). If you are mirroring image sets in a fully disconnected environment, ensure the following:
@@ -56,9 +67,28 @@ $ sudo mv oc-mirror /usr/local/bin/.
 
 .Verification
 
-* Run `oc mirror help` to verify that the plugin was successfully installed:
+ifdef::oc-mirror[]
+* Verify that the plugin for oc-mirror v1 is successfully installed by running the following command:
 +
 [source,terminal]
 ----
 $ oc mirror help
 ----
+endif::[]
+
+ifdef::oc-mirror-v2[]
+* Verify that the plugin for oc-mirror v2 is successfully installed by running the following command:
++
+[source,terminal]
+----
+$ oc mirror --v2 --help
+----
+endif::[]
+
+ifeval::["{context}" == "about-installing-oc-mirror-v2"]
+:!oc-mirror-v2:
+endif::[]
+
+ifeval::["{context}" == "installing-mirroring-disconnected"]
+:!oc-mirror:
+endif::[]
\ No newline at end of file
diff --git a/modules/oc-mirror-mirror-to-disk-v2.adoc b/modules/oc-mirror-mirror-to-disk-v2.adoc
new file mode 100644
index 000000000000..7304c157670f
--- /dev/null
+++ b/modules/oc-mirror-mirror-to-disk-v2.adoc
@@ -0,0 +1,30 @@
+// Module included in the following assemblies:
+//
+// * installing/disconnected_install/installing-mirroring-disconnected-v2.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="mirror-to-disk-v2_{context}"]
+== Mirroring from mirror to disk
+
+You can use the oc-mirror plugin v2 to generate an image set and save the content to disk. You can then transfer the generated image set can to the disconnected environment and mirrored to the target registry.
+
+oc-mirror plugin v2 retrieves the container images from the source specified in the image set configuration and packs them into a tar archive in a local directory.
+
+.Procedure
+
+* Mirror the images from the specified image set configuration to the disk by running the following command:
++
+[source,terminal]
+----
+$ oc mirror -c isc.yaml file://<file_path> --v2 <1>
+----
+<1> Add the required file path. 
+
+.Verification
+
+. Navigate to the `<file_path>` directory that was generated.
+. Verify that the archive files have been generated.
+
+.Next steps
+
+* Configure your cluster to use the resources generated by oc-mirror plugin v2.
\ No newline at end of file
diff --git a/modules/oc-mirror-operator-catalog-filtering.adoc b/modules/oc-mirror-operator-catalog-filtering.adoc
new file mode 100644
index 000000000000..cd5a0479e231
--- /dev/null
+++ b/modules/oc-mirror-operator-catalog-filtering.adoc
@@ -0,0 +1,268 @@
+// Module included in the following assemblies:
+//
+// * installing/disconnected_install/installing-mirroring-disconnected-v2.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="oc-mirror-operator-catalog-filtering_{context}"]
+= How filtering works in the operator catalog
+
+oc-mirror plugin v2 selects the list of bundles for mirroring by processing the information in `imageSetConfig`.
+
+When oc-mirror plugin v2 selects bundles for mirroring, it does not infer Group Version Kind (GVK) or bundle dependencies, omitting them from the mirroring set. Instead, it strictly adheres to the user instructions. You must explicitly specify any required dependent packages and their versions.
+
+Bundle versions typically use semantic versioning standards (SemVer), and you can sort bundles within a channel by version. You can select buncles that fall within a specific range in the `ImageSetConfig`.
+
+This selection algorithm ensures consistent outcomes compared to oc-mirror plugin v1. However, it does not include upgrade graph details, such as `replaces`, `skip`, and `skipRange`. This approach differs from the OLM algorithm. It might mirror more bundles than necessary for upgrading a cluster because of potentially shorter upgrade paths between the `minVersion` and `maxVersion`.
+
+.Use the following table to see what bundle versions are included in different scenarios:
+[cols="1,2",options="header"]
+
+|===
+
+|ImageSetConfig operator filtering 
+|Expected bundle versions
+
+
+a|Scenario 1
+
+[source,yaml]
+----
+mirror:
+ operators:
+   - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.10
+----
+|For each package in the catalog, 1 bundle, corresponding to the head version of the default channel for that package.
+
+a|Scenario 2
+
+[source,yaml]
+----
+mirror:
+  operators:
+    - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.10
+      full: true
+----
+|All bundles of all channels of the specified catalog
+
+a|Scenario 3
+
+[source,yaml]
+----
+mirror:
+  operators:
+    - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.10
+     packages: 
+    - name: compliance-operator
+----
+|One bundle, corresponding to the head version of the default channel for that package
+
+a|Scenario 4
+
+[source,yaml]
+----
+mirror:
+  operators:
+    - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.10
+      full: true
+      - packages:
+          - name: elasticsearch-operator
+----
+|All bundles of all channels for the packages specified
+
+a|Scenario 5
+
+[source,yaml]
+----
+mirror:
+  operators:
+  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.15
+    packages: 
+    - name: compliance-operator
+       minVersion: 5.6.0
+----
+|All bundles in the default channel, from the `minVersion`, up to the channel head for that package that do not rely on the shortest path from upgrade the graph.
+
+a|Scenario 6
+
+[source,yaml]
+----
+mirror:
+  operators:
+  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.15
+    packages: 
+    - name: compliance-operator
+        maxVersion: 6.0.0
+----
+|All bundles in the default channel that are lower than the `maxVersion` for that package.
+
+a|Scenario 7
+
+[source,yaml]
+----
+mirror:
+  operators:
+  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.15
+    packages: 
+    - name: compliance-operator
+        minVersion: 5.6.0
+        maxVersion: 6.0.0
+----
+|All bundles in the default channel, between the `minVersion` and `maxVersion` for that package. The head of the channel is not included, even if multiple channels are included in the filtering.
+
+a|Scenario 8
+
+[source,yaml]
+----
+mirror:
+  operators:
+  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.15
+    packages: 
+    - name: compliance-operator
+        channels
+          - name: stable
+----
+|The head bundle for the selected channel of that package.
+
+a|Scenario 9
+
+[source,yaml]
+----
+mirror:
+  operators:
+    - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.10
+      full: true
+      - packages:
+          - name: elasticsearch-operator
+            channels:
+               - name: 'stable-v0'
+----
+|All bundles for the specified packages and channels.
+
+a|Scenario 10
+
+[source,yaml]
+----
+mirror:
+  operators:
+  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.15
+    packages: 
+    - name: compliance-operator
+        channels
+          - name: stable
+          - name: stable-5.5
+----
+|The head bundle for each selected channel of that package.
+
+a|Scenario 11
+
+[source,yaml]
+----
+mirror:
+  operators:
+  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.15
+    packages: 
+    - name: compliance-operator
+        channels
+          - name: stable
+            minVersion: 5.6.0
+----
+|Within the selected channel of that package, all versions starting with the `minVersion` up to the channel head. This scenario does not relyon the shortest path from the upgrade graph.
+
+a|Scenario 12
+
+[source,yaml]
+----
+mirror:
+  operators:
+  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.15
+    packages: 
+    - name: compliance-operator
+        channels
+          - name: stable
+            maxVersion: 6.0.0
+----
+|Within the selected channel of that package, all versions up to the `maxVersion` (not relying on the shortest path from the upgrade graph). The head of the channel is not included, even if multiple channels are included in the filtering.
+
+a|Scenario 13
+
+[source,yaml]
+----
+mirror:
+  operators:
+  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.15
+    packages: 
+    - name: compliance-operator
+       channels
+          - name: stable
+            minVersion: 5.6.0
+            maxVersion: 6.0.0
+----
+|Within the selected channel of that package, all versions between the `minVersion` and `maxVersion`, not relying on the shortest path from the upgrade graph. The head of the channel is not included, even if multiple channels are included in the filtering.
+
+a|Scenario 14
+
+[source,yaml]
+----
+mirror:
+  operators:
+  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.14
+    packages:
+    - name: aws-load-balancer-operator
+      bundles:
+      - name: aws-load-balancer-operator.v1.1.0
+    - name: 3scale-operator
+      bundles:
+      - name: 3scale-operator.v0.10.0-mas
+----
+|Only the bundles specified for each package are included in the filtering.
+
+a|Scenario 15
+
+[source,yaml]
+----
+mirror:
+  operators:
+  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.15
+    packages: 
+    - name: compliance-operator
+        channels
+          - name: stable
+        minVersion: 5.6.0
+        maxVersion: 6.0.0
+----
+|Do not use this scenario. filtering by channel and by package with a `minVersion` or `maxVersion` is not allowed.
+
+a|Scenario 16
+
+[source,yaml]
+----
+mirror:
+  operators:
+   - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.15
+    packages: 
+    - name: compliance-operator
+        channels
+          - name: stable
+        minVersion: 5.6.0
+        maxVersion: 6.0.0
+----
+|Do not use this scenario. You cannot filter using `full:true` and the `minVersion` or `maxVersion`.
+
+a|Scenario 17
+
+[source,yaml]
+----
+mirror:
+  operators:
+    - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.15
+      full: true
+    packages: 
+    - name: compliance-operator
+        channels
+          - name: stable
+            minVersion: 5.6.0
+            maxVersion: 6.0.0
+----
+|Do not use this scenario. You cannot filter using `full:true` and the `minVersion` or `maxVersion`.
+
+|===
\ No newline at end of file
diff --git a/modules/oc-mirror-preparing-mirror-hosts.adoc b/modules/oc-mirror-preparing-mirror-hosts.adoc
new file mode 100644
index 000000000000..dd867af9026d
--- /dev/null
+++ b/modules/oc-mirror-preparing-mirror-hosts.adoc
@@ -0,0 +1,9 @@
+// Module included in the following assemblies:
+//
+// * installing/disconnected_install/installing-mirroring-disconnected-v2.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="oc-mirror-preparing-mirror-hosts_{context}"]
+= Preparing your mirror hosts
+
+To use the oc-mirror plugin v2 for image mirroring, you need to install the plugin and create a file with credentials for container images, enabling you to mirror from Red Hat to your mirror.
\ No newline at end of file
diff --git a/modules/oc-mirror-procedure-delete-v2.adoc b/modules/oc-mirror-procedure-delete-v2.adoc
new file mode 100644
index 000000000000..9c2729fe889f
--- /dev/null
+++ b/modules/oc-mirror-procedure-delete-v2.adoc
@@ -0,0 +1,41 @@
+// Module included in the following assemblies:
+//
+// * installing/disconnected_install/installing-mirroring-disconnected-v2.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="oc-mirror-procedure-delete-v2_{context}"]
+= Deleting the images from disconnected environment
+
+To delete images from a disconnected environment using the oc-mirror plugin v2, follow the procedure.
+
+.Procedure
+
+. Create a YAML file that deletes previous images:
++
+[source,terminal]
+----
+$ oc mirror delete --config delete-image-set-config.yaml --workspace file://<previously_mirrored_work_folder> --v2 --generate docker://<remote_registry>
+----
+Where:
+- `<previously_mirrored_work_folder>`: Use the directory where images were previously mirrored or stored during the mirroring process.
+- `<remote_registry>`: Insert the URL or address of the remote container registry from which images will be deleted.
+
+. Go to the `<previously_mirrored_work_folder>/delete directory` that was created.
+
+. Verify that the `delete-images.yaml` file has been generated.
+
+. Manually ensure that each image listed in the file is no longer needed by the cluster and can be safely removed from the registry.
+
+. After you generate the `delete` YAML file, delete the images from the remote registry:
++
+[source,terminal]
+----
+$ oc mirror delete --v2 --delete-yaml-file <previously_mirrored_work_folder>/delete/delete-images.yaml docker:/ <remote_registry>
+----
+Where:
+- `<previously_mirrored_work_folder>`: Specify your previously mirrored work folder.
++
+[IMPORTANT]
+====
+When using the mirror-to-mirror procedure, images are not cached locally, so you cannot delete images from a local cache.
+====
\ No newline at end of file
diff --git a/modules/oc-mirror-support.adoc b/modules/oc-mirror-support.adoc
index 10af68e17c20..f9dd80c8c343 100644
--- a/modules/oc-mirror-support.adoc
+++ b/modules/oc-mirror-support.adoc
@@ -5,19 +5,13 @@
 
 :_mod-docs-content-type: CONCEPT
 [id="oc-mirror-support_{context}"]
-= oc-mirror compatibility and support
+= oc-mirror plugin compatibility and support
 
-The oc-mirror plugin supports mirroring {product-title} payload images and Operator catalogs for {product-title} versions 4.10 and later.
+The oc-mirror plugin supports mirroring {product-title} payload images and Operator catalogs for {product-title} versions 4.12 and later.
 
 [NOTE]
 ====
 On `aarch64`, `ppc64le`, and `s390x` architectures the oc-mirror plugin is only supported for {product-title} versions 4.14 and later.
 ====
 
-Use the latest available version of the oc-mirror plugin regardless of which versions of {product-title} you need to mirror.
-
-// TODO: Remove this in 4.14
-[IMPORTANT]
-====
-If you used the Technology Preview OCI local catalogs feature for the oc-mirror plugin for {product-title} 4.12, you can no longer use the OCI local catalogs feature of the oc-mirror plugin to copy a catalog locally and convert it to OCI format as a first step to mirroring to a fully disconnected cluster.
-====
+Use the latest available version of the oc-mirror plugin regardless of which versions of {product-title} you need to mirror.
\ No newline at end of file
diff --git a/modules/oc-mirror-updating-cluster-manifests-v2.adoc b/modules/oc-mirror-updating-cluster-manifests-v2.adoc
new file mode 100644
index 000000000000..567e26ce570f
--- /dev/null
+++ b/modules/oc-mirror-updating-cluster-manifests-v2.adoc
@@ -0,0 +1,51 @@
+// Module included in the following assemblies:
+//
+// * installing/disconnected_install/installing-mirroring-disconnected-v2.adoc
+// * updating/updating_a_cluster/updating_disconnected_cluster/mirroring-image-repository.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="oc-mirror-updating-cluster-manifests-v2_{context}"]
+= Configuring your cluster to use the resources generated by oc-mirror plugin v2
+
+After you have mirrored your image set to the mirror registry, you must apply the generated `ImageDigestMirrorSet` (IDMS), `ImageTagMirrorSet` (ITMS), `CatalogSource`, and `UpdateService` to the cluster.
+
+[IMPORTANT]
+====
+In oc-mirror plugin v2, the IDMS and ITMS files cover the entire image set, unlike the ICSP files in oc-mirror plugin v1. Therefore, the IDMS and ITMS files contain all images of the set even if you only add new images during incremental mirroring.
+====
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+
+.Procedure
+
+* Apply the YAML files from the results directory to the cluster by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f <path_to_oc-mirror_workspace>/working-dir/cluster-resources
+----
+
+.Verification
+
+. Verify that the `ImageDigestMirrorSet` resources are successfully installed by running the following command:
++
+[source,terminal]
+----
+$ oc get imagedigestmirrorset
+----
+
+. Verify that the `ImageTagMirrorSet` resources are successfully installed by running the following command:
++
+[source,terminal]
+----
+$ oc get imagetagmirrorset
+----
+
+. Verify that the `CatalogSource` resources are successfully installed by running the following command:
++
+[source,terminal]
+----
+$ oc get catalogsource -n openshift-marketplace
+----
\ No newline at end of file
diff --git a/modules/oc-mirror-v2-about-dry-run.adoc b/modules/oc-mirror-v2-about-dry-run.adoc
new file mode 100644
index 000000000000..3baf4e819ea0
--- /dev/null
+++ b/modules/oc-mirror-v2-about-dry-run.adoc
@@ -0,0 +1,9 @@
+// Module included in the following assemblies:
+//
+// * installing/disconnected_install/installing-mirroring-disconnected-v2.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="oc-mirror-v2-about-dry-run_{context}"]
+= Verifying your selected images for mirroring
+
+You can use oc-mirror plugin v2 to perform a test run (dry run) that does not actually mirror any images. This enables you to review the list of images that would be mirrored. You can also use a dry run to catch any errors with your image set configuration early. When running a dry run on a mirror-to-disk workflow, the oc-mirror plugin v2 checks if all the images within the image set are available in its cache. Any missing images are listed in the `missing.txt` file. When a dry run is performed before mirroring, both `missing.txt` and `mapping.txt` files contain the same list of images.
\ No newline at end of file
diff --git a/modules/oc-mirror-v2-about.adoc b/modules/oc-mirror-v2-about.adoc
new file mode 100644
index 000000000000..d7bda5d2290f
--- /dev/null
+++ b/modules/oc-mirror-v2-about.adoc
@@ -0,0 +1,30 @@
+// Module included in the following assemblies:
+//
+// * installing/disconnected_install/about-installing-oc-mirror-v2.adoc
+// * updating/updating_a_cluster/updating_disconnected_cluster/mirroring-image-repository.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="installation-oc-mirror-v2-about_{context}"]
+= About oc-mirror plugin v2
+
+The oc-mirror OpenShift CLI (`oc`) plugin is a single tool that mirrors all required {product-title} content and other images to your mirror registry.
+
+To use the new Technology Preview version of oc-mirror, add the `--v2` flag to the oc-mirror plugin v2 command line.
+
+oc-mirror plugin v2 has the following features:
+
+* Verifies that the complete image set specified in the image set config is mirrored to the mirrored registry, regardless of whether the images were previously mirrored or not.
+
+* Uses a cache system instead of metadata.
+
+* Maintains minimal archive sizes by incorporating only new images into the archive.
+
+* Generates mirroring archives with content selected by mirroring date.
+
+* Can generate `ImageDigestMirrorSet` (IDMS), `ImageTagMirrorSet` (ITMS), instead of `ImageContentSourcePolicy` (ICSP) for the full image set, rather than just for the incremental changes.
+
+* Saves filter Operator versions by bundle name.
+
+* Does not perform automatic pruning. V2 now has a `Delete` feature, which grants users more control over deleting images.
+
+* Introduces support for `registries.conf`. This change facilitates mirroring to multiple enclaves while using the same cache.
\ No newline at end of file
diff --git a/modules/oc-mirror-v2-support.adoc b/modules/oc-mirror-v2-support.adoc
new file mode 100644
index 000000000000..ea2c1ad9dcb5
--- /dev/null
+++ b/modules/oc-mirror-v2-support.adoc
@@ -0,0 +1,18 @@
+// Module included in the following assemblies:
+//
+// * installing/disconnected_install/installing-mirroring-disconnected.adoc
+// * installing/disconnected_install/about-installing-oc-mirror-v2.adoc
+// * updating/updating_a_cluster/updating_disconnected_cluster/mirroring-image-repository.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="oc-mirror-v2-support_{context}"]
+= oc-mirror plugin v2 compatibility and support
+
+The oc-mirror plugin v2 is supported for {product-title}.
+
+[NOTE]
+====
+On `aarch64`, `ppc64le`, and `s390x` architectures the oc-mirror plugin v2 is supported only for {product-title} versions 4.14 and later.
+====
+
+Use the latest available version of the oc-mirror plugin v2 regardless of which versions of {product-title} you need to mirror.
\ No newline at end of file
diff --git a/modules/oc-mirror-workflows-delete-v2.adoc b/modules/oc-mirror-workflows-delete-v2.adoc
new file mode 100644
index 000000000000..cbb9ce2b9a44
--- /dev/null
+++ b/modules/oc-mirror-workflows-delete-v2.adoc
@@ -0,0 +1,50 @@
+// Module included in the following assemblies:
+//
+// * installing/disconnected_install/installing-mirroring-disconnected-v2.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="oc-mirror-workflows-delete-v2_{context}"]
+= Deletion of images from your disconnected environment
+
+Before you can use oc-mirror plugin v2, you must delete previously deployed images. oc-mirror plugin v2 no longer performs automatic pruning.
+
+You must create the `DeleteImageSetConfiguration` file to delete image configuration when using oc-mirror plugin v2. This prevents accidentally deleting necessary or deployed images when making changes with `ImageSetConfig.yaml`.
+
+
+In the following example, `DeleteImageSetConfiguration` removes the following:
+
+* All images of {product-title} release 4.13.3.
+* The catalog image `redhat-operator-index` `v4.12`.
+* The `aws-load-balancer-operator` v0.0.1 bundle and all its related images.
+* The additional images `ubi` and `ubi-minimal` referenced by their corresponding digests.
+
+.Example: `DeleteImageSetConfig`
+[source,yaml]
+----
+apiVersion: mirror.openshift.io/v2alpha1
+kind: DeleteImageSetConfiguration
+delete:
+  platform:
+    channels:
+      - name: stable-4.13 
+        minVersion: 4.13.3
+        maxVersion: 4.13.3
+  operators:
+    - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.12
+      packages:
+      - name: aws-load-balancer-operator
+         minVersion: 0.0.1
+         maxVersion: 0.0.1
+  additionalImages: 
+    - name: registry.redhat.io/ubi8/ubi@sha256:bce7e9f69fb7d4533447232478fd825811c760288f87a35699f9c8f030f2c1a6
+    - name: registry.redhat.io/ubi8/ubi-minimal@sha256:8bedbe742f140108897fb3532068e8316900d9814f399d676ac78b46e740e34e
+----
+
+[IMPORTANT]
+====
+Consider using the mirror-to-disk and disk-to-mirror workflows to reduce mirroring issues.
+====
+
+In the image delete workflow, oc-mirror plugin v2 deletes only the manifests of the images, which does not reduce the storage occupied in the registry.
+
+To free up storage space from unnecessary images, such as those with deleted manifests, you must enable the garbage collector on your container registry. With the garbage collector enabled, the registry will delete the image blobs that no longer have references to any manifests, thereby reducing the storage previously occupied by the deleted blobs. Enabling the garbage collector differs depending on your container registry. 
diff --git a/modules/oc-mirror-workflows-fully-disconnected-v2.adoc b/modules/oc-mirror-workflows-fully-disconnected-v2.adoc
new file mode 100644
index 000000000000..0dc2974e65c3
--- /dev/null
+++ b/modules/oc-mirror-workflows-fully-disconnected-v2.adoc
@@ -0,0 +1,15 @@
+// Module included in the following assemblies:
+//
+// * installing/disconnected_install/installing-mirroring-disconnected-v2.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="oc-mirror-workflows-fully-disconnected-v2_{context}"]
+= Mirroring an image set in a fully disconnected environment
+
+You can mirror image sets in a fully disconnected environment where the {product-title} cluster cannot access the public internet.
+
+. *Mirror to disk*: Prepare an archive containing the image set for mirroring. Internet access is required.
+
+. *Manual step*: Transfer the archive to the network of the disconnected mirror registry.
+
+. *Disk to mirror*: To mirror the image set from the archive to the target disconnected registry, run oc-mirror plugin v2 from the environment that has access to the mirror registry.
\ No newline at end of file
diff --git a/modules/oc-mirror-workflows-partially-disconnected-v2.adoc b/modules/oc-mirror-workflows-partially-disconnected-v2.adoc
new file mode 100644
index 000000000000..8c7e30c04215
--- /dev/null
+++ b/modules/oc-mirror-workflows-partially-disconnected-v2.adoc
@@ -0,0 +1,33 @@
+// Module included in the following assemblies:
+//
+// * installing/disconnected_install/installing-mirroring-disconnected-v2.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="oc-mirror-workflows-partially-disconnected-v2_{context}"]
+= Mirroring an image set in a partially disconnected environment
+
+You can mirror image sets to a registry using the oc-mirror plugin v2 in environments with restricted internet access.
+
+.Prerequisites
+
+* You have access to the internet and the mirror registry in the environment where you are running the oc-mirror plugin v2.
+
+.Procedure
+
+* Mirror the images from the specified image set configuration to a specified registry by running the following command:
++
+[source,terminal]
+----
+$ oc mirror -c isc.yaml --workspace file://<file_path> docker://<mirror_registry_url> --v2 <1>
+----
+<1> Specify the URL or address of the mirror registry where the images are stored and from which they need to be deleted.
+
+.Verification
+
+. Navigate to the `cluster-resources` directory within the `working-dir` directory that was generated in the `<file_path>` directory.
+. Verify that the YAML files are present for the `ImageDigestMirrorSet`, `ImageTagMirrorSet` and `CatalogSource` resources.
+
+
+.Next steps
+
+* Configure your cluster to use the resources generated by oc-mirror plugin v2.
\ No newline at end of file
diff --git a/modules/odc-accessing-perspectives.adoc b/modules/odc-accessing-perspectives.adoc
index e08aa38514e7..fd47ade7d8b3 100644
--- a/modules/odc-accessing-perspectives.adoc
+++ b/modules/odc-accessing-perspectives.adoc
@@ -13,7 +13,7 @@ You can access the *Administrator* and *Developer* perspective from the web cons
 To access a perspective, ensure that you have logged in to the web console. Your default perspective is automatically determined by the permission of the users. The *Administrator* perspective is selected for users with access to all projects, while the *Developer* perspective is selected for users with limited access to their own projects
 
 .Additional Resources
-See link:https://docs.openshift.com/container-platform/4.15/web_console/adding-user-preferences.html[Adding User Preferences] for more information on changing perspectives.
+See link:https://docs.openshift.com/container-platform/4.16/web_console/adding-user-preferences.html[Adding User Preferences] for more information on changing perspectives.
 
 
 .Procedure
diff --git a/modules/odc-adding-health-checks.adoc b/modules/odc-adding-health-checks.adoc
index d5f5d9b6a98d..25650bc37972 100644
--- a/modules/odc-adding-health-checks.adoc
+++ b/modules/odc-adding-health-checks.adoc
@@ -6,9 +6,9 @@
 [id="odc-adding-health-checks_{context}"]
 = Adding health checks using the Developer perspective
 
-You can use the *Topology* view to add health checks to your deployed application. 
+You can use the *Topology* view to add health checks to your deployed application.
 
-.Prerequisites:
+.Prerequisites
 * You have switched to the *Developer* perspective in the web console.
 * You have created and deployed an application on {product-title} using the *Developer* perspective.
 
diff --git a/modules/odc-editing-health-checks.adoc b/modules/odc-editing-health-checks.adoc
index 0712c8003ab7..03cc3a84abdf 100644
--- a/modules/odc-editing-health-checks.adoc
+++ b/modules/odc-editing-health-checks.adoc
@@ -8,7 +8,7 @@
 
 You can use the *Topology* view to edit health checks added to your application, modify them, or add more health checks.
 
-.Prerequisites:
+.Prerequisites
 * You have switched to the *Developer* perspective in the web console.
 * You have created and deployed an application on {product-title} using the *Developer* perspective.
 * You have added health checks to your application.
diff --git a/modules/odc-monitoring-health-checks.adoc b/modules/odc-monitoring-health-checks.adoc
index b620b29c7d25..a3c393bea68f 100644
--- a/modules/odc-monitoring-health-checks.adoc
+++ b/modules/odc-monitoring-health-checks.adoc
@@ -8,7 +8,7 @@
 
 In case an application health check fails, you can use the *Topology* view to monitor these health check violations.
 
-.Prerequisites:
+.Prerequisites
 * You have switched to the *Developer* perspective in the web console.
 * You have created and deployed an application on {product-title} using the *Developer* perspective.
 * You have added health checks to your application.
diff --git a/modules/olm-catalogsource-image-template.adoc b/modules/olm-catalogsource-image-template.adoc
index b8a897a92968..cede83876b0d 100644
--- a/modules/olm-catalogsource-image-template.adoc
+++ b/modules/olm-catalogsource-image-template.adoc
@@ -14,18 +14,18 @@ endif::[]
 
 Operator compatibility with the underlying cluster can be expressed by a catalog source in various ways. One way, which is used for the default Red Hat-provided catalog sources, is to identify image tags for index images that are specifically created for a particular platform release, for example {product-title} {product-version}.
 
-During a cluster upgrade, the index image tag for the default Red Hat-provided catalog sources are updated automatically by the Cluster Version Operator (CVO) so that Operator Lifecycle Manager (OLM) pulls the updated version of the catalog. For example during an upgrade from {product-title} 4.14 to 4.15, the `spec.image` field in the `CatalogSource` object for the `redhat-operators` catalog is updated from:
+During a cluster upgrade, the index image tag for the default Red Hat-provided catalog sources are updated automatically by the Cluster Version Operator (CVO) so that Operator Lifecycle Manager (OLM) pulls the updated version of the catalog. For example during an upgrade from {product-title} 4.15 to 4.16, the `spec.image` field in the `CatalogSource` object for the `redhat-operators` catalog is updated from:
 
 [source,terminal]
 ----
-registry.redhat.io/redhat/redhat-operator-index:v4.14
+registry.redhat.io/redhat/redhat-operator-index:v4.15
 ----
 
 to:
 
 [source,terminal]
 ----
-registry.redhat.io/redhat/redhat-operator-index:v4.15
+registry.redhat.io/redhat/redhat-operator-index:v4.16
 ----
 
 However, the CVO does not automatically update image tags for custom catalogs. To ensure users are left with a compatible and supported Operator installation after a cluster upgrade, custom catalogs should also be kept updated to reference an updated index image.
diff --git a/modules/olm-deleting-po.adoc b/modules/olm-deleting-po.adoc
deleted file mode 100644
index 94077dee3d21..000000000000
--- a/modules/olm-deleting-po.adoc
+++ /dev/null
@@ -1,65 +0,0 @@
-// Module included in the following assemblies:
-//
-// * operators/admin/olm-managing-po.adoc
-
-:_mod-docs-content-type: PROCEDURE
-[id="olm-deleting-po_{context}"]
-= Deleting platform Operators
-
-As a cluster administrator, you can delete existing platform Operators. Operator Lifecycle Manager (OLM) performs a cascading deletion. First, OLM removes the bundle deployment for the platform Operator, which then deletes any objects referenced in the `registry+v1` type bundle.
-
-[NOTE]
-====
-The platform Operator manager and bundle deployment provisioner only manage objects that are referenced in the bundle, but not objects subsequently deployed by any bundle workloads themselves. For example, if a bundle workload creates a namespace and the Operator is not configured to clean it up before the Operator is removed, it is outside of the scope of OLM to remove the namespace during platform Operator deletion.
-====
-
-.Procedure
-
-. Get a list of installed platform Operators and find the name for the Operator you want to delete:
-+
-[source,terminal]
-----
-$ oc get platformoperator
-----
-
-. Delete the `PlatformOperator` resource for the chosen Operator, for example, for the Quay Operator:
-+
-[source,terminal]
-----
-$ oc delete platformoperator quay-operator
-----
-+
-.Example output
-[source,terminal]
-----
-platformoperator.platform.openshift.io "quay-operator" deleted
-----
-
-.Verification
-
-. Verify the namespace for the platform Operator is eventually deleted, for example, for the Quay Operator:
-+
-[source,terminal]
-----
-$ oc get ns quay-operator-system
-----
-+
-.Example output
-[source,terminal]
-----
-Error from server (NotFound): namespaces "quay-operator-system" not found
-----
-
-. Verify the `platform-operators-aggregated` cluster Operator continues to report an `Available=True` status:
-+
-[source,terminal]
-----
-$ oc get co platform-operators-aggregated
-----
-+
-.Example output
-[source,terminal,subs="attributes+"]
-----
-NAME                            VERSION     AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
-platform-operators-aggregated   {product-version}.0-0    True        False         False      70s
-----
\ No newline at end of file
diff --git a/modules/olm-installing-from-operatorhub-using-cli.adoc b/modules/olm-installing-from-operatorhub-using-cli.adoc
index 630584f19e17..45c891614543 100644
--- a/modules/olm-installing-from-operatorhub-using-cli.adoc
+++ b/modules/olm-installing-from-operatorhub-using-cli.adoc
@@ -73,13 +73,14 @@ $ oc describe packagemanifests <operator_name> -n openshift-marketplace
 
 . An Operator group, defined by an `OperatorGroup` object, selects target namespaces in which to generate required RBAC access for all Operators in the same namespace as the Operator group.
 +
-The namespace to which you subscribe the Operator must have an Operator group that matches the install mode of the Operator, either the `AllNamespaces` or `SingleNamespace` mode. If the Operator you intend to install uses the `AllNamespaces`, then the `openshift-operators` namespace already has an appropriate Operator group in place.
+The namespace to which you subscribe the Operator must have an Operator group that matches the install mode of the Operator, either the `AllNamespaces` or `SingleNamespace` mode. If the Operator you intend to install uses the `AllNamespaces` mode, the `openshift-operators` namespace already has the appropriate `global-operators` Operator group in place.
 +
 However, if the Operator uses the `SingleNamespace` mode and you do not already have an appropriate Operator group in place, you must create one.
 +
 [NOTE]
 ====
-The web console version of this procedure handles the creation of the `OperatorGroup` and `Subscription` objects automatically behind the scenes for you when choosing `SingleNamespace` mode.
+* The web console version of this procedure handles the creation of the `OperatorGroup` and `Subscription` objects automatically behind the scenes for you when choosing `SingleNamespace` mode.
+* You can only have one Operator group per namespace. For more information, see "Operator groups".
 ====
 
 .. Create an `OperatorGroup` object YAML file, for example `operatorgroup.yaml`:
@@ -220,4 +221,4 @@ At this point, OLM is now aware of the selected Operator. A cluster service vers
 
 ifeval::["{context}" == "olm-installing-operators-in-namespace"]
 :!olm-user:
-endif::[]
\ No newline at end of file
+endif::[]
diff --git a/modules/olm-installing-po-after.adoc b/modules/olm-installing-po-after.adoc
index 18637156c917..1c8aeba9e35e 100644
--- a/modules/olm-installing-po-after.adoc
+++ b/modules/olm-installing-po-after.adoc
@@ -6,7 +6,7 @@
 [id="olm-installing-po-after_{context}"]
 = Installing platform Operators after cluster creation
 
-As a cluster administrator, you can install platform Operators after cluster creation on clusters that have enabled the `TechPreviewNoUpgrades` feature set by using the cluster-wide `PlatformOperator` API.
+As a cluster administrator, you can install platform Operators after cluster creation on clusters that have enabled the `TechPreviewNoUpgrade` feature set by using the cluster-wide `PlatformOperator` API.
 
 .Procedure
 
@@ -35,7 +35,7 @@ $ oc apply -f service-mesh-po.yaml
 +
 [NOTE]
 ====
-If your cluster does not have the `TechPreviewNoUpgrades` feature set enabled, the object creation fails with the following message:
+If your cluster does not have the `TechPreviewNoUpgrade` feature set enabled, the object creation fails with the following message:
 
 [source,terminal]
 ----
diff --git a/modules/olm-installing-po-during.adoc b/modules/olm-installing-po-during.adoc
deleted file mode 100644
index a79f85651422..000000000000
--- a/modules/olm-installing-po-during.adoc
+++ /dev/null
@@ -1,117 +0,0 @@
-// Module included in the following assemblies:
-//
-// * operators/admin/olm-managing-po.adoc
-
-:_mod-docs-content-type: PROCEDURE
-[id="olm-installing-po-during_{context}"]
-= Installing platform Operators during cluster creation
-
-As a cluster administrator, you can install platform Operators by providing `FeatureGate` and `PlatformOperator` manifests during cluster creation.
-
-.Procedure
-
-. Choose a platform Operator from the supported set of OLM-based Operators. For the list of this set and details on current limitations, see "Technology Preview restrictions for platform Operators".
-
-. Select a cluster installation method and follow the instructions through creating an `install-config.yaml` file. For more details on preparing for a cluster installation, see "Selecting a cluster installation method and preparing it for users".
-
-. After you have created the `install-config.yaml` file and completed any modifications to it, change to the directory that contains the installation program and create the manifests:
-+
-[source,terminal]
-----
-$ ./openshift-install create manifests --dir <installation_directory> <1>
-----
-<1> For `<installation_directory>`, specify the name of the directory that contains the `install-config.yaml` file for your cluster.
-
-. Create a `FeatureGate` object YAML file in the `<installation_directory>/manifests/` directory that enables the `TechPreviewNoUpgrade` feature set, for example a `feature-gate.yaml` file:
-+
-.Example `feature-gate.yaml` file
-[source,yaml]
-----
-apiVersion: config.openshift.io/v1
-kind: FeatureGate
-metadata:
-  annotations:
-    include.release.openshift.io/self-managed-high-availability: "true"
-    include.release.openshift.io/single-node-developer: "true"
-    release.openshift.io/create-only: "true"
-  name: cluster
-spec:
-  featureSet: TechPreviewNoUpgrade <1>
-----
-<1> Enable the `TechPreviewNoUpgrade` feature set.
-
-. Create a `PlatformOperator` object YAML file for your chosen platform Operator in the `<installation_directory>/manifests/` directory, for example a `service-mesh-po.yaml` file for the {SMProductName} Operator:
-+
-.Example `service-mesh-po.yaml` file
-[source,yaml]
-----
-apiVersion: platform.openshift.io/v1alpha1
-kind: PlatformOperator
-metadata:
-  name: service-mesh-po
-spec:
-  package:
-    name: servicemeshoperator
-----
-
-. When you are ready to complete the cluster install, refer to your chosen installation method and continue through running the `openshift-install create cluster` command.
-+
-During cluster creation, your provided manifests are used to enable the `TechPreviewNoUpgrade` feature set and install your chosen platform Operator.
-+
-[IMPORTANT]
-====
-Failure of the platform Operator to successfully install will block the cluster installation process.
-====
-
-.Verification
-
-. Check the status of the `service-mesh-po` platform Operator by running the following command:
-+
-[source,terminal]
-----
-$ oc get platformoperator service-mesh-po -o yaml
-----
-+
-.Example output
-[source,yaml]
-----
-...
-status:
-  activeBundleDeployment:
-    name: service-mesh-po
-  conditions:
-  - lastTransitionTime: "2022-10-24T17:24:40Z"
-    message: Successfully applied the service-mesh-po BundleDeployment resource
-    reason: InstallSuccessful
-    status: "True" <1>
-    type: Installed
-----
-<1> Wait until the `Installed` status condition reports `True`.
-
-. Verify that the `platform-operators-aggregated` cluster Operator is reporting an `Available=True` status:
-+
-[source,terminal]
-----
-$ oc get clusteroperator platform-operators-aggregated -o yaml
-----
-+
-.Example output
-[source,yaml]
-----
-...
-status:
-  conditions:
-  - lastTransitionTime: "2022-10-24T17:43:26Z"
-    message: All platform operators are in a successful state
-    reason: AsExpected
-    status: "False"
-    type: Progressing
-  - lastTransitionTime: "2022-10-24T17:43:26Z"
-    status: "False"
-    type: Degraded
-  - lastTransitionTime: "2022-10-24T17:43:26Z"
-    message: All platform operators are in a successful state
-    reason: AsExpected
-    status: "True"
-    type: Available
-----
diff --git a/modules/olm-po-techpreview.adoc b/modules/olm-po-techpreview.adoc
deleted file mode 100644
index f6f5accd1604..000000000000
--- a/modules/olm-po-techpreview.adoc
+++ /dev/null
@@ -1,68 +0,0 @@
-// Module included in the following assemblies:
-//
-// * operators/admin/olm-managing-po.adoc
-
-:_mod-docs-content-type: CONCEPT
-[id="olm-po-techpreview_{context}"]
-= Technology Preview restrictions for platform Operators
-
-During the Technology Preview release of the platform Operators feature in {product-title} 4.12, the following restrictions determine whether an Operator can be installed through the platform Operators mechanism:
-
-* Kubernetes manifests must be packaged using the Operator Lifecycle Manager (OLM) `registry+v1` bundle format.
-* The Operator cannot declare package or group/version/kind (GVK) dependencies.
-* The Operator cannot specify cluster service version (CSV) install modes other than `AllNamespaces`
-* The Operator cannot specify any `Webhook` or `APIService` definitions.
-* All package bundles must be in the `redhat-operators` catalog source.
-
-After considering these restrictions, the following Operators can be successfully installed:
-
-.OLM-based Operators installable as platform Operators
-[cols="1,1"]
-|===
-|3scale-operator
-|amq-broker-rhel8
-
-|amq-online
-|amq-streams
-
-|ansible-cloud-addons-operator
-|apicast-operator
-
-|container-security-operator
-|eap
-
-|file-integrity-operator
-|gatekeeper-operator-product
-
-|integration-operator
-|jws-operator
-
-|kiali-ossm
-|node-healthcheck-operator
-
-|odf-csi-addons-operator
-|odr-hub-operator
-
-|openshift-custom-metrics-autoscaler-operator
-|openshift-gitops-operator
-
-|openshift-pipelines-operator-rh
-|quay-operator
-
-|red-hat-camel-k
-|rhpam-kogito-operator
-
-|service-registry-operator
-|servicemeshoperator
-
-|skupper-operator
-|
-|===
-
-[NOTE]
-====
-The following features are not available during this Technology Preview release:
-
-* Automatically upgrading platform Operator packages after cluster rollout
-* Extending the platform Operator mechanism to support any optional, CVO-based components
-====
diff --git a/modules/olm-rukpak-about.adoc b/modules/olm-rukpak-about.adoc
index 091b682f889f..91944d2edfa2 100644
--- a/modules/olm-rukpak-about.adoc
+++ b/modules/olm-rukpak-about.adoc
@@ -11,9 +11,7 @@ ifeval::["{context}" == "olm-packaging-format"]
 :FeatureName: RukPak
 include::snippets/technology-preview.adoc[]
 
-{product-title} 4.12 introduces the _platform Operator_ type as a Technology Preview feature. The platform Operator mechanism relies on the RukPak component, also introduced in {product-title} 4.12, and its resources to manage content.
-
-{product-title} 4.14 introduces {olmv1-first} as a Technology Preview feature, which also relies on the RukPak component.
+{product-title} 4.14 introduces {olmv1-first} as a Technology Preview feature, which relies on the RukPak component.
 endif::[]
 ifeval::["{context}" == "olmv1-rukpak"]
 = About RukPak
@@ -36,4 +34,4 @@ A Git repository that contains a bundle within a directory
 Provisioner::
 Controllers that install and manage content on a Kubernetes cluster
 Bundle deployment::
-Generates deployed instances of a bundle
\ No newline at end of file
+Generates deployed instances of a bundle
diff --git a/modules/olm-rukpak-bd.adoc b/modules/olm-rukpak-bd.adoc
index e145663da9e0..c98f9e762801 100644
--- a/modules/olm-rukpak-bd.adoc
+++ b/modules/olm-rukpak-bd.adoc
@@ -16,24 +16,3 @@ The RukPak `BundleDeployment` API points to a `Bundle` object and indicates that
 Much like pods generate instances of container images, a bundle deployment generates a deployed version of a bundle. A bundle deployment can be seen as a generalization of the pod concept.
 
 The specifics of how a bundle deployment makes changes to a cluster based on a referenced bundle is defined by the provisioner that is configured to watch that bundle deployment.
-
-.Example `BundleDeployment` object configured to work with the plain provisioner
-[source,yaml]
-----
-apiVersion: core.rukpak.io/v1alpha1
-kind: BundleDeployment
-metadata:
-  name: my-bundle-deployment
-spec:
-  provisionerClassName: core-rukpak-io-plain
-  template:
-    metadata:
-      labels:
-        app: my-bundle
-    spec:
-      source:
-        type: image
-        image:
-          ref: my-bundle@sha256:xyz123
-      provisionerClassName: core-rukpak-io-plain
-----
\ No newline at end of file
diff --git a/modules/olm-rukpak-bundle-immutability.adoc b/modules/olm-rukpak-bundle-immutability.adoc
index 58061e90eea5..628bba5ae5fc 100644
--- a/modules/olm-rukpak-bundle-immutability.adoc
+++ b/modules/olm-rukpak-bundle-immutability.adoc
@@ -65,4 +65,4 @@ If this scenario occurs, the new content from step 2 is unpacked as a result of
 
 This is similar to pod behavior, where one of the pod's container images uses a tag, the tag is moved to a different digest, and then at some point in the future the existing pod is rescheduled on a different node. At that point, the node pulls the new image at the new digest and runs something different without the user explicitly asking for it.
 
-To be confident that the underlying `Bundle` spec content does not change, use a digest-based image or a Git commit reference when creating the bundle.
\ No newline at end of file
+To be confident that the underlying `Bundle` spec content does not change, use a digest-based image or a Git commit reference when creating the bundle.
diff --git a/modules/olm-rukpak-bundle.adoc b/modules/olm-rukpak-bundle.adoc
index 794648b642b5..57c65ee9333e 100644
--- a/modules/olm-rukpak-bundle.adoc
+++ b/modules/olm-rukpak-bundle.adoc
@@ -10,22 +10,7 @@ A RukPak `Bundle` object represents content to make available to other consumers
 
 Bundles cannot do anything on their own; they require a provisioner to unpack and make their content available in the cluster. They can be unpacked to any arbitrary storage medium, such as a `tar.gz` file in a directory mounted into the provisioner pods. Each `Bundle` object has an associated `spec.provisionerClassName` field that indicates the `Provisioner` object that watches and unpacks that particular bundle type.
 
-.Example `Bundle` object configured to work with the plain provisioner
-[source,yaml]
-----
-apiVersion: core.rukpak.io/v1alpha1
-kind: Bundle
-metadata:
-  name: my-bundle
-spec:
-  source:
-    type: image
-    image:
-      ref: my-bundle@sha256:xyz123
-  provisionerClassName: core-rukpak-io-plain
-----
-
 [NOTE]
 ====
 Bundles are considered immutable after they are created.
-====
\ No newline at end of file
+====
diff --git a/modules/olm-rukpak-provisioner.adoc b/modules/olm-rukpak-provisioner.adoc
index ac32f804c9e2..1301f2ed99fb 100644
--- a/modules/olm-rukpak-provisioner.adoc
+++ b/modules/olm-rukpak-provisioner.adoc
@@ -9,8 +9,8 @@
 
 RukPak consists of a series of controllers, known as _provisioners_, that install and manage content on a Kubernetes cluster. RukPak also provides two primary APIs: `Bundle` and `BundleDeployment`. These components work together to bring content onto the cluster and install it, generating resources within the cluster.
 
-Two provisioners are currently implemented and bundled with RukPak: the _plain provisioner_ that sources and unpacks `plain+v0` bundles, and the _registry provisioner_ that sources and unpacks Operator Lifecycle Manager (OLM) `registry+v1` bundles.
+Currently, the _registry provisioner_ is implemented and bundled with RukPak. The registry provisioner sources and unpacks Operator Lifecycle Manager (OLM) `registry+v1` bundles.
 
-Each provisioner is assigned a unique ID and is responsible for reconciling `Bundle` and `BundleDeployment` objects with a `spec.provisionerClassName` field that matches that particular ID. For example, the plain provisioner is able to unpack a given `plain+v0` bundle onto a cluster and then instantiate it, making the content of the bundle available in the cluster.
+A provisioner is assigned a unique ID and is responsible for reconciling `Bundle` and `BundleDeployment` objects with a `spec.provisionerClassName` field that matches that particular ID. For example, the registry provisioner is able to unpack a given `registry+v1` bundle onto a cluster and then instantiate it, making the content of the bundle available in the cluster.
 
-A provisioner places a watch on both `Bundle` and `BundleDeployment` resources that refer to the provisioner explicitly. For a given bundle, the provisioner unpacks the contents of the `Bundle` resource onto the cluster. Then, given a `BundleDeployment` resource referring to that bundle, the provisioner installs the bundle contents and is responsible for managing the lifecycle of those resources.
\ No newline at end of file
+A provisioner places a watch on both `Bundle` and `BundleDeployment` resources that refer to the provisioner explicitly. For a given bundle, the provisioner unpacks the contents of the `Bundle` resource onto the cluster. Then, given a `BundleDeployment` resource referring to that bundle, the provisioner installs the bundle contents and is responsible for managing the lifecycle of those resources.
diff --git a/modules/olmv1-about-target-versions.adoc b/modules/olmv1-about-target-versions.adoc
index b9202c892b55..848a968ae271 100644
--- a/modules/olmv1-about-target-versions.adoc
+++ b/modules/olmv1-about-target-versions.adoc
@@ -21,12 +21,13 @@ If you specify a channel in the CR, {olmv1} installs the latest version of the O
 .Example CR with a specified channel
 [source,yaml]
 ----
-apiVersion: operators.operatorframework.io/v1alpha1
-kind: Operator
+apiVersion: olm.operatorframework.io/v1alpha1
+kind: ClusterExtension
 metadata:
   name: pipelines-operator
 spec:
   packageName: openshift-pipelines-operator-rh
+  installNamespace: <namespace_name>
   channel: latest <1>
 ----
 <1> Installs the latest release that can be resolved from the specified channel. Updates to the channel are automatically installed.
@@ -38,13 +39,14 @@ If you want to update the version of the Operator that is installed on the clust
 .Example CR with the target version specified
 [source,yaml]
 ----
-apiVersion: operators.operatorframework.io/v1alpha1
-kind: Operator
+apiVersion: olm.operatorframework.io/v1alpha1
+kind: ClusterExtension
 metadata:
   name: pipelines-operator
 spec:
   packageName: openshift-pipelines-operator-rh
-  version: 1.11.1 <1>
+  installNamespace: <namespace_name>
+  version: "1.11.1" <1>
 ----
 <1> Specifies the target version. If you want to update the version of the Operator or extension that is installed, you must manually update this field the CR to the desired target version.
 
@@ -53,13 +55,14 @@ If you want to define a range of acceptable versions for an Operator or extensio
 .Example CR with a version range specified
 [source,yaml]
 ----
-apiVersion: operators.operatorframework.io/v1alpha1
-kind: Operator
+apiVersion: olm.operatorframework.io/v1alpha1
+kind: ClusterExtension
 metadata:
   name: pipelines-operator
 spec:
   packageName: openshift-pipelines-operator-rh
-  version: >1.11.1 <1>
+  installNamespace: <namespace_name>
+  version: ">1.11.1" <1>
 ----
 <1> Specifies that the desired version range is greater than version `1.11.1`. For more information, see "Support for version ranges".
 
diff --git a/modules/olmv1-adding-a-catalog.adoc b/modules/olmv1-adding-a-catalog.adoc
index 49e5377cecde..f3feaa9de396 100644
--- a/modules/olmv1-adding-a-catalog.adoc
+++ b/modules/olmv1-adding-a-catalog.adoc
@@ -89,21 +89,21 @@ Annotations:  <none>
 API Version:  catalogd.operatorframework.io/v1alpha1
 Kind:         Catalog
 Metadata:
-  Creation Timestamp:  2024-01-10T16:18:38Z
+  Creation Timestamp:  2024-06-10T17:34:53Z
   Finalizers:
     catalogd.operatorframework.io/delete-server-cache
   Generation:        1
-  Resource Version:  57057
-  UID:               128db204-49b3-45ee-bfea-a2e6fc8e34ea
+  Resource Version:  46075
+  UID:               83c0db3c-a553-41da-b279-9b3cddaa117d
 Spec:
   Source:
     Image:
       Pull Secret:  redhat-cred
-      Ref:          registry.redhat.io/redhat/redhat-operator-index:v4.15
+      Ref:          registry.redhat.io/redhat/redhat-operator-index:v4.16
     Type:           image
 Status: <1>
   Conditions:
-    Last Transition Time:  2024-01-10T16:18:55Z
+    Last Transition Time:  2024-06-10T17:35:15Z
     Message:
     Reason:                UnpackSuccessful <2>
     Status:                True
@@ -113,9 +113,9 @@ Status: <1>
   Phase:                   Unpacked <3>
   Resolved Source:
     Image:
-      Last Poll Attempt:  2024-01-10T16:18:51Z
-      Ref:                registry.redhat.io/redhat/redhat-operator-index:v4.15
-      Resolved Ref:       registry.redhat.io/redhat/redhat-operator-index@sha256:7b536ae19b8e9f74bb521c4a61e5818e036ac1865a932f2157c6c9a766b2eea5 <4>
+      Last Poll Attempt:  2024-06-10T17:35:10Z
+      Ref:                registry.redhat.io/redhat/redhat-operator-index:v4.16
+      Resolved Ref:       registry.redhat.io/redhat/redhat-operator-index@sha256:f2ccc079b5e490a50db532d1dc38fd659322594dcf3e653d650ead0e862029d9 <4>
     Type:                 image
 Events:                   <none>
 ----
diff --git a/modules/olmv1-clusterextension-api.adoc b/modules/olmv1-clusterextension-api.adoc
new file mode 100644
index 000000000000..9608fffc30c3
--- /dev/null
+++ b/modules/olmv1-clusterextension-api.adoc
@@ -0,0 +1,31 @@
+// Module included in the following assemblies:
+//
+// * operators/olm_v1/arch/olmv1-operator-controller.adoc
+
+:_mod-docs-content-type: CONCEPT
+
+[id="olmv1-clusterextension-api"]
+= ClusterExtension API
+
+Operator Controller provides a new `ClusterExtension` API object that is a single resource representing an instance of an installed extension, which includes Operators via the `registry+v1` bundle format. This `clusterextension.olm.operatorframework.io` API streamlines management of installed extensions by consolidating user-facing APIs into a single object.
+
+[IMPORTANT]
+====
+In {olmv1}, `ClusterExtension` objects are cluster-scoped. This differs from {olmv0} where Operators could be either namespace-scoped or cluster-scoped, depending on the configuration of their related `Subscription` and `OperatorGroup` objects.
+
+For more information about the earlier behavior, see _Multitenancy and Operator colocation_.
+====
+
+.Example `ClusterExtension` object
+[source,yaml]
+----
+apiVersion: olm.operatorframework.io/v1alpha1
+kind: ClusterExtension
+metadata:
+  name: <operator_name>
+spec:
+  packageName: <package_name>
+  installNamespace: <namespace_name>
+  channel: <channel_name>
+  version: <version_number>
+----
diff --git a/modules/olmv1-creating-fbc.adoc b/modules/olmv1-creating-fbc.adoc
index eed4a684985d..e1478e6f919c 100644
--- a/modules/olmv1-creating-fbc.adoc
+++ b/modules/olmv1-creating-fbc.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * operators/olm_v1/olmv1-plain-bundles.adoc
+// *
 
 ifdef::openshift-origin[]
 :registry-image: quay.io/operator-framework/opm:latest
diff --git a/modules/olmv1-deleting-an-operator.adoc b/modules/olmv1-deleting-an-operator.adoc
index 74a168659474..5f58f7b940a7 100644
--- a/modules/olmv1-deleting-an-operator.adoc
+++ b/modules/olmv1-deleting-an-operator.adoc
@@ -7,7 +7,7 @@
 [id="olmv1-deleting-an-operator_{context}"]
 = Deleting an Operator
 
-You can delete an Operator and its custom resource definitions (CRDs) by deleting the Operator's custom resource (CR).
+You can delete an Operator and its custom resource definitions (CRDs) by deleting the `ClusterExtension` custom resource (CR).
 
 .Prerequisites
 
@@ -20,13 +20,13 @@ You can delete an Operator and its custom resource definitions (CRDs) by deletin
 +
 [source,terminal]
 ----
-$ oc delete operator.operators.operatorframework.io <operator_name>
+$ oc delete clusterextension <operator_name>
 ----
 +
 .Example output
 [source,text]
 ----
-operator.operators.operatorframework.io "<operator_name>" deleted
+clusterextension.olm.operatorframework.io "<operator_name>" deleted
 ----
 
 .Verification
@@ -37,7 +37,7 @@ operator.operators.operatorframework.io "<operator_name>" deleted
 +
 [source,terminal]
 ----
-$ oc get operator.operators.operatorframework.io
+$ oc get clusterextensions
 ----
 +
 .Example output
diff --git a/modules/olmv1-forcing-an-update-or-rollback.adoc b/modules/olmv1-forcing-an-update-or-rollback.adoc
index 2a21211915af..82a93772f5de 100644
--- a/modules/olmv1-forcing-an-update-or-rollback.adoc
+++ b/modules/olmv1-forcing-an-update-or-rollback.adoc
@@ -32,6 +32,7 @@ metadata:
   name: <operator_name> <1>
 spec:
   packageName: <package_name> <2>
+  installNamespace: <namespace_name>
   version: <version> <3>
   upgradeConstraintPolicy: Ignore <4>
 ----
diff --git a/modules/olmv1-installing-an-operator.adoc b/modules/olmv1-installing-an-operator.adoc
index 8c7b12589a4c..13a30ef52155 100644
--- a/modules/olmv1-installing-an-operator.adoc
+++ b/modules/olmv1-installing-an-operator.adoc
@@ -5,18 +5,18 @@
 :_mod-docs-content-type: PROCEDURE
 
 [id="olmv1-installing-an-operator_{context}"]
-= Installing an Operator from a catalog
+= Installing a cluster extension from a catalog
 
-{olmv1-first} supports installing Operators and extensions scoped to the cluster. You can install an Operator or extension from a catalog by creating a custom resource (CR) and applying it to the cluster.
+{olmv1-first} supports installing cluster extensions, including {olmv0} Operators via the `registry+v1` bundle format, that are scoped to the cluster. You can install an extension from a catalog by creating a custom resource (CR) and applying it to the cluster.
 
 [IMPORTANT]
 ====
-Currently, {olmv1} supports the installation Operators and extensions that meet the following criteria:
+Currently, {olmv1} supports the installation of extensions that meet the following criteria:
 
-* The Operator or extension must use the `AllNamespaces` install mode.
-* The Operator or extension must not use webhooks.
+* The extension must use the `AllNamespaces` install mode.
+* The extension must not use webhooks.
 
-Operators and extensions that use webhooks or that target a single or specified set of namespaces cannot be installed.
+Cluster extensions that use webhooks or that target a single or specified set of namespaces cannot be installed.
 ====
 
 .Prerequisite
@@ -58,6 +58,7 @@ $ jq -s '.[] | select( .schema == "olm.channel" ) | \
 "pipelines-1.11"
 "pipelines-1.12"
 "pipelines-1.13"
+"pipelines-1.14"
 ----
 ====
 
@@ -87,34 +88,51 @@ select( .schema == "olm.channel" ) | select( .name == "latest" ) | \
 ====
 [source,text]
 ----
-"openshift-pipelines-operator-rh.v1.11.1"
 "openshift-pipelines-operator-rh.v1.12.0"
 "openshift-pipelines-operator-rh.v1.12.1"
 "openshift-pipelines-operator-rh.v1.12.2"
 "openshift-pipelines-operator-rh.v1.13.0"
 "openshift-pipelines-operator-rh.v1.13.1"
+"openshift-pipelines-operator-rh.v1.11.1"
+"openshift-pipelines-operator-rh.v1.12.0"
+"openshift-pipelines-operator-rh.v1.12.1"
+"openshift-pipelines-operator-rh.v1.12.2"
+"openshift-pipelines-operator-rh.v1.13.0"
+"openshift-pipelines-operator-rh.v1.14.1"
+"openshift-pipelines-operator-rh.v1.14.2"
+"openshift-pipelines-operator-rh.v1.14.3"
+"openshift-pipelines-operator-rh.v1.14.4"
+
 ----
 ====
+. If you want to install your extension into a new namespace, run the following command:
++
+[source,terminal]
+----
+$ oc adm new-project <new_namespace>
+----
 
 . Create a CR, similar to the following example:
 +
 .Example `pipelines-operator.yaml` CR
 [source,yaml]
 ----
-apiVersion: operators.operatorframework.io/v1alpha1
-kind: Operator
+apiVersion: olm.operatorframework.io/v1alpha1
+kind: ClusterExtension
 metadata:
   name: pipelines-operator
 spec:
   packageName: openshift-pipelines-operator-rh
+  installNamespace: <namespace>
   channel: <channel>
   version: "<version>"
 ----
 +
 where:
 +
-<channel>:: Optional: Specifies the channel, such as `pipelines-1.11` or `latest`, for the package you want to install or update.
-<version>:: Optional: Specifies the version or version range, such as `1.11.1`, `1.12.x`, or `>=1.12.1`, of the package you want to install or update. For more information, see "Example custom resources (CRs) that specify a target version" and "Support for version ranges".
+`<namespace>`:: Specifies the namespace where you want the bundle installed, such as `openshift-operators` or `my-extension`. Extensions are still cluster-scoped and might contain resources that are installed in different namespaces.
+`<channel>`:: Optional: Specifies the channel, such as `pipelines-1.11` or `latest`, for the package you want to install or update.
+`<version>`:: Optional: Specifies the version or version range, such as `1.11.1`, `1.12.x`, or `>=1.12.1`, of the package you want to install or update. For more information, see "Example custom resources (CRs) that specify a target version" and "Support for version ranges".
 +
 --
 include::snippets/olmv1-multi-catalog-admon.adoc[]
@@ -130,7 +148,7 @@ $ oc apply -f pipeline-operator.yaml
 .Example output
 [source,text]
 ----
-operator.operators.operatorframework.io/pipelines-operator created
+clusterextension.olm.operatorframework.io/pipelines-operator created
 ----
 
 .Verification
@@ -139,51 +157,98 @@ operator.operators.operatorframework.io/pipelines-operator created
 +
 [source,terminal]
 ----
-$ oc get operator.operators.operatorframework.io pipelines-operator -o yaml
+$ oc get clusterextension pipelines-operator -o yaml
 ----
 +
---
-include::snippets/olmv1-version-range-cr-adomn.adoc[]
---
-+
 .Example output
 [%collapsible]
 ====
 [source,text]
 ----
-apiVersion: operators.operatorframework.io/v1alpha1
-kind: Operator
+apiVersion: v1
+items:
+- apiVersion: olm.operatorframework.io/v1alpha1
+  kind: ClusterExtension
+  metadata:
+    annotations:
+      kubectl.kubernetes.io/last-applied-configuration: |
+        {"apiVersion":"olm.operatorframework.io/v1alpha1","kind":"ClusterExtension","metadata":{"annotations":{},"name":"pipelines-operator"},"spec":{"channel":"latest","installNamespace":"openshift-operators","packageName":"openshift-pipelines-operator-rh","pollInterval":"30m"}}
+    creationTimestamp: "2024-06-10T17:50:51Z"
+    generation: 1
+    name: pipelines-operator
+    resourceVersion: "53324"
+    uid: c54237be-cde4-46d4-9b31-d0ec6acc19bf
+  spec:
+    channel: latest
+    installNamespace: openshift-operators
+    packageName: openshift-pipelines-operator-rh
+    upgradeConstraintPolicy: Enforce
+  status:
+    conditions:
+    - lastTransitionTime: "2024-06-10T17:50:58Z"
+      message: resolved to "registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:dd3d18367da2be42539e5dde8e484dac3df33ba3ce1d5bcf896838954f3864ec"
+      observedGeneration: 1
+      reason: Success
+      status: "True"
+      type: Resolved
+    - lastTransitionTime: "2024-06-10T17:51:11Z"
+      message: installed from "registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:dd3d18367da2be42539e5dde8e484dac3df33ba3ce1d5bcf896838954f3864ec"
+      observedGeneration: 1
+      reason: Success
+      status: "True"
+      type: Installed
+    - lastTransitionTime: "2024-06-10T17:50:58Z"
+      message: ""
+      observedGeneration: 1
+      reason: Deprecated
+      status: "False"
+      type: Deprecated
+    - lastTransitionTime: "2024-06-10T17:50:58Z"
+      message: ""
+      observedGeneration: 1
+      reason: Deprecated
+      status: "False"
+      type: PackageDeprecated
+    - lastTransitionTime: "2024-06-10T17:50:58Z"
+      message: ""
+      observedGeneration: 1
+      reason: Deprecated
+      status: "False"
+      type: ChannelDeprecated
+    - lastTransitionTime: "2024-06-10T17:50:58Z"
+      message: ""
+      observedGeneration: 1
+      reason: Deprecated
+      status: "False"
+      type: BundleDeprecated
+    installedBundle:
+      name: openshift-pipelines-operator-rh.v1.14.4
+      version: 1.14.4
+    resolvedBundle:
+      name: openshift-pipelines-operator-rh.v1.14.4
+      version: 1.14.4
+kind: List
 metadata:
-  annotations:
-    kubectl.kubernetes.io/last-applied-configuration: |
-      {"apiVersion":"operators.operatorframework.io/v1alpha1","kind":"Operator","metadata":{"annotations":{},"name":"pipelines-operator"},"spec":{"channel":"latest","packageName":"openshift-pipelines-operator-rh","version":"1.11.x"}}
-  creationTimestamp: "2024-01-30T20:06:09Z"
-  generation: 1
-  name: pipelines-operator
-  resourceVersion: "44362"
-  uid: 4272d228-22e1-419e-b9a7-986f982ee588
-spec:
-  channel: latest
-  packageName: openshift-pipelines-operator-rh
-  upgradeConstraintPolicy: Enforce
-  version: 1.11.x
-status:
-  conditions:
-  - lastTransitionTime: "2024-01-30T20:06:15Z"
-    message: resolved to "registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:e09d37bb1e754db42324fd18c1cb3e7ce77e7b7fcbf4932d0535391579938280"
-    observedGeneration: 1
-    reason: Success
-    status: "True"
-    type: Resolved
-  - lastTransitionTime: "2024-01-30T20:06:31Z"
-    message: installed from "registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:e09d37bb1e754db42324fd18c1cb3e7ce77e7b7fcbf4932d0535391579938280"
-    observedGeneration: 1
-    reason: Success
-    status: "True"
-    type: Installed
-  installedBundleResource: registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:e09d37bb1e754db42324fd18c1cb3e7ce77e7b7fcbf4932d0535391579938280
-  resolvedBundleResource: registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:e09d37bb1e754db42324fd18c1cb3e7ce77e7b7fcbf4932d0535391579938280
+  resourceVersion: ""
 ----
+where:
+
+`spec.channel`:: Displays the channel defined in the CR of the extension.
+`spec.version`:: Displays the version or version range defined in the CR of the extension.
+`status.conditions`:: Displays information about the status and health of the extension.
+`type: Deprecated`:: Displays whether one or more of following are deprecated:
++
+--
+`type: PackageDeprecated`:: Displays whether the resolved package is deprecated.
+`type: ChannelDeprecated`:: Displays whether the resolved channel is deprecated.
+`type: BundleDeprecated`:: Displays whether the resolved bundle is deprecated.
+--
++
+The value of `False` in the `status` field indicates that the `reason: Deprecated` condition is not deprecated. The value of `True` in the `status` field indicates that the `reason: Deprecated` condition is deprecated.
+`installedBundle.name`:: Displays the name of the bundle installed.
+`installedBundle.version`:: Displays the version of the bundle installed.
+`resolvedBundle.name`:: Displays the name of the resolved bundle.
+`resolvedBundle.version`:: Displays the verson of the resolved bundle.
 ====
 
 . Get information about your bundle deployment by running the following command:
@@ -198,51 +263,52 @@ $ oc get bundleDeployment pipelines-operator -o yaml
 ====
 [source,text]
 ----
-apiVersion: core.rukpak.io/v1alpha1
+apiVersion: core.rukpak.io/v1alpha2
 kind: BundleDeployment
 metadata:
-  creationTimestamp: "2024-01-30T20:06:15Z"
-  generation: 2
+  creationTimestamp: "2024-06-10T17:50:58Z"
+  finalizers:
+  - core.rukpak.io/delete-cached-bundle
+  generation: 1
   name: pipelines-operator
   ownerReferences:
-  - apiVersion: operators.operatorframework.io/v1alpha1
+  - apiVersion: olm.operatorframework.io/v1alpha1
     blockOwnerDeletion: true
     controller: true
-    kind: Operator
+    kind: ClusterExtension
     name: pipelines-operator
-    uid: 4272d228-22e1-419e-b9a7-986f982ee588
-  resourceVersion: "44464"
-  uid: 0a0c3525-27e2-4c93-bf57-55920a7707c0
+    uid: c54237be-cde4-46d4-9b31-d0ec6acc19bf
+  resourceVersion: "53414"
+  uid: 74367cfc-578e-4da0-815f-fe40f3ca5d1c
 spec:
-  provisionerClassName: core-rukpak-io-plain
-  template:
-    metadata: {}
-    spec:
-      provisionerClassName: core-rukpak-io-registry
-      source:
-        image:
-          ref: registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:e09d37bb1e754db42324fd18c1cb3e7ce77e7b7fcbf4932d0535391579938280
-        type: image
+  installNamespace: openshift-operators
+  provisionerClassName: core-rukpak-io-registry
+  source:
+    image:
+      ref: registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:dd3d18367da2be42539e5dde8e484dac3df33ba3ce1d5bcf896838954f3864ec
+    type: image
 status:
-  activeBundle: pipelines-operator-29x720cjzx8yiowf13a3j75fil2zs3mfw
   conditions:
-  - lastTransitionTime: "2024-01-30T20:06:15Z"
-    message: Successfully unpacked the pipelines-operator-29x720cjzx8yiowf13a3j75fil2zs3mfw
-      Bundle
+  - lastTransitionTime: "2024-06-10T17:51:09Z"
+    message: Successfully unpacked the image Bundle
     reason: UnpackSuccessful
     status: "True"
-    type: HasValidBundle
-  - lastTransitionTime: "2024-01-30T20:06:28Z"
-    message: Instantiated bundle pipelines-operator-29x720cjzx8yiowf13a3j75fil2zs3mfw
-      successfully
+    type: Unpacked
+  - lastTransitionTime: "2024-06-10T17:51:10Z"
+    message: Instantiated bundle pipelines-operator successfully
     reason: InstallationSucceeded
     status: "True"
     type: Installed
-  - lastTransitionTime: "2024-01-30T20:06:40Z"
+  - lastTransitionTime: "2024-06-10T17:51:19Z"
     message: BundleDeployment is healthy
     reason: Healthy
     status: "True"
     type: Healthy
-  observedGeneration: 2
+  contentURL: https://core.openshift-rukpak.svc/bundles/pipelines-operator.tgz
+  observedGeneration: 1
+  resolvedSource:
+    image:
+      ref: registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:dd3d18367da2be42539e5dde8e484dac3df33ba3ce1d5bcf896838954f3864ec
+    type: image
 ----
 ====
diff --git a/modules/olmv1-operator-api.adoc b/modules/olmv1-operator-api.adoc
deleted file mode 100644
index ecb2761cc726..000000000000
--- a/modules/olmv1-operator-api.adoc
+++ /dev/null
@@ -1,32 +0,0 @@
-// Module included in the following assemblies:
-//
-// * operators/olm_v1/olmv1-plain-bundles.adoc
-
-:_mod-docs-content-type: CONCEPT
-
-[id="olmv1-operator-api"]
-= Operator API
-
-Operator Controller provides a new `Operator` API object, which is a single resource that represents an instance of an installed Operator. This `operator.operators.operatorframework.io` API streamlines management of installed Operators by consolidating user-facing APIs into a single object.
-
-[IMPORTANT]
-====
-In {olmv1}, `Operator` objects are cluster-scoped. This differs from earlier OLM versions where Operators could be either namespace-scoped or cluster-scoped, depending on the configuration of their related `Subscription` and `OperatorGroup` objects.
-
-For more information about the earlier behavior, see _Multitenancy and Operator colocation_.
-====
-
-.Example `Operator` object
-[source,yaml]
-----
-apiVersion: operators.operatorframework.io/v1alpha1
-kind: Operator
-metadata:
-  name: <operator_name>
-spec:
-  packageName: <package_name>
-  channel: <channel_name>
-  version: <version_number>
-----
-
-include::snippets/olmv1-operator-api-group.adoc[]
\ No newline at end of file
diff --git a/modules/olmv1-updating-an-operator.adoc b/modules/olmv1-updating-an-operator.adoc
index 85b80b490678..7d9302e3ef92 100644
--- a/modules/olmv1-updating-an-operator.adoc
+++ b/modules/olmv1-updating-an-operator.adoc
@@ -5,9 +5,9 @@
 :_mod-docs-content-type: PROCEDURE
 
 [id="olmv1-updating-an-operator_{context}"]
-= Updating an Operator
+= Updating a cluster extension
 
-You can update your Operator or extension by manually editing the custom resource (CR) and applying the changes.
+You can update your cluster extension or Operator by manually editing the custom resource (CR) and applying the changes.
 
 .Prerequisites
 
@@ -49,6 +49,7 @@ $ jq -s '.[] | select( .schema == "olm.channel" ) | \
 "pipelines-1.11"
 "pipelines-1.12"
 "pipelines-1.13"
+"pipelines-1.14"
 ----
 ====
 
@@ -83,7 +84,10 @@ select( .schema == "olm.channel" ) | select( .name == "latest" ) | \
 "openshift-pipelines-operator-rh.v1.12.1"
 "openshift-pipelines-operator-rh.v1.12.2"
 "openshift-pipelines-operator-rh.v1.13.0"
-"openshift-pipelines-operator-rh.v1.13.1"
+"openshift-pipelines-operator-rh.v1.14.1"
+"openshift-pipelines-operator-rh.v1.14.2"
+"openshift-pipelines-operator-rh.v1.14.3"
+"openshift-pipelines-operator-rh.v1.14.4"
 ----
 ====
 
@@ -91,13 +95,13 @@ select( .schema == "olm.channel" ) | select( .name == "latest" ) | \
 +
 [source,terminal]
 ----
-$ oc get operator.operators.operatorframework.io <operator_name> -o yaml
+$ oc get clusterextension <operator_name> -o yaml
 ----
 +
 .Example command
 [source,terminal]
 ----
-$ oc get operator.operators.operatorframework.io pipelines-operator -o yaml
+$ oc get clusterextension pipelines-operator -o yaml
 ----
 +
 .Example output
@@ -105,44 +109,69 @@ $ oc get operator.operators.operatorframework.io pipelines-operator -o yaml
 ====
 [source,text]
 ----
-apiVersion: operators.operatorframework.io/v1alpha1
-kind: Operator
+apiVersion: olm.operatorframework.io/v1alpha1
+kind: ClusterExtension
 metadata:
   annotations:
-    kubectl.kubernetes.io/last-applied-configuration: |  {"apiVersion":"operators.operatorframework.io/v1alpha1","kind":"Operator","metadata":{"annotations":{},"name":"pipelines-operator"},"spec":{"channel":"latest","packageName":"openshift-pipelines-operator-rh","version":"1.11.1"}}
-  creationTimestamp: "2024-02-06T17:47:15Z"
-  generation: 2
+    kubectl.kubernetes.io/last-applied-configuration: |
+      {"apiVersion":"olm.operatorframework.io/v1alpha1","kind":"ClusterExtension","metadata":{"annotations":{},"name":"pipelines-operator"},"spec":{"channel":"latest","installNamespace":"openshift-operators","packageName":"openshift-pipelines-operator-rh","pollInterval":"30m","version":"\u003c1.12"}}
+  creationTimestamp: "2024-06-11T15:55:37Z"
+  generation: 1
   name: pipelines-operator
-  resourceVersion: "84528"
-  uid: dffe2c89-b9c4-427e-b694-ada0b37fc0a9
+  resourceVersion: "69776"
+  uid: 6a11dff3-bfa3-42b8-9e5f-d8babbd6486f
 spec:
-  channel: latest <1>
+  channel: latest
+  installNamespace: openshift-operators
   packageName: openshift-pipelines-operator-rh
   upgradeConstraintPolicy: Enforce
-  version: 1.11.1 <2>
+  version: <1.12
 status:
   conditions:
-  - lastTransitionTime: "2024-02-06T17:47:21Z"
-    message: bundledeployment status is unknown
-    observedGeneration: 2
-    reason: InstallationStatusUnknown
-    status: Unknown
+  - lastTransitionTime: "2024-06-11T15:56:09Z"
+    message: installed from "registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:e09d37bb1e754db42324fd18c1cb3e7ce77e7b7fcbf4932d0535391579938280"
+    observedGeneration: 1
+    reason: Success
+    status: "True"
     type: Installed
-  - lastTransitionTime: "2024-02-06T17:50:58Z"
+  - lastTransitionTime: "2024-06-11T15:55:50Z"
     message: resolved to "registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:e09d37bb1e754db42324fd18c1cb3e7ce77e7b7fcbf4932d0535391579938280"
-    observedGeneration: 2
+    observedGeneration: 1
     reason: Success
     status: "True"
     type: Resolved
-  resolvedBundleResource: registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:e09d37bb1e754db42324fd18c1cb3e7ce77e7b7fcbf4932d0535391579938280
+  - lastTransitionTime: "2024-06-11T15:55:50Z"
+    message: ""
+    observedGeneration: 1
+    reason: Deprecated
+    status: "False"
+    type: Deprecated
+  - lastTransitionTime: "2024-06-11T15:55:50Z"
+    message: ""
+    observedGeneration: 1
+    reason: Deprecated
+    status: "False"
+    type: PackageDeprecated
+  - lastTransitionTime: "2024-06-11T15:55:50Z"
+    message: ""
+    observedGeneration: 1
+    reason: Deprecated
+    status: "False"
+    type: ChannelDeprecated
+  - lastTransitionTime: "2024-06-11T15:55:50Z"
+    message: ""
+    observedGeneration: 1
+    reason: Deprecated
+    status: "False"
+    type: BundleDeprecated
+  installedBundle:
+    name: openshift-pipelines-operator-rh.v1.11.1
+    version: 1.11.1
+  resolvedBundle:
+    name: openshift-pipelines-operator-rh.v1.11.1
+    version: 1.11.1
 ----
-<1> Specifies the channel for your Operator or extension.
-<2> Specifies the version or version range for your Operator or extension.
 ====
-+
---
-include::snippets/olmv1-version-range-cr-adomn.adoc[]
---
 
 . Edit your CR by using one of the following methods:
 
@@ -151,13 +180,14 @@ include::snippets/olmv1-version-range-cr-adomn.adoc[]
 .Example `pipelines-operator.yaml` CR
 [source,yaml]
 ----
-apiVersion: operators.operatorframework.io/v1alpha1
-kind: Operator
+apiVersion: olm.operatorframework.io/v1alpha1
+kind: ClusterExtension
 metadata:
   name: pipelines-operator
 spec:
   packageName: openshift-pipelines-operator-rh
-  version: 1.12.1 <1>
+  installNamespace: <namespace>
+  version: "1.12.1" <1>
 ----
 <1> Update the version from `1.11.1` to `1.12.1`
 
@@ -166,12 +196,13 @@ spec:
 .Example CR with a version range specified
 [source,yaml]
 ----
-apiVersion: operators.operatorframework.io/v1alpha1
-kind: Operator
+apiVersion: olm.operatorframework.io/v1alpha1
+kind: ClusterExtension
 metadata:
   name: pipelines-operator
 spec:
   packageName: openshift-pipelines-operator-rh
+  installNamespace: <namespace>
   version: ">1.11.1, <1.13" <1>
 ----
 <1> Specifies that the desired version range is greater than version `1.11.1` and less than `1.13`. For more information, see "Support for version ranges" and "Version comparison strings".
@@ -181,12 +212,13 @@ spec:
 .Example CR with a specified channel
 [source,yaml]
 ----
-apiVersion: operators.operatorframework.io/v1alpha1
-kind: Operator
+apiVersion: olm.operatorframework.io/v1alpha1
+kind: ClusterExtension
 metadata:
   name: pipelines-operator
 spec:
   packageName: openshift-pipelines-operator-rh
+  installNamespace: <namespace>
   channel: pipelines-1.13 <1>
 ----
 <1> Installs the latest release that can be resolved from the specified channel. Updates to the channel are automatically installed.
@@ -196,12 +228,13 @@ spec:
 .Example CR with a specified channel and version range
 [source,yaml]
 ----
-apiVersion: operators.operatorframework.io/v1alpha1
-kind: Operator
+apiVersion: olm.operatorframework.io/v1alpha1
+kind: ClusterExtension
 metadata:
   name: pipelines-operator
 spec:
   packageName: openshift-pipelines-operator-rh
+  installNamespace: <namespace>
   channel: latest
   version: "<1.13"
 ----
@@ -218,7 +251,7 @@ $ oc apply -f pipelines-operator.yaml
 .Example output
 [source,text]
 ----
-operator.operators.operatorframework.io/pipelines-operator configured
+clusterextension.olm.operatorframework.io/pipelines-operator configured
 ----
 +
 [TIP]
@@ -227,15 +260,15 @@ You can patch and apply the changes to your CR from the CLI by running the follo
 
 [source,terminal]
 ----
-$ oc patch operator.operators.operatorframework.io/pipelines-operator -p \
-  '{"spec":{"version":"1.12.1"}}' \
+$ oc patch clusterextension/pipelines-operator -p \
+  '{"spec":{"version":"<1.13"}}' \
   --type=merge
 ----
 
 .Example output
 [source,text]
 ----
-operator.operators.operatorframework.io/pipelines-operator patched
+clusterextension.olm.operatorframework.io/pipelines-operator patched
 ----
 ====
 
@@ -245,7 +278,7 @@ operator.operators.operatorframework.io/pipelines-operator patched
 +
 [source,terminal]
 ----
-$ oc get operator.operators.operatorframework.io pipelines-operator -o yaml
+$ oc get clusterextension pipelines-operator -o yaml
 ----
 +
 .Example output
@@ -253,88 +286,139 @@ $ oc get operator.operators.operatorframework.io pipelines-operator -o yaml
 ====
 [source,yaml]
 ----
-apiVersion: operators.operatorframework.io/v1alpha1
-kind: Operator
+apiVersion: olm.operatorframework.io/v1alpha1
+kind: ClusterExtension
 metadata:
   annotations:
     kubectl.kubernetes.io/last-applied-configuration: |
-      {"apiVersion":"operators.operatorframework.io/v1alpha1","kind":"Operator","metadata":{"annotations":{},"name":"pipelines-operator"},"spec":{"channel":"latest","packageName":"openshift-pipelines-operator-rh","version":"1.12.1"}}
-  creationTimestamp: "2024-02-06T19:16:12Z"
-  generation: 4
+      {"apiVersion":"olm.operatorframework.io/v1alpha1","kind":"ClusterExtension","metadata":{"annotations":{},"name":"pipelines-operator"},"spec":{"channel":"latest","installNamespace":"openshift-operators","packageName":"openshift-pipelines-operator-rh","pollInterval":"30m","version":"\u003c1.13"}}
+  creationTimestamp: "2024-06-11T18:23:26Z"
+  generation: 2
   name: pipelines-operator
-  resourceVersion: "58122"
-  uid: 886bbf73-604f-4484-9f87-af6ce0f86914
+  resourceVersion: "66310"
+  uid: ce0416ba-13ea-4069-a6c8-e5efcbc47537
 spec:
   channel: latest
+  installNamespace: openshift-operators
   packageName: openshift-pipelines-operator-rh
   upgradeConstraintPolicy: Enforce
-  version: 1.12.1 <1>
+  version: <1.13
 status:
   conditions:
-  - lastTransitionTime: "2024-02-06T19:30:57Z"
-    message: installed from "registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:2f1b8ef0fd741d1d686489475423dabc07c55633a4dfebc45e1d533183179f6a"
-    observedGeneration: 3
+  - lastTransitionTime: "2024-06-11T18:23:33Z"
+    message: resolved to "registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:814742c8a7cc7e2662598e114c35c13993a7b423cfe92548124e43ea5d469f82"
+    observedGeneration: 2
     reason: Success
     status: "True"
-    type: Installed
-  - lastTransitionTime: "2024-02-06T19:30:57Z"
-    message: resolved to "registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:2f1b8ef0fd741d1d686489475423dabc07c55633a4dfebc45e1d533183179f6a"
-    observedGeneration: 3
+    type: Resolved
+  - lastTransitionTime: "2024-06-11T18:23:52Z"
+    message: installed from "registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:814742c8a7cc7e2662598e114c35c13993a7b423cfe92548124e43ea5d469f82"
+    observedGeneration: 2
     reason: Success
     status: "True"
-    type: Resolved
-  installedBundleResource: registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:2f1b8ef0fd741d1d686489475423dabc07c55633a4dfebc45e1d533183179f6a
-  resolvedBundleResource: registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:2f1b8ef0fd741d1d686489475423dabc07c55633a4dfebc45e1d533183179f6a
+    type: Installed
+  - lastTransitionTime: "2024-06-11T18:23:33Z"
+    message: ""
+    observedGeneration: 2
+    reason: Deprecated
+    status: "False"
+    type: Deprecated
+  - lastTransitionTime: "2024-06-11T18:23:33Z"
+    message: ""
+    observedGeneration: 2
+    reason: Deprecated
+    status: "False"
+    type: PackageDeprecated
+  - lastTransitionTime: "2024-06-11T18:23:33Z"
+    message: ""
+    observedGeneration: 2
+    reason: Deprecated
+    status: "False"
+    type: ChannelDeprecated
+  - lastTransitionTime: "2024-06-11T18:23:33Z"
+    message: ""
+    observedGeneration: 2
+    reason: Deprecated
+    status: "False"
+    type: BundleDeprecated
+  installedBundle:
+    name: openshift-pipelines-operator-rh.v1.12.2
+    version: 1.12.2
+  resolvedBundle:
+    name: openshift-pipelines-operator-rh.v1.12.2
+    version: 1.12.2
 ----
-<1> Verify that the version is updated to `1.12.1`.
 ====
 
 .Troubleshooting
 
-* If you specify a target version or channel that does not exist, you can run the following command to check the status of your Operator or extension:
+* If you specify a target version or channel that is deprecated or does not exist, you can run the following command to check the status of your extension:
 +
 [source,terminal]
 ----
-$ oc get operator.operators.operatorframework.io <operator_name> -o yaml
+$ oc get clusterextension <operator_name> -o yaml
 ----
 +
-.Example output
+.Example output for a version that does not exist
 [%collapsible]
 ====
 [source,text]
 ----
-oc get operator.operators.operatorframework.io pipelines-operator -o yaml
-apiVersion: operators.operatorframework.io/v1alpha1
-kind: Operator
+apiVersion: olm.operatorframework.io/v1alpha1
+kind: ClusterExtension
 metadata:
   annotations:
     kubectl.kubernetes.io/last-applied-configuration: |
-      {"apiVersion":"operators.operatorframework.io/v1alpha1","kind":"Operator","metadata":{"annotations":{},"name":"pipelines-operator"},"spec":{"channel":"latest","packageName":"openshift-pipelines-operator-rh","version":"2.0.0"}}
-  creationTimestamp: "2024-02-06T17:47:15Z"
-  generation: 1
+      {"apiVersion":"olm.operatorframework.io/v1alpha1","kind":"ClusterExtension","metadata":{"annotations":{},"name":"pipelines-operator"},"spec":{"channel":"latest","installNamespace":"openshift-operators","packageName":"openshift-pipelines-operator-rh","pollInterval":"30m","version":"3.0"}}
+  creationTimestamp: "2024-06-11T18:23:26Z"
+  generation: 3
   name: pipelines-operator
-  resourceVersion: "82667"
-  uid: dffe2c89-b9c4-427e-b694-ada0b37fc0a9
+  resourceVersion: "71852"
+  uid: ce0416ba-13ea-4069-a6c8-e5efcbc47537
 spec:
   channel: latest
+  installNamespace: openshift-operators
   packageName: openshift-pipelines-operator-rh
   upgradeConstraintPolicy: Enforce
-  version: 2.0.0
+  version: "3.0"
 status:
   conditions:
-  - lastTransitionTime: "2024-02-06T17:47:21Z"
-    message: installation has not been attempted due to failure to gather data for
-      resolution
-    observedGeneration: 1
-    reason: InstallationStatusUnknown
-    status: Unknown
-    type: Installed
-  - lastTransitionTime: "2024-02-06T17:47:21Z"
-    message: no package "openshift-pipelines-operator-rh" matching version "2.0.0"
-      found in channel "latest"
-    observedGeneration: 1
+  - lastTransitionTime: "2024-06-11T18:29:02Z"
+    message: 'error upgrading from currently installed version "1.12.2": no package
+      "openshift-pipelines-operator-rh" matching version "3.0" found in channel "latest"'
+    observedGeneration: 3
     reason: ResolutionFailed
     status: "False"
     type: Resolved
+  - lastTransitionTime: "2024-06-11T18:29:02Z"
+    message: installation has not been attempted as resolution failed
+    observedGeneration: 3
+    reason: InstallationStatusUnknown
+    status: Unknown
+    type: Installed
+  - lastTransitionTime: "2024-06-11T18:29:02Z"
+    message: deprecation checks have not been attempted as resolution failed
+    observedGeneration: 3
+    reason: Deprecated
+    status: Unknown
+    type: Deprecated
+  - lastTransitionTime: "2024-06-11T18:29:02Z"
+    message: deprecation checks have not been attempted as resolution failed
+    observedGeneration: 3
+    reason: Deprecated
+    status: Unknown
+    type: PackageDeprecated
+  - lastTransitionTime: "2024-06-11T18:29:02Z"
+    message: deprecation checks have not been attempted as resolution failed
+    observedGeneration: 3
+    reason: Deprecated
+    status: Unknown
+    type: ChannelDeprecated
+  - lastTransitionTime: "2024-06-11T18:29:02Z"
+    message: deprecation checks have not been attempted as resolution failed
+    observedGeneration: 3
+    reason: Deprecated
+    status: Unknown
+    type: BundleDeprecated
 ----
 ====
diff --git a/modules/olmv1-version-range-comparisons.adoc b/modules/olmv1-version-range-comparisons.adoc
index 3143540c3209..c5f2ac2fda07 100644
--- a/modules/olmv1-version-range-comparisons.adoc
+++ b/modules/olmv1-version-range-comparisons.adoc
@@ -40,12 +40,13 @@ You can specify a version range in an Operator or extension's CR by using a rang
 .Example version range comparison
 [source,yaml]
 ----
-apiVersion: operators.operatorframework.io/v1alpha1
-kind: Operator
+apiVersion: olm.operatorframework.io/v1alpha1
+kind: ClusterExtension
 metadata:
   name: pipelines-operator
 spec:
   packageName: openshift-pipelines-operator-rh
+  installNamespace: <namespace_name>
   version: ">=1.11, <1.13"
 ----
 
@@ -96,7 +97,7 @@ You can make patch release comparisons by using the tilde (`~`) comparison opera
 
 |===
 
-You can use the caret (`^`) comparison operator to make a comparison for a major release. If you use a major release comparison before the first stable release is published, the minor versions define the API's level of stability. In the semantic versioning (SemVer) specification, the first stable release is published as the `1.0.0` version.
+You can use the caret (`^`) comparison operator to make a comparison for a major release. If you make a major release comparison before the first stable release is published, the minor versions define the API's level of stability. In the semantic versioning (semver) specification, the first stable release is published as the `1.0.0` version.
 
 .Example major release comparisons
 [options="header"]
diff --git a/modules/osd-aws-privatelink-about.adoc b/modules/osd-aws-privatelink-about.adoc
index 5b4e8ac61cad..7c610735eeb4 100644
--- a/modules/osd-aws-privatelink-about.adoc
+++ b/modules/osd-aws-privatelink-about.adoc
@@ -16,7 +16,7 @@ ifdef::rosa-hcp[]
 All {hcp-title} clusters are created with an AWS PrivateLink connection to expose the private Kubernetes API server to the customer's virtual private cloud (VPC).
 endif::rosa-hcp[]
 ifndef::rosa-hcp[]
-A {product-title} cluster can be created without any requirements on public subnets, internet gateways, or network address translation (NAT) gateways. In this configuration, Red Hat uses AWS PrivateLink to manage and monitor a cluster to avoid all public ingress network traffic. Without a public subnet, it is not possible to configure an application router as public. Configuring private application routers is the only option.
+A {product-title} cluster can be created without any requirements on public subnets, internet gateways, or network address translation (NAT) gateways. In this configuration, Red{nbsp}Hat uses AWS PrivateLink to manage and monitor a cluster to avoid all public ingress network traffic. Without a public subnet, it is not possible to configure an application router as public. Configuring private application routers is the only option.
 endif::rosa-hcp[]
 
 For more information, see link:https://aws.amazon.com/privatelink/[AWS PrivateLink] on the AWS website.
diff --git a/modules/osd-aws-privatelink-architecture.adoc b/modules/osd-aws-privatelink-architecture.adoc
index dfce0e1c3df2..df39664ca0fc 100644
--- a/modules/osd-aws-privatelink-architecture.adoc
+++ b/modules/osd-aws-privatelink-architecture.adoc
@@ -5,7 +5,7 @@
 [id="osd-aws-privatelink-architecture.adoc_{context}"]
 = AWS PrivateLink architecture
 
-The Red Hat managed infrastructure that creates AWS PrivateLink clusters is hosted on private subnets. The connection between Red Hat and the customer-provided infrastructure is created through AWS PrivateLink VPC endpoints.
+The Red{nbsp}Hat managed infrastructure that creates AWS PrivateLink clusters is hosted on private subnets. The connection between Red{nbsp}Hat and the customer-provided infrastructure is created through AWS PrivateLink VPC endpoints.
 
 [NOTE]
 ====
diff --git a/modules/osd-aws-privatelink-firewall-prerequisites.adoc b/modules/osd-aws-privatelink-firewall-prerequisites.adoc
index d6848c758338..1adc5de5496f 100644
--- a/modules/osd-aws-privatelink-firewall-prerequisites.adoc
+++ b/modules/osd-aws-privatelink-firewall-prerequisites.adoc
@@ -67,7 +67,7 @@ endif::[]
 
 |`sso.redhat.com`
 |443
-|Required. The `https://console.redhat.com/openshift` site uses authentication from `sso.redhat.com` to download the pull secret and use Red Hat SaaS solutions to facilitate monitoring of your subscriptions, cluster inventory, chargeback reporting, and so on.
+|Required. The `https://console.redhat.com/openshift` site uses authentication from `sso.redhat.com` to download the pull secret and use Red{nbsp}Hat SaaS solutions to facilitate monitoring of your subscriptions, cluster inventory, chargeback reporting, and so on.
 
 |`quay-registry.s3.amazonaws.com`
 |443
@@ -91,7 +91,7 @@ endif::[]
 
 |`registry.access.redhat.com`
 |443
-|Hosts all the container images that are stored on the Red Hat Ecosytem Catalog. Additionally, the registry provides access to the `odo` CLI tool that helps developers build on OpenShift and Kubernetes.
+|Hosts all the container images that are stored on the Red{nbsp}Hat Ecosytem Catalog. Additionally, the registry provides access to the `odo` CLI tool that helps developers build on OpenShift and Kubernetes.
 
 |`access.redhat.com`
 |443
@@ -180,11 +180,11 @@ endif::fedramp[]
 
 |`console.redhat.com`
 |443
-|Required for telemetry and Red Hat Insights.
+|Required for telemetry and Red{nbsp}Hat Insights.
 
 |`cloud.redhat.com/api/ingress`
 |443
-|Required for telemetry and Red Hat Insights.
+|Required for telemetry and Red{nbsp}Hat Insights.
 
 |`observatorium-mst.api.openshift.com`
 |443
@@ -195,8 +195,8 @@ endif::fedramp[]
 |Required for managed OpenShift-specific telemetry.
 |===
 +
-Managed clusters require enabling telemetry to allow Red Hat to react more quickly to problems, better support the customers, and better understand how product upgrades impact clusters.
-For more information about how remote health monitoring data is used by Red Hat, see _About remote health monitoring_ in the _Additional resources_ section.
+Managed clusters require enabling telemetry to allow Red{nbsp}Hat to react more quickly to problems, better support the customers, and better understand how product upgrades impact clusters.
+For more information about how remote health monitoring data is used by Red{nbsp}Hat, see _About remote health monitoring_ in the _Additional resources_ section.
 
 . Allowlist the following Amazon Web Services (AWS) API URls:
 +
@@ -286,11 +286,11 @@ Alternatively, if you choose to not use a wildcard for Amazon Web Services (AWS)
 
 |`api.pagerduty.com`
 |443
-|This alerting service is used by the in-cluster alertmanager to send alerts notifying Red Hat SRE of an event to take action on.
+|This alerting service is used by the in-cluster alertmanager to send alerts notifying Red{nbsp}Hat SRE of an event to take action on.
 
 |`events.pagerduty.com`
 |443
-|This alerting service is used by the in-cluster alertmanager to send alerts notifying Red Hat SRE of an event to take action on.
+|This alerting service is used by the in-cluster alertmanager to send alerts notifying Red{nbsp}Hat SRE of an event to take action on.
 
 |`api.deadmanssnitch.com`
 |443
@@ -317,11 +317,11 @@ OR
 `inputs14.osdsecuritylogs.splunkcloud.com`
 `inputs15.osdsecuritylogs.splunkcloud.com`
 |9997
-|Used by the `splunk-forwarder-operator` as a logging forwarding endpoint to be used by Red Hat SRE for log-based alerting.
+|Used by the `splunk-forwarder-operator` as a logging forwarding endpoint to be used by Red{nbsp}Hat SRE for log-based alerting.
 
 |`http-inputs-osdsecuritylogs.splunkcloud.com`
 |443
-|Required. Used by the `splunk-forwarder-operator` as a logging forwarding endpoint to be used by Red Hat SRE for log-based alerting.
+|Required. Used by the `splunk-forwarder-operator` as a logging forwarding endpoint to be used by Red{nbsp}Hat SRE for log-based alerting.
 
 |`sftp.access.redhat.com` (Recommended)
 |22
diff --git a/modules/osd-rhoam.adoc b/modules/osd-rhoam.adoc
index a8593a63ac3c..49ba58b8464f 100644
--- a/modules/osd-rhoam.adoc
+++ b/modules/osd-rhoam.adoc
@@ -4,14 +4,14 @@
 // * adding_service_cluster/rosa-available-services.adoc
 :_mod-docs-content-type: CONCEPT
 [id="osd-rhoam_{context}"]
-= Red Hat OpenShift API Management
+= Red{nbsp}Hat OpenShift API Management
 
-The Red Hat OpenShift API Management (OpenShift API Management) service is available as an add-on to your {product-title} on AWS cluster. OpenShift API Management is a managed API traffic control and API program management solution. It is based on the 3scale API Management platform and implements single sign-on for Red Hat solutions to secure and protect your APIs.
+The Red{nbsp}Hat OpenShift API Management (OpenShift API Management) service is available as an add-on to your {product-title} on AWS cluster. OpenShift API Management is a managed API traffic control and API program management solution. It is based on the 3scale API Management platform and implements single sign-on for Red{nbsp}Hat solutions to secure and protect your APIs.
 
 This OpenShift API Management entitlement provides:
 
 ifdef::openshift-rosa[]
-* Availability to any cluster that meets the resource requirements listed in the Red Hat OpenShift API Management service definition.
+* Availability to any cluster that meets the resource requirements listed in the Red{nbsp}Hat OpenShift API Management service definition.
 endif::[]
 ifdef::openshift-dedicated[]
 * Availability to any cluster that meets the resource requirements listed in the {product-title} service definition.
diff --git a/modules/ossm-rn-fixed-issues.adoc b/modules/ossm-rn-fixed-issues.adoc
index d620bd8fb818..d371935951f0 100644
--- a/modules/ossm-rn-fixed-issues.adoc
+++ b/modules/ossm-rn-fixed-issues.adoc
@@ -15,7 +15,21 @@ Provide the following info for each issue if possible:
 ////
 
 The following issues have been resolved in the current release:
-//current release is 2.5.1/2.4.7/2.3.11 scheduled for April 18, 2024
+
+//current release is 2.5.2/2.4.8/2.3.12 scheduled for May 22, 2024
+
+* https://issues.redhat.com/browse/OSSM-6331[OSSM-6331] Previously, the `smcp.general.logging.componentLevels` spec accepted invalid `LogLevel` values, and the `ServiceMeshControlPlane` resource was still created. Now, the terminal shows an error message if an invalid value is used, and the control plane is not created.
+
+* https://issues.redhat.com/browse/OSSM-6290[OSSM-6290] Previously, the **Project** filter of the **Istio Config** list page did not work correctly. All `istio config` items were displayed from all namespaces even if you selected a specific project from the drop-down menu. Now, only the `istio config` items that belong to the selected project in the filter dropdown are displayed.
+
+* https://issues.redhat.com/browse/OSSM-6298[OSSM-6298] Previously, when you clicked an item reference within the {SMPlugin}, the console sometimes performed multiple redirects before opening the desired page. As a result, navigating back to the previous page that was open in the console caused your web browser to open the wrong page. Now, these redirects do not occur, and clicking *Back* in a web browser brings you to the correct page.
+
+* https://issues.redhat.com/browse/OSSM-6299[OSSM-6299] Previously, in {product-title} 4.15, when you clicked the **Node graph** menu option of any node menu within the traffic graph, the node graph was not displayed. Instead, the page refreshed with the same traffic graph. Now, clicking the **Node graph** menu option correctly displays the node graph.
+
+The following issues have been resolved in previous releases:
+
+[id="ossm-rn-fixed-issues-ossm_{context}"]
+== {SMProductShortName} fixed issues
 
 * https://issues.redhat.com/browse/OSSM-6177[OSSM-6177] Previously, when validation messages were enabled in the `ServiceMeshControlPlane` (SMCP), the `istiod` crashed continuously unless `GatewayAPI` support was enabled. Now, when validation messages are enabled but `GatewayAPI` support is not, the `istiod` does not continuously crash.
 
@@ -37,11 +51,6 @@ The following issues have been resolved in the current release:
 
 * https://issues.redhat.com/browse/OSSM-5541[OSSM-5541] Previously, an Istio operator pod might keep waiting for the leader lease in some restart conditions. Now, the leader election implementation has been enhanced to avoid this issue.
 
-The following issues have been resolved in previous releases:
-
-[id="ossm-rn-fixed-issues-ossm_{context}"]
-== {SMProductShortName} fixed issues
-
 * https://issues.redhat.com/browse/OSSM-1397[OSSM-1397] Previously, if you removed the `maistra.io/member-of` label from a namespace, the {SMProductShortName} Operator did not automatically reapply the label to the namespace. As a result, sidecar injection did not work in the namespace.
 +
 The Operator would reapply the label to the namespace when you made changes to the `ServiceMeshMember` object, which triggered the reconciliation of this member object.
diff --git a/modules/ossm-rn-known-issues.adoc b/modules/ossm-rn-known-issues.adoc
index 096a7a6ee1d3..5840cffb60c9 100644
--- a/modules/ossm-rn-known-issues.adoc
+++ b/modules/ossm-rn-known-issues.adoc
@@ -201,14 +201,6 @@ New issues for Kiali should be created in the link:https://issues.redhat.com/pro
 
 These are the known issues in Kiali:
 
-* https://issues.redhat.com/browse/OSSM-6299[OSSM-6299] In {product-title} 4.15, when you click the **Node graph** menu option of any node menu within the traffic graph, the node graph is not displayed. Instead, the page is refreshed with the same traffic graph. Currently, no workaround exists for this issue.
-
-* https://issues.redhat.com/browse/OSSM-6298[OSSM-6298] When you click an item reference within the {SMPlugin}, such as a workload link related to a specific service, the console sometimes performs multiple redirections before opening the desired page. If you click *Back* in a web browser, a different page of the console opens instead of the previous page.
-+
-Workaround: In the web browser, click *Back* twice to navigate to the previous page.
-
-* https://issues.redhat.com/browse/OSSM-6290[OSSM-6290] For {product-title} 4.15, the **Project** filter of the **Istio Config** list page does not work correctly. All `istio` items are displayed even if you select a specific project from the dropdown. Currently, no workaround exists for this issue.
-
 //Keep KIALI-2206 in RN as this is for information purposes.
 * link:https://issues.jboss.org/browse/KIALI-2206[KIALI-2206] When you are accessing the Kiali console for the first time, and there is no cached browser data for Kiali, the “View in Grafana” link on the Metrics tab of the Kiali Service Details page redirects to the wrong location. The only way you would encounter this issue is if you are accessing Kiali for the first time.
 //Keep KIALI-507 in RN as this is for information purposes.
diff --git a/modules/ossm-rn-new-features.adoc b/modules/ossm-rn-new-features.adoc
index 8b7fe27400d0..18561b0c7f72 100644
--- a/modules/ossm-rn-new-features.adoc
+++ b/modules/ossm-rn-new-features.adoc
@@ -15,6 +15,34 @@ Module included in the following assemblies:
 
 This release adds improvements related to the following components and concepts.
 
+[id="new-features-ossm-2-5-2"]
+== New features {SMProductName} version 2.5.2
+
+//Release is scheduled for May 22, 2024.
+//As of May 8, there are no new features so the phrase "new features" has been removed. This is a z-stream release to update containers before they are Grade B or C on May 28.
+//Includes 2.5.2, 2.4.8, 2.3.12
+
+This release of {SMProductName} addresses Common Vulnerabilities and Exposures (CVEs), contains bug fixes, and is supported on {product-title} 4.12 and later.
+
+The most current version of the {SMProductName} Operator can be used with all supported versions of {SMProductShortName}. The version of {SMProductShortName} is specified using the `ServiceMeshControlPlane`.
+
+=== Component versions for {SMProductName} version 2.5.2
+
+// Release is scheduled for May 22, 2024. Code and Doc Freeze is scheduled for May 10, 2024. Component versions should be available after May 10.
+
+|===
+|Component |Version
+
+|Istio
+|1.18.5
+
+|Envoy Proxy
+|1.26.8
+
+|Kiali
+|1.73.8
+|===
+
 [id="new-features-ossm-2-5-1"]
 == New features {SMProductName} version 2.5.1
 
@@ -150,6 +178,34 @@ A new version of the Gateway API custom resource definition (CRD) is now availab
 |For multitenant mesh deployment, all Gateway API CRDs must be present. Use the experimental branch.
 |===
 
+[id="new-features-ossm-2-4-8"]
+== New features {SMProductName} version 2.4.8
+
+//Release is scheduled for May 22, 2024.
+//As of May 8, there are no new features so the phrase "new features" has been removed. This is a z-stream release to update containers before they are Grade B or C on May 28.
+//Includes 2.5.2, 2.4.8, 2.3.12
+
+This release of {SMProductName} addresses Common Vulnerabilities and Exposures (CVEs), contains bug fixes, and is supported on {product-title} 4.12 and later.
+
+The most current version of the {SMProductName} Operator can be used with all supported versions of {SMProductShortName}. The version of {SMProductShortName} is specified using the `ServiceMeshControlPlane`.
+
+=== Component versions for {SMProductName} version 2.4.8
+
+// Release is scheduled for May 22, 2024. Code and Doc Freeze is scheduled for May 10, 2024. Component versions should be available after May 10.
+
+|===
+|Component |Version
+
+|Istio
+|1.16.7
+
+|Envoy Proxy
+|1.24.12
+
+|Kiali
+|1.65.11
+|===
+
 [id="new-features-ossm-2-4-7"]
 == New features {SMProductName} version 2.4.7
 
@@ -474,6 +530,34 @@ ifndef::openshift-rosa,openshift-dedicated[]
 * OpenTelemetry API remains a Technology Preview feature.
 endif::openshift-rosa,openshift-dedicated[]
 
+[id="new-features-ossm-2-3-12"]
+== New features {SMProductName} version 2.3.12
+
+//Release is scheduled for May 22, 2024.
+//As of May 8, there are no new features so the phrase "new features" has been removed. This is a z-stream release to update containers before they are Grade B or C on May 28.
+//Includes 2.5.2, 2.4.8, 2.3.12
+
+This release of {SMProductName} addresses Common Vulnerabilities and Exposures (CVEs), contains bug fixes, and is supported on {product-title} 4.12 and later.
+
+The most current version of the {SMProductName} Operator can be used with all supported versions of {SMProductShortName}. The version of {SMProductShortName} is specified using the `ServiceMeshControlPlane`.
+
+=== Component versions for {SMProductName} version 2.3.12
+
+// Release is scheduled for May 22, 2024. Code and Doc Freeze is scheduled for May 10, 2024. Component versions should be available after May 10.
+
+|===
+|Component |Version
+
+|Istio
+|1.14.5
+
+|Envoy Proxy
+|1.22.11
+
+|Kiali
+|1.57.14
+|===
+
 [id="new-features-ossm-2-3-11"]
 == New features {SMProductName} version 2.3.11
 
diff --git a/modules/ossm-routing-bookinfo-example.adoc b/modules/ossm-routing-bookinfo-example.adoc
index f28ab819e636..cc191fe6d4b8 100644
--- a/modules/ossm-routing-bookinfo-example.adoc
+++ b/modules/ossm-routing-bookinfo-example.adoc
@@ -12,6 +12,6 @@ When you access the Bookinfo app `/product` page in a browser and refresh severa
 
 This tutorial helps you apply rules that route all traffic to `v1` (version 1) of the microservices. Later, you can apply a rule to route traffic based on the value of an HTTP request header.
 
-.Prerequisites:
+.Prerequisites
 
 * Deploy the Bookinfo sample application to work with the following examples.
diff --git a/modules/ossm-routing-ingress.adoc b/modules/ossm-routing-ingress.adoc
index 15d5e070579a..a3ff04e13e1a 100644
--- a/modules/ossm-routing-ingress.adoc
+++ b/modules/ossm-routing-ingress.adoc
@@ -24,10 +24,6 @@ That command returns the `NAME`, `TYPE`, `CLUSTER-IP`, `EXTERNAL-IP`, `PORT(S)`,
 If the `EXTERNAL-IP` value is set, your environment has an external load balancer that you can use for the ingress gateway.
 
 If the `EXTERNAL-IP` value is `<none>`, or perpetually `<pending>`, your environment does not provide an external load balancer for the ingress gateway.
-ifdef::openshift-enterprise[]
-You can access the gateway using the service's xref:../../networking/configuring-node-port-service-range.adoc#configuring-node-port-service-range[node port].
-
-endif::[]
 
 ////
 TO DO - remove XREF in this module.
diff --git a/modules/ossm-threescale-integrate-1x.adoc b/modules/ossm-threescale-integrate-1x.adoc
index 863932aa7fb9..d9da010dd656 100644
--- a/modules/ossm-threescale-integrate-1x.adoc
+++ b/modules/ossm-threescale-integrate-1x.adoc
@@ -10,7 +10,7 @@
 You can use these examples to configure requests to your services using the 3scale Istio Adapter.
 
 
-.Prerequisites:
+.Prerequisites
 
 * {SMProductName} version 1.x
 * A working 3scale account (link:https://www.3scale.net/signup/[SaaS] or link:https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.5/html/installing_3scale/onpremises-installation[3scale 2.5 On-Premises])
diff --git a/modules/ossm-threescale-integrate.adoc b/modules/ossm-threescale-integrate.adoc
index e5a5194752f7..9ff75c9ae86e 100644
--- a/modules/ossm-threescale-integrate.adoc
+++ b/modules/ossm-threescale-integrate.adoc
@@ -10,7 +10,7 @@
 You can use these examples to configure requests to your services using the 3scale Istio Adapter.
 
 
-.Prerequisites:
+.Prerequisites
 
 * {SMProductName} version 2.x
 * A working 3scale account (link:https://www.3scale.net/signup/[SaaS] or link:https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.9/html/installing_3scale/install-threescale-on-openshift-guide[3scale 2.9 On-Premises])
diff --git a/modules/ossm-tutorial-bookinfo-install.adoc b/modules/ossm-tutorial-bookinfo-install.adoc
index c33f2a9041ff..ec10471f0e60 100644
--- a/modules/ossm-tutorial-bookinfo-install.adoc
+++ b/modules/ossm-tutorial-bookinfo-install.adoc
@@ -10,7 +10,7 @@ This PROCEDURE module included in the following assemblies:
 
 This tutorial walks you through how to create a sample application by creating a project, deploying the Bookinfo application to that project, and viewing the running application in {SMProductShortName}.
 
-.Prerequisites:
+.Prerequisites
 
 * {product-title} 4.1 or higher installed.
 * {SMProductName} {SMProductVersion} installed.
diff --git a/modules/ossm-tutorial-grafana-accessing.adoc b/modules/ossm-tutorial-grafana-accessing.adoc
index 41aaf3a8e585..337dc311e9dc 100644
--- a/modules/ossm-tutorial-grafana-accessing.adoc
+++ b/modules/ossm-tutorial-grafana-accessing.adoc
@@ -9,7 +9,7 @@ This PROCEDURE module included in the following assemblies:
 
 The Grafana dashboard's web-based interface lets you visualize your metrics data.
 
-.Prerequisites:
+.Prerequisites
 
 * {product-title} 3.11 or higher installed.
 * {SMProductName} {SMProductVersion} installed.
diff --git a/modules/ossm-tutorial-jaeger-generating-traces.adoc b/modules/ossm-tutorial-jaeger-generating-traces.adoc
index 955870225b21..08b30ea246d8 100644
--- a/modules/ossm-tutorial-jaeger-generating-traces.adoc
+++ b/modules/ossm-tutorial-jaeger-generating-traces.adoc
@@ -12,7 +12,7 @@ Jaeger is an open source distributed tracing system. With Jaeger, you can perfor
 
 This tutorial uses {SMProductShortName} and the Bookinfo sample application to demonstrate how you can use Jaeger to perform distributed tracing.
 
-.Prerequisites:
+.Prerequisites
 
 * {product-title} 4.1 or higher installed.
 * {SMProductName} {SMProductVersion} installed.
diff --git a/modules/ossm-tutorial-prometheus-querying-metrics.adoc b/modules/ossm-tutorial-prometheus-querying-metrics.adoc
index d971d41958a1..57f0dd8c5e8f 100644
--- a/modules/ossm-tutorial-prometheus-querying-metrics.adoc
+++ b/modules/ossm-tutorial-prometheus-querying-metrics.adoc
@@ -8,7 +8,7 @@ This PROCEDURE module included in the following assemblies:
 
 This tutorial uses {SMProductShortName} and the `bookinfo` tutorial to demonstrate how you can query for metrics using Prometheus.
 
-.Prerequisites:
+.Prerequisites
 
 * {product-title} 3.11 or higher installed.
 * {SMProductName} {SMProductVersion} installed.
diff --git a/modules/otel-collector-components.adoc b/modules/otel-collector-components.adoc
deleted file mode 100644
index 2b8452d259d2..000000000000
--- a/modules/otel-collector-components.adoc
+++ /dev/null
@@ -1,1112 +0,0 @@
-// Module included in the following assemblies:
-//
-// * observability/otel/otel-configuration-of-collector.adoc
-
-:_mod-docs-content-type: REFERENCE
-[id="otel-collector-components_{context}"]
-= OpenTelemetry Collector components
-
-[id="receivers_{context}"]
-== Receivers
-
-Receivers get data into the Collector.
-
-[id="otlp-receiver_{context}"]
-=== OTLP Receiver
-
-The OTLP receiver ingests traces and metrics using the OpenTelemetry protocol (OTLP).
-
-.OpenTelemetry Collector custom resource with an enabled OTLP receiver
-[source,yaml]
-----
-  config: |
-    receivers:
-      otlp:
-        protocols:
-          grpc:
-            endpoint: 0.0.0.0:4317 # <1>
-            tls: # <2>
-              ca_file: ca.pem
-              cert_file: cert.pem
-              key_file: key.pem
-              client_ca_file: client.pem # <3>
-              reload_interval: 1h # <4>
-          http:
-            endpoint: 0.0.0.0:4318 # <5>
-            tls: # <6>
-
-    service:
-      pipelines:
-        traces:
-          receivers: [otlp]
-        metrics:
-          receivers: [otlp]
-----
-<1> The OTLP gRPC endpoint. If omitted, the default `+0.0.0.0:4317+` is used.
-<2> The server-side TLS configuration. Defines paths to TLS certificates. If omitted, TLS is disabled.
-<3> The path to the TLS certificate at which the server verifies a client certificate. This sets the value of `ClientCAs` and `ClientAuth` to `RequireAndVerifyClientCert` in the `TLSConfig`. For more information, see the link:https://godoc.org/crypto/tls#Config[`Config` of the Golang TLS package].
-<4> Specifies the time interval at which the certificate is reloaded. If the value is not set, the certificate is never reloaded. The `reload_interval` accepts a string containing valid units of time such as `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
-<5> The OTLP HTTP endpoint. The default value is `+0.0.0.0:4318+`.
-<6> The server-side TLS configuration. For more information, see the `grpc` protocol configuration section.
-
-[id="jaeger-receiver_{context}"]
-=== Jaeger Receiver
-
-The Jaeger receiver ingests traces in the Jaeger formats.
-
-.OpenTelemetry Collector custom resource with an enabled Jaeger receiver
-[source,yaml]
-----
-  config: |
-    receivers:
-      jaeger:
-        protocols:
-          grpc:
-            endpoint: 0.0.0.0:14250 # <1>
-          thrift_http:
-            endpoint: 0.0.0.0:14268 # <2>
-          thrift_compact:
-            endpoint: 0.0.0.0:6831 # <3>
-          thrift_binary:
-            endpoint: 0.0.0.0:6832 # <4>
-          tls: # <5>
-
-    service:
-      pipelines:
-        traces:
-          receivers: [jaeger]
-----
-<1> The Jaeger gRPC endpoint. If omitted, the default `+0.0.0.0:14250+` is used.
-<2> The Jaeger Thrift HTTP endpoint. If omitted, the default `+0.0.0.0:14268+` is used.
-<3> The Jaeger Thrift Compact endpoint. If omitted, the default `+0.0.0.0:6831+` is used.
-<4> The Jaeger Thrift Binary endpoint. If omitted, the default `+0.0.0.0:6832+` is used.
-<5> The  server-side TLS configuration. See the OTLP receiver configuration section for more details.
-
-[id="prometheus-receiver_{context}"]
-=== Prometheus Receiver
-
-The Prometheus receiver is currently a link:https://access.redhat.com/support/offerings/techpreview[Technology Preview] feature only.
-
-The Prometheus receiver scrapes the metrics endpoints.
-
-.OpenTelemetry Collector custom resource with an enabled Prometheus receiver
-[source,yaml]
-----
-  config: |
-    receivers:
-        prometheus:
-          config:
-            scrape_configs: # <1>
-              - job_name: 'my-app'  # <2>
-                scrape_interval: 5s # <3>
-                static_configs:
-                  - targets: ['my-app.example.svc.cluster.local:8888'] # <4>
-    service:
-      pipelines:
-        metrics:
-          receivers: [prometheus]
-----
-<1> Scrapes configurations using the Prometheus format.
-<2> The Prometheus job name.
-<3> The lnterval for scraping the metrics data. Accepts time units. The default value is `1m`.
-<4> The targets at which the metrics are exposed. This example scrapes the metrics from a `my-app` application in the `example` project.
-
-[id="zipkin-receiver_{context}"]
-=== Zipkin Receiver
-
-The Zipkin receiver ingests traces in the Zipkin v1 and v2 formats.
-
-.OpenTelemetry Collector custom resource with the enabled Zipkin receiver
-[source,yaml]
-----
-  config: |
-    receivers:
-      zipkin:
-        endpoint: 0.0.0.0:9411 # <1>
-        tls: # <2>
-
-    service:
-      pipelines:
-        traces:
-          receivers: [zipkin]
-----
-<1> The Zipkin HTTP endpoint. If omitted, the default `+0.0.0.0:9411+` is used.
-<2> The server-side TLS configuration. See the OTLP receiver configuration section for more details.
-
-[id="kafka-receiver_{context}"]
-=== Kafka Receiver
-
-The Kafka receiver is currently a link:https://access.redhat.com/support/offerings/techpreview[Technology Preview] feature only.
-
-The Kafka receiver receives traces, metrics, and logs from Kafka in the OTLP format.
-
-.OpenTelemetry Collector custom resource with the enabled Kafka receiver
-[source,yaml]
-----
-  config: |
-    receivers:
-      kafka:
-        brokers: ["localhost:9092"] # <1>
-        protocol_version: 2.0.0 # <2>
-        topic: otlp_spans # <3>
-        auth:
-          plain_text: # <4>
-            username: example
-            password: example
-          tls: # <5>
-            ca_file: ca.pem
-            cert_file: cert.pem
-            key_file: key.pem
-            insecure: false # <6>
-            server_name_override: kafka.example.corp # <7>
-    service:
-      pipelines:
-        traces:
-          receivers: [kafka]
-----
-<1> The list of Kafka brokers. The default is `+localhost:9092+`.
-<2> The Kafka protocol version. For example, `+2.0.0+`. This is a required field.
-<3> The name of the Kafka topic to read from. The default is `+otlp_spans+`.
-<4> The plaintext authentication configuration. If omitted, plaintext authentication is disabled.
-<5> The client-side TLS configuration. Defines paths to the TLS certificates. If omitted, TLS authentication is disabled.
-<6> Disables verifying the server's certificate chain and host name. The default is `+false+`.
-<7> ServerName indicates the name of the server requested by the client to support virtual hosting.
-
-[id="opencensus-receiver_{context}"]
-=== OpenCensus receiver
-
-The OpenCensus receiver provides backwards compatibility with the OpenCensus project for easier migration of instrumented codebases. It receives metrics and traces in the OpenCensus format via gRPC or HTTP and Json.
-
-.OpenTelemetry Collector custom resource with the enabled OpenCensus receiver
-[source,yaml]
-----
-  config: |
-    receivers:
-      opencensus:
-        endpoint: 0.0.0.0:9411 # <1>
-        tls: # <2>
-        cors_allowed_origins: # <3>
-          - https://*.<example>.com
-    service:
-      pipelines:
-        traces:
-          receivers: [opencensus]
-          ...
-----
-<1> The OpenCensus endpoint. If omitted, the default is `+0.0.0.0:55678+`.
-<2> The server-side TLS configuration. See the OTLP receiver configuration section for more details.
-<3> You can also use the HTTP JSON endpoint to optionally configure CORS, which is enabled by specifying a list of allowed CORS origins in this field.
-Wildcards with `+*+` are accepted under the `cors_allowed_origins`.
-To match any origin, enter only `+*+`.
-
-[id="processors_{context}"]
-== Processors
-
-Processors run through the data between it is received and exported.
-
-[id="batch-processor_{context}"]
-=== Batch processor
-
-The Batch processor batches traces and metrics to reduce the number of outgoing connections needed to transfer the telemetry information.
-
-.Example of the OpenTelemetry Collector custom resource when using the Batch processor
-[source,yaml]
-----
-  config: |
-    processor:
-      batch:
-        timeout: 5s
-        send_batch_max_size: 10000
-    service:
-      pipelines:
-        traces:
-          processors: [batch]
-        metrics:
-          processors: [batch]
-----
-
-.Parameters used by the Batch processor
-[options="header"]
-[cols="l, a, a"]
-|===
-|Parameter |Description |Default
-
-|timeout
-|Sends the batch after a specific time duration and irrespective of the batch size.
-|`200ms`
-
-|send_batch_size
-|Sends the batch of telemetry data after the specified number of spans or metrics.
-|`8192`
-
-|send_batch_max_size
-|The maximum allowable size of the batch. Must be equal or greater than the `send_batch_size`.
-|`0`
-
-|metadata_keys
-|When activated, a batcher instance is created for each unique set of values found in the `client.Metadata`.
-|`[]`
-
-|metadata_cardinality_limit
-|When the `metadata_keys` are populated, this configuration restricts the number of distinct metadata key-value combinations processed throughout the duration of the process.
-|`1000`
-|===
-
-[id="memorylimiter-processor_{context}"]
-=== Memory Limiter processor
-
-The Memory Limiter processor periodically checks the Collector's memory usage and pauses data processing when the soft memory limit is reached. This processor supports traces, metrics, and logs. The preceding component, which is typically a receiver, is expected to retry sending the same data and may apply a backpressure to the incoming data. When memory usage exceeds the hard limit, the Memory Limiter processor forces garbage collection to run.
-
-.Example of the OpenTelemetry Collector custom resource when using the Memory Limiter processor
-[source,yaml]
-----
-  config: |
-    processor:
-      memory_limiter:
-        check_interval: 1s
-        limit_mib: 4000
-        spike_limit_mib: 800
-    service:
-      pipelines:
-        traces:
-          processors: [batch]
-        metrics:
-          processors: [batch]
-----
-
-.Parameters used by the Memory Limiter processor
-[options="header"]
-[cols="l, a, a"]
-|===
-|Parameter |Description |Default
-
-|check_interval
-|Time between memory usage measurements. The optimal value is `1s`. For spiky traffic patterns, you can decrease the `check_interval` or increase the `spike_limit_mib`.
-|`0s`
-
-|limit_mib
-|The hard limit, which is the maximum amount of memory in MiB allocated on the heap. Typically, the total memory usage of the OpenTelemetry Collector is about 50 MiB greater than this value.
-|`0`
-
-|spike_limit_mib
-|Spike limit, which is the maximum expected spike of memory usage in MiB. The optimal value is approximately 20% of `limit_mib`. To calculate the soft limit, subtract the `spike_limit_mib` from the `limit_mib`.
-|20% of `limit_mib`
-
-|limit_percentage
-|Same as the `limit_mib` but expressed as a percentage of the total available memory. The `limit_mib` setting takes precedence over this setting.
-|`0`
-
-|spike_limit_percentage
-|Same as the `spike_limit_mib` but expressed as a percentage of the total available memory. Intended to be used with the `limit_percentage` setting.
-|`0`
-
-|===
-
-[id="resource-detection-processor_{context}"]
-=== Resource Detection processor
-
-The Resource Detection processor is currently a link:https://access.redhat.com/support/offerings/techpreview[Technology Preview] feature only.
-
-The Resource Detection processor identifies host resource details in alignment with OpenTelemetry's resource semantic standards. Using the detected information, it can add or replace the resource values in telemetry data. This processor supports traces, metrics, and can be used with multiple detectors such as the Docket metadata detector or the `OTEL_RESOURCE_ATTRIBUTES` environment variable detector.
-
-.{product-title} permissions required for the Resource Detection processor
-[source,yaml]
-----
-kind: ClusterRole
-metadata:
-  name: otel-collector
-rules:
-- apiGroups: ["config.openshift.io"]
-  resources: ["infrastructures", "infrastructures/status"]
-  verbs: ["get", "watch", "list"]
-----
-
-.OpenTelemetry Collector using the Resource Detection processor
-[source,yaml]
-----
-  config: |
-    processor:
-      resourcedetection:
-        detectors: [openshift]
-        override: true
-    service:
-      pipelines:
-        traces:
-          processors: [resourcedetection]
-        metrics:
-          processors: [resourcedetection]
-----
-
-.OpenTelemetry Collector using the Resource Detection Processor with an environment variable detector
-[source,yaml]
-----
-  config: |
-    processors:
-      resourcedetection/env:
-        detectors: [env] # <1>
-        timeout: 2s
-        override: false
-----
-<1> Specifies which detector to use. In this example, the environment detector is specified.
-
-[id="attributes-processor_{context}"]
-=== Attributes processor
-
-The Attributes processor is currently a link:https://access.redhat.com/support/offerings/techpreview[Technology Preview] feature only.
-
-The Attributes processor can modify attributes of a span, log, or metric. You can configure this processor to filter and match input data and include or exclude such data for specific actions.
-
-The processor operates on a list of actions, executing them in the order specified in the configuration. The following actions are supported:
-
-Insert:: Inserts a new attribute into the input data when the specified key does not already exist.
-
-Update:: Updates an attribute in the input data if the key already exists.
-
-Upsert:: Combines the insert and update actions: Inserts a new attribute if the key does not exist yet. Updates the attribute if the key already exists.
-
-Delete:: Removes an attribute from the input data.
-
-Hash:: Hashes an existing attribute value as SHA1.
-
-Extract:: Extracts values by using a regular expression rule from the input key to the target keys defined in the rule. If a target key already exists, it will be overridden similarly to the Span processor's `to_attributes` setting with the existing attribute as the source.
-
-Convert:: Converts an existing attribute to a specified type.
-
-.OpenTelemetry Collector using the Attributes processor
-[source,yaml]
-----
-  config: |
-    processors:
-      attributes/example:
-        actions:
-          - key: db.table
-            action: delete
-          - key: redacted_span
-            value: true
-            action: upsert
-          - key: copy_key
-            from_attribute: key_original
-            action: update
-          - key: account_id
-            value: 2245
-            action: insert
-          - key: account_password
-            action: delete
-          - key: account_email
-            action: hash
-          - key: http.status_code
-            action: convert
-            converted_type: int
-----
-
-[id="resource-processor_{context}"]
-=== Resource processor
-
-The Resource processor is currently a link:https://access.redhat.com/support/offerings/techpreview[Technology Preview] feature only.
-
-The Resource processor applies changes to the resource attributes. This processor supports traces, metrics, and logs.
-
-.OpenTelemetry Collector using the Resource Detection processor
-[source,yaml]
-----
-  config: |
-    processor:
-      attributes:
-      - key: cloud.availability_zone
-        value: "zone-1"
-        action: upsert
-      - key: k8s.cluster.name
-        from_attribute: k8s-cluster
-        action: insert
-      - key: redundant-attribute
-        action: delete
-----
-
-Attributes represent the actions that are applied to the resource attributes, such as delete the attribute, insert the attribute, or upsert the attribute.
-
-[id="span-processor_{context}"]
-=== Span processor
-
-The Span processor is currently a link:https://access.redhat.com/support/offerings/techpreview[Technology Preview] feature only.
-
-The Span processor modifies the span name based on its attributes or extracts the span attributes from the span name. It can also change the span status. It can also include or exclude spans. This processor supports traces.
-
-Span renaming requires specifying attributes for the new name by using the `from_attributes` configuration.
-
-.OpenTelemetry Collector using the Span processor for renaming a span
-[source,yaml]
-----
-  config: |
-    processor:
-      span:
-        name:
-          from_attributes: [<key1>, <key2>, ...] # <1>
-          separator: <value> # <2>
-----
-<1> Defines the keys to form the new span name.
-<2> An optional separator.
-
-You can use the processor to extract attributes from the span name.
-
-.OpenTelemetry Collector using the Span processor for extracting attributes from a span name
-[source,yaml]
-----
-  config: |
-    processor:
-      span/to_attributes:
-        name:
-          to_attributes:
-            rules:
-              - ^\/api\/v1\/document\/(?P<documentId>.*)\/update$ # <1>
-----
-<1> This rule defines how the extraction is to be executed. You can define more rules: for example, in this case, if the regular expression matches the name, a `documentID` attibute is created. In this example, if the input span name is `/api/v1/document/12345678/update`, this results in the `/api/v1/document/{documentId}/update` output span name, and a new `"documentId"="12345678"` attribute is added to the span.
-
-You can have the span status modified.
-
-.OpenTelemetry Collector using the Span Processor for status change
-[source,yaml]
-----
-  config: |
-    processor:
-      span/set_status:
-        status:
-          code: Error
-          description: "<error_description>"
-----
-
-[id="kubernetes-attributes-processor_{context}"]
-=== Kubernetes Attributes processor
-
-The Kubernetes Attributes processor is currently a link:https://access.redhat.com/support/offerings/techpreview[Technology Preview] feature only.
-
-The Kubernetes Attributes processor enables automatic configuration of spans, metrics, and log resource attributes by using the Kubernetes metadata.
-This processor supports traces, metrics, and logs.
-This processor automatically identifies the Kubernetes resources, extracts the metadata from them, and incorporates this extracted metadata as resource attributes into relevant spans, metrics, and logs. It utilizes the Kubernetes API to discover all pods operating within a cluster, maintaining records of their IP addresses, pod UIDs, and other relevant metadata. 
-
-.Minimum {product-title} permissions required for the Kubernetes Attributes processor
-[source,yaml]
-----
-kind: ClusterRole
-metadata:
-  name: otel-collector
-rules:
-  - apiGroups: ['']
-    resources: ['pods', 'namespaces']
-    verbs: ['get', 'watch', 'list']
-----
-
-.OpenTelemetry Collector using the Kubernetes Attributes processor
-[source,yaml]
-----
-  config: |
-    processors:
-         k8sattributes:
-             filter:
-                 node_from_env_var: KUBE_NODE_NAME
-----
-
-[id="filter-processor_{context}"]
-=== Filter processor
-
-The Filter processor is currently a link:https://access.redhat.com/support/offerings/techpreview[Technology Preview] feature only.
-
-The Filter processor leverages the OpenTelemetry Transformation Language to establish criteria for discarding telemetry data. If any of these conditions are satisfied, the telemetry data are discarded. The conditions can be combined by using the logical OR operator. This processor supports traces, metrics, and logs.
-
-.OpenTelemetry Collector custom resource with an enabled OTLP exporter
-[source,yaml]
-----
-config: |
-  processors:
-    filter/ottl:
-      error_mode: ignore # <1>
-      traces:
-        span:
-          - 'attributes["container.name"] == "app_container_1"' # <2>
-          - 'resource.attributes["host.name"] == "localhost"' # <3>
-----
-<1> Defines the error mode. When set to `ignore`, ignores errors returned by conditions. When set to `propagate`, returns the error up the pipeline. An error causes the payload to be dropped from the Collector.
-<2> Filters the spans that have the `container.name == app_container_1` attribute.
-<3> Filters the spans that have the `host.name == localhost` resource attribute.
-
-[id="routing-processor_{context}"]
-=== Routing processor
-
-The Routing processor is currently a link:https://access.redhat.com/support/offerings/techpreview[Technology Preview] feature only.
-
-The Routing processor routes logs, metrics, or traces to specific exporters. This processor can read a header from an incoming HTTP request (gRPC or plain HTTP) or can read a resource attribute, and then directs the trace information to relevant exporters according to the read value.
-
-.OpenTelemetry Collector custom resource with an enabled OTLP exporter
-[source,yaml]
-----
-config: |
-  processors:
-    routing:
-      from_attribute: X-Tenant # <1>
-      default_exporters: # <2>
-      - jaeger
-      table: # <3>
-      - value: acme
-        exporters: [jaeger/acme]
-  exporters:
-    jaeger:
-      endpoint: localhost:14250
-    jaeger/acme:
-      endpoint: localhost:24250
-----
-<1> The HTTP header name for the lookup value when performing the route.
-<2> The default exporter when the attribute value is not present in the table in the next section.
-<3> The table that defines which values are to be routed to which exporters.
-
-You can optionally create an `attribute_source` configuratiion, which defines where to look for the attribute in `from_attribute`. The allowed value is `context` to search the context, which includes the HTTP headers, or `resource` to search the resource attributes.
-
-[id="exporters_{context}"]
-== Exporters
-
-Exporters send data to one or more back ends or destinations.
-
-[id="otlp-exporter_{context}"]
-=== OTLP exporter
-
-The OTLP gRPC exporter exports traces and metrics using the OpenTelemetry protocol (OTLP).
-
-.OpenTelemetry Collector custom resource with an enabled OTLP exporter
-[source,yaml]
-----
-  config: |
-    exporters:
-      otlp:
-        endpoint: tempo-ingester:4317 # <1>
-        tls: # <2>
-          ca_file: ca.pem
-          cert_file: cert.pem
-          key_file: key.pem
-          insecure: false # <3>
-          insecure_skip_verify: false # # <4>
-          reload_interval: 1h # <5>
-          server_name_override: <name> # <6>
-        headers: # <7>
-          X-Scope-OrgID: "dev"
-    service:
-      pipelines:
-        traces:
-          exporters: [otlp]
-        metrics:
-          exporters: [otlp]
-----
-<1> The OTLP gRPC endpoint. If the `+https://+` scheme is used, then client transport security is enabled and overrides the `insecure` setting in the `tls`.
-<2> The client-side TLS configuration. Defines paths to TLS certificates.
-<3> Disables client transport security when set to `true`. The default value is `false` by default.
-<4> Skips verifying the certificate when set to `true`. The default value is `false`.
-<5> Specifies the time interval at which the certificate is reloaded. If the value is not set, the certificate is never reloaded. The `reload_interval` accepts a string containing valid units of time such as `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
-<6> Overrides the virtual host name of authority such as the authority header field in requests. You can use this for testing.
-<7> Headers are sent for every request performed during an established connection.
-
-[id="otlp-http-exporter_{context}"]
-=== OTLP HTTP exporter
-
-The OTLP HTTP exporter exports traces and metrics using the OpenTelemetry protocol (OTLP).
-
-.OpenTelemetry Collector custom resource with an enabled OTLP exporter
-[source,yaml]
-----
-  config: |
-    exporters:
-      otlphttp:
-        endpoint: http://tempo-ingester:4318 # <1>
-        tls: # <2>
-        headers: # <3>
-          X-Scope-OrgID: "dev"
-        disable_keep_alives: false <4>
-
-    service:
-      pipelines:
-        traces:
-          exporters: [otlphttp]
-        metrics:
-          exporters: [otlphttp]
-----
-<1> The OTLP HTTP endpoint. If the `+https://+` scheme is used, then client transport security is enabled and overrides the `insecure` setting in the `tls`.
-<2> The client side TLS configuration. Defines paths to TLS certificates.
-<3> Headers are sent in every HTTP request.
-<4> If true, disables HTTP keep-alives. It will only use the connection to the server for a single HTTP request.
-
-[id="debug-exporter_{context}"]
-=== Debug exporter
-
-The Debug exporter prints traces and metrics to the standard output.
-
-.OpenTelemetry Collector custom resource with an enabled Debug exporter
-[source,yaml]
-----
-  config: |
-    exporters:
-      debug:
-        verbosity: detailed # <1>
-    service:
-      pipelines:
-        traces:
-          exporters: [logging]
-        metrics:
-          exporters: [logging]
-----
-<1> Verbosity of the debug export: `detailed` or `normal` or `basic`. When set to `detailed`, pipeline data is verbosely logged. Defaults to `normal`.
-
-[id="prometheus-exporter_{context}"]
-=== Prometheus exporter
-
-The Prometheus exporter is currently a link:https://access.redhat.com/support/offerings/techpreview[Technology Preview] feature only.
-
-The Prometheus exporter exports metrics in the Prometheus or OpenMetrics formats.
-
-.OpenTelemetry Collector custom resource with an enabled Prometheus exporter
-[source,yaml]
-----
-  ports:
-  - name: promexporter # <1>
-    port: 8889
-    protocol: TCP
-  config: |
-    exporters:
-      prometheus:
-        endpoint: 0.0.0.0:8889 # <2>
-        tls: # <3>
-          ca_file: ca.pem
-          cert_file: cert.pem
-          key_file: key.pem
-        namespace: prefix # <4>
-        const_labels: # <5>
-          label1: value1
-        enable_open_metrics: true # <6>
-        resource_to_telemetry_conversion: # <7>
-          enabled: true
-        metric_expiration: 180m # <8>
-        add_metric_suffixes: false # <9>
-    service:
-      pipelines:
-        metrics:
-          exporters: [prometheus]
-----
-<1> Exposes the Prometheus port from the Collector pod and service. You can enable scraping of metrics by Prometheus by using the port name in `ServiceMonitor` or `PodMonitor` custom resource.
-<2> The network endpoint where the metrics are exposed.
-<3> The server-side TLS configuration. Defines paths to TLS certificates.
-<4> If set, exports metrics under the provided value. No default.
-<5> Key-value pair labels that are applied for every exported metric. No default.
-<6> If `true`, metrics are exported using the OpenMetrics format. Exemplars are only exported in the OpenMetrics format and only for histogram and monotonic sum metrics such as `counter`. Disabled by default.
-<7> If `enabled` is `true`, all the resource attributes are converted to metric labels by default. Disabled by default.
-<8> Defines how long metrics are exposed without updates. The default is `5m`.
-<9> Adds the metrics types and units suffixes. Must be disabled if the monitor tab in Jaeger console is enabled. The default is `true`.
-
-[id="kafka-exporter_{context}"]
-=== Kafka exporter
-
-The Kafka exporter is currently a link:https://access.redhat.com/support/offerings/techpreview[Technology Preview] feature only.
-
-The Kafka exporter exports logs, metrics, and traces to Kafka. This exporter uses a synchronous producer that blocks and does not batch messages. It must be used with batch and queued retry processors for higher throughput and resiliency.
-
-.OpenTelemetry Collector custom resource with an enabled Kafka exporter
-[source,yaml]
-----
-  config: |
-    exporters:
-      kafka:
-        brokers: ["localhost:9092"] # <1>
-        protocol_version: 2.0.0 # <2>
-        topic: otlp_spans # <3>
-        auth:
-          plain_text: # <4>
-            username: example
-            password: example
-          tls: # <5>
-            ca_file: ca.pem
-            cert_file: cert.pem
-            key_file: key.pem
-            insecure: false # <6>
-            server_name_override: kafka.example.corp # <7>
-    service:
-      pipelines:
-        traces:
-          exporters: [kafka]
-----
-<1> The list of Kafka brokers. The default is `+localhost:9092+`.
-<2> The Kafka protocol version. For example, `+2.0.0+`. This is a required field.
-<3> The name of the Kafka topic to read from. The following are the defaults: `+otlp_spans+` for traces, `+otlp_metrics+` for metrics, `+otlp_logs+` for logs.
-<4> The plaintext authentication configuration. If omitted, plaintext authentication is disabled.
-<5> The client-side TLS configuration. Defines paths to the TLS certificates. If omitted, TLS authentication is disabled.
-<6> Disables verifying the server's certificate chain and host name. The default is `+false+`.
-<7> ServerName indicates the name of the server requested by the client to support virtual hosting.
-
-[id="connectors_{context}"]
-== Connectors
-
-Connectors connect two pipelines.
-
-[id="spanmetrics-connector_{context}"]
-=== Spanmetrics connector
-
-The Spanmetrics connector is currently a link:https://access.redhat.com/support/offerings/techpreview[Technology Preview] feature only.
-
-The Spanmetrics connector aggregates Request, Error, and Duration (R.E.D) OpenTelemetry metrics from span data.
-
-.OpenTelemetry Collector custom resource with an enabled spanmetrics connector
-[source,yaml]
-----
-  config: |
-    connectors:
-      spanmetrics:
-        metrics_flush_interval: 15s # <1>
-    service:
-      pipelines:
-        traces:
-          exporters: [spanmetrics]
-        metrics:
-          receivers: [spanmetrics]
-----
-<1> Defines the flush interval of the generated metrics. Defaults to `15s`.
-
-[id="extensions_{context}"]
-== Extensions
-
-Extensions add capabilities to the Collector.
-
-[id="bearertokenauth-extension_{context}"]
-=== BearerTokenAuth extension
-
-The BearerTokenAuth extension is currently a link:https://access.redhat.com/support/offerings/techpreview[Technology Preview] feature only.
-
-The BearerTokenAuth extension is an authenticator for receivers and exporters that are based on the HTTP and the gRPC protocol.
-You can use the OpenTelemetry Collector custom resource to configure client authentication and server authentication for the BearerTokenAuth extension on the receiver and exporter side.
-This extension supports traces, metrics, and logs.
-
-.OpenTelemetry Collector custom resource with client and server authentication configured for the BearerTokenAuth extension
-[source,yaml]
-----
-  config: |
-    extensions:
-      bearertokenauth:
-        scheme: "Bearer" # <1>
-        token: "<token>" # <2>
-        filename: "<token_file>" # <3>
-
-    receivers:
-      otlp:
-        protocols:
-          http:
-            auth:
-              authenticator: bearertokenauth # <4>
-    exporters:
-      otlp:
-        auth:
-          authenticator: bearertokenauth # <5>
-
-    service:
-      extensions: [bearertokenauth]
-      pipelines:
-        traces:
-          receivers: [otlp]
-          exporters: [otlp]
-----
-<1> You can configure the BearerTokenAuth extension to send a custom `scheme`. The default is `Bearer`.
-<2> You can add the BearerTokenAuth extension token as metadata to identify a message.
-<3> Path to a file that contains an authorization token that is transmitted with every message.
-<4> You can assign the authenticator configuration to an OTLP receiver.
-<5> You can assign the authenticator configuration to an OTLP exporter.
-
-[id="oauth2client-extension_{context}"]
-=== OAuth2Client extension
-
-The OAuth2Client extension is currently a link:https://access.redhat.com/support/offerings/techpreview[Technology Preview] feature only.
-
-The OAuth2Client extension is an authenticator for exporters that are based on the HTTP and the gRPC protocol.
-Client authentication for the OAuth2Client extension is configured in a separate section in the OpenTelemetry Collector custom resource.
-This extension supports traces, metrics, and logs.
-
-.OpenTelemetry Collector custom resource with client authentication configured for the OAuth2Client extension
-[source,yaml]
-----
-  config: |
-    extensions:
-      oauth2client:
-        client_id: <client_id> # <1>
-        client_secret: <client_secret> # <2>
-        endpoint_params: # <3>
-          audience: <audience>
-        token_url: https://example.com/oauth2/default/v1/token # <4>
-        scopes: ["api.metrics"] # <5>
-        # tls settings for the token client
-        tls: # <6>
-          insecure: true # <7>
-          ca_file: /var/lib/mycert.pem # <8>
-          cert_file: <cert_file> # <9>
-          key_file: <key_file> # <10>
-        timeout: 2s # <11>
-
-    receivers:
-      otlp:
-        protocols:
-          http:
-
-    exporters:
-      otlp:
-        auth:
-          authenticator: oauth2client # <12>
-
-    service:
-      extensions: [oauth2client]
-      pipelines:
-        traces:
-          receivers: [otlp]
-          exporters: [otlp]
-----
-<1> Client identifier, which is provided by the identity provider.
-<2> Confidential key used to authenticate the client to the identity provider.
-<3> Further metadata, in the key-value pair format, which is transferred during authentication. For example, `audience` specifies the intended audience for the access token, indicating the recipient of the token.
-<4> The URL of the OAuth2 token endpoint, where the Collector requests access tokens.
-<5> The scopes define the specific permissions or access levels requested by the client.
-<6> The Transport Layer Security (TLS) settings for the token client, which is used to establish a secure connection when requesting tokens.
-<7> When set to `true`, configures the Collector to use an insecure or non-verified TLS connection to call the configured token endpoint.
-<8> The path to a Certificate Authority (CA) file that is used to verify the server's certificate during the TLS handshake.
-<9> The path to the client certificate file that the client must use to authenticate itself to the OAuth2 server if required.
-<10> The path to the client's private key file that is used with the client certificate if needed for authentication.
-<11> Sets a timeout for the token client's request.
-<12> You can assign the authenticator configuration to an OTLP exporter.
-
-
-[id="jaegerremotesampling-extension_{context}"]
-=== Jaeger Remote Sampling extension
-
-The Jaeger Remote Sampling extension is currently a link:https://access.redhat.com/support/offerings/techpreview[Technology Preview] feature only.
-
-The Jaeger Remote Sampling extension allows serving sampling strategies after Jaeger's remote sampling API. You can configure this extension to proxy requests to a backing remote sampling server such as a Jaeger collector down the pipeline or to a static JSON file from the local file system.
-
-.OpenTelemetry Collector custom resource with a configured Jaeger Remote Sampling extension
-[source,yaml]
-----
-  config: |
-    extensions:
-      jaegerremotesampling:
-        source:
-          reload_interval: 30s # <1>
-          remote:
-            endpoint: jaeger-collector:14250 # <2>
-          file: /etc/otelcol/sampling_strategies.json # <3>
-
-    receivers:
-      otlp:
-        protocols:
-          http:
-
-    exporters:
-      otlp:
-
-    service:
-      extensions: [jaegerremotesampling]
-      pipelines:
-        traces:
-          receivers: [otlp]
-          exporters: [otlp]
-----
-<1> The time interval at which the sampling configuration is updated.
-<2> The endpoint for reaching the Jaeger remote sampling strategy provider.
-<3> The path to a local file that contains a sampling strategy configuration in the JSON format.
-
-.Example of a Jaeger Remote Sampling strategy file
-[source,json]
-----
-{
-  "service_strategies": [
-    {
-      "service": "foo",
-      "type": "probabilistic",
-      "param": 0.8,
-      "operation_strategies": [
-        {
-          "operation": "op1",
-          "type": "probabilistic",
-          "param": 0.2
-        },
-        {
-          "operation": "op2",
-          "type": "probabilistic",
-          "param": 0.4
-        }
-      ]
-    },
-    {
-      "service": "bar",
-      "type": "ratelimiting",
-      "param": 5
-    }
-  ],
-  "default_strategy": {
-    "type": "probabilistic",
-    "param": 0.5,
-    "operation_strategies": [
-      {
-        "operation": "/health",
-        "type": "probabilistic",
-        "param": 0.0
-      },
-      {
-        "operation": "/metrics",
-        "type": "probabilistic",
-        "param": 0.0
-      }
-    ]
-  }
-}
-----
-
-
-[id="pprof-extension_{context}"]
-=== Performance Profiler extension
-
-The Performance Profiler extension is currently a link:https://access.redhat.com/support/offerings/techpreview[Technology Preview] feature only.
-
-The Performance Profiler extension enables the Go `net/http/pprof` endpoint. This is typically used by developers to collect performance profiles and investigate issues with the service.
-
-.OpenTelemetry Collector custom resource with the configured Performance Profiler extension
-[source,yaml]
-----
-  config: |
-    extensions:
-      pprof:
-        endpoint: localhost:1777 # <1>
-        block_profile_fraction: 0 # <2>
-        mutex_profile_fraction: 0 # <3>
-        save_to_file: test.pprof # <4>
-
-    receivers:
-      otlp:
-        protocols:
-          http:
-
-    exporters:
-      otlp:
-
-    service:
-      extensions: [pprof]
-      pipelines:
-        traces:
-          receivers: [otlp]
-          exporters: [otlp]
-----
-<1> The endpoint at which this extension listens. Use `localhost:` to make it available only locally or `":"` to make it available on all network interfaces. The default value is `localhost:1777`.
-<2> Sets a fraction of blocking events to be profiled. To disable profiling, set this to `0` or a negative integer. See the link:https://golang.org/pkg/runtime/#SetBlockProfileRate[documentation] for the `runtime` package. The default value is `0`.
-<3> Set a fraction of mutex contention events to be profiled. To disable profiling, set this to `0` or a negative integer. See the link:https://golang.org/pkg/runtime/#SetMutexProfileFraction[documentation] for the `runtime` package. The default value is `0`.
-<4> The name of the file in which the CPU profile is to be saved. Profiling starts when the Collector starts. Profiling is saved to the file when the Collector is terminated.
-
-[id="healthcheck-extension_{context}"]
-=== Health Check extension
-
-The Health Check extension is currently a link:https://access.redhat.com/support/offerings/techpreview[Technology Preview] feature only.
-
-The Health Check extension provides an HTTP URL for checking the status of the OpenTelemetry Collector. You can use this extension as a liveness and readiness probe on OpenShift.
-
-.OpenTelemetry Collector custom resource with the configured Health Check extension
-[source,yaml]
-----
-  config: |
-    extensions:
-      health_check:
-        endpoint: "0.0.0.0:13133" # <1>
-        tls: # <2>
-          ca_file: "/path/to/ca.crt"
-          cert_file: "/path/to/cert.crt"
-          key_file: "/path/to/key.key"
-        path: "/health/status" # <3>
-        check_collector_pipeline: # <4>
-          enabled: true # <5>
-          interval: "5m" # <6>
-          exporter_failure_threshold: 5 # <7>
-
-    receivers:
-      otlp:
-        protocols:
-          http:
-
-    exporters:
-      otlp:
-
-    service:
-      extensions: [health_check]
-      pipelines:
-        traces:
-          receivers: [otlp]
-          exporters: [otlp]
-----
-<1> The target IP address for publishing the health check status. The default is `0.0.0.0:13133`.
-<2> The TLS server-side configuration. Defines paths to TLS certificates. If omitted, the TLS is disabled.
-<3> The path for the health check server. The default is `/`.
-<4> Settings for the Collector pipeline health check.
-<5> Enables the Collector pipeline health check. The default is `false`.
-<6> The time interval for checking the number of failures. The default is `5m`.
-<7> The threshold of a number of failures until which a container is still marked as healthy. The default is `5`.
-
-[id="memory-ballast-extension_{context}"]
-=== Memory Ballast extension
-
-The Memory Ballast extension is currently a link:https://access.redhat.com/support/offerings/techpreview[Technology Preview] feature only.
-
-The Memory Ballast extension enables applications to configure memory ballast for the process.
-
-.OpenTelemetry Collector custom resource with the configured Memory Ballast extension
-[source,yaml]
-----
-  config: |
-    extensions:
-      memory_ballast:
-        size_mib: 64 # <1>
-        size_in_percentage: 20 # <2>
-
-    receivers:
-      otlp:
-        protocols:
-          http:
-
-    exporters:
-      otlp:
-
-    service:
-      extensions: [memory_ballast]
-      pipelines:
-        traces:
-          receivers: [otlp]
-          exporters: [otlp]
-----
-<1> Sets the memory ballast size in MiB. Takes priority over the `size_in_percentage` if both are specified.
-<2> Sets the memory ballast as a percentage, `1`-`100`, of the total memory. Supports containerized and physical host environments.
-
-
-[id="zpages-extension_{context}"]
-=== zPages extension
-
-The zPages extension is currently a link:https://access.redhat.com/support/offerings/techpreview[Technology Preview] feature only.
-
-The zPages extension provides an HTTP endpoint for extensions that serve zPages. At the endpoint, this extension serves live data for debugging instrumented components. All core exporters and receivers provide some zPages instrumentation.
-
-zPages are useful for in-process diagnostics without having to depend on a back end to examine traces or metrics.
-
-.OpenTelemetry Collector custom resource with the configured zPages extension
-[source,yaml]
-----
-  config: |
-    extensions:
-      zpages:
-        endpoint: "localhost:55679" # <1>
-
-    receivers:
-      otlp:
-        protocols:
-          http:
-    exporters:
-      otlp:
-
-    service:
-      extensions: [zpages]
-      pipelines:
-        traces:
-          receivers: [otlp]
-          exporters: [otlp]
-----
-
-<1> Specifies the HTTP endpoint that serves zPages. Use `localhost:` to make it available only locally, or `":"` to make it available on all network interfaces. The default is `localhost:55679`.
diff --git a/modules/otel-collector-config-options.adoc b/modules/otel-collector-config-options.adoc
index cef3f00c0708..77a42a900d2e 100644
--- a/modules/otel-collector-config-options.adoc
+++ b/modules/otel-collector-config-options.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * observability/otel/otel-configuration-of-collector.adoc
+// * observability/otel/otel-configuration-of-otel-collector.adoc
 
 :_mod-docs-content-type: REFERENCE
 [id="otel-collector-config-options_{context}"]
@@ -8,15 +8,11 @@
 
 The OpenTelemetry Collector consists of five types of components that access telemetry data:
 
-Receivers:: A receiver, which can be push or pull based, is how data gets into the Collector. Generally, a receiver accepts data in a specified format, translates it into the internal format, and passes it to processors and exporters defined in the applicable pipelines. By default, no receivers are configured. One or more receivers must be configured. Receivers may support one or more data sources.
-
-Processors:: Optional. Processors process the data between it is received and exported. By default, no processors are enabled. Processors must be enabled for every data source. Not all processors support all data sources. Depending on the data source, multiple processors might be enabled. Note that the order of processors matters.
-
-Exporters:: An exporter, which can be push or pull based, is how you send data to one or more back ends or destinations. By default, no exporters are configured. One or more exporters must be configured. Exporters can support one or more data sources. Exporters might be used with their default settings, but many exporters require configuration to specify at least the destination and security settings.
-
-Connectors:: A connector connects two pipelines. It consumes data as an exporter at the end of one pipeline and emits data as a receiver at the start of another pipeline. It can consume and emit data of the same or different data type. It can generate and emit data to summarize the consumed data, or it can merely replicate or route data.
-
-Extensions:: An extension adds capabilities to the Collector. For example, authentication can be added to the receivers and exporters automatically.
+* Receivers
+* Processors
+* Exporters
+* Connectors
+* Extensions
 
 You can define multiple instances of components in a custom resource YAML file. When configured, these components must be enabled through pipelines defined in the `spec.config.service` section of the YAML file. As a best practice, only enable the components that you need.
 
@@ -37,9 +33,9 @@ spec:
     receivers:
       otlp:
         protocols:
-          grpc:
-          http:
-    processors:
+          grpc: {}
+          http: {}
+    processors: {}
     exporters:
       otlp:
         endpoint: jaeger-production-collector-headless.tracing-system.svc:4317
diff --git a/modules/otel-config-instrumentation.adoc b/modules/otel-config-instrumentation.adoc
index 00b9758bcd78..fc62a6f7a22f 100644
--- a/modules/otel-config-instrumentation.adoc
+++ b/modules/otel-config-instrumentation.adoc
@@ -48,51 +48,51 @@ spec:
 
 .Parameters used by the Operator to define the Instrumentation
 [options="header"]
-[cols="l, a, a"]
+[cols="a, a, a"]
 |===
 |Parameter |Description |Values
 
-|env
+|`env`
 |Common environment variables to define across all the instrumentations.
 |
 
-|exporter
+|`exporter`
 |Exporter configuration.
 |
 
-|propagators
+|`propagators`
 |Propagators defines inter-process context propagation configuration.
 |`tracecontext`, `baggage`, `b3`, `b3multi`, `jaeger`, `ottrace`, `none`
 
-|resource
+|`resource`
 |Resource attributes configuration.
 |
 
-|sampler
+|`sampler`
 |Sampling configuration.
 |
 
-|apacheHttpd
+|`apacheHttpd`
 |Configuration for the Apache HTTP Server instrumentation.
 |
 
-|dotnet
+|`dotnet`
 |Configuration for the .NET instrumentation.
 |
 
-|go
+|`go`
 |Configuration for the Go instrumentation.
 |
 
-|java
+|`java`
 |Configuration for the Java instrumentation.
 |
 
-|nodejs
+|`nodejs`
 |Configuration for the Node.js instrumentation.
 |
 
-|python
+|`python`
 |Configuration for the Python instrumentation.
 |
 
@@ -108,31 +108,31 @@ When using the instrumentation custom resource (CR) with {SMProductName}, you mu
 
 .Parameters for the `+.spec.apacheHttpd+` field
 [options="header"]
-[cols="l, a, a"]
+[cols="a, a, a"]
 |===
 |Name |Description |Default
 
-|attrs
+|`attrs`
 |Attributes specific to the Apache HTTP Server.
 |
 
-|configPath
+|`configPath`
 |Location of the Apache HTTP Server configuration.
 |/usr/local/apache2/conf
 
-|env
+|`env`
 |Environment variables specific to the Apache HTTP Server.
 |
 
-|image
+|`image`
 |Container image with the Apache SDK and auto-instrumentation.
 |
 
-|resourceRequirements
+|`resourceRequirements`
 |The compute resource requirements.
 |
 
-|version
+|`version`
 |Apache HTTP Server version.
 |2.4
 
@@ -148,17 +148,17 @@ instrumentation.opentelemetry.io/inject-apache-httpd: "true"
 === Configuration of the .NET auto-instrumentation
 
 [options="header"]
-[cols="l, a"]
+[cols="a, a"]
 |===
 |Name |Description
 
-|env
+|`env`
 |Environment variables specific to .NET.
 
-|image
+|`image`
 |Container image with the .NET SDK and auto-instrumentation.
 
-|resourceRequirements
+|`resourceRequirements`
 |The compute resource requirements.
 
 |===
@@ -175,17 +175,17 @@ instrumentation.opentelemetry.io/inject-dotnet: "true"
 === Configuration of the Go auto-instrumentation
 
 [options="header"]
-[cols="l, a"]
+[cols="a, a"]
 |===
 |Name |Description
 
-|env
+|`env`
 |Environment variables specific to Go.
 
-|image
+|`image`
 |Container image with the Go SDK and auto-instrumentation.
 
-|resourceRequirements
+|`resourceRequirements`
 |The compute resource requirements.
 
 |===
@@ -233,17 +233,17 @@ $ oc adm policy add-scc-to-user otel-go-instrumentation-scc -z <service_account>
 === Configuration of the Java auto-instrumentation
 
 [options="header"]
-[cols="l, a"]
+[cols="a, a"]
 |===
 |Name |Description
 
-|env
+|`env`
 |Environment variables specific to Java.
 
-|image
+|`image`
 |Container image with the Java SDK and auto-instrumentation.
 
-|resourceRequirements
+|`resourceRequirements`
 |The compute resource requirements.
 
 |===
@@ -258,17 +258,17 @@ instrumentation.opentelemetry.io/inject-java: "true"
 === Configuration of the Node.js auto-instrumentation
 
 [options="header"]
-[cols="l, a"]
+[cols="a, a"]
 |===
 |Name |Description
 
-|env
+|`env`
 |Environment variables specific to Node.js.
 
-|image
+|`image`
 |Container image with the Node.js SDK and auto-instrumentation.
 
-|resourceRequirements
+|`resourceRequirements`
 |The compute resource requirements.
 
 |===
@@ -286,17 +286,17 @@ The `+instrumentation.opentelemetry.io/otel-go-auto-target-exe+` annotation sets
 === Configuration of the Python auto-instrumentation
 
 [options="header"]
-[cols="l, a"]
+[cols="a, a"]
 |===
 |Name |Description
 
-|env
+|`env`
 |Environment variables specific to Python.
 
-|image
+|`image`
 |Container image with the Python SDK and auto-instrumentation.
 
-|resourceRequirements
+|`resourceRequirements`
 |The compute resource requirements.
 
 |===
diff --git a/modules/otel-config-receive-metrics-monitoring-stack.adoc b/modules/otel-config-receive-metrics-monitoring-stack.adoc
new file mode 100644
index 000000000000..077a1bf7568f
--- /dev/null
+++ b/modules/otel-config-receive-metrics-monitoring-stack.adoc
@@ -0,0 +1,83 @@
+// Module included in the following assemblies:
+//
+// * observability/otel/otel-configuring-metrics-for-monitoring-stack.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="configuration-for-receiving-metrics-from-the-monitoring-stack_{context}"]
+= Configuration for receiving metrics from the monitoring stack
+
+A configured OpenTelemetry Collector custom resource (CR) can set up the Prometheus receiver to scrape metrics from the in-cluster monitoring stack.
+
+.Example of the OpenTelemetry Collector CR for scraping metrics from the in-cluster monitoring stack
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: otel-collector
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-monitoring-view # <1>
+subjects:
+  - kind: ServiceAccount
+    name: otel-collector
+    namespace: observability
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: cabundle
+  namespce: observability
+  annotations:
+    service.beta.openshift.io/inject-cabundle: "true" # <2>
+---
+apiVersion: opentelemetry.io/v1alpha1
+kind: OpenTelemetryCollector
+metadata:
+  name: otel
+  namespace: observability
+spec:
+  volumeMounts:
+    - name: cabundle-volume
+      mountPath: /etc/pki/ca-trust/source/service-ca
+      readOnly: true
+  volumes:
+    - name: cabundle-volume
+      configMap:
+        name: cabundle
+  mode: deployment
+  config: |
+    receivers:
+      prometheus: # <3>
+        config:
+          scrape_configs:
+            - job_name: 'federate'
+              scrape_interval: 15s
+              scheme: https
+              tls_config:
+                ca_file: /etc/pki/ca-trust/source/service-ca/service-ca.crt
+              bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+              honor_labels: false
+              params:
+                'match[]':
+                  - '{__name__="<metric_name>"}' # <4>
+              metrics_path: '/federate'
+              static_configs:
+                - targets:
+                  - "prometheus-k8s.openshift-monitoring.svc.cluster.local:9091"
+    exporters:
+      debug: # <5>
+        verbosity: detailed
+    service:
+      pipelines:
+        metrics:
+          receivers: [prometheus]
+          processors: []
+          exporters: [debug]
+----
+<1> Assigns the `cluster-monitoring-view` cluster role to the service account of the OpenTelemetry Collector so that it can access the metrics data.
+<2> Injects the OpenShift service CA for configuring the TLS in the Prometheus receiver.
+<3> Configures the Prometheus receiver to scrape the federate endpoint from the in-cluster monitoring stack.
+<4> Uses the Prometheus query language to select the metrics to be scraped. See the in-cluster monitoring documentation for more details and limitations of the federate endpoint.
+<5> Configures the debug exporter to print the metrics to the standard output.
diff --git a/observability/otel/otel-config-send-metrics-monitoring-stack.adoc b/modules/otel-config-send-metrics-monitoring-stack.adoc
similarity index 57%
rename from observability/otel/otel-config-send-metrics-monitoring-stack.adoc
rename to modules/otel-config-send-metrics-monitoring-stack.adoc
index 34adbd5ed799..4c0bc1c80efc 100644
--- a/observability/otel/otel-config-send-metrics-monitoring-stack.adoc
+++ b/modules/otel-config-send-metrics-monitoring-stack.adoc
@@ -1,14 +1,23 @@
-:_mod-docs-content-type: ASSEMBLY
-[id="otel-configuration-for-sending-metrics-to-the-monitoring-stack"]
+// Module included in the following assemblies:
+//
+// * observability/otel/otel-configuring-metrics-for-monitoring-stack.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="configuration-for-sending-metrics-to-the-monitoring-stack_{context}"]
 = Configuration for sending metrics to the monitoring stack
-include::_attributes/common-attributes.adoc[]
-:context: otel-configuration-for-sending-metrics-to-the-monitoring-stack
 
-The OpenTelemetry Collector custom resource (CR) can be configured to create a Prometheus `ServiceMonitor` CR for scraping the Collector's pipeline metrics and the enabled Prometheus exporters.
+One of two following custom resources (CR) configures the sending of metrics to the monitoring stack:
+
+* OpenTelemetry Collector CR
+* Prometheus `PodMonitor` CR
+
+A configured OpenTelemetry Collector CR can create a Prometheus `ServiceMonitor` CR for scraping the Collector's pipeline metrics and the enabled Prometheus exporters.
 
-.Example of the OpenTelemetry Collector custom resource with the Prometheus exporter
+.Example of the OpenTelemetry Collector CR with the Prometheus exporter
 [source,yaml]
 ----
+apiVersion: opentelemetry.io/v1alpha1
+kind: OpenTelemetryCollector
 spec:
   mode: deployment
   observability:
@@ -31,9 +40,9 @@ spec:
 ----
 <1> Configures the Operator to create the Prometheus `ServiceMonitor` CR to scrape the Collector's internal metrics endpoint and Prometheus exporter metric endpoints. The metrics will be stored in the OpenShift monitoring stack.
 
-Alternatively, a manually created Prometheus `PodMonitor` can provide fine control, for example removing duplicated labels added during Prometheus scraping.
+Alternatively, a manually created Prometheus `PodMonitor` CR can provide fine control, for example removing duplicated labels added during Prometheus scraping.
 
-.Example of the `PodMonitor` custom resource that configures the monitoring stack to scrape the Collector metrics
+.Example of the `PodMonitor` CR that configures the monitoring stack to scrape the Collector metrics
 [source,yaml]
 ----
 apiVersion: monitoring.coreos.com/v1
@@ -43,7 +52,7 @@ metadata:
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: `<cr_name>-collector` # <1>
+      app.kubernetes.io/name: <cr_name>-collector # <1>
   podMetricsEndpoints:
   - port: metrics # <2>
   - port: promexporter # <3>
@@ -60,6 +69,6 @@ spec:
     - action: labeldrop
       regex: job
 ----
-<1> The name of the OpenTelemetry Collector custom resource.
+<1> The name of the OpenTelemetry Collector CR.
 <2> The name of the internal metrics port for the OpenTelemetry Collector. This port name is always `metrics`.
 <3> The name of the Prometheus exporter port for the OpenTelemetry Collector.
diff --git a/modules/otel-creating-required-RBAC-resources-automatically.adoc b/modules/otel-creating-required-RBAC-resources-automatically.adoc
new file mode 100644
index 000000000000..9e575d2593f0
--- /dev/null
+++ b/modules/otel-creating-required-RBAC-resources-automatically.adoc
@@ -0,0 +1,48 @@
+// Module included in the following assemblies:
+//
+// * observability/otel/otel-configuration-of-otel-collector.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="otel-creating-required-RBAC-resources-automatically_{context}"]
+= Creating the required RBAC resources automatically
+
+Some Collector components require configuring the RBAC resources.
+
+.Procedure
+
+* Add the following permissions to the `opentelemetry-operator-controller-manage` service account so that the {OTELOperator} can create them automatically:
++
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: generate-processors-rbac
+rules:
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - clusterrolebindings
+  - clusterroles
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: generate-processors-rbac
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: generate-processors-rbac
+subjects:
+- kind: ServiceAccount
+  name: opentelemetry-operator-controller-manager
+  namespace: openshift-opentelemetry-operator
+----
diff --git a/modules/otel-install-cli.adoc b/modules/otel-install-cli.adoc
index b45bda5046b4..ee7d18327ddc 100644
--- a/modules/otel-install-cli.adoc
+++ b/modules/otel-install-cli.adoc
@@ -131,19 +131,19 @@ spec:
           http:
       jaeger:
         protocols:
-          grpc:
-          thrift_binary:
-          thrift_compact:
-          thrift_http:
+          grpc: {}
+          thrift_binary: {}
+          thrift_compact: {}
+          thrift_http: {}
       zipkin:
     processors:
-      batch:
+      batch: {}
       memory_limiter:
         check_interval: 1s
         limit_percentage: 50
         spike_limit_percentage: 30
     exporters:
-      debug:
+      debug: {}
     service:
       pipelines:
         traces:
diff --git a/modules/otel-install-web-console.adoc b/modules/otel-install-web-console.adoc
index 584fdbdb8a82..9732dd1d075e 100644
--- a/modules/otel-install-web-console.adoc
+++ b/modules/otel-install-web-console.adoc
@@ -61,19 +61,19 @@ spec:
           http:
       jaeger:
         protocols:
-          grpc:
-          thrift_binary:
-          thrift_compact:
-          thrift_http:
-      zipkin:
+          grpc: {}
+          thrift_binary: {}
+          thrift_compact: {}
+          thrift_http: {}
+      zipkin: {}
     processors:
-      batch:
+      batch: {}
       memory_limiter:
         check_interval: 1s
         limit_percentage: 50
         spike_limit_percentage: 30
     exporters:
-      debug:
+      debug: {}
     service:
       pipelines:
         traces:
diff --git a/modules/otel-migrating-from-jaeger-with-sidecars.adoc b/modules/otel-migrating-from-jaeger-with-sidecars.adoc
index 4910bba09661..e43afd16a584 100644
--- a/modules/otel-migrating-from-jaeger-with-sidecars.adoc
+++ b/modules/otel-migrating-from-jaeger-with-sidecars.adoc
@@ -30,12 +30,12 @@ spec:
     receivers:
       jaeger:
         protocols:
-          grpc:
-          thrift_binary:
-          thrift_compact:
-          thrift_http:
+          grpc: {}
+          thrift_binary: {}
+          thrift_compact: {}
+          thrift_http: {}
     processors:
-      batch:
+      batch: {}
       memory_limiter:
         check_interval: 1s
         limit_percentage: 50
diff --git a/modules/otel-migrating-from-jaeger-without-sidecars.adoc b/modules/otel-migrating-from-jaeger-without-sidecars.adoc
index 5cc7841e20f2..32816326d993 100644
--- a/modules/otel-migrating-from-jaeger-without-sidecars.adoc
+++ b/modules/otel-migrating-from-jaeger-without-sidecars.adoc
@@ -95,12 +95,12 @@ spec:
     receivers:
       jaeger:
         protocols:
-          grpc:
-          thrift_binary:
-          thrift_compact:
-          thrift_http:
+          grpc: {}
+          thrift_binary: {}
+          thrift_compact: {}
+          thrift_http: {}
     processors:
-      batch:
+      batch: {}
       k8sattributes:
       memory_limiter:
         check_interval: 1s
diff --git a/modules/otel-product-overview.adoc b/modules/otel-product-overview.adoc
index 2cc205f961f5..3ce0647da31f 100644
--- a/modules/otel-product-overview.adoc
+++ b/modules/otel-product-overview.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * observability/otel/otel_rn/otel-rn-3-1.adoc
+// * observability/otel/otel_rn/otel-rn-3-2.adoc
 // * observability/otel/otel_rn/otel-rn-past-releases.adoc
 
 :_mod-docs-content-type: CONCEPT
diff --git a/modules/otel-send-traces-and-metrics-to-otel-collector-with-sidecar.adoc b/modules/otel-send-traces-and-metrics-to-otel-collector-with-sidecar.adoc
index 8d54e7037c91..c8a7e630af2b 100644
--- a/modules/otel-send-traces-and-metrics-to-otel-collector-with-sidecar.adoc
+++ b/modules/otel-send-traces-and-metrics-to-otel-collector-with-sidecar.adoc
@@ -89,10 +89,10 @@ spec:
     receivers:
       otlp:
         protocols:
-          grpc:
-          http:
+          grpc: {}
+          http: {}
     processors:
-      batch:
+      batch: {}
       memory_limiter:
         check_interval: 1s
         limit_percentage: 50
diff --git a/modules/otel-send-traces-and-metrics-to-otel-collector-without-sidecar.adoc b/modules/otel-send-traces-and-metrics-to-otel-collector-without-sidecar.adoc
index 8dd9cd25e0fc..9a34d10c3dee 100644
--- a/modules/otel-send-traces-and-metrics-to-otel-collector-without-sidecar.adoc
+++ b/modules/otel-send-traces-and-metrics-to-otel-collector-without-sidecar.adoc
@@ -86,19 +86,19 @@ spec:
     receivers:
       jaeger:
         protocols:
-          grpc:
-          thrift_binary:
-          thrift_compact:
-          thrift_http:
+          grpc: {}
+          thrift_binary: {}
+          thrift_compact: {}
+          thrift_http: {}
       opencensus:
       otlp:
         protocols:
-          grpc:
-          http:
-      zipkin:
+          grpc: {}
+          http: {}
+      zipkin: {}
     processors:
-      batch:
-      k8sattributes:
+      batch: {}
+      k8sattributes: {}
       memory_limiter:
         check_interval: 1s
         limit_percentage: 50
@@ -122,34 +122,34 @@ spec:
 . Set the environment variables in the container with your instrumented application.
 +
 [options="header"]
-[cols="l, a, a"]
+[cols="a, a, a"]
 |===
 |Name |Description |Default value
-|OTEL_SERVICE_NAME
+|`OTEL_SERVICE_NAME`
 |Sets the value of the `service.name` resource attribute.
 |`""`
 
-|OTEL_EXPORTER_OTLP_ENDPOINT
+|`OTEL_EXPORTER_OTLP_ENDPOINT`
 |Base endpoint URL for any signal type with an optionally specified port number.
 |`\https://localhost:4317`
 
-|OTEL_EXPORTER_OTLP_CERTIFICATE
+|`OTEL_EXPORTER_OTLP_CERTIFICATE`
 |Path to the certificate file for the TLS credentials of the gRPC client.
 |`\https://localhost:4317`
 
-|OTEL_TRACES_SAMPLER
+|`OTEL_TRACES_SAMPLER`
 |Sampler to be used for traces.
 |`parentbased_always_on`
 
-|OTEL_EXPORTER_OTLP_PROTOCOL
+|`OTEL_EXPORTER_OTLP_PROTOCOL`
 |Transport protocol for the OTLP exporter.
 |`grpc`
 
-|OTEL_EXPORTER_OTLP_TIMEOUT
+|`OTEL_EXPORTER_OTLP_TIMEOUT`
 |Maximum time interval for the OTLP exporter to wait for each batch export.
 |`10s`
 
-|OTEL_EXPORTER_OTLP_INSECURE
+|`OTEL_EXPORTER_OTLP_INSECURE`
 |Disables client transport security for gRPC requests. An HTTPS schema overrides it.
 |`False`
 |===
diff --git a/modules/persistent-storage-csi-drivers-supported.adoc b/modules/persistent-storage-csi-drivers-supported.adoc
index 41f0d9246304..987241088117 100644
--- a/modules/persistent-storage-csi-drivers-supported.adoc
+++ b/modules/persistent-storage-csi-drivers-supported.adoc
@@ -24,35 +24,46 @@ supported by {product-title}
 endif::openshift-rosa[]
 and which CSI features they support, such as volume snapshots and resize.
 
+ifndef::openshift-rosa[]
+[IMPORTANT]
+====
+If your CSI driver is not listed in the following table, you must follow the installation instructions provided by your CSI storage vendor to use their supported CSI features.
+====
+endif::openshift-rosa[]
+ifdef::openshift-rosa,openshift-aro[]
+In addition to the drivers listed in the following table, ROSA functions with CSI drivers from third-party storage vendors. Red Hat does not oversee third-party provisioners or the connected CSI drivers and the vendors fully control source code, deployment, operation, and Kubernetes compatibility. These volume provisioners are considered customer-managed and the respective vendors are responsible for providing support. See the link:https://docs.openshift.com/rosa/rosa_architecture/rosa_policy_service_definition/rosa-policy-responsibility-matrix.html#rosa-policy-responsibilities_rosa-policy-responsibility-matrix[Shared responsibilities for {product-title}] matrix for more information. 
+endif::openshift-rosa,openshift-aro[]
+
 .Supported CSI drivers and features in {product-title}
 [cols=",^v,^v,^v,^v,^v width="100%",options="header"]
 |===
 |CSI driver |CSI volume snapshots  |CSI cloning  |CSI resize |Inline ephemeral volumes
-|AWS EBS | ✅ | - | ✅| -
-|AWS EFS | - | - | -| -
+|AWS EBS | ✅ |  | ✅| 
+|AWS EFS |  |  |  | 
 ifndef::openshift-rosa[]
-|Google Compute Platform (GCP) persistent disk (PD)|  ✅|  ✅ | ✅| -
-|GCP Filestore | ✅ | - | ✅| -
+|Google Compute Platform (GCP) persistent disk (PD)|  ✅|  ✅ | ✅|  
+|GCP Filestore | ✅ |   | ✅|  
 endif::openshift-rosa[]
 ifndef::openshift-dedicated,openshift-rosa[]
-|{ibm-power-server-name} Block | - | - | ✅ | -
-|{ibm-cloud-name} Block | ✅^[3]^ | - | ✅^[3]^| -
+|{ibm-power-server-name} Block |   |   | ✅ |  
+|{ibm-cloud-name} Block | ✅^[3]^ |   | ✅^[3]^|  
 endif::openshift-dedicated,openshift-rosa[]
-|LVM Storage | ✅ | ✅ | ✅ | -
+|LVM Storage | ✅ | ✅ | ✅ |  
 ifndef::openshift-dedicated,openshift-rosa[]
-|Microsoft Azure Disk | ✅ | ✅ | ✅| -
-|Microsoft Azure Stack Hub | ✅ | ✅ | ✅| -
-|Microsoft Azure File | - | - | ✅| ✅
-|OpenStack Cinder | ✅ | ✅ | ✅| -
-|OpenShift Data Foundation | ✅ | ✅ | ✅| -
-|OpenStack Manila | ✅ | - | -| -
-|Shared Resource | - | - | - | ✅
-|VMware vSphere | ✅^[1]^ | - | ✅^[2]^| -
+|Microsoft Azure Disk | ✅ | ✅ | ✅|  
+|Microsoft Azure Stack Hub | ✅ | ✅ | ✅|  
+|Microsoft Azure File |   |   | ✅| ✅
+|OpenStack Cinder | ✅ | ✅ | ✅|  
+|OpenShift Data Foundation | ✅ | ✅ | ✅|  
+|OpenStack Manila | ✅ |   |  |  
+|Shared Resource |   |   |   | ✅
+|CIFS/SMB |   | ✅  |   |   
+|VMware vSphere | ✅^[1]^ |   | ✅^[2]^|  
 endif::openshift-dedicated,openshift-rosa[]
 |===
 ifndef::openshift-dedicated,openshift-rosa[]
 --
-1.
+1. 
 
 * Requires vSphere version 7.0 Update 3 or later for both vCenter Server and ESXi.
 
@@ -67,14 +78,14 @@ ifndef::openshift-dedicated,openshift-rosa[]
 3.
 
 * Does not support offline snapshots or resize. Volume must be attached to a running pod.
+
+4.
+
+* Azure File cloning does not supports NFS protocol. It supports the `azurefile-csi` storage class, which uses SMB protocol.
+
+* Azure File cloning is a Technology Preview feature:
+
+:FeatureName: Azure File CSI cloning
+include::snippets/technology-preview.adoc[leveloffset=+1]
 --
-endif::openshift-dedicated,openshift-rosa[]
-ifndef::openshift-rosa[]
-[IMPORTANT]
-====
-If your CSI driver is not listed in the preceding table, you must follow the installation instructions provided by your CSI storage vendor to use their supported CSI features.
-====
-endif::openshift-rosa[]
-ifdef::openshift-rosa[]
-In addition to the drivers listed in the preceding table, ROSA functions with CSI drivers from third-party storage vendors. Red Hat does not oversee third-party provisioners or the connected CSI drivers and the vendors fully control source code, deployment, operation, and Kubernetes compatibility. These volume provisioners are considered customer-managed and the respective vendors are responsible for providing support. See the link:https://docs.openshift.com/rosa/rosa_architecture/rosa_policy_service_definition/rosa-policy-responsibility-matrix.html#rosa-policy-responsibilities_rosa-policy-responsibility-matrix[Shared responsibilities for {product-title}] matrix for more information. 
-endif::openshift-rosa[]
\ No newline at end of file
+endif::openshift-dedicated,openshift-rosa[]
\ No newline at end of file
diff --git a/modules/persistent-storage-csi-olm-operator-install.adoc b/modules/persistent-storage-csi-olm-operator-install.adoc
index 321eb9a9e044..6f0d86515301 100644
--- a/modules/persistent-storage-csi-olm-operator-install.adoc
+++ b/modules/persistent-storage-csi-olm-operator-install.adoc
@@ -2,12 +2,29 @@
 //
 // * storage/container_storage_interface/persistent-storage-csi-aws-efs.adoc
 // * storage/container_storage_interface/osd-persistent-storage-csi-aws-efs.adoc
+// * storage/persistent_storage/rosa-persistent-storage-aws-efs-csi.adoc
+// * storage/container_storage_interface/persistent-storage-csi-smb-cifs.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="persistent-storage-csi-olm-operator-install_{context}"]
 = Installing the {FeatureName} CSI Driver Operator
 
-The link:https://github.com/openshift/aws-efs-csi-driver-operator[AWS EFS CSI Driver Operator] (a Red Hat operator) is not installed in {product-title} by default. Use the following procedure to install and configure the {FeatureName} CSI Driver Operator in your cluster.
+The {FeatureName} CSI Driver Operator (a Red{nbsp}Hat Operator) is not installed in {product-title} by default. Use the following procedure to install and configure the {FeatureName} CSI Driver Operator in your cluster.
+
+// The following ifeval and restricted ifdef statements exclude STS and a note about avoiding 
+// installing community operator content for CSI drivers other than EWS
+
+ifeval::["{context}" == "persistent-storage-csi-aws-efs"]
+:restricted:
+endif::[]
+
+ifeval::["{context}" == "osd-persistent-storage-aws-efs-csi"]
+:restricted:
+endif::[]
+
+ifeval::["{context}" == "rosa-persistent-storage-aws-efs-csi"]
+:restricted:
+endif::[]
 
 .Prerequisites
 * Access to the {product-title} web console.
@@ -24,19 +41,24 @@ To install the {FeatureName} CSI Driver Operator from the web console:
 .. Locate the {FeatureName} CSI Operator by typing *{FeatureName} CSI* in the filter box.
 
 .. Click the *{FeatureName} CSI Driver Operator* button.
+
+ifdef::restricted[]
 +
 [IMPORTANT]
 ====
 Be sure to select the *{FeatureName} CSI Driver Operator* and not the *{FeatureName} Operator*. The *{FeatureName} Operator* is a community Operator and is not supported by Red Hat.
 ====
+endif::restricted[]
 
 .. On the *{FeatureName} CSI Driver Operator* page, click *Install*.
 
 .. On the *Install Operator* page, ensure that:
 +
+ifdef::restricted[]
 ifdef::openshift-rosa,openshift-enterprise[]
 * If you are using {FeatureName} with AWS Secure Token Service (STS), in the *role ARN* field, enter the ARN role copied from the last step of the _Obtaining a role Amazon Resource Name for Security Token Service_ procedure.
 endif::[]
+endif::restricted[]
 * *All namespaces on the cluster (default)* is selected.
 * *Installed Namespace* is set to *openshift-cluster-csi-drivers*.
 
@@ -44,4 +66,17 @@ endif::[]
 +
 After the installation finishes, the {FeatureName} CSI Operator is listed in the *Installed Operators* section of the web console.
 
-.Next steps
+// The following ifeval statements exclude STS and a note about avoiding 
+// installing community operator content for CSI drivers other than EWS
+
+ifeval::["{context}" == "persistent-storage-csi-aws-efs"]
+:!restricted:
+endif::[]
+
+ifeval::["{context}" == "osd-persistent-storage-aws-efs-csi"]
+:!restricted:
+endif::[]
+
+ifeval::["{context}" == "rosa-persistent-storage-aws-efs-csi"]
+:!restricted:
+endif::[]
diff --git a/modules/persistent-storage-csi-smb-cifs-limits.adoc b/modules/persistent-storage-csi-smb-cifs-limits.adoc
new file mode 100644
index 000000000000..d07cfa78375c
--- /dev/null
+++ b/modules/persistent-storage-csi-smb-cifs-limits.adoc
@@ -0,0 +1,17 @@
+// Module included in the following assemblies:
+//
+// * storage/container_storage_interface/persistent-storage-csi-smb-cifs.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="persistent-storage-csi-smb-cifs-limits_{context}"]
+= Limitations
+
+The following limitations apply to the Common Internet File System (CIFS)/Server Message Block (SMB) Container Storage Interface (CSI) Driver Operator:
+
+* FIPS mode is not supported: 
++
+When Federal Information Processing Standards (FIPS) mode is enabled, the use of md4 and md5 are disabled, which prevents users from using ntlm, ntlmv2, or ntlmssp authentication. Also, signing cannot be used because it uses md5. Any CIFS mount that uses these methods fails when FIPS mode is enabled.
+
+* Using HTTP proxy configuration to connect to outside of the cluster SMB servers is not supported by the CSI driver.
++
+Since CIFS/SMB is a LAN protocol, and though it can be routed to subnets, it is not designed to be extended over the WAN, and does not support HTTP proxy settings. 
\ No newline at end of file
diff --git a/modules/persistent-storage-csi-smb-cifs-operator-install-driver.adoc b/modules/persistent-storage-csi-smb-cifs-operator-install-driver.adoc
new file mode 100644
index 000000000000..6d7f0651b27f
--- /dev/null
+++ b/modules/persistent-storage-csi-smb-cifs-operator-install-driver.adoc
@@ -0,0 +1,40 @@
+// Module included in the following assemblies:
+//
+// * storage/container_storage_interface/persistent-storage-csi-smb-cifs.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="persistent-storage-csi-smb-cifs-driver-install_{context}"]
+= Installing the {FeatureName} CSI Driver
+
+After installing the {FeatureName} Container Storage Interface (CSI) Driver Operator, install the {FeatureName} CSI driver.
+
+.Prerequisites
+* Access to the {product-title} web console.
+* {FeatureName} CSI Driver Operator installed.
+
+.Procedure
+
+. Click *Administration* -> *CustomResourceDefinitions* -> *ClusterCSIDriver*.
+
+. On the *Instances* tab, click *Create ClusterCSIDriver*.
+
+. Use the following YAML file:
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1
+kind: ClusterCSIDriver
+metadata:
+    name: smb.csi.k8s.io
+spec:
+  managementState: Managed
+----
+
+. Click *Create*.
+
+. Wait for the following Conditions to change to a "True" status:
++
+
+* `SambaDriverControllerServiceControllerAvailable`
+
+* `SambaDriverNodeServiceControllerAvailable`
diff --git a/modules/persistent-storage-csi-smb-cifs-provision-dynamic.adoc b/modules/persistent-storage-csi-smb-cifs-provision-dynamic.adoc
new file mode 100644
index 000000000000..8e5c1dcb082a
--- /dev/null
+++ b/modules/persistent-storage-csi-smb-cifs-provision-dynamic.adoc
@@ -0,0 +1,130 @@
+// Module included in the following assemblies:
+//
+// * storage/container_storage_interface/persistent-storage-csi-smb-cifs.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="persistent-storage-csi-smb-cifs-provision-dynamic_{context}"]
+= Dynamic provisioning
+
+You can create a storage class for dynamic provisioning of Common Internet File System (CIFS) dialect/Server Message Block (SMB) protocol volumes. Provisioning volumes creates a subdirectory with the persistent volume (PV) name under `source` defined in the storage class.
+
+.Prerequisites
+* {FeatureName} CSI Driver Operator and driver installed.
+* You are logged in to the running {product-title} cluster.
+* You have installed the SMB server and know the following information about the server:
+** Hostname
+** Share name
+** Username and password
+
+.Procedure
+
+To set up dynamic provisioning:
+
+. Create a Secret for access to the Samba server using the following command with the following example YAML file:
++
+[source,terminal]
+--
+$ oc create -f <file_name>.yaml
+--
++
+[source,yaml]
+.Secret example YAML file
+--
+apiVersion: v1
+kind: Secret
+metadata:
+  name: smbcreds <1>
+  namespace: samba-server <2>
+stringData:
+  username: <username> <3>
+  password: <password> <4>
+--
+<1> Name of the Secret for the Samba server.
+<2> Namespace for the Secret for the Samba server.
+<3> Username for the Secret for the Samba server.
+<4> Password for the Secret for the Samba server.
+
+. Create a storage class by running the following command with the following example YAML file:
++
+[source,terminal]
+--
+$ oc create -f <sc_file_name>.yaml <1>
+--
+<1> Name of the storage class YAML file.
++
+[source,yaml]
+.Storage class example YAML file
+--
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: <sc_name> <1>
+provisioner: smb.csi.k8s.io
+parameters:
+  source: //<hostname>/<shares> <2>
+  csi.storage.k8s.io/provisioner-secret-name: smbcreds <3>
+  csi.storage.k8s.io/provisioner-secret-namespace: samba-server <4>
+  csi.storage.k8s.io/node-stage-secret-name: smbcreds <3>
+  csi.storage.k8s.io/node-stage-secret-namespace: samba-server <4>
+reclaimPolicy: Delete
+volumeBindingMode: Immediate
+mountOptions:
+  - dir_mode=0777
+  - file_mode=0777
+  - uid=1001
+  - gid=1001
+--
+<1> The name of the storage class.
+<2> The Samba server must be installed somewhere and reachable from the cluster with <`hostname>` being the hostname for the Samba server and `<shares>` the path the server is configured to have among the exported shares. 
+<3> Name of the Secret for the Samba server that was set in the previous step. If the `csi.storage.k8s.io/provisioner-secret` is provided, a subdirectory is created with the PV name under `source`.
+<4> Namespace for the Secret for the Samba server that was set in the previous step.
+
+. Create a PVC:
+
+.. Create a PVC by running the following command with the following example YAML file:
++
+[source, terminal]
+----
+$ oc create -f <pv_file_name>.yaml <1>
+----
+<1> The name of the PVC YAML file.
++
+.Example PVC YAML file
++
+[source,yaml]
+----
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: <pvc_name> <1>
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: <storage_amount> <2>
+  storageClassName: <sc_name> <3>
+----
+<1> The name of the PVC.
+<2> Storage request amount.
+<3> The name of the CIFS/SMB storage class that you created in the previous step.
+
+.. Ensure that the PVC was created and is in the "Bound" status by running the following command:
++
+[source, terminal]
+----
+$ oc describe pvc <pvc_name> <1>
+----
+<1> The name of the PVC that you created in the preceding step.
++
+.Example output
++
+[source,terminal]
+----
+Name:          pvc-test
+Namespace:     default
+StorageClass:  samba
+Status:        Bound <1>
+...
+----
+<1> PVC is in Bound status.
\ No newline at end of file
diff --git a/modules/persistent-storage-csi-smb-cifs-provision-static.adoc b/modules/persistent-storage-csi-smb-cifs-provision-static.adoc
new file mode 100644
index 000000000000..e20b80f9fd5a
--- /dev/null
+++ b/modules/persistent-storage-csi-smb-cifs-provision-static.adoc
@@ -0,0 +1,222 @@
+// Module included in the following assemblies:
+//
+// * storage/container_storage_interface/persistent-storage-csi-smb-cifs.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="persistent-storage-csi-smb-cifs-provision-static_{context}"]
+= Static provisioning
+
+You can use static provisioning to create a persistent volume (PV) and persistent volume claim (PVC) to consume existing Server Message Block protocol (SMB) shares:
+
+.Prerequisites
+* Access to the {product-title} web console.
+* {FeatureName} CSI Driver Operator and driver installed.
+* You have installed the SMB server and know the following information about the server:
+** Hostname
+** Share name
+** Username and password
+
+.Procedure
+
+To set up static provisioning:
+
+. Create a Secret for access to the Samba server using the following command with the following example YAML file:
++
+[source,terminal]
+--
+$ oc create -f <file_name>.yaml
+--
++
+[source,yaml]
+.Secret example YAML file
+--
+apiVersion: v1
+kind: Secret
+metadata:
+  name: smbcreds <1>
+  namespace: samba-server <2>
+stringData:
+  username: <username> <3>
+  password: <password> <4>
+--
+<1> Name of the Secret for the Samba server.
+<2> Namespace for the Secret for the Samba server.
+<3> Username for the Secret for the Samba server.
+<4> Password for the Secret for the Samba server.
+
+. Create a PV by running the following command with the following example YAML file:
++
+[source,terminal]
+----
+$ oc create -f <pv_file_name>.yaml <1>
+----
+<1> The name of the PV YAML file.
++
+.Example PV YAML file
++
+[source,yaml]
+----
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  annotations:
+    pv.kubernetes.io/provisioned-by: smb.csi.k8s.io
+  name: <pv_name> <1>
+spec:
+  capacity:
+    storage: 100Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: ""
+  mountOptions:
+    - dir_mode=0777
+    - file_mode=0777
+  csi:
+    driver: smb.csi.k8s.io
+    volumeHandle: smb-server.default.svc.cluster.local/share/ <2>
+    volumeAttributes:
+      source: //<hostname>/<shares> <3>
+    nodeStageSecretRef:
+      name: <secret_name_shares> <4>
+      namespace: <namespace> <5>
+----
+<1> The name of the PV.
+<2> `volumeHandle` format: {smb-server-address}.{sub-dir-name}.{share-name}. Ensure that this value is unique for every share in the cluster.
+<3> The Samba server must be installed somewhere and reachable from the cluster with <hostname> being the hostname for the Samba server and <shares> the path the server is configured to have among the exported shares.
+<4> The name of the Secret for the shares.
+<5> The applicable namespace.
+
+. Create a PVC:
+
+.. Create a PVC by running the following command with the following example YAML file:
++
+[source, terminal]
+----
+$ oc create -f <pv_file_name>.yaml <1>
+----
+<1> The name of the PVC YAML file.
++
+.Example PVC YAML file
++
+[source,yaml]
+----
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: <pvc_name> <1>
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: <storage_amount> <2>
+  storageClassName: ""
+  volumeName: <pv_name> <3>
+----
+<1> The name of the PVC.
+<2> Storage request amount.
+<3> The name of the PV from the first step.
+
+.. Ensure that the PVC was created and is in the "Bound" status by running the following command:
++
+[source, terminal]
+----
+$ oc describe pvc <pvc_name> <1>
+----
+<1> The name of the PVC that you created in the preceding step.
++
+.Example output
++
+[source,terminal]
+----
+Name:          pvc-test
+Namespace:     default
+StorageClass:  
+Status:        Bound <1>
+...
+----
+<1> PVC is in Bound status.
+
+. Create a deployment on Linux by running the following command with the following example YAML file:
++
+[NOTE]
+====
+The following deployment is not mandatory for using the PV and PVC created in the previous steps. It is example of how they can be used.
+====
++
+[source, terminal]
+----
+$ oc create -f <deployment_file_name>.yaml <1>
+----
+<1> The name of the deployment YAML file.
++
+.Example deployment YAML file
++
+[source, yaml]
+----
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: nginx
+  name: <deployment_name> <1>
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+      name: <deployment_name> <1>
+    spec:
+      nodeSelector:
+        "kubernetes.io/os": linux
+      containers:
+        - name: <deployment_name> <1>
+          image: quay.io/centos/centos:stream8
+          command:
+            - "/bin/bash"
+            - "-c"
+            - set -euo pipefail; while true; do echo $(date) >> <mount_path>/outfile; sleep 1; done <2>
+          volumeMounts:
+            - name: <vol_mount_name> <3>
+              mountPath: <mount_path> <2>
+              readOnly: false
+      volumes:
+        - name: <vol_mount_name> <3>
+          persistentVolumeClaim:
+            claimName: <pvc_name> <4>
+  strategy:
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 1
+    type: RollingUpdate
+----
+<1> The name of the deployment.
+<2> The volume mount path.
+<3> The name of the volume mount.
+<4> The name of the PVC created in the preceding step.
+
+. Check the setup by running the `df -h` command in the container:
++
+[source, terminal]
+----
+$ oc exec -it <pod_name> -- df -h <1>
+----
+<1> The name of the pod.
++
+.Example output
++
+[source, terminal]
+----
+Filesystem            Size  Used Avail Use% Mounted on
+...
+/dev/sda1              97G   21G   77G  22% /etc/hosts
+//20.43.191.64/share   97G   21G   77G  22% /mnt/smb
+...
+----
++
+In this example, there is a `/mnt/smb` directory mounted as a Common Internet File System (CIFS) filesystem.
\ No newline at end of file
diff --git a/modules/persistent-storage-csi-vsphere-change-max-snapshot.adoc b/modules/persistent-storage-csi-vsphere-change-max-snapshot.adoc
new file mode 100644
index 000000000000..fb2ac199cc9d
--- /dev/null
+++ b/modules/persistent-storage-csi-vsphere-change-max-snapshot.adoc
@@ -0,0 +1,127 @@
+// Module included in the following assemblies:
+//
+// * storage/persistent_storage/persistent-storage-vsphere.adoc
+// * storage/persistent_storage/persistent-storage-csi-snapshots.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="vsphere-change-max-snapshot_{context}"]
+= Changing the maximum number of snapshots for vSphere
+
+The default maximum number of snapshots per volume in vSphere Container Storage Interface (CSI) is 3. You can change the maximum number up to 32 per volume.
+
+However, be aware that increasing the snapshot maximum involves a performance trade off, so for better performance use only 2 to 3 snapshots per volume.
+
+For more VMware snapshot performance recommendations, see *_Additional Resources_*.
+
+.Prerequisites
+
+* Access to the cluster with administrator rights.
+
+.Procedure
+
+. Check the current config map by the running the following command:
++
+[source, terminal]
+----
+$ oc -n openshift-cluster-csi-drivers get cm/vsphere-csi-config -o yaml
+----
++
+.Example output
++
+[source, terminal]
+----
+apiVersion: v1
+data:
+  cloud.conf: |+
+    # Labels with topology values are added dynamically via operator
+    [Global]
+    cluster-id = vsphere-01-cwv8p
+
+    [VirtualCenter "vcenter.openshift.com"]
+    insecure-flag           = true
+    datacenters             = DEVQEdatacenter
+    migration-datastore-url = ds:///vmfs/volumes/vsan:527320283a8c3163-2faa6dc5949a3a28/
+
+kind: ConfigMap
+metadata:
+  creationTimestamp: "2024-03-06T09:46:40Z"
+  name: vsphere-csi-config
+  namespace: openshift-cluster-csi-drivers
+  resourceVersion: "126687"
+----
++
+In this example, the global maximum number of snapshots is not configured, so the default value of 3 is applied.
+
+. Change the snapshot limit by running the following command:
++
+* Set *global* snapshot limit:
++
+[source, terminal]
+----
+$ oc patch clustercsidriver/csi.vsphere.vmware.com --type=merge -p '{"spec":{"driverConfig":{"vSphere":{"globalMaxSnapshotsPerBlockVolume": 10}}}}'
+clustercsidriver.operator.openshift.io/csi.vsphere.vmware.com patched
+----
++
+In this example, the global limit is being changed to 10 (`globalMaxSnapshotsPerBlockVolume` set to 10).
+
+* Set *Virtual Volume* snapshot limit:
++
+This parameter sets the limit on the Virtual Volumes datastore only. The Virtual Volume maximum snapshot limit overrides the global constraint if set, but defaults to the global limit if it is not set.
++
+[source, terminal]
+----
+$ oc patch clustercsidriver/csi.vsphere.vmware.com --type=merge -p '{"spec":{"driverConfig":{"vSphere":{"granularMaxSnapshotsPerBlockVolumeInVVOL": 5}}}}'
+clustercsidriver.operator.openshift.io/csi.vsphere.vmware.com patched
+----
++
+In this example, the Virtual Volume limit is being changed to 5 (`granularMaxSnapshotsPerBlockVolumeInVVOL` set to 5).
+
+* Set *vSAN* snapshot limit:
++
+This parameter sets the limit on the vSAN datastore only. The vSAN maximum snapshot limit overrides the global constraint if set, but defaults to the global limit if it is not set. You can set a maximum value of 32 under vSAN ESA setup.
++
+[source, terminal]
+----
+$ oc patch clustercsidriver/csi.vsphere.vmware.com --type=merge -p '{"spec":{"driverConfig":{"vSphere":{"granularMaxSnapshotsPerBlockVolumeInVSAN": 7}}}}'
+clustercsidriver.operator.openshift.io/csi.vsphere.vmware.com patched
+----
++
+In this example, the vSAN limit is being changed to 7 (`granularMaxSnapshotsPerBlockVolumeInVSAN` set to 7).
+
+.Verification
+
+* Verify that any changes you made are reflected in the config map by running the following command:
++
+[source, terminal]
+----
+$ oc -n openshift-cluster-csi-drivers get cm/vsphere-csi-config -o yaml
+----
++
+.Example output
++
+[source, terminal]
+----
+apiVersion: v1
+data:
+  cloud.conf: |+
+    # Labels with topology values are added dynamically via operator
+    [Global]
+    cluster-id = vsphere-01-cwv8p
+
+    [VirtualCenter "vcenter.openshift.com"]
+    insecure-flag           = true
+    datacenters             = DEVQEdatacenter
+    migration-datastore-url = ds:///vmfs/volumes/vsan:527320283a8c3163-2faa6dc5949a3a28/
+
+    [Snapshot]
+    global-max-snapshots-per-block-volume = 10 <1>
+
+kind: ConfigMap
+metadata:
+  creationTimestamp: "2024-03-06T09:46:40Z"
+  name: vsphere-csi-config
+  namespace: openshift-cluster-csi-drivers
+  resourceVersion: "127118"
+  uid: f6968303-81d8-4048-99c1-d8211363d0fa
+----
+<1> `global-max-snapshots-per-block-volume` is now set to 10.
diff --git a/modules/persistent-storage-csi-vsphere-top-aware-overview.adoc b/modules/persistent-storage-csi-vsphere-top-aware-overview.adoc
index c915d9af4f3d..d061556a3609 100644
--- a/modules/persistent-storage-csi-vsphere-top-aware-overview.adoc
+++ b/modules/persistent-storage-csi-vsphere-top-aware-overview.adoc
@@ -26,4 +26,20 @@ Datacenter: Atlanta
 Datacenter: Atlanta
 |openshift-region: us-east-1 (tag), openshift-zone: us-east-1b (tag)
 |This defines a different failure domain within the same region called us-east-1b.
-|===
\ No newline at end of file
+|===
+
+== vSphere CSI topology requirements 
+The following guidelines are recommended for vSphere CSI topology:
+
+* You are strongly recommended to add topology tags to datacenters and compute clusters, and *not* to hosts. 
++
+`vsphere-problem-detector` provides alerts if the `openshift-region` or `openshift-zone` tags are not defined at the datacenter or compute cluster level, and each topology tag (`openshift-region` or `openshift-zone`) should occur only once in the hierarchy.
++
+[NOTE]
+====
+Ignoring this recommendation only results in a log warning from the CSI driver and duplicate tags lower in the hierarchy, such as hosts, are ignored; VMware considers this an invalid configuration, and therefore to prevent problems you should not use it.
+====
+
+* Volume provisioning requests in topology-aware environments attempt to create volumes in datastores accessible to all hosts under a given topology segment. This includes hosts that do not have Kubernetes node VMs running on them. For example, if the vSphere Container Storage Plug-in driver receives a request to provision a volume in zone-a, applied on the Datacenter dc-1, all hosts under dc-1 must have access to the datastore selected for volume provisioning. The hosts include those that are directly under dc-1, and those that are a part of clusters inside dc-1.
+
+* For additional recommendations, you should read the VMware https://docs.vmware.com/en/VMware-vSphere-Container-Storage-Plug-in/3.0/vmware-vsphere-csp-getting-started/GUID-162E7582-723B-4A0F-A937-3ACE82EAFD31.html[Guidelines and Best Practices for Deployment with Topology] section.
\ No newline at end of file
diff --git a/modules/power-monitoring-configuring-kepler-redfish.adoc b/modules/power-monitoring-configuring-kepler-redfish.adoc
new file mode 100644
index 000000000000..fea1ac2d7e41
--- /dev/null
+++ b/modules/power-monitoring-configuring-kepler-redfish.adoc
@@ -0,0 +1,94 @@
+// Module included in the following assemblies:
+
+// * power_monitoring/configuring-power-monitoring.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="power-monitoring-configuring-kepler-redfish_{context}"]
+= Configuring {PM-kepler} to use Redfish
+
+You can configure {PM-kepler} to use Redfish as the source for running or hosting containers. {PM-kepler} can then monitor the power usage of these containers.
+
+.Prerequisites
+* You have access to the {product-title} web console.
+* You are logged in as a user with the `cluster-admin` role.
+* You have installed the {PM-operator}.
+
+.Procedure
+
+. In the *Administrator* perspective of the web console, click *Operators* -> *Installed Operators*.
+
+. Click *{PM-title-c}* from the *Installed Operators* list and click the *{PM-kepler}* tab.
+
+. Click *Create {PM-kepler}*. If you already have a {PM-kepler} instance created, click *Edit Kepler*.
+
+. Configure `.spec.exporter.redfish` of the {PM-kepler} instance by specifying the mandatory `secretRef` field. You can also configure the optional `probeInterval` and `skipSSLVerify` fields to meet your needs.
++
+.Example {PM-kepler} instance
+[source,yaml]
+----
+apiVersion: kepler.system.sustainable.computing.io/v1alpha1
+kind: Kepler
+metadata:
+  name: kepler
+spec:
+  exporter:
+    deployment:
+# ... 
+    redfish:
+      secretRef: <secret_name> required <1>
+      probeInterval: 60s <2>
+      skipSSLVerify: false <3>
+# ...
+----
+<1> Required: Specifies the name of the secret that contains the credentials for accessing the Redfish server.
+<2> Optional: Controls the frequency at which the power information is queried from Redfish. The default value is `60s`.
+<3> Optional: Controls if {PM-kepler} skips verifying the Redfish server certificate. The default value is `false`.
++
+[NOTE]
+====
+After {PM-kepler} is deployed, the `openshift-power-monitoring` namespace is created.
+====
+. Create the `redfish.csv` file with the following data format:
++
+[source,csv]
+----
+<your_kubelet_node_name>,<redfish_username>,<redfish_password>,https://<redfish_ip_or_hostname>/
+----
++
+.Example `redfish.csv` file
+[source,csv]
+----
+control-plane,exampleuser,examplepass,https://redfish.nodes.example.com
+worker-1,exampleuser,examplepass,https://redfish.nodes.example.com
+worker-2,exampleuser,examplepass,https://another.redfish.nodes.example.com
+----
+. Create the secret under the `openshift-power-monitoring` namespace. You must create the secret with the following conditions:
++
+--
+* The secret type is `Opaque`.
+* The credentials are stored under the `redfish.csv` key in the `data` field of the secret.
+--
++
+[source,terminal]
+----
+$ oc -n openshift-power-monitoring \
+      create secret generic redfish-secret \
+      --from-file=redfish.csv
+----
++
+.Example output
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  name: redfish-secret
+data:
+  redfish.csv: YmFyCg==
+  # ...
+----
++
+[IMPORTANT]
+====
+The {PM-kepler} deployment will not continue until the Redfish secret is created. You can find this information in the `status` of a {PM-kepler} instance.
+====
\ No newline at end of file
diff --git a/modules/power-monitoring-kepler-configuration.adoc b/modules/power-monitoring-kepler-configuration.adoc
index 9788c36e1319..1a5af2e67c7b 100644
--- a/modules/power-monitoring-kepler-configuration.adoc
+++ b/modules/power-monitoring-kepler-configuration.adoc
@@ -10,7 +10,7 @@ You can configure {PM-kepler} with the `spec` field of the `{PM-kepler}` resourc
 
 [IMPORTANT]
 ====
-Ensure that the name of your {PM-kepler} instance is `kepler`. All other instances are ignored by the {PM-operator}.
+Ensure that the name of your {PM-kepler} instance is `kepler`. All other instances are rejected by the {PM-operator} Webhook.
 ====
 
 The following is the list of configuration options:
diff --git a/modules/ptp-configuring-linuxptp-services-as-boundary-clock-dual-nic.adoc b/modules/ptp-configuring-linuxptp-services-as-boundary-clock-dual-nic.adoc
index ad1e3b4015f0..a2904177b24d 100644
--- a/modules/ptp-configuring-linuxptp-services-as-boundary-clock-dual-nic.adoc
+++ b/modules/ptp-configuring-linuxptp-services-as-boundary-clock-dual-nic.adoc
@@ -6,9 +6,6 @@
 [id="ptp-configuring-linuxptp-services-as-bc-for-dual-nic_{context}"]
 = Configuring linuxptp services as boundary clocks for dual-NIC hardware
 
-:FeatureName: Precision Time Protocol (PTP) hardware with dual-NIC configured as boundary clocks
-include::snippets/technology-preview.adoc[leveloffset=+1]
-
 You can configure the `linuxptp` services (`ptp4l`, `phc2sys`) as boundary clocks for dual-NIC hardware by creating a `PtpConfig` custom resource (CR) object for each NIC.
 
 Dual NIC hardware allows you to connect each NIC to the same upstream leader clock with separate `ptp4l` instances for each NIC feeding the downstream clocks.
diff --git a/modules/registry-exposing-default-registry-manually.adoc b/modules/registry-exposing-default-registry-manually.adoc
index 2e7b8a834e67..a6f3fa782bf5 100644
--- a/modules/registry-exposing-default-registry-manually.adoc
+++ b/modules/registry-exposing-default-registry-manually.adoc
@@ -4,7 +4,7 @@
 
 Instead of logging in to the default {product-registry} from within the cluster, you can gain external access to it by exposing it with a route. This external access enables you to log in to the registry from outside the cluster using the route address and to tag and push images to an existing project by using the route host.
 
-.Prerequisites:
+.Prerequisites
 
 * The following prerequisites are automatically performed:
 ** Deploy the Registry Operator.
diff --git a/modules/registry-exposing-secure-registry-manually.adoc b/modules/registry-exposing-secure-registry-manually.adoc
index 82126c9e091f..51360f9e631d 100644
--- a/modules/registry-exposing-secure-registry-manually.adoc
+++ b/modules/registry-exposing-secure-registry-manually.adoc
@@ -11,7 +11,7 @@ you can gain external access to it by exposing it with a route. This allows you
 to log in to the registry from outside the cluster using the route address, and
 to tag and push images to an existing project by using the route host.
 
-.Prerequisites:
+.Prerequisites
 
 * The following prerequisites are automatically performed:
 ** Deploy the Registry Operator.
@@ -65,6 +65,11 @@ default TLS configuration from the Ingress Operator.
 +
 . On the Registry Operator:
 +
+[source,terminal]
+----
+$ oc edit configs.imageregistry.operator.openshift.io/cluster
+----
++
 [source,yaml]
 ----
 spec:
@@ -82,4 +87,4 @@ registry's route.
 ====
 
 .Troubleshooting
-* link:https://access.redhat.com/solutions/5419501[Error creating TLS secret]
\ No newline at end of file
+* link:https://access.redhat.com/solutions/5419501[Error creating TLS secret]
diff --git a/modules/removing-custom-config-from-cluster.adoc b/modules/removing-custom-config-from-cluster.adoc
new file mode 100644
index 000000000000..bbbcf4b60ac4
--- /dev/null
+++ b/modules/removing-custom-config-from-cluster.adoc
@@ -0,0 +1,31 @@
+// Module included in the following assemblies:
+//
+// * rosa_cluster_admin/rosa-configuring-pid-limits.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="removing-custom-config-from-cluster_{context}"]
+= Removing custom configuration from a cluster
+
+You can remove custom configuration from your cluster by removing the `KubeletConfig` object that contains the configuration details.
+
+.Prerequisites
+* You have an existing {product-title} cluster.
+* You have installed the ROSA CLI (rosa).
+* You have logged in to your Red Hat account by using the ROSA CLI.
+
+.Procedure
+
+* Remove custom configuration from the cluster by deleting the relevant custom `KubeletConfig` object:
++
+[source,terminal]
+----
+$ rosa delete kubeletconfig --cluster <cluster_name> --name <kubeletconfig_name>
+----
+
+.Verification steps
+* Confirm that the custom `KubeletConfig` object is not listed for the cluster:
++
+[source,terminal]
+----
+$ rosa describe kubeletconfig --name <cluster_name>
+----
\ No newline at end of file
diff --git a/modules/removing-custom-config-from-machinepool.adoc b/modules/removing-custom-config-from-machinepool.adoc
new file mode 100644
index 000000000000..8862b0572d0e
--- /dev/null
+++ b/modules/removing-custom-config-from-machinepool.adoc
@@ -0,0 +1,33 @@
+// Module included in the following assemblies:
+//
+// * rosa_cluster_admin/rosa-configuring-pid-limits.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="removing-custom-config-from-machinepool_{context}"]
+= Removing custom configuration from a machine pool
+
+You can remove custom configuration on your machine pools by removing the `KubeletConfig` object that contains the configuration details.
+
+.Prerequisites
+* You have an existing {product-title} cluster.
+* You have installed the ROSA CLI (rosa).
+* You have logged in to your Red Hat account by using the ROSA CLI.
+
+.Procedure
+
+* Edit the machine pool and set the `--kubeletconfigs` parameter so that the `KubeletConfig` object you want to remove is omitted.
++
+To remove all `KubeletConfig` objects from the machine pool, set an empty value for the `--kubeletconfigs` parameter, for example:
++
+[source,terminal]
+----
+$ rosa edit machinepool -c <cluster_name> --kubeletconfigs="" --name <machinepool_name>
+----
+
+.Verification steps
+* Confirm that the `KubeletConfig` object you removed is not visible in the machine pool description:
++
+[source,terminal]
+----
+$ rosa describe machinepool --cluster <cluster_name> --name <machinepool_name>
+----
\ No newline at end of file
diff --git a/modules/rhcos-add-extensions.adoc b/modules/rhcos-add-extensions.adoc
index de54c7bc1a34..2b2750071e79 100644
--- a/modules/rhcos-add-extensions.adoc
+++ b/modules/rhcos-add-extensions.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * post_installation_configuration/machine-configuration-tasks.adoc
+// * machine_configuration/machine-configs-configure.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="rhcos-add-extensions_{context}"]
diff --git a/modules/rhcos-enabling-multipath-day-2.adoc b/modules/rhcos-enabling-multipath-day-2.adoc
index ef8d6cc9a7de..1e3428caf04c 100644
--- a/modules/rhcos-enabling-multipath-day-2.adoc
+++ b/modules/rhcos-enabling-multipath-day-2.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * post_installation_configuration/machine-configuration-tasks.adoc
+// * machine_configuration/machine-configs-configure.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="rhcos-enabling-multipath-day-2_{context}"]
@@ -19,6 +19,11 @@ On {ibm-z-name} and {ibm-linuxone-name}, you can enable multipathing only if you
 ====
 // Add xref once it's allowed.
 
+[IMPORTANT]
+====
+When a {product-title} {product-version} cluster is installed or configured as a post-installation activity on a single VIOS host with "vSCSI" storage on {ibm-power-name} with multipath configured, the CoreOS nodes with multipath enabled fail to boot. This behavior is expected, as only one path is available to the Node.
+====
+
 .Prerequisites
 * You have a running {product-title} cluster that uses version 4.7 or later.
 * You are logged in to the cluster as a user with administrative privileges.
diff --git a/modules/rhcos-install-iscsi-ibft.adoc b/modules/rhcos-install-iscsi-ibft.adoc
new file mode 100644
index 000000000000..935b27c41e15
--- /dev/null
+++ b/modules/rhcos-install-iscsi-ibft.adoc
@@ -0,0 +1,63 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_bare_metal/installing-bare-metal.adoc
+// * installing/installing_bare_metal/installing-bare-metal-network-customizations.adoc
+// * installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="rhcos-install-iscsi-ibft_{context}"]
+= Installing {op-system} on an iSCSI boot device using iBFT
+
+On a completely diskless machine, the iSCSI target and initiator values can be passed through iBFT. iSCSI multipathing is also supported.
+
+.Prerequisites
+. You are in the {op-system} live environment.
+. You have an iSCSI target you want to install {op-system} on.
+. Optional: you have multipathed your iSCSI target.
+
+.Procedure
+
+. Mount the iSCSI target from the live environment by running the following command:
++
+[source,text]
+----
+$ iscsiadm \
+    --mode discovery \
+    --type sendtargets
+    --portal <IP_address> \ <1>
+    --login
+----
+<1> The IP address of the target portal.
+
+. Optional: enable multipathing and start the daemon with the following command:
++
+[source,text]
+----
+$ mpathconf --enable && systemctl start multipathd.service
+----
+
+. Install {op-system} onto the iSCSI target by running the following command and using the necessary kernel arguments, for example:
++
+[source,text]
+----
+$ coreos-installer install \
+    /dev/mapper/mpatha \ <1>
+    --append-karg rd.iscsi.firmware=1 \ <2>
+    --append-karg rd.multipath=default \ <3>
+    --console ttyS0 \
+    --ignition-file <path_to_file>
+----
+<1> The path of a single multipathed device. If there are multiple multipath devices connected, or to be explicit, you can use the World Wide Name (WWN) symlink available in `/dev/disk/by-path`.
+<2> The iSCSI parameter is read from the BIOS firmware.
+<3> Optional: include this parameter if you are enabling multipathing.
++
+For more information about the iSCSI options supported by `dracut`, see the link:https://www.man7.org/linux/man-pages/man7/dracut.cmdline.7.html[`dracut.cmdline` manual page].
+
+. Unmount the iSCSI disk:
++
+[source,text]
+----
+$ iscsiadm --mode node --logout=all
+----
+
+This procedure can also be performed using the `coreos-installer iso customize` or `coreos-installer pxe customize` subcommands.
diff --git a/modules/rhcos-install-iscsi-manual.adoc b/modules/rhcos-install-iscsi-manual.adoc
new file mode 100644
index 000000000000..b446e66581f1
--- /dev/null
+++ b/modules/rhcos-install-iscsi-manual.adoc
@@ -0,0 +1,55 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_bare_metal/installing-bare-metal.adoc
+// * installing/installing_bare_metal/installing-bare-metal-network-customizations.adoc
+// * installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="rhcos-install-iscsi-manual_{context}"]
+= Installing {op-system} manually on an iSCSI boot device
+
+You can manually install {op-system} on an iSCSI target.
+
+.Prerequisites
+. You are in the {op-system} live environment.
+. You have an iSCSI target that you want to install {op-system} on.
+
+.Procedure
+
+. Mount the iSCSI target from the live environment by running the following command:
++
+[source,text]
+----
+$ iscsiadm \
+    --mode discovery \
+    --type sendtargets
+    --portal <IP_address> \ <1>
+    --login
+----
+<1> The IP address of the target portal.
+
+. Install {op-system} onto the iSCSI target by running the following command and using the necessary kernel arguments, for example:
++
+[source,text]
+----
+$ coreos-installer install \
+    /dev/disk/by-path/ip-<IP_address>:<port>-iscsi-<target_iqn>-lun-<lun> \ <1>
+    --append-karg rd.iscsi.initiator=<initiator_iqn> \ <2>
+    --append.karg netroot=<target_iqn> \ <3>
+    --console ttyS0,115200n8
+    --ignition-file <path_to_file>
+----
+<1> The location you are installing to. You must provide the IP address of the target portal, the associated port number, the target iSCSI node in IQN format, and the iSCSI logical unit number (LUN).
+<2> The iSCSI initiator, or client, name in IQN format. The initiator forms a session to connect to the iSCSI target.
+<3> The the iSCSI target, or server, name in IQN format.
++
+For more information about the iSCSI options supported by `dracut`, see the link:https://www.man7.org/linux/man-pages/man7/dracut.cmdline.7.html[`dracut.cmdline` manual page].
+
+. Unmount the iSCSI disk with the following command:
++
+[source,text]
+----
+$ iscsiadm --mode node --logoutall=all
+----
+
+This procedure can also be performed using the `coreos-installer iso customize` or `coreos-installer pxe customize` subcommands.
diff --git a/modules/rhcos-load-firmware-blobs.adoc b/modules/rhcos-load-firmware-blobs.adoc
index 48c049c9b321..b6273a54c58f 100644
--- a/modules/rhcos-load-firmware-blobs.adoc
+++ b/modules/rhcos-load-firmware-blobs.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * post_installation_configuration/machine-configuration-tasks.adoc
+// * machine_configuration/machine-configs-configure.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="rhcos-load-firmware-blobs_{context}"]
diff --git a/modules/rhel-compute-requirements.adoc b/modules/rhel-compute-requirements.adoc
index a2251c465ad2..8c6326d45469 100644
--- a/modules/rhel-compute-requirements.adoc
+++ b/modules/rhel-compute-requirements.adoc
@@ -30,11 +30,11 @@ If you have {op-system-base} 7 compute machines that were previously supported i
 For the most recent list of major functionality that has been deprecated or removed within {product-title}, refer to the _Deprecated and removed features_ section of the {product-title} release notes.
 ====
 ** If you deployed {product-title} in FIPS mode, you must enable FIPS on the {op-system-base} machine before you boot it. See link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/assembly_installing-a-rhel-8-system-with-fips-mode-enabled_security-hardening[Installing a RHEL 8 system with FIPS mode enabled] in the {op-system-base} 8 documentation.
++
+--
+include::snippets/fips-snippet.adoc[]
+--
 
-[IMPORTANT]
-====
-To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. When running {op-system-base-full} or {op-system-first} booted in FIPS mode, {product-title} core components use the {op-system-base} cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.
-====
 endif::[]
 ** NetworkManager 1.0 or later.
 ** 1 vCPU.
diff --git a/modules/rhel-compute-updating.adoc b/modules/rhel-compute-updating.adoc
index 5ca32eee6795..a361824880b8 100644
--- a/modules/rhel-compute-updating.adoc
+++ b/modules/rhel-compute-updating.adoc
@@ -52,7 +52,7 @@ By default, the base OS RHEL with "Minimal" installation option enables firewall
 +
 [source,terminal,subs="attributes+"]
 ----
-# subscription-manager repos --disable=rhocp-4.14-for-rhel-8-x86_64-rpms \
+# subscription-manager repos --disable=rhocp-4.15-for-rhel-8-x86_64-rpms \
                              --enable=rhocp-{product-version}-for-rhel-8-x86_64-rpms
 ----
 +
@@ -72,7 +72,7 @@ As of {product-title} 4.11, the Ansible playbooks are provided only for {op-syst
 +
 [source,terminal,subs="attributes+"]
 ----
-# subscription-manager repos --disable=rhocp-4.14-for-rhel-8-x86_64-rpms \
+# subscription-manager repos --disable=rhocp-4.15-for-rhel-8-x86_64-rpms \
                              --enable=rhocp-{product-version}-for-rhel-8-x86_64-rpms
 ----
 
diff --git a/modules/rosa-access-approval-review.adoc b/modules/rosa-access-approval-review.adoc
index 1542e01b4b2a..6306cc3cc39c 100644
--- a/modules/rosa-access-approval-review.adoc
+++ b/modules/rosa-access-approval-review.adoc
@@ -17,7 +17,7 @@ The access and identity authorization table includes responsibilities for managi
 |Customer responsibilities
 
 |Logging
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Adhere to an industry standards-based tiered internal access process for platform audit logs.
 
@@ -27,45 +27,45 @@ The access and identity authorization table includes responsibilities for managi
 - For third-party or custom application logging solutions, the customer is responsible for access management.
 
 |Application networking
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Provide native OpenShift RBAC and `dedicated-admin` capabilities.
 
 |- Configure OpenShift `dedicated-admin` and RBAC to control access to route configuration as required.
-- Manage organization administrators for Red Hat to grant access to {cluster-manager}. The cluster manager is used to configure router options and provide service load balancer quota.
+- Manage organization administrators for Red{nbsp}Hat to grant access to {cluster-manager}. The cluster manager is used to configure router options and provide service load balancer quota.
 
 |Cluster networking
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Provide customer access controls through {cluster-manager}.
 
 - Provide native OpenShift RBAC and `dedicated-admin` capabilities.
 
-|- Manage Red Hat organization membership of Red Hat accounts.
-- Manage organization administrators for Red Hat to grant access to {cluster-manager}.
+|- Manage Red{nbsp}Hat organization membership of Red{nbsp}Hat accounts.
+- Manage organization administrators for Red{nbsp}Hat to grant access to {cluster-manager}.
 - Configure OpenShift `dedicated-admin` and RBAC to control access to route configuration as required.
 
 |Virtual networking management
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Provide customer access controls through {cluster-manager}.
 
 |- Manage optional user access to AWS components through {cluster-manager}.
 
 |Virtual storage management
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Provide customer access controls through
-Red Hat OpenShift Cluster Manager.
+Red{nbsp}Hat OpenShift Cluster Manager.
 
 |- Manage optional user access to AWS components through {cluster-manager}.
 - Create AWS IAM roles and attached policies necessary to enable ROSA service access.
 
 |Virtual compute management
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Provide customer access controls through
-Red Hat OpenShift Cluster Manager.
+Red{nbsp}Hat OpenShift Cluster Manager.
 
 |- Manage optional user access to AWS components through {cluster-manager}.
 - Create AWS IAM roles and attached policies necessary to enable ROSA service access.
diff --git a/modules/rosa-adding-node-labels.adoc b/modules/rosa-adding-node-labels.adoc
index 02ce21ea7c02..9add656eeffd 100644
--- a/modules/rosa-adding-node-labels.adoc
+++ b/modules/rosa-adding-node-labels.adoc
@@ -16,7 +16,7 @@ Labels are assigned as key-value pairs. Each key must be unique to the object it
 
 ifdef::openshift-rosa[]
 * You installed and configured the latest {product-title} (ROSA) CLI, `rosa`, on your workstation.
-* You logged in to your Red Hat account using the ROSA CLI (`rosa`).
+* You logged in to your Red{nbsp}Hat account using the ROSA CLI (`rosa`).
 * You created a {product-title} (ROSA) cluster.
 endif::openshift-rosa[]
 ifndef::openshift-rosa[]
diff --git a/modules/rosa-adding-tags-cli.adoc b/modules/rosa-adding-tags-cli.adoc
new file mode 100644
index 000000000000..1c2367347cc8
--- /dev/null
+++ b/modules/rosa-adding-tags-cli.adoc
@@ -0,0 +1,73 @@
+// Module included in the following assemblies:
+//
+// * rosa_cluster_admin/rosa_nodes/rosa-managing-worker-nodes.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="rosa-adding-tags-cli{context}"]
+= Adding tags to a machine pool using the ROSA CLI
+
+You can add tags to a machine pool for your {product-title} cluster by using the ROSA command line interface (CLI).
+
+[IMPORTANT]
+====
+You must ensure that your tag keys are not `aws`, `red-hat-managed`, `red-hat-clustertype`, or `Name`. In addition, you must not set a tag key that begins with `kubernetes.io/cluster/`. Your tag's key cannot be longer than 128 characters, while your tag's value cannot be longer than 256 characters. Red{nbsp}Hat reserves the right to add additional reserved tags in the future.
+====
+
+.Prerequisites
+
+* You installed and configured the latest AWS (`aws`), ROSA (`rosa`), and OpenShift (`oc`) CLIs on your workstation.
+* You logged in to your Red{nbsp}Hat account by using the `rosa` CLI.
+* You created a {product-title} (ROSA) cluster.
+
+.Procedure
+
+* Create a machine pool with a custom tag by running the following command:
++
+--
+[source,terminal]
+----
+$ rosa create machinepools --cluster=<name> --replicas=<replica_count> \
+     --name <mp_name> --tags='<key> <value>,<key> <value>' \ <1>
+----
+<1> Replace `<key> <value>,<key> <value>` with a key and value for each tag.
+--
++
+.Example output
+[source,terminal]
+----
+$ rosa create machinepools --cluster=mycluster --replicas 2 --tags='tagkey1 tagvalue1,tagkey2 tagvaluev2'
+
+I: Checking available instance types for machine pool 'mp-1'
+I: Machine pool 'mp-1' created successfully on cluster 'mycluster'
+I: To view the machine pool details, run 'rosa describe machinepool --cluster mycluster --machinepool mp-1'
+I: To view all machine pools, run 'rosa list machinepools --cluster mycluster'
+----
+
+.Verification
+
+* Use the `describe` command to see the details of the machine pool with the tags, and verify that the tags are included for your machine pool in the output:
++
+[source,terminal]
+----
+$ rosa describe machinepool --cluster=<cluster_name> <machine_pool_name>
+----
++
+.Example output
+[source,terminal]
+----
+$ rosa describe machinepool --cluster classic-rosa --machinepool mp-1
+
+ID:                                    mp-1
+Cluster ID:                            2baiirqa2141oreotoivp4sipq84vp5g
+Autoscaling:                           No
+Replicas:                              2
+Instance type:                         m5.xlarge
+Labels:
+Taints:
+Availability zones:                    us-east-1a
+Subnets:
+Spot instances:                        No
+Disk size:                             300 GiB
+Additional Security Group IDs:
+Tags:                                  red-hat-clustertype=rosa, red-hat-managed=true, tagkey1=tagvalue1, tagkey2=tagvaluev2
+----
\ No newline at end of file
diff --git a/modules/rosa-adding-tags.adoc b/modules/rosa-adding-tags.adoc
new file mode 100644
index 000000000000..e824185373a8
--- /dev/null
+++ b/modules/rosa-adding-tags.adoc
@@ -0,0 +1,9 @@
+// Module included in the following assemblies:
+//
+// * rosa_cluster_admin/rosa_nodes/rosa-managing-worker-nodes.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="rosa-adding-tags_{context}"]
+= Adding tags to a machine pool
+
+You can add tags for compute nodes, also known as worker nodes, in a machine pool to introduce custom user tags for AWS resources that are generated when you provision your machine pool.
\ No newline at end of file
diff --git a/modules/rosa-adding-taints-cli.adoc b/modules/rosa-adding-taints-cli.adoc
index 6b33ce3c96fe..d6a6c3682034 100644
--- a/modules/rosa-adding-taints-cli.adoc
+++ b/modules/rosa-adding-taints-cli.adoc
@@ -8,7 +8,7 @@
 [id="rosa-adding-taints-cli{context}"]
 = Adding taints to a machine pool using the ROSA CLI
 
-You can add taints to a machine pool for your Red Hat OpenShift Service on AWS (ROSA) cluster by using the ROSA CLI.
+You can add taints to a machine pool for your Red{nbsp}Hat OpenShift Service on AWS (ROSA) cluster by using the ROSA CLI.
 
 [NOTE]
 ====
@@ -18,7 +18,7 @@ For users of ROSA CLI `rosa` version 1.2.25 and prior versions, the number of ta
 
 ifdef::openshift-rosa[]
 * You installed and configured the latest AWS (`aws`), ROSA (`rosa`), and OpenShift (`oc`) CLIs on your workstation.
-* You logged in to your Red Hat account by using the `rosa` CLI.
+* You logged in to your Red{nbsp}Hat account by using the `rosa` CLI.
 * You created a {product-title} (ROSA) cluster.
 endif::openshift-rosa[]
 ifndef::openshift-rosa[]
diff --git a/modules/rosa-adding-taints-ocm.adoc b/modules/rosa-adding-taints-ocm.adoc
index 553ac32512e2..2fc50bd919be 100644
--- a/modules/rosa-adding-taints-ocm.adoc
+++ b/modules/rosa-adding-taints-ocm.adoc
@@ -8,7 +8,7 @@
 [id="rosa-adding-taints-ocm{context}"]
 = Adding taints to a machine pool using OpenShift Cluster Manager
 
-You can add taints to a machine pool for your Red Hat OpenShift Service on AWS (ROSA) cluster by using OpenShift Cluster Manager.
+You can add taints to a machine pool for your Red{nbsp}Hat OpenShift Service on AWS (ROSA) cluster by using OpenShift Cluster Manager.
 
 .Prerequisites
 
@@ -16,7 +16,7 @@ ifndef::openshift-rosa[]
 * You created an OpenShift Dedicated cluster.
 endif::[]
 ifdef::openshift-rosa[]
-* You created a Red Hat OpenShift Service on AWS (ROSA) cluster.
+* You created a Red{nbsp}Hat OpenShift Service on AWS (ROSA) cluster.
 endif::[]
 * You have an existing machine pool that does not contain any taints and contains at least two instances.
 
diff --git a/modules/rosa-adding-taints.adoc b/modules/rosa-adding-taints.adoc
index a52d22aa94be..80c63025fc41 100644
--- a/modules/rosa-adding-taints.adoc
+++ b/modules/rosa-adding-taints.adoc
@@ -19,7 +19,7 @@ A cluster must have at least one machine pool that does not contain any taints.
 ifndef::openshift-rosa[]
 .Prerequisites
 // ifdef::openshift-rosa[]
-//   * You created a Red Hat OpenShift Service on AWS (ROSA) cluster.
+//   * You created a Red{nbsp}Hat OpenShift Service on AWS (ROSA) cluster.
 // endif::openshift-rosa[]
  * You created an {product-title} cluster.
  * You have an existing machine pool that does not contain any taints and contains at least two instances.
diff --git a/modules/rosa-adding-tuning.adoc b/modules/rosa-adding-tuning.adoc
index c5cb38655799..4ca04a0c9eb8 100644
--- a/modules/rosa-adding-tuning.adoc
+++ b/modules/rosa-adding-tuning.adoc
@@ -16,7 +16,7 @@ This feature is only supported on {hcp-title-first} clusters.
 .Prerequisites
 
 * You installed and configured the latest {product-title} (ROSA) CLI, `rosa`, on your workstation.
-* You logged in to your Red Hat account by using the ROSA CLI.
+* You logged in to your Red{nbsp}Hat account by using the ROSA CLI.
 * You created a {hcp-title-first} cluster.
 * You have an existing machine pool.
 * You have an existing tuning configuration.
diff --git a/modules/rosa-architecture.adoc b/modules/rosa-architecture.adoc
index 771010ef5272..4ed6971744d9 100644
--- a/modules/rosa-architecture.adoc
+++ b/modules/rosa-architecture.adoc
@@ -12,7 +12,7 @@ In {product-rosa} (ROSA) Classic, both the control plane and the worker nodes ar
 
 With ROSA Classic, you can create clusters that are accessible over public or private networks.
 
-You can customize access patterns for your API server endpoint and Red Hat SRE management in the following ways:
+You can customize access patterns for your API server endpoint and Red{nbsp}Hat SRE management in the following ways:
 
 * Public - API server endpoint and application routes are internet-facing.
 
diff --git a/modules/rosa-attaching-the-policy.adoc b/modules/rosa-attaching-the-policy.adoc
index 58f73768835f..aa31313784b1 100644
--- a/modules/rosa-attaching-the-policy.adoc
+++ b/modules/rosa-attaching-the-policy.adoc
@@ -14,7 +14,7 @@ Once you have created an identity-based IAM policy, attach it to the relevant IA
 +
 [NOTE]
 ====
-You can change the default IAM `ManagedOpenShift-Support-Role` role. For more information about roles, see link:https://docs.openshift.com/rosa/rosa_architecture/rosa_policy_service_definition/rosa-sre-access.html#rosa-policy-rh-access_rosa-sre-access[Red Hat support access].
+You can change the default IAM `ManagedOpenShift-Support-Role` role. For more information about roles, see link:https://docs.openshift.com/rosa/rosa_architecture/rosa_policy_service_definition/rosa-sre-access.html#rosa-policy-rh-access_rosa-sre-access[Red{nbsp}Hat support access].
 ====
 +
 . In the *Permissions* tab, select *Add Permissions* or *Create inline policy* from the *Add Permissions* drop-down list.
@@ -25,6 +25,6 @@ You can change the default IAM `ManagedOpenShift-Support-Role` role. For more in
 
 [IMPORTANT]
 ====
-To ensure effective IP-based role assumption prevention, you must keep the allowlisted IPs up to date. Failure to do so may result in Red Hat site reliability engineering (SRE) being unable to access your account and affect your SLA. If you have further questions or require assistance, please reach out to our support team.
+To ensure effective IP-based role assumption prevention, you must keep the allowlisted IPs up to date. Failure to do so may result in Red{nbsp}Hat site reliability engineering (SRE) being unable to access your account and affect your SLA. If you have further questions or require assistance, please reach out to our support team.
 ====
 
diff --git a/modules/rosa-aws-customer-managed-policies.adoc b/modules/rosa-aws-customer-managed-policies.adoc
new file mode 100644
index 000000000000..054c48ce1871
--- /dev/null
+++ b/modules/rosa-aws-customer-managed-policies.adoc
@@ -0,0 +1,21 @@
+// Module included in the following assemblies:
+//
+// * rosa_architecture/rosa-sts-about-iam-resources.adoc
+
+[id="rosa-aws-customer-managed-policies_{context}"]
+= Customer-managed policies
+{product-title} (ROSA) users are able to attach customer-managed policies to the IAM roles required to run and maintain ROSA clusters. This capability is not uncommon with AWS IAM roles.
+The ability to attach these policies to ROSA-specific IAM roles extends a ROSA cluster’s permission capabilities; for example, as a way to allow cluster components to access additional AWS resources that are otherwise not part of the ROSA-specific IAM policies.
+
+To ensure that any critical customer applications that rely on customer-managed policies are not modified in any way during cluster or role upgrades, ROSA utilizes the `ListAttachedRolesPolicies` permission to retrieve the list of permission policies from roles and the `ListRolePolicies` permission to retrieve the list of policies from ROSA-specific roles. This information ensures that customer-managed policies are not impacted during cluster events, and allows Red Hat SREs to monitor both ROSA and customer-managed policies attached to ROSA-specific IAM roles, enhancing their ability to troubleshoot any cluster issues more effectively.
+
+[WARNING]
+====
+Attaching permission boundary policies to IAM roles that restrict ROSA-specific policies is not supported, as these policies could interrupt the functionality of the basic permissions necessary to successfully run and maintain your ROSA cluster. There are prepared permissions boundary policies for the ROSA (classic architecture) installer role. See the Additional resources section for more information.
+====
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-aws-requirements-attaching-boundary-policy_rosa-sts-about-iam-resources[Permission boundaries for the installer role]
+* link:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html[Permissions boundaries for IAM entities]
diff --git a/modules/rosa-aws-iam.adoc b/modules/rosa-aws-iam.adoc
index 166368a98d27..dad5f73067aa 100644
--- a/modules/rosa-aws-iam.adoc
+++ b/modules/rosa-aws-iam.adoc
@@ -3,10 +3,10 @@
 // * rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc
 
 [id="rosa-policy-iam_{context}"]
-= Red Hat managed IAM references for AWS
+= Red{nbsp}Hat managed IAM references for AWS
 
 
-Red Hat is responsible for creating and managing the following Amazon Web Services (AWS) resources: IAM policies, IAM users, and IAM roles.
+Red{nbsp}Hat is responsible for creating and managing the following Amazon Web Services (AWS) resources: IAM policies, IAM users, and IAM roles.
 
 [id="rosa-iam-policies_{context}"]
 == IAM Policies
@@ -16,7 +16,7 @@ Red Hat is responsible for creating and managing the following Amazon Web Servic
 IAM policies are subject to modification as the capabilities of {product-title} change.
 ====
 
-* The `AdministratorAccess` policy is used by the administration role. This policy provides Red Hat the access necessary to administer the {product-title} (ROSA) cluster in the customer's AWS account.
+* The `AdministratorAccess` policy is used by the administration role. This policy provides Red{nbsp}Hat the access necessary to administer the {product-title} (ROSA) cluster in the customer's AWS account.
 +
 ----
 {
diff --git a/modules/rosa-aws-procedure.adoc b/modules/rosa-aws-procedure.adoc
index 1763d0f6c687..c9b204f19700 100644
--- a/modules/rosa-aws-procedure.adoc
+++ b/modules/rosa-aws-procedure.adoc
@@ -11,6 +11,6 @@ Complete these steps before deploying {product-title} (ROSA).
 
 .Procedure
 . If you, as the customer, are utilizing AWS Organizations, then you must use an AWS account within your organization or link:https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_create.html#orgs_manage_accounts_create-new[create a new one].
-. To ensure that Red Hat can perform necessary actions, you must either create a service control policy (SCP) or ensure that none is applied to the AWS account.
+. To ensure that Red{nbsp}Hat can perform necessary actions, you must either create a service control policy (SCP) or ensure that none is applied to the AWS account.
 . link:https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html[Attach] the SCP to the AWS account.
 . Follow the ROSA procedures for setting up the environment.
diff --git a/modules/rosa-aws-requirements.adoc b/modules/rosa-aws-requirements.adoc
index 9a24d5757930..ec027290503a 100644
--- a/modules/rosa-aws-requirements.adoc
+++ b/modules/rosa-aws-requirements.adoc
@@ -18,39 +18,39 @@ In order to create the cluster, the user must be logged in as an IAM user and no
 +
 [NOTE]
 ====
-It is not a requirement that the customer's account be within the AWS Organizations or for the SCP to be applied, however Red Hat must be able to perform all the actions listed in the SCP without restriction.
+It is not a requirement that the customer's account be within the AWS Organizations or for the SCP to be applied, however Red{nbsp}Hat must be able to perform all the actions listed in the SCP without restriction.
 ====
 
-* The customer's AWS account should not be transferable to Red Hat.
-* The customer may not impose AWS usage restrictions on Red Hat activities. Imposing restrictions will severely hinder Red Hat’s ability to respond to incidents.
+* The customer's AWS account should not be transferable to Red{nbsp}Hat.
+* The customer may not impose AWS usage restrictions on Red{nbsp}Hat activities. Imposing restrictions will severely hinder Red{nbsp}Hat’s ability to respond to incidents.
 * The customer may deploy native AWS services within the same AWS account.
 +
 [NOTE]
 ====
-Customers are encouraged, but not mandated, to deploy resources in a Virtual Private Cloud (VPC) separate from the VPC hosting {product-title} and other Red Hat supported services.
+Customers are encouraged, but not mandated, to deploy resources in a Virtual Private Cloud (VPC) separate from the VPC hosting {product-title} and other Red{nbsp}Hat supported services.
 ====
 
 [id="rosa-access-requirements_{context}"]
 == Access requirements
-* To appropriately manage the {product-title} service, Red Hat must have the `AdministratorAccess` policy applied to the administrator role at all times. This requirement does *not* apply if you are using AWS Security Token Service (STS).
+* To appropriately manage the {product-title} service, Red{nbsp}Hat must have the `AdministratorAccess` policy applied to the administrator role at all times. This requirement does *not* apply if you are using AWS Security Token Service (STS).
 +
 [NOTE]
 ====
-This policy only provides Red Hat with permissions and capabilities to change resources in the customer-provided AWS account.
+This policy only provides Red{nbsp}Hat with permissions and capabilities to change resources in the customer-provided AWS account.
 ====
-* Red Hat must have AWS console access to the customer-provided AWS account. This access is protected and managed by Red Hat.
+* Red{nbsp}Hat must have AWS console access to the customer-provided AWS account. This access is protected and managed by Red{nbsp}Hat.
 * The customer must not utilize the AWS account to elevate their permissions within the {product-title} cluster.
 * Actions available in the {product-title} (ROSA) CLI, `rosa`, or {cluster-manager-url} console must not be directly performed in the customer's AWS account.
 
 [id="rosa-support-requirements_{context}"]
 == Support requirements
-* Red Hat recommends that the customer have at least link:https://aws.amazon.com/premiumsupport/plans/[Business Support] from AWS.
-* Red Hat has authority from the customer to request AWS support on their behalf.
-* Red Hat has authority from the customer to request AWS resource limit increases on the customer's account.
-* Red Hat manages the restrictions, limitations, expectations, and defaults for all {product-title} clusters in the same manner, unless otherwise specified in this requirements section.
+* Red{nbsp}Hat recommends that the customer have at least link:https://aws.amazon.com/premiumsupport/plans/[Business Support] from AWS.
+* Red{nbsp}Hat has authority from the customer to request AWS support on their behalf.
+* Red{nbsp}Hat has authority from the customer to request AWS resource limit increases on the customer's account.
+* Red{nbsp}Hat manages the restrictions, limitations, expectations, and defaults for all {product-title} clusters in the same manner, unless otherwise specified in this requirements section.
 
 [id="rosa-security-requirements_{context}"]
 == Security requirements
 * Volume snapshots will remain within the customer's AWS account and customer-specified region.
-* Red Hat must have ingress access to EC2 hosts and the API server from allow-listed IP addresses.
-* Red Hat must have egress allowed to forward system and audit logs to a Red Hat managed central logging stack.
+* Red{nbsp}Hat must have ingress access to EC2 hosts and the API server from allow-listed IP addresses.
+* Red{nbsp}Hat must have egress allowed to forward system and audit logs to a Red{nbsp}Hat managed central logging stack.
diff --git a/modules/rosa-checking-account-version-cli-whoami.adoc b/modules/rosa-checking-account-version-cli-whoami.adoc
index 84e0a0195704..afda62b2a6a0 100644
--- a/modules/rosa-checking-account-version-cli-whoami.adoc
+++ b/modules/rosa-checking-account-version-cli-whoami.adoc
@@ -5,7 +5,7 @@
 [id="rosa-whoami_{context}"]
 = whoami
 
-Display information about your AWS and Red Hat accounts by using the following command syntax:
+Display information about your AWS and Red{nbsp}Hat accounts by using the following command syntax:
 
 .Syntax
 [source,terminal]
diff --git a/modules/rosa-classic-cluster-terraform-file-creation.adoc b/modules/rosa-classic-cluster-terraform-file-creation.adoc
new file mode 100644
index 000000000000..2258bfe2d9f2
--- /dev/null
+++ b/modules/rosa-classic-cluster-terraform-file-creation.adoc
@@ -0,0 +1,279 @@
+// Module included in the following assemblies:
+//
+// * rosa_install_access_delete_clusters/rosa-classic-creating-a-cluster-quickly-terraform.adoc
+//
+
+:_content-type: PROCEDURE
+
+[id="rosa-classic-cluster-terraform-file-creation_{context}"]
+= Creating your Terraform files locally
+
+After you set up your link:https://console.redhat.com/openshift/token/rosa[offline {cluster-manager-first} token], you need to create the Terraform files locally to build your cluster. You can create these files by using the following code templates.
+
+.Procedure
+
+. Create the `main.tf` file by running the following command:
++
+[source,terminal]
+----
+$ cat<<-EOF>main.tf
+#
+# Copyright (c) 2023 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.20.0"
+    }
+    rhcs = {
+      version = ">= 1.6.2"
+      source  = "terraform-redhat/rhcs"
+    }
+  }
+}
+
+# Export token using the RHCS_TOKEN environment variable
+provider "rhcs" {}
+
+provider "aws" {
+  region = var.aws_region
+  ignore_tags {
+    key_prefixes = ["kubernetes.io/"]
+  }
+  default_tags {
+    tags = var.default_aws_tags
+  }
+}
+
+data "aws_availability_zones" "available" {}
+
+locals {
+  # The default setting creates 3 availability zones. Set to "false" to create a single availability zones.
+  region_azs = var.multi_az ? slice([for zone in data.aws_availability_zones.available.names : format("%s", zone)], 0, 3) : slice([for zone in data.aws_availability_zones.available.names : format("%s", zone)], 0, 1)
+}
+
+resource "random_string" "random_name" {
+  length  = 6
+  special = false
+  upper   = false
+}
+
+locals {
+  path                 = coalesce(var.path, "/")
+  worker_node_replicas = try(var.worker_node_replicas, var.multi_az ? 3 : 2)
+  # If cluster_name is not null, use that, otherwise generate a random cluster name
+  cluster_name = coalesce(var.cluster_name, "rosa-\${random_string.random_name.result}")
+}
+
+# The network validator requires an additional 60 seconds to validate Terraform clusters.
+resource "time_sleep" "wait_60_seconds" {
+  count = var.create_vpc ? 1 : 0
+  depends_on = [module.vpc]
+  create_duration = "60s"
+}
+
+module "rosa-classic" {
+  source                 = "terraform-redhat/rosa-classic/rhcs"
+  version                = "1.5.0"
+  cluster_name           = local.cluster_name
+  openshift_version      = var.openshift_version
+  account_role_prefix    = local.cluster_name
+  operator_role_prefix   = local.cluster_name
+  replicas               = local.worker_node_replicas
+  aws_availability_zones = local.region_azs
+  create_oidc            = true
+  private                = var.private_cluster
+  aws_private_link       = var.private_cluster
+  aws_subnet_ids         = var.create_vpc ? var.private_cluster ? module.vpc[0].private_subnets : concat(module.vpc[0].public_subnets, module.vpc[0].private_subnets) : var.aws_subnet_ids
+  multi_az               = var.multi_az
+  create_account_roles   = true
+  create_operator_roles  = true
+
+  depends_on = [time_sleep.wait_60_seconds]
+}
+EOF
+----
+
+. Create the `variables.tf` file by running the following command:
++
+[NOTE]
+====
+Copy and edit this file _before_ running the command to build your cluster.
+====
++
+[source,terminal]
+----
+$ cat<<-EOF>variables.tf
+#
+# Copyright (c) 2023 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+variable "openshift_version" {
+  type        = string
+  default     = "4.14.20"
+  description = "Desired version of OpenShift for the cluster, for example '4.14.20'. If version is greater than the currently running version, an upgrade will be scheduled."
+}
+
+variable "create_vpc" {
+  type        = bool
+  description = "If you would like to create a new VPC, set this value to 'true'. If you do not want to create a new VPC, set this value to 'false'."
+}
+
+# ROSA Cluster info
+variable "cluster_name" {
+  default     = null
+  type        = string
+  description = "The name of the ROSA cluster to create"
+}
+
+variable "additional_tags" {
+  default = {
+    Terraform   = "true"
+    Environment = "dev"
+  }
+  description = "Additional AWS resource tags"
+  type        = map(string)
+}
+
+variable "path" {
+  description = "(Optional) The arn path for the account/operator roles as well as their policies."
+  type        = string
+  default     = null
+}
+
+variable "multi_az" {
+  type        = bool
+  description = "Multi AZ Cluster for High Availability"
+  default     = true
+}
+
+variable "worker_node_replicas" {
+  default     = 3
+  description = "Number of worker nodes to provision. Single zone clusters need at least 2 nodes, multizone clusters need at least 3 nodes"
+  type        = number
+}
+
+variable "aws_subnet_ids" {
+  type        = list(any)
+  description = "A list of either the public or public + private subnet IDs to use for the cluster blocks to use for the cluster"
+  default     = ["subnet-01234567890abcdef", "subnet-01234567890abcdef", "subnet-01234567890abcdef"]
+}
+
+variable "private_cluster" {
+  type        = bool
+  description = "If you want to create a private cluster, set this value to 'true'. If you want a publicly available cluster, set this value to 'false'."
+}
+
+#VPC Info
+variable "vpc_name" {
+  type        = string
+  description = "VPC Name"
+  default     = "tf-qs-vpc"
+}
+
+variable "vpc_cidr_block" {
+  type        = string
+  description = "value of the CIDR block to use for the VPC"
+  default     = "10.0.0.0/16"
+}
+
+variable "private_subnet_cidrs" {
+  type        = list(any)
+  description = "The CIDR blocks to use for the private subnets"
+  default     = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+}
+
+variable "public_subnet_cidrs" {
+  type        = list(any)
+  description = "The CIDR blocks to use for the public subnets"
+  default     = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+}
+
+variable "single_nat_gateway" {
+  type        = bool
+  description = "Single NAT or per NAT for subnet"
+  default     = false
+}
+
+#AWS Info
+variable "aws_region" {
+  type    = string
+  default = "us-east-2"
+}
+
+variable "default_aws_tags" {
+  type        = map(string)
+  description = "Default tags for AWS"
+  default     = {}
+}
+EOF
+----
+
+. Create the `vpc.tf` file by running the following command:
++
+[source,terminal]
+----
+$ cat<<-EOF>vpc.tf
+#
+# Copyright (c) 2023 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "5.1.2"
+
+  count = var.create_vpc ? 1 : 0
+  name  = var.vpc_name
+  cidr  = var.vpc_cidr_block
+
+  azs             = local.region_azs
+  private_subnets = var.private_subnet_cidrs
+  public_subnets  = var.public_subnet_cidrs
+
+  enable_nat_gateway   = true
+  single_nat_gateway   = var.single_nat_gateway
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+
+  tags = var.additional_tags
+}
+EOF
+----
++
+You are ready to initiate Terraform.
diff --git a/modules/rosa-configure.adoc b/modules/rosa-configure.adoc
index daef8d84dbcd..fb4f33bda139 100644
--- a/modules/rosa-configure.adoc
+++ b/modules/rosa-configure.adoc
@@ -11,7 +11,7 @@ Use the following commands to configure the {product-title} (ROSA) CLI, `rosa`.
 [id="rosa-login_{context}"]
 == login
 
-Log in to your Red Hat account, saving the credentials to the `rosa` configuration file. You must provide a token when logging in. You can copy your token from link:https://console.redhat.com/openshift/token/rosa[the ROSA token page].
+Log in to your Red{nbsp}Hat account, saving the credentials to the `rosa` configuration file. You must provide a token when logging in. You can copy your token from link:https://console.redhat.com/openshift/token/rosa[the ROSA token page].
 
 The ROSA CLI (`rosa`) looks for a token in the following priority order:
 
diff --git a/modules/rosa-configuring-aws-account.adoc b/modules/rosa-configuring-aws-account.adoc
index 81e13e0ff070..4b1f83638152 100644
--- a/modules/rosa-configuring-aws-account.adoc
+++ b/modules/rosa-configuring-aws-account.adoc
@@ -13,7 +13,7 @@ To configure your AWS account to use the ROSA service, complete the following st
 .Prerequisites
 
 * Review and complete the deployment prerequisites and policies.
-* Create a link:https://cloud.redhat.com[Red Hat account], if you do not already have one. Then, check your email for a verification link. You will need these credentials to install ROSA.
+* Create a link:https://cloud.redhat.com[Red{nbsp}Hat account], if you do not already have one. Then, check your email for a verification link. You will need these credentials to install ROSA.
 
 .Procedure
 
diff --git a/modules/rosa-create-an-identity-based-policy.adoc b/modules/rosa-create-an-identity-based-policy.adoc
index a0282cf17476..ae7590141282 100644
--- a/modules/rosa-create-an-identity-based-policy.adoc
+++ b/modules/rosa-create-an-identity-based-policy.adoc
@@ -5,7 +5,7 @@
 [id="rosa-create-an-identity-based-policy_{context}"]
 = Create an identity-based IAM policy
 
-You can create an identity-based Identity and Access Management (IAM) policy that denies access to all AWS actions when the request originates from an IP address other than Red Hat provided IPs.
+You can create an identity-based Identity and Access Management (IAM) policy that denies access to all AWS actions when the request originates from an IP address other than Red{nbsp}Hat provided IPs.
 
 .Prerequisites
 
diff --git a/modules/rosa-create-objects.adoc b/modules/rosa-create-objects.adoc
index 7d2ab405fe03..9947cc7c0f3f 100644
--- a/modules/rosa-create-objects.adoc
+++ b/modules/rosa-create-objects.adoc
@@ -280,20 +280,20 @@ a|--sts \| --non-sts
 When using `--private-link`, the `--subnet-ids` argument is required and only one private subnet is allowed per zone.
 
 |--support-role-arn string
-|The ARN of the role used by Red Hat Site Reliabilty Engineers (SREs) to enable access to the cluster account to provide support.
+|The ARN of the role used by Red{nbsp}Hat Site Reliabilty Engineers (SREs) to enable access to the cluster account to provide support.
 
 |--tags
 a|Tags that are used on resources created by {product-title} in AWS. Tags can help you manage, identify, organize, search for, and filter resources within AWS. Tags are comma separated, for example: "key value, foo bar".
 [IMPORTANT]
 ====
-{product-title} only supports custom tags to Red Hat OpenShift resources during cluster creation. Once added, the tags cannot be removed or edited.
-Tags that are added by Red Hat are required for clusters to stay in compliance with Red Hat production service level agreements (SLAs). These tags must not be removed.
+{product-title} only supports custom tags to Red{nbsp}Hat OpenShift resources during cluster creation. Once added, the tags cannot be removed or edited.
+Tags that are added by Red{nbsp}Hat are required for clusters to stay in compliance with Red{nbsp}Hat production service level agreements (SLAs). These tags must not be removed.
 
 {product-title} does not support adding additional tags outside of ROSA cluster-managed resources. These tags can be lost when AWS resources are managed by the ROSA cluster. In these cases, you might need custom solutions or tools to reconcile the tags and keep them intact.
 ====
 
 |--version string
-|The version of ROSA that will be used to install the cluster or cluster resources. For `cluster` use an `X.Y.Z` format, for example, `4.15.0`. For `account-role` use an `X.Y` format, for example, `4.15`.
+|The version of ROSA that will be used to install the cluster or cluster resources. For `cluster` use an `X.Y.Z` format, for example, `4.16.0`. For `account-role` use an `X.Y` format, for example, `4.16`.
 
 |--worker-iam-role string
 |The ARN of the IAM role that will be attached to compute instances.
@@ -645,12 +645,19 @@ $ rosa create ingress --cluster=mycluster --label-match=foo=bar,bar=baz
 [id="rosa-create-kubeletconfig_{context}"]
 == create kubeletconfig
 
-Create a custom `KubeletConfig` object for the cluster.
+Create a custom `KubeletConfig` object to allow custom configuration of nodes in a machine pool. For {product-title} clusters, these settings are cluster-wide. For {hcp-title-first} clusters, each machine pool can be configured differently.
+//TODO OSDOCS-10439: Add conditions back when HCP and Classic are published separately
+// ifdef::openshift-rosa-classic[]
+// cluster.
+// endif::openshift-rosa-classic[]
+// ifdef::openshift-rosa-hcp[]
+// machine pool.
+// endif::openshift-rosa-hcp[]
 
 .Syntax
 [source,terminal]
 ----
-$ rosa create kubeletconfig --cluster=<cluster_name|cluster_id> --pod-pids-limit=<number> [flags]
+$ rosa create kubeletconfig --cluster=<cluster_name|cluster_id> --name=<kubeletconfig_name> --pod-pids-limit=<number> [flags]
 ----
 
 .Flags
@@ -659,10 +666,27 @@ $ rosa create kubeletconfig --cluster=<cluster_name|cluster_id> --pod-pids-limit
 |Option |Definition
 
 |--pod-pids-limit <number>
-|Required. The maximum number of PIDs for the cluster.
+a|Required. The maximum number of PIDs for each node in the machine pool associated with the `KubeletConfig` object.
+//TODO OSDOCS-10439: Add conditions back when HCP and Classic are published separately
+// ifdef::openshift-rosa-classic[]
+// cluster.
+// endif::openshift-rosa-classic[]
+// ifdef::openshift-rosa-hcp[]
+// machine pool associated with the `KubeletConfig` object.
+// endif::openshift-rosa-hcp[]
 
 a|-c, --cluster <cluster_name>\|<cluster_id>
-|Required. The name or ID of the cluster for which the `KubeletConfig` object will be created.
+|Required. The name or ID of the cluster in which to create the `KubeletConfig` object.
+
+|--name
+a| Required for {hcp-title-first} clusters. Optional for {product-title}, as there is only one `KubeletConfig` for the cluster. Specifies a name for the `KubeletConfig` object.
+//TODO OSDOCS-10439: Add conditions back when HCP and Classic are published separately
+// ifdef::openshift-rosa-classic[]
+// Optional.
+// endif::openshift-rosa-classic[]
+// ifdef::openshift-rosa-hcp[]
+// Required.
+// endif::openshift-rosa-hcp[]
 
 |-i, --interactive
 |Enable interactive mode.
@@ -702,6 +726,12 @@ a|--cluster <cluster_name>\|<cluster_id>
 |--instance-type
 |The instance type (string) that should be used. Default: `m5.xlarge`
 
+//TODO OSDOCS-10439: Add conditions back when HCP and Classic are published separately
+//ifdef::openshift-rosa-hcp[]
+a|--kubelet-configs <kubeletconfig_name>
+| For {hcp-title-first} clusters, the names of any `KubeletConfig` objects to apply to nodes in a machine pool.
+//endif::openshift-rosa-hcp[]
+
 |--labels
 |The labels (string) for the machine pool. The format must be a comma-delimited list of key=value pairs. This list overwrites any modifications made to node labels on an ongoing basis.
 
@@ -717,6 +747,9 @@ a|--cluster <cluster_name>\|<cluster_id>
 |--replicas
 |Required when autoscaling is not configured. The number (integer) of machines for this machine pool.
 
+|--tags                            
+|Apply user defined tags to all resources created by ROSA in AWS. Tags are comma separated, for example: `'key value, foo bar'`.
+
 |--taints
 |Taints for the machine pool. This string value should be formatted as a comma-separated list of `key=value:ScheduleType`. This list will overwrite any modifications made to Node taints on an ongoing basis.
 |===
@@ -768,6 +801,13 @@ Add a machine pool with labels to a cluster.
 $ rosa create machinepool --cluster=mycluster --replicas=2 --instance-type=r5.2xlarge --labels=foo=bar,bar=baz --name=mp-1
 ----
 
+Add a machine pool with tags to a cluster.
+
+[source,terminal]
+----
+$ rosa create machinepool --cluster=mycluster --replicas=2 --instance-type=r5.2xlarge --tags='foo bar,bar baz' --name=mp-1
+----
+
 [id="rosa-create-ocm-role_{context}"]
 == create ocm-role
 
diff --git a/modules/rosa-creating-node-tuning.adoc b/modules/rosa-creating-node-tuning.adoc
index 5cb34aac624b..48c90aba6bcc 100644
--- a/modules/rosa-creating-node-tuning.adoc
+++ b/modules/rosa-creating-node-tuning.adoc
@@ -25,7 +25,7 @@ $ rosa create tuning-config -c <cluster_id> --name <name_of_tuning> --spec-path
 +
 You must supply the path to the `spec.json` file or the command returns an error.
 +
-.Sample output
+.Example output
 [source,terminal]
 ----
 $ I: Tuning config 'sample-tuning' has been created on cluster 'cluster-example'.
@@ -45,7 +45,7 @@ You can specify the type of output you want for the configuration list.
 
 ** Without specifying the output type, you see the ID and name of the tuning configuration:
 +
-.Sample output without specifying output type
+.Example output without specifying output type
 [source,terminal]
 ----
 ID                                    NAME
@@ -59,7 +59,7 @@ ID                                    NAME
 The following JSON output has hard line-returns for the sake of reading clarity. This JSON output is invalid unless you remove the newlines in the JSON strings.
 ====
 +
-.Sample output specifying JSON output
+.Example output specifying JSON output
 [source,terminal]
 ----
 [
diff --git a/modules/rosa-delete-objects.adoc b/modules/rosa-delete-objects.adoc
index 0ac691addece..e070bd940f0f 100644
--- a/modules/rosa-delete-objects.adoc
+++ b/modules/rosa-delete-objects.adoc
@@ -285,6 +285,16 @@ a|-c, --cluster <cluster_name>\|<cluster_id>
 |-h, --help
 |Shows help for this command.
 
+|--name
+a| Required for {hcp-title-first} clusters. Optional for {product-title}, as there is only one `KubeletConfig` for the cluster. Specifies a name for the `KubeletConfig` object.
+//TODO OSDOCS-10439: Add conditions back when HCP and Classic are published separately
+// ifdef::openshift-rosa-classic[]
+// Optional.
+// endif::openshift-rosa-classic[]
+// ifdef::openshift-rosa-hcp[]
+// Required.
+// endif::openshift-rosa-hcp[]
+
 |-y, --yes
 |Automatically answers `yes` to confirm the operation.
 
diff --git a/modules/rosa-deleting-account-wide-iam-roles-and-policies.adoc b/modules/rosa-deleting-account-wide-iam-roles-and-policies.adoc
index 0bf28b29a9bc..507527730205 100644
--- a/modules/rosa-deleting-account-wide-iam-roles-and-policies.adoc
+++ b/modules/rosa-deleting-account-wide-iam-roles-and-policies.adoc
@@ -75,9 +75,9 @@ ifdef::hcp[]
 ----
 I: Fetching account roles
 ROLE NAME                                 ROLE TYPE      ROLE ARN                                                                 OPENSHIFT VERSION  AWS Managed
-ManagedOpenShift-HCP-ROSA-Installer-Role  Installer      arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-HCP-ROSA-Installer-Role  4.15               Yes
-ManagedOpenShift-HCP-ROSA-Support-Role    Support        arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-HCP-ROSA-Support-Role    4.15               Yes
-ManagedOpenShift-HCP-ROSA-Worker-Role     Worker         arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-HCP-ROSA-Worker-Role     4.15               Yes
+ManagedOpenShift-HCP-ROSA-Installer-Role  Installer      arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-HCP-ROSA-Installer-Role  4.16               Yes
+ManagedOpenShift-HCP-ROSA-Support-Role    Support        arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-HCP-ROSA-Support-Role    4.16               Yes
+ManagedOpenShift-HCP-ROSA-Worker-Role     Worker         arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-HCP-ROSA-Worker-Role     4.16               Yes
 ----
 endif::hcp[]
 .. Delete the account-wide roles:
diff --git a/modules/rosa-deleting-node-tuning.adoc b/modules/rosa-deleting-node-tuning.adoc
index 0d35a303b6f3..f2908ea751a5 100644
--- a/modules/rosa-deleting-node-tuning.adoc
+++ b/modules/rosa-deleting-node-tuning.adoc
@@ -30,7 +30,7 @@ $ rosa delete tuning-config -c <cluster_id> <name_of_tuning>
 +
 The tuning configuration on the cluster is deleted
 +
-.Sample output
+.Example output
 [source,terminal]
 ----
 ? Are you sure you want to delete tuning config sample-tuning on cluster sample-cluster? Yes
diff --git a/modules/rosa-edit-objects.adoc b/modules/rosa-edit-objects.adoc
index c4915cf12ec4..09d4c16b7cc7 100644
--- a/modules/rosa-edit-objects.adoc
+++ b/modules/rosa-edit-objects.adoc
@@ -171,12 +171,19 @@ $ rosa edit ingress --lb-type=nlb --cluster=mycluster apps2
 [id="rosa-edit-kubeletconfig_{context}"]
 == edit kubeletconfig
 
-Edit a custom `KubeletConfig` object in a cluster.
+Edit a custom `KubeletConfig` object in a machine pool.
+//TODO OSDOCS-10439: Add conditions back when HCP and Classic are published separately
+// ifdef::openshift-rosa-classic[]
+// cluster.
+// endif::openshift-rosa-classic[]
+// ifdef::openshift-rosa-hcp[]
+// machine pool.
+// endif::openshift-rosa-hcp[]
 
 .Syntax
 [source,terminal]
 ----
-$ rosa edit kubeletconfig --cluster=<cluster_name|cluster_id> --pod-pids-limit=<number> [flags]
+$ rosa edit kubeletconfig --cluster=<cluster_name|cluster_id> --name=<kubeletconfig_name> --pod-pids-limit=<number> [flags]
 ----
 
 .Flags
@@ -191,7 +198,24 @@ a|-c, --cluster <cluster_name>\|<cluster_id>
 |Enable interactive mode.
 
 |--pod-pids-limit <number>
-|Required. The maximum number of PIDs for the cluster.
+a|Required. The maximum number of PIDs for each node in the machine pool associated with the `KubeletConfig` object.
+//TODO OSDOCS-10439: Add conditions back when HCP and Classic are published separately
+// ifdef::openshift-rosa-classic[]
+// cluster.
+// endif::openshift-rosa-classic[]
+// ifdef::openshift-rosa-hcp[]
+// machine pool associated with the `KubeletConfig` object.
+// endif::openshift-rosa-hcp[]
+
+|--name
+a| Required for {hcp-title-first} clusters. Optional for {product-title}, as there is only one `KubeletConfig` for the cluster. Specifies a name for the `KubeletConfig` object.
+//TODO OSDOCS-10439: Add conditions back when HCP and Classic are published separately
+// ifdef::openshift-rosa-classic[]
+// Optional.
+// endif::openshift-rosa-classic[]
+// ifdef::openshift-rosa-hcp[]
+// Required.
+// endif::openshift-rosa-hcp[]
 
 |-h, --help
 |Shows help for this command.
@@ -224,6 +248,12 @@ $ rosa edit machinepool --cluster=<cluster_name> | <cluster_id> <machinepool_ID>
 |--labels
 |The labels (string) for the machine pool. The format must be a comma-delimited list of key=value pairs. Editing this value only affects newly created nodes of the machine pool, which are created by increasing the node number, and does not affect the existing nodes. This list overwrites any modifications made to node labels on an ongoing basis.
 
+//TODO OSDOCS-10439: Add conditions back when HCP and Classic are published separately
+//ifdef::openshift-rosa-hcp[]
+a|--kubelet-configs <kubeletconfig_name>
+| For {hcp-title-first} clusters, the names of any `KubeletConfig` objects to apply to nodes in a machine pool.
+//endif::openshift-rosa-hcp[]
+
 |--max-replicas
 |Specifies the maximum number of compute nodes when enabling autoscaling.
 
@@ -287,3 +317,10 @@ Modify the autoscaling range on a machine pool named `mp1` on a cluster named `m
 ----
 $ rosa edit machinepool --max-replicas=9 --cluster=mycluster --name=mp1
 ----
+
+Associate a `KubeletConfig` object with an existing machine pool on a {hcp-title-first} cluster.
+
+[source,terminal]
+----
+$ rosa edit machinepool -c mycluster --kubelet-configs=set-high-pids --name high-pid-pool
+----
\ No newline at end of file
diff --git a/modules/rosa-getting-started-access-cluster-web-console.adoc b/modules/rosa-getting-started-access-cluster-web-console.adoc
index b38937dea1e9..d46830bf4063 100644
--- a/modules/rosa-getting-started-access-cluster-web-console.adoc
+++ b/modules/rosa-getting-started-access-cluster-web-console.adoc
@@ -21,7 +21,7 @@ ifdef::getting-started[]
 
 * You have an AWS account.
 * You installed and configured the latest {product-title} (ROSA) CLI, `rosa`, on your workstation.
-* You logged in to your Red Hat account using the ROSA CLI (`rosa`).
+* You logged in to your Red{nbsp}Hat account using the ROSA CLI (`rosa`).
 * You created a ROSA cluster.
 * You have created a cluster administrator user or added your user account to the configured identity provider.
 endif::[]
diff --git a/modules/rosa-getting-started-configure-an-idp.adoc b/modules/rosa-getting-started-configure-an-idp.adoc
index b95d1cd7407a..5789d95f7e1a 100644
--- a/modules/rosa-getting-started-configure-an-idp.adoc
+++ b/modules/rosa-getting-started-configure-an-idp.adoc
@@ -28,7 +28,7 @@ ifdef::getting-started[]
 
 * You have an AWS account.
 * You installed and configured the latest {product-title} (ROSA) CLI, `rosa`, on your workstation.
-* You logged in to your Red Hat account using the ROSA CLI (`rosa`).
+* You logged in to your Red{nbsp}Hat account using the ROSA CLI (`rosa`).
 * You created a ROSA cluster.
 * You have a GitHub user account.
 endif::[]
diff --git a/modules/rosa-getting-started-create-cluster-admin-user.adoc b/modules/rosa-getting-started-create-cluster-admin-user.adoc
index aa46ef47bafd..1fa872abe0a5 100644
--- a/modules/rosa-getting-started-create-cluster-admin-user.adoc
+++ b/modules/rosa-getting-started-create-cluster-admin-user.adoc
@@ -26,7 +26,7 @@ ifdef::getting-started[]
 
 * You have an AWS account.
 * You installed and configured the latest {product-title} (ROSA) CLI, `rosa`, on your workstation.
-* You logged in to your Red Hat account using the ROSA CLI (`rosa`).
+* You logged in to your Red{nbsp}Hat account using the ROSA CLI (`rosa`).
 * You created a ROSA cluster.
 endif::[]
 
diff --git a/modules/rosa-getting-started-deleting-a-cluster.adoc b/modules/rosa-getting-started-deleting-a-cluster.adoc
index ae4e1b40b7ea..f642b55b4593 100644
--- a/modules/rosa-getting-started-deleting-a-cluster.adoc
+++ b/modules/rosa-getting-started-deleting-a-cluster.adoc
@@ -25,7 +25,7 @@ ifdef::getting-started[]
 .Prerequisites
 
 * You installed and configured the latest {product-title} (ROSA) CLI, `rosa`, on your workstation.
-* You logged in to your Red Hat account using the ROSA CLI (`rosa`).
+* You logged in to your Red{nbsp}Hat account using the ROSA CLI (`rosa`).
 * You created a ROSA cluster.
 endif::[]
 
diff --git a/modules/rosa-getting-started-enable-rosa.adoc b/modules/rosa-getting-started-enable-rosa.adoc
index 81cf1a812ddd..3bf24f3f1170 100644
--- a/modules/rosa-getting-started-enable-rosa.adoc
+++ b/modules/rosa-getting-started-enable-rosa.adoc
@@ -11,7 +11,7 @@ Use the steps in this procedure to enable {product-title} (ROSA) in your AWS acc
 
 .Prerequisites
 
-* You have a Red Hat account.
+* You have a Red{nbsp}Hat account.
 * You have an AWS account.
 +
 [NOTE]
@@ -33,7 +33,7 @@ The *Verify ROSA prerequisites* page opens.
 +
 If not, follow these steps:
 
-.. Select the checkbox beside `I agree to share my contact information with Red Hat`.
+.. Select the checkbox beside `I agree to share my contact information with Red{nbsp}Hat`.
 .. Click *Enable ROSA*.
 +
 After a short wait, a green check mark and `You enabled ROSA` message are displayed.
@@ -44,7 +44,7 @@ If you see `Your quotas don't meet the minimum requirements`, take note of the q
 
 . Under *ELB service-linked role*, ensure that a green check mark and `AWSServiceRoleForElasticLoadBalancing already exists` are displayed.
 
-. Click *Continue to Red Hat*.
+. Click *Continue to Red{nbsp}Hat*.
 +
 The *Get started with {product-title} (ROSA)* page opens in a new tab. You have already completed Step 1 on this page, and can now continue with Step 2.
 
diff --git a/modules/rosa-getting-started-environment-setup.adoc b/modules/rosa-getting-started-environment-setup.adoc
index 6ca9a9542f27..4895ac3952dd 100644
--- a/modules/rosa-getting-started-environment-setup.adoc
+++ b/modules/rosa-getting-started-environment-setup.adoc
@@ -8,7 +8,7 @@
 
 Before you create a {product-title} (ROSA) cluster, you must set up your environment by completing the following tasks:
 
-* Verify ROSA prerequisites against your AWS and Red Hat accounts.
+* Verify ROSA prerequisites against your AWS and Red{nbsp}Hat accounts.
 * Install and configure the required command line interface (CLI) tools.
 * Verify the configuration of the CLI tools.
 
diff --git a/modules/rosa-getting-started-grant-admin-privileges.adoc b/modules/rosa-getting-started-grant-admin-privileges.adoc
index 1c339c4769a9..d15cffa8b6b6 100644
--- a/modules/rosa-getting-started-grant-admin-privileges.adoc
+++ b/modules/rosa-getting-started-grant-admin-privileges.adoc
@@ -21,7 +21,7 @@ ifdef::getting-started[]
 
 * You have an AWS account.
 * You installed and configured the latest {product-title} (ROSA) CLI, `rosa`, on your workstation.
-* You logged in to your Red Hat account using the ROSA CLI (`rosa`).
+* You logged in to your Red{nbsp}Hat account using the ROSA CLI (`rosa`).
 * You created a ROSA cluster.
 * You have configured a GitHub identity provider for your cluster and added identity provider users.
 endif::[]
diff --git a/modules/rosa-getting-started-grant-user-access.adoc b/modules/rosa-getting-started-grant-user-access.adoc
index 1c8a406a7ea3..a7fb78e0cd8d 100644
--- a/modules/rosa-getting-started-grant-user-access.adoc
+++ b/modules/rosa-getting-started-grant-user-access.adoc
@@ -23,7 +23,7 @@ ifdef::getting-started[]
 
 * You have an AWS account.
 * You installed and configured the latest {product-title} (ROSA) CLI, `rosa`, on your workstation.
-* You logged in to your Red Hat account using the ROSA CLI (`rosa`).
+* You logged in to your Red{nbsp}Hat account using the ROSA CLI (`rosa`).
 * You created a ROSA cluster.
 * You have a GitHub user account.
 * You have configured a GitHub identity provider for your cluster.
diff --git a/modules/rosa-getting-started-install-configure-cli-tools.adoc b/modules/rosa-getting-started-install-configure-cli-tools.adoc
index a4432d5bf082..3324e3b8514c 100644
--- a/modules/rosa-getting-started-install-configure-cli-tools.adoc
+++ b/modules/rosa-getting-started-install-configure-cli-tools.adoc
@@ -27,11 +27,11 @@ ifdef::getting-started[]
 .Prerequisites
 
 * You have an AWS account.
-* You created a Red Hat account.
+* You created a Red{nbsp}Hat account.
 +
 [NOTE]
 ====
-You can create a Red Hat account by navigating to link:https://console.redhat.com[console.redhat.com] and selecting *Register for a Red Hat account*.
+You can create a Red{nbsp}Hat account by navigating to link:https://console.redhat.com[console.redhat.com] and selecting *Register for a Red{nbsp}Hat account*.
 ====
 endif::[]
 
@@ -104,7 +104,7 @@ You must open a new terminal to activate the configuration.
 For steps to configure `rosa` tab completion for different shell types, see the help menu by running `rosa completion --help`.
 ====
 endif::[]
-.. Log in to your Red Hat account by using the ROSA CLI:
+.. Log in to your Red{nbsp}Hat account by using the ROSA CLI:
 +
 [source,terminal]
 ----
diff --git a/modules/rosa-getting-started-revoke-admin-privileges.adoc b/modules/rosa-getting-started-revoke-admin-privileges.adoc
index 7746e6bd80d1..9b04e7771af1 100644
--- a/modules/rosa-getting-started-revoke-admin-privileges.adoc
+++ b/modules/rosa-getting-started-revoke-admin-privileges.adoc
@@ -20,7 +20,7 @@ ifdef::getting-started[]
 .Prerequisites
 
 * You installed and configured the latest {product-title} (ROSA) CLI, `rosa`, on your workstation.
-* You logged in to your Red Hat account using the ROSA CLI (`rosa`).
+* You logged in to your Red{nbsp}Hat account using the ROSA CLI (`rosa`).
 * You created a ROSA cluster.
 * You have configured a GitHub identity provider for your cluster and added an identity provider user.
 * You granted `cluster-admin` or `dedicated-admin` privileges to a user.
diff --git a/modules/rosa-hcp-aws-private-create-cluster.adoc b/modules/rosa-hcp-aws-private-create-cluster.adoc
index aa0a1986ee2b..46a50947028a 100644
--- a/modules/rosa-hcp-aws-private-create-cluster.adoc
+++ b/modules/rosa-hcp-aws-private-create-cluster.adoc
@@ -76,7 +76,7 @@ $ rosa describe cluster --cluster=<cluster_name>
 +
 [NOTE]
 ====
-If installation fails or the `State` field does not change to `ready` after 10 minutes, see the "Troubleshooting Red Hat OpenShift Service on AWS installations" documentation in the Additional resources section.
+If installation fails or the `State` field does not change to `ready` after 10 minutes, see the "Troubleshooting Red{nbsp}Hat OpenShift Service on AWS installations" documentation in the Additional resources section.
 ====
 
 . Enter the following command to follow the OpenShift installer logs to track the progress of your cluster:
diff --git a/modules/rosa-hcp-classic-comparison.adoc b/modules/rosa-hcp-classic-comparison.adoc
index c06c3ee01ec0..9080b4431774 100644
--- a/modules/rosa-hcp-classic-comparison.adoc
+++ b/modules/rosa-hcp-classic-comparison.adoc
@@ -15,7 +15,7 @@
 | *Classic*
 
 | *Control plane hosting*
-| Control plane components, such as the API server etcd database, are hosted in a Red Hat-owned AWS account.
+| Control plane components, such as the API server etcd database, are hosted in a Red{nbsp}Hat-owned AWS account.
 | Control plane components, such as the API server etcd database, are hosted in a customer-owned AWS account.
 
 | *Virtual Private Cloud (VPC)*
diff --git a/modules/rosa-hcp-cluster-terraform-file-creation.adoc b/modules/rosa-hcp-cluster-terraform-file-creation.adoc
new file mode 100644
index 000000000000..8a47da932ef5
--- /dev/null
+++ b/modules/rosa-hcp-cluster-terraform-file-creation.adoc
@@ -0,0 +1,268 @@
+// Module included in the following assemblies:
+//
+// * rosa_install_access_delete_clusters/rosa-hcp-creating-a-cluster-quickly-terraform.adoc
+//
+:_content-type: PROCEDURE
+
+[id="rosa-hcp-cluster-terraform-file-creation_{context}"]
+= Creating your Terraform files locally
+
+After you set up your link:https://console.redhat.com/openshift/token[offline {cluster-manager-first} token], you need to create the Terraform files locally to build your cluster. You can create these files by using the following code templates.
+
+.Procedure
+
+. Create the `main.tf` file by running the following command:
++
+[source,terminal]
+----
+$ cat<<-EOF>main.tf
+#
+# Copyright (c) 2023 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.20.0"
+    }
+    rhcs = {
+      version = ">= 1.6.2"
+      source  = "terraform-redhat/rhcs"
+    }
+  }
+}
+
+# Export token using the RHCS_TOKEN environment variable
+provider "rhcs" {}
+
+provider "aws" {
+  region = var.aws_region
+  ignore_tags {
+    key_prefixes = ["kubernetes.io/"]
+  }
+  default_tags {
+    tags = var.default_aws_tags
+  }
+}
+
+data "aws_availability_zones" "available" {}
+
+locals {
+  # Extract availability zone names for the specified region, limit it to 3 if multi az or 1 if single
+  region_azs = var.multi_az ? slice([for zone in data.aws_availability_zones.available.names : format("%s", zone)], 0, 3) : slice([for zone in data.aws_availability_zones.available.names : format("%s", zone)], 0, 1)
+}
+
+resource "random_string" "random_name" {
+  length  = 6
+  special = false
+  upper   = false
+}
+
+locals {
+  worker_node_replicas = var.multi_az ? 3 : 2
+  # If cluster_name is not null, use that, otherwise generate a random cluster name
+  cluster_name = coalesce(var.cluster_name, "rosa-\${random_string.random_name.result}")
+}
+
+# The network validator requires an additional 60 seconds to validate Terraform clusters.
+resource "time_sleep" "wait_60_seconds" {
+  count = var.create_vpc ? 1 : 0
+  depends_on = [module.vpc]
+  create_duration = "60s"
+}
+
+module "rosa-hcp" {
+  source                 = "terraform-redhat/rosa-hcp/rhcs"
+  version                = "1.6.2"
+  cluster_name           = local.cluster_name
+  openshift_version      = var.openshift_version
+  account_role_prefix    = local.cluster_name
+  operator_role_prefix   = local.cluster_name
+  replicas               = local.worker_node_replicas
+  aws_availability_zones = local.region_azs
+  create_oidc            = true
+  private                = var.private_cluster
+  aws_subnet_ids         = var.create_vpc ? var.private_cluster ? module.vpc[0].private_subnets : concat(module.vpc[0].public_subnets, module.vpc[0].private_subnets) : var.aws_subnet_ids
+  create_account_roles   = true
+  create_operator_roles  = true
+    
+  depends_on = [time_sleep.wait_60_seconds]
+}
+EOF
+----
+
+. Create the `variables.tf` file by running the following command:
++
+[NOTE]
+====
+Copy and edit this file _before_ running the command to build your cluster.
+====
++
+[source,terminal]
+----
+$ cat<<-EOF>variables.tf
+#
+# Copyright (c) 2023 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+variable "openshift_version" {
+  type        = string
+  default     = "4.14.20"
+  description = "Desired version of OpenShift for the cluster, for example '4.14.20'. If version is greater than the currently running version, an upgrade will be scheduled."
+}
+
+variable "create_vpc" {
+  type        = bool
+  description = "If you would like to create a new VPC, set this value to 'true'. If you do not want to create a new VPC, set this value to 'false'."
+}
+
+# ROSA Cluster info
+variable "cluster_name" {
+  default     = null
+  type        = string
+  description = "The name of the ROSA cluster to create"
+}
+
+variable "additional_tags" {
+  default = {
+    Terraform   = "true"
+    Environment = "dev"
+  }
+  description = "Additional AWS resource tags"
+  type        = map(string)
+}
+
+variable "multi_az" {
+  type        = bool
+  description = "Multi AZ Cluster for High Availability"
+  default     = true
+}
+
+variable "worker_node_replicas" {
+  default     = 3
+  description = "Number of worker nodes to provision. Single zone clusters need at least 2 nodes, multizone clusters need at least 3 nodes"
+  type        = number
+}
+
+variable "aws_subnet_ids" {
+  type        = list(any)
+  description = "A list of either the public or public + private subnet IDs to use for the cluster blocks to use for the cluster"
+  default     = ["subnet-01234567890abcdef", "subnet-01234567890abcdef", "subnet-01234567890abcdef"]
+}
+
+variable "private_cluster" {
+  type        = bool
+  description = "If you want to create a private cluster, set this value to 'true'. If you want a publicly available cluster, set this value to 'false'."
+}
+
+#VPC Info
+variable "vpc_name" {
+  type        = string
+  description = "VPC Name"
+  default     = "tf-qs-vpc"
+}
+
+variable "vpc_cidr_block" {
+  type        = string
+  description = "value of the CIDR block to use for the VPC"
+  default     = "10.0.0.0/16"
+}
+
+variable "private_subnet_cidrs" {
+  type        = list(any)
+  description = "The CIDR blocks to use for the private subnets"
+  default     = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+}
+
+variable "public_subnet_cidrs" {
+  type        = list(any)
+  description = "The CIDR blocks to use for the public subnets"
+  default     = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+}
+
+variable "single_nat_gateway" {
+  type        = bool
+  description = "Single NAT or per NAT for subnet"
+  default     = false
+}
+
+#AWS Info
+variable "aws_region" {
+  type    = string
+  default = "us-east-2"
+}
+
+variable "default_aws_tags" {
+  type        = map(string)
+  description = "Default tags for AWS"
+  default     = {}
+}
+EOF
+----
+
+. Create the `vpc.tf` file by running the following command:
++
+[source,terminal]
+----
+$ cat<<-EOF>vpc.tf
+#
+# Copyright (c) 2023 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "5.1.2"
+
+  count = var.create_vpc ? 1 : 0
+  name  = var.vpc_name
+  cidr  = var.vpc_cidr_block
+
+  azs             = local.region_azs
+  private_subnets = var.multi_az ? var.private_subnet_cidrs : [var.private_subnet_cidrs[0]]
+  public_subnets  = var.multi_az ? var.public_subnet_cidrs : [var.public_subnet_cidrs[0]]
+
+  enable_nat_gateway   = true
+  single_nat_gateway   = var.single_nat_gateway
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+
+  tags = var.additional_tags
+}
+EOF
+----
++
+You are ready to initiate Terraform.
\ No newline at end of file
diff --git a/modules/rosa-hcp-creating-account-wide-sts-roles-and-policies.adoc b/modules/rosa-hcp-creating-account-wide-sts-roles-and-policies.adoc
index e8218690da5e..8ba2c54c6fce 100644
--- a/modules/rosa-hcp-creating-account-wide-sts-roles-and-policies.adoc
+++ b/modules/rosa-hcp-creating-account-wide-sts-roles-and-policies.adoc
@@ -16,7 +16,7 @@ Before using the {product-title} (ROSA) CLI (`rosa`) to create {hcp-title-first}
 * You have available AWS service quotas.
 * You have enabled the ROSA service in the AWS Console.
 * You have installed and configured the latest ROSA CLI (`rosa`) on your installation host.
-* You have logged in to your Red Hat account by using the ROSA CLI.
+* You have logged in to your Red{nbsp}Hat account by using the ROSA CLI.
 
 .Procedure
 
diff --git a/modules/rosa-hcp-deleting-cluster.adoc b/modules/rosa-hcp-deleting-cluster.adoc
index 511317999d0e..22d5b3d0d1ca 100644
--- a/modules/rosa-hcp-deleting-cluster.adoc
+++ b/modules/rosa-hcp-deleting-cluster.adoc
@@ -40,7 +40,7 @@ Display Name:               test_cluster
 ID:                         <cluster_id> <1>
 External ID:                <external_id>
 Control Plane:              ROSA Service Hosted
-OpenShift Version:          4.15.0
+OpenShift Version:          4.16.0
 Channel Group:              stable
 DNS:                        test_cluster.l3cn.p3.openshiftapps.com
 AWS Account:                <AWS_id>
diff --git a/modules/rosa-hcp-firewall-prerequisites.adoc b/modules/rosa-hcp-firewall-prerequisites.adoc
index 1a4f409a3cff..49fc59e2d81a 100644
--- a/modules/rosa-hcp-firewall-prerequisites.adoc
+++ b/modules/rosa-hcp-firewall-prerequisites.adoc
@@ -58,7 +58,7 @@ endif::rosa-classic-sts[]
 
 |`registry.access.redhat.com`
 |443
-|Required. Hosts all the container images that are stored on the Red Hat Ecosytem Catalog. Additionally, the registry provides access to the `odo` CLI tool that helps developers build on OpenShift and Kubernetes.
+|Required. Hosts all the container images that are stored on the Red{nbsp}Hat Ecosytem Catalog. Additionally, the registry provides access to the `odo` CLI tool that helps developers build on OpenShift and Kubernetes.
 
 |`access.redhat.com`
 |443
@@ -84,11 +84,11 @@ endif::rosa-classic-sts[]
 
 |`sso.redhat.com`
 |443
-|Required. The `https://console.redhat.com/openshift` site uses authentication from `sso.redhat.com` to download the pull secret and use Red Hat SaaS solutions to facilitate monitoring of your subscriptions, cluster inventory, chargeback reporting, etc.
+|Required. The `https://console.redhat.com/openshift` site uses authentication from `sso.redhat.com` to download the pull secret and use Red{nbsp}Hat SaaS solutions to facilitate monitoring of your subscriptions, cluster inventory, chargeback reporting, etc.
 |===
 +
-Managed clusters require enabling telemetry to allow Red Hat to react more quickly to problems, better support the customers, and better understand how product upgrades impact clusters.
-For more information about how remote health monitoring data is used by Red Hat, see _About remote health monitoring_ in the _Additional resources_ section.
+Managed clusters require enabling telemetry to allow Red{nbsp}Hat to react more quickly to problems, better support the customers, and better understand how product upgrades impact clusters.
+For more information about how remote health monitoring data is used by Red{nbsp}Hat, see _About remote health monitoring_ in the _Additional resources_ section.
 
 . Allowlist the following Amazon Web Services (AWS) API URls:
 +
diff --git a/modules/rosa-hcp-sts-creating-a-break-glass-cred-cli.adoc b/modules/rosa-hcp-sts-creating-a-break-glass-cred-cli.adoc
index 7a4a3658241c..3d8dbbd424f0 100644
--- a/modules/rosa-hcp-sts-creating-a-break-glass-cred-cli.adoc
+++ b/modules/rosa-hcp-sts-creating-a-break-glass-cred-cli.adoc
@@ -86,7 +86,7 @@ The following is a list of possible `Status` field values:
 +
 * `issued` The break glass credential has been issued and is ready to use.
 * `expired` The break glass credential has expired and can no longer be used.
-* `failed` The break glass credential has failed to create. In this case, you receive a service log detailing the failure. For more information about service logs, see _Accessing the service logs for Red Hat OpenShift Service on AWS clusters_. For steps to contact Red Hat Support for assistance, see _Getting support_.
+* `failed` The break glass credential has failed to create. In this case, you receive a service log detailing the failure. For more information about service logs, see _Accessing the service logs for Red{nbsp}Hat OpenShift Service on AWS clusters_. For steps to contact Red{nbsp}Hat Support for assistance, see _Getting support_.
 * `awaiting_revocation` The break glass credential is currently being revoked, meaning it cannot be used.
 * `revoked` The break glass credential has been revoked and can no longer be used.
 +
diff --git a/modules/rosa-hcp-sts-creating-a-cluster-cli.adoc b/modules/rosa-hcp-sts-creating-a-cluster-cli.adoc
index 55b95b1f07f2..6886c1c10f06 100644
--- a/modules/rosa-hcp-sts-creating-a-cluster-cli.adoc
+++ b/modules/rosa-hcp-sts-creating-a-cluster-cli.adoc
@@ -14,7 +14,7 @@ When using the {product-title} (ROSA) CLI, `rosa`, to create a cluster, you can
 * You have available AWS service quotas.
 * You have enabled the ROSA service in the AWS Console.
 * You have installed and configured the latest ROSA CLI (`rosa`) on your installation host. Run `rosa version` to see your currently installed version of the ROSA CLI. If a newer version is available, the CLI provides a link to download this upgrade.
-* You have logged in to your Red Hat account by using the ROSA CLI.
+* You have logged in to your Red{nbsp}Hat account by using the ROSA CLI.
 * You have created an OIDC configuration.
 * You have verified that the AWS Elastic Load Balancing (ELB) service role exists in your AWS account.
 
@@ -88,7 +88,7 @@ The following `State` field changes are listed in the output as the cluster inst
 +
 [NOTE]
 ====
-If the installation fails or the `State` field does not change to `ready` after more than 10 minutes, check the installation troubleshooting documentation for details. For more information, see _Troubleshooting installations_. For steps to contact Red Hat Support for assistance, see _Getting support for Red Hat OpenShift Service on AWS_.
+If the installation fails or the `State` field does not change to `ready` after more than 10 minutes, check the installation troubleshooting documentation for details. For more information, see _Troubleshooting installations_. For steps to contact Red{nbsp}Hat Support for assistance, see _Getting support for Red{nbsp}Hat OpenShift Service on AWS_.
 ====
 +
 . Track the progress of the cluster creation by watching the {product-title} installation program logs. To check the logs, run the following command:
diff --git a/modules/rosa-hcp-sts-creating-a-cluster-external-auth-cluster-cli.adoc b/modules/rosa-hcp-sts-creating-a-cluster-external-auth-cluster-cli.adoc
index 64241544c3c9..1005ae8f4bb5 100644
--- a/modules/rosa-hcp-sts-creating-a-cluster-external-auth-cluster-cli.adoc
+++ b/modules/rosa-hcp-sts-creating-a-cluster-external-auth-cluster-cli.adoc
@@ -56,7 +56,7 @@ Display Name:               rosa-ext-test
 ID:                         <cluster_id>
 External ID:                <cluster_ext_id>
 Control Plane:              ROSA Service Hosted
-OpenShift Version:          4.15.3
+OpenShift Version:          4.16.3
 Channel Group:              stable
 DNS:                        <dns>
 AWS Account:                <AWS_id>
diff --git a/modules/rosa-hcp-vpc-terraform.adoc b/modules/rosa-hcp-vpc-terraform.adoc
index fee289ce1074..ea0c5ad0f754 100644
--- a/modules/rosa-hcp-vpc-terraform.adoc
+++ b/modules/rosa-hcp-vpc-terraform.adoc
@@ -66,7 +66,7 @@ $ export SUBNET_IDS=$(terraform output -raw cluster-subnets-string)
 $ echo $SUBNET_IDS
 ----
 +
-.Sample output
+.Example output
 +
 [source,terminal]
 ----
diff --git a/modules/rosa-install-uninstall-addon.adoc b/modules/rosa-install-uninstall-addon.adoc
index 6542709e5f82..19ad844365b0 100644
--- a/modules/rosa-install-uninstall-addon.adoc
+++ b/modules/rosa-install-uninstall-addon.adoc
@@ -6,7 +6,7 @@
 = Install and uninstall add-ons
 
 
-This section describes how to install and uninstall Red Hat managed service add-ons to a cluster.
+This section describes how to install and uninstall Red{nbsp}Hat managed service add-ons to a cluster.
 
 [id="rosa-install-addon_{context}"]
 == install addon
diff --git a/modules/rosa-installing.adoc b/modules/rosa-installing.adoc
index b658e0309083..662ec5fa3019 100644
--- a/modules/rosa-installing.adoc
+++ b/modules/rosa-installing.adoc
@@ -13,7 +13,7 @@ Install and configure the {product-title} (ROSA) CLI, `rosa`. You can also insta
 .Prerequisites
 
 * Review and complete the AWS prerequisites and ROSA policies.
-* Create a link:https://cloud.redhat.com[Red Hat account], if you do not already have one. Then, check your email for a verification link. You will need these credentials to install ROSA.
+* Create a link:https://cloud.redhat.com[Red{nbsp}Hat account], if you do not already have one. Then, check your email for a verification link. You will need these credentials to install ROSA.
 * Configure your AWS account and enable the ROSA service in your AWS account.
 
 .Procedure
@@ -89,7 +89,7 @@ $ rosa completion bash | sudo tee /etc/bash_completion.d/rosa
 $ source /etc/bash_completion.d/rosa
 ----
 
-. Log in to your Red Hat account with `rosa`.
+. Log in to your Red{nbsp}Hat account with `rosa`.
 +
 .. Enter the following command.
 +
@@ -157,7 +157,7 @@ After both the permissions and quota checks pass, proceed to the next step.
 +
 . Prepare your AWS account for cluster deployment:
 +
-.. Run the following command to verify your Red Hat and AWS credentials are setup correctly.  Check that your AWS Account ID, Default Region and ARN match what you expect. You can safely ignore the rows beginning with `OCM` for now.
+.. Run the following command to verify your Red{nbsp}Hat and AWS credentials are setup correctly. Check that your AWS Account ID, Default Region and ARN match what you expect. You can safely ignore the rows beginning with `OCM` for now.
 +
 [source,terminal]
 ----
diff --git a/modules/rosa-list-objects.adoc b/modules/rosa-list-objects.adoc
index 6afab1e1baf5..b9944dc4e8a6 100644
--- a/modules/rosa-list-objects.adoc
+++ b/modules/rosa-list-objects.adoc
@@ -287,6 +287,49 @@ List all instance types.
 $ rosa list instance-types
 ----
 
+[id="rosa-list-kubeletconfigs_{context}"]
+== list kubeletconfigs
+
+List the `KubeletConfig` objects configured on a cluster.
+
+.Syntax
+[source,terminal]
+----
+$ rosa list kubeletconfigs --cluster=<cluster_name> | <cluster_id> [arguments]
+----
+
+.Arguments
+[cols="30,70"]
+|===
+|Option |Definition
+
+|--cluster
+|Required: The name or ID (string) of the cluster that the machine pools will be listed for.
+|===
+
+.Optional arguments inherited from parent commands
+[cols="30,70"]
+|===
+|Option |Definition
+
+|--help
+|Shows help for this command.
+
+|--debug
+|Enables debug mode.
+
+// |--profile
+// |Specifies an AWS profile (string) from your credentials file.
+|===
+
+.Example
+List all of the `KubeletConfig` objects on a cluster named `mycluster`.
+
+[source,terminal]
+----
+$ rosa list kubeletconfigs --cluster=mycluster
+----
+
 [id="rosa-list-machinepools_{context}"]
 == list machinepools
 
@@ -640,8 +683,12 @@ $ rosa describe cluster --cluster=<cluster_name> | <cluster_id> [arguments]
 
 |--profile
 |Specifies an AWS profile (string) from your credentials file.
+
+|--get-role-policy-bindings
+|Lists the policies that are attached to the STS roles assigned to the cluster.
 |===
 
+
 .Example
 Describe a cluster named `mycluster`.
 [source,terminal]
@@ -671,7 +718,19 @@ a|-c, --cluster <cluster_name>\|<cluster_id>
 |-h, --help
 |Shows help for this command.
 
-|-o, --output string    
+|--name
+a| Optional. Specifies the name of the `KubeletConfig` object to describe.
+//TODO OSDOCS-10439: Add conditions back when HCP and Classic are published separately
+// ifdef::openshift-rosa-classic[]
+// Optional.
+// endif::openshift-rosa-classic[]
+// ifdef::openshift-rosa-hcp[]
+// Required.
+// endif::openshift-rosa-hcp[]
+
+|-o, --output string
+
+|-o, --output string
 |The output format. You can specify either `json` or `yaml`.
 
 |===
diff --git a/modules/rosa-modifying-node-tuning.adoc b/modules/rosa-modifying-node-tuning.adoc
index cf58e11c62bd..4a8e17bfdf08 100644
--- a/modules/rosa-modifying-node-tuning.adoc
+++ b/modules/rosa-modifying-node-tuning.adoc
@@ -31,7 +31,7 @@ The following items in this spec file are:
 <2> Provide the name of your tuning configuration.
 <3> Optionally, you can provide the output type. If you do not specify any outputs, you only see the ID and name of the tuning configuration.
 +
-.Sample output without specifying output type
+.Example output without specifying output type
 [source,terminal]
 ----
 Name:    sample-tuning
@@ -53,7 +53,7 @@ Spec:    {
 
 ----
 +
-.Sample output specifying JSON output
+.Example output specifying JSON output
 [source,terminal]
 ----
 {
@@ -95,7 +95,7 @@ In this command, you use the `spec.json` file to edit your configurations.
 $ rosa describe tuning-config -c <cluster_id> --name <name_of_tuning>
 ----
 +
-.Sample output
+.Example output
 [source,terminal]
 ----
 Name:  sample-tuning
diff --git a/modules/rosa-nodes-machine-pools-local-zones.adoc b/modules/rosa-nodes-machine-pools-local-zones.adoc
index b0b803b00fe4..796da570c895 100644
--- a/modules/rosa-nodes-machine-pools-local-zones.adoc
+++ b/modules/rosa-nodes-machine-pools-local-zones.adoc
@@ -11,7 +11,7 @@ Use the following steps to configure machine pools in Local Zones.
 
 [IMPORTANT]
 ====
-AWS Local Zones are supported on Red Hat OpenShift Service on AWS 4.12. See the link:https://access.redhat.com/articles/6989889[Red Hat Knowledgebase article] for information on how to enable Local Zones.
+AWS Local Zones are supported on Red{nbsp}Hat OpenShift Service on AWS 4.12. See the link:https://access.redhat.com/articles/6989889[Red{nbsp}Hat Knowledgebase article] for information on how to enable Local Zones.
 ====
 .Prerequisites
 
diff --git a/modules/rosa-oidc-config-overview.adoc b/modules/rosa-oidc-config-overview.adoc
index b812f4c48211..47aa44f8d272 100644
--- a/modules/rosa-oidc-config-overview.adoc
+++ b/modules/rosa-oidc-config-overview.adoc
@@ -6,4 +6,4 @@
 [id="rosa-byo-odic-overview_{context}"]
 = Creating an OpenID Connect Configuration
 
-When using a cluster hosted by Red Hat, you can create a managed or unmanaged OpenID Connect (OIDC) configuration by using the {product-title} (ROSA) CLI, `rosa`. A managed OIDC configuration is stored within Red Hat's AWS account, while a generated unmanaged OIDC configuration is stored within your AWS account. The OIDC configuration is registered to be used with {cluster-manager}. When creating an unmanaged OIDC configuration, the CLI provides the private key for you.
\ No newline at end of file
+When using a cluster hosted by Red{nbsp}Hat, you can create a managed or unmanaged OpenID Connect (OIDC) configuration by using the {product-title} (ROSA) CLI, `rosa`. A managed OIDC configuration is stored within Red{nbsp}Hat's AWS account, while a generated unmanaged OIDC configuration is stored within your AWS account. The OIDC configuration is registered to be used with {cluster-manager}. When creating an unmanaged OIDC configuration, the CLI provides the private key for you.
\ No newline at end of file
diff --git a/modules/rosa-oidc-understanding.adoc b/modules/rosa-oidc-understanding.adoc
index 53d2c310bc3b..3b4d26285ccd 100644
--- a/modules/rosa-oidc-understanding.adoc
+++ b/modules/rosa-oidc-understanding.adoc
@@ -11,11 +11,11 @@ There are three options for OIDC verification:
 
 * Unregistered, managed OIDC configuration
 +
-An unregistered, managed OIDC configuration is created for you during the cluster installation process. The configuration is hosted under Red Hat's AWS account. This option does not give you the ID that links to the OIDC configuration, so you can only use this type of OIDC configuration on a single cluster.
+An unregistered, managed OIDC configuration is created for you during the cluster installation process. The configuration is hosted under Red{nbsp}Hat's AWS account. This option does not give you the ID that links to the OIDC configuration, so you can only use this type of OIDC configuration on a single cluster.
 
 * Registered, managed OIDC configuration
 +
-You create a registered, managed OIDC configuration before you start creating your clusters. This configuration is hosted under Red Hat's AWS account like the unregistered managed OIDC configuration. When you use this option for your OIDC configuration, you receive an ID that links to the OIDC configuration. Red Hat uses this ID to identify the issuer URL and private key. You can then use this URL and private key to create an identity provider and Operator roles. These resources are created under your AWS account by using Identity and Access Management (IAM) AWS services. You can also use the OIDC configuration ID during the cluster creation process.
+You create a registered, managed OIDC configuration before you start creating your clusters. This configuration is hosted under Red{nbsp}Hat's AWS account like the unregistered managed OIDC configuration. When you use this option for your OIDC configuration, you receive an ID that links to the OIDC configuration. Red{nbsp}Hat uses this ID to identify the issuer URL and private key. You can then use this URL and private key to create an identity provider and Operator roles. These resources are created under your AWS account by using Identity and Access Management (IAM) AWS services. You can also use the OIDC configuration ID during the cluster creation process.
 
 * Registered, unmanaged OIDC configuration
 +
@@ -27,5 +27,5 @@ For ROSA Classic, you may use any of the OIDC configuration options. If you are
 
 [NOTE]
 ====
-Reusing the OIDC configurations, OIDC provider, and Operator roles between clusters is not recommended for production clusters since the authentication verification is used throughout all of these clusters. Red Hat advises to only reuse resources on non-production test environments.
+Reusing the OIDC configurations, OIDC provider, and Operator roles between clusters is not recommended for production clusters since the authentication verification is used throughout all of these clusters. Red{nbsp}Hat advises to only reuse resources on non-production test environments.
 ====
\ No newline at end of file
diff --git a/modules/rosa-operator-config.adoc b/modules/rosa-operator-config.adoc
index afcca25ffd42..3bb6e1ab7aa8 100644
--- a/modules/rosa-operator-config.adoc
+++ b/modules/rosa-operator-config.adoc
@@ -49,7 +49,7 @@ $ rosa create operator-roles --hosted-cp
 +
 You must include the `--hosted-cp` parameter to create the correct roles for {hcp-title} clusters. This command returns the following information.
 +
-.Sample output
+.Example output
 +
 [source,terminal]
 ----
@@ -90,7 +90,7 @@ The Operator roles are now created and ready to use for creating your {hcp-title
 $ rosa list operator-roles
 ----
 +
-.Sample output
+.Example output
 +
 [source,terminal]
 ----
diff --git a/modules/rosa-planning-environment-cluster-max.adoc b/modules/rosa-planning-environment-cluster-max.adoc
index 073b716d7fde..88945a2a1ab1 100644
--- a/modules/rosa-planning-environment-cluster-max.adoc
+++ b/modules/rosa-planning-environment-cluster-max.adoc
@@ -11,7 +11,7 @@ Oversubscribing the physical resources on a node affects resource guarantees the
 
 Some of the tested maximums are stretched only in a single dimension. They will vary when many objects are running on the cluster.
 
-The numbers noted in this documentation are based on Red Hat testing methodology, setup, configuration, and tunings. These numbers can vary based on your own individual setup and environments.
+The numbers noted in this documentation are based on Red{nbsp}Hat testing methodology, setup, configuration, and tunings. These numbers can vary based on your own individual setup and environments.
 
 While planning your environment, determine how many pods are expected to fit per node using the following formula:
 
diff --git a/modules/rosa-policy-change-management.adoc b/modules/rosa-policy-change-management.adoc
index 3fe5eb45b7d4..464faa294627 100644
--- a/modules/rosa-policy-change-management.adoc
+++ b/modules/rosa-policy-change-management.adoc
@@ -8,7 +8,7 @@
 
 This section describes the policies about how cluster and configuration changes, patches, and releases are managed.
 
-Red Hat is responsible for enabling changes to the cluster infrastructure and services that the customer will control, as well as maintaining versions for the control plane nodes, infrastructure nodes and services, and worker nodes. AWS is responsible for protecting the hardware infrastructure that runs all of the services offered in the
+Red{nbsp}Hat is responsible for enabling changes to the cluster infrastructure and services that the customer will control, as well as maintaining versions for the control plane nodes, infrastructure nodes and services, and worker nodes. AWS is responsible for protecting the hardware infrastructure that runs all of the services offered in the
 AWS Cloud. The customer is responsible for initiating infrastructure change requests and installing and maintaining optional services and networking configurations on the cluster, as well as all changes to customer data and customer applications.
 
 [id="rosa-policy-customer-initiated-changes_{context}"]
@@ -42,9 +42,9 @@ To enforce the maintenance exclusion, ensure machine pool autoscaling or automat
 ====
 
 [id="rosa-policy-red-hat-initiated-changes_{context}"]
-== Red Hat-initiated changes
+== Red{nbsp}Hat-initiated changes
 
-Red Hat site reliability engineering (SRE) manages the infrastructure, code, and configuration of {product-title} using a GitOps workflow and fully automated CI/CD pipelines. This process ensures that Red Hat can safely introduce service improvements on a continuous basis without negatively impacting customers.
+Red{nbsp}Hat site reliability engineering (SRE) manages the infrastructure, code, and configuration of {product-title} using a GitOps workflow and fully automated CI/CD pipelines. This process ensures that Red{nbsp}Hat can safely introduce service improvements on a continuous basis without negatively impacting customers.
 
 Every proposed change undergoes a series of automated verifications immediately upon check-in. Changes are then deployed to a staging environment where they undergo automated integration testing. Finally, changes are deployed to the production environment. Each step is fully automated.
 
@@ -55,12 +55,12 @@ Some changes are released to production incrementally, using feature flags to co
 [id="rosa-policy-patch-management_{context}"]
 == Patch management
 
-OpenShift Container Platform software and the underlying immutable Red Hat CoreOS (RHCOS) operating system image are patched for bugs and vulnerabilities in regular z-stream upgrades. Read more about link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/architecture/architecture-rhcos[RHCOS architecture] in the OpenShift Container Platform documentation.
+OpenShift Container Platform software and the underlying immutable Red{nbsp}Hat CoreOS (RHCOS) operating system image are patched for bugs and vulnerabilities in regular z-stream upgrades. Read more about link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/architecture/architecture-rhcos[RHCOS architecture] in the OpenShift Container Platform documentation.
 
 [id="rosa-policy-release-management_{context}"]
 == Release management
 
-Red Hat does not automatically upgrade your clusters. You can schedule to upgrade the clusters at regular intervals (recurring upgrade) or just once (individual upgrade) using the {cluster-manager} web console. Red Hat might forcefully upgrade a cluster to a new z-stream version only if the cluster is affected by a critical impact CVE.
+Red{nbsp}Hat does not automatically upgrade your clusters. You can schedule to upgrade the clusters at regular intervals (recurring upgrade) or just once (individual upgrade) using the {cluster-manager} web console. Red{nbsp}Hat might forcefully upgrade a cluster to a new z-stream version only if the cluster is affected by a critical impact CVE.
 
 [NOTE]
 ====
@@ -77,7 +77,7 @@ You can review the history of all cluster upgrade events in the {cluster-manager
 |Customer responsibilities
 
 |Logging
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Centrally aggregate and monitor platform audit logs.
 
@@ -91,7 +91,7 @@ You can review the history of all cluster upgrade events in the {cluster-manager
 - Request platform audit logs through a support case for researching specific incidents.
 
 |Application networking
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Set up public load balancers. Provide the ability to set up private load balancers and up to one additional load balancer when required.
 
@@ -108,7 +108,7 @@ You can review the history of all cluster upgrade events in the {cluster-manager
 - Configure any necessary DNS forwarding rules.
 
 |Cluster networking
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Set up cluster management components, such as public or private service endpoints and necessary integration with Amazon VPC components.
 
@@ -118,7 +118,7 @@ You can review the history of all cluster upgrade events in the {cluster-manager
 - Request that the API service endpoint be made public or private on cluster creation or after cluster creation through {cluster-manager}.
 
 |Virtual networking management
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Set up and configure Amazon VPC components required to provision the cluster, such as subnets, load balancers, internet gateways, and NAT gateways.
 
@@ -131,7 +131,7 @@ manage AWS VPN connectivity with on-premises resources, Amazon VPC-to-VPC connec
 - Request and configure any additional service load balancers for specific services.
 
 |Virtual compute management
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Set up and configure the ROSA control plane and data plane to use Amazon EC2 instances for cluster compute.
 
@@ -142,7 +142,7 @@ machine pool using the OpenShift Cluster Manager or the ROSA CLI (`rosa`).
 - Manage changes to customer-deployed applications and application data.
 
 |Cluster version
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Enable upgrade scheduling process.
 
@@ -155,7 +155,7 @@ machine pool using the OpenShift Cluster Manager or the ROSA CLI (`rosa`).
 - Test customer applications on patch releases to ensure compatibility.
 
 |Capacity management
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Monitor the use of the control plane. Control planes include control plane nodes and infrastructure nodes.
 
@@ -164,10 +164,10 @@ machine pool using the OpenShift Cluster Manager or the ROSA CLI (`rosa`).
 | - Monitor worker node utilization and, if appropriate, enables the auto-scaling feature.
 - Determine the scaling strategy of the cluster. See the additional resources for more information on machine pools.
 - Use the provided {cluster-manager} controls to add or remove additional worker nodes as required.
-- Respond to Red Hat notifications regarding cluster resource requirements.
+- Respond to Red{nbsp}Hat notifications regarding cluster resource requirements.
 
 |Virtual storage management
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Set up and configure Amazon EBS to provision local node storage and persistent volume storage for the cluster.
 
diff --git a/modules/rosa-policy-customer-responsibility.adoc b/modules/rosa-policy-customer-responsibility.adoc
index dbdf568b701d..894893d614a9 100644
--- a/modules/rosa-policy-customer-responsibility.adoc
+++ b/modules/rosa-policy-customer-responsibility.adoc
@@ -6,19 +6,19 @@
 [id="rosa-policy-customer-responsibility_{context}"]
 = Additional customer responsibilities for data and applications
 
-The customer is responsible for the applications, workloads, and data that they deploy to Red Hat
-OpenShift Service on AWS. However, Red Hat and AWS provide various tools to help the customer
+The customer is responsible for the applications, workloads, and data that they deploy to Red{nbsp}Hat
+OpenShift Service on AWS. However, Red{nbsp}Hat and AWS provide various tools to help the customer
 manage data and applications on the platform.
 
 [cols="2a,3a,3a",options="header"]
 |===
 
 |Resource
-|Red Hat and AWS
+|Red{nbsp}Hat and AWS
 |Customer responsibilities
 
 |Customer data
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Maintain platform-level standards for data encryption as defined by industry security and
 compliance standards.
@@ -32,11 +32,11 @@ Amazon RDS to store and manage data outside of the cluster and/or AWS.
 |- Maintain responsibility for all customer data stored on the platform and how customer applications consume and expose this data.
 
 |Customer applications
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Provision clusters with OpenShift components installed so that customers can access the OpenShift and Kubernetes APIs to deploy and manage containerized applications.
-- Create clusters with image pull secrets so that customer deployments can pull images from the Red Hat Container Catalog registry.
-- Provide access to OpenShift APIs that a customer can use to set up Operators to add community, third-party, and Red Hat services to the cluster.
+- Create clusters with image pull secrets so that customer deployments can pull images from the Red{nbsp}Hat Container Catalog registry.
+- Provide access to OpenShift APIs that a customer can use to set up Operators to add community, third-party, and Red{nbsp}Hat services to the cluster.
 - Provide storage classes and plugins to support persistent volumes for use with customer applications.
 - Provide a container image registry so customers can securely store application container images on the cluster to deploy and manage applications.
 
@@ -44,10 +44,10 @@ Amazon RDS to store and manage data outside of the cluster and/or AWS.
 
 - Provide Amazon EBS to support persistent volumes for use with customer applications.
 
-- Provide Amazon S3 to support Red Hat provisioning of the container image registry.
+- Provide Amazon S3 to support Red{nbsp}Hat provisioning of the container image registry.
 
 |- Maintain responsibility for customer and third-party applications, data, and their complete lifecycle.
-- If a customer adds Red Hat, community, third-party, their own, or other services to the cluster by using Operators or external images, the customer is responsible for these services and for working with the appropriate provider, including Red Hat, to troubleshoot any issues.
+- If a customer adds Red{nbsp}Hat, community, third-party, their own, or other services to the cluster by using Operators or external images, the customer is responsible for these services and for working with the appropriate provider, including Red{nbsp}Hat, to troubleshoot any issues.
 - Use the provided tools and features to configure and deploy; keep up to date; set up resource requests and limits; size the cluster to have enough resources to run apps; set up permissions; integrate with other services; manage any image streams or templates that the customer deploys; externally serve; save, back up, and restore data; and otherwise manage their highly available and resilient workloads.
 - Maintain responsibility for monitoring the applications run on {product-title}, including
 installing and operating software to gather metrics, create alerts, and protect secrets in the application.
diff --git a/modules/rosa-policy-disaster-recovery.adoc b/modules/rosa-policy-disaster-recovery.adoc
index 9fbdde1ba1c6..cdd3fbcd0257 100644
--- a/modules/rosa-policy-disaster-recovery.adoc
+++ b/modules/rosa-policy-disaster-recovery.adoc
@@ -21,14 +21,14 @@ One multi-zone cluster will not provide disaster avoidance or recovery in the ev
 |Customer responsibilities
 
 |Virtual networking management
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Restore or recreate affected virtual network components that are necessary for the platform to function.
 |- Configure virtual networking connections with more than one tunnel where possible for protection against outages as recommended by the public cloud provider.
 - Maintain failover DNS and load balancing if using a global load balancer with multiple clusters.
 
 |Virtual Storage management
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - For ROSA clusters created with IAM user credentials, back up all Kubernetes objects on the cluster through hourly, daily, and weekly volume snapshots. Hourly backups are retained for 24 hrs (1 day), daily backups are retained for 168 hrs (1 week), and weekly backups are retained for 720 hrs (30 days).
 
@@ -36,7 +36,7 @@ One multi-zone cluster will not provide disaster avoidance or recovery in the ev
 |- Back up customer applications and application data.
 
 |Virtual compute management
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Monitor the cluster and replace failed Amazon EC2 control plane or infrastructure nodes.
 
diff --git a/modules/rosa-policy-failure-points.adoc b/modules/rosa-policy-failure-points.adoc
index d2e098b266c5..2a9f3490e75e 100644
--- a/modules/rosa-policy-failure-points.adoc
+++ b/modules/rosa-policy-failure-points.adoc
@@ -9,7 +9,7 @@
 
 {product-title} (ROSA) provides many features and options for protecting your workloads against downtime, but applications must be architected appropriately to take advantage of these features.
 
-ROSA can help further protect you against many common Kubernetes issues by adding Red Hat site reliability engineering (SRE) support and the option to deploy a multiple availability zone cluster, but there are a number of ways in which a container or infrastructure can still fail. By understanding potential points of failure, you can understand risks and appropriately architect both your applications and your clusters to be as resilient as necessary at each specific level.
+ROSA can help further protect you against many common Kubernetes issues by adding Red{nbsp}Hat site reliability engineering (SRE) support and the option to deploy a multiple availability zone cluster, but there are several ways in which a container or infrastructure can still fail. By understanding potential points of failure, you can understand risks and appropriately architect both your applications and your clusters to be as resilient as necessary at each specific level.
 
 [NOTE]
 ====
@@ -37,11 +37,11 @@ When accounting for possible node failures, it is also important to understand h
 == Cluster failure
 Single-AZ ROSA clusters have at least three control plane and two infrastructure nodes in the same availability zone (AZ) in the private subnet.
 
-Multi-AZ ROSA clusters have at least three control plane nodes and three infrastructure nodes that are preconfigured for high availability, either in a single zone or across multiple zones, depending on the type of cluster you have selected. Control plane and infrastructure nodes have the same resiliency as worker nodes, with the added benefit of being managed completely by Red Hat.
+Multi-AZ ROSA clusters have at least three control plane nodes and three infrastructure nodes that are preconfigured for high availability, either in a single zone or across multiple zones, depending on the type of cluster you have selected. Control plane and infrastructure nodes have the same resiliency as worker nodes, with the added benefit of being managed completely by Red{nbsp}Hat.
 
 In the event of a complete control plane outage, the OpenShift APIs will not function, and existing worker node pods are unaffected. However, if there is also a pod or node outage at the same time, the control planes must recover before new pods or nodes can be added or scheduled.
 
-All services running on infrastructure nodes are configured by Red Hat to be highly available and distributed across infrastructure nodes. In the event of a complete infrastructure outage, these services are unavailable until these nodes have been recovered.
+All services running on infrastructure nodes are configured by Red{nbsp}Hat to be highly available and distributed across infrastructure nodes. In case of a complete infrastructure outage, these services are unavailable until these nodes have been recovered.
 
 [id="rosa-policy-container-zone-failure_{context}"]
 == Zone failure
diff --git a/modules/rosa-policy-incident.adoc b/modules/rosa-policy-incident.adoc
index 5c384c87e755..b8a0b91e3568 100644
--- a/modules/rosa-policy-incident.adoc
+++ b/modules/rosa-policy-incident.adoc
@@ -5,7 +5,7 @@
 [id="rosa-policy-incident_{context}"]
 = Incident and operations management
 
-Red Hat is responsible for overseeing the service components required for default platform networking.
+Red{nbsp}Hat is responsible for overseeing the service components required for default platform networking.
 AWS is responsible for protecting the hardware infrastructure that runs all of the services offered in the AWS Cloud. The customer is responsible for incident and operations management of customer application data and any custom networking the customer has configured for the cluster network or virtual network.
 
 [cols= "2a,3a,3a",options="header"]
@@ -16,15 +16,15 @@ AWS is responsible for protecting the hardware infrastructure that runs all of t
 |Customer responsibilities
 
 |Application networking
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Monitor native OpenShift router
 service, and respond to alerts.
 |- Monitor health of application routes, and the endpoints behind them.
-- Report outages to Red Hat and AWS.
+- Report outages to Red{nbsp}Hat and AWS.
 
 |Virtual networking management
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Monitor AWS load balancers, Amazon VPC subnets, and AWS service components necessary for default
 platform networking. Respond to alerts.
@@ -34,7 +34,7 @@ Direct Connect for potential issues or
 security threats.
 
 |Virtual storage management
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Monitor Amazon EBS volumes attached to cluster nodes and Amazon S3 buckets used for the ROSA service’s built-in container image
 registry. Respond to alerts.
@@ -44,28 +44,28 @@ used, create and control the key lifecycle and
 key policies for Amazon EBS encryption.
 
 |Platform monitoring
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Maintain a centralized monitoring and alerting system for all ROSA cluster components, site reliability engineer (SRE) services, and underlying AWS accounts.
 |
 
 |Incident management
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Raise and manage known incidents.
 - Share root cause analysis (RCA) drafts with the customer.
 |- Raise known incidents through a support case.
 
 |Infrastructure and data resiliency
-|**Red Hat**
+|**Red{nbsp}Hat**
 
-- There is no Red Hat-provided backup method available for ROSA clusters with STS.
-- Red Hat does not commit to any Recovery Point Objective (RPO) or Recovery Time Objective (RTO).
+- There is no Red{nbsp}Hat-provided backup method available for ROSA clusters with STS.
+- Red{nbsp}Hat does not commit to any Recovery Point Objective (RPO) or Recovery Time Objective (RTO).
 |- Take regular backups of data and deploy multi-AZ clusters with workloads that follow Kubernetes best practices to ensure high availability within a region.
 - If an entire cloud region is unavailable, install a new cluster in a different region and restore apps using backup data.
 
 |Cluster capacity
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Manage the capacity of all control plane and infrastructure nodes on the cluster.
 - Evaluate cluster capacity during upgrades and in response to cluster alerts.
@@ -96,11 +96,11 @@ Platform audit logs are securely forwarded to a centralized security information
 
 [id="rosa-policy-incident-management_{context}"]
 == Incident management
-An incident is an event that results in a degradation or outage of one or more Red Hat services. An incident can be raised by a customer or a Customer Experience and Engagement (CEE) member through a support case, directly by the centralized monitoring and alerting system, or directly by a member of the SRE team.
+An incident is an event that results in a degradation or outage of one or more Red{nbsp}Hat services. An incident can be raised by a customer or a Customer Experience and Engagement (CEE) member through a support case, directly by the centralized monitoring and alerting system, or directly by a member of the SRE team.
 
 Depending on the impact on the service and customer, the incident is categorized in terms of link:https://access.redhat.com/support/offerings/production/sla[severity].
 
-When managing a new incident, Red Hat uses the following general workflow:
+When managing a new incident, Red{nbsp}Hat uses the following general workflow:
 
 . An SRE first responder is alerted to a new incident and begins an initial investigation.
 . After the initial investigation, the incident is assigned an incident lead, who coordinates the recovery efforts.
@@ -109,8 +109,8 @@ When managing a new incident, Red Hat uses the following general workflow:
 . The incident is documented and a root cause analysis (RCA) is performed within 5 business days of the incident.
 . An RCA draft document will be shared with the customer within 7 business days of the incident.
 
-Red Hat also assists with customer incidents raised through support cases. 
-Red Hat can assist with activities including but not limited to:
+Red{nbsp}Hat also assists with customer incidents raised through support cases. 
+Red{nbsp}Hat can assist with activities including but not limited to:
 
 * Forensic gathering, including isolating virtual compute
 * Guiding compute image collection
@@ -157,4 +157,4 @@ Red Hat can assist with activities including but not limited to:
 
 The impact of a cluster upgrade on capacity is evaluated as part of the upgrade testing process to ensure that capacity is not negatively impacted by new additions to the cluster. During a cluster upgrade, additional worker nodes are added to make sure that total cluster capacity is maintained during the upgrade process.
 
-Capacity evaluations by the Red Hat SRE staff also happen in response to alerts from the cluster, after usage thresholds are exceeded for a certain period of time. Such alerts can also result in a notification to the customer.
+Capacity evaluations by the Red{nbsp}Hat SRE staff also happen in response to alerts from the cluster, after usage thresholds are exceeded for a certain period of time. Such alerts can also result in a notification to the customer.
diff --git a/modules/rosa-policy-responsibilities.adoc b/modules/rosa-policy-responsibilities.adoc
index 930c87d8f9ee..e5f60d87f765 100644
--- a/modules/rosa-policy-responsibilities.adoc
+++ b/modules/rosa-policy-responsibilities.adoc
@@ -7,11 +7,11 @@
 = Shared responsibilities for {product-title}
 
 
-While Red Hat and Amazon Web Services (AWS) manage the {product-title} services, the customer shares certain responsibilities. The {product-title} services are accessed remotely, hosted on public cloud resources, created in customer-owned AWS accounts, and have underlying platform and data security that is owned by Red Hat.
+While Red{nbsp}Hat and Amazon Web Services (AWS) manage the {product-title} services, the customer shares certain responsibilities. The {product-title} services are accessed remotely, hosted on public cloud resources, created in customer-owned AWS accounts, and have underlying platform and data security that is owned by Red{nbsp}Hat.
 
 [IMPORTANT]
 ====
-If the `cluster-admin` role is added to a user, see the responsibilities and exclusion notes in the link:https://www.redhat.com/en/about/agreements[Red Hat Enterprise Agreement Appendix 4 (Online Subscription Services)].
+If the `cluster-admin` role is added to a user, see the responsibilities and exclusion notes in the link:https://www.redhat.com/en/about/agreements[Red{nbsp}Hat Enterprise Agreement Appendix 4 (Online Subscription Services)].
 ====
 
 [cols="2a,3a,3a,3a,3a,3a",options="header"]
@@ -30,23 +30,23 @@ If the `cluster-admin` role is added to a user, see the responsibilities and exc
 
 |Developer services |Customer |Customer |Customer |Customer |Customer
 
-|Platform monitoring |Red Hat |Red Hat |Red Hat |Red Hat |Red Hat
+|Platform monitoring |Red{nbsp}Hat |Red{nbsp}Hat |Red{nbsp}Hat |Red{nbsp}Hat |Red{nbsp}Hat
 
-|Logging |Red Hat |Red Hat and Customer |Red Hat and Customer |Red Hat and Customer |Red Hat
+|Logging |Red{nbsp}Hat |Red{nbsp}Hat and Customer |Red{nbsp}Hat and Customer |Red{nbsp}Hat and Customer |Red{nbsp}Hat
 
-|Application networking |Red Hat and Customer |Red Hat and Customer |Red Hat and Customer |Red Hat |Red Hat
+|Application networking |Red{nbsp}Hat and Customer |Red{nbsp}Hat and Customer |Red{nbsp}Hat and Customer |Red{nbsp}Hat |Red{nbsp}Hat
 
-|Cluster networking |Red Hat |Red Hat and Customer |Red Hat and Customer |Red Hat |Red Hat
+|Cluster networking |Red{nbsp}Hat |Red{nbsp}Hat and Customer |Red{nbsp}Hat and Customer |Red{nbsp}Hat |Red{nbsp}Hat
 
-|Virtual networking management |Red Hat and Customer |Red Hat and Customer |Red Hat and Customer |Red Hat and Customer |Red Hat and Customer
+|Virtual networking management |Red{nbsp}Hat and Customer |Red{nbsp}Hat and Customer |Red{nbsp}Hat and Customer |Red{nbsp}Hat and Customer |Red{nbsp}Hat and Customer
 
-|Virtual compute management (control plane, infrastructure and worker nodes) |Red Hat |Red Hat |Red Hat |Red Hat |Red Hat
+|Virtual compute management (control plane, infrastructure and worker nodes) |Red{nbsp}Hat |Red{nbsp}Hat |Red{nbsp}Hat |Red{nbsp}Hat |Red{nbsp}Hat
 
-|Cluster version |Red Hat |Red Hat and Customer |Red Hat |Red Hat |Red Hat
+|Cluster version |Red{nbsp}Hat |Red{nbsp}Hat and Customer |Red{nbsp}Hat |Red{nbsp}Hat |Red{nbsp}Hat
 
-|Capacity management |Red Hat |Red Hat and Customer |Red Hat |Red Hat |Red Hat
+|Capacity management |Red{nbsp}Hat |Red{nbsp}Hat and Customer |Red{nbsp}Hat |Red{nbsp}Hat |Red{nbsp}Hat
 
-|Virtual storage management |Red Hat |Red Hat |Red Hat |Red Hat |Red Hat
+|Virtual storage management |Red{nbsp}Hat |Red{nbsp}Hat |Red{nbsp}Hat |Red{nbsp}Hat |Red{nbsp}Hat
 
 |AWS software (public AWS services) |AWS |AWS
 |AWS |AWS |AWS
diff --git a/modules/rosa-policy-security-and-compliance.adoc b/modules/rosa-policy-security-and-compliance.adoc
index 8f149f2f84a8..7ca27a565e75 100644
--- a/modules/rosa-policy-security-and-compliance.adoc
+++ b/modules/rosa-policy-security-and-compliance.adoc
@@ -14,14 +14,14 @@ The following table outlines the  the responsibilities in regards to security an
 |Customer responsibilities
 
 |Logging
-|**Red Hat**
+|**Red{nbsp}Hat**
 
-- Send cluster audit logs to a Red Hat SIEM to analyze for security events. Retain audit logs for a defined period of time to support forensic analysis.
+- Send cluster audit logs to a Red{nbsp}Hat SIEM to analyze for security events. Retain audit logs for a defined period of time to support forensic analysis.
 |- Analyze application logs for security events.
 - Send application logs to an external endpoint through logging sidecar containers or third-party logging applications if longer retention is required than is offered by the default logging stack.
 
 |Virtual networking management
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Monitor virtual networking components for potential issues and security threats.
 
@@ -31,7 +31,7 @@ The following table outlines the  the responsibilities in regards to security an
 - Configure any necessary firewall rules or customer data center protections as required.
 
 |Virtual storage management
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Monitor virtual storage components for potential issues and security threats.
 
@@ -56,7 +56,7 @@ images from unauthorized user access.
 persistent volume though OpenShift Cluster Manager.
 
 |Virtual compute management
-|**Red Hat**
+|**Red{nbsp}Hat**
 
 - Monitor virtual compute components for potential issues and security threats.
 
diff --git a/modules/rosa-policy-security-regulation-compliance.adoc b/modules/rosa-policy-security-regulation-compliance.adoc
index 485b7a0f660e..ecec57802f63 100644
--- a/modules/rosa-policy-security-regulation-compliance.adoc
+++ b/modules/rosa-policy-security-regulation-compliance.adoc
@@ -10,7 +10,7 @@ Security and regulation compliance includes tasks such as the implementation of
 
 [id="rosa-policy-data-classification_{context}"]
 == Data classification
-Red Hat defines and follows a data classification standard to determine the sensitivity of data and highlight inherent risk to the confidentiality and integrity of that data while it is collected, used, transmitted, stored, and processed. Customer-owned data is classified at the highest level of sensitivity and handling requirements.
+Red{nbsp}Hat defines and follows a data classification standard to determine the sensitivity of data and highlight inherent risk to the confidentiality and integrity of that data while it is collected, used, transmitted, stored, and processed. Customer-owned data is classified at the highest level of sensitivity and handling requirements.
 
 [id="rosa-policy-data-management_{context}"]
 == Data management
@@ -20,7 +20,7 @@ When a customer deletes their ROSA cluster, all cluster data is permanently dele
 
 [id="rosa-policy-vulnerability-management_{context}"]
 == Vulnerability management
-Red Hat performs periodic vulnerability scanning of ROSA using industry standard tools. Identified vulnerabilities are tracked to their remediation according to timelines based on severity. Vulnerability scanning and remediation activities are documented for verification by third-party assessors in the course of compliance certification audits.
+Red{nbsp}Hat performs periodic vulnerability scanning of ROSA using industry standard tools. Identified vulnerabilities are tracked to their remediation according to timelines based on severity. Vulnerability scanning and remediation activities are documented for verification by third-party assessors in the course of compliance certification audits.
 
 [id="rosa-policy-network-security_{context}"]
 == Network security
@@ -31,7 +31,7 @@ Each ROSA cluster is protected by a secure network configuration using firewall
 
 [id="rosa-policy-private-clusters-network-connectivity_{context}"]
 === Private clusters and network connectivity
-Customers can optionally configure their ROSA cluster endpoints, such as web console, API, and application router, to be made private so that the cluster control plane and applications are not accessible from the Internet. Red Hat SRE still requires Internet-accessible endpoints that are protected with IP allow-lists.
+Customers can optionally configure their ROSA cluster endpoints, such as web console, API, and application router, to be made private so that the cluster control plane and applications are not accessible from the Internet. Red{nbsp}Hat SRE still requires Internet-accessible endpoints that are protected with IP allow-lists.
 
 AWS customers can configure a private network connection to their ROSA cluster through technologies such as AWS VPC peering, AWS VPN, or AWS Direct Connect.
 
@@ -41,7 +41,7 @@ Fine-grained network access control rules can be configured by customers, on a p
 
 [id="rosa-policy-penetration-testing_{context}"]
 == Penetration testing
-Red Hat performs periodic penetration tests against ROSA. Tests are performed by an independent internal team by using industry standard tools and best practices.
+Red{nbsp}Hat performs periodic penetration tests against ROSA. Tests are performed by an independent internal team by using industry standard tools and best practices.
 
 Any issues that may be discovered are prioritized based on severity. Any issues found belonging to open source projects are shared with the community for resolution.
 
diff --git a/modules/rosa-policy-shared-responsibility.adoc b/modules/rosa-policy-shared-responsibility.adoc
index b6944a8243d1..d6c7d1a1161c 100644
--- a/modules/rosa-policy-shared-responsibility.adoc
+++ b/modules/rosa-policy-shared-responsibility.adoc
@@ -5,4 +5,4 @@
 [id="rosa-policy-shared-responsibility_{context}"]
 = Tasks for shared responsibilities by area
 
-Red Hat, AWS, and the customer all share responsibility for the monitoring, maintenance, and overall health of a {product-title} (ROSA) cluster. This documentation illustrates the delineation of responsibilities for each of the listed resources as shown in the tables below.
\ No newline at end of file
+Red{nbsp}Hat, AWS, and the customer all share responsibility for the monitoring, maintenance, and overall health of a {product-title} (ROSA) cluster. This documentation illustrates the delineation of responsibilities for each of the listed resources as shown in the tables below.
\ No newline at end of file
diff --git a/modules/rosa-red-hat-support-access.adoc b/modules/rosa-red-hat-support-access.adoc
index ad329e657ddb..46cc59f737d0 100644
--- a/modules/rosa-red-hat-support-access.adoc
+++ b/modules/rosa-red-hat-support-access.adoc
@@ -5,8 +5,8 @@
 :_mod-docs-content-type: REFERENCE
 
 [id="rosa-policy-rh-access_{context}"]
-= Red Hat support access
-Members of the Red Hat Customer Experience and Engagement (CEE) team typically have read-only access to parts of the cluster. Specifically, CEE has limited access to the core and product namespaces and does not have access to the customer namespaces.
+= Red{nbsp}Hat support access
+Members of the Red{nbsp}Hat Customer Experience and Engagement (CEE) team typically have read-only access to parts of the cluster. Specifically, CEE has limited access to the core and product namespaces and does not have access to the customer namespaces.
 
 [cols= "2a,4a,4a,4a,4a",options="header"]
 
@@ -97,7 +97,7 @@ Write: None
 |===
 --
 1. Limited to addressing common use cases such as failing deployments, upgrading a cluster, and replacing bad worker nodes.
-2. Red Hat associates have no access to customer data by default.
+2. Red{nbsp}Hat associates have no access to customer data by default.
 3. SRE access to the AWS account is an emergency procedure for exceptional troubleshooting during a documented incident.
 4. Limited to what is granted through RBAC by the Customer Administrator and namespaces created by the user.
 --
\ No newline at end of file
diff --git a/modules/rosa-required-aws-service-quotas.adoc b/modules/rosa-required-aws-service-quotas.adoc
index 4f0410536ce9..58175ad34212 100644
--- a/modules/rosa-required-aws-service-quotas.adoc
+++ b/modules/rosa-required-aws-service-quotas.adoc
@@ -8,7 +8,7 @@
 
 The table below describes the AWS service quotas and levels required to create and run one {product-title} cluster. Although most default values are suitable for most workloads, you might need to request additional quota for the following cases:
 
-* ROSA clusters require at least 100 vCPUs, but the default maximum value for vCPUs assigned to Running On-Demand Standard Amazon EC2 instances is `5`. Therefore if you have not created a ROSA cluster using the same AWS account previously, you must request additional EC2 quota for `Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances`.
+* ROSA (classic architecture) clusters require a minimum AWS EC2 service quota of 100 vCPUs to provide for cluster creation, availability, and upgrades. The default maximum value for vCPUs assigned to Running On-Demand Standard Amazon EC2 instances is `5`. Therefore if you have not created a ROSA cluster using the same AWS account previously, you must request additional EC2 quota for `Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances`.
 
 * Some optional cluster configuration features, such as custom security groups, might require you to request additional quota. For example, because ROSA associates 1 security group with network interfaces in worker machine pools by default, and the default quota for `Security groups per network interface` is `5`, if you want to add 5 custom security groups, you must request additional quota, because this would bring the total number of security groups on worker network interfaces to 6.
 
diff --git a/modules/rosa-rhods.adoc b/modules/rosa-rhods.adoc
index 667bd76a42aa..37bd694972f8 100644
--- a/modules/rosa-rhods.adoc
+++ b/modules/rosa-rhods.adoc
@@ -3,6 +3,6 @@
 // * adding_service_cluster/rosa-available-services.adoc
 :_mod-docs-content-type: CONCEPT
 [id="rosa-rhods_{context}"]
-= Red Hat OpenShift Data Science
+= Red{nbsp}Hat OpenShift Data Science
 
-{rhods} (RHODS) enables users to integrate data and AI and machine learning software to run end-to-end machine learning workflows. It provides a collection of notebook images with the tools and libraries required to develop and deploy data models. This allows data scientists to easily develop data models, integrate models into applications, and deploy applications using Red Hat OpenShift. RHODS is available as an add-on to Red Hat managed environments such as {osd} and {product-title} (ROSA).
+{rhods} (RHODS) enables users to integrate data and AI and machine learning software to run end-to-end machine learning workflows. It provides a collection of notebook images with the tools and libraries required to develop and deploy data models. This allows data scientists to easily develop data models, integrate models into applications, and deploy applications using Red{nbsp}Hat OpenShift. RHODS is available as an add-on to Red{nbsp}Hat managed environments such as {osd} and {product-title} (ROSA).
diff --git a/modules/rosa-scaling-worker-nodes.adoc b/modules/rosa-scaling-worker-nodes.adoc
index fb2a52cc0b21..c5aced2de661 100644
--- a/modules/rosa-scaling-worker-nodes.adoc
+++ b/modules/rosa-scaling-worker-nodes.adoc
@@ -16,7 +16,7 @@ You must scale each machine pool separately.
 
 ifdef::openshift-rosa[]
 * You installed and configured the latest {product-title} (ROSA) CLI, `rosa`, on your workstation.
-* You logged in to your Red Hat account using the ROSA CLI (`rosa`).
+* You logged in to your Red{nbsp}Hat account using the ROSA CLI (`rosa`).
 * You created a {product-title} (ROSA) cluster.
 endif::openshift-rosa[]
 ifndef::openshift-rosa[]
diff --git a/modules/rosa-sdpolicy-am-billing.adoc b/modules/rosa-sdpolicy-am-billing.adoc
index 3ac751177e30..53e0781102c8 100644
--- a/modules/rosa-sdpolicy-am-billing.adoc
+++ b/modules/rosa-sdpolicy-am-billing.adoc
@@ -4,8 +4,11 @@
 // * rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc
 :_mod-docs-content-type: CONCEPT
 [id="rosa-sdpolicy-billing_{context}"]
-= Billing
+= Billing and pricing
 
-{product-title} is billed through Amazon Web Services (AWS) based on the usage of AWS components used by the service, such as load balancers, storage, EC2 instances, other components, and Red Hat subscriptions for the OpenShift service.
+{product-title} is billed directly to your {AWS} account. ROSA pricing is consumption based, with annual commitments or three-year commitments for greater discounting. The total cost of ROSA consists of two components:
 
-Any additional Red Hat software must be purchased separately.
\ No newline at end of file
+* ROSA service fees
+* AWS infrastructure fees
+
+Visit the link:https://aws.amazon.com/rosa/pricing/[{product-title} Pricing] page on the AWS website for more details.
\ No newline at end of file
diff --git a/modules/rosa-sdpolicy-am-compute.adoc b/modules/rosa-sdpolicy-am-compute.adoc
index 040dc874e3ff..aae881e2466a 100644
--- a/modules/rosa-sdpolicy-am-compute.adoc
+++ b/modules/rosa-sdpolicy-am-compute.adoc
@@ -22,7 +22,7 @@ Multiple availability zone clusters require a minimum of 3 control plane nodes,
 
 All {product-title} clusters support a maximum of 180 worker nodes.
 
-Control plane and infrastructure nodes are deployed and managed by Red Hat. Shutting down the underlying infrastructure through the cloud provider console is unsupported and can lead to data loss. There are at least 3 control plane nodes that handle etcd- and API-related workloads. There are at least 2 infrastructure nodes that handle metrics, routing, the web console, and other workloads. You must not run any workloads on the control and infrastructure nodes. Any workloads you intend to run must be deployed on worker nodes. See the Red Hat Operator support section below for more information about Red Hat workloads that must be deployed on worker nodes.
+Control plane and infrastructure nodes are deployed and managed by Red{nbsp}Hat. Shutting down the underlying infrastructure through the cloud provider console is unsupported and can lead to data loss. There are at least 3 control plane nodes that handle etcd- and API-related workloads. There are at least 2 infrastructure nodes that handle metrics, routing, the web console, and other workloads. You must not run any workloads on the control and infrastructure nodes. Any workloads you intend to run must be deployed on worker nodes. See the Red{nbsp}Hat Operator support section below for more information about Red{nbsp}Hat workloads that must be deployed on worker nodes.
 endif::rosa-with-hcp[]
 
 [NOTE]
diff --git a/modules/rosa-sdpolicy-am-limited-support.adoc b/modules/rosa-sdpolicy-am-limited-support.adoc
index afd09513bff0..a0a6026acbec 100644
--- a/modules/rosa-sdpolicy-am-limited-support.adoc
+++ b/modules/rosa-sdpolicy-am-limited-support.adoc
@@ -12,17 +12,17 @@ endif::[]
 [id="rosa-limited-support_{context}"]
 = Limited support status
 
-When a cluster transitions to a _Limited Support_ status, Red Hat no longer proactively monitors the cluster, the SLA is no longer applicable, and credits requested against the SLA are denied. It does not mean that you no longer have product support. In some cases, the cluster can return to a fully-supported status if you remediate the violating factors. However, in other cases, you might have to delete and recreate the cluster.
+When a cluster transitions to a _Limited Support_ status, Red{nbsp}Hat no longer proactively monitors the cluster, the SLA is no longer applicable, and credits requested against the SLA are denied. It does not mean that you no longer have product support. In some cases, the cluster can return to a fully-supported status if you remediate the violating factors. However, in other cases, you might have to delete and recreate the cluster.
 
 A cluster might move to a Limited Support status for many reasons, including the following scenarios:
 
 ifndef::rosa-with-hcp[]
-If you do not upgrade a cluster to a supported version before the end-of-life date:: Red Hat does not make any runtime or SLA guarantees for versions after their end-of-life date. To receive continued support, upgrade the cluster to a supported version prior to the end-of-life date. If you do not upgrade the cluster prior to the end-of-life date, the cluster transitions to a Limited Support status until it is upgraded to a supported version.
+If you do not upgrade a cluster to a supported version before the end-of-life date:: Red{nbsp}Hat does not make any runtime or SLA guarantees for versions after their end-of-life date. To receive continued support, upgrade the cluster to a supported version prior to the end-of-life date. If you do not upgrade the cluster prior to the end-of-life date, the cluster transitions to a Limited Support status until it is upgraded to a supported version.
 +
-Red Hat provides commercially reasonable support to upgrade from an unsupported version to a supported version. However, if a supported upgrade path is no longer available, you might have to create a new cluster and migrate your workloads.
+Red{nbsp}Hat provides commercially reasonable support to upgrade from an unsupported version to a supported version. However, if a supported upgrade path is no longer available, you might have to create a new cluster and migrate your workloads.
 
 endif::rosa-with-hcp[]
-If you remove or replace any native {product-title} components or any other component that is installed and managed by Red Hat:: If cluster administrator permissions were used, Red Hat is not responsible for any of your or your authorized users’ actions, including those that affect infrastructure services, service availability, or data loss. If Red Hat detects any such actions, the cluster might transition to a Limited Support status. Red Hat notifies you of the status change and you should either revert the action or create a support case to explore remediation steps that might require you to delete and recreate the cluster.
+If you remove or replace any native {product-title} components or any other component that is installed and managed by Red{nbsp}Hat:: If cluster administrator permissions were used, Red{nbsp}Hat is not responsible for any of your or your authorized users’ actions, including those that affect infrastructure services, service availability, or data loss. If Red{nbsp}Hat detects any such actions, the cluster might transition to a Limited Support status. Red{nbsp}Hat notifies you of the status change and you should either revert the action or create a support case to explore remediation steps that might require you to delete and recreate the cluster.
 
 If you have questions about a specific action that might cause a cluster to move to a Limited Support status or need further assistance, open a support ticket.
 ifeval::["{context}" == "rosa-hcp-service-definition"]
diff --git a/modules/rosa-sdpolicy-am-regions-az.adoc b/modules/rosa-sdpolicy-am-regions-az.adoc
index cb9ded83a872..81d7c21824a3 100644
--- a/modules/rosa-sdpolicy-am-regions-az.adoc
+++ b/modules/rosa-sdpolicy-am-regions-az.adoc
@@ -17,7 +17,7 @@ ifdef::rosa-with-hcp[]
 for {hcp-title}.
 endif::rosa-with-hcp[]
 ifndef::rosa-with-hcp[]
-for Red Hat OpenShift 4 and are supported for {product-title}.
+for Red{nbsp}Hat OpenShift 4 and are supported for {product-title}.
 endif::rosa-with-hcp[]
 
 [NOTE]
@@ -27,7 +27,7 @@ Regions in China are not supported, regardless of their support on OpenShift 4.
 
 [NOTE]
 ====
-For GovCloud (US) regions, you must submit an link:https://console.redhat.com/openshift/create/rosa/govcloud[Access request for Red Hat OpenShift Service on AWS (ROSA) FedRAMP].
+For GovCloud (US) regions, you must submit an link:https://console.redhat.com/openshift/create/rosa/govcloud[Access request for Red{nbsp}Hat OpenShift Service on AWS (ROSA) FedRAMP].
 
 GovCloud (US) regions are only supported on ROSA Classic clusters.
 ====
diff --git a/modules/rosa-sdpolicy-am-sla.adoc b/modules/rosa-sdpolicy-am-sla.adoc
index 46878ca798e4..8257fd150728 100644
--- a/modules/rosa-sdpolicy-am-sla.adoc
+++ b/modules/rosa-sdpolicy-am-sla.adoc
@@ -7,4 +7,4 @@
 = Service Level Agreement (SLA)
 
 //Note for writers: Do not link directly to the appendix 4 PDF, as each PDF is dated at generation and will not be kept up to date.
-Any SLAs for the service itself are defined in Appendix 4 of the link:https://www.redhat.com/en/about/appendices[Red Hat Enterprise Agreement Appendix 4 (Online Subscription Services)].
\ No newline at end of file
+Any SLAs for the service itself are defined in Appendix 4 of the link:https://www.redhat.com/en/about/appendices[Red{nbsp}Hat Enterprise Agreement Appendix 4 (Online Subscription Services)].
\ No newline at end of file
diff --git a/modules/rosa-sdpolicy-am-support.adoc b/modules/rosa-sdpolicy-am-support.adoc
index 80c607b69500..652a97659d4b 100644
--- a/modules/rosa-sdpolicy-am-support.adoc
+++ b/modules/rosa-sdpolicy-am-support.adoc
@@ -6,7 +6,7 @@
 [id="rosa-sdpolicy-support_{context}"]
 = Support
 
-{product-title} includes Red Hat Premium Support, which can be accessed by using the link:https://access.redhat.com/support?extIdCarryOver=true&sc_cid=701f2000001Css5AAC[Red Hat Customer Portal].
+{product-title} includes Red{nbsp}Hat Premium Support, which can be accessed by using the link:https://access.redhat.com/support?extIdCarryOver=true&sc_cid=701f2000001Css5AAC[Red{nbsp}Hat Customer Portal].
 
 See {product-title} link:https://access.redhat.com/support/offerings/openshift/sla?extIdCarryOver=true&sc_cid=701f2000001Css5AAC[SLAs] for support response times.
 
diff --git a/modules/rosa-sdpolicy-networking.adoc b/modules/rosa-sdpolicy-networking.adoc
index f3683c4cbeef..0f0b26227db5 100644
--- a/modules/rosa-sdpolicy-networking.adoc
+++ b/modules/rosa-sdpolicy-networking.adoc
@@ -40,8 +40,8 @@ ifndef::rosa-with-hcp[]
 {product-title} uses up to five different load balancers:
 
 - An internal control plane load balancer that is internal to the cluster and used to balance traffic for internal cluster communications.
-- An external control plane load balancer that is used for accessing the OpenShift and Kubernetes APIs. This load balancer can be disabled in {cluster-manager}. If this load balancer is disabled, Red Hat reconfigures the API DNS to point to the internal control plane load balancer.
-- An external control plane load balancer for Red Hat that is reserved for cluster management by Red Hat. Access is strictly controlled, and communication is only possible from whitelisted bastion hosts.
+- An external control plane load balancer that is used for accessing the OpenShift and Kubernetes APIs. This load balancer can be disabled in {cluster-manager}. If this load balancer is disabled, Red{nbsp}Hat reconfigures the API DNS to point to the internal control plane load balancer.
+- An external control plane load balancer for Red{nbsp}Hat that is reserved for cluster management by Red{nbsp}Hat. Access is strictly controlled, and communication is only possible from whitelisted bastion hosts.
 - A default external router/ingress load balancer that is the default application load balancer, denoted by `apps` in the URL. The default load balancer can be configured in {cluster-manager} to be either publicly accessible over the Internet or only privately accessible over a pre-existing private connection. All application routes on the cluster are exposed on this default router load balancer, including cluster services such as the logging UI, metrics API, and registry.
 - Optional: A secondary router/ingress load balancer that is a secondary application load balancer, denoted by `apps2` in the URL. The secondary load balancer can be configured in {cluster-manager} to be either publicly accessible over the Internet or only privately accessible over a pre-existing private connection. If a `Label match` is configured for this router load balancer, then only application routes matching this label are exposed on this router load balancer; otherwise, all application routes are also exposed on this router load balancer.
 - Optional: Load balancers for services. Enable non-HTTP/SNI traffic and non-standard ports for services. These load balancers can be mapped to a service running on {product-title} to enable advanced ingress features, such as non-HTTP/SNI traffic or the use of non-standard ports. Each AWS account has a quota which link:https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-limits.html[limits the number of Classic Load Balancers] that can be used within each cluster.
@@ -87,7 +87,7 @@ endif::rosa-with-hcp[]
 
 [IMPORTANT]
 ====
-Red Hat site reliability engineers (SREs) do not monitor private network connections. Monitoring these connections is the responsibility of the customer.
+Red{nbsp}Hat site reliability engineers (SREs) do not monitor private network connections. Monitoring these connections is the responsibility of the customer.
 ====
 
 [id="rosa-sdpolicy-dns-forwarding_{context}"]
diff --git a/modules/rosa-sdpolicy-platform.adoc b/modules/rosa-sdpolicy-platform.adoc
index 28a6e7fe17dc..e913d0da5e53 100644
--- a/modules/rosa-sdpolicy-platform.adoc
+++ b/modules/rosa-sdpolicy-platform.adoc
@@ -11,7 +11,7 @@ endif::[]
 :_mod-docs-content-type: ASSEMBLY
 [id="rosa-sdpolicy-platform_{context}"]
 = Platform
-:productwinc: Red Hat OpenShift support for Windows Containers
+:productwinc: Red{nbsp}Hat OpenShift support for Windows Containers
 
 This section provides information about the service definition for the
 ifdef::rosa-with-hcp[]
@@ -26,7 +26,7 @@ endif::rosa-with-hcp[]
 
 [IMPORTANT]
 ====
-Red Hat does not provide a backup method for ROSA clusters with STS, which is the default. It is critical that customers have a backup plan for their applications and application data. 
+Red{nbsp}Hat does not provide a backup method for ROSA clusters with STS, which is the default. It is critical that customers have a backup plan for their applications and application data. 
 ifndef::rosa-with-hcp[]
 The table below only applies to clusters created with IAM user credentials.
 endif::rosa-with-hcp[]
@@ -116,7 +116,7 @@ endif::rosa-with-hcp[]
 
 [id="rosa-sdpolicy-node-labels_{context}"]
 == Node labels
-Custom node labels are created by Red Hat during node creation and cannot be changed on
+Custom node labels are created by Red{nbsp}Hat during node creation and cannot be changed on
 ifdef::rosa-with-hcp[]
 {hcp-title-first}
 endif::rosa-with-hcp[]
@@ -163,15 +163,15 @@ endif::rosa-with-hcp[]
 ifndef::rosa-with-hcp[]
 {product-title}
 endif::rosa-with-hcp[]
-runs on OpenShift 4 and uses Red Hat CoreOS as the operating system for all control plane and worker nodes.
+runs on OpenShift 4 and uses Red{nbsp}Hat CoreOS as the operating system for all control plane and worker nodes.
 
 [id="rosa-sdpolicy-red-hat-operator_{context}"]
-== Red Hat Operator support
-Red Hat workloads typically refer to Red Hat-provided Operators made available through Operator Hub. Red Hat workloads are not managed by the Red Hat SRE team, and must be deployed on worker nodes. These Operators may require additional Red Hat subscriptions, and may incur additional cloud infrastructure costs. Examples of these Red Hat-provided Operators are:
+== Red{nbsp}Hat Operator support
+Red{nbsp}Hat workloads typically refer to Red{nbsp}Hat-provided Operators made available through Operator Hub. Red{nbsp}Hat workloads are not managed by the Red{nbsp}Hat SRE team, and must be deployed on worker nodes. These Operators may require additional Red{nbsp}Hat subscriptions, and may incur additional cloud infrastructure costs. Examples of these Red{nbsp}Hat-provided Operators are:
 
 * {rhq-short}
-* Red Hat Advanced Cluster Management
-* Red Hat Advanced Cluster Security
+* Red{nbsp}Hat Advanced Cluster Management
+* Red{nbsp}Hat Advanced Cluster Security
 * {SMProductName}
 * {ServerlessProductName}
 * {logging-sd}
@@ -179,7 +179,7 @@ Red Hat workloads typically refer to Red Hat-provided Operators made available t
 
 [id="rosa-sdpolicy-kubernetes-operator_{context}"]
 == Kubernetes Operator support
-All Operators listed in the OperatorHub marketplace should be available for installation. These Operators are considered customer workloads, and are not monitored by Red Hat SRE.
+All Operators listed in the OperatorHub marketplace should be available for installation. These Operators are considered customer workloads, and are not monitored by Red{nbsp}Hat SRE.
 
 ifeval::["{context}" == "rosa-hcp-service-definition"]
 :!rosa-with-hcp:
diff --git a/modules/rosa-sdpolicy-security.adoc b/modules/rosa-sdpolicy-security.adoc
index d1ab8f0b80a2..fd3bc97e693d 100644
--- a/modules/rosa-sdpolicy-security.adoc
+++ b/modules/rosa-sdpolicy-security.adoc
@@ -32,7 +32,7 @@ Authentication for the cluster can be configured using either {cluster-manager-u
 
 [id="rosa-sdpolicy-privileged-containers_{context}"]
 == Privileged containers
-Privileged containers are available for users with the `cluster-admin` role. Usage of privileged containers as `cluster-admin` is subject to the responsibilities and exclusion notes in the link:https://www.redhat.com/en/about/agreements[Red Hat Enterprise Agreement Appendix 4] (Online Subscription Services).
+Privileged containers are available for users with the `cluster-admin` role. Usage of privileged containers as `cluster-admin` is subject to the responsibilities and exclusion notes in the link:https://www.redhat.com/en/about/agreements[Red{nbsp}Hat Enterprise Agreement Appendix 4] (Online Subscription Services).
 
 [id="rosa-sdpolicy-customer-admin-user_{context}"]
 == Customer administrator user
@@ -86,13 +86,8 @@ $ oc adm policy add-cluster-role-to-group self-provisioner system:authenticated:
 
 [id="rosa-sdpolicy-regulatory-compliance_{context}"]
 == Regulatory compliance
-
-ifdef::rosa-with-hcp[]
-{hcp-title} is currently in the process of obtaining compliance certifications.
-endif::rosa-with-hcp[]
-ifndef::rosa-with-hcp[]
-See Understanding process and security for ROSA for the latest compliance information.
-endif::rosa-with-hcp[]
+//removing conditionals and first sentence as rosa-with-hcp has now obtained compliance certifications
+See the _Compliance_ table in _Understanding process and security for ROSA_ for the latest compliance information.
 
 [id="rosa-sdpolicy-network-security_{context}"]
 == Network security
@@ -130,7 +125,7 @@ The etcd encryption feature is not enabled by default and it can be enabled only
 
 [IMPORTANT]
 ====
-By enabling etcd encryption for the key values in etcd, you will incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Red Hat recommends that you enable etcd encryption only if you specifically require it for your use case.
+By enabling etcd encryption for the key values in etcd, you will incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Red{nbsp}Hat recommends that you enable etcd encryption only if you specifically require it for your use case.
 ====
 endif::rosa-with-hcp[]
 
diff --git a/modules/rosa-sdpolicy-storage.adoc b/modules/rosa-sdpolicy-storage.adoc
index 3125c3839b36..9e2ed9dbff72 100644
--- a/modules/rosa-sdpolicy-storage.adoc
+++ b/modules/rosa-sdpolicy-storage.adoc
@@ -52,7 +52,7 @@ endif::rosa-with-hcp[]
 ifndef::rosa-with-hcp[]
 {product-title}.
 endif::rosa-with-hcp[]
-A community Operator is provided to simplify setup. See link:https://access.redhat.com/articles/5025181[Amazon Elastic File Storage Setup for OpenShift Dedicated and Red Hat OpenShift Service on AWS] for details.
+A community Operator is provided to simplify setup. See link:https://access.redhat.com/articles/5025181[Amazon Elastic File Storage Setup for OpenShift Dedicated and Red{nbsp}Hat OpenShift Service on AWS] for details.
 
 ifeval::["{context}" == "rosa-hcp-service-definition"]
 :!rosa-with-hcp:
diff --git a/modules/rosa-sts-about-ocm-role.adoc b/modules/rosa-sts-about-ocm-role.adoc
index 5e4cfc9348e9..93f43b2ceb0f 100644
--- a/modules/rosa-sts-about-ocm-role.adoc
+++ b/modules/rosa-sts-about-ocm-role.adoc
@@ -5,17 +5,17 @@
 [id="rosa-sts-about-ocm-role_{context}"]
 = About the ocm-role IAM resource
 
-You must create the `ocm-role` IAM resource to enable a Red Hat organization of users to create {product-title} (ROSA) clusters. Within the context of linking to AWS, a Red Hat organization is a single user within {cluster-manager}.
+You must create the `ocm-role` IAM resource to enable a Red{nbsp}Hat organization of users to create {product-title} (ROSA) clusters. Within the context of linking to AWS, a Red{nbsp}Hat organization is a single user within {cluster-manager}.
 
 Some considerations for your `ocm-role` IAM resource are:
 
-* Only one `ocm-role` IAM role can be linked per Red Hat organization; however, you can have any number of `ocm-role` IAM roles per AWS account. The web UI requires that only one of these roles can be linked at a time.
-* Any user in a Red Hat organization may create and link an `ocm-role` IAM resource.
-* Only the Red Hat Organization Administrator can unlink an `ocm-role` IAM resource. This limitation is to protect other Red Hat organization members from disturbing the interface capabilities of other users.
+* Only one `ocm-role` IAM role can be linked per Red{nbsp}Hat organization; however, you can have any number of `ocm-role` IAM roles per AWS account. The web UI requires that only one of these roles can be linked at a time.
+* Any user in a Red{nbsp}Hat organization may create and link an `ocm-role` IAM resource.
+* Only the Red{nbsp}Hat Organization Administrator can unlink an `ocm-role` IAM resource. This limitation is to protect other Red{nbsp}Hat organization members from disturbing the interface capabilities of other users.
 +
 [NOTE]
 ====
-If you just created a Red Hat account that is not part of an existing organization, this account is also the Red Hat Organization Administrator.
+If you just created a Red{nbsp}Hat account that is not part of an existing organization, this account is also the Red{nbsp}Hat Organization Administrator.
 ====
 +
 * See "Understanding the {cluster-manager} role" in the Additional resources of this section for a list of the AWS permissions policies for the basic and admin `ocm-role` IAM resources.
@@ -24,7 +24,7 @@ Using the ROSA CLI (`rosa`), you can link your IAM resource when you create it.
 
 [NOTE]
 ====
-"Linking" or "associating" your IAM resources with your AWS account means creating a trust-policy with your `ocm-role` IAM role and the Red Hat {cluster-manager} AWS role. After creating and linking your IAM resource, you see a trust relationship from your `ocm-role` IAM resource in AWS with the `arn:aws:iam::7333:role/RH-Managed-OpenShift-Installer` resource.
+"Linking" or "associating" your IAM resources with your AWS account means creating a trust-policy with your `ocm-role` IAM role and the Red{nbsp}Hat {cluster-manager} AWS role. After creating and linking your IAM resource, you see a trust relationship from your `ocm-role` IAM resource in AWS with the `arn:aws:iam::7333:role/RH-Managed-OpenShift-Installer` resource.
 ====
 
-After a Red Hat Organization Administrator has created and linked an `ocm-role` IAM resource, all organization members may want to create and link their own `user-role` IAM role. This IAM resource only needs to be created and linked only once per user. If another user in your Red Hat organization has already created and linked an `ocm-role` IAM resource, you need to ensure you have created and linked your own `user-role` IAM role.
+After a Red{nbsp}Hat Organization Administrator has created and linked an `ocm-role` IAM resource, all organization members may want to create and link their own `user-role` IAM role. This IAM resource only needs to be created and linked only once per user. If another user in your Red{nbsp}Hat organization has already created and linked an `ocm-role` IAM resource, you need to ensure you have created and linked your own `user-role` IAM role.
diff --git a/modules/rosa-sts-about-user-role.adoc b/modules/rosa-sts-about-user-role.adoc
index 4633c80457d0..dde41c9134af 100644
--- a/modules/rosa-sts-about-user-role.adoc
+++ b/modules/rosa-sts-about-user-role.adoc
@@ -9,13 +9,13 @@ You need to create a `user-role` IAM role per web UI user to enable those users
 
 Some considerations for your `user-role` IAM role are:
 
-* You only need one `user-role` IAM role per Red Hat user account, but your Red Hat organization can have many of these IAM resources.
-* Any user in a Red Hat organization may create and link an `user-role` IAM role.
-* There can be numerous `user-role` IAM roles per AWS account per Red Hat organization.
-* Red Hat uses the `user-role` IAM role to identify the user. This IAM resource has no AWS account permissions.
-* Your AWS account can have multiple `user-role` IAM roles, but you must link each IAM role to each user in your Red Hat organization. No user can have more than one linked `user-role` IAM role.
+* You only need one `user-role` IAM role per Red{nbsp}Hat user account, but your Red{nbsp}Hat organization can have many of these IAM resources.
+* Any user in a Red{nbsp}Hat organization may create and link an `user-role` IAM role.
+* There can be numerous `user-role` IAM roles per AWS account per Red{nbsp}Hat organization.
+* Red{nbsp}Hat uses the `user-role` IAM role to identify the user. This IAM resource has no AWS account permissions.
+* Your AWS account can have multiple `user-role` IAM roles, but you must link each IAM role to each user in your Red{nbsp}Hat organization. No user can have more than one linked `user-role` IAM role.
 
 [NOTE]
 ====
-"Linking" or "associating" your IAM resources with your AWS account means creating a trust-policy with your `user-role` IAM role and the Red Hat {cluster-manager} AWS role. After creating and linking this IAM resource, you see a trust relationship from your `user-role` IAM role in AWS with the `arn:aws:iam::710019948333:role/RH-Managed-OpenShift-Installer` resource.
+"Linking" or "associating" your IAM resources with your AWS account means creating a trust-policy with your `user-role` IAM role and the Red{nbsp}Hat {cluster-manager} AWS role. After creating and linking this IAM resource, you see a trust relationship from your `user-role` IAM role in AWS with the `arn:aws:iam::710019948333:role/RH-Managed-OpenShift-Installer` resource.
 ====
diff --git a/modules/rosa-sts-account-roles-terraform.adoc b/modules/rosa-sts-account-roles-terraform.adoc
index 5b2186291c09..24dc27b385ac 100644
--- a/modules/rosa-sts-account-roles-terraform.adoc
+++ b/modules/rosa-sts-account-roles-terraform.adoc
@@ -63,7 +63,7 @@ $ export TF_VAR_account_role_prefix=<account_role_prefix>
 These files are created in your current directory. Ensure that you are in the directory where you want to run Terraform.
 ====
 
-.. The `main.tf` file calls the Red Hat Cloud Services Terraform provider, which allows you to use OpenShift services with Terraform. Run the following command to create the `main.tf` file:
+.. The `main.tf` file calls the Red{nbsp}Hat Cloud Services Terraform provider, which allows you to use OpenShift services with Terraform. Run the following command to create the `main.tf` file:
 +
 [source,terminal]
 ----
@@ -187,7 +187,7 @@ $ terraform init
 $ terraform validate
 ----
 +
-.Sample output
+.Example output
 +
 [source,terminal]
 ----
@@ -219,7 +219,7 @@ If you used the `terraform plan` command first, you can provide your created `ac
 $ rosa list account-roles
 ----
 +
-.Sample output
+.Example output
 
 [source,terminal]
 ----
diff --git a/modules/rosa-sts-account-wide-role-and-policy-commands.adoc b/modules/rosa-sts-account-wide-role-and-policy-commands.adoc
index 222ac3591115..1bd91e705794 100644
--- a/modules/rosa-sts-account-wide-role-and-policy-commands.adoc
+++ b/modules/rosa-sts-account-wide-role-and-policy-commands.adoc
@@ -11,7 +11,7 @@ This section lists the `aws` CLI commands that the `rosa` command generates in t
 [id="rosa-sts-account-wide-role-and-policy-aws-cli-manual-mode_{context}"]
 == Using manual mode for account role creation
 
-The manual role creation mode generates the `aws` commands for you to review and run. The following command starts that process, where `<openshift_version>` refers to your version of {product-title} (ROSA), such as `4.15`.
+The manual role creation mode generates the `aws` commands for you to review and run. The following command starts that process, where `<openshift_version>` refers to your version of {product-title} (ROSA), such as `4.16`.
 
 [source,terminal]
 ----
diff --git a/modules/rosa-sts-account-wide-roles-and-policies.adoc b/modules/rosa-sts-account-wide-roles-and-policies.adoc
index d4c81b896997..7732155b450a 100644
--- a/modules/rosa-sts-account-wide-roles-and-policies.adoc
+++ b/modules/rosa-sts-account-wide-roles-and-policies.adoc
@@ -7,7 +7,7 @@
 
 This section provides details about the account-wide IAM roles and policies that are required for ROSA deployments that use STS, including the Operator policies. It also includes the JSON files that define the policies.
 
-The account-wide roles and policies are specific to an OpenShift minor release version, for example OpenShift 4.15, and are backward compatible. You can minimize the required STS resources by reusing the account-wide roles and policies for multiple clusters of the same minor version, regardless of their patch version.
+The account-wide roles and policies are specific to an OpenShift minor release version, for example OpenShift 4.16, and are backward compatible. You can minimize the required STS resources by reusing the account-wide roles and policies for multiple clusters of the same minor version, regardless of their patch version.
 
 [id="rosa-sts-account-wide-roles-and-policies-creation-methods_{context}"]
 == Methods of account-wide role creation
@@ -30,7 +30,7 @@ If you use the ROSA guided installation on {cluster-manager}, you must have crea
 
 [NOTE]
 ====
-The account number present in the `sts_installer_trust_policy.json` and `sts_support_trust_policy.json` samples represents the Red Hat account that is allowed to assume the required roles.
+The account number present in the `sts_installer_trust_policy.json` and `sts_support_trust_policy.json` samples represents the Red{nbsp}Hat account that is allowed to assume the required roles.
 ====
 
 .ROSA installer role, policy, and policy files
@@ -450,10 +450,10 @@ The account number present in the `sts_installer_trust_policy.json` and `sts_sup
 |Resource|Description
 
 |`ManagedOpenShift-Support-Role`
-|An IAM role used by the Red Hat Site Reliability Engineering (SRE) support team.
+|An IAM role used by the Red{nbsp}Hat Site Reliability Engineering (SRE) support team.
 
 |`ManagedOpenShift-Support-Role-Policy`
-|An IAM policy that provides the Red Hat SRE support team with the permissions required to support ROSA clusters.
+|An IAM policy that provides the Red{nbsp}Hat SRE support team with the permissions required to support ROSA clusters.
 
 |===
 
diff --git a/modules/rosa-sts-associating-your-aws-account.adoc b/modules/rosa-sts-associating-your-aws-account.adoc
index 3c7cbda43eee..491ee5960b85 100644
--- a/modules/rosa-sts-associating-your-aws-account.adoc
+++ b/modules/rosa-sts-associating-your-aws-account.adoc
@@ -5,7 +5,7 @@
 
 :_mod-docs-content-type: PROCEDURE
 [id="rosa-sts-associating-your-aws-account_{context}"]
-= Associating your AWS account with your Red Hat organization
+= Associating your AWS account with your Red{nbsp}Hat organization
 
 ifeval::["{context}" == "rosa-sts-creating-a-cluster-quickly"]
 :quick-install:
@@ -27,7 +27,7 @@ endif::rosa-hcp[]
 ifndef::rosa-hcp[]
 {product-title} (ROSA) clusters
 endif::rosa-hcp[]
-that use the AWS Security Token Service (STS), create an {cluster-manager} IAM role and link it to your Red Hat organization. Then, create a user IAM role and link it to your Red Hat user account in the same Red Hat organization.
+that use the AWS Security Token Service (STS), create an {cluster-manager} IAM role and link it to your Red{nbsp}Hat organization. Then, create a user IAM role and link it to your Red{nbsp}Hat user account in the same Red{nbsp}Hat organization.
 
 ifdef::quick-install[]
 .Prerequisites
@@ -53,13 +53,13 @@ ROSA
 endif::rosa-hcp[]
 clusters, use the latest version of the ROSA CLI.
 ====
-* You have logged in to your Red Hat account by using the ROSA CLI.
-* You have organization administrator privileges in your Red Hat organization.
+* You have logged in to your Red{nbsp}Hat account by using the ROSA CLI.
+* You have organization administrator privileges in your Red{nbsp}Hat organization.
 endif::[]
 
 .Procedure
 
-. Create an {cluster-manager} role and link it to your Red Hat organization:
+. Create an {cluster-manager} role and link it to your Red{nbsp}Hat organization:
 +
 [NOTE]
 ====
@@ -99,7 +99,7 @@ $ rosa create ocm-role
 +
 Select the default values at the prompts to quickly create and link the role.
 +
-. Create a user role and link it to your Red Hat user account:
+. Create a user role and link it to your Red{nbsp}Hat user account:
 +
 [source,terminal]
 ----
@@ -110,7 +110,7 @@ Select the default values at the prompts to quickly create and link the role.
 +
 [NOTE]
 ====
-The Red Hat user account must exist in the Red Hat organization that is linked to your {cluster-manager} role.
+The Red{nbsp}Hat user account must exist in the Red{nbsp}Hat organization that is linked to your {cluster-manager} role.
 ====
 
 ifeval::["{context}" == "rosa-sts-creating-a-cluster-quickly"]
diff --git a/modules/rosa-sts-aws-requirements-access-req.adoc b/modules/rosa-sts-aws-requirements-access-req.adoc
index c25a400d6fc5..69247f996f54 100644
--- a/modules/rosa-sts-aws-requirements-access-req.adoc
+++ b/modules/rosa-sts-aws-requirements-access-req.adoc
@@ -5,7 +5,7 @@
 [id="rosa-access-requirements_{context}"]
 = Access requirements
 
-* Red Hat must have AWS console access to the customer-provided AWS account. Red Hat protects and manages this access.
+* Red{nbsp}Hat must have AWS console access to the customer-provided AWS account. Red{nbsp}Hat protects and manages this access.
 * You must not use the AWS account to elevate your permissions within the {product-title} (ROSA) cluster.
 * Actions available in the ROSA CLI (`rosa`) or {cluster-manager-url} console must not be directly performed in your AWS account.
 * You do not need to have a preconfigured domain to deploy ROSA clusters. If you wish to use a custom domain, see the Additional resources for information.
diff --git a/modules/rosa-sts-aws-requirements-account.adoc b/modules/rosa-sts-aws-requirements-account.adoc
index c0cb7bf57ce3..3039854dbe7e 100644
--- a/modules/rosa-sts-aws-requirements-account.adoc
+++ b/modules/rosa-sts-aws-requirements-account.adoc
@@ -12,12 +12,12 @@ Quota verification checks your AWS quota, but it does not compare your consumpti
 ====
 +
 * If SCP policies are applied and enforced, these policies must not be more restrictive than the roles and policies required by the cluster.
-* Your AWS account should not be transferable to Red Hat.
-* You should not impose additional AWS usage restrictions beyond the defined roles and policies on Red Hat activities. Imposing restrictions will severely hinder Red Hat's ability to respond to incidents.
+* Your AWS account should not be transferable to Red{nbsp}Hat.
+* You should not impose additional AWS usage restrictions beyond the defined roles and policies on Red{nbsp}Hat activities. Imposing restrictions will severely hinder Red{nbsp}Hat's ability to respond to incidents.
 * You may deploy native AWS services within the same AWS account.
 * Your account must have a service-linked role set up as it is required for Elastic Load Balancing (ELB) to be configured. See the "Creating the Elastic Load Balancing (ELB) service-linked role" link in the Additional resources for information about creating a service-linked role for your ELB if you have not created a load balancer in your AWS account previously.
 +
 [NOTE]
 ====
-You are encouraged, but not required, to deploy resources in a Virtual Private Cloud (VPC) separate from the VPC hosting {product-title} and other Red Hat supported services.
+You are encouraged, but not required, to deploy resources in a Virtual Private Cloud (VPC) separate from the VPC hosting {product-title} and other Red{nbsp}Hat supported services.
 ====
diff --git a/modules/rosa-sts-aws-requirements-association-concept.adoc b/modules/rosa-sts-aws-requirements-association-concept.adoc
index c60fdf34b457..edc081880475 100644
--- a/modules/rosa-sts-aws-requirements-association-concept.adoc
+++ b/modules/rosa-sts-aws-requirements-association-concept.adoc
@@ -8,4 +8,4 @@
 
 {product-title} (ROSA) cluster-provisioning tasks require linking `ocm-role` and `user-role` IAM roles to your AWS account using your Amazon Resource Name (ARN).
 
-The `ocm-role` ARN is stored as a label in your Red Hat organization while the `user-role` ARN is stored as a label inside your Red Hat user account. Red Hat uses these ARN labels to confirm that the user is a valid account holder and that the correct permissions are available to perform the necessary tasks in the AWS account.
+The `ocm-role` ARN is stored as a label in your Red{nbsp}Hat organization while the `user-role` ARN is stored as a label inside your Red{nbsp}Hat user account. Red{nbsp}Hat uses these ARN labels to confirm that the user is a valid account holder and that the correct permissions are available to perform the necessary tasks in the AWS account.
diff --git a/modules/rosa-sts-aws-requirements-attaching-boundary-policy.adoc b/modules/rosa-sts-aws-requirements-attaching-boundary-policy.adoc
new file mode 100644
index 000000000000..901ca1e7fc2c
--- /dev/null
+++ b/modules/rosa-sts-aws-requirements-attaching-boundary-policy.adoc
@@ -0,0 +1,375 @@
+// Module included in the following assemblies:
+//
+// * rosa_planning/rosa-sts-ocm-role.adoc
+// * rosa_architecture/rosa-sts-about-iam-resources.adoc
+:_mod-docs-content-type: PROCEDURE
+[id="rosa-sts-aws-requirements-attaching-boundary-policy_{context}"]
+= Permission boundaries for the installer role
+
+You can apply a policy as a _permissions boundary_ on an installer role.
+You can use an AWS-managed policy or a customer-managed policy to set the boundary for an Amazon Web Services(AWS) Identity and Access Management (IAM) entity (user or role). The combination of policy and boundary policy limits the maximum permissions for the user or role. ROSA includes a set of three prepared permission boundary policy files, with which you can restrict permissions for the installer role since changing the installer policy itself is not supported.
+
+[NOTE]
+====
+This feature is only supported on Red{nbsp}Hat OpenShift Service on AWS (classic architecture) clusters.
+====
+
+The permission boundary policy files are as follows:
+
+* The _Core_ boundary policy file contains the minimum permissions needed for ROSA (classic architecture) installer to install an {product-title} cluster.
+The installer does not have permissions to create a virtual private cloud (VPC) or PrivateLink (PL). A VPC needs to be provided.
+* The _VPC_ boundary policy file contains the minimum permissions needed for ROSA (classic architecture) installer to create/manage the VPC. It does not include permissions for PL or core installation. If you need to install a cluster with enough permissions for the installer to install the cluster and create/manage the VPC, but you do not need to set up PL, then use the core and VPC boundary files together with the installer role.
+* The _PrivateLink (PL)_ boundary policy file contains the minimum permissions needed for ROSA (classic architecture) installer to create the AWS PL with a cluster. It does not include permissions for VPC or core installation. Provide a pre-created VPC for all PL clusters during installation.
+
+When using the permission boundary policy files, the following combinations apply:
+
+* No permission boundary policies means that the full installer policy permissions apply to your cluster.
+* *Core* only sets the most restricted permissions for the installer role. The VPC and PL permissions are not included in the *Core only* boundary policy.
+** Installer cannot create or manage the VPC or PL.
+** You must have a customer-provided VPC, and PrivateLink (PL) is not available.
+* *Core + VPC* sets the core and VPC permissions for the installer role.
+** Installer cannot create or manage the PL.
+** Assumes you are not using custom/BYO-VPC.
+** Assumes the installer will create and manage the VPC.
+* *Core + PrivateLink (PL)* means the installer can provision the PL infrastructure.
+** You must have a customer-provided VPC.
+** This is for a private cluster with PL.
+
+This example procedure is applicable for an installer role and policy with the most restriction of permissions, using only the _core_ installer permission boundary policy for ROSA. You can complete this with the AWS console or the AWS CLI. This example uses the AWS CLI and the following policy:
+
+.`sts_installer_core_permission_boundary_policy.json`
+[%collapsible]
+====
+[source,json]
+----
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+		    "autoscaling:DescribeAutoScalingGroups",
+		    "ec2:AllocateAddress",
+		    "ec2:AssociateAddress",
+		    "ec2:AttachNetworkInterface",
+		    "ec2:AuthorizeSecurityGroupEgress",
+		    "ec2:AuthorizeSecurityGroupIngress",
+		    "ec2:CopyImage",
+		    "ec2:CreateNetworkInterface",
+		    "ec2:CreateSecurityGroup",
+		    "ec2:CreateTags",
+		    "ec2:CreateVolume",
+		    "ec2:DeleteNetworkInterface",
+		    "ec2:DeleteSecurityGroup",
+		    "ec2:DeleteSnapshot",
+		    "ec2:DeleteTags",
+		    "ec2:DeleteVolume",
+		    "ec2:DeregisterImage",
+		    "ec2:DescribeAccountAttributes",
+		    "ec2:DescribeAddresses",
+		    "ec2:DescribeAvailabilityZones",
+		    "ec2:DescribeDhcpOptions",
+		    "ec2:DescribeImages",
+		    "ec2:DescribeInstanceAttribute",
+		    "ec2:DescribeInstanceCreditSpecifications",
+		    "ec2:DescribeInstances",
+		    "ec2:DescribeInstanceStatus",
+		    "ec2:DescribeInstanceTypeOfferings",
+		    "ec2:DescribeInstanceTypes",
+		    "ec2:DescribeInternetGateways",
+		    "ec2:DescribeKeyPairs",
+		    "ec2:DescribeNatGateways",
+		    "ec2:DescribeNetworkAcls",
+		    "ec2:DescribeNetworkInterfaces",
+		    "ec2:DescribePrefixLists",
+		    "ec2:DescribeRegions",
+		    "ec2:DescribeReservedInstancesOfferings",
+		    "ec2:DescribeRouteTables",
+		    "ec2:DescribeSecurityGroups",
+		    "ec2:DescribeSecurityGroupRules",
+		    "ec2:DescribeSubnets",
+		    "ec2:DescribeTags",
+		    "ec2:DescribeVolumes",
+		    "ec2:DescribeVpcAttribute",
+		    "ec2:DescribeVpcClassicLink",
+		    "ec2:DescribeVpcClassicLinkDnsSupport",
+		    "ec2:DescribeVpcEndpoints",
+		    "ec2:DescribeVpcs",
+		    "ec2:GetConsoleOutput",
+		    "ec2:GetEbsDefaultKmsKeyId",
+		    "ec2:ModifyInstanceAttribute",
+		    "ec2:ModifyNetworkInterfaceAttribute",
+		    "ec2:ReleaseAddress",
+		    "ec2:RevokeSecurityGroupEgress",
+		    "ec2:RevokeSecurityGroupIngress",
+		    "ec2:RunInstances",
+		    "ec2:StartInstances",
+		    "ec2:StopInstances",
+		    "ec2:TerminateInstances",
+		    "elasticloadbalancing:AddTags",
+		    "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+		    "elasticloadbalancing:AttachLoadBalancerToSubnets",
+		    "elasticloadbalancing:ConfigureHealthCheck",
+		    "elasticloadbalancing:CreateListener",
+		    "elasticloadbalancing:CreateLoadBalancer",
+		    "elasticloadbalancing:CreateLoadBalancerListeners",
+		    "elasticloadbalancing:CreateTargetGroup",
+		    "elasticloadbalancing:DeleteLoadBalancer",
+		    "elasticloadbalancing:DeleteTargetGroup",
+		    "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+		    "elasticloadbalancing:DeregisterTargets",
+		    "elasticloadbalancing:DescribeInstanceHealth",
+		    "elasticloadbalancing:DescribeListeners",
+		    "elasticloadbalancing:DescribeLoadBalancerAttributes",
+		    "elasticloadbalancing:DescribeLoadBalancers",
+		    "elasticloadbalancing:DescribeTags",
+		    "elasticloadbalancing:DescribeTargetGroupAttributes",
+		    "elasticloadbalancing:DescribeTargetGroups",
+		    "elasticloadbalancing:DescribeTargetHealth",
+		    "elasticloadbalancing:ModifyLoadBalancerAttributes",
+		    "elasticloadbalancing:ModifyTargetGroup",
+		    "elasticloadbalancing:ModifyTargetGroupAttributes",
+		    "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+		    "elasticloadbalancing:RegisterTargets",
+		    "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
+		    "iam:AddRoleToInstanceProfile",
+		    "iam:CreateInstanceProfile",
+		    "iam:DeleteInstanceProfile",
+		    "iam:GetInstanceProfile",
+		    "iam:TagInstanceProfile",
+		    "iam:GetRole",
+		    "iam:GetRolePolicy",
+		    "iam:GetUser",
+		    "iam:ListAttachedRolePolicies",
+		    "iam:ListInstanceProfiles",
+		    "iam:ListInstanceProfilesForRole",
+		    "iam:ListRolePolicies",
+		    "iam:ListRoles",
+		    "iam:ListUserPolicies",
+		    "iam:ListUsers",
+		    "iam:PassRole",
+		    "iam:RemoveRoleFromInstanceProfile",
+		    "iam:SimulatePrincipalPolicy",
+		    "iam:TagRole",
+		    "iam:UntagRole",
+		    "route53:ChangeResourceRecordSets",
+		    "route53:ChangeTagsForResource",
+		    "route53:CreateHostedZone",
+		    "route53:DeleteHostedZone",
+		    "route53:GetAccountLimit",
+		    "route53:GetChange",
+		    "route53:GetHostedZone",
+		    "route53:ListHostedZones",
+		    "route53:ListHostedZonesByName",
+		    "route53:ListResourceRecordSets",
+		    "route53:ListTagsForResource",
+		    "route53:UpdateHostedZoneComment",
+		    "s3:CreateBucket",
+		    "s3:DeleteBucket",
+		    "s3:DeleteObject",
+		    "s3:GetAccelerateConfiguration",
+		    "s3:GetBucketAcl",
+		    "s3:GetBucketCORS",
+		    "s3:GetBucketLocation",
+		    "s3:GetBucketLogging",
+		    "s3:GetBucketObjectLockConfiguration",
+		    "s3:GetBucketPolicy",
+		    "s3:GetBucketRequestPayment",
+		    "s3:GetBucketTagging",
+		    "s3:GetBucketVersioning",
+		    "s3:GetBucketWebsite",
+		    "s3:GetEncryptionConfiguration",
+		    "s3:GetLifecycleConfiguration",
+		    "s3:GetObject",
+		    "s3:GetObjectAcl",
+		    "s3:GetObjectTagging",
+		    "s3:GetObjectVersion",
+		    "s3:GetReplicationConfiguration",
+		    "s3:ListBucket",
+		    "s3:ListBucketVersions",
+		    "s3:PutBucketAcl",
+		    "s3:PutBucketTagging",
+		    "s3:PutEncryptionConfiguration",
+		    "s3:PutObject",
+		    "s3:PutObjectAcl",
+		    "s3:PutObjectTagging",
+		    "servicequotas:GetServiceQuota",
+		    "servicequotas:ListAWSDefaultServiceQuotas",
+		    "sts:AssumeRole",
+		    "sts:AssumeRoleWithWebIdentity",
+		    "sts:GetCallerIdentity",
+		    "tag:GetResources",
+		    "tag:UntagResources",
+		    "kms:DescribeKey",
+		    "cloudwatch:GetMetricData",
+		    "ec2:CreateRoute",
+		    "ec2:DeleteRoute",
+		    "ec2:CreateVpcEndpoint",
+		    "ec2:DeleteVpcEndpoints",
+		    "ec2:CreateVpcEndpointServiceConfiguration",
+		    "ec2:DeleteVpcEndpointServiceConfigurations",
+		    "ec2:DescribeVpcEndpointServiceConfigurations",
+		    "ec2:DescribeVpcEndpointServicePermissions",
+		    "ec2:DescribeVpcEndpointServices",
+		    "ec2:ModifyVpcEndpointServicePermissions"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "secretsmanager:GetSecretValue"
+            ],
+            "Resource": "*",
+            "Condition": {
+                "StringEquals": {
+                    "aws:ResourceTag/red-hat-managed": "true"
+                }
+            }
+        }
+    ]
+}
+----
+====
+
+[IMPORTANT]
+====
+To use the permission boundaries, you will need to prepare the permission boundary policy and add it to your relevant installer role in AWS IAM.
+While the ROSA (`rosa`) CLI offers a permission boundary function, it applies to all roles and not just the installer role, which means it does not work with the provided permission boundary policies (which are only for the installer role).
+====
+
+.Prerequisites
+
+* You have an AWS account.
+* You have the permissions required to administer AWS roles and policies.
+* You have installed and configured the latest AWS (`aws`) and ROSA (`rosa`) CLIs on your workstation.
+* You have already prepared your ROSA account-wide roles, includes the installer role, and the corresponding policies. If these do not exist in your AWS account, see "Creating the account-wide STS roles and policies" in _Additional resources_.
+
+.Procedure
+
+. Prepare the policy file by entering the following command in the `rosa` CLI:
++
+[source,terminal]
+----
+$ curl -o ./rosa-installer-core.json https://raw.githubusercontent.com/openshift/managed-cluster-config/master/resources/sts/4.16/sts_installer_core_permission_boundary_policy.json
+----
+
+. Create the policy in AWS and gather its Amazon Resource Name (ARN) by entering the following command:
++
+[source,terminal]
+----
+$ aws iam create-policy \
+--policy-name rosa-core-permissions-boundary-policy \
+--policy-document file://./rosa-installer-core.json \
+--description "ROSA installer core permission boundary policy, the minimum permission set, allows BYO-VPC, disallows PrivateLink"
+----
++
+.Example output
+[source,terminal]
+----
+{
+    "Policy": {
+        "PolicyName": "rosa-core-permissions-boundary-policy",
+        "PolicyId": "<Policy ID>",
+        "Arn": "arn:aws:iam::<account ID>:policy/rosa-core-permissions-boundary-policy",
+        "Path": "/",
+        "DefaultVersionId": "v1",
+        "AttachmentCount": 0,
+        "PermissionsBoundaryUsageCount": 0,
+        "IsAttachable": true,
+        "CreateDate": "<CreateDate>",
+        "UpdateDate": "<UpdateDate>"
+    }
+}
+----
+. Add the permission boundary policy to the installer role you want to restrict by entering the following command:
++
+[source,terminal]
+----
+$ aws iam put-role-permissions-boundary \
+--role-name ManagedOpenShift-Installer-Role \
+--permissions-boundary arn:aws:iam::<account ID>:policy/rosa-core-permissions-boundary-policy
+----
+
+. Display the installer role to validate attached policies (including permissions boundary) by entering the following command in the `rosa` CLI:
++
+[source,terminal]
+----
+$ aws iam get-role --role-name ManagedOpenShift-Installer-Role \
+--output text | grep PERMISSIONSBOUNDARY
+----
++
+.Example output
+[source,terminal]
+----
+PERMISSIONSBOUNDARY	arn:aws:iam::<account ID>:policy/rosa-core-permissions-boundary-policy	Policy
+----
++
+
++
+For more examples of PL and VPC permission boundary policies see:
++
+.`sts_installer_privatelink_permission_boundary_policy.json`
+[%collapsible]
+====
+[source,json]
+----
+{
+"Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:ModifyVpcEndpointServiceConfiguration",
+        "route53:ListHostedZonesByVPC",
+        "route53:CreateVPCAssociationAuthorization",
+        "route53:AssociateVPCWithHostedZone",
+        "route53:DeleteVPCAssociationAuthorization",
+        "route53:DisassociateVPCFromHostedZone",
+        "route53:ChangeResourceRecordSets"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+----
+====
++
+.`sts_installer_vpc_permission_boundary_policy.json`
+[%collapsible]
+====
+[source,json]
+----
+{
+     "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+		    "ec2:AssociateDhcpOptions",
+		    "ec2:AssociateRouteTable",
+		    "ec2:AttachInternetGateway",
+		    "ec2:CreateDhcpOptions",
+		    "ec2:CreateInternetGateway",
+		    "ec2:CreateNatGateway",
+		    "ec2:CreateRouteTable",
+		    "ec2:CreateSubnet",
+		    "ec2:CreateVpc",
+		    "ec2:DeleteDhcpOptions",
+		    "ec2:DeleteInternetGateway",
+		    "ec2:DeleteNatGateway",
+		    "ec2:DeleteRouteTable",
+		    "ec2:DeleteSubnet",
+		    "ec2:DeleteVpc",
+		    "ec2:DetachInternetGateway",
+		    "ec2:DisassociateRouteTable",
+		    "ec2:ModifySubnetAttribute",
+		    "ec2:ModifyVpcAttribute",
+		    "ec2:ReplaceRouteTableAssociation"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+----
+====
diff --git a/modules/rosa-sts-aws-requirements-creating-association.adoc b/modules/rosa-sts-aws-requirements-creating-association.adoc
index a79f8116ae5c..2e16ee917e48 100644
--- a/modules/rosa-sts-aws-requirements-creating-association.adoc
+++ b/modules/rosa-sts-aws-requirements-creating-association.adoc
@@ -30,11 +30,11 @@ If `Yes` is displayed in the `Linked` column for both roles, you have already li
 
 .Procedure
 
-. From the CLI, link your `ocm-role` resource to your Red Hat organization by using your Amazon Resource Name (ARN):
+. From the CLI, link your `ocm-role` resource to your Red{nbsp}Hat organization by using your Amazon Resource Name (ARN):
 +
 [NOTE]
 ====
-You must have Red Hat Organization Administrator privileges to run the `rosa link` command. After you link the `ocm-role` resource with your AWS account, it is visible for all users in the organization.
+You must have Red{nbsp}Hat Organization Administrator privileges to run the `rosa link` command. After you link the `ocm-role` resource with your AWS account, it is visible for all users in the organization.
 ====
 +
 [source,terminal]
@@ -49,7 +49,7 @@ I: Linking OCM role
 ? Link the '<AWS ACCOUNT ID>` role with organization '<ORG ID>'? Yes
 I: Successfully linked role-arn '<AWS ACCOUNT ID>' with organization account '<ORG ID>'
 ----
-. From the CLI, link your `user-role` resource to your Red Hat user account by using your Amazon Resource Name (ARN):
+. From the CLI, link your `user-role` resource to your Red{nbsp}Hat user account by using your Amazon Resource Name (ARN):
 +
 [source,terminal]
 ----
diff --git a/modules/rosa-sts-aws-requirements-creating-multi-association.adoc b/modules/rosa-sts-aws-requirements-creating-multi-association.adoc
index aa59ebd1ee8f..b76f49f1ea66 100644
--- a/modules/rosa-sts-aws-requirements-creating-multi-association.adoc
+++ b/modules/rosa-sts-aws-requirements-creating-multi-association.adoc
@@ -5,9 +5,9 @@
 // * rosa_planning/rosa-sts-aws-prereqs.adoc
 :_mod-docs-content-type: PROCEDURE
 [id="rosa-associating-multiple-account_{context}"]
-= Associating multiple AWS accounts with your Red Hat organization
+= Associating multiple AWS accounts with your Red{nbsp}Hat organization
 
-You can associate multiple AWS accounts with your Red Hat organization. Associating multiple accounts lets you create {product-title} (ROSA) clusters on any of the associated AWS accounts from your Red Hat organization.
+You can associate multiple AWS accounts with your Red{nbsp}Hat organization. Associating multiple accounts lets you create {product-title} (ROSA) clusters on any of the associated AWS accounts from your Red{nbsp}Hat organization.
 
 With this feature, you can create clusters in different AWS regions by using multiple AWS profiles as region-bound environments.
 
@@ -21,7 +21,7 @@ With this feature, you can create clusters in different AWS regions by using mul
 
 .Procedure
 
-To associate an additional AWS account, first create a profile in your local AWS configuration. Then, associate the account with your Red Hat organization by creating the `ocm-role`, user, and account roles in the additional AWS account.
+To associate an additional AWS account, first create a profile in your local AWS configuration. Then, associate the account with your Red{nbsp}Hat organization by creating the `ocm-role`, user, and account roles in the additional AWS account.
 
 To create the roles in an additional region, specify the `--profile <aws-profile>` parameter when running the `rosa create` commands and replace `<aws_profile>` with the additional account profile name:
 
diff --git a/modules/rosa-sts-aws-requirements-security-req.adoc b/modules/rosa-sts-aws-requirements-security-req.adoc
index 65634887e191..9bb9e913219a 100644
--- a/modules/rosa-sts-aws-requirements-security-req.adoc
+++ b/modules/rosa-sts-aws-requirements-security-req.adoc
@@ -5,5 +5,5 @@
 :_mod-docs-content-type: CONCEPT
 [id="rosa-security-requirements_{context}"]
 = Security requirements
-* Red Hat must have ingress access to EC2 hosts and the API server from allow-listed IP addresses.
-* Red Hat must have egress allowed to the documented domains. See the "AWS firewall prerequisites" section for the designated domains.
+* Red{nbsp}Hat must have ingress access to EC2 hosts and the API server from allow-listed IP addresses.
+* Red{nbsp}Hat must have egress allowed to the documented domains. See the "AWS firewall prerequisites" section for the designated domains.
diff --git a/modules/rosa-sts-aws-requirements-support-req.adoc b/modules/rosa-sts-aws-requirements-support-req.adoc
index b88ab0577812..d44e268a48b9 100644
--- a/modules/rosa-sts-aws-requirements-support-req.adoc
+++ b/modules/rosa-sts-aws-requirements-support-req.adoc
@@ -4,7 +4,7 @@
 :_mod-docs-content-type: CONCEPT
 [id="rosa-support-requirements_{context}"]
 = Support requirements
-* Red Hat recommends that the customer have at least link:https://aws.amazon.com/premiumsupport/plans/[Business Support] from AWS.
-* Red Hat may have permission from the customer to request AWS support on their behalf.
-* Red Hat may have permission from the customer to request AWS resource limit increases on the customer's account.
-* Red Hat manages the restrictions, limitations, expectations, and defaults for all {product-title} clusters in the same manner, unless otherwise specified in this requirements section.
+* Red{nbsp}Hat recommends that the customer have at least link:https://aws.amazon.com/premiumsupport/plans/[Business Support] from AWS.
+* Red{nbsp}Hat may have permission from the customer to request AWS support on their behalf.
+* Red{nbsp}Hat may have permission from the customer to request AWS resource limit increases on the customer's account.
+* Red{nbsp}Hat manages the restrictions, limitations, expectations, and defaults for all {product-title} clusters in the same manner, unless otherwise specified in this requirements section.
diff --git a/modules/rosa-sts-byo-oidc-options.adoc b/modules/rosa-sts-byo-oidc-options.adoc
index bfc53b6b409f..11093d41388b 100644
--- a/modules/rosa-sts-byo-oidc-options.adoc
+++ b/modules/rosa-sts-byo-oidc-options.adoc
@@ -46,7 +46,7 @@ $ rosa create oidc-config --mode=<auto|manual>
 [id="rosa-sts-byo-oidc-managed_{context}"]
 == managed
 
-Creates an OIDC configuration that is hosted under Red Hat's AWS account. This command creates a private key that responds directly with an OIDC Config ID for you to use when creating the STS cluster.
+Creates an OIDC configuration that is hosted under Red{nbsp}Hat's AWS account. This command creates a private key that responds directly with an OIDC Config ID for you to use when creating the STS cluster.
 
 .Example
 [source,terminal]
@@ -54,7 +54,7 @@ Creates an OIDC configuration that is hosted under Red Hat's AWS account. This c
 $ rosa create oidc-config --managed
 ----
 
-.Sample output
+.Example output
 [source,terminal]
 ----
 W: For a managed OIDC Config only auto mode is supported. However, you may choose the provider creation mode
diff --git a/modules/rosa-sts-cluster-terraform-destroy.adoc b/modules/rosa-sts-cluster-terraform-destroy.adoc
index dd4a1afb2e8e..917bb76b9c55 100644
--- a/modules/rosa-sts-cluster-terraform-destroy.adoc
+++ b/modules/rosa-sts-cluster-terraform-destroy.adoc
@@ -1,10 +1,13 @@
 // Module included in the following assemblies:
 //
-// * rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly-terraform.adoc
+// * rosa_install_access_delete_clusters/rosa-classic-creating-a-cluster-quickly-terraform.adoc
 //
-ifeval::["{context}" == "rosa-sts-creating-a-cluster-quickly-terraform"]
+ifeval::["{context}" == "rosa-classic-creating-a-cluster-quickly-terraform"]
 :tf-defaults:
 endif::[]
+ifeval::["{context}" == "rosa-hcp-creating-a-cluster-quickly-terraform"]
+:tf-rosa-hcp:
+endif::[]
 :_content-type: PROCEDURE
 
 [id="sd-terraform-cluster-destroy_{context}"]
@@ -14,11 +17,7 @@ Use the `terraform destroy` command to remove all of the resources that were cre
 
 [NOTE]
 ====
-Do not modify your Terraform `.tf` files
-ifndef::tf-defaults[]
-or the `terraform.tfvars` file
-endif::tf-defaults[]
-before destroying your resources. These variables are matched to resources to delete.
+Do not modify your Terraform `.tf` files before destroying your resources. These variables are matched to resources to delete.
 ====
 
 .Procedure
@@ -28,33 +27,29 @@ before destroying your resources. These variables are matched to resources to de
 ----
 $ terraform destroy
 ----
-ifndef::tf-defaults[]
 +
-[IMPORTANT]
-====
-After you enter the name of the ROSA cluster and confirm destruction by entering `yes`, you cannot stop the `terraform destroy` process. Your account, Operator roles, and cluster are deleted.
-====
-
-. Enter the name of the cluster that you want to delete:
+The Terraform interface prompts you for two variables. These should match the answers you provided when creating a cluster:
 +
 [source,terminal]
 ----
-var.cluster_name
-  Provide the name of your ROSA cluster.
+var.create_vpc
+  If you would like to create a new VPC, set this value to 'true.' If you do not want to create a new VPC, set this value to 'false.'
+
+  Enter a value: 
 
-  Enter a value: <name_of_rosa_cluster> <1>
+var.private_cluster
+  If you want to create a private cluster, set this value to 'true.' If you want a publicly available cluster, set this value to 'false.'
+
+  Enter a value: 
 ----
---
-<1> A valid value is the name of the ROSA cluster you want to delete.
---
-endif::tf-defaults[]
 
 . Enter `yes` to start the role and cluster deletion:
+ifdef::tf-rosa-hcp[]
 +
-.Example output of Terraform confirmation:
+.Example output
 [source,terminal]
 ----
-Plan: 0 to add, 0 to change, 39 to destroy.
+Plan: 0 to add, 0 to change, 63 to destroy.
 
 Do you really want to destroy all resources?
   Terraform will destroy all your managed infrastructure, as shown above.
@@ -62,6 +57,21 @@ Do you really want to destroy all resources?
 
   Enter a value: yes
 ----
+endif::tf-rosa-hcp[]
+ifdef::tf-rosa-classic[]
++
+.Example output
+[source,terminal]
+----
+Plan: 0 to add, 0 to change, 74 to destroy.
+
+Do you really want to destroy all resources?
+  Terraform will destroy all your managed infrastructure, as shown above.
+  There is no undo. Only 'yes' will be accepted to confirm.
+
+  Enter a value: yes
+----
+endif::tf-rosa-classic[]
 
 .Verification
 . Verify that your cluster was destroyed by running the following command:
@@ -104,6 +114,9 @@ $ rosa list operator-roles
 I: Fetching operator roles
 I: No operator roles available
 ----
-ifeval::["{context}" == "rosa-sts-creating-a-cluster-quickly-terraform"]
+ifeval::["{context}" == "rosa-classic-creating-a-cluster-quickly-terraform"]
 :tf-defaults:
+endif::[]
+ifeval::["{context}" == "rosa-hcp-creating-a-cluster-quickly-terraform"]
+:tf-rosa-hcp:
 endif::[]
\ No newline at end of file
diff --git a/modules/rosa-sts-cluster-terraform-execute.adoc b/modules/rosa-sts-cluster-terraform-execute.adoc
index e7b08386e518..fd5748e63be8 100644
--- a/modules/rosa-sts-cluster-terraform-execute.adoc
+++ b/modules/rosa-sts-cluster-terraform-execute.adoc
@@ -1,9 +1,12 @@
 // Module included in the following assemblies:
 //
-// * rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly-terraform.adoc
+// * rosa_install_access_delete_clusters/rosa-classic-creating-a-cluster-quickly-terraform.adoc
 //
-ifeval::["{context}" == "rosa-sts-creating-a-cluster-quickly-terraform"]
-:tf-defaults:
+ifeval::["{context}" == "rosa-classic-creating-a-cluster-quickly-terraform"]
+:tf-rosa-classic:
+endif::[]
+ifeval::["{context}" == "rosa-hcp-creating-a-cluster-quickly-terraform"]
+:tf-rosa-hcp:
 endif::[]
 :_content-type: PROCEDURE
 
@@ -43,13 +46,41 @@ Success! The configuration is valid.
 ----
 $ terraform apply
 ----
++
+The Terraform interface asks two questions to create your cluster, similiar to the following:
++
+.Example output
+[source,terminal]
+----
+var.create_vpc
+  If you would like to create a new VPC, set this value to 'true'. If you do not want to create a new VPC, set this value to 'false'.
+
+  Enter a value: 
+
+var.private_cluster
+  If you want to create a private cluster, set this value to 'true'. If you want a publicly available cluster, set this value to 'false'.
+
+  Enter a value: 
+----
 
-. The Terraform interface lists the resources to be created or changed and prompts for confirmation. Enter `yes` to proceed or `no` to cancel:
+. Enter `yes` to proceed or `no` to cancel when the Terraform interface lists the resources to be created or changed and prompts for confirmation:
 +
+ifdef::tf-rosa-hcp[]
 .Example output
 [source,terminal]
 ----
-Plan: 39 to add, 0 to change, 0 to destroy.
+Plan: 63 to add, 0 to change, 0 to destroy.
+
+Do you want to perform these actions?
+  Terraform will perform the actions described above.
+  Only 'yes' will be accepted to approve.
+----
+endif::tf-rosa-hcp[]
+ifdef::tf-rosa-classic[]
+.Example output
+[source,terminal]
+----
+Plan: 74 to add, 0 to change, 0 to destroy.
 
 Do you want to perform these actions?
   Terraform will perform the actions described above.
@@ -57,6 +88,7 @@ Do you want to perform these actions?
 
   Enter a value: yes
 ----
+endif::tf-rosa-classic[]
 +
 If you enter `yes`, your Terraform plan starts, creating your AWS account roles, Operator roles, and your ROSA Classic cluster.
 
@@ -88,7 +120,9 @@ $ rosa list account-roles
 ----
 I: Fetching account roles
 ROLE NAME                                   ROLE TYPE      ROLE ARN                                                           OPENSHIFT VERSION  AWS Managed
+ifdef::tf-rosa-classic[]
 ROSA-demo-ControlPlane-Role                 Control plane  arn:aws:iam::<ID>:role/ROSA-demo-ControlPlane-Role                 4.14               No
+endif::tf-rosa-classic[]
 ROSA-demo-Installer-Role                    Installer      arn:aws:iam::<ID>:role/ROSA-demo-Installer-Role                    4.14               No
 ROSA-demo-Support-Role                      Support        arn:aws:iam::<ID>:role/ROSA-demo-Support-Role                      4.14               No
 ROSA-demo-Worker-Role                       Worker         arn:aws:iam::<ID>:role/ROSA-demo-Worker-Role                       4.14               No
@@ -106,9 +140,17 @@ $ rosa list operator-roles
 ----
 I: Fetching operator roles
 ROLE PREFIX    AMOUNT IN BUNDLE
+ifdef::tf-rosa-classic[]
 rosa-demo      6
+endif::tf-rosa-classic[]
+ifdef::tf-rosa-hcp[]
+rosa-demo      8
+endif::tf-rosa-hcp[]
 ----
 
-ifeval::["{context}" == "rosa-sts-creating-a-cluster-quickly-terraform"]
-:tf-defaults:
+ifeval::["{context}" == "rosa-classic-creating-a-cluster-quickly-terraform"]
+:tf-rosa-classic:
+endif::[]
+ifeval::["{context}" == "rosa-hcp-creating-a-cluster-quickly-terraform"]
+:tf-rosa-hcp:
 endif::[]
diff --git a/modules/rosa-sts-cluster-terraform-file-creation.adoc b/modules/rosa-sts-cluster-terraform-file-creation.adoc
deleted file mode 100644
index a3e0be382c79..000000000000
--- a/modules/rosa-sts-cluster-terraform-file-creation.adoc
+++ /dev/null
@@ -1,542 +0,0 @@
-// Module included in the following assemblies:
-//
-// * rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly-terraform.adoc
-//
-ifeval::["{context}" == "rosa-sts-creating-a-cluster-quickly-terraform"]
-:tf-defaults:
-endif::[]
-:_content-type: PROCEDURE
-
-[id="rosa-sts-cluster-terraform-file-creation_{context}"]
-= Creating your Terraform files locally
-
-After you set up your link:https://console.redhat.com/openshift/token[offline {cluster-manager-first} token], you need to create the Terraform files locally to build your cluster. You can create these files by using the following code templates.
-
-.Procedure
-
-. Create the `account-roles.tf` file by running the following command:
-+
-[source,terminal]
-----
-$ cat<<-EOF>account-roles.tf
-data "rhcs_policies" "all_policies" {}
-
-data "rhcs_versions" "all" {}
-
-module "create_account_roles" {
-  source  = "terraform-redhat/rosa-sts/aws"
-  version = ">=0.0.15"
-
-  create_account_roles  = true
-  create_operator_roles = false
-
-  account_role_prefix    = local.cluster_name
-  path                   = var.path
-  rosa_openshift_version = regex("^[0-9]+\\\\.[0-9]+", var.rosa_openshift_version)
-  account_role_policies  = data.rhcs_policies.all_policies.account_role_policies
-  all_versions           = data.rhcs_versions.all
-  operator_role_policies = data.rhcs_policies.all_policies.operator_role_policies
-  tags                   = var.additional_tags
-}
-
-resource "time_sleep" "wait_10_seconds" {
-  depends_on = [module.create_account_roles]
-
-  create_duration = "10s"
-}
-EOF
-----
-
-. Create the `main.tf` file by running the following command:
-ifdef::tf-defaults[]
-+
-[source,terminal]
-----
-$ cat<<-EOF>main.tf
-#
-# Copyright (c) 2023 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-terraform {
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = ">= 4.20.0"
-    }
-    rhcs = {
-      version = ">= 1.5.0"
-      source  = "terraform-redhat/rhcs"
-    }
-  }
-}
-
-# Export token using the RHCS_TOKEN environment variable
-provider "rhcs" {}
-
-provider "aws" {
-  region = var.aws_region
-  ignore_tags {
-    key_prefixes = ["kubernetes.io/"]
-  }
-}
-
-data "aws_availability_zones" "available" {}
-
-locals {
-  # Extract availability zone names for the specified region, limit it to 1
-  region_azs = slice([for zone in data.aws_availability_zones.available.names : format("%s", zone)], 0, 1)
-}
-
-resource "random_string" "random_name" {
-  length           = 6
-  special          = false
-  upper            = false
-}
-
-locals {
-  path = coalesce(var.path, "/")
-  sts_roles = {
-    role_arn         = "arn:aws:iam::\${data.aws_caller_identity.current.account_id}:role\${local.path}\${local.cluster_name}-Installer-Role",
-    support_role_arn = "arn:aws:iam::\${data.aws_caller_identity.current.account_id}:role\${local.path}\${local.cluster_name}-Support-Role",
-    instance_iam_roles = {
-      master_role_arn = "arn:aws:iam::\${data.aws_caller_identity.current.account_id}:role\${local.path}\${local.cluster_name}-ControlPlane-Role",
-      worker_role_arn = "arn:aws:iam::\${data.aws_caller_identity.current.account_id}:role\${local.path}\${local.cluster_name}-Worker-Role"
-    },
-    operator_role_prefix = local.cluster_name,
-    oidc_config_id       = rhcs_rosa_oidc_config.oidc_config.id
-  }
-  worker_node_replicas = coalesce(var.worker_node_replicas, 2)
-  # If cluster_name is not null, use that, otherwise generate a random cluster name
-  cluster_name = coalesce(var.cluster_name, "rosa-\${random_string.random_name.result}")
-}
-
-data "aws_caller_identity" "current" {
-}
-
-resource "rhcs_cluster_rosa_classic" "rosa_sts_cluster" {
-  name                 = local.cluster_name
-  cloud_region         = var.aws_region
-  multi_az             = false
-  aws_account_id       = data.aws_caller_identity.current.account_id
-  availability_zones   = ["us-east-1a"]
-  tags                 = var.additional_tags
-  version              = var.rosa_openshift_version
-  compute_machine_type = var.machine_type
-  replicas             = local.worker_node_replicas
-  autoscaling_enabled  = false
-  sts                  = local.sts_roles
-  properties = {
-    rosa_creator_arn = data.aws_caller_identity.current.arn
-  }
-  machine_cidr     = var.vpc_cidr_block
-
-  lifecycle {
-    precondition {
-      condition     = can(regex("^[a-z][-a-z0-9]{0,13}[a-z0-9]\$", local.cluster_name))
-      error_message = "ROSA cluster name must be less than 16 characters, be lower case alphanumeric, with only hyphens."
-    }
-  }
-
-  depends_on = [time_sleep.wait_10_seconds]
-}
-
-resource "rhcs_cluster_wait" "wait_for_cluster_build" {
-  cluster = rhcs_cluster_rosa_classic.rosa_sts_cluster.id
-  # timeout in minutes
-  timeout = 60
-}
-EOF
-----
-endif::tf-defaults[]
-ifndef::tf-defaults[]
-+
-[NOTE]
-====
-Copy and edit this file _before_ running the command to build your cluster.
-====
-+
-[source,terminal]
-----
-$ cat<<-EOF>main.tf
-#
-# Copyright (c) 2023 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-terraform {
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = ">= 4.20.0"
-    }
-    rhcs = {
-      version = ">= 1.5.0"
-      source  = "terraform-redhat/rhcs"
-    }
-  }
-}
-
-# Export token using the RHCS_TOKEN environment variable
-provider "rhcs" {}
-
-provider "aws" {
-  region = var.aws_region
-  ignore_tags {
-    key_prefixes = ["kubernetes.io/"]
-  }
-}
-
-data "aws_availability_zones" "available" {
-  state = "available"
-
-  # New configuration to exclude Local Zones
-  filter {
-    name   = "opt-in-status"
-    values = ["opt-in-not-required"]
-  }
-}
-
-locals {
-  # These lines will determine how many availability zones to extract based on if you are creating a single or multi AZ cluster.
-  az_count = var.multi_az ? 3 : 1
-  region_azs = slice([for zone in data.aws_availability_zones.available.names : format("%s", zone)], 0, local.az_count)
-}
-
-resource "random_string" "random_name" {
-  length           = 6
-  special          = false
-  upper            = false
-}
-
-locals {
-  path = coalesce(var.path, "/")
-  sts_roles = {
-    role_arn         = "arn:aws:iam::\${data.aws_caller_identity.current.account_id}:role\${local.path}\${local.cluster_name}-Installer-Role",
-    support_role_arn = "arn:aws:iam::\${data.aws_caller_identity.current.account_id}:role\${local.path}\${local.cluster_name}-Support-Role",
-    instance_iam_roles = {
-      master_role_arn = "arn:aws:iam::\${data.aws_caller_identity.current.account_id}:role\${local.path}\${local.cluster_name}-ControlPlane-Role",
-      worker_role_arn = "arn:aws:iam::\${data.aws_caller_identity.current.account_id}:role\${local.path}\${local.cluster_name}-Worker-Role"
-    },
-    operator_role_prefix = local.cluster_name,
-    oidc_config_id       = rhcs_rosa_oidc_config.oidc_config.id
-  }
-  worker_node_replicas = var.worker_node_replicas == null ? 3 : var.worker_node_replicas
-  # If cluster_name is not null, use that, otherwise generate a random cluster name
-  cluster_name = coalesce(var.cluster_name, "rosa-${random_string.random_name.result}")
-}
-
-data "aws_caller_identity" "current" {
-}
-
-resource "rhcs_cluster_rosa_classic" "rosa_sts_cluster" {
-  name                 = local.cluster_name
-  cloud_region         = var.aws_region
-  multi_az             = var.multi_az
-  aws_account_id       = data.aws_caller_identity.current.account_id
-  availability_zones   = local.region_azs
-  tags                 = var.additional_tags
-  version              = var.rosa_openshift_version
-  proxy                = var.proxy
-  compute_machine_type = var.machine_type
-  autoscaling_enabled  = var.autoscaling_enabled
-  replicas             = local.worker_node_replicas
-  min_replicas         = var.min_replicas
-  max_replicas         = var.max_replicas
-
-  sts                  = local.sts_roles
-  properties = {
-    rosa_creator_arn = data.aws_caller_identity.current.arn
-  }
-
-    admin_credentials      = {
-    username = var.admin_username
-    password = var.admin_password
-  }
-
-#
-#Private link settings
-#
-
-  private          = var.private_cluster
-  aws_private_link = var.private_cluster
-  aws_subnet_ids   = var.create_vpc ? concat(module.vpc[0].private_subnets, module.vpc[0].public_subnets) : var.private_subnet_ids
-  machine_cidr     = var.private_cluster ? var.vpc_cidr_block : null
-
-  lifecycle {
-    precondition {
-      condition     = can(regex("^[a-z][-a-z0-9]{0,13}[a-z0-9]\$", local.cluster_name))
-      error_message = "ROSA cluster name must be less than 16 characters, be lower case alphanumeric, with only hyphens."
-    }
-  }
-
-  depends_on = [time_sleep.wait_10_seconds]
-}
-
-resource "rhcs_cluster_wait" "wait_for_cluster_build" {
-  cluster = rhcs_cluster_rosa_classic.rosa_sts_cluster.id
-  # timeout in minutes
-  timeout = 60
-}
-EOF
-----
-endif::tf-defaults[]
-
-. Create the `oidc-provider.tf` file by running the following command:
-+
-[source,terminal]
-----
-$ cat<<-EOF>oidc-provider.tf
-resource "rhcs_rosa_oidc_config" "oidc_config" {
-  managed = true
-}
-
-data "rhcs_rosa_operator_roles" "operator_roles" {
-  operator_role_prefix = local.cluster_name
-  account_role_prefix  = local.cluster_name
-}
-
-module "oidc_provider" {
-  source  = "terraform-redhat/rosa-sts/aws"
-  version = "0.0.15"
-
-  create_operator_roles = false
-  create_oidc_provider  = true
-
-  cluster_id                  = ""
-  rh_oidc_provider_thumbprint = rhcs_rosa_oidc_config.oidc_config.thumbprint
-  rh_oidc_provider_url        = rhcs_rosa_oidc_config.oidc_config.oidc_endpoint_url
-  tags                        = var.additional_tags
-  path                        = var.path
-}
-EOF
-----
-
-. Create the `operator-roles.tf` file by running the following command:
-+
-[source,terminal]
-----
-$ cat<<-EOF>operator-roles.tf
-module "operator_roles" {
-  source  = "terraform-redhat/rosa-sts/aws"
-  version = "0.0.15"
-
-  create_operator_roles = true
-  create_oidc_provider  = false
-
-  rh_oidc_provider_thumbprint = rhcs_rosa_oidc_config.oidc_config.thumbprint
-  rh_oidc_provider_url        = rhcs_rosa_oidc_config.oidc_config.oidc_endpoint_url
-  operator_roles_properties   = data.rhcs_rosa_operator_roles.operator_roles.operator_iam_roles
-  tags                        = var.additional_tags
-  path                        = var.path
-}
-EOF
-----
-
-. Create the `variables.tf` file by running the following command:
-ifndef::tf-defaults[]
-+
-[NOTE]
-====
-Copy and edit this file _before_ running the command to build your cluster.
-====
-endif::tf-defaults[]
-+
-[source,terminal]
-----
-$ cat<<-EOF>variables.tf
-variable "rosa_openshift_version" {
-  type        = string
-  default     = "4.15.0"
-  description = "Desired version of OpenShift for the cluster, for example '4.15.0'. If version is greater than the currently running version, an upgrade will be scheduled."
-}
-
-variable "account_role_policies" {
-  description = "account role policies details for account roles creation"
-  type = object({
-    sts_installer_permission_policy             = string
-    sts_support_permission_policy               = string
-    sts_instance_worker_permission_policy       = string
-    sts_instance_controlplane_permission_policy = string
-  })
-  default = null
-}
-
-variable "operator_role_policies" {
-  description = "operator role policies details for operator roles creation"
-  type = object({
-    openshift_cloud_credential_operator_cloud_credential_operator_iam_ro_creds_policy = string
-    openshift_cloud_network_config_controller_cloud_credentials_policy                = string
-    openshift_cluster_csi_drivers_ebs_cloud_credentials_policy                        = string
-    openshift_image_registry_installer_cloud_credentials_policy                       = string
-    openshift_ingress_operator_cloud_credentials_policy                               = string
-    openshift_machine_api_aws_cloud_credentials_policy                                = string
-  })
-  default = null
-}
-
-# ROSA Cluster info
-variable "cluster_name" {
-  default     = null
-  type        = string
-  description = "Provide the name of your ROSA cluster."
-}
-
-variable "additional_tags" {
-  default = {
-    Terraform   = "true"
-  }
-  description = "Additional AWS resource tags"
-  type        = map(string)
-}
-
-variable "path" {
-  description = "(Optional) The arn path for the account/operator roles as well as their policies."
-  type        = string
-  default     = null
-}
-
-variable "machine_type" {
-  description = "The AWS instance type used for your default worker pool."
-  type        = string
-  default     = "m5.xlarge"
-}
-
-variable "worker_node_replicas" {
-  default     = 2
-  description = "Number of worker nodes to provision. Single zone clusters need at least 2 nodes, multizone clusters need at least 3 nodes"
-  type        = number
-}
-
-variable "autoscaling_enabled" {
-  description = "Enables autoscaling. This variable requires you to set a maximum and minimum replicas range using the 'max_replicas' and 'min_replicas' variables. If the autoscaling_enabled is 'true', you cannot configure the worker_node_replicas."
-  type        = string
-  default     = "false"
-}
-
-#VPC Info
-variable "vpc_cidr_block" {
-  type        = string
-  description = "The value of the IP address block for machines or cluster nodes for the VPC."
-  default     = "10.0.0.0/16"
-}
-
-#AWS Info
-variable "aws_region" {
-  type    = string
-  default = "us-east-1"
-}
-EOF
-----
-ifndef::tf-defaults[]
-
-. Create the `vpc.tf` file by running the following command:
-+
-[source,terminal]
-----
-$ cat<<-EOF>vpc.tf
-module "vpc" {
-  source  = "terraform-aws-modules/vpc/aws"
-  version = "5.1.2"
-
-  count = var.create_vpc ? 1 : 0
-  name  = var.vpc_name
-  cidr  = var.vpc_cidr_block
-
-  azs             = var.availability_zones
-  private_subnets = var.private_subnet_cidrs
-  public_subnets  = var.public_subnet_cidrs
-
-  enable_nat_gateway   = true
-  single_nat_gateway   = var.single_nat_gateway
-  enable_dns_hostnames = true
-  enable_dns_support   = true
-
-  tags = var.additional_tags
-}
-EOF
-----
-
-. Create the `terraform.tfvars` file by running the following command:
-+
-[NOTE]
-====
-Use the `terraform.tfvars` file to change variables in one place without modifying the rest of your Terraform files when customizing your cluster. If you do not create a `terraform.tfvars` file, you are prompted for the required variables during cluster creation.
-
-Copy and edit this file _before_ running the command to build your cluster.
-====
-+
-[source,terminal]
-----
-$ cat<<-EOF>terraform.tfvars
-
-###############################
-# General Cluster Information #
-###############################
-
-# You can choose any OpenShift version that is currently supported. Make sure to use X.Y.Z when setting your version.
-rosa_openshift_version = "4.14.0"
-
-# See the docs for options - https://docs.openshift.com/rosa/rosa_architecture/rosa_policy_service_definition/rosa-service-definition.html#rosa-sdpolicy-aws-instance-types_rosa-service-definition
-machine_type = "m5.xlarge"
-aws_region = "us-east-1"
-
-# If you want to create a single AZ cluster, set this variable to false, and then set the worker_node_replicas to 2. If you want to use a multi-AZ cluster, set this to true, then change the replica count to a multiple of 3. Autoscaling should also be in multiples of 3.
-multi_az = "true"
-
-#################
-# Machine pools #
-#################
-
-# Setting this as true, requires you to set a maximum and minimum replicas range using the 'max_replicas' and 'min_replicas' variables. If the autoscaling_enabled is 'true', you cannot configure the worker_node_replicas."
-
-# autoscaling_enabled = "true"
-# worker_node_replicas = null
-# min_replicas = "6"
-# max_replicas = "15"
-
-###################
-# VPC Information #
-###################
-
-vpc_cidr_block = "10.0.0.0/16"
-create_vpc = "false"
-private_cluster = "false"
-# vpc_name = "rosa-vpc-tf"
-# private_subnet_cidrs = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
-# public_subnet_cidrs  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
-# single_nat_gateway = "false"
-
-EOF
-----
-endif::tf-defaults[]
-
-ifdef::tf-defaults[]
-You are ready to initiate Terraform.
-endif::tf-defaults[]
-
-ifeval::["{context}" == "rosa-sts-creating-a-cluster-quickly-terraform"]
-:!tf-defaults:
-endif::[]
diff --git a/modules/rosa-sts-cluster-terraform-setup.adoc b/modules/rosa-sts-cluster-terraform-setup.adoc
index 04efb7131733..4314657e5dbf 100644
--- a/modules/rosa-sts-cluster-terraform-setup.adoc
+++ b/modules/rosa-sts-cluster-terraform-setup.adoc
@@ -1,8 +1,8 @@
 // Module included in the following assemblies:
 //
-// * rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly-terraform.adoc
+// * rosa_install_access_delete_clusters/rosa-classic-creating-a-cluster-quickly-terraform.adoc
 //
-ifeval::["{context}" == "rosa-sts-creating-a-cluster-quickly-terraform"]
+ifeval::["{context}" == "rosa-classic-creating-a-cluster-quickly-terraform"]
 :tf-defaults:
 endif::[]
 :_content-type: PROCEDURE
@@ -43,6 +43,6 @@ This environmental variable resets at the end of each session, such as restartin
 $ echo $RHCS_TOKEN
 ----
 
-ifeval::["{context}" == "rosa-sts-creating-a-cluster-quickly-terraform"]
+ifeval::["{context}" == "rosa-classic-creating-a-cluster-quickly-terraform"]
 :tf-defaults:
 endif::[]
diff --git a/modules/rosa-sts-creating-a-cluster-quickly-cli.adoc b/modules/rosa-sts-creating-a-cluster-quickly-cli.adoc
index 4321f3f7076b..d084c3f04139 100644
--- a/modules/rosa-sts-creating-a-cluster-quickly-cli.adoc
+++ b/modules/rosa-sts-creating-a-cluster-quickly-cli.adoc
@@ -22,7 +22,7 @@ ifndef::quickstart[]
 * You have available AWS service quotas.
 * You have enabled the ROSA service in the AWS Console.
 * You have installed and configured the latest ROSA CLI (`rosa`) on your installation host. Run `rosa version` to see your currently installed version of the ROSA CLI. If a newer version is available, the CLI provides a link to download this upgrade.
-* You have logged in to your Red Hat account by using the ROSA CLI.
+* You have logged in to your Red{nbsp}Hat account by using the ROSA CLI.
 * You have verified that the AWS Elastic Load Balancing (ELB) service role exists in your AWS account.
 endif::[]
 
@@ -71,7 +71,7 @@ The following `State` field changes are listed in the output as the cluster inst
 +
 [NOTE]
 ====
-If the installation fails or the `State` field does not change to `ready` after about 40 minutes, check the installation troubleshooting documentation for details. For more information, see _Troubleshooting installations_. For steps to contact Red Hat Support for assistance, see _Getting support for Red Hat OpenShift Service on AWS_.
+If the installation fails or the `State` field does not change to `ready` after about 40 minutes, check the installation troubleshooting documentation for details. For more information, see _Troubleshooting installations_. For steps to contact Red{nbsp}Hat Support for assistance, see _Getting support for Red{nbsp}Hat OpenShift Service on AWS_.
 ====
 
 . Track the progress of the cluster creation by watching the OpenShift installer logs:
diff --git a/modules/rosa-sts-creating-a-cluster-quickly-ocm.adoc b/modules/rosa-sts-creating-a-cluster-quickly-ocm.adoc
index 00d6cb449f66..4141a3890d0c 100644
--- a/modules/rosa-sts-creating-a-cluster-quickly-ocm.adoc
+++ b/modules/rosa-sts-creating-a-cluster-quickly-ocm.adoc
@@ -8,4 +8,4 @@
 
 When using {cluster-manager-first} to create a {product-title} (ROSA) cluster that uses the AWS Security Token Service (STS), you can select the default options to create the cluster quickly.
 
-Before you can use {cluster-manager} to deploy ROSA with STS clusters, you must associate your AWS account with your Red Hat organization and create the required account-wide STS roles and policies.
+Before you can use {cluster-manager} to deploy ROSA with STS clusters, you must associate your AWS account with your Red{nbsp}Hat organization and create the required account-wide STS roles and policies.
diff --git a/modules/rosa-sts-creating-a-cluster-using-defaults-ocm.adoc b/modules/rosa-sts-creating-a-cluster-using-defaults-ocm.adoc
index ccd08528d189..3dcc2779eb87 100644
--- a/modules/rosa-sts-creating-a-cluster-using-defaults-ocm.adoc
+++ b/modules/rosa-sts-creating-a-cluster-using-defaults-ocm.adoc
@@ -24,7 +24,7 @@ ifdef::quick-install[]
 * You have enabled the ROSA service in the AWS Console.
 * You have installed and configured the latest ROSA CLI (`rosa`) on your installation host. Run `rosa version` to see your currently installed version of the ROSA CLI. If a newer version is available, the CLI provides a link to download this upgrade.
 * You have verified that the AWS Elastic Load Balancing (ELB) service role exists in your AWS account.
-* You have associated your AWS account with your Red Hat organization. When you associated your account, you applied the administrative permissions to the {cluster-manager} role. For detailed steps, see _Associating your AWS account with your Red Hat organization_.
+* You have associated your AWS account with your Red{nbsp}Hat organization. When you associated your account, you applied the administrative permissions to the {cluster-manager} role. For detailed steps, see _Associating your AWS account with your Red{nbsp}Hat organization_.
 * You have created the required account-wide STS roles and policies. For detailed steps, see _Creating the account-wide STS roles and policies_.
 endif::[]
 
@@ -38,15 +38,15 @@ endif::[]
 +
 [NOTE]
 ====
-If your AWS account ID is not listed, check that you have successfully associated your AWS account with your Red Hat organization. If your account role ARNs are not listed, check that the required account-wide STS roles exist in your AWS account.
+If your AWS account ID is not listed, check that you have successfully associated your AWS account with your Red{nbsp}Hat organization. If your account role ARNs are not listed, check that the required account-wide STS roles exist in your AWS account.
 ====
 
 . Click *Next*.
 
 . On the *Cluster details* page, enter a *Cluster name*. Leave the default values in the remaining fields and click *Next*.
 +
-====
 [NOTE]
+====
 Cluster creation generates a domain prefix as a subdomain for your provisioned cluster on `openshiftapps.com`. If the cluster name is less than or equal to 15 characters, that name is used for the domain prefix. If the cluster name is longer than 15 characters, the domain prefix is randomly generated as a 15-character string. To customize the subdomain, select the *Create custom domain prefix* checkbox, and enter your domain prefix name in the *Domain prefix* field.
 ====
 . To deploy a cluster quickly, leave the default options in the *Cluster settings*, *Networking*, *Cluster roles and policies*, and *Cluster updates* pages and click *Next* on each page.
@@ -63,7 +63,7 @@ By default, clusters are created with the delete protection feature disabled.
 +
 [NOTE]
 ====
-If the installation fails or the cluster *State* does not change to *Ready* after about 40 minutes, check the installation troubleshooting documentation for details. For more information, see _Troubleshooting installations_. For steps to contact Red Hat Support for assistance, see _Getting support for Red Hat OpenShift Service on AWS_.
+If the installation fails or the cluster *State* does not change to *Ready* after about 40 minutes, check the installation troubleshooting documentation for details. For more information, see _Troubleshooting installations_. For steps to contact Red{nbsp}Hat Support for assistance, see _Getting support for Red{nbsp}Hat OpenShift Service on AWS_.
 ====
 
 ifeval::["{context}" == "rosa-sts-creating-a-cluster-quickly"]
diff --git a/modules/rosa-sts-creating-a-cluster-with-customizations-cli.adoc b/modules/rosa-sts-creating-a-cluster-with-customizations-cli.adoc
index 93ec210eb8e1..274ca7939995 100644
--- a/modules/rosa-sts-creating-a-cluster-with-customizations-cli.adoc
+++ b/modules/rosa-sts-creating-a-cluster-with-customizations-cli.adoc
@@ -224,7 +224,7 @@ Any optional fields can be left empty and a default will be selected.
 ? Create cluster admin user: Yes <2>
 ? Username: user-admin <2>
 ? Password: [? for help] *************** <2>
-? OpenShift version: 4.15.0 <3>
+? OpenShift version: 4.16.0 <3>
 ? Configure the use of IMDSv2 for ec2 instances optional/required (optional): <4>
 I: Using arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Installer-Role for the Installer role <5>
 I: Using arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-ControlPlane-Role for the ControlPlane role
@@ -254,7 +254,7 @@ I: Using arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Support-Role for th
 ? Disable Workload monitoring (optional): No
 I: Creating cluster '<cluster_name>'
 I: To create this cluster again in the future, you can run:
-   rosa create cluster --cluster-name <cluster_name> --role-arn arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Installer-Role --support-role-arn arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Support-Role --master-iam-role arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-ControlPlane-Role --worker-iam-role arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Worker-Role --operator-roles-prefix <cluster_name>-<random_string> --region us-east-1 --version 4.15.0 --additional-compute-security-group-ids sg-0e375ff0ec4a6cfa2 --additional-infra-security-group-ids sg-0e375ff0ec4a6cfa2 --additional-control-plane-security-group-ids sg-0e375ff0ec4a6cfa2 --replicas 2 --machine-cidr 10.0.0.0/16 --service-cidr 172.30.0.0/16 --pod-cidr 10.128.0.0/14 --host-prefix 23 <14>
+   rosa create cluster --cluster-name <cluster_name> --role-arn arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Installer-Role --support-role-arn arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Support-Role --master-iam-role arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-ControlPlane-Role --worker-iam-role arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Worker-Role --operator-roles-prefix <cluster_name>-<random_string> --region us-east-1 --version 4.16.0 --additional-compute-security-group-ids sg-0e375ff0ec4a6cfa2 --additional-infra-security-group-ids sg-0e375ff0ec4a6cfa2 --additional-control-plane-security-group-ids sg-0e375ff0ec4a6cfa2 --replicas 2 --machine-cidr 10.0.0.0/16 --service-cidr 172.30.0.0/16 --pod-cidr 10.128.0.0/14 --host-prefix 23 <14>
 I: To view a list of clusters and their status, run 'rosa list clusters'
 I: Cluster '<cluster_name>' has been created.
 I: Once the cluster is installed you will need to add an Identity Provider before you can login into the cluster. See 'rosa create idp --help' for more information.
@@ -262,7 +262,7 @@ I: Once the cluster is installed you will need to add an Identity Provider befor
 ----
 <1> Optional. When creating your cluster, you can customize the subdomain for your cluster on `*.openshiftapps.com` using the `--domain-prefix` flag. The value for this flag must be unique within your organization, cannot be longer than 15 characters, and cannot be changed after cluster creation. If the flag is not supplied, an autogenerated value is created that depends on the length of the cluster name. If the cluster name is fewer than or equal to 15 characters, that name is used for the domain prefix. If the cluster name is longer than 15 characters, the domain prefix is randomly generated to a 15 character string.
 <2> When creating your cluster, you can create a local administrator user for your cluster. Selecting `Yes` then prompts you to create a user name and password for the cluster admin. The user name must not contain `/`, `:`, or `%`. The password must be at least 14 characters (ASCII-standard) without whitespaces. This process automatically configures an htpasswd identity provider.
-<3> When creating the cluster, the listed `OpenShift version` options include the major, minor, and patch versions, for example `4.15.0`.
+<3> When creating the cluster, the listed `OpenShift version` options include the major, minor, and patch versions, for example `4.16.0`.
 <4> Optional: Specify 'optional' to configure all EC2 instances to use both v1 and v2 endpoints of EC2 Instance Metadata Service (IMDS). This is the default value. Specify 'required' to configure all EC2 instances to use IMDSv2 only.
 +
 [IMPORTANT]
@@ -281,8 +281,8 @@ If you specified custom ARN paths when you created the associated account-wide r
 +
 [IMPORTANT]
 ====
-{product-title} only supports custom tags to Red Hat OpenShift resources during cluster creation. Once added, the tags cannot be removed or edited.
-Tags that are added by Red Hat are required for clusters to stay in compliance with Red Hat production service level agreements (SLAs). These tags must not be removed.
+{product-title} only supports custom tags to Red{nbsp}Hat OpenShift resources during cluster creation. Once added, the tags cannot be removed or edited.
+Tags that are added by Red{nbsp}Hat are required for clusters to stay in compliance with Red{nbsp}Hat production service level agreements (SLAs). These tags must not be removed.
 
 {product-title} does not support adding additional tags outside of ROSA cluster-managed resources. These tags can be lost when AWS resources are managed by the ROSA cluster. In these cases, you might need custom solutions or tools to reconcile the tags and keep them intact.
 ====
@@ -309,7 +309,7 @@ PVs created by using any other storage class are still encrypted, but the PVs ar
 +
 [IMPORTANT]
 ====
-By enabling etcd encryption for the key values in etcd, you will incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Red Hat recommends that you enable etcd encryption only if you specifically require it for your use case.
+By enabling etcd encryption for the key values in etcd, you will incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Red{nbsp}Hat recommends that you enable etcd encryption only if you specifically require it for your use case.
 ====
 +
 <14> The output includes a custom command that you can run to create a cluster with the same configuration in the future.
@@ -424,7 +424,7 @@ The following `State` field changes are listed in the output as the cluster inst
 +
 [NOTE]
 ====
-If the installation fails or the `State` field does not change to `ready` after about 40 minutes, check the installation troubleshooting documentation for details. For more information, see _Troubleshooting installations_. For steps to contact Red Hat Support for assistance, see _Getting support for Red Hat OpenShift Service on AWS_.
+If the installation fails or the `State` field does not change to `ready` after about 40 minutes, check the installation troubleshooting documentation for details. For more information, see _Troubleshooting installations_. For steps to contact Red{nbsp}Hat Support for assistance, see _Getting support for Red{nbsp}Hat OpenShift Service on AWS_.
 ====
 
 . Track the progress of the cluster creation by watching the OpenShift installer logs:
diff --git a/modules/rosa-sts-creating-a-cluster-with-customizations-ocm.adoc b/modules/rosa-sts-creating-a-cluster-with-customizations-ocm.adoc
index 55251a19e5c2..ed28c4420635 100644
--- a/modules/rosa-sts-creating-a-cluster-with-customizations-ocm.adoc
+++ b/modules/rosa-sts-creating-a-cluster-with-customizations-ocm.adoc
@@ -78,13 +78,13 @@ I: Linking OCM role
 ? Link the 'arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>' role with organization '<red_hat_organization_id>'? Yes <6>
 I: Successfully linked role-arn 'arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>' with organization account '<red_hat_organization_id>'
 ----
-<1> Specify the prefix to include in the OCM IAM role name. The default is `ManagedOpenShift`. You can create only one OCM role per AWS account for your Red Hat organization.
+<1> Specify the prefix to include in the OCM IAM role name. The default is `ManagedOpenShift`. You can create only one OCM role per AWS account for your Red{nbsp}Hat organization.
 <2> Enable the admin {cluster-manager} IAM role, which is equivalent to specifying the `--admin` argument. The admin role is required if you want to use *Auto* mode to automatically provision the cluster-specific Operator roles and the OIDC provider by using {cluster-manager}.
 <3> Optional: Specify a permissions boundary Amazon Resource Name (ARN) for the role. For more information, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html[Permissions boundaries for IAM entities] in the AWS documentation.
 <4> Specify a custom ARN path for your OCM role. The path must contain alphanumeric characters only and start and end with `/`, for example `/test/path/dev/`. For more information, see _ARN path customization for IAM roles and policies_.
-<5> Select the role creation mode. You can use `auto` mode to automatically create the {cluster-manager} IAM role and link it to your Red Hat organization account. In `manual` mode, the ROSA CLI generates the `aws` commands needed to create and link the role. In `manual` mode, the corresponding policy JSON files are also saved to the current directory. `manual` mode enables you to review the details before running the `aws` commands manually.
-<6> Link the {cluster-manager} IAM role to your Red Hat organization account.
-.. If you opted not to link the {cluster-manager} IAM role to your Red Hat organization account in the preceding command, copy the `rosa link` command from the {cluster-manager} *OCM role* page and run it:
+<5> Select the role creation mode. You can use `auto` mode to automatically create the {cluster-manager} IAM role and link it to your Red{nbsp}Hat organization account. In `manual` mode, the ROSA CLI generates the `aws` commands needed to create and link the role. In `manual` mode, the corresponding policy JSON files are also saved to the current directory. `manual` mode enables you to review the details before running the `aws` commands manually.
+<6> Link the {cluster-manager} IAM role to your Red{nbsp}Hat organization account.
+.. If you opted not to link the {cluster-manager} IAM role to your Red{nbsp}Hat organization account in the preceding command, copy the `rosa link` command from the {cluster-manager} *OCM role* page and run it:
 +
 [source,terminal]
 ----
@@ -92,7 +92,7 @@ $ rosa link ocm-role <arn> <1>
 ----
 <1> Replace `<arn>` with the ARN of the {cluster-manager} IAM role that is included in the output of the preceding command.
 .. Select *Next* on the {cluster-manager} *OCM role* page.
-.. On the *User role* page, click the copy button for the *User role* command and run the command in the CLI. Red Hat uses the user role to verify your AWS identity when you install a cluster and the required resources with {cluster-manager}.
+.. On the *User role* page, click the copy button for the *User role* command and run the command in the CLI. Red{nbsp}Hat uses the user role to verify your AWS identity when you install a cluster and the required resources with {cluster-manager}.
 +
 Follow the prompts to create the user role:
 +
@@ -202,7 +202,7 @@ To customize the subdomain, select the *Create custom domain prefix* checkbox, a
 .. Select a cluster version from the *Version* drop-down menu.
 .. Select a cloud provider region from the *Region* drop-down menu.
 .. Select a *Single zone* or *Multi-zone* configuration.
-.. Leave *Enable user workload monitoring* selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default.
+.. Leave *Enable user workload monitoring* selected to monitor your own projects in isolation from Red{nbsp}Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default.
 .. Optional: Select *Enable additional etcd encryption* if you require etcd key value encryption. With this option, the etcd key values are encrypted, but not the keys. This option is in addition to the control plane storage encryption that encrypts the etcd volumes in {product-title} clusters by default.
 +
 [NOTE]
@@ -297,7 +297,7 @@ To verify whether a VPC was created by the OpenShift installer, check for the `o
 +
 [NOTE]
 ====
-If you opted to use private API endpoints, you must use an existing VPC and PrivateLink and the *Install into an existing VPC* and *Use a PrivateLink* options are automatically selected. With these options, the Red Hat Site Reliability Engineering (SRE) team can connect to the cluster to assist with support by using only AWS PrivateLink endpoints.
+If you opted to use private API endpoints, you must use an existing VPC and PrivateLink and the *Install into an existing VPC* and *Use a PrivateLink* options are automatically selected. With these options, the Red{nbsp}Hat Site Reliability Engineering (SRE) team can connect to the cluster to assist with support by using only AWS PrivateLink endpoints.
 ====
 
 . Optional: If you are installing your cluster into an existing VPC, select *Configure a cluster-wide proxy* to enable an HTTP or HTTPS proxy to deny direct access to the internet from your cluster.
@@ -380,7 +380,7 @@ You can review the end-of-life dates in the update life cycle documentation for
 +
 [NOTE]
 ====
-In the event of critical security concerns that significantly impact the security or stability of a cluster, Red Hat Site Reliability Engineering (SRE) might schedule automatic updates to the latest z-stream version that is not impacted. The updates are applied within 48 hours after customer notifications are provided. For a description of the critical impact security rating, see link:https://access.redhat.com/security/updates/classification[Understanding Red Hat security ratings].
+In the event of critical security concerns that significantly impact the security or stability of a cluster, Red{nbsp}Hat Site Reliability Engineering (SRE) might schedule automatic updates to the latest z-stream version that is not impacted. The updates are applied within 48 hours after customer notifications are provided. For a description of the critical impact security rating, see link:https://access.redhat.com/security/updates/classification[Understanding Red{nbsp}Hat security ratings].
 ====
 
 . Review the summary of your selections and click *Create cluster* to start the cluster installation.
@@ -432,5 +432,5 @@ After you create your Operator roles, you must edit the _Key Policy_ in the link
 +
 [NOTE]
 ====
-If the installation fails or the cluster *State* does not change to *Ready* after about 40 minutes, check the installation troubleshooting documentation for details. For more information, see _Troubleshooting installations_. For steps to contact Red Hat Support for assistance, see _Getting support for Red Hat OpenShift Service on AWS_.
+If the installation fails or the cluster *State* does not change to *Ready* after about 40 minutes, check the installation troubleshooting documentation for details. For more information, see _Troubleshooting installations_. For steps to contact Red{nbsp}Hat Support for assistance, see _Getting support for Red{nbsp}Hat OpenShift Service on AWS_.
 ====
diff --git a/modules/rosa-sts-creating-account-wide-sts-roles-and-policies.adoc b/modules/rosa-sts-creating-account-wide-sts-roles-and-policies.adoc
index 10d1333030e7..96569cf96934 100644
--- a/modules/rosa-sts-creating-account-wide-sts-roles-and-policies.adoc
+++ b/modules/rosa-sts-creating-account-wide-sts-roles-and-policies.adoc
@@ -23,7 +23,7 @@ ifdef::quick-install[]
 * You have available AWS service quotas.
 * You have enabled the ROSA service in the AWS Console.
 * You have installed and configured the latest ROSA CLI (`rosa`) on your installation host. Run `rosa version` to see your currently installed version of the ROSA CLI. If a newer version is available, the CLI provides a link to download this upgrade.
-* You have logged in to your Red Hat account by using the ROSA CLI.
+* You have logged in to your Red{nbsp}Hat account by using the ROSA CLI.
 endif::[]
 
 .Procedure
diff --git a/modules/rosa-sts-interactive-cluster-creation-mode-options.adoc b/modules/rosa-sts-interactive-cluster-creation-mode-options.adoc
index 5c55f62353de..02849671514f 100644
--- a/modules/rosa-sts-interactive-cluster-creation-mode-options.adoc
+++ b/modules/rosa-sts-interactive-cluster-creation-mode-options.adoc
@@ -53,8 +53,8 @@ The following table describes the interactive cluster creation mode options:
 |Specify a tag that is used on all resources created by {product-title} in AWS. Tags can help you manage, identify, organize, search for, and filter resources within AWS. Tags are comma separated, for example: "key value, foo bar".
 [IMPORTANT]
 ====
-{product-title} only supports custom tags to Red Hat OpenShift resources during cluster creation. Once added, the tags cannot be removed or edited.
-Tags that are added by Red Hat are required for clusters to stay in compliance with Red Hat production service level agreements (SLAs). These tags must not be removed.
+{product-title} only supports custom tags to Red{nbsp}Hat OpenShift resources during cluster creation. Once added, the tags cannot be removed or edited.
+Tags that are added by Red{nbsp}Hat are required for clusters to stay in compliance with Red{nbsp}Hat production service level agreements (SLAs). These tags must not be removed.
 
 {product-title} does not support adding additional tags outside of ROSA cluster-managed resources. These tags can be lost when AWS resources are managed by the ROSA cluster. In these cases, you might need custom solutions or tools to reconcile the tags and keep them intact.
 ====
@@ -66,7 +66,7 @@ Tags that are added by Red Hat are required for clusters to stay in compliance w
 |Specify the AWS region to deploy the cluster in. This overrides the `AWS_REGION` environment variable.
 
 |`PrivateLink cluster (optional)`
-|Create a cluster using AWS PrivateLink. This option provides private connectivity between Virtual Private Clouds (VPCs), AWS services, and your on-premise networks, without exposing your traffic to the public internet. To provide support, Red Hat Site Reliability Engineering (SRE) can connect to the cluster by using AWS PrivateLink Virtual Private Cloud (VPC) endpoints. This option cannot be changed after a cluster is created. The default is `No`.
+|Create a cluster using AWS PrivateLink. This option provides private connectivity between Virtual Private Clouds (VPCs), AWS services, and your on-premise networks, without exposing your traffic to the public internet. To provide support, Red{nbsp}Hat Site Reliability Engineering (SRE) can connect to the cluster by using AWS PrivateLink Virtual Private Cloud (VPC) endpoints. This option cannot be changed after a cluster is created. The default is `No`.
 
 |`Machine CIDR`
 |Specify the IP address range for machines (cluster nodes), which must encompass all CIDR address ranges for your VPC subnets. Subnets must be contiguous. A minimum IP address range of 128 addresses, using the subnet prefix `/25`, is supported for single availability zone deployments. A minimum address range of 256 addresses, using the subnet prefix `/24`, is supported for deployments that use multiple availability zones. The default is `10.0.0.0/16`. This range must not conflict with any connected networks.
@@ -115,17 +115,15 @@ Tags that are added by Red Hat are required for clusters to stay in compliance w
 
 |`Enable FIPS support (optional)`
 |Enable or disable FIPS mode. The default is `false` (disabled). If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with RHCOS instead.
-[IMPORTANT]
-====
-To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. When running {op-system-base-full} or {op-system-first} booted in FIPS mode, {product-title} core components use the {op-system-base} cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.
-====
+
+include::snippets/fips-snippet.adoc[]
 
 |`Encrypt etcd data (optional)`
 |In {product-title}, the control plane storage is encrypted at rest by default and this includes encryption of the etcd volumes. You can additionally enable the `Encrypt etcd data` option to encrypt the key values for some resources in etcd, but not the keys.
 
 [IMPORTANT]
 ====
-By enabling etcd encryption for the key values in etcd, you will incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Red Hat recommends that you enable etcd encryption only if you specifically require it for your use case.
+By enabling etcd encryption for the key values in etcd, you will incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Red{nbsp}Hat recommends that you enable etcd encryption only if you specifically require it for your use case.
 ====
 
 |`Disable workload monitoring (optional)`
diff --git a/modules/rosa-sts-interactive-ocm-and-user-role-creation-mode-options.adoc b/modules/rosa-sts-interactive-ocm-and-user-role-creation-mode-options.adoc
index 661ff81eb6a6..7fdad3397fd7 100644
--- a/modules/rosa-sts-interactive-ocm-and-user-role-creation-mode-options.adoc
+++ b/modules/rosa-sts-interactive-ocm-and-user-role-creation-mode-options.adoc
@@ -6,7 +6,7 @@
 [id="rosa-sts-interactive-ocm-and-user-role-creation-mode-options_{context}"]
 = Interactive OCM and user role creation mode options
 
-Before you can use {cluster-manager-first} to create {product-title} (ROSA) clusters that use the AWS Security Token Service (STS), you must associate your AWS account with your Red Hat organization by creating and linking the OCM and user roles. You can enable interactive mode by specifying the `--interactive` option when you run the `rosa create ocm-role` command or the `rosa create user-role` command.
+Before you can use {cluster-manager-first} to create {product-title} (ROSA) clusters that use the AWS Security Token Service (STS), you must associate your AWS account with your Red{nbsp}Hat organization by creating and linking the OCM and user roles. You can enable interactive mode by specifying the `--interactive` option when you run the `rosa create ocm-role` command or the `rosa create user-role` command.
 
 The following tables describe the interactive OCM role creation mode options:
 
@@ -17,7 +17,7 @@ The following tables describe the interactive OCM role creation mode options:
 |Field|Description
 
 |`Role prefix`
-|Specify the prefix to include in the OCM IAM role name. The default is `ManagedOpenShift`. You can create only one OCM role per AWS account for your Red Hat organization.
+|Specify the prefix to include in the OCM IAM role name. The default is `ManagedOpenShift`. You can create only one OCM role per AWS account for your Red{nbsp}Hat organization.
 
 |`Enable admin capabilities for the OCM role (optional)`
 |Enable the admin OCM IAM role, which is equivalent to specifying the `--admin` argument. The admin role is required if you want to use `auto` mode to automatically provision the cluster-specific Operator roles and the OIDC provider by using {cluster-manager}.
@@ -29,13 +29,13 @@ The following tables describe the interactive OCM role creation mode options:
 |Specify a custom ARN path for your OCM role. The path must contain alphanumeric characters only and start and end with `/`, for example `/test/path/dev/`. For more information, see _ARN path customization for IAM roles and policies_.
 
 |`Role creation mode`
-|Select the role creation mode. You can use `auto` mode to automatically create the OCM role and link it to your Red Hat organization account. In `manual` mode, the ROSA CLI (`rosa`) generates the `aws` commands needed to create and link the role. In `manual` mode, the corresponding policy JSON files are also saved to the current directory. `manual` mode enables you to review the details before running the `aws` commands manually.
+|Select the role creation mode. You can use `auto` mode to automatically create the OCM role and link it to your Red{nbsp}Hat organization account. In `manual` mode, the ROSA CLI (`rosa`) generates the `aws` commands needed to create and link the role. In `manual` mode, the corresponding policy JSON files are also saved to the current directory. `manual` mode enables you to review the details before running the `aws` commands manually.
 
 |`Create the '<ocm_role_name>' role?`
 |Confirm if you want to create the OCM role.
 
 |`Link the '<ocm_role_arn>' role with organization '<red_hat_organization_id>'?`
-|Confirm if you want to link the OCM role with your Red Hat organization.
+|Confirm if you want to link the OCM role with your Red{nbsp}Hat organization.
 
 |===
 
@@ -63,6 +63,6 @@ The following tables describe the interactive user role creation mode options:
 |Confirm if you want to create the user role.
 
 |`Link the '<user_role_arn>' role with account '<red_hat_user_account_id>'?`
-|Confirm if you want to link the user role with your Red Hat user account.
+|Confirm if you want to link the user role with your Red{nbsp}Hat user account.
 
 |===
diff --git a/modules/rosa-sts-ocm-and-user-role-troubleshooting.adoc b/modules/rosa-sts-ocm-and-user-role-troubleshooting.adoc
index 1a0651de73f2..a0abccddaf83 100644
--- a/modules/rosa-sts-ocm-and-user-role-troubleshooting.adoc
+++ b/modules/rosa-sts-ocm-and-user-role-troubleshooting.adoc
@@ -8,17 +8,17 @@
 
 You may receive an error when trying to create a cluster using the {product-title} (ROSA) CLI, `rosa`.
 
-.Sample output
+.Example output
 [source,terminal]
 ----
 E: Failed to create cluster: The sts_user_role is not linked to account '1oNl'. Please create a user role and link it to the account.
 ----
 
-This error means that the `user-role` IAM role is not linked to your AWS account. The most likely cause of this error is that another user in your Red Hat organization created the `ocm-role` IAM role. Your `user-role` IAM role needs to be created.
+This error means that the `user-role` IAM role is not linked to your AWS account. The most likely cause of this error is that another user in your Red{nbsp}Hat organization created the `ocm-role` IAM role. Your `user-role` IAM role needs to be created.
 
 [NOTE]
 ====
-After any user sets up an `ocm-role` IAM resource linked to a Red Hat account, any subsequent users wishing to create a cluster in that Red Hat organization must have a `user-role` IAM role to provision a cluster.
+After any user sets up an `ocm-role` IAM resource linked to a Red{nbsp}Hat account, any subsequent users wishing to create a cluster in that Red{nbsp}Hat organization must have a `user-role` IAM role to provision a cluster.
 ====
 
 .Procedure
@@ -29,7 +29,7 @@ After any user sets up an `ocm-role` IAM resource linked to a Red Hat account, a
 $ rosa list ocm-role
 ----
 +
-.Sample output
+.Example output
 +
 [source,terminal]
 ----
@@ -43,7 +43,7 @@ ManagedOpenShift-OCM-Role-1158  arn:aws:iam::2066:role/ManagedOpenShift-OCM-Role
 $ rosa list user-role
 ----
 +
-.Sample output
+.Example output
 +
 [source,terminal]
 ----
diff --git a/modules/rosa-sts-ocm-role-creation.adoc b/modules/rosa-sts-ocm-role-creation.adoc
index c42e31188ab8..d3851897092a 100644
--- a/modules/rosa-sts-ocm-role-creation.adoc
+++ b/modules/rosa-sts-ocm-role-creation.adoc
@@ -11,7 +11,7 @@ You create your `ocm-role` IAM roles by using the command-line interface (CLI).
 .Prerequisites
 
 * You have an AWS account.
-* You have Red Hat Organization Administrator privileges in the {cluster-manager} organization.
+* You have Red{nbsp}Hat Organization Administrator privileges in the {cluster-manager} organization.
 * You have the permissions required to install AWS account-wide roles.
 * You have installed and configured the latest {product-title} (ROSA) CLI, `rosa`, on your installation host.
 
diff --git a/modules/rosa-sts-overview-of-the-default-cluster-specifications.adoc b/modules/rosa-sts-overview-of-the-default-cluster-specifications.adoc
index 1ead46b34acf..4ea8c845eb99 100644
--- a/modules/rosa-sts-overview-of-the-default-cluster-specifications.adoc
+++ b/modules/rosa-sts-overview-of-the-default-cluster-specifications.adoc
@@ -10,7 +10,10 @@ endif::[]
 ifeval::["{context}" == "rosa-sts-creating-a-cluster-quickly"]
 :rosa-standalone:
 endif::[]
-ifeval::["{context}" == "rosa-sts-creating-a-cluster-quickly-terraform"]
+ifeval::["{context}" == "rosa-classic-creating-a-cluster-quickly-terraform"]
+:rosa-terraform:
+endif::[]
+ifeval::["{context}" == "rosa-hcp-creating-a-cluster-quickly-terraform"]
 :rosa-terraform:
 endif::[]
 
@@ -55,18 +58,22 @@ endif::rosa-terraform[]
 |Cluster settings
 |
 ifdef::rosa-terraform[]
-* Default cluster version: `4.15.0`
+* Default cluster version: `4.14`
 * Cluster name: `rosa-<6-digit-alphanumeric-string>`
+* Default AWS region for installations using the {cluster-manager-first} {hybrid-console-second}: us-east-2 (US East, Ohio)
+* Availability: Multi zone for the data plane
 endif::rosa-terraform[]
 ifndef::rosa-terraform[]
 * Default cluster version: Latest
-endif::rosa-terraform[]
 ifndef::rosa-hcp[]
 * Default AWS region for installations using the {cluster-manager-first} {hybrid-console-second}: us-east-1 (US East, North Virginia)
 endif::rosa-hcp[]
+ifdef::rosa-hcp[]
 * Default AWS region for installations using the ROSA CLI (`rosa`): Defined by your `aws` CLI configuration
-* Default EC2 IMDS endpoints (both v1 and v2) are enabled
+endif::rosa-hcp[]
 * Availability: Single zone for the data plane
+endif::rosa-terraform[]
+* Default EC2 IMDS endpoints (both v1 and v2) are enabled
 * Monitoring for user-defined projects: Enabled
 
 |Encryption
@@ -86,12 +93,24 @@ endif::rosa-hcp[]
 
 |Compute node machine pool
 |* Compute node instance type: m5.xlarge (4 vCPU 16, GiB RAM)
+ifndef::rosa-terraform[]
 * Compute node count: 2
+endif::rosa-terraform[]
+ifdef::rosa-terraform[]
+* Compute node count: 3
+endif::rosa-terraform[]
 * Autoscaling: Not enabled
 * No additional node labels
 
 |Networking configuration
-|* Cluster privacy: Public
+|
+ifndef::rosa-terraform[]
+* Cluster privacy: Public
+endif::rosa-terraform[]
+ifdef::rosa-terraform[]
+* Cluster privacy: public or private
+* You can choose to create a new VPC during the Terraform cluster creation process.
+endif::rosa-terraform[]
 ifdef::rosa-hcp[]
 * You must have configured your own Virtual Private Cloud (VPC)
 endif::rosa-hcp[]
@@ -144,6 +163,6 @@ endif::[]
 ifeval::["{context}" == "rosa-sts-creating-a-cluster-quickly"]
 :!rosa-standalone:
 endif::[]
-ifeval::["{context}" == "rosa-sts-creating-a-cluster-quickly-terraform"]
+ifeval::["{context}" == "rosa-classic-creating-a-cluster-quickly-terraform"]
 :!rosa-terraform:
 endif::[]
diff --git a/modules/rosa-sts-setting-up-environment.adoc b/modules/rosa-sts-setting-up-environment.adoc
index 6b302187e4c7..0d6b5fcf4b13 100644
--- a/modules/rosa-sts-setting-up-environment.adoc
+++ b/modules/rosa-sts-setting-up-environment.adoc
@@ -12,7 +12,7 @@ Before you create a {product-title} (ROSA) cluster that uses the AWS Security To
 .Prerequisites
 
 * Review and complete the deployment prerequisites and policies.
-* Create a link:https://cloud.redhat.com[Red Hat account], if you do not already have one. Then, check your email for a verification link. You will need these credentials to install ROSA.
+* Create a link:https://cloud.redhat.com[Red{nbsp}Hat account], if you do not already have one. Then, check your email for a verification link. You will need these credentials to install ROSA.
 
 .Procedure
 
@@ -128,7 +128,7 @@ $ rosa completion bash | sudo tee /etc/bash_completion.d/rosa
 $ source /etc/bash_completion.d/rosa
 ----
 
-. Log in to your Red Hat account with the ROSA CLI.
+. Log in to your Red{nbsp}Hat account with the ROSA CLI.
 +
 .. Enter the following command.
 +
@@ -177,7 +177,7 @@ After the quota check succeeds, proceed to the next step.
 +
 . Prepare your AWS account for cluster deployment:
 +
-.. Run the following command to verify your Red Hat and AWS credentials are setup correctly.  Check that your AWS Account ID, Default Region and ARN match what you expect. You can safely ignore the rows beginning with {cluster-manager} for now.
+.. Run the following command to verify your Red{nbsp}Hat and AWS credentials are setup correctly.  Check that your AWS Account ID, Default Region and ARN match what you expect. You can safely ignore the rows beginning with {cluster-manager} for now.
 +
 [source,terminal]
 ----
diff --git a/modules/rosa-sts-support-considerations.adoc b/modules/rosa-sts-support-considerations.adoc
index 39350aedad39..ae7e4e87b8cc 100644
--- a/modules/rosa-sts-support-considerations.adoc
+++ b/modules/rosa-sts-support-considerations.adoc
@@ -12,5 +12,5 @@ The supported way of creating a {product-title} (ROSA) cluster that uses the AWS
 ====
 You can use `manual` mode with the ROSA CLI (`rosa`) to generate the AWS Identity and Access Management (IAM) policy files and `aws` commands that are required to install the STS resources.
 
-The files and `aws` commands are generated for review purposes only and must not be modified in any way. Red Hat cannot provide support for ROSA clusters that have been deployed by using modified versions of the policy files or `aws` commands.
+The files and `aws` commands are generated for review purposes only and must not be modified in any way. Red{nbsp}Hat cannot provide support for ROSA clusters that have been deployed by using modified versions of the policy files or `aws` commands.
 ====
diff --git a/modules/rosa-sts-terraform-considerations.adoc b/modules/rosa-sts-terraform-considerations.adoc
index 615daeaa0807..b5c7eb90e27a 100644
--- a/modules/rosa-sts-terraform-considerations.adoc
+++ b/modules/rosa-sts-terraform-considerations.adoc
@@ -5,6 +5,6 @@
 [id="rosa-sts-terraform-considerations_{context}"]
 = Considerations when using Terraform
 
-In general, using Terraform to manage cloud resources should be done with the expectation that any changes should be done using the Terraform methodology. Use caution when using tools outside of Terraform, such as the AWS console or Red Hat console, to modify cloud resources created by Terraform. Using tools outside Terraform to manage cloud resources that are already managed by Terraform introduces configuration drift from your declared Terraform configuration.
+In general, using Terraform to manage cloud resources should be done with the expectation that any changes should be done using the Terraform methodology. Use caution when using tools outside of Terraform, such as the AWS console or Red{nbsp}Hat console, to modify cloud resources created by Terraform. Using tools outside Terraform to manage cloud resources that are already managed by Terraform introduces configuration drift from your declared Terraform configuration.
 
 For example, if you upgrade your Terraform-created cluster by using the {hybrid-console-url}, you need to reconcile your Terraform state before applying any forthcoming configuration changes. For more information, see link:https://developer.hashicorp.com/terraform/tutorials/state/state-cli[Manage resources in Terraform state] in the HashiCorp Developer documentation.
\ No newline at end of file
diff --git a/modules/rosa-sts-terraform-prerequisites.adoc b/modules/rosa-sts-terraform-prerequisites.adoc
index 60517d63d7a1..0f3a4113bfbf 100644
--- a/modules/rosa-sts-terraform-prerequisites.adoc
+++ b/modules/rosa-sts-terraform-prerequisites.adoc
@@ -14,7 +14,7 @@ ifndef::tf-full[]
 .Prerequisites
 endif::tf-full[]
 
-To use link:https://registry.terraform.io/providers/terraform-redhat/rhcs/latest/docs[the Red Hat Cloud Services provider] inside your Terraform configuration, you must meet the following prerequisites:
+To use link:https://registry.terraform.io/providers/terraform-redhat/rhcs/latest/docs[the Red{nbsp}Hat Cloud Services provider] inside your Terraform configuration, you must meet the following prerequisites:
 
 * You have installed the {product-title} (ROSA) command-line interface (CLI) tool.
 ifdef::tf-full[]
@@ -24,7 +24,7 @@ endif::tf-full[]
 * You have your offline link:https://console.redhat.com/openshift/token/rosa[{cluster-manager-first} token].
 ifdef::tf-full[]
 +
-This token is generated through the Red Hat Hybrid Cloud Console. It is unique to your account and should not be shared. The token is generated based off your account access and permissions.
+This token is generated through the Red{nbsp}Hat Hybrid Cloud Console. It is unique to your account and should not be shared. The token is generated based off your account access and permissions.
 endif::tf-full[]
 * You have installed link:https://developer.hashicorp.com/terraform/downloads[Terraform version 1.4.6] or newer.
 ifdef::tf-full[]
diff --git a/modules/rosa-sts-understanding-aws-account-association.adoc b/modules/rosa-sts-understanding-aws-account-association.adoc
index 82ee6e1505ec..cf2043787e41 100644
--- a/modules/rosa-sts-understanding-aws-account-association.adoc
+++ b/modules/rosa-sts-understanding-aws-account-association.adoc
@@ -31,9 +31,9 @@ endif::rosa-hcp[]
 ifndef::rosa-hcp[]
 {product-title} (ROSA)
 endif::rosa-hcp[]
-clusters that use the AWS Security Token Service (STS), you must associate your AWS account with your Red Hat organization. You can associate your account by creating and linking the following IAM roles.
+clusters that use the AWS Security Token Service (STS), you must associate your AWS account with your Red{nbsp}Hat organization. You can associate your account by creating and linking the following IAM roles.
 
-{cluster-manager} role:: Create an {cluster-manager} IAM role and link it to your Red Hat organization.
+{cluster-manager} role:: Create an {cluster-manager} IAM role and link it to your Red{nbsp}Hat organization.
 +
 You can apply basic or administrative permissions to the {cluster-manager} role. The basic permissions enable cluster maintenance using {cluster-manager}. The administrative permissions enable automatic deployment of the cluster-specific Operator roles and the OpenID Connect (OIDC) provider using {cluster-manager}.
 ifdef::quick-install[]
@@ -41,9 +41,9 @@ ifdef::quick-install[]
 You can use the administrative permissions with the {cluster-manager} role to deploy a cluster quickly.
 endif::quick-install[]
 
-User role:: Create a user IAM role and link it to your Red Hat user account. The Red Hat user account must exist in the Red Hat organization that is linked to your {cluster-manager} role.
+User role:: Create a user IAM role and link it to your Red{nbsp}Hat user account. The Red{nbsp}Hat user account must exist in the Red{nbsp}Hat organization that is linked to your {cluster-manager} role.
 +
-The user role is used by Red Hat to verify your AWS identity when you use the {cluster-manager} {hybrid-console-second} to install a cluster and the required STS resources.
+The user role is used by Red{nbsp}Hat to verify your AWS identity when you use the {cluster-manager} {hybrid-console-second} to install a cluster and the required STS resources.
 
 ifeval::["{context}" == "rosa-sts-creating-a-cluster-quickly"]
 :quick-install:
diff --git a/modules/rosa-terraform-overview.adoc b/modules/rosa-terraform-overview.adoc
new file mode 100644
index 000000000000..00258c159fb5
--- /dev/null
+++ b/modules/rosa-terraform-overview.adoc
@@ -0,0 +1,11 @@
+// Module included in the following assemblies:
+//
+// * rosa_install_access_delete_clusters/rosa-classic-creating-a-cluster-quickly-terraform.adoc
+//
+
+:_content-type: CONCEPT
+
+[id="rosa-terraform-overview_{context}"]
+= Overview of Terraform
+
+Terraform is an infrastructure-as-code tool that provides a way to configure your resources once and replicate those resources as desired. Terraform accomplishes the creation tasks by using declarative language. You declare what you want the final state of the infrastructure resource to be, and Terraform creates these resources to your specifications.
\ No newline at end of file
diff --git a/modules/rosa-troubleshooting-installing.adoc b/modules/rosa-troubleshooting-installing.adoc
index 78bd21481a71..72288e9a85d4 100644
--- a/modules/rosa-troubleshooting-installing.adoc
+++ b/modules/rosa-troubleshooting-installing.adoc
@@ -49,7 +49,7 @@ Run the following command to verify if your AWS account has the correct permissi
 $ rosa verify permissions
 ----
 
-If you receive any errors, double check to ensure than an link:https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_type-auth.html#orgs_manage_policies_scp[SCP] is not applied to your AWS account. If you are required to use an SCP, see link:https://www.openshift.com/dedicated/ccs#scp[Red Hat Requirements for Customer Cloud Subscriptions] for details on the minimum required SCP.
+If you receive any errors, double check to ensure than an link:https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_type-auth.html#orgs_manage_policies_scp[SCP] is not applied to your AWS account. If you are required to use an SCP, see link:https://www.openshift.com/dedicated/ccs#scp[Red{nbsp}Hat Requirements for Customer Cloud Subscriptions] for details on the minimum required SCP.
 
 [id="rosa-faq-verify-aws-quota_{context}"]
 == Verify your AWS account and quota
diff --git a/modules/rosa-unlinking-and-deleting-ocm-and-user-iam-roles.adoc b/modules/rosa-unlinking-and-deleting-ocm-and-user-iam-roles.adoc
index ccdac0dec8bc..134dbc954d0d 100644
--- a/modules/rosa-unlinking-and-deleting-ocm-and-user-iam-roles.adoc
+++ b/modules/rosa-unlinking-and-deleting-ocm-and-user-iam-roles.adoc
@@ -18,7 +18,7 @@ endif::hcp[]
 ifdef::hcp[]
 {hcp-title} 
 endif::hcp[]
-cluster by using {cluster-manager-first}, you also create {cluster-manager} and user Identity and Access Management (IAM) roles that link to your Red Hat organization. After deleting your cluster, you can unlink and delete the roles by using the ROSA CLI (`rosa`).
+cluster by using {cluster-manager-first}, you also create {cluster-manager} and user Identity and Access Management (IAM) roles that link to your Red{nbsp}Hat organization. After deleting your cluster, you can unlink and delete the roles by using the ROSA CLI (`rosa`).
 
 [IMPORTANT]
 ====
@@ -40,13 +40,13 @@ endif::hcp[]
 
 .Prerequisites
 
-* You created {cluster-manager} and user IAM roles and linked them to your Red Hat organization.
+* You created {cluster-manager} and user IAM roles and linked them to your Red{nbsp}Hat organization.
 * You have installed and configured the latest ROSA CLI (`rosa`) on your installation host.
-* You have organization administrator privileges in your Red Hat organization.
+* You have organization administrator privileges in your Red{nbsp}Hat organization.
 
 .Procedure
 
-. Unlink the {cluster-manager} IAM role from your Red Hat organization and delete the role:
+. Unlink the {cluster-manager} IAM role from your Red{nbsp}Hat organization and delete the role:
 .. List the {cluster-manager} IAM roles in your AWS account:
 +
 [source,terminal]
@@ -74,7 +74,7 @@ ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>  arn:aws:iam::<aws_
 ----
 endif::hcp[]
 +
-.. If your {cluster-manager} IAM role is listed as linked in the output of the preceding command, unlink the role from your Red Hat organization by running the following command:
+.. If your {cluster-manager} IAM role is listed as linked in the output of the preceding command, unlink the role from your Red{nbsp}Hat organization by running the following command:
 +
 [source,terminal]
 ----
@@ -108,7 +108,7 @@ I: Successfully deleted the OCM role
 ----
 <1> Specifies the deletion mode. You can use `auto` mode to automatically delete the {cluster-manager} IAM role and policies. In `manual` mode, the ROSA CLI generates the `aws` commands needed to delete the role and policies. `manual` mode enables you to review the details before running the `aws` commands manually.
 
-. Unlink the user IAM role from your Red Hat organization and delete the role:
+. Unlink the user IAM role from your Red{nbsp}Hat organization and delete the role:
 .. List the user IAM roles in your AWS account:
 +
 [source,terminal]
@@ -124,7 +124,7 @@ ROLE NAME                                  ROLE ARN
 ManagedOpenShift-User-<ocm_user_name>-Role  arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-User-<ocm_user_name>-Role  Yes
 ----
 +
-.. If your user IAM role is listed as linked in the output of the preceding command, unlink the role from your Red Hat organization:
+.. If your user IAM role is listed as linked in the output of the preceding command, unlink the role from your Red{nbsp}Hat organization:
 +
 [source,terminal]
 ----
diff --git a/modules/rosa-upgrade-cluster-cli.adoc b/modules/rosa-upgrade-cluster-cli.adoc
index 8543eb1b2b4d..0c48c4f6329a 100644
--- a/modules/rosa-upgrade-cluster-cli.adoc
+++ b/modules/rosa-upgrade-cluster-cli.adoc
@@ -192,6 +192,52 @@ $ rosa delete upgrade --cluster=<cluster_name> <machinepool_name>
 |Specifies an AWS profile (string) from your credentials file.
 |===
 
+[id="rosa-upgrade-roles_{context}"]
+== upgrade roles
+Upgrades roles configured on a cluster.
+
+
+.Syntax
+[source,terminal]
+----
+$ rosa upgrade roles --cluster=<cluster_id>
+----
+
+.Arguments
+[cols="30,70"]
+|===
+|Option |Definition
+
+|--cluster
+|Required: The name or ID (string) of the cluster.
+|===
+
+.Optional arguments inherited from parent commands
+[cols="30,70"]
+|===
+|Option |Definition
+
+|--help
+|Shows help for this command.
+
+|--debug
+|Enables debug mode.
+
+|--profile
+|Specifies an AWS profile (string) from your credentials file.
+|===
+
+.Example
+Upgrade roles on a cluster named `mycluster`.
+[source,terminal]
+----
+$ rosa upgrade roles --cluster=mycluster
+----
+
+
+
+
+
 // .Example
 // Delete  a machine pool named `mymachinepool` on a cluster named `mycluster`.
 // [source,terminal]
diff --git a/modules/rosa-using-bash-script.adoc b/modules/rosa-using-bash-script.adoc
index 9f87ff789df9..8dbe9e1326fd 100644
--- a/modules/rosa-using-bash-script.adoc
+++ b/modules/rosa-using-bash-script.adoc
@@ -18,7 +18,7 @@ Make sure that AWS credentials are available as one of the following options:
 
 .Procedure
 
-. Initialize `rosa` using an {cluster-manager-first} offline token link:https://console.redhat.com/openshift/token/rosa[from Red Hat]:
+. Initialize `rosa` using an {cluster-manager-first} offline token link:https://console.redhat.com/openshift/token/rosa[from Red{nbsp}Hat]:
 +
 [source,terminal]
 ----
diff --git a/modules/rotating-certificate-authority.adoc b/modules/rotating-certificate-authority.adoc
new file mode 100644
index 000000000000..5d761a575eee
--- /dev/null
+++ b/modules/rotating-certificate-authority.adoc
@@ -0,0 +1,47 @@
+// Module included in the following assemblies:
+//
+// security/certificate_types_descriptions/etcd-certificates.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="rotating-certificate-authority_{context}"]
+= Rotating the etcd certificate
+
+Rotate the `etcd` certificate before it expires.
+
+.Procedure
+
+. Verify the remaining lifetime of the new signer certificate by running the following command:
++
+[source,terminal]
+----
+$ oc get secret -n openshift-etcd etcd-signer -ojsonpath='{.metadata.annotations.auth\.openshift\.io/certificate-not-after}'
+----
+
+. If the remaining lifetime is close to the current date, re-create the signer by deleting the signer and wait for the static pod roll out.
+* Delete the signer by running the following command:
++
+[source,terminal]
+----
+$ oc delete secret -n openshift-etcd etcd-signer
+----
+
+* Wait for the static pod roll out by running the following command:
++
+[source,terminal]
+----
+$ oc wait --for=condition=Progressing=False --timeout=15m clusteroperator/etcd
+----
+
+. After `etcd` restarts, switch the original CA in the `openshift-config` namespace with the new, rotated one in `openshift-etcd` by running the following command:
++
+[source,terminal]
+----
+$ oc get secret etcd-signer -n openshift-etcd -ojson | jq 'del(.metadata["namespace","creationTimestamp","resourceVersion","selfLink","uid"])' | oc apply -n openshift-config -f -
+----
+
+. Wait for the cluster Operators to roll out and stabilize by running the following command:
++
+[source,terminal]
+----
+$ oc adm wait-for-stable-cluster --minimum-stable-period 2m
+----
diff --git a/modules/running-cluster-oci-agent-based.adoc b/modules/running-cluster-oci-agent-based.adoc
index 84df7285ec97..c8bf43a5bb50 100644
--- a/modules/running-cluster-oci-agent-based.adoc
+++ b/modules/running-cluster-oci-agent-based.adoc
@@ -13,7 +13,7 @@ To run a cluster on {oci-first}, you must upload the generated agent ISO image t
 {oci} supports the following {product-title} cluster topologies:
 
 * Installing an {product-title} cluster on a single node.
-* A highly-availabile cluster that has a minimum of three control plane instances and two compute instances.
+* A highly available cluster that has a minimum of three control plane instances and two compute instances.
 * A compact three-node cluster that has a minimum of three control plane instances.
 ====
 
diff --git a/modules/scale-down-data-plane.adoc b/modules/scale-down-data-plane.adoc
index 7d90841c19b2..d18d8de82952 100644
--- a/modules/scale-down-data-plane.adoc
+++ b/modules/scale-down-data-plane.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * hosted_control_planes/hcp-managing.adoc
+// * hosted_control_planes/hcp-troubleshooting.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="scale-down-data-plane_{context}"]
diff --git a/modules/sd-planning-considerations.adoc b/modules/sd-planning-considerations.adoc
index c8fb896bc967..41aeeeb15526 100644
--- a/modules/sd-planning-considerations.adoc
+++ b/modules/sd-planning-considerations.adoc
@@ -12,7 +12,7 @@ ifdef::openshift-rosa[]
 endif::[]
 cluster, the sizing of the control plane and infrastructure nodes are automatically determined by the compute node count.
 
-If you change the number of compute nodes in your cluster after installation, the Red Hat Site Reliability Engineering (SRE) team scales the control plane and infrastructure nodes as required to maintain cluster stability.
+If you change the number of compute nodes in your cluster after installation, the Red{nbsp}Hat Site Reliability Engineering (SRE) team scales the control plane and infrastructure nodes as required to maintain cluster stability.
 
 [id="node-sizing-during-installation_{context}"]
 == Node sizing during installation
@@ -29,7 +29,7 @@ endif::[]
 the control plane and infrastructure node sizing that is applied during installation.
 
 ifdef::openshift-dedicated[]
-AWS control plane and infrastructure node size
+AWS control plane and infrastructure node size:
 endif::[]
 [options="header",cols="3*"]
 |===
@@ -50,10 +50,12 @@ endif::[]
 
 ifdef::openshift-dedicated[]
 
-GCP control plane and infrastructure node size
-[options="header",cols="3*"]
+GCP control plane and infrastructure node size:
+[options="header",cols="2a,2a,2a"]
 |===
-|Number of compute nodes |Control plane size |Infrastructure node size
+|Number of compute nodes
+|Control plane size
+|Infrastructure node size
 
 |1 to 25
 |custom-8-32768
@@ -68,6 +70,26 @@ GCP control plane and infrastructure node size
 |custom-16-131072-ext
 |===
 
+GCP control plane and infrastructure node size for clusters created on or after 21 June 2024:
+[options="header",cols="2a,2a,2a"]
+|===
+|Number of compute nodes
+|Control plane size
+|Infrastructure node size
+
+|1 to 25
+|n2-standard-8
+|n2-highmem-4
+
+|26 to 100
+|n2-standard-16
+|n2-highmem-8
+
+|101 to 180
+|n2-standard-32
+|n2-highmem-16
+|===
+
 endif::[]
 
 [NOTE]
@@ -85,7 +107,7 @@ is 180.
 [id="node-scaling-after-installation_{context}"]
 == Node scaling after installation
 
-If you change the number of compute nodes after installation, the control plane and infrastructure nodes are scaled by the Red Hat Site Reliability Engineering (SRE) team as required. The nodes are scaled to maintain platform stability.
+If you change the number of compute nodes after installation, the control plane and infrastructure nodes are scaled by the Red{nbsp}Hat Site Reliability Engineering (SRE) team as required. The nodes are scaled to maintain platform stability.
 
 Postinstallation scaling requirements for control plane and infrastructure nodes are assessed on a case-by-case basis. Node resource consumption and received alerts are taken into consideration.
 
diff --git a/modules/sd-understanding-process-id-limits.adoc b/modules/sd-understanding-process-id-limits.adoc
index e6a4c769c0a9..7870bed09dff 100644
--- a/modules/sd-understanding-process-id-limits.adoc
+++ b/modules/sd-understanding-process-id-limits.adoc
@@ -14,8 +14,8 @@ The default value is 4,096 in {product-title} 4.11 and later. This value is cont
 
 * Maximum number of PIDs per node.
 +
-The default value depends on link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.15/html-single/nodes/index#nodes-nodes-resources-configuring[node resources]. In {product-title}, this value is controlled by the link:https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#system-reserved[`--system-reserved`] parameter, which reserves PIDs on each node based on the total resources of the node.
+The default value depends on link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.16/html-single/nodes/index#nodes-nodes-resources-configuring[node resources]. In {product-title}, this value is controlled by the link:https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#system-reserved[`--system-reserved`] parameter, which reserves PIDs on each node based on the total resources of the node.
 
 When a pod exceeds the allowed maximum number of PIDs per pod, the pod might stop functioning correctly and might be evicted from the node. See link:https://kubernetes.io/docs/concepts/scheduling-eviction/node-pressure-eviction/#eviction-signals-and-thresholds[the Kubernetes documentation for eviction signals and thresholds] for more information.
 
-When a node exceeds the allowed maximum number of PIDs per node, the node can become unstable because new processes cannot have PIDs assigned. If existing processes cannot complete without creating additional processes, the entire node can become unusable and require reboot. This situation can result in data loss, depending on the processes and applications being run. Customer administrators and Red Hat Site Reliability Engineering are notified when this threshold is reached, and a `Worker node is experiencing PIDPressure` warning will appear in the cluster logs.
+When a node exceeds the allowed maximum number of PIDs per node, the node can become unstable because new processes cannot have PIDs assigned. If existing processes cannot complete without creating additional processes, the entire node can become unusable and require reboot. This situation can result in data loss, depending on the processes and applications being run. Customer administrators and Red{nbsp}Hat Site Reliability Engineering are notified when this threshold is reached, and a `Worker node is experiencing PIDPressure` warning will appear in the cluster logs.
diff --git a/modules/sdpolicy-am-gcp-compute-types.adoc b/modules/sdpolicy-am-gcp-compute-types.adoc
index 2bce9ce0f7af..62e4d0d19da9 100644
--- a/modules/sdpolicy-am-gcp-compute-types.adoc
+++ b/modules/sdpolicy-am-gcp-compute-types.adoc
@@ -8,7 +8,7 @@
 {product-title} offers the following worker node types and sizes on Google Cloud that are chosen to have a common CPU and memory capacity that are the same as other cloud instance types:
 [NOTE]
 ====
-`e2`, `n2`, `c2`, and `a2` compute types are available for CCS only.
+`e2` and `a2` compute types are available for CCS only.
 ====
 
 .General purpose
diff --git a/modules/secrets-store-aws.adoc b/modules/secrets-store-aws.adoc
index 21b9f149acc9..382250879acf 100644
--- a/modules/secrets-store-aws.adoc
+++ b/modules/secrets-store-aws.adoc
@@ -17,11 +17,6 @@ endif::[]
 
 You can use the {secrets-store-operator} to mount secrets from {secrets-store-provider} to a CSI volume in {product-title}. To mount secrets from {secrets-store-provider}, your cluster must be installed on AWS and use AWS Security Token Service (STS).
 
-[IMPORTANT]
-====
-It is not supported to use the {secrets-store-operator} with {secrets-store-provider} in a hosted control plane cluster.
-====
-
 .Prerequisites
 
 * Your cluster is installed on AWS and uses AWS Security Token Service (STS).
diff --git a/modules/secrets-store-providers.adoc b/modules/secrets-store-providers.adoc
index 9c69cd94f192..0875f006c289 100644
--- a/modules/secrets-store-providers.adoc
+++ b/modules/secrets-store-providers.adoc
@@ -11,3 +11,4 @@ The following secrets store providers are available for use with the {secrets-st
 * AWS Secrets Manager
 * AWS Systems Manager Parameter Store
 * Azure Key Vault
+* HashiCorp Vault
diff --git a/modules/secrets-store-vault.adoc b/modules/secrets-store-vault.adoc
new file mode 100644
index 000000000000..e33fce72ffda
--- /dev/null
+++ b/modules/secrets-store-vault.adoc
@@ -0,0 +1,384 @@
+// Module included in the following assemblies:
+//
+// * nodes/pods/nodes-pods-secrets-store.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="secrets-store-vault_{context}"]
+= Mounting secrets from HashiCorp Vault
+
+You can use the {secrets-store-operator} to mount secrets from HashiCorp Vault to a CSI volume in {product-title}.
+
+[IMPORTANT]
+====
+Mounting secrets from HashiCorp Vault by using the {secrets-store-operator} has been tested with the following cloud providers:
+
+* Amazon Web Services (AWS)
+* Microsoft Azure
+
+Other cloud providers might work, but have not been tested yet. Additional cloud providers might be tested in the future.
+====
+
+.Prerequisites
+
+* You have installed the {secrets-store-operator}. See _Installing the {secrets-store-driver}_ for instructions.
+* You have installed Helm.
+* You have access to the cluster as a user with the `cluster-admin` role.
+
+.Procedure
+
+. Add the HashiCorp Helm repository by running the following command:
++
+[source,terminal]
+----
+$ helm repo add hashicorp https://helm.releases.hashicorp.com
+----
+
+. Update all repositories to ensure that Helm is aware of the latest versions by running the following command:
++
+[source,terminal]
+----
+$ helm repo update
+----
+
+. Install the HashiCorp Vault provider:
+
+.. Create a new project for Vault by running the following command:
++
+[source,terminal]
+----
+$ oc new-project vault
+----
+
+.. Label the `vault` namespace for pod security admission by running the following command:
++
+[source,terminal]
+----
+$ oc label ns vault security.openshift.io/scc.podSecurityLabelSync=false pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/audit=privileged pod-security.kubernetes.io/warn=privileged --overwrite
+----
+
+.. Grant privileged access to the `vault` service account by running the following command:
++
+[source,terminal]
+----
+$ oc adm policy add-scc-to-user privileged -z vault -n vault
+----
+
+.. Grant privileged access to the `vault-csi-provider` service account by running the following command:
++
+[source,terminal]
+----
+$ oc adm policy add-scc-to-user privileged -z vault-csi-provider -n vault
+----
+
+.. Deploy HashiCorp Vault by running the following command:
++
+[source,terminal]
+----
+$ helm install vault hashicorp/vault --namespace=vault \
+  --set "server.dev.enabled=true" \
+  --set "injector.enabled=false" \
+  --set "csi.enabled=true" \
+  --set "global.openshift=true" \
+  --set "injector.agentImage.repository=docker.io/hashicorp/vault" \
+  --set "server.image.repository=docker.io/hashicorp/vault" \
+  --set "csi.image.repository=docker.io/hashicorp/vault-csi-provider" \
+  --set "csi.agent.image.repository=docker.io/hashicorp/vault" \
+  --set "csi.daemonSet.providersDir=/var/run/secrets-store-csi-providers"
+----
+
+.. Patch the `vault-csi-driver` daemon set to set the `securityContext` to `privileged` by running the following command:
++
+[source,terminal]
+----
+$ oc patch daemonset -n vault vault-csi-provider --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/securityContext", "value": {"privileged": true} }]'
+----
+
+.. Verify that the `vault-csi-provider` pods have started properly by running the following command:
++
+[source,terminal]
+----
+$ oc get pods -n vault
+----
++
+.Example output
+[source,terminal]
+----
+NAME                       READY   STATUS    RESTARTS   AGE
+vault-0                    1/1     Running   0          24m
+vault-csi-provider-87rgw   1/2     Running   0          5s
+vault-csi-provider-bd6hp   1/2     Running   0          4s
+vault-csi-provider-smlv7   1/2     Running   0          5s
+----
+
+. Configure HashiCorp Vault to store the required secrets:
+
+.. Create a secret by running the following command:
++
+[source,terminal]
+----
+$ oc exec vault-0 --namespace=vault -- vault kv put secret/example1 testSecret1=my-secret-value
+----
+
+.. Verify that the secret is readable at the path `secret/example1` by running the following command:
++
+[source,terminal]
+----
+$ oc exec vault-0 --namespace=vault -- vault kv get secret/example1
+----
++
+.Example output
+[source,terminal]
+----
+= Secret Path =
+secret/data/example1
+
+======= Metadata =======
+Key                Value
+---                -----
+created_time       2024-04-05T07:05:16.713911211Z
+custom_metadata    <nil>
+deletion_time      n/a
+destroyed          false
+version            1
+
+=== Data ===
+Key            Value
+---            -----
+testSecret1    my-secret-value
+----
+
+. Configure Vault to use Kubernetes authentication:
+
+.. Enable the Kubernetes auth method by running the following command:
++
+[source,terminal]
+----
+$ oc exec vault-0 --namespace=vault -- vault auth enable kubernetes
+----
++
+.Example output
+[source,terminal]
+----
+Success! Enabled kubernetes auth method at: kubernetes/
+----
+
+.. Configure the Kubernetes auth method:
+
+... Set the token reviewer as an environment variable by running the following command:
++
+[source,terminal]
+----
+$ TOKEN_REVIEWER_JWT="$(oc exec vault-0 --namespace=vault -- cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
+----
+... Set the Kubernetes service IP address as an environment variable by running the following command:
++
+[source,terminal]
+----
+$ KUBERNETES_SERVICE_IP="$(oc get svc kubernetes -o go-template="{{ .spec.clusterIP }}")"
+----
+
+... Update the Kubernetes auth method by running the following command:
++
+[source,terminal]
+----
+$ oc exec -i vault-0 --namespace=vault -- vault write auth/kubernetes/config \
+  issuer="https://kubernetes.default.svc.cluster.local" \
+  token_reviewer_jwt="${TOKEN_REVIEWER_JWT}" \
+  kubernetes_host="https://${KUBERNETES_SERVICE_IP}:443" \
+  kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+----
++
+.Example output
+[source,terminal]
+----
+Success! Data written to: auth/kubernetes/config
+----
+
+.. Create a policy for the application by running the following command:
++
+[source,terminal]
+----
+$ oc exec -i vault-0 --namespace=vault -- vault policy write csi -<<EOF
+  path "secret/data/*" {
+  capabilities = ["read"]
+  }
+  EOF
+----
++
+.Example output
+[source,terminal]
+----
+Success! Uploaded policy: csi
+----
+
+.. Create an authentication role to access the application by running the following command:
++
+[source,terminal]
+----
+$ oc exec -i vault-0 --namespace=vault -- vault write auth/kubernetes/role/csi \
+  bound_service_account_names=default \
+  bound_service_account_namespaces=default,test-ns,negative-test-ns,my-namespace \
+  policies=csi \
+  ttl=20m
+----
++
+.Example output
+[source,terminal]
+----
+Success! Data written to: auth/kubernetes/role/csi
+----
+
+.. Verify that all of the `vault` pods are running properly by running the following command:
++
+[source,terminal]
+----
+$ oc get pods -n vault
+----
++
+.Example output
+[source,terminal]
+----
+NAME                       READY   STATUS    RESTARTS   AGE
+vault-0                    1/1     Running   0          43m
+vault-csi-provider-87rgw   2/2     Running   0          19m
+vault-csi-provider-bd6hp   2/2     Running   0          19m
+vault-csi-provider-smlv7   2/2     Running   0          19m
+----
+
+.. Verify that all of the `secrets-store-csi-driver` pods are running properly by running the following command:
++
+[source,terminal]
+----
+$ oc get pods -n openshift-cluster-csi-drivers | grep -E "secrets"
+----
++
+.Example output
+[source,terminal]
+----
+secrets-store-csi-driver-node-46d2g                  3/3     Running   0             45m
+secrets-store-csi-driver-node-d2jjn                  3/3     Running   0             45m
+secrets-store-csi-driver-node-drmt4                  3/3     Running   0             45m
+secrets-store-csi-driver-node-j2wlt                  3/3     Running   0             45m
+secrets-store-csi-driver-node-v9xv4                  3/3     Running   0             45m
+secrets-store-csi-driver-node-vlz28                  3/3     Running   0             45m
+secrets-store-csi-driver-operator-84bd699478-fpxrw   1/1     Running   0             47m
+----
+
+. Create a secret provider class to define your secrets store provider:
+
+.. Create a YAML file that defines the `SecretProviderClass` object:
++
+.Example `secret-provider-class-vault.yaml`
+[source,yaml]
+----
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: my-vault-provider                   <1>
+  namespace: my-namespace                   <2>
+spec:
+  provider: vault                           <3>
+  parameters:                               <4>
+    roleName: "csi"
+    vaultAddress: "http://vault.vault:8200"
+    objects:  |
+      - secretPath: "secret/data/example1"
+        objectName: "testSecret1"
+        secretKey: "testSecret1
+----
+<1> Specify the name for the secret provider class.
+<2> Specify the namespace for the secret provider class.
+<3> Specify the provider as `vault`.
+<4> Specify the provider-specific configuration parameters.
+
+.. Create the `SecretProviderClass` object by running the following command:
++
+[source,terminal]
+----
+$ oc create -f secret-provider-class-vault.yaml
+----
+
+. Create a deployment to use this secret provider class:
+
+.. Create a YAML file that defines the `Deployment` object:
++
+.Example `deployment.yaml`
+[source,yaml]
+----
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: busybox-deployment                                    <1>
+  namespace: my-namespace                                     <2>
+  labels:
+    app: busybox
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  template:
+    metadata:
+      labels:
+        app: busybox
+    spec:
+      terminationGracePeriodSeconds: 0
+      containers:
+      - image: registry.k8s.io/e2e-test-images/busybox:1.29-4
+        name: busybox
+        imagePullPolicy: IfNotPresent
+        command:
+        - "/bin/sleep"
+        - "10000"
+        volumeMounts:
+        - name: secrets-store-inline
+          mountPath: "/mnt/secrets-store"
+          readOnly: true
+      volumes:
+        - name: secrets-store-inline
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: "my-vault-provider"        <3>
+----
+<1> Specify the name for the deployment.
+<2> Specify the namespace for the deployment. This must be the same namespace as the secret provider class.
+<3> Specify the name of the secret provider class.
+
+.. Create the `Deployment` object by running the following command:
++
+[source,terminal]
+----
+$ oc create -f deployment.yaml
+----
+
+.Verification
+
+* Verify that you can access the secrets from your HashiCorp Vault in the pod volume mount:
+
+.. List the secrets in the pod mount by running the following command:
++
+[source,terminal]
+----
+$ oc exec busybox-<hash> -n my-namespace -- ls /mnt/secrets-store/
+----
++
+.Example output
+[source,terminal]
+----
+testSecret1
+----
+
+.. View a secret in the pod mount by running the following command:
++
+[source,terminal]
+----
+$ oc exec busybox-<hash> -n my-namespace -- cat /mnt/secrets-store/testSecret1
+----
++
+.Example output
+[source,terminal]
+----
+my-secret-value
+----
diff --git a/modules/security-compliance-nist.adoc b/modules/security-compliance-nist.adoc
index 6649094e23bc..82a2504c34ca 100644
--- a/modules/security-compliance-nist.adoc
+++ b/modules/security-compliance-nist.adoc
@@ -18,10 +18,7 @@ FIPS compliance is one of the most critical components required in
 highly secure environments, to ensure that only supported cryptographic
 technologies are allowed on nodes.
 
-[IMPORTANT]
-====
-To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode]. When running {op-system-base-full} or {op-system-first} booted in FIPS mode, {product-title} core components use the {op-system-base} cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.
-====
+include::snippets/fips-snippet.adoc[]
 endif::openshift-origin[]
 
 To understand Red Hat's view of {product-title} compliance frameworks, refer
diff --git a/modules/serverless-quarkus-template.adoc b/modules/serverless-quarkus-template.adoc
index 19947bb04a9a..8954843deac3 100644
--- a/modules/serverless-quarkus-template.adoc
+++ b/modules/serverless-quarkus-template.adoc
@@ -45,7 +45,7 @@ Both `http` and `event` trigger functions have the same template structure:
     <dependency>
       <groupId>junit</groupId>
       <artifactId>junit</artifactId>
-      <version>4.15</version>
+      <version>4.16</version>
       <scope>test</scope>
     </dependency>
     <dependency>
diff --git a/modules/service-account-auto-secret-removed.adoc b/modules/service-account-auto-secret-removed.adoc
index 11024559fee2..9612e558e53d 100644
--- a/modules/service-account-auto-secret-removed.adoc
+++ b/modules/service-account-auto-secret-removed.adoc
@@ -5,37 +5,19 @@
 
 :_mod-docs-content-type: CONCEPT
 [id="auto-generated-sa-token-secrets_{context}"]
-= Automatically generated secrets
+= Automatically generated image pull secrets
 
-By default, {product-title} creates the following secrets for each service account:
+By default, {product-title} creates an image pull secret for each service account.
 
-* A dockercfg image pull secret
-* A service account token secret
-+
 [NOTE]
 ====
-Prior to {product-title} 4.11, a second service account token secret was generated when a service account was created. This service account token secret was used to access the Kubernetes API.
+Prior to {product-title} 4.16, a long-lived service account API token secret was also generated for each service account that was created. Starting with {product-title} 4.16, this service account API token secret is no longer created.
 
-Starting with {product-title} 4.11, this second service account token secret is no longer created. This is because the `LegacyServiceAccountTokenNoAutoGeneration` upstream Kubernetes feature gate was enabled, which stops the automatic generation of secret-based service account tokens to access the Kubernetes API.
-
-After upgrading to {product-version}, any existing service account token secrets are not deleted and continue to function.
+After upgrading to {product-version}, any existing long-lived service account API token secrets are not deleted and will continue to function. For information about detecting long-lived API tokens that are in use in your cluster or deleting them if they are not needed, see the Red Hat Knowledgebase article link:https://access.redhat.com/articles/7058801[Long-lived service account API tokens in OpenShift Container Platform].
 ====
 
-This service account token secret and docker configuration image pull secret are necessary to integrate the {product-registry} into the cluster's user authentication and authorization system.
-
-However, if you do not enable the `ImageRegistry` capability or if you disable the integrated {product-registry} in the Cluster Image Registry Operator's configuration, these secrets are not generated for each service account.
-
-[WARNING]
-====
-Do not rely on these automatically generated secrets for your own use; they might be removed in a future {product-title} release.
-====
-
-Workloads are automatically injected with a projected volume to obtain a bound service account token. If your workload needs an additional service account token, add an additional projected volume in your workload manifest. Bound service account tokens are more secure than service account token secrets for the following reasons:
-
-* Bound service account tokens have a bounded lifetime.
-* Bound service account tokens contain audiences.
-* Bound service account tokens can be bound to pods or secrets and the bound tokens are invalidated when the bound object is removed.
+This image pull secret is necessary to integrate the {product-registry} into the cluster's user authentication and authorization system.
 
-For more information, see _Configuring bound service account tokens using volume projection_.
+However, if you do not enable the `ImageRegistry` capability or if you disable the integrated {product-registry} in the Cluster Image Registry Operator's configuration, an image pull secret is not generated for each service account.
 
-You can also manually create a service account token secret to obtain a token, if the security exposure of a non-expiring token in a readable API object is acceptable to you. For more information, see _Creating a service account token secret_.
+When the integrated {product-registry} is disabled on a cluster that previously had it enabled, the previously generated image pull secrets are deleted automatically.
diff --git a/modules/service-accounts-default.adoc b/modules/service-accounts-default.adoc
index a452f5416f6d..4bddcef57641 100644
--- a/modules/service-accounts-default.adoc
+++ b/modules/service-accounts-default.adoc
@@ -60,6 +60,11 @@ Three service accounts are automatically created in each project:
 pushing images to any imagestream in the project using the internal Docker
 registry.
 
+[NOTE]
+====
+The `builder` service account is not created if the `Build` cluster capability is not enabled.
+====
+
 |`deployer`
 |Used by deployment pods and given the `system:deployer` role, which allows
 viewing and modifying replication controllers and pods in the project.
diff --git a/modules/set-the-default-max-container-root-partition-size-for-overlay-with-crio.adoc b/modules/set-the-default-max-container-root-partition-size-for-overlay-with-crio.adoc
index 8005ca9f95fa..d33a53ca5319 100644
--- a/modules/set-the-default-max-container-root-partition-size-for-overlay-with-crio.adoc
+++ b/modules/set-the-default-max-container-root-partition-size-for-overlay-with-crio.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// post_installation_configuration/machine-configuration-tasks.adoc
+// machine_configuration/machine-configs-custom.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="set-the-default-max-container-root-partition-size-for-overlay-with-crio_{context}"]
diff --git a/modules/setting-higher-pid-limit-on-existing-cluster.adoc b/modules/setting-higher-pid-limit-on-existing-cluster.adoc
index 9104c9b1ca33..39e6b4b0d11a 100644
--- a/modules/setting-higher-pid-limit-on-existing-cluster.adoc
+++ b/modules/setting-higher-pid-limit-on-existing-cluster.adoc
@@ -4,9 +4,9 @@
 
 :_mod-docs-content-type: PROCEDURE
 [id="setting-higher-pid-limit-on-existing-cluster_{context}"]
-= Setting a higher PID limit on an existing {product-title} cluster
+= Setting a higher process ID limit on an existing {product-title} cluster
 
-You can set a higher `podPidsLimit` on an existing {product-title} cluster by creating or editing a `KubeletConfig` object that changes the `--pod-pids-limit` parameter.
+You can set a higher `podPidsLimit` on an existing {product-title} (ROSA) cluster by creating or editing a `KubeletConfig` object that changes the `--pod-pids-limit` parameter.
 
 [IMPORTANT]
 ====
@@ -15,17 +15,12 @@ Changing the `podPidsLimit` on an existing cluster will trigger non-control plan
 
 .Prerequisites
 
-* You have a ROSA Classic cluster.
-+
---
-:FeatureName: Configuring the maximum number of PIDs
-include::snippets/rosa-classic-support.adoc[]
---
+* You have a {product-title} cluster.
+* You have installed the ROSA CLI (`rosa`).
 * You have installed the OpenShift CLI (`oc`).
-* You have logged in to your Red Hat account by using the ROSA CLI.
+* You have logged in to your Red{nbsp}Hat account by using the ROSA CLI.
 
 .Procedure
-
 . Create or edit the `KubeletConfig` object to change the PID limit.
 +
 --
@@ -33,21 +28,22 @@ include::snippets/rosa-classic-support.adoc[]
 +
 [source,terminal]
 ----
-$ rosa create kubeletconfig -c <cluster_name> --pod-pids-limit=<value>
+$ rosa create kubeletconfig -c <cluster_name> --name <kubeletconfig_name> --pod-pids-limit=<value>
 ----
 +
+NOTE: The `--name` parameter is optional on ROSA Classic clusters, because only one `KubeletConfig` object is supported per ROSA Classic cluster.
++
 For example, the following command sets a maximum of 16,384 PIDs per pod for cluster `my-cluster`:
 +
 [source,terminal]
 ----
-$ rosa create kubeletconfig -c my-cluster --pod-pids-limit=16384
+$ rosa create kubeletconfig -c my-cluster --name set-high-pids --pod-pids-limit=16384
 ----
-
 ** If you previously created a `KubeletConfig` object, edit the existing `KubeletConfig` object and set the `--pod-pids-limit` value by running the following command:
 +
 [source,terminal]
 ----
-$ rosa edit kubeletconfig -c <cluster_name> --pod-pids-limit=<value>
+$ rosa edit kubeletconfig -c <cluster_name> --name <kubeletconfig_name> --pod-pids-limit=<value>
 ----
 --
 +
@@ -85,4 +81,4 @@ The new PIDs limit appears in the output, as shown in the following example:
 [source,terminal]
 ----
 Pod Pids Limit:                       16384
-----
+----
\ No newline at end of file
diff --git a/modules/setting-higher-pid-limit-on-machinepool.adoc b/modules/setting-higher-pid-limit-on-machinepool.adoc
new file mode 100644
index 000000000000..e96bd88fe394
--- /dev/null
+++ b/modules/setting-higher-pid-limit-on-machinepool.adoc
@@ -0,0 +1,84 @@
+// Module included in the following assemblies:
+//
+// * rosa_cluster_admin/rosa-configuring-pid-limits.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="setting-higher-pid-limit-on-machine-pool_{context}"]
+= Setting a higher process ID limit on a machine pool in a {product-title} cluster
+
+You can set a higher `podPidsLimit` for machine pools in an existing {product-title} (ROSA) cluster by creating or editing a `KubeletConfig` object that changes the `--pod-pids-limit` parameter.
+
+[IMPORTANT]
+====
+Changing the `podPidsLimit` on an existing machine pool triggers nodes in the machine pool to reboot one at a time. Make this change outside of peak usage hours for workloads in your machine pool and avoid upgrading or hibernating your cluster until all nodes have rebooted.
+====
+
+.Prerequisites
+
+* You have a {product-title} cluster.
+* You have installed the ROSA CLI (`rosa`).
+* You have logged in to your Red Hat account by using the ROSA CLI.
+
+.Procedure
+
+. Create a new `KubeletConfig` object for your cluster that specifies a new `--pod-pids-limit`:
++
+[source,terminal]
+----
+$ rosa create kubeletconfig -c <cluster_name> --name=<kubeletconfig_name>  --pod-pids-limit=<value>
+----
++
+For example, the following command creates a `set-high-pids` `KubeletConfig` object for the `my-cluster` cluster that sets a maximum of 16,384 PIDs per pod:
++
+[source,terminal]
+----
+$ rosa create kubeletconfig -c my-cluster --name=set-high-pids --pod-pids-limit=16384
+----
+
+. Associate the new `KubeletConfig` object with a new or existing machine pool.
++
+--
+** For a new machine pool:
++
+[source,terminal]
+----
+$ rosa create machinepool -c <cluster_name> --kubelet-configs=<kubeletconfig_name> --name <machinepool_name>
+----
+** For an existing machine pool:
++
+[source,terminal]
+----
+$ rosa edit machinepool -c <cluster_name> --kubelet-configs=<kubeletconfig_name> --name <machinepool_name>
+----
+--
++
+For example, the following command associates the `set-high-pids` `KubeletConfig` object with the `high-pid-pool` machine pool in the `my-cluster` cluster:
++
+[source,terminal]
+----
+$ rosa edit machinepool -c my-cluster --kubelet-configs=set-high-pids --name=high-pid-pool
+----
++
+A rolling reboot of worker nodes is triggered when a new `KubeletConfig` object is attached to an existing machine pool. You can check the progress of the rollout in the machine pool description:
++
+[source,terminal]
+----
+$ rosa describe machinepool --cluster <cluster_name> --name <machinepool_name>
+----
+
+.Verification
+
+* Confirm that the new setting is in place on nodes in the machine pool:
++
+[source,terminal]
+----
+$ rosa describe kubeletconfig --cluster=<cluster_name> --name <kubeletconfig_name>
+----
++
+The new PIDs limit appears in the output, as shown in the following example:
++
+.Example output
+[source,terminal]
+----
+Pod Pids Limit:                       16384
+----
\ No newline at end of file
diff --git a/modules/setting-up-cpu-manager.adoc b/modules/setting-up-cpu-manager.adoc
index 6ca2f625d9dd..6acd47f53b99 100644
--- a/modules/setting-up-cpu-manager.adoc
+++ b/modules/setting-up-cpu-manager.adoc
@@ -7,23 +7,25 @@
 [id="setting_up_cpu_manager_{context}"]
 = Setting up CPU Manager
 
+To configure CPU manager, create a KubeletConfig custom resource (CR) and apply it to the desired set of nodes.
+
 .Procedure
 
-. Optional: Label a node:
+. Label a node by running the following command:
 +
 [source,terminal]
 ----
 # oc label node perf-node.example.com cpumanager=true
 ----
 
-. Edit the `MachineConfigPool` of the nodes where CPU Manager should be enabled. In this example, all workers have CPU Manager enabled:
+. To enable CPU Manager for all compute nodes, edit the CR by running the following command:
 +
 [source,terminal]
 ----
 # oc edit machineconfigpool worker
 ----
 
-. Add a label to the worker machine config pool:
+. Add the `custom-kubelet: cpumanager-enabled` label to `metadata.labels` section.
 +
 [source,yaml]
 ----
@@ -55,7 +57,7 @@ spec:
 * `static`. This policy allows containers in guaranteed pods with integer CPU requests. It also limits access to exclusive CPUs on the node. If `static`, you must use a lowercase `s`.
 <2> Optional. Specify the CPU Manager reconcile frequency. The default is `5s`.
 
-. Create the dynamic kubelet config:
+. Create the dynamic kubelet config by running the following command:
 +
 [source,terminal]
 ----
@@ -64,7 +66,7 @@ spec:
 +
 This adds the CPU Manager feature to the kubelet config and, if needed, the Machine Config Operator (MCO) reboots the node. To enable CPU Manager, a reboot is not needed.
 
-. Check for the merged kubelet config:
+. Check for the merged kubelet config by running the following command:
 +
 [source,terminal]
 ----
@@ -84,7 +86,7 @@ This adds the CPU Manager feature to the kubelet config and, if needed, the Mach
         ]
 ----
 
-. Check the worker for the updated `kubelet.conf`:
+. Check the compute node for the updated `kubelet.conf` file by running the following command:
 +
 [source,terminal]
 ----
@@ -101,6 +103,13 @@ cpuManagerReconcilePeriod: 5s   <2>
 <1> `cpuManagerPolicy` is defined when you create the `KubeletConfig` CR.
 <2> `cpuManagerReconcilePeriod` is defined when you create the `KubeletConfig` CR.
 
+. Create a project by running the following command:
++
+[source,terminal]
+----
+$ oc new-project <project_name>
+----
+
 . Create a pod that requests a core or multiple cores. Both limits and requests must have their CPU value set to a whole integer. That is the number of cores that will be dedicated to this pod:
 +
 [source,terminal]
@@ -145,7 +154,9 @@ spec:
 # oc create -f cpumanager-pod.yaml
 ----
 
-. Verify that the pod is scheduled to the node that you labeled:
+.Verification
+
+. Verify that the pod is scheduled to the node that you labeled by running the following command:
 +
 [source,terminal]
 ----
@@ -172,10 +183,40 @@ QoS Class:       Guaranteed
 Node-Selectors:  cpumanager=true
 ----
 
-. Verify that the `cgroups` are set up correctly. Get the process ID (PID) of the `pause` process:
+. Verify that a CPU has been exclusively assigned to the pod by running the following command:
 +
 [source,terminal]
 ----
+# oc describe node --selector='cpumanager=true' | grep -i cpumanager- -B2
+----
++
+.Example output
+[source,terminal]
+----
+NAMESPACE    NAME                CPU Requests  CPU Limits  Memory Requests  Memory Limits  Age
+cpuman       cpumanager-mlrrz    1 (28%)       1 (28%)     1G (13%)         1G (13%)       27m
+----
+
+. Verify that the `cgroups` are set up correctly. Get the process ID (PID) of the `pause` process by running the following commands:
++
+[source,terminal]
+----
+# oc debug node/perf-node.example.com
+----
++
+[source,terminal]
+----
+sh-4.2# systemctl status | grep -B5 pause
+----
++
+[NOTE]
+====
+If the output returns multiple pause process entries, you must identify the correct pause process.
+====
++
+.Example output
+[source,terminal]
+----
 # ├─init.scope
 │ └─1 /usr/lib/systemd/systemd --switched-root --system --deserialize 17
 └─kubepods.slice
@@ -183,15 +224,24 @@ Node-Selectors:  cpumanager=true
   │ ├─crio-b5437308f1a574c542bdf08563b865c0345c8f8c0b0a655612c.scope
   │ └─32706 /pause
 ----
+
+. Verify that pods of quality of service (QoS) tier `Guaranteed` are placed within the `kubepods.slice` subdirectory by running the following commands:
 +
-Pods of quality of service (QoS) tier `Guaranteed` are placed within the `kubepods.slice`. Pods of other QoS tiers end up in child `cgroups` of `kubepods`:
+[source,terminal]
+----
+# cd /sys/fs/cgroup/kubepods.slice/kubepods-pod69c01f8e_6b74_11e9_ac0f_0a2b62178a22.slice/crio-b5437308f1ad1a7db0574c542bdf08563b865c0345c86e9585f8c0b0a655612c.scope
+----
 +
 [source,terminal]
 ----
-# cd /sys/fs/cgroup/cpuset/kubepods.slice/kubepods-pod69c01f8e_6b74_11e9_ac0f_0a2b62178a22.slice/crio-b5437308f1ad1a7db0574c542bdf08563b865c0345c86e9585f8c0b0a655612c.scope
-# for i in `ls cpuset.cpus tasks` ; do echo -n "$i "; cat $i ; done
+# for i in `ls cpuset.cpus cgroup.procs` ; do echo -n "$i "; cat $i ; done
 ----
 +
+[NOTE]
+====
+Pods of other QoS tiers end up in child `cgroups` of the parent `kubepods`.
+====
++
 .Example output
 [source,terminal]
 ----
@@ -199,7 +249,7 @@ cpuset.cpus 1
 tasks 32706
 ----
 
-. Check the allowed CPU list for the task:
+. Check the allowed CPU list for the task by running the following command:
 +
 [source,terminal]
 ----
@@ -212,12 +262,15 @@ tasks 32706
  Cpus_allowed_list:    1
 ----
 
-. Verify that another pod (in this case, the pod in the `burstable` QoS tier) on the system cannot run on the core allocated for the `Guaranteed` pod:
+. Verify that another pod on the system cannot run on the core allocated for the `Guaranteed` pod. For example, to verify the pod in the `besteffort` QoS tier, run the following commands:
++
+[source,terminal]
+----
+# cat /sys/fs/cgroup/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-podc494a073_6b77_11e9_98c0_06bba5c387ea.slice/crio-c56982f57b75a2420947f0afc6cafe7534c5734efc34157525fa9abbf99e3849.scope/cpuset.cpus
+----
 +
 [source,terminal]
 ----
-# cat /sys/fs/cgroup/cpuset/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-podc494a073_6b77_11e9_98c0_06bba5c387ea.slice/crio-c56982f57b75a2420947f0afc6cafe7534c5734efc34157525fa9abbf99e3849.scope/cpuset.cpus
-0
 # oc describe node perf-node.example.com
 ----
 +
diff --git a/modules/sriov-operator-hosted-control-planes.adoc b/modules/sriov-operator-hosted-control-planes.adoc
index 9044ff117063..66065aeae9c5 100644
--- a/modules/sriov-operator-hosted-control-planes.adoc
+++ b/modules/sriov-operator-hosted-control-planes.adoc
@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 // * networking/hardware_networks/configuring-sriov-operator.adoc
-// * hosted-control-planes/hcp-managing.adoc
+// * hosted-control-planes/hcp-machine-config.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="sriov-operator-hosted-control-planes_{context}"]
diff --git a/modules/ssh-agent-using.adoc b/modules/ssh-agent-using.adoc
index a255c0b4860d..85ed59ec033a 100644
--- a/modules/ssh-agent-using.adoc
+++ b/modules/ssh-agent-using.adoc
@@ -1,7 +1,5 @@
 // Module included in the following assemblies:
 //
-// * installing/installing_alibaba/installing-alibaba-network-customizations.adoc
-// * installing/installing_alibaba/installing-alibaba-vpc.adoc
 // * installing/installing_aws/installing-aws-user-infra.adoc
 // * installing/installing_aws/installing-aws-china.adoc
 // * installing/installing_aws/installing-aws-customizations.adoc
diff --git a/modules/storage-persistent-storage-block-volume.adoc b/modules/storage-persistent-storage-block-volume.adoc
index fd6e13632646..29e59821cd76 100644
--- a/modules/storage-persistent-storage-block-volume.adoc
+++ b/modules/storage-persistent-storage-block-volume.adoc
@@ -48,6 +48,7 @@ endif::openshift-dedicated,openshift-rosa[]
 ifndef::openshift-dedicated,openshift-rosa[]
 |NFS | | |
 |{rh-storage-first} | ✅ | ✅ | ✅
+|CIFS/SMB  |  ✅ |  ✅ |  ✅
 |VMware vSphere  | ✅ | ✅ | ✅
 endif::openshift-dedicated,openshift-rosa[]
 |===
diff --git a/modules/storage-persistent-storage-pv.adoc b/modules/storage-persistent-storage-pv.adoc
index cd8cb92fad3f..769fbe3e6512 100644
--- a/modules/storage-persistent-storage-pv.adoc
+++ b/modules/storage-persistent-storage-pv.adoc
@@ -73,6 +73,7 @@ ifdef::openshift-enterprise,openshift-webscale,openshift-origin,openshift-aro[]
 - {rh-storage-first}
 endif::openshift-enterprise,openshift-webscale,openshift-origin,openshift-aro[]
 ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]
+- CIFS/SMB
 - VMware vSphere
 // - Local
 endif::openshift-enterprise,openshift-webscale,openshift-origin[]
@@ -136,59 +137,58 @@ ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]
 endif::[]
 |===
 --
-1. ReadWriteOncePod access mode for persistent volumes is a Technology Preview feature.
+1. RWOP uses the SELinux mount feature. This feature is driver dependent, and enabled by default in ODF, AWS EBS, Azure Disk, GCP PD, IBM VPC Block, Cinder, and vSphere. For third-party drivers, please contact your storage vendor.
 --
-:FeatureName: ReadWriteOncePod access mode for persistent volumes
-include::snippets/technology-preview.adoc[leveloffset=+1]
 endif::microshift[]
 
 ifndef::microshift[]
 .Supported access modes for persistent volumes
 [cols=",^v,^v,^v,^v", width="100%",options="header"]
 |===
-|Volume plugin  |ReadWriteOnce ^[1]^ | ReadWriteOncePod ^[2]^ |ReadOnlyMany|ReadWriteMany
-|AWS EBS ^[3]^ | ✅ | ✅ | - |  -
+|Volume plugin  |ReadWriteOnce ^[1]^ | ReadWriteOncePod |ReadOnlyMany|ReadWriteMany
+|AWS EBS ^[2]^ | ✅ | ✅ |  |  
 |AWS EFS | ✅ | ✅ | ✅ | ✅
 ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]
 |Azure File | ✅ |✅ | ✅ | ✅
-|Azure Disk | ✅ | ✅ | - | -
-//|Ceph RBD  | ✅ | ✅ |✅ |  -
+|Azure Disk | ✅ | ✅ |   |  
+//|Ceph RBD  | ✅ | ✅ |✅ |   
 //|CephFS  | ✅ | ✅ | ✅ |  ✅
-|Cinder  | ✅ | ✅ |- |  -
-|Fibre Channel  | ✅ | ✅ |✅ |  ✅ ^[4]^
+|CIFS/SMB | ✅ | ✅ | ✅ | ✅
+|Cinder  | ✅ | ✅ | |  
+|Fibre Channel  | ✅ | ✅ |✅ |  ✅ ^[3]^
 endif::[]
 ifndef::openshift-rosa[]
-|GCP Persistent Disk  | ✅ |✅ | - |  -
+|GCP Persistent Disk  | ✅ |✅ |   |   
 |GCP Filestore | ✅ | ✅ |✅ | ✅
 endif::openshift-rosa[]
 ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]
 //|GlusterFS  | ✅ |✅ | ✅ | ✅
-|HostPath  | ✅ |✅ | - |  -
+|HostPath  | ✅ |✅ |   |   
 |{ibm-power-server-title}  Disk | ✅ |✅  | ✅ |  ✅
-|{ibm-name} VPC Disk | ✅ |✅ | - |  -
-|iSCSI  | ✅ | ✅ |✅ |  ✅ ^[4]^
-|Local volume | ✅ |✅ | - |  -
+|{ibm-name} VPC Disk | ✅ |✅ |  |  
+|iSCSI  | ✅ | ✅ |✅ |  ✅ ^[3]^
+|Local volume | ✅ |✅ |  |  
 endif::[]
-|LVM Storage | ✅ | ✅ | - | -
+|LVM Storage | ✅ | ✅ |   |  
 ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]
 |NFS  | ✅ | ✅ |✅ | ✅
-|OpenStack Manila  | - |✅ | - | ✅
-|{rh-storage-first}  | ✅ |✅ | - | ✅
-|VMware vSphere | ✅ |✅ | - |  ✅ ^[5]^
+|OpenStack Manila  |  |✅ |  | ✅
+|{rh-storage-first}  | ✅ |✅ |  | ✅
+|VMware vSphere | ✅ |✅ |  |  ✅ ^[4]^
+|OpenStack Manila  |   |✅ |   | ✅
+|{rh-storage-first}  | ✅ |✅ |   | ✅
 endif::[]
 |===
 [.small]
 --
 1. ReadWriteOnce (RWO) volumes cannot be mounted on multiple nodes. If a node fails, the system does not allow the attached RWO volume to be mounted on a new node because it is already assigned to the failed node. If you encounter a multi-attach error message as a result, force delete the pod on a shutdown or crashed node to avoid data loss in critical workloads, such as when dynamic persistent volumes are attached.
 
-2. ReadWriteOncePod is a Technology Preview feature.
+2. Use a recreate deployment strategy for pods that rely on AWS EBS.
 
-3. Use a recreate deployment strategy for pods that rely on AWS EBS.
-
-4. Only raw block volumes support the ReadWriteMany (RWX) access mode for Fibre Channel and iSCSI. For more information, see "Block volume support".
+3. Only raw block volumes support the ReadWriteMany (RWX) access mode for Fibre Channel and iSCSI. For more information, see "Block volume support".
 
 ifndef::openshift-dedicated,openshift-rosa[]
-5. If the underlying vSphere environment supports the vSAN file service, then the vSphere Container Storage Interface (CSI) Driver Operator installed by
+4. If the underlying vSphere environment supports the vSAN file service, then the vSphere Container Storage Interface (CSI) Driver Operator installed by
 {product-title} supports provisioning of ReadWriteMany (RWX) volumes. If you do not have vSAN file service configured, and you request RWX, the volume fails to get created and an error is logged. For more information, see "Using Container Storage Interface" -> "VMware vSphere CSI Driver Operator".
 endif::openshift-dedicated,openshift-rosa[]
 // GCE Persistent Disks, or Openstack Cinder PVs.
@@ -308,6 +308,7 @@ ifndef::openshift-dedicated,openshift-rosa[]
 - Local volume
 - NFS
 - {rh-storage-first} (Ceph RBD only)
+- CIFS/SMB 
 - VMware vSphere
 
 [NOTE]
diff --git a/modules/telco-core-power-management.adoc b/modules/telco-core-power-management.adoc
index 136b86879f1a..b0cec97db640 100644
--- a/modules/telco-core-power-management.adoc
+++ b/modules/telco-core-power-management.adoc
@@ -11,12 +11,12 @@ New in this release::
 
 Description::
 
-The link:https://docs.openshift.com/container-platform/4.15/rest_api/node_apis/performanceprofile-performance-openshift-io-v2.html#spec-workloadhints[Performance Profile] can be used to configure a cluster in a high power, low power, or mixed mode.
+The link:https://docs.openshift.com/container-platform/4.16/rest_api/node_apis/performanceprofile-performance-openshift-io-v2.html#spec-workloadhints[Performance Profile] can be used to configure a cluster in a high power, low power, or mixed mode.
 The choice of power mode depends on the characteristics of the workloads running on the cluster, particularly how sensitive they are to latency.
 Configure the maximum latency for a low-latency pod by using the per-pod power management C-states feature.
 
 +
-For more information, see link:https://docs.openshift.com/container-platform/4.15/scalability_and_performance/low_latency_tuning/cnf-tuning-low-latency-nodes-with-perf-profile.html#cnf-configuring-power-saving-for-nodes_cnf-low-latency-perf-profile[Configuring power saving for nodes].
+For more information, see link:https://docs.openshift.com/container-platform/4.16/scalability_and_performance/low_latency_tuning/cnf-tuning-low-latency-nodes-with-perf-profile.html#cnf-configuring-power-saving-for-nodes_cnf-low-latency-perf-profile[Configuring power saving for nodes].
 
 Limits and requirements::
 * Power configuration relies on appropriate BIOS configuration, for example, enabling C-states and P-states. Configuration varies between hardware vendors.
diff --git a/modules/telco-core-scheduling.adoc b/modules/telco-core-scheduling.adoc
index 156e23c11676..ecaef99dfee3 100644
--- a/modules/telco-core-scheduling.adoc
+++ b/modules/telco-core-scheduling.adoc
@@ -12,12 +12,12 @@ New in this release::
 Description::
 * The scheduler is a cluster-wide component responsible for selecting the right node for a given workload. It is a core part of the platform and does not require any specific configuration in the common deployment scenarios. However, there are few specific use cases described in the following section.
 NUMA-aware scheduling can be enabled through the NUMA Resources Operator.
-For more information, see link:https://docs.openshift.com/container-platform/4.15/scalability_and_performance/cnf-numa-aware-scheduling.html[Scheduling NUMA-aware workloads].
+For more information, see link:https://docs.openshift.com/container-platform/4.16/scalability_and_performance/cnf-numa-aware-scheduling.html[Scheduling NUMA-aware workloads].
 
 Limits and requirements::
-* The default scheduler does not understand the NUMA locality of workloads. It only knows about the sum of all free resources on a worker node. This might cause workloads to be rejected when scheduled to a node with https://docs.openshift.com/container-platform/4.15/scalability_and_performance/using-cpu-manager.html#topology_manager_policies_using-cpu-manager-and-topology_manager[Topology manager policy] set to `single-numa-node` or `restricted`.
+* The default scheduler does not understand the NUMA locality of workloads. It only knows about the sum of all free resources on a worker node. This might cause workloads to be rejected when scheduled to a node with https://docs.openshift.com/container-platform/4.16/scalability_and_performance/using-cpu-manager.html#topology_manager_policies_using-cpu-manager-and-topology_manager[Topology manager policy] set to `single-numa-node` or `restricted`.
 ** For example, consider a pod requesting 6 CPUs and being scheduled to an empty node that has 4 CPUs per NUMA node. The total allocatable capacity of the node is 8 CPUs and the scheduler will place the pod there. The node local admission will fail, however, as there are only 4 CPUs available in each of the NUMA nodes.
-** All clusters with multi-NUMA nodes are required to use the https://docs.openshift.com/container-platform/4.15/scalability_and_performance/cnf-numa-aware-scheduling.html#installing-the-numa-resources-operator_numa-aware[NUMA Resources Operator]. The `machineConfigPoolSelector` of the NUMA Resources Operator must select all nodes where NUMA aligned scheduling is needed.
+** All clusters with multi-NUMA nodes are required to use the https://docs.openshift.com/container-platform/4.16/scalability_and_performance/cnf-numa-aware-scheduling.html#installing-the-numa-resources-operator_numa-aware[NUMA Resources Operator]. The `machineConfigPoolSelector` of the NUMA Resources Operator must select all nodes where NUMA aligned scheduling is needed.
 * All machine config pools must have consistent hardware configuration for example all nodes are expected to have the same NUMA zone count.
 
 Engineering considerations::
diff --git a/modules/telco-core-sriov.adoc b/modules/telco-core-sriov.adoc
index c3c78e53e01a..aed4f1f68fcf 100644
--- a/modules/telco-core-sriov.adoc
+++ b/modules/telco-core-sriov.adoc
@@ -25,7 +25,7 @@ SR-IOV enables physical network interfaces (PFs) to be divided into multiple vir
 
 Limits and requirements::
 
-* The network interface controllers supported are listed in link:https://docs.openshift.com/container-platform/4.15/networking/hardware_networks/about-sriov.html#supported-devices_about-sriov[Supported devices]
+* The network interface controllers supported are listed in link:https://docs.openshift.com/container-platform/4.16/networking/hardware_networks/about-sriov.html#supported-devices_about-sriov[Supported devices]
 * SR-IOV and IOMMU enablement in BIOS: The SR-IOV Network Operator automatically enables IOMMU on the kernel command line.
 * SR-IOV VFs do not receive link state updates from PF. If link down detection is needed, it must be done at the protocol level.
 * `MultiNetworkPolicy` CRs can be applied to `netdevice` networks only.
diff --git a/modules/telco-core-whats-new-ref-design.adoc b/modules/telco-core-whats-new-ref-design.adoc
index 234786f3ed28..87de86548f69 100644
--- a/modules/telco-core-whats-new-ref-design.adoc
+++ b/modules/telco-core-whats-new-ref-design.adoc
@@ -17,5 +17,5 @@ The following features that are included in {product-title} {product-version} an
 //CNF-5528
 |Multi-network policy support for IPv6 Networks
 |You can now create multi-network policies for IPv6 networks.
-For more information, see link:https://docs.openshift.com/container-platform/4.15/networking/multiple_networks/configuring-multi-network-policy.html#nw-multi-network-policy-ipv6-support_configuring-multi-network-policy[Supporting multi-network policies in IPv6 networks].
+For more information, see link:https://docs.openshift.com/container-platform/4.16/networking/multiple_networks/configuring-multi-network-policy.html#nw-multi-network-policy-ipv6-support_configuring-multi-network-policy[Supporting multi-network policies in IPv6 networks].
 |====
diff --git a/modules/telco-ran-bios-tuning.adoc b/modules/telco-ran-bios-tuning.adoc
index 3d6209522ed3..f85f86780e3a 100644
--- a/modules/telco-ran-bios-tuning.adoc
+++ b/modules/telco-ran-bios-tuning.adoc
@@ -11,7 +11,7 @@ New in this release::
 
 Description::
 Configure system level performance.
-See link:https://docs.openshift.com/container-platform/4.15/scalability_and_performance/ztp_far_edge/ztp-reference-cluster-configuration-for-vdu.html#ztp-du-configuring-host-firmware-requirements_sno-configure-for-vdu[Configuring host firmware for low latency and high performance] for recommended settings.
+See link:https://docs.openshift.com/container-platform/4.16/scalability_and_performance/ztp_far_edge/ztp-reference-cluster-configuration-for-vdu.html#ztp-du-configuring-host-firmware-requirements_sno-configure-for-vdu[Configuring host firmware for low latency and high performance] for recommended settings.
 +
 If Ironic inspection is enabled, the firmware setting values are available from the per-cluster `BareMetalHost` CR on the hub cluster.
 You enable Ironic inspection with a label in the `spec.clusters.nodes` field in the `SiteConfig` CR that you use to install the cluster.
diff --git a/modules/telco-ran-node-tuning-operator.adoc b/modules/telco-ran-node-tuning-operator.adoc
index 9dae6ee2912f..447446de377a 100644
--- a/modules/telco-ran-node-tuning-operator.adoc
+++ b/modules/telco-ran-node-tuning-operator.adoc
@@ -10,7 +10,7 @@ New in this release::
 * No reference design updates in this release
 
 Description::
-You tune the cluster performance by link:https://docs.openshift.com/container-platform/4.15/scalability_and_performance/cnf-create-performance-profiles.html[creating a performance profile].
+You tune the cluster performance by link:https://docs.openshift.com/container-platform/4.16/scalability_and_performance/cnf-create-performance-profiles.html[creating a performance profile].
 Settings that you configure with a performance profile include:
 +
 * Selecting the realtime or non-realtime kernel.
@@ -64,13 +64,13 @@ Variation must still meet the specified limits.
 
 * Hardware without IRQ affinity support impacts isolated CPUs.
 To ensure that pods with guaranteed whole CPU QoS have full use of the allocated CPU, all hardware in the server must support IRQ affinity.
-For more information, see link:https://docs.openshift.com/container-platform/4.15/scalability_and_performance/cnf-low-latency-tuning.html#about_irq_affinity_setting_cnf-master[About support of IRQ affinity setting].
+For more information, see link:https://docs.openshift.com/container-platform/4.16/scalability_and_performance/cnf-low-latency-tuning.html#about_irq_affinity_setting_cnf-master[About support of IRQ affinity setting].
 
 [NOTE]
 ====
 In {product-title} {product-version}, any `PerformanceProfile` CR configured on the cluster causes the Node Tuning Operator to automatically set all cluster nodes to use cgroup v1.
 
-For more information about cgroups, see link:https://docs.openshift.com/container-platform/4.15/nodes/clusters/nodes-cluster-cgroups-2.html#nodes-clusters-cgroups-2_nodes-cluster-cgroups-2[Configuring Linux cgroup].
+For more information about cgroups, see link:https://docs.openshift.com/container-platform/4.16/nodes/clusters/nodes-cluster-cgroups-2.html#nodes-clusters-cgroups-2_nodes-cluster-cgroups-2[Configuring Linux cgroup].
 ====
 
 :FeatureName: cgroup v1
diff --git a/modules/telco-ran-ptp-operator.adoc b/modules/telco-ran-ptp-operator.adoc
index 8fc21ed321f1..14f8b1dbf230 100644
--- a/modules/telco-ran-ptp-operator.adoc
+++ b/modules/telco-ran-ptp-operator.adoc
@@ -10,7 +10,7 @@ New in this release::
 * No reference design updates in this release
 
 Description::
-See link:https://docs.openshift.com/container-platform/4.15/scalability_and_performance/ztp_far_edge/ztp-reference-cluster-configuration-for-vdu.html#ztp-sno-du-configuring-ptp_sno-configure-for-vdu[PTP timing] for details of support and configuration of PTP in cluster nodes.
+See link:https://docs.openshift.com/container-platform/4.16/scalability_and_performance/ztp_far_edge/ztp-reference-cluster-configuration-for-vdu.html#ztp-sno-du-configuring-ptp_sno-configure-for-vdu[PTP timing] for details of support and configuration of PTP in cluster nodes.
 The DU node can run in the following modes:
 +
 * As an ordinary clock (OC) synced to a grandmaster clock or boundary clock (T-BC)
@@ -28,7 +28,7 @@ Highly available boundary clocks are not supported.
 
 +
 --
-Events and metrics for grandmaster clocks are a Tech Preview feature added in the 4.14 {rds} RDS. For more information see link:https://docs.openshift.com/container-platform/4.15/networking/ptp/using-ptp-events.html[Using the PTP hardware fast event notifications framework].
+Events and metrics for grandmaster clocks are a Tech Preview feature added in the 4.14 {rds} RDS. For more information see link:https://docs.openshift.com/container-platform/4.16/networking/ptp/using-ptp-events.html[Using the PTP hardware fast event notifications framework].
 
 You can subscribe applications to PTP events that happen on the node where the DU application is running.
 --
diff --git a/modules/telco-ran-red-hat-advanced-cluster-management-rhacm.adoc b/modules/telco-ran-red-hat-advanced-cluster-management-rhacm.adoc
index 1deeb5af4ffb..5ba7c6b1b09b 100644
--- a/modules/telco-ran-red-hat-advanced-cluster-management-rhacm.adoc
+++ b/modules/telco-ran-red-hat-advanced-cluster-management-rhacm.adoc
@@ -31,4 +31,4 @@ You can significantly reduce the number of policies by using a single group poli
 These configurations should be managed using {rh-rhacm} policy hub-side templating with values pulled from `ConfigMap` CRs based on the cluster name.
 
 * To save CPU resources on managed clusters, policies that apply static configurations should be unbound from managed clusters after {ztp} installation of the cluster.
-For more information, see link:https://docs.openshift.com/container-platform/4.15/storage/understanding-persistent-storage.html#releasing_understanding-persistent-storage[Release a persistent volume].
+For more information, see link:https://docs.openshift.com/container-platform/4.16/storage/understanding-persistent-storage.html#releasing_understanding-persistent-storage[Release a persistent volume].
diff --git a/modules/telemetry-showing-data-collected-from-the-cluster.adoc b/modules/telemetry-showing-data-collected-from-the-cluster.adoc
index 49601b57711d..749e5581f9c9 100644
--- a/modules/telemetry-showing-data-collected-from-the-cluster.adoc
+++ b/modules/telemetry-showing-data-collected-from-the-cluster.adoc
@@ -183,5 +183,6 @@ openshift-monitoring -o jsonpath="{.spec.host}")/federate \
 --data-urlencode 'match[]={__name__="namespace:noobaa_usage:max"}' \
 --data-urlencode 'match[]={__name__="namespace:noobaa_system_health_status:max"}' \
 --data-urlencode 'match[]={__name__="ocs_advanced_feature_usage"}' \
---data-urlencode 'match[]={__name__="os_image_url_override:sum"}'
+--data-urlencode 'match[]={__name__="os_image_url_override:sum"}' \
+--data-urlencode 'match[]={__name__="openshift:openshift_network_operator_ipsec_state:info"}'
 ----
diff --git a/modules/unauthenticated-users-cluster-role-binding-con.adoc b/modules/unauthenticated-users-cluster-role-binding-con.adoc
new file mode 100644
index 000000000000..bfbd6cc4a95a
--- /dev/null
+++ b/modules/unauthenticated-users-cluster-role-binding-con.adoc
@@ -0,0 +1,29 @@
+// Module included in the following assemblies:
+//
+// * authentication/using-rbac.adoc
+// * post_installation_configuration/preparing-for-users.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="unauthenticated-users-cluster-role-bindings-concept_{context}"]
+= Cluster role bindings for unauthenticated groups
+
+[NOTE]
+====
+Before {product-title} 4.16, unauthenticated groups were allowed access to some cluster roles. Clusters updated from versions before {product-title} 4.16 retain this access for unauthenticated groups.
+====
+
+For security reasons {product-title} {product-version} does not allow unauthenticated groups to have default access to cluster roles.
+
+There are use cases where it might be necessary to add `system:unauthenticated` to a cluster role.
+
+Cluster administrators can add unauthenticated users to the following cluster roles:
+
+* `system:scope-impersonation`
+* `system:webhook`
+* `system:oauth-token-deleter`
+* `self-access-reviewer`
+
+[IMPORTANT]
+====
+Always verify compliance with your organization's security standards when modifying unauthenticated access.
+====
\ No newline at end of file
diff --git a/modules/unauthenticated-users-cluster-role-binding.adoc b/modules/unauthenticated-users-cluster-role-binding.adoc
new file mode 100644
index 000000000000..e93a8271327f
--- /dev/null
+++ b/modules/unauthenticated-users-cluster-role-binding.adoc
@@ -0,0 +1,57 @@
+// Module included in the following assemblies:
+//
+// * authentication/impersonating-system-admin.adoc
+// * authentication/tokens-scoping.adoc
+// * authentication/managing-oauth-access-tokens.adoc
+// * post_installation_configuration/preparing-for-users.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="unauthenticated-users-cluster-role-bindings_{context}"]
+= Adding unauthenticated groups to cluster roles
+
+As a cluster administrator, you can add unauthenticated users to the following cluster roles in {product-title} by creating a cluster role binding. Unauthenticated users do not have access to non-public cluster roles. This should only be done in specific use cases when necessary.
+
+You can add unauthenticated users to the following cluster roles:
+
+* `system:scope-impersonation`
+* `system:webhook`
+* `system:oauth-token-deleter`
+* `self-access-reviewer`
+
+[IMPORTANT]
+====
+Always verify compliance with your organization's security standards when modifying unauthenticated access.
+====
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+* You have installed the OpenShift CLI (`oc`).
+
+.Procedure
+
+. Create a YAML file named `add-<cluster_role>-unauth.yaml` and add the following content:
++
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+   rbac.authorization.kubernetes.io/autoupdate: "true"
+ name: <cluster_role>access-unauthenticated
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: <cluster_role>
+subjects:
+ - apiGroup: rbac.authorization.k8s.io
+   kind: Group
+   name: system:unauthenticated
+----
+. Apply the configuration by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f add-<cluster_role>.yaml
+----
\ No newline at end of file
diff --git a/modules/unauthenticated-users-system-webhook.adoc b/modules/unauthenticated-users-system-webhook.adoc
new file mode 100644
index 000000000000..ced68af2483e
--- /dev/null
+++ b/modules/unauthenticated-users-system-webhook.adoc
@@ -0,0 +1,54 @@
+// Module included in the following assemblies:
+//
+// * cicd/builds/triggering-builds-build-hooks.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="unauthenticated-users-system-webhook_{context}"]
+= Adding unauthenticated users to the system:webhook role binding
+
+As a cluster administrator, you can add unauthenticated users to the `system:webhook` role binding in {product-title} for specific namespaces. The `system:webhook` role binding allows users to trigger builds from external systems that do not use an {product-title} authentication mechanism. Unauthenticated users do not have access to non-public role bindings by default. This is a change from {product-title} versions before 4.16.
+
+Adding unauthenticated users to the `system:webhook` role binding is required to successfully trigger builds from GitHub, GitLab, and Bitbucket.
+
+If it is necessary to allow unauthenticated users access to a cluster, you can do so by adding unauthenticated users to the `system:webhook` role binding in each required namespace. This method is more secure than adding unauthenticated users to the `system:webhook` cluster role binding. However, if you have a large number of namespaces, it is possible to add unauthenticated users to the `system:webhook` cluster role binding which would apply the change to all namespaces.
+
+[IMPORTANT]
+====
+Always verify compliance with your organization's security standards when modifying unauthenticated access.
+====
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+* You have installed the OpenShift CLI (`oc`).
+
+.Procedure
+
+. Create a YAML file named `add-webhooks-unauth.yaml` and add the following content:
++
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  name: webhook-access-unauthenticated
+  namespace: <namespace> <1>
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: "system:webhook"
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: "system:unauthenticated"
+----
+<1> The namespace of your `BuildConfig`.
+
+. Apply the configuration by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f add-webhooks-unauth.yaml
+----
\ No newline at end of file
diff --git a/modules/understanding-agent-install.adoc b/modules/understanding-agent-install.adoc
index b770bfa4b199..11fc55f9a1fc 100644
--- a/modules/understanding-agent-install.adoc
+++ b/modules/understanding-agent-install.adoc
@@ -9,11 +9,6 @@ As an {product-title} user, you can leverage the advantages of the Assisted Inst
 
 The Agent-based installation comprises a bootable ISO that contains the Assisted discovery agent and the Assisted Service. Both are required to perform the cluster installation, but the latter runs on only one of the hosts.
 
-[NOTE]
-====
-Currently, ISO boot is not supported on {ibm-z-name} (`s390x`) architecture. The recommended method is by using PXE assets, which requires specifying additional kernel arguments.
-====
-
 The `openshift-install agent create image` subcommand generates an ephemeral ISO based on the inputs that you provide. You can choose to provide inputs through the following manifests:
 
 Preferred:
@@ -21,8 +16,6 @@ Preferred:
 * `install-config.yaml`
 * `agent-config.yaml`
 
-or
-
 Optional: ZTP manifests
 
 * `cluster-manifests/cluster-deployment.yaml`
diff --git a/modules/understanding-machine-config-operator.adoc b/modules/understanding-machine-config-operator.adoc
index 1eade1d53c41..a7305fbc16b2 100644
--- a/modules/understanding-machine-config-operator.adoc
+++ b/modules/understanding-machine-config-operator.adoc
@@ -44,7 +44,9 @@ When you perform node management operations, you create or modify a
 ====
 When changes are made to a machine configuration, the Machine Config Operator (MCO) automatically reboots all corresponding nodes in order for the changes to take effect.
 
-To prevent the nodes from automatically rebooting after machine configuration changes, before making the changes, you must pause the autoreboot process by setting the `spec.paused` field to `true` in the corresponding machine config pool. When paused, machine configuration changes are not applied until you set the `spec.paused` field to `false` and the nodes have rebooted into the new configuration.
+You can mitigate the disruption caused by some machine config changes by using a node disruption policy. See _Understanding node restart behaviors after machine config changes_.
+
+Alternatively, you can prevent the nodes from automatically rebooting after machine configuration changes before making the changes. Pause the autoreboot process by setting the `spec.paused` field to `true` in the corresponding machine config pool. When paused, machine configuration changes are not applied until you set the `spec.paused` field to `false` and the nodes have rebooted into the new configuration.
 
 include::snippets/node-icsp-no-drain.adoc[]
 ====
diff --git a/modules/understanding-update-channels.adoc b/modules/understanding-update-channels.adoc
index 0e0b1ddcc78d..f8617017b3af 100644
--- a/modules/understanding-update-channels.adoc
+++ b/modules/understanding-update-channels.adoc
@@ -75,7 +75,7 @@ Red Hat monitors newly released versions and update paths associated with those
 
 If Red Hat removes update recommendations from any supported release, a superseding update recommendation will be provided to a future version that corrects the regression. There may however be a delay while the defect is corrected, tested, and promoted to your selected channel.
 
-Beginning in {product-title} 4.10, when update risks are confirmed, they are declared as Conditional Update risks for the relevant updates. Each known risk may apply to all clusters or only clusters matching certain conditions. Some examples include having the `Platform` set to `None` or the CNI provider set to `OpenShiftSDN`. The Cluster Version Operator (CVO) continually evaluates known risks against the current cluster state. If no risks match, the update is recommended. If the risk matches, those updates are supported but not recommended, and a reference link is provided. The reference link helps the cluster admin decide if they would like to accept the risk and update anyway.
+Beginning in {product-title} 4.10, when update risks are confirmed, they are declared as Conditional Update risks for the relevant updates. Each known risk may apply to all clusters or only clusters matching certain conditions. Some examples include having the `Platform` set to `None` or the CNI provider set to `OpenShiftSDN`. The Cluster Version Operator (CVO) continually evaluates known risks against the current cluster state. If no risks match, the update is recommended. If the risk matches, those update paths are labeled as _updates with known issues_, and a reference link to the known issues is provided. The reference link helps the cluster admin decide if they want to accept the risk and continue to update their cluster.
 
 When Red Hat chooses to declare Conditional Update risks, that action is taken in all relevant channels simultaneously. Declaration of a Conditional Update risk may happen either before or after the update has been promoted to supported channels.
 
diff --git a/modules/update-availability-faq.adoc b/modules/update-availability-faq.adoc
index 62c38970ef83..5f4a138b4990 100644
--- a/modules/update-availability-faq.adoc
+++ b/modules/update-availability-faq.adoc
@@ -35,18 +35,16 @@ The primary purpose of the `eus` channel is to serve as a convenience for cluste
 * A release that is available on the `fast` channel always becomes available on the `stable` channel after this delay.
 
 [id="supported-updates_{context}"]
-*What does it mean if an update is supported but not recommended?*
+*What does it mean if an update has known issues?*
 
-* Red Hat continuously evaluates data from multiple sources to determine whether updates from one version to another lead to issues.
-If an issue is identified, an update path may no longer be recommended to users.
-However, even if the update path is not recommended, customers are still supported if they perform the update.
+* Red{nbsp}Hat continuously evaluates data from multiple sources to determine whether updates from one version to another have any declared issues. Identified issues are typically documented in the version's release notes.
+Even if the update path has known issues, customers are still supported if they perform the update.
 
 * Red Hat does not block users from updating to a certain version.
 Red Hat may declare conditional update risks, which may or may not apply to a particular cluster.
 
 ** Declared risks provide cluster administrators more context about a supported update.
 Cluster administrators can still accept the risk and update to that particular target version.
-This update is always supported despite not being recommended in the context of the conditional risk.
 
 [id="removed-recommendation_{context}"]
 *What if I see that an update to a particular release is no longer recommended?*
diff --git a/modules/update-cluster-version-object.adoc b/modules/update-cluster-version-object.adoc
index 05dc37f545fd..e2466ffb6a13 100644
--- a/modules/update-cluster-version-object.adoc
+++ b/modules/update-cluster-version-object.adoc
@@ -37,32 +37,45 @@ $ oc adm upgrade --include-not-recommended
 +
 [NOTE]
 ====
-The additional `--include-not-recommended` parameter includes updates that are available but not recommended due to a known risk that applies to the cluster.
+The additional `--include-not-recommended` parameter includes updates that are available with known issues that apply to the cluster.
 ====
 +
 .Example output
 [source,terminal]
 ----
-Cluster version is 4.10.22
+Cluster version is 4.13.40
 
 Upstream is unset, so the cluster will use an appropriate default.
-Channel: fast-4.11 (available channels: candidate-4.10, candidate-4.11, eus-4.10, fast-4.10, fast-4.11, stable-4.10)
+Channel: stable-4.14 (available channels: candidate-4.13, candidate-4.14, eus-4.14, fast-4.13, fast-4.14, stable-4.13, stable-4.14)
 
 Recommended updates:
 
   VERSION     IMAGE
-  4.10.26     quay.io/openshift-release-dev/ocp-release@sha256:e1fa1f513068082d97d78be643c369398b0e6820afab708d26acda2262940954
-  4.10.25     quay.io/openshift-release-dev/ocp-release@sha256:ed84fb3fbe026b3bbb4a2637ddd874452ac49c6ead1e15675f257e28664879cc
-  4.10.24     quay.io/openshift-release-dev/ocp-release@sha256:aab51636460b5a9757b736a29bc92ada6e6e6282e46b06e6fd483063d590d62a
-  4.10.23     quay.io/openshift-release-dev/ocp-release@sha256:e40e49d722cb36a95fa1c03002942b967ccbd7d68de10e003f0baa69abad457b
-
-Supported but not recommended updates:
-
-  Version: 4.11.0
-  Image: quay.io/openshift-release-dev/ocp-release@sha256:300bce8246cf880e792e106607925de0a404484637627edf5f517375517d54a4
-  Recommended: False
-  Reason: RPMOSTreeTimeout
-  Message: Nodes with substantial numbers of containers and CPU contention may not reconcile machine configuration https://bugzilla.redhat.com/show_bug.cgi?id=2111817#c22
+  4.14.27     quay.io/openshift-release-dev/ocp-release@sha256:4d30b359aa6600a89ed49ce6a9a5fdab54092bcb821a25480fdfbc47e66af9ec
+  4.14.26     quay.io/openshift-release-dev/ocp-release@sha256:4fe7d4ccf4d967a309f83118f1a380a656a733d7fcee1dbaf4d51752a6372890
+  4.14.25     quay.io/openshift-release-dev/ocp-release@sha256:a0ef946ef8ae75aef726af1d9bbaad278559ad8cab2c1ed1088928a0087990b6
+  4.14.24     quay.io/openshift-release-dev/ocp-release@sha256:0a34eac4b834e67f1bca94493c237e307be2c0eae7b8956d4d8ef1c0c462c7b0
+  4.14.23     quay.io/openshift-release-dev/ocp-release@sha256:f8465817382128ec7c0bc676174bad0fb43204c353e49c146ddd83a5b3d58d92
+  4.13.42     quay.io/openshift-release-dev/ocp-release@sha256:dcf5c3ad7384f8bee3c275da8f886b0bc9aea7611d166d695d0cf0fff40a0b55
+  4.13.41     quay.io/openshift-release-dev/ocp-release@sha256:dbb8aa0cf53dc5ac663514e259ad2768d8c82fd1fe7181a4cfb484e3ffdbd3ba
+
+Updates with known issues:
+
+  Version: 4.14.22
+  Image: quay.io/openshift-release-dev/ocp-release@sha256:7093fa606debe63820671cc92a1384e14d0b70058d4b4719d666571e1fc62190
+  Reason: MultipleReasons
+  Message: Exposure to AzureRegistryImageMigrationUserProvisioned is unknown due to an evaluation failure: client-side throttling: only 18.061µs has elapsed since the last match call completed for this cluster condition backend; this cached cluster condition request has been queued for later execution
+  In Azure clusters with the user-provisioned registry storage, the in-cluster image registry component may struggle to complete the cluster update. https://issues.redhat.com/browse/IR-468
+  
+  Incoming HTTP requests to services exposed by Routes may fail while routers reload their configuration, especially when made with Apache HTTPClient versions before 5.0. The problem is more likely to occur in clusters with higher number of Routes and corresponding endpoints. https://issues.redhat.com/browse/NE-1689
+
+  Version: 4.14.21
+  Image: quay.io/openshift-release-dev/ocp-release@sha256:6e3fba19a1453e61f8846c6b0ad3abf41436a3550092cbfd364ad4ce194582b7
+  Reason: MultipleReasons
+  Message: Exposure to AzureRegistryImageMigrationUserProvisioned is unknown due to an evaluation failure: client-side throttling: only 33.991µs has elapsed since the last match call completed for this cluster condition backend; this cached cluster condition request has been queued for later execution
+  In Azure clusters with the user-provisioned registry storage, the in-cluster image registry component may struggle to complete the cluster update. https://issues.redhat.com/browse/IR-468
+  
+  Incoming HTTP requests to services exposed by Routes may fail while routers reload their configuration, especially when made with Apache HTTPClient versions before 5.0. The problem is more likely to occur in clusters with higher number of Routes and corresponding endpoints. https://issues.redhat.com/browse/NE-1689
 ----
 +
 The `oc adm upgrade` command queries the `ClusterVersion` resource for information about available updates and presents it in a human-readable format.
diff --git a/modules/update-conditional-updates.adoc b/modules/update-conditional-updates.adoc
index 8ab611a15b42..f4bd01820b56 100644
--- a/modules/update-conditional-updates.adoc
+++ b/modules/update-conditional-updates.adoc
@@ -24,4 +24,4 @@ $ oc adm upgrade --include-not-recommended
 ----
 $ oc adm upgrade --allow-not-recommended --to <version> <.>
 ----
-<.> `<version>` is the supported but not recommended update version that you obtained from the output of the previous command.
+<.> `<version>` is the update version that you obtained from the output of the previous command, which is supported but also has known issues or risks.
diff --git a/modules/update-conditional-web-console.adoc b/modules/update-conditional-web-console.adoc
index af456be09487..0bc5ff781575 100644
--- a/modules/update-conditional-web-console.adoc
+++ b/modules/update-conditional-web-console.adoc
@@ -22,12 +22,11 @@ You can view and assess the risks associated with particular updates with condit
 .Procedure
 
 . From the web console, click *Administration* -> *Cluster settings* page and review the contents of the *Details* tab.
-
-. You can enable `Include supported but not recommended versions` in the `Select new version` dropdown of the *Update cluster* modal to populate the dropdown list with conditional updates.
+. You can enable the `Include versions with known issues` feature in the *Select new version* dropdown of the *Update cluster* modal to populate the dropdown list with conditional updates.
 +
 [NOTE]
 ====
-If a `Supported but not recommended` version is selected, more information is provided with potential issues with the version.
+If a version with known issues is selected, more information is provided with potential risks that are associated with the version.
 ====
 
 . Review the notification detailing the potential risks to updating.
\ No newline at end of file
diff --git a/modules/update-duration-mco.adoc b/modules/update-duration-mco.adoc
index accba1406323..69d5e5edc496 100644
--- a/modules/update-duration-mco.adoc
+++ b/modules/update-duration-mco.adoc
@@ -50,4 +50,4 @@ ip-10-0-207-224.us-east-2.compute.internal  Ready                       worker
 +
 If the status of the node is `NotReady` or `SchedulingDisabled`, then the node is not available and this impacts the update duration.
 +
-You can check the status of nodes from the *Administrator* perspective in the web console by expanding **Compute** → **Node**.
+You can check the status of nodes from the *Administrator* perspective in the web console by expanding **Compute** -> **Nodes**.
diff --git a/modules/update-evaluate-availability.adoc b/modules/update-evaluate-availability.adoc
index 276ccff75b2c..dac22ee1a41b 100644
--- a/modules/update-evaluate-availability.adoc
+++ b/modules/update-evaluate-availability.adoc
@@ -18,4 +18,4 @@ The CVO continuously evaluates its cluster characteristics against the condition
 If the CVO finds that the cluster does not match the risks of an update, or that there are no risks associated with the update, it stores the target version in the `availableUpdates` field of its `ClusterVersion` resource.
 
 The user interface, either the web console or the OpenShift CLI (`oc`), presents this information in sectioned headings to the administrator.
-Each *supported but not recommended* update recommendation contains a link to further resources about the risk so that the administrator can make an informed decision about the update.
+Each known issue associated with the update path contains a link to further resources about the risk so that the administrator can make an informed decision about the update.
diff --git a/modules/update-preparing-ack.adoc b/modules/update-preparing-ack.adoc
index aafb14da8e2a..5ae44cfef948 100644
--- a/modules/update-preparing-ack.adoc
+++ b/modules/update-preparing-ack.adoc
@@ -6,7 +6,7 @@
 [id="update-preparing-ack_{context}"]
 = Providing the administrator acknowledgment
 
-After you have evaluated your cluster for any removed APIs and have migrated any removed APIs, you can acknowledge that your cluster is ready to upgrade from {product-title} 4.14 to 4.15.
+After you have evaluated your cluster for any removed APIs and have migrated any removed APIs, you can acknowledge that your cluster is ready to upgrade from {product-title} 4.15 to 4.16.
 
 [WARNING]
 ====
@@ -19,9 +19,9 @@ Be aware that all responsibility falls on the administrator to ensure that all u
 
 .Procedure
 
-* Run the following command to acknowledge that you have completed the evaluation and your cluster is ready for the Kubernetes API removals in {product-title} 4.15:
+* Run the following command to acknowledge that you have completed the evaluation and your cluster is ready for the Kubernetes API removals in {product-title} 4.16:
 +
 [source,terminal]
 ----
-$ oc -n openshift-config patch cm admin-acks --patch '{"data":{"ack-4.13-kube-1.27-api-removals-in-4.15":"true"}}' --type=merge
+$ oc -n openshift-config patch cm admin-acks --patch '{"data":{"ack-4.15-kube-1.29-api-removals-in-4.16":"true"}}' --type=merge
 ----
diff --git a/modules/update-preparing-evaluate-apirequestcount-workloads.adoc b/modules/update-preparing-evaluate-apirequestcount-workloads.adoc
index d14960fbfe8f..2758f21a5fe4 100644
--- a/modules/update-preparing-evaluate-apirequestcount-workloads.adoc
+++ b/modules/update-preparing-evaluate-apirequestcount-workloads.adoc
@@ -25,14 +25,14 @@ For example:
 +
 [source,terminal]
 ----
-$ oc get apirequestcounts csistoragecapacities.v1beta1.storage.k8s.io -o yaml
+$ oc get apirequestcounts flowschemas.v1beta2.flowcontrol.apiserver.k8s.io -o yaml
 ----
 +
 You can also use `-o jsonpath` to extract the `username` and `userAgent` values from an `APIRequestCount` resource:
 +
 [source,terminal]
 ----
-$ oc get apirequestcounts csistoragecapacities.v1beta1.storage.k8s.io \
+$ oc get apirequestcounts flowschemas.v1beta2.flowcontrol.apiserver.k8s.io \
   -o jsonpath='{range .status.currentHour..byUser[*]}{..byVerb[*].verb}{","}{.username}{","}{.userAgent}{"\n"}{end}' \
   | sort -k 2 -t, -u | column -t -s, -NVERBS,USERNAME,USERAGENT
 ----
@@ -40,8 +40,8 @@ $ oc get apirequestcounts csistoragecapacities.v1beta1.storage.k8s.io \
 .Example output
 [source,terminal]
 ----
-VERBS       USERNAME                        USERAGENT
-list watch  system:kube-controller-manager  cluster-policy-controller/v0.0.0
-list watch  system:kube-controller-manager  kube-controller-manager/v1.26.5+0abcdef
-list watch  system:kube-scheduler           kube-scheduler/v1.26.5+0abcdef
+VERBS     USERNAME                            USERAGENT
+create    system:admin                        oc/4.13.0 (linux/amd64)
+list get  system:serviceaccount:myns:default  oc/4.16.0 (linux/amd64)
+watch     system:serviceaccount:myns:webhook  webhook/v1.0.0 (linux/amd64)
 ----
diff --git a/modules/update-preparing-evaluate-apirequestcount.adoc b/modules/update-preparing-evaluate-apirequestcount.adoc
index 2ac675a0f29a..6b6d550f851f 100644
--- a/modules/update-preparing-evaluate-apirequestcount.adoc
+++ b/modules/update-preparing-evaluate-apirequestcount.adoc
@@ -26,10 +26,9 @@ $ oc get apirequestcounts
 ----
 NAME                                                                 REMOVEDINRELEASE   REQUESTSINCURRENTHOUR   REQUESTSINLAST24H
 ...
-csistoragecapacities.v1.storage.k8s.io                                                  14                      380
-csistoragecapacities.v1beta1.storage.k8s.io                          1.27               0                       16
-custompolicydefinitions.v1beta1.capabilities.3scale.net                                 8                       158
-customresourcedefinitions.v1.apiextensions.k8s.io                                       1407                    30148
+flowschemas.v1beta2.flowcontrol.apiserver.k8s.io                     1.29               0                       3
+...
+prioritylevelconfigurations.v1beta2.flowcontrol.apiserver.k8s.io     1.29               0                       1
 ...
 ----
 +
@@ -51,7 +50,6 @@ $ oc get apirequestcounts -o jsonpath='{range .items[?(@.status.removedInRelease
 .Example output
 [source,terminal]
 ----
-1.27	csistoragecapacities.v1beta1.storage.k8s.io
 1.29	flowschemas.v1beta2.flowcontrol.apiserver.k8s.io
 1.29	prioritylevelconfigurations.v1beta2.flowcontrol.apiserver.k8s.io
 ----
diff --git a/modules/update-preparing-list.adoc b/modules/update-preparing-list.adoc
index 7541f5e65ec2..5ea2e7a137a8 100644
--- a/modules/update-preparing-list.adoc
+++ b/modules/update-preparing-list.adoc
@@ -5,16 +5,21 @@
 [id="update-preparing-list_{context}"]
 = Removed Kubernetes APIs
 
-{product-title} 4.15 uses Kubernetes 1.27, which removed the following deprecated APIs. You must migrate manifests and API clients to use the appropriate API version. For more information about migrating removed APIs, see the link:https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-27[Kubernetes documentation].
+{product-title} 4.16 uses Kubernetes 1.29, which removed the following deprecated APIs. You must migrate manifests and API clients to use the appropriate API version. For more information about migrating removed APIs, see the link:https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-29[Kubernetes documentation].
 
-.APIs removed from Kubernetes 1.27
-[cols="2,2,2",options="header",]
+.APIs removed from Kubernetes 1.29
+[cols="2,2,2,1",options="header",]
 |===
-|Resource |Removed API |Migrate to
+|Resource |Removed API |Migrate to |Notable changes
 
-|`CSIStorageCapacity`
-|`storage.k8s.io/v1beta1`
-|`storage.k8s.io/v1`
+|`FlowSchema`
+|`flowcontrol.apiserver.k8s.io/v1beta2`
+|`flowcontrol.apiserver.k8s.io/v1` or `flowcontrol.apiserver.k8s.io/v1beta3`
+|No
+
+|`PriorityLevelConfiguration`
+|`flowcontrol.apiserver.k8s.io/v1beta2`
+|`flowcontrol.apiserver.k8s.io/v1` or `flowcontrol.apiserver.k8s.io/v1beta3`
+|link:https://kubernetes.io/docs/reference/using-api/deprecation-guide/#flowcontrol-resources-v129[Yes]
 
 |===
-// Removed the "Notable changes" column since they were all "No" and table so wide it was causing a scrollbar. Add it back in for the next time there are notable changes (1.29)
diff --git a/modules/update-preparing-migrate.adoc b/modules/update-preparing-migrate.adoc
index cf90add71747..e3242cdd9016 100644
--- a/modules/update-preparing-migrate.adoc
+++ b/modules/update-preparing-migrate.adoc
@@ -5,4 +5,4 @@
 [id="update-preparing-migrate_{context}"]
 = Migrating instances of removed APIs
 
-For information about how to migrate removed Kubernetes APIs, see the link:https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-27[Deprecated API Migration Guide] in the Kubernetes documentation.
+For information about how to migrate removed Kubernetes APIs, see the link:https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-29[Deprecated API Migration Guide] in the Kubernetes documentation.
diff --git a/modules/update-service-configure-cvo.adoc b/modules/update-service-configure-cvo.adoc
index 3f2da3a97dd0..db8615b07099 100644
--- a/modules/update-service-configure-cvo.adoc
+++ b/modules/update-service-configure-cvo.adoc
@@ -5,13 +5,13 @@
 [id="update-service-configure-cvo"]
 = Configuring the Cluster Version Operator (CVO)
 
-After the OpenShift Update Service Operator has been installed and the OpenShift Update Service application has been created, the Cluster Version Operator (CVO) can be updated to pull graph data from the locally installed OpenShift Update Service.
+After the OpenShift Update Service Operator has been installed and the OpenShift Update Service application has been created, the Cluster Version Operator (CVO) can be updated to pull graph data from the OpenShift Update Service installed in your environment.
 
 .Prerequisites
 
 * The OpenShift Update Service Operator has been installed.
 * The OpenShift Update Service graph data container image has been created and pushed to a repository that is accessible to the OpenShift Update Service.
-* The current release and update target releases have been mirrored to a locally accessible registry.
+* The current release and update target releases have been mirrored to a registry in the disconnected environment.
 * The OpenShift Update Service application has been created.
 
 .Procedure
@@ -44,7 +44,7 @@ $ POLICY_ENGINE_GRAPH_URI="$(oc -n "${NAMESPACE}" get -o jsonpath='{.status.poli
 $ PATCH="{\"spec\":{\"upstream\":\"${POLICY_ENGINE_GRAPH_URI}\"}}"
 ----
 +
-. Patch the CVO to use the local OpenShift Update Service:
+. Patch the CVO to use the OpenShift Update Service in your environment:
 +
 [source,terminal]
 ----
diff --git a/modules/update-service-create-service-cli.adoc b/modules/update-service-create-service-cli.adoc
index 94197719d8ed..bf465decc866 100644
--- a/modules/update-service-create-service-cli.adoc
+++ b/modules/update-service-create-service-cli.adoc
@@ -11,7 +11,7 @@ You can use the OpenShift CLI (`oc`) to create an OpenShift Update Service appli
 
 * The OpenShift Update Service Operator has been installed.
 * The OpenShift Update Service graph data container image has been created and pushed to a repository that is accessible to the OpenShift Update Service.
-* The current release and update target releases have been mirrored to a locally accessible registry.
+* The current release and update target releases have been mirrored to a registry in the disconnected environment.
 
 .Procedure
 
@@ -31,7 +31,7 @@ The namespace must match the `targetNamespaces` value from the operator group.
 $ NAME=service
 ----
 
-. Configure the local registry and repository for the release images as configured in "Mirroring the {product-title} image repository", for example, `registry.example.com/ocp4/openshift4-release-images`:
+. Configure the registry and repository for the release images as configured in "Mirroring the {product-title} image repository", for example, `registry.example.com/ocp4/openshift4-release-images`:
 //TODO: Add xref to the preceding step when allowed.
 +
 [source,terminal]
diff --git a/modules/update-service-create-service-web-console.adoc b/modules/update-service-create-service-web-console.adoc
index 5be7b0690c59..0b57059708c4 100644
--- a/modules/update-service-create-service-web-console.adoc
+++ b/modules/update-service-create-service-web-console.adoc
@@ -11,7 +11,7 @@ You can use the {product-title} web console to create an OpenShift Update Servic
 
 * The OpenShift Update Service Operator has been installed.
 * The OpenShift Update Service graph data container image has been created and pushed to a repository that is accessible to the OpenShift Update Service.
-* The current release and update target releases have been mirrored to a locally accessible registry.
+* The current release and update target releases have been mirrored to a registry in the disconnected environment.
 
 .Procedure
 
@@ -28,7 +28,7 @@ You can use the {product-title} web console to create an OpenShift Update Servic
 . Enter the local pullspec in the *Graph Data Image* field to the graph data container image created in "Creating the OpenShift Update Service graph data container image", for example, `registry.example.com/openshift/graph-data:latest`.
 //TODO: Add xref to preceding step when allowed.
 
-. In the *Releases* field, enter the local registry and repository created to contain the release images in "Mirroring the OpenShift Container Platform image repository", for example, `registry.example.com/ocp4/openshift4-release-images`.
+. In the *Releases* field, enter the registry and repository created to contain the release images in "Mirroring the OpenShift Container Platform image repository", for example, `registry.example.com/ocp4/openshift4-release-images`.
 //TODO: Add xref to preceding step when allowed.
 
 . Enter `2` in the *Replicas* field.
diff --git a/modules/update-service-graph-data.adoc b/modules/update-service-graph-data.adoc
index d2f4f3c5b5e9..c11432de20dc 100644
--- a/modules/update-service-graph-data.adoc
+++ b/modules/update-service-graph-data.adoc
@@ -43,5 +43,5 @@ $ podman push registry.example.com/openshift/graph-data:latest
 +
 [NOTE]
 ====
-To push a graph data image to a local registry in a disconnected environment, copy the graph data container image created in the previous step to a repository that is accessible to the OpenShift Update Service. Run `oc image mirror --help` for available options.
+To push a graph data image to a registry in a disconnected environment, copy the graph data container image created in the previous step to a repository that is accessible to the OpenShift Update Service. Run `oc image mirror --help` for available options.
 ====
diff --git a/modules/update-service-overview.adoc b/modules/update-service-overview.adoc
index 184c57f7dd2f..00104ecb332b 100644
--- a/modules/update-service-overview.adoc
+++ b/modules/update-service-overview.adoc
@@ -19,7 +19,7 @@ To allow the OpenShift Update Service to provide only compatible updates, a rele
 
 [IMPORTANT]
 ====
-The OpenShift Update Service displays all recommended updates for your current cluster.  If an update path is not recommended by the OpenShift Update Service, it might be because of a known issue with the update or the target release.
+The OpenShift Update Service displays all recommended updates for your current cluster. If an update path is not recommended by the OpenShift Update Service, it might be because of a known issue related to the update path, such as incompatibility or availability.
 ====
 
 ////
diff --git a/modules/update-upgrading-cli.adoc b/modules/update-upgrading-cli.adoc
index 10e077e4c1d2..754e0ff8c283 100644
--- a/modules/update-upgrading-cli.adoc
+++ b/modules/update-upgrading-cli.adoc
@@ -66,7 +66,7 @@ endif::openshift-origin[]
 +
 [NOTE]
 ====
-* If there are no available updates, updates that are supported but not recommended might still be available.
+* If there are no recommended updates, updates that have known issues might still be available.
 See _Updating along a conditional update path_ for more information.
 ifndef::openshift-origin[]
 * For details and information on how to perform an `EUS-to-EUS` channel update, please refer to the _Preparing to perform an EUS-to-EUS upgrade_ page, listed in the Additional resources section.
diff --git a/modules/update-upgrading-oc-adm-upgrade-status.adoc b/modules/update-upgrading-oc-adm-upgrade-status.adoc
new file mode 100644
index 000000000000..56133a409d7c
--- /dev/null
+++ b/modules/update-upgrading-oc-adm-upgrade-status.adoc
@@ -0,0 +1,85 @@
+// Module included in the following assemblies:
+//
+// * updating/updating_a_cluster/updating-cluster-cli.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="update-upgrading-oc-adm-upgrade-status_{context}"]
+= Retrieving information about a cluster update using oc adm upgrade status (Technology Preview)
+
+When updating your cluster, it is useful to understand how your update is progressing. While the `oc adm upgrade` command returns limited information about the status of your update, this release introduces the `oc adm upgrade status` command as a Technology Preview feature. This command decouples status information from the `oc adm upgrade` command and provides specific information regarding a cluster update, including the status of the control plane and worker node updates.
+
+The `oc adm upgrade status` command is read-only and will never alter any state in your cluster. 
+
+:FeatureName: The `oc adm upgrade status` command
+include::snippets/technology-preview.adoc[]
+
+The `oc adm upgrade status` command can be used for clusters from version 4.12 up to the latest supported release. 
+
+[IMPORTANT]
+====
+While your cluster does not need to be a Technology Preview-enabled cluster, you must enable the `OC_ENABLE_CMD_UPGRADE_STATUS` Technology Preview environment variable, otherwise the {oc-first} will not recognize the command and you will not be able to use the feature. 
+====
+
+.Procedure 
+
+. Set the `OC_ENABLE_CMD_UPGRADE_STATUS` environmental variable to `true` by running the following command:
++
+[source,terminal]
+----
+$ export OC_ENABLE_CMD_UPGRADE_STATUS=true
+----
+. Run the `oc adm upgrade status` command:
++
+[source,terminal]
+----
+$ oc adm upgrade status
+----
++
+.Example output for an update progressing successfully
+[%collapsible]
+====
+[source,terminal]
+----
+= Control Plane =
+Assessment:      Progressing
+Target Version:  4.14.1 (from 4.14.0)
+Completion:      97%
+Duration:        54m
+Operator Status: 32 Healthy, 1 Unavailable
+
+Control Plane Nodes
+NAME                                        ASSESSMENT    PHASE      VERSION   EST    MESSAGE
+ip-10-0-53-40.us-east-2.compute.internal    Progressing   Draining   4.14.0    +10m
+ip-10-0-30-217.us-east-2.compute.internal   Outdated      Pending    4.14.0    ?
+ip-10-0-92-180.us-east-2.compute.internal   Outdated      Pending    4.14.0    ?
+
+= Worker Upgrade =
+
+= Worker Pool =
+Worker Pool:     worker
+Assessment:      Progressing
+Completion:      0%
+Worker Status:   3 Total, 2 Available, 1 Progressing, 3 Outdated, 1 Draining, 0 Excluded, 0 Degraded
+
+Worker Pool Nodes
+NAME                                        ASSESSMENT    PHASE      VERSION   EST    MESSAGE
+ip-10-0-4-159.us-east-2.compute.internal    Progressing   Draining   4.14.0    +10m
+ip-10-0-20-162.us-east-2.compute.internal   Outdated      Pending    4.14.0    ?
+ip-10-0-99-40.us-east-2.compute.internal    Outdated      Pending    4.14.0    ?
+
+= Worker Pool =
+Worker Pool:     infra
+Assessment:      Progressing
+Completion:      0%
+Worker Status:   1 Total, 0 Available, 1 Progressing, 1 Outdated, 1 Draining, 0 Excluded, 0 Degraded
+
+Worker Pool Node
+NAME                                             ASSESSMENT    PHASE      VERSION   EST    MESSAGE
+ip-10-0-4-159-infra.us-east-2.compute.internal   Progressing   Draining   4.14.0    +10m
+
+= Update Health =
+SINCE   LEVEL   IMPACT   MESSAGE
+14m4s   Info    None     Update is proceeding well
+----
+====
+With this information, you can make informed decisions on how to proceed with your update.
\ No newline at end of file
diff --git a/modules/using-assisted-installer-oci-agent-iso.adoc b/modules/using-assisted-installer-oci-agent-iso.adoc
index 975969bda79e..7d0a8a343262 100644
--- a/modules/using-assisted-installer-oci-agent-iso.adoc
+++ b/modules/using-assisted-installer-oci-agent-iso.adoc
@@ -37,7 +37,7 @@ From the {oci} web console, you must create the following resources:
 |Specify the base domain of the cluster, such as `splat-oci.devcluster.openshift.com`. Provided you previously created a compartment on {oci}, you can get this information by going to *DNS management* -> *Zones* -> *List scope* and then selecting the parent compartment. Your base domain should show under the *Public zones* tab.
 
 |*OpenShift version*
-| Specify `OpenShift 4.15` or a later version.
+| Specify `OpenShift 4.16` or a later version.
 
 |*CPU architecture*
 | Specify `x86_64` or `Arm64`.
diff --git a/modules/validations-before-agent-iso-creation.adoc b/modules/validations-before-agent-iso-creation.adoc
index 908b60a93ba2..2d8a6e346d41 100644
--- a/modules/validations-before-agent-iso-creation.adoc
+++ b/modules/validations-before-agent-iso-creation.adoc
@@ -12,7 +12,6 @@ is created.
 .`install-config.yaml`
 
 * `baremetal`, `vsphere` and `none` platforms are supported.
-* If `none` is used as a platform, the number of control plane replicas must be `1` and the total number of worker replicas must be `0`.
 * The `networkType` parameter must be `OVNKubernetes` in the case of `none` platform.
 * `apiVIPs` and `ingressVIPs` parameters must be set for bare metal and vSphere platforms.
 * Some host-specific fields in the bare metal platform configuration that have equivalents in `agent-config.yaml` file are ignored. A warning message is logged if these fields are set.
diff --git a/modules/verifying-cluster-install-oci-agent-based.adoc b/modules/verifying-cluster-install-oci-agent-based.adoc
index 6a24210cde90..a92844d8d0c4 100644
--- a/modules/verifying-cluster-install-oci-agent-based.adoc
+++ b/modules/verifying-cluster-install-oci-agent-based.adoc
@@ -63,8 +63,8 @@ $ oc get co
 [source,terminal]
 ----
 NAME           VERSION     AVAILABLE  PROGRESSING    DEGRADED   SINCE   MESSAGE
-authentication 4.15.0-0    True       False          False      6m18s
-baremetal      4.15.0-0    True       False          False      2m42s
-network        4.15.0-0    True       True           False      5m58s  Progressing: …
+authentication 4.16.0-0    True       False          False      6m18s
+baremetal      4.16.0-0    True       False          False      2m42s
+network        4.16.0-0    True       True           False      5m58s  Progressing: …
     …
 ----
diff --git a/modules/virt-about-vmis.adoc b/modules/virt-about-vmis.adoc
index bb6d364ea90e..dc87169a6980 100644
--- a/modules/virt-about-vmis.adoc
+++ b/modules/virt-about-vmis.adoc
@@ -23,3 +23,5 @@ When you delete a VM, the associated VMI is automatically deleted. You delete a
 ====
 Before you uninstall {VirtProductName}, list and view the standalone VMIs by using the CLI or the web console. Then, delete any outstanding VMIs.
 ====
+
+When you edit a VM, some settings might be applied to the VMIs dynamically and without the need for a restart. Any change made to a VM object that cannot be applied to the VMIs dynamically will trigger the `RestartRequired` VM condition. Changes are effective on the next reboot, and the condition is removed.
\ No newline at end of file
diff --git a/modules/virt-checking-storage-configuration.adoc b/modules/virt-checking-storage-configuration.adoc
index 7da31be3b816..7df1c13db504 100644
--- a/modules/virt-checking-storage-configuration.adoc
+++ b/modules/virt-checking-storage-configuration.adoc
@@ -166,11 +166,11 @@ data:
   status.failureReason: "" # <2>
   status.startTimestamp: "2023-07-31T13:14:38Z" # <3>
   status.completionTimestamp: "2023-07-31T13:19:41Z" # <4>
-  status.result.cnvVersion: 4.15.2
+  status.result.cnvVersion: 4.16.2
   status.result.defaultStorageClass: trident-nfs <5>
   status.result.goldenImagesNoDataSource: <data_import_cron_list> # <6>
   status.result.goldenImagesNotUpToDate: <data_import_cron_list> # <7>
-  status.result.ocpVersion: 4.15.0
+  status.result.ocpVersion: 4.16.0
   status.result.storageMissingVolumeSnapshotClass: <storage_class_list> 
   status.result.storageProfilesWithEmptyClaimPropertySets: <storage_profile_list> # <8>
   status.result.storageProfilesWithSpecClaimPropertySets: <storage_profile_list> 
diff --git a/modules/virt-cluster-role-VNC.adoc b/modules/virt-cluster-role-VNC.adoc
new file mode 100644
index 000000000000..501bb10a072e
--- /dev/null
+++ b/modules/virt-cluster-role-VNC.adoc
@@ -0,0 +1,27 @@
+// Module included in the following assemblies:
+//
+// * virt/virtual_machines/virt-accessing-vm-consoles.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="virt-cluster-role-VNC_{context}"]
+= Granting token generation permission for the VNC console by using the cluster role
+
+As a cluster administrator, you can install a cluster role and bind it to a user or service account to allow access to the endpoint that generates tokens for the VNC console.
+
+.Procedure
+
+* Choose to bind the cluster role to either a user or service account.
+
+** Run the following command to bind the cluster role to a user:
++
+[source,terminal]
+----
+$ kubectl create rolebinding "${ROLE_BINDING_NAME}" --clusterrole="token.kubevirt.io:generate" --user="${USER_NAME}"
+----
+
+** Run the following command to bind the cluster role to a service account:
++
+[source,terminal]
+----
+$ kubectl create rolebinding "${ROLE_BINDING_NAME}" --clusterrole="token.kubevirt.io:generate" --serviceaccount="${SERVICE_ACCOUNT_NAME}"
+----
\ No newline at end of file
diff --git a/modules/virt-configuring-disk-sharing-lun.adoc b/modules/virt-configuring-disk-sharing-lun.adoc
index 459ad405f80e..99d8276d0785 100644
--- a/modules/virt-configuring-disk-sharing-lun.adoc
+++ b/modules/virt-configuring-disk-sharing-lun.adoc
@@ -6,12 +6,16 @@
 [id="virt-configuring-disk-sharing-lun_{context}"]
 = Configuring disk sharing by using LUN
 
-You can configure a LUN-backed virtual machine disk to be shared among multiple virtual machines by enabling SCSI persistent reservation. Enabling the shared option allows you to use advanced SCSI commands, such as those required for a Windows failover clustering implementation, against the underlying storage. Any disk to be shared must be in block mode.
+You can configure a LUN-backed virtual machine (VM) disk to be shared among multiple virtual machines by enabling SCSI persistent reservation. Enabling the shared option allows you to use advanced SCSI commands, such as those required for a Windows failover clustering implementation, against the underlying storage. Any disk to be shared must be in block mode.
 
 A disk of type `LUN` exposes the volume as a LUN device to the VM. This allows the VM to execute arbitrary iSCSI command passthrough on the disk.
 
 You reserve a LUN through the SCSI persistent reserve options to protect data on the VM from outside access. To enable the reservation, you configure the feature gate option. You then activate the option on the LUN disk to issue SCSI device-specific input and output controls (IOCTLs) that the VM requires.
 
+You can set an error policy for each LUN disk. The error policy controls how the hypervisor behaves when an input/output error occurs on a disk Read or Write. The default behavior stops the guest and generates a Kubernetes event.
+
+For a LUN disk with an iSCSi connection and a persistent reservation, as required for Windows Failover Clustering for shared volumes, you set the error policy to `report`.
+
 .Prerequisites
 
 * You must have cluster administrator privileges to configure the feature gate option.
@@ -41,10 +45,10 @@ spec:
           - disk:
               bus: sata
             name: rootdisk
-          - errorPolicy: report
-            lun: <1>
+          - errorPolicy: report <1>
+            lun: <2>
               bus: scsi
-              reservation: true <2>
+              reservation: true <3>
             name: na-shared
             serial: shared1234
       volumes:
@@ -55,7 +59,8 @@ spec:
         persistentVolumeClaim:
           claimName: pvc-na-share
 ----
-<1> Identifies a LUN disk.
-<2> Identifies that the persistent reservation is enabled.
+<1> Identifies the error policy.
+<2> Identifies a LUN disk.
+<3> Identifies that the persistent reservation is enabled.
 
 . Save the `VirtualMachine` manifest file to apply your changes.
\ No newline at end of file
diff --git a/modules/virt-configuring-vm-disk-sharing.adoc b/modules/virt-configuring-vm-disk-sharing.adoc
index 94e969d852ec..c9d6eb7b5110 100644
--- a/modules/virt-configuring-vm-disk-sharing.adoc
+++ b/modules/virt-configuring-vm-disk-sharing.adoc
@@ -10,6 +10,14 @@ You can configure block volumes so that multiple virtual machines (VMs) can shar
 
 The application running on the guest operating system determines the storage option you must configure for the VM. A disk of type `disk` exposes the volume as an ordinary disk to the VM.
 
+You can set an error policy for each disk. The error policy controls how the hypervisor behaves when an input/output error occurs while a disk is being written to or read. The default behavior stops the VM and generates a Kubernetes event.
+
+You can accept the default behavior, or you can set the error policy to one of the following options:
+
+* `report`, which reports the error in the guest.
+* `ignore`, which ignores the error. The Read or Write failure is undetected.
+* `enospace`, which produces an error indicating that there is not enough disk space.
+
 .Prerequisites
 
 * The volume access mode must be `ReadWriteMany` (RWX) if the VMs that are sharing disks are running on different nodes.
@@ -38,17 +46,19 @@ spec:
           - disk:
               bus: virtio
             name: rootdisk
-            disk1: disk_one <1>
+            errorPolicy: report <1>
+            disk1: disk_one <2>
           - disk:
               bus: virtio
             name: cloudinitdisk
             disk2: disk_two
-            shareable: true <2>
+            shareable: true <3>
           interfaces:
           - masquerade: {}
             name: default
 ----
-<1> Identifies a device as a disk.
-<2> Identifies a shared disk.
+<1> Identifies the error policy.
+<2> Identifies a device as a disk.
+<3> Identifies a shared disk.
 
 . Save the `VirtualMachine` manifest file to apply your changes.
\ No newline at end of file
diff --git a/modules/virt-configuring-vm-real-time.adoc b/modules/virt-configuring-vm-real-time.adoc
index b2b15744fa64..3dd0f52f30d7 100644
--- a/modules/virt-configuring-vm-real-time.adoc
+++ b/modules/virt-configuring-vm-real-time.adoc
@@ -6,7 +6,7 @@
 [id="virt-configuring-vm-real-time_{context}"]
 = Configuring a virtual machine for real-time workloads
 
-You can configure a virtual machines (VM) to run real-time workloads.
+You can configure a virtual machine (VM) to run real-time workloads.
 
 .Prerequisites
 * Your cluster is configured to run real-time workloads.
@@ -23,12 +23,13 @@ kind: VirtualMachine
 metadata:
   name: realtime-vm
 spec:
+  running: true
   template:
     metadata:
       annotations:
-        cpu-load-balancing.crio.io: disable <1>
-        cpu-quota.crio.io: disable <2>
-        irq-load-balancing.crio.io: disable <3>
+        cpu-load-balancing.crio.io: disable # <1>
+        cpu-quota.crio.io: disable # <2>
+        irq-load-balancing.crio.io: disable # <3>
     spec:
       domain:
         cpu:
@@ -38,8 +39,8 @@ spec:
           numa:
             guestMappingPassthrough: {}
           realtime: {}
-          sockets: 1 <4>
-          cores: 4 <5>
+          sockets: 1 # <4>
+          cores: 4 # <5>
           threads: 1
         devices:
           autoattachGraphicsDevice: false
@@ -49,56 +50,138 @@ spec:
         memory:
           guest: 4Gi
           hugepages:
-            pageSize: 1Gi <6>
+            pageSize: 1Gi # <6>
         terminationGracePeriodSeconds: 0
 # ...
 ----
 <1> This annotation specifies that load balancing is disabled for CPUs that are used by the container.
 <2> This annotation specifies that the CPU quota is disabled for CPUs that are used by the container.
 <3> This annotation specifies that interrupt request (IRQ) load balancing is disabled for CPUs that are used by the container.
-<4> The number of sockets inside the VM. 
+<4> The number of sockets inside the VM.
 <5> The number of cores inside the VM. This must be a value greater than or equal to `1`.
 <6> The size of the huge pages. The possible values for x86-64 architectures are `1Gi` and `2Mi`. In this example, the request is for 4 huge pages of size 1 Gi.
-
 . Apply the `VirtualMachine` manifest:
 +
 [source,terminal]
 ----
 $ oc apply -f <file_name>.yaml
 ----
-
-. Configure the guest operating system. The following example shows the configuration steps for a {op-system-base} 8 operating system:
+. Configure the guest operating system. The following example shows the configuration steps for a {op-system-base} 9 operating system:
 .. Run the following command to connect to the VM console:
 +
 [source,terminal]
 ----
 $ virtctl console <vm_name>
 ----
-
-.. Configure huge pages by using the GRUB boot loader command-line interface. In the following example, 8 1G huge pages are specified.
+.. If you are not already logged in as a root user, switch to the root user account to execute the remaining configuration steps.
+.. Disable the `irqbalance` service by using the following command:
 +
 [source,terminal]
 ----
-$ grubby --update-kernel=ALL --args="default_hugepagesz=1GB hugepagesz=1G hugepages=8"
+# systemctl disable irqbalance && systemctl stop irqbalance
 ----
-
-.. To achieve low-latency tuning by using the `cpu-partitioning` profile in the TuneD application, run the following commands:
+.. Enable the real-time and network function virtualization (NFV) repositories:
 +
 [source,terminal]
 ----
-$ dnf install -y tuned-profiles-cpu-partitioning
+# subscription-manager repos --enable rhel-9-for-x86_64-rt-rpms --enable rhel-9-for-x86_64-nfv-rpms
 ----
+.. Install the necessary packages by running the following command:
 +
 [source,terminal]
 ----
-$ echo isolated_cores=2-9 > /etc/tuned/cpu-partitioning-variables.conf
+# dnf install tuned cloud-init
 ----
-The first two CPUs (0 and 1) are set aside for house keeping tasks and the rest are isolated for the real-time application.
+.. To achieve low-latency tuning by using the `realtime-virtual-guest` profile in the TuneD application, run the following commands:
 +
 [source,terminal]
 ----
-$ tuned-adm profile cpu-partitioning
+# dnf install kernel-rt realtime-tests tuned-profiles-realtime
 ----
++
+[source,terminal]
+----
+# dnf install tuned-profiles-nfv-guest
+----
+.. Edit the `/etc/tuned/realtime-virtual-guest-variables.conf` file:
++
+[source,conf]
+----
+#
+# Variable settings below override the definitions from the
+# /etc/tuned/realtime-variables.conf file.
+
+#
+# Core isolation
+#
+# The 'isolated_cores=' variable below controls which cores should be
+# isolated. By default we reserve 1 core per socket for housekeeping
+# and isolate the rest. But you can isolate any range as shown in the
+# examples below. Just remember to keep only one isolated_cores= line.
+#
+# Examples:
+# isolated_cores=2,4-7
+# isolated_cores=2-23
+#
+# Reserve 1 core per socket for housekeeping, isolate the rest.
+# Change this for a core list or range as shown above.
+isolated_cores=2-3 <1>
 
+#
+# Uncomment the 'isolate_managed_irq=Y' bellow if you want to move kernel
+# managed IRQs out of isolated cores. Note that this requires kernel
+# support. Please only specify this parameter if you are sure that the
+# kernel supports it.
+#
+isolate_managed_irq=Y <2>
+
+#
+# Set the desired combined queue count value using the parameter provided
+# below. Ideally this should be set to the number of housekeeping CPUs i.e.,
+# in the example given below it is assumed that the system has 4 housekeeping
+# (non-isolated) CPUs.
+#
+# netdev_queue_count=4
+----
+<1> The first two CPUs (0 and 1) are set aside for house keeping tasks and the rest are isolated for the real-time application.
+<2> Set the `isolate_managed_irq` parameter to `Y` to move kernel-managed interrupt requests out of isolated cores.
+.. Activate the TuneD profile:
++
+[source,terminal]
+----
+# tuned-adm profile realtime-virtual-guest
+----
+.. Set the real-time kernel as the default by using the GRUB boot loader command-line interface:
++
+[source,terminal]
+----
+# grubby --set-default=/boot/vmlinuz-<installed_rt_kernel_version>
+----
+.. Set the kernel arguments by using the GRUB boot loader command-line interface:
++
+[source,terminal]
+----
+# grubby --args="iommu=pt intel_iommu=on default_hugepagesz=1G idle=poll" --update-kernel=$(grubby --default-kernel)
+----
 . Restart the VM to apply the changes.
 
+.Verification
+* Use the `cyclictest` tool to verify that the real-time guest is configured properly:
++
+[source,terminal]
+----
+# cyclictest --priority 1 --policy fifo -h 50 -a 2-3 --mainaffinity 0,1 -t 2 -m -q -i 200 -D 12h
+----
+where:
+`-a`:: Specifies the CPU set on which the test runs. This is the same as the isolated CPUs that you configured in the `realtime-variables.conf` file.
+`-D`:: Specifies the test duration. Append `m`, `h`, or `d` to specify minutes, hours or days.
+
++
+.Example output
+[source,terminal]
+----
+# Min Latencies: 00004 00004
+# Avg Latencies: 00004 00004
+# Max Latencies: 00014 00013 <1>
+----
+<1> The `Max Latencies` value in the output must be less than 40 micro seconds.
\ No newline at end of file
diff --git a/modules/virt-configuring-vm-with-persistent-efi.adoc b/modules/virt-configuring-vm-with-persistent-efi.adoc
new file mode 100644
index 000000000000..079430f43542
--- /dev/null
+++ b/modules/virt-configuring-vm-with-persistent-efi.adoc
@@ -0,0 +1,34 @@
+// Module included in the following assemblies:
+//
+// * virt/virtual_machines/advanced_vm_management/virt-uefi-mode-for-vms.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="configuring-vm-with-persistent-efi_{context}"]
+= Configuring VMs with persistent EFI
+
+You can configure a VM to have EFI persistence enabled by editing its manifest file.
+
+.Prerequisites
+
+* `VMPersistentState` feature gate enabled.
+
+.Procedure
+
+* Edit the VM manifest file and save to apply settings.
++
+[source,yaml]
+----
+apiVersion: kubevirt.io/v1
+kind: VirtualMachine
+metadata:
+  name: vm
+spec:
+  template:
+    spec:
+      domain:
+        firmware:
+          bootloader:
+            efi:
+              persistent: true
+# ...
+----
\ No newline at end of file
diff --git a/modules/virt-connecting-vm-internal-fqdn.adoc b/modules/virt-connecting-vm-internal-fqdn.adoc
new file mode 100644
index 000000000000..e2b12a65ce2a
--- /dev/null
+++ b/modules/virt-connecting-vm-internal-fqdn.adoc
@@ -0,0 +1,40 @@
+// Module included in the following assemblies:
+//
+// * virt/vm_networking/virt-accessing-vm-internal-fqdn.adoc              
+
+:_mod-docs-content-type: PROCEDURE                                   
+[id="virt-connecting-vm-internal-fqdn_{context}"]
+= Connecting to a virtual machine by using its internal FQDN
+
+You can connect to a virtual machine (VM) by using its internal fully qualified domain name (FQDN).
+
+.Prerequisites
+* You have installed the `virtctl` tool.
+* You have identified the internal FQDN of the VM from the web console or by mapping the VM to a headless service. The internal FQDN has the format `<vm.spec.hostname>.<vm.spec.subdomain>.<vm.metadata.namespace>.svc.cluster.local`.
+
+
+.Procedure
+
+. Connect to the VM console by entering the following command:
++
+[source,terminal]
+----
+$ virtctl console vm-fedora
+----
+
+. To connect to the VM by using the requested FQDN, run the following command:
++
+[source,terminal]
+----
+$ ping myvm.mysubdomain.<namespace>.svc.cluster.local
+----
++
+.Example output
+[source,terminal]
+----
+PING myvm.mysubdomain.default.svc.cluster.local (10.244.0.57) 56(84) bytes of data.
+64 bytes from myvm.mysubdomain.default.svc.cluster.local (10.244.0.57): icmp_seq=1 ttl=64 time=0.029 ms
+----
++
+In the preceding example, the DNS entry for `myvm.mysubdomain.default.svc.cluster.local` points to `10.244.0.57`, which is the cluster IP address that is currently assigned to the VM.
+
diff --git a/modules/virt-creating-headless-services.adoc b/modules/virt-creating-headless-services.adoc
new file mode 100644
index 000000000000..c2f448e2c336
--- /dev/null
+++ b/modules/virt-creating-headless-services.adoc
@@ -0,0 +1,45 @@
+// Module included in the following assemblies:
+//
+// * virt/vm_networking/virt-accessing-vm-internal-fqdn.adoc              
+
+:_mod-docs-content-type: PROCEDURE                                   
+[id="virt-creating-headless-services_{context}"]
+= Creating a headless service in a project by using the CLI
+
+To create a headless service in a namespace, add the `clusterIP: None` parameter to the service YAML definition.
+
+.Prerequisites
+* You have installed the OpenShift CLI (`oc`).
+
+.Procedure
+
+. Create a `Service` manifest to expose the VM, such as the following example:
++
+[source,yaml]
+----
+apiVersion: v1
+kind: Service
+metadata:
+  name: mysubdomain # <1>
+spec:
+  selector:
+    expose: me # <2>
+  clusterIP: None # <3>
+  ports: # <4>
+  - protocol: TCP 
+    port: 1234
+    targetPort: 1234
+----
+<1> The name of the service. This must match the `spec.subdomain` attribute in the `VirtualMachine` manifest file.
+<2> This service selector must match the `expose:me` label in the `VirtualMachine` manifest file.
+<3> Specifies a headless service.
+<4> The list of ports that are exposed by the service. You must define at least one port. This can be any arbitrary value as it does not affect the headless service.
+
+. Save the `Service` manifest file.
+
+. Create the service by running the following command:
++
+[source,terminal]
+----
+$ oc create -f headless_service.yaml
+----
\ No newline at end of file
diff --git a/modules/virt-discovering-vm-internal-fqdn.adoc b/modules/virt-discovering-vm-internal-fqdn.adoc
new file mode 100644
index 000000000000..255c7279a1f1
--- /dev/null
+++ b/modules/virt-discovering-vm-internal-fqdn.adoc
@@ -0,0 +1,45 @@
+// Module included in the following assemblies:
+//
+// * virt/vm_networking/virt-accessing-vm-internal-fqdn.adoc              
+
+:_mod-docs-content-type: PROCEDURE                                   
+[id="virt-discovering-vm-internal-fqdn_{context}"]
+= Mapping a virtual machine to a headless service by using the CLI
+
+To connect to a virtual machine (VM) from within the cluster by using its internal fully qualified domain name (FQDN), you must first map the VM to a headless service. Set the `spec.hostname` and `spec.subdomain` parameters in the VM configuration file.
+
+If a headless service exists with a name that matches the subdomain, a unique DNS A record is created for the VM in the form of `<vm.spec.hostname>.<vm.spec.subdomain>.<vm.metadata.namespace>.svc.cluster.local`.
+
+.Procedure
+
+. Edit the `VirtualMachine` manifest to add the service selector label and subdomain by running the following command:
++
+[source,terminal]
+----
+$ oc edit vm <vm_name>
+----
++
+.Example `VirtualMachine` manifest file
+[source,yaml]
+----
+apiVersion: kubevirt.io/v1
+kind: VirtualMachine
+metadata:
+  name: vm-fedora
+spec:
+  template:
+    metadata:
+      labels:
+        expose: me # <1>
+    spec:
+      hostname: "myvm" # <2>
+      subdomain: "mysubdomain" # <3>
+# ...
+----
+<1> The `expose:me` label must match the `spec.selector` attribute of the `Service` manifest that you previously created.
+<2> If this attribute is not specified, the resulting DNS A record takes the form of `<vm.metadata.name>.<vm.spec.subdomain>.<vm.metadata.namespace>.svc.cluster.local`.
+<3> The `spec.subdomain` attribute must match the `metadata.name` value of the `Service` object.
+
+. Save your changes and exit the editor.
+
+. Restart the VM to apply the changes.
\ No newline at end of file
diff --git a/modules/virt-enabling-multi-queue.adoc b/modules/virt-enabling-multi-queue.adoc
new file mode 100644
index 000000000000..7edf545073bd
--- /dev/null
+++ b/modules/virt-enabling-multi-queue.adoc
@@ -0,0 +1,25 @@
+// Module included in the following assemblies:
+//
+// * virt/virtual_machines/virtual_disks/virt-configuring-shared-volumes-for-vms.adoc
+
+:_content-type: PROCEDURE
+[id="virt-enabling-multi-queue_{context}"]
+= Enabling multi-queue functionality
+
+Enable multi-queue functionality for interfaces configured with a VirtIO model.
+
+.Procedure
+
+. Set the `networkInterfaceMultiqueue` value to `true` in the `VirtualMachine` manifest file of your VM to enable multi-queue functionality:
++
+[source,yaml]
+----
+apiVersion: kubevirt.io/v1
+kind: VM
+spec:
+  domain:
+    devices:
+      networkInterfaceMultiqueue: true
+----
+
+. Save the `VirtualMachine` manifest file to apply your changes.
\ No newline at end of file
diff --git a/modules/virt-enabling-persistent-efi.adoc b/modules/virt-enabling-persistent-efi.adoc
new file mode 100644
index 000000000000..6e0d584be5c9
--- /dev/null
+++ b/modules/virt-enabling-persistent-efi.adoc
@@ -0,0 +1,24 @@
+// Module included in the following assemblies:
+//
+// * virt/virtual_machines/advanced_vm_management/virt-uefi-mode-for-vms.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="virt-enabling-persistent-efi_{context}"]
+= Enabling persistent EFI
+
+You can enable EFI persistence in a VM by configuring an RWX storage class at the cluster level and adjusting the settings in the EFI section of the VM.
+
+.Prerequisites
+
+* You must have cluster administrator privileges.
+* You must have a storage class that supports RWX access mode and FS volume mode.
+
+.Procedure
+
+* Enable the `VMPersistentState` feature gate by running the following command:
++
+[source,terminal,subs="attributes+"]
+----
+$ oc patch hyperconverged kubevirt-hyperconverged -n {CNVNamespace} \
+  --type json -p '[{"op":"replace","path":"/spec/featureGates/VMPersistentState", "value": true}]'
+----
\ No newline at end of file
diff --git a/modules/virt-example-nmstate-IP-management.adoc b/modules/virt-example-nmstate-IP-management.adoc
index 75bfad366bfb..cfb3519e35b1 100644
--- a/modules/virt-example-nmstate-IP-management.adoc
+++ b/modules/virt-example-nmstate-IP-management.adoc
@@ -98,14 +98,38 @@ By default, the `nmstate` API stores DNS values globally as against storing them
 Setting a DNS configuration is comparable to modifying the `/etc/resolv.conf` file.
 ====
 
-The following examples show situations that require configuring a network interface to store DNS values:
-
 [IMPORTANT]
 ====
 You cannot use `br-ex` bridge, an OVNKubernetes-managed Open vSwitch bridge, as the interface when configuring DNS resolvers.
 ====
 
-* Configure a static DNS for a network interface with an automatic IP configuration. Note that for this configuration, you must set the `auto-dns` parameter to `false`, so that the Kubernetes NMState Operator can store custom DNS settings for the network interface.
+The following example shows a default situation that stores DNS values globally:
+
+* Configure a static DNS without a network interface. Note that when updating the `/etc/resolv.conf` file on a host node, you do not need to specify an interface (IPv4 or IPv6) in the `NodeNetworkConfigurationPolicy` (NNCP) manifest.
++
+[source,yaml]
+----
+apiVersion: nmstate.io/v1
+kind: NodeNetworkConfigurationPolicy
+metadata:
+ name: worker-0-dns-testing
+spec:
+  nodeSelector:
+    kubernetes.io/hostname: <target_node>
+dns-resolver:
+  config:
+    search:
+    - example.com
+    - example.org
+    server:
+    - 2001:db8:f::1
+    - 192.0.2.251
+# ...
+----
+
+The following examples show situations that require configuring a network interface to store DNS values:
+
+* Configure a static DNS for a network interface with an automatic IP configuration. Note that for this configuration, you must set the `auto-dns` parameter to `false`, so that the Kubernetes NMState Operator can store custom DNS settings for the network interface. 
 +
 [source,yaml]
 ----
@@ -171,7 +195,7 @@ routes:
 # ...
 ----
 
-* Configure a static DNS name server to append to Dynamic Host Configuration Protocol (DHCP) and IPv6 Stateless Address AutoConfiguration (SLAAC) servers:
+* Configure a static DNS name server to append to Dynamic Host Configuration Protocol (DHCP) and IPv6 Stateless Address AutoConfiguration (SLAAC) servers.
 +
 [source,yaml]
 ----
diff --git a/modules/virt-latency-checkup-web-console.adoc b/modules/virt-latency-checkup-web-console.adoc
new file mode 100644
index 000000000000..cd41e31f25f9
--- /dev/null
+++ b/modules/virt-latency-checkup-web-console.adoc
@@ -0,0 +1,28 @@
+// Module included in the following assemblies:
+//
+// * virt/monitoring/virt-running-cluster-checkups.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="virt-latency-checkup-web-console_{context}"]
+= Running a latency checkup in the web console
+
+Run a latency checkup to verify network connectivity and measure the latency between two virtual machines attached to a secondary network interface.
+
+.Prerequisites
+
+* You must add a `NetworkAttachmentDefinition` to the namespace.
+
+.Procedure
+
+. Navigate to *Virtualization* -> *Checkups* in the web console.
+. Click the *Network latency* tab.
+. Click *Install permissions*.
+. Click *Run checkup*.
+. Enter a name for the checkup in the *Name* field.
+. Select a *NetworkAttachmentDefinition* from the drop-down menu.
+. Optional: Set a duration for the latency sample in the *Sample duration (seconds)* field.
+. Optional: Define a maximum latency time interval by enabling *Set maximum desired latency (milliseconds)* and defining the time interval.
+. Optional: Target specific nodes by enabling *Select nodes* and specifying the *Source node* and *Target node*.
+. Click *Run*.
+
+You can view the status of the latency checkup in the *Checkups* list on the *Latency checkup* tab. Click on the name of the checkup for more details.
\ No newline at end of file
diff --git a/modules/virt-measuring-latency-vm-secondary-network.adoc b/modules/virt-measuring-latency-vm-secondary-network.adoc
index 2b2a55a61400..52b196547458 100644
--- a/modules/virt-measuring-latency-vm-secondary-network.adoc
+++ b/modules/virt-measuring-latency-vm-secondary-network.adoc
@@ -4,7 +4,7 @@
 
 :_mod-docs-content-type: PROCEDURE
 [id="virt-measuring-latency-vm-secondary-network_{context}"]
-= Running a latency checkup
+= Running a latency checkup on the CLI
 
 You use a predefined checkup to verify network connectivity and measure latency between two virtual machines (VMs) that are attached to a secondary network interface. The latency checkup uses the ping utility.
 
diff --git a/modules/virt-storage-checkup-web-console.adoc b/modules/virt-storage-checkup-web-console.adoc
new file mode 100644
index 000000000000..b7a0bd652fac
--- /dev/null
+++ b/modules/virt-storage-checkup-web-console.adoc
@@ -0,0 +1,21 @@
+// Module included in the following assemblies:
+//
+// * virt/monitoring/virt-running-cluster-checkups.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="virt-storage-checkup-web-console_{context}"]
+= Running a storage checkup in the web console
+
+Run a storage checkup to validate that storage is working correctly for virtual machines.
+
+.Procedure
+
+. Navigate to *Virtualization* -> *Checkups* in the web console.
+. Click the *Storage* tab.
+. Click *Install permissions*.
+. Click *Run checkup*.
+. Enter a name for the checkup in the *Name* field.
+. Enter a timeout value for the checkup in the *Timeout (minutes)* fields.
+. Click *Run*.
+
+You can view the status of the storage checkup in the *Checkups* list on the *Storage* tab. Click on the name of the checkup for more details.
\ No newline at end of file
diff --git a/modules/virt-viewing-downward-metrics-tool.adoc b/modules/virt-viewing-downward-metrics-tool.adoc
index bfb82c855eb6..f8890092571f 100644
--- a/modules/virt-viewing-downward-metrics-tool.adoc
+++ b/modules/virt-viewing-downward-metrics-tool.adoc
@@ -8,6 +8,11 @@
 
 To view downward metrics, install the `vm-dump-metrics` tool and then use the tool to expose the metrics results.
 
+[NOTE]
+====
+On Red Hat Enterprise Linux (RHEL) 9, use the command line to view downward metrics. The vm-dump-metrics tool is not supported on the Red Hat Enterprise Linux (RHEL) 9 platform.
+====
+
 .Procedure
 
 . Install the `vm-dump-metrics` tool by running the following command:
diff --git a/modules/virt-viewing-downward-metrics.adoc b/modules/virt-viewing-downward-metrics.adoc
index 0a2ff1dddcc6..bca0bb6666f0 100644
--- a/modules/virt-viewing-downward-metrics.adoc
+++ b/modules/virt-viewing-downward-metrics.adoc
@@ -11,3 +11,7 @@ You can view downward metrics by using either of the following options:
 * The command line interface (CLI)
 * The `vm-dump-metrics` tool
 
+[NOTE]
+====
+On Red Hat Enterprise Linux (RHEL) 9, use the command line to view downward metrics. The vm-dump-metrics tool is not supported on the Red Hat Enterprise Linux (RHEL) 9 platform.
+====
\ No newline at end of file
diff --git a/modules/wmco-cluster-wide-proxy.adoc b/modules/wmco-cluster-wide-proxy.adoc
new file mode 100644
index 000000000000..f43b56d5ce64
--- /dev/null
+++ b/modules/wmco-cluster-wide-proxy.adoc
@@ -0,0 +1,21 @@
+// Module included in the following assemblies:
+//
+// windows_containers/enabling-windows-container-workloads.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="wmco-cluster-wide-proxy_{context}"]
+= Using Windows containers in a proxy-enabled cluster
+
+The Windows Machine Config Operator (WMCO) can consume and use a cluster-wide egress proxy configuration when making external requests outside the cluster’s internal network.
+
+This allows you to add Windows nodes and run workloads in a proxy-enabled cluster, allowing your Windows nodes to pull images from registries that are secured behind your proxy server or to make
+requests to off-cluster services and services that use a custom public key infrastructure.
+
+[NOTE]
+====
+The cluster-wide proxy affects system components only, not user workloads.
+====
+
+In proxy-enabled clusters, the WMCO is aware of the `NO_PROXY`, `HTTP_PROXY`, and `HTTPS_PROXY` values that are set for the cluster. The WMCO periodically checks whether the proxy environment variables have changed. If there is a discrepancy, the WMCO reconciles and updates the proxy environment variables on the Windows instances.
+
+Windows workloads created on Windows nodes in proxy-enabled clusters do not inherit proxy settings from the node by default, the same as with Linux nodes. Also, by default PowerShell sessions do not inherit proxy settings on Windows nodes in proxy-enabled clusters.
diff --git a/modules/ztp-add-local-reg-for-sno-duprofile.adoc b/modules/ztp-add-local-reg-for-sno-duprofile.adoc
index eb2655a04568..0e654d61c23c 100644
--- a/modules/ztp-add-local-reg-for-sno-duprofile.adoc
+++ b/modules/ztp-add-local-reg-for-sno-duprofile.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
-// * scalability_and_performance/ztp_far_edge/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policygenerator-config.adoc
 
 :_module-type: CONCEPT
 [id="ztp-add-local-reg-for-sno-duprofile_{context}"]
@@ -11,7 +12,7 @@
 Long download times are unavoidable during initial deployment. Over time, there is a risk that CRI-O will erase the `/var/lib/containers/storage` directory in the case of an unexpected shutdown.
 To address long image download times, you can create a local image registry on remote managed clusters using {ztp-first}. This is useful in Edge computing scenarios where clusters are deployed at the far edge of the network.
 
-Before you can set up the local image registry with {ztp}, you need to configure disk partitioning in the `SiteConfig` CR that you use to install the remote managed cluster. After installation, you configure the local image registry using a `PolicyGenTemplate` CR. Then, the {ztp} pipeline creates Persistent Volume (PV) and Persistent Volume Claim (PVC) CRs and patches the `imageregistry` configuration.
+Before you can set up the local image registry with {ztp}, you need to configure disk partitioning in the `SiteConfig` CR that you use to install the remote managed cluster. After installation, you configure the local image registry using a `{policy-gen-cr}` CR. Then, the {ztp} pipeline creates Persistent Volume (PV) and Persistent Volume Claim (PVC) CRs and patches the `imageregistry` configuration.
 
 [NOTE]
 ====
diff --git a/modules/ztp-adding-new-content-to-gitops-ztp.adoc b/modules/ztp-adding-new-content-to-gitops-ztp.adoc
index ae45bb61cf21..5a38dbb6a2d3 100644
--- a/modules/ztp-adding-new-content-to-gitops-ztp.adoc
+++ b/modules/ztp-adding-new-content-to-gitops-ztp.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
-// * scalability_and_performance/ztp_far_edge/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policygenerator-config.adoc
 
 :_mod-docs-content-type: PROCEDURE
 
@@ -11,98 +12,29 @@ Perform the following procedure to add new content to the {ztp} pipeline.
 
 .Procedure
 
-. Create a subdirectory named `source-crs` in the directory that contains the `kustomization.yaml` file for the `PolicyGenTemplate` custom resource (CR).
+. Create a subdirectory named `source-crs` in the directory that contains the `kustomization.yaml` file for the `{policy-gen-cr}` custom resource (CR).
 
 . Add your user-provided CRs to the `source-crs` subdirectory, as shown in the following example:
 +
-[source,text]
-----
-example
-└── policygentemplates
-    ├── dev.yaml
-    ├── kustomization.yaml
-    ├── mec-edge-sno1.yaml
-    ├── sno.yaml
-    └── source-crs <1>
-        ├── PaoCatalogSource.yaml
-        ├── PaoSubscription.yaml
-        ├── custom-crs
-        |   ├── apiserver-config.yaml
-        |   └── disable-nic-lldp.yaml
-        └── elasticsearch
-            ├── ElasticsearchNS.yaml
-            └── ElasticsearchOperatorGroup.yaml
-----
-<1> The `source-crs` subdirectory must be in the same directory as the `kustomization.yaml` file.
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-ztp-adding-new-content-to-gitops-ztp-folder-structure.adoc[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-ztp-adding-new-content-to-gitops-ztp-folder-structure.adoc[]
+endif::[]
 
-. Update the required `PolicyGenTemplate` CRs to include references to the content you added in the `source-crs/custom-crs` and `source-crs/elasticsearch` directories. For example:
+. Update the required `{policy-gen-cr}` CRs to include references to the content you added in the `source-crs/custom-crs` and `source-crs/elasticsearch` directories. For example:
 +
-[source,yaml]
-----
-apiVersion: ran.openshift.io/v1
-kind: PolicyGenTemplate
-metadata:
-  name: "group-dev"
-  namespace: "ztp-clusters"
-spec:
-  bindingRules:
-    dev: "true"
-  mcp: "master"
-  sourceFiles:
-    # These policies/CRs come from the internal container Image
-    #Cluster Logging
-    - fileName: ClusterLogNS.yaml
-      remediationAction: inform
-      policyName: "group-dev-cluster-log-ns"
-    - fileName: ClusterLogOperGroup.yaml
-      remediationAction: inform
-      policyName: "group-dev-cluster-log-operator-group"
-    - fileName: ClusterLogSubscription.yaml
-      remediationAction: inform
-      policyName: "group-dev-cluster-log-sub"
-    #Local Storage Operator
-    - fileName: StorageNS.yaml
-      remediationAction: inform
-      policyName: "group-dev-lso-ns"
-    - fileName: StorageOperGroup.yaml
-      remediationAction: inform
-      policyName: "group-dev-lso-operator-group"
-    - fileName: StorageSubscription.yaml
-      remediationAction: inform
-      policyName: "group-dev-lso-sub"
-    #These are custom local polices that come from the source-crs directory in the git repo
-    # Performance Addon Operator
-    - fileName: PaoSubscriptionNS.yaml
-      remediationAction: inform
-      policyName: "group-dev-pao-ns"
-    - fileName: PaoSubscriptionCatalogSource.yaml
-      remediationAction: inform
-      policyName: "group-dev-pao-cat-source"
-      spec:
-        image: <image_URL_here>
-    - fileName: PaoSubscription.yaml
-      remediationAction: inform
-      policyName: "group-dev-pao-sub"
-    #Elasticsearch Operator
-    - fileName: elasticsearch/ElasticsearchNS.yaml <1>
-      remediationAction: inform
-      policyName: "group-dev-elasticsearch-ns"
-    - fileName: elasticsearch/ElasticsearchOperatorGroup.yaml
-      remediationAction: inform
-      policyName: "group-dev-elasticsearch-operator-group"
-    #Custom Resources
-    - fileName: custom-crs/apiserver-config.yaml <1>
-      remediationAction: inform
-      policyName: "group-dev-apiserver-config"
-    - fileName: custom-crs/disable-nic-lldp.yaml
-      remediationAction: inform
-      policyName: "group-dev-disable-nic-lldp"
-----
-<1> Set `fileName` to include the relative path to the file from the `/source-crs` parent directory.
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-ztp-adding-new-content-to-gitops-ztp.adoc[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-ztp-adding-new-content-to-gitops-ztp.adoc[]
+endif::[]
 
-. Commit the `PolicyGenTemplate` change in Git, and then push to the Git repository that is monitored by the GitOps ZTP Argo CD policies application.
+. Commit the `{policy-gen-cr}` change in Git, and then push to the Git repository that is monitored by the GitOps ZTP Argo CD policies application.
 
-. Update the `ClusterGroupUpgrade` CR to include the changed `PolicyGenTemplate` and save it as `cgu-test.yaml`. The following example shows a generated `cgu-test.yaml` file.
+. Update the `ClusterGroupUpgrade` CR to include the changed `{policy-gen-cr}` and save it as `cgu-test.yaml`. The following example shows a generated `cgu-test.yaml` file.
 +
 [source,yaml]
 ----
diff --git a/modules/ztp-comparing-pgt-and-rhacm-pg-patching-strategies.adoc b/modules/ztp-comparing-pgt-and-rhacm-pg-patching-strategies.adoc
new file mode 100644
index 000000000000..5d09fc95d2c3
--- /dev/null
+++ b/modules/ztp-comparing-pgt-and-rhacm-pg-patching-strategies.adoc
@@ -0,0 +1,49 @@
+// Module included in the following assemblies:
+//
+// * edge_computing/ztp-configuring-managed-clusters-policygenerator.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="ztp-comparing-pgt-and-rhacm-pg-patching-strategies_{context}"]
+= Comparing {rh-rhacm} PolicyGenerator and PolicyGenTemplate resource patching
+
+`PolicyGenerator` custom resources (CRs) and `PolicyGenTemplate` CRs can be used in {ztp} to generate {rh-rhacm} policies for managed clusters.
+
+There are advantages to using `PolicyGenerator` CRs over `PolicyGenTemplate` CRs when it comes to patching {product-title} resources with {ztp}.
+Using the {rh-rhacm} `PolicyGenerator` API provides a generic way of patching resources which is not possible with `PolicyGenTemplate` resources.
+
+The `PolicyGenerator` API is a part of the link:https://open-cluster-management.io/[Open Cluster Management] standard, while the `PolicyGenTemplate` API is not.
+A comparison of `PolicyGenerator` and `PolicyGenTemplate` resource patching and placement strategies are described in the following table.
+
+include::snippets/pgt-deprecation-notice.adoc[]
+
+.Comparison of {rh-rhacm} PolicyGenerator and PolicyGenTemplate patching
+[cols="1,2", width="90%", options="header"]
+|====
+|PolicyGenerator patching
+|PolicyGenTemplate patching
+
+|Uses Kustomize strategic merges for merging resources.
+For more information see link:https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustomization/[Declarative Management of Kubernetes Objects Using Kustomize].
+|Works by replacing variables with their values as defined by the patch.
+This is less flexible than Kustomize merge strategies.
+
+|Supports `ManagedClusterSet` and `Binding` resources.
+|Does not support `ManagedClusterSet` and `Binding` resources.
+
+|Relies only on patching, no embedded variable substitution is required.
+|Overwrites variable values defined in the patch.
+
+|Does not support merging lists in merge patches.
+Replacing a list in a merge patch is supported.
+|Merging and replacing lists is supported in a limited fashion - you can only merge one object in the list.
+
+|Does not currently support the link:https://spec.openapis.org/oas/latest.html[OpenAPI specification] for resource patching.
+This means that additional directives are required in the patch to merge content that does not follow a schema, for example, `PtpConfig` resources.
+|Works by replacing fields and values with values as defined by the patch.
+
+|Requires additional directives, for example, `$patch: replace` in the patch to merge content that does not follow a schema.
+|Substitutes fields and values defined in the source CR with values defined in the patch, for example `$name`.
+
+|Can patch the `Name` and `Namespace` fields defined in the reference source CR, but only if the CR file has a single object.
+|Can patch the `Name` and `Namespace` fields defined in the reference source CR.
+|====
diff --git a/modules/ztp-configuring-cluster-policies.adoc b/modules/ztp-configuring-cluster-policies.adoc
index a91bd57f3d3e..b0c8066ec802 100644
--- a/modules/ztp-configuring-cluster-policies.adoc
+++ b/modules/ztp-configuring-cluster-policies.adoc
@@ -42,10 +42,10 @@ The following recommended structuring of policies combines configuration CRs to
 |Description
 
 |Common
-|A policy that exists in the common category is applied to all clusters in the fleet. Use common `PolicyGenTemplate` CRs to apply common installation settings across all cluster types.
+|A policy that exists in the common category is applied to all clusters in the fleet. Use common `{policy-gen-cr}` CRs to apply common installation settings across all cluster types.
 
 |Groups
-|A policy that exists in the groups category is applied to a group of clusters in the fleet. Use group `PolicyGenTemplate` CRs to manage specific aspects of single-node, three-node, and standard cluster installations. Cluster groups can also follow geographic region, hardware variant, etc.
+|A policy that exists in the groups category is applied to a group of clusters in the fleet. Use group `{policy-gen-cr}` CRs to manage specific aspects of single-node, three-node, and standard cluster installations. Cluster groups can also follow geographic region, hardware variant, etc.
 
 |Sites
 |A policy that exists in the sites category is applied to a specific cluster site. Any cluster
diff --git a/modules/ztp-configuring-disk-partitioning.adoc b/modules/ztp-configuring-disk-partitioning.adoc
index 19f0557170ed..37ec8f24cab3 100644
--- a/modules/ztp-configuring-disk-partitioning.adoc
+++ b/modules/ztp-configuring-disk-partitioning.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
-// * scalability_and_performance/ztp_far_edge/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policygenerator-config.adoc
 
 :_module-type: PROCEDURE
 [id="ztp-configuring-disk-partitioning_{context}"]
@@ -8,39 +9,195 @@
 
 Configure disk partitioning for a managed cluster using a `SiteConfig` CR and {ztp-first}. The  disk partition details in the `SiteConfig` CR must match the underlying disk.
 
-[NOTE]
+[IMPORTANT]
 ====
-Use persistent naming for devices to avoid device names such as `/dev/sda` and `/dev/sdb` being switched at every reboot. You can use `rootDeviceHints` to choose the bootable device and then use same device for further partitioning.
+You must complete this procedure at installation time.
 ====
 
 .Prerequisites
 
-* You have installed the OpenShift CLI (`oc`).
+* Install Butane.
 
-* You have logged in to the hub cluster as a user with `cluster-admin` privileges.
+.Procedure
 
-* You have created a Git repository where you manage your custom site configuration data for use with {ztp-first}.
+. Create the `storage.bu` file.
++
+[source,yaml]
+----
+variant: fcos
+version: 1.3.0
+storage:
+  disks:
+  - device: /dev/disk/by-path/pci-0000:01:00.0-scsi-0:2:0:0 <1>
+    wipe_table: false
+    partitions:
+    - label: var-lib-containers
+      start_mib: <start_of_partition> <2>
+      size_mib: <partition_size> <3>
+  filesystems:
+    - path: /var/lib/containers
+      device: /dev/disk/by-partlabel/var-lib-containers
+      format: xfs
+      wipe_filesystem: true
+      with_mount_unit: true
+      mount_options:
+        - defaults
+        - prjquota
+----
+<1> Specify the root disk.
+<2> Specify the start of the partition in MiB. If the value is too small, the installation fails.
+<3> Specify the size of the partition. If the value is too small, the deployments fails.
 
-.Procedure
+. Convert the `storage.bu` to an Ignition file by running the following command:
++
+--
+[source,terminal]
+----
+$ butane storage.bu
+----
 
-. Add the following YAML that describes the host disk partitioning to the `SiteConfig` CR that you use to install the managed cluster:
+.Example output
+[source,terminal]
+----
+{"ignition":{"version":"3.2.0"},"storage":{"disks":[{"device":"/dev/disk/by-path/pci-0000:01:00.0-scsi-0:2:0:0","partitions":[{"label":"var-lib-containers","sizeMiB":0,"startMiB":250000}],"wipeTable":false}],"filesystems":[{"device":"/dev/disk/by-partlabel/var-lib-containers","format":"xfs","mountOptions":["defaults","prjquota"],"path":"/var/lib/containers","wipeFilesystem":true}]},"systemd":{"units":[{"contents":"# # Generated by Butane\n[Unit]\nRequires=systemd-fsck@dev-disk-by\\x2dpartlabel-var\\x2dlib\\x2dcontainers.service\nAfter=systemd-fsck@dev-disk-by\\x2dpartlabel-var\\x2dlib\\x2dcontainers.service\n\n[Mount]\nWhere=/var/lib/containers\nWhat=/dev/disk/by-partlabel/var-lib-containers\nType=xfs\nOptions=defaults,prjquota\n\n[Install]\nRequiredBy=local-fs.target","enabled":true,"name":"var-lib-containers.mount"}]}}
+----
+--
+
+. Use a tool such as link:https://jsonformatter.org/json-pretty-print[JSON Pretty Print] to convert the output into JSON format. 
+
+. Copy the output into the `.spec.clusters.nodes.ignitionConfigOverride` field in the `SiteConfig` CR.
 +
+.Example
 [source,yaml]
 ----
-nodes:
-    rootDeviceHints:
-      wwn: "0x62cea7f05c98c2002708a0a22ff480ea"
-    diskPartition:
-      - device: /dev/disk/by-id/wwn-0x62cea7f05c98c2002708a0a22ff480ea <1>
-        partitions:
-          - mount_point: /var/imageregistry
-            size: 102500 <2>
-            start: 344844 <3>
+[...]
+spec:
+  clusters:
+    - nodes:
+        - ignitionConfigOverride: |
+          {
+            "ignition": {
+              "version": "3.2.0"
+            },
+            "storage": {
+              "disks": [
+                {
+                  "device": "/dev/disk/by-path/pci-0000:01:00.0-scsi-0:2:0:0",
+                  "partitions": [
+                    {
+                      "label": "var-lib-containers",
+                      "sizeMiB": 0,
+                      "startMiB": 250000
+                    }
+                  ],
+                  "wipeTable": false
+                }
+              ],
+              "filesystems": [
+                {
+                  "device": "/dev/disk/by-partlabel/var-lib-containers",
+                  "format": "xfs",
+                  "mountOptions": [
+                    "defaults",
+                    "prjquota"
+                  ],
+                  "path": "/var/lib/containers",
+                  "wipeFilesystem": true
+                }
+              ]
+            },
+            "systemd": {
+              "units": [
+                {
+                  "contents": "# # Generated by Butane\n[Unit]\nRequires=systemd-fsck@dev-disk-by\\x2dpartlabel-var\\x2dlib\\x2dcontainers.service\nAfter=systemd-fsck@dev-disk-by\\x2dpartlabel-var\\x2dlib\\x2dcontainers.service\n\n[Mount]\nWhere=/var/lib/containers\nWhat=/dev/disk/by-partlabel/var-lib-containers\nType=xfs\nOptions=defaults,prjquota\n\n[Install]\nRequiredBy=local-fs.target",
+                  "enabled": true,
+                  "name": "var-lib-containers.mount"
+                }
+              ]
+            }
+          }   
+[...]
+----
++
+[NOTE]
+====
+If the `.spec.clusters.nodes.ignitionConfigOverride` field does not exist, create it.  
+====
+
+.Verification
+
+.  During or after installation, verify on the hub cluster that the `BareMetalHost` object shows the annotation by running the following command:
++
+--
+[source,terminal]
+----
+$ oc get bmh -n my-sno-ns my-sno -ojson | jq '.metadata.annotations["bmac.agent-install.openshift.io/ignition-config-overrides"]
 ----
-<1> This setting depends on the hardware. The setting can be a serial number or device name. The value must match the value set for `rootDeviceHints`.
-<2> The minimum value for `size` is 102500 MiB.
-<3> The minimum value for `start` is 25000 MiB. The total value of `size` and `start` must not exceed the disk size, or the installation will fail.
 
-. Save the `SiteConfig` CR and push it to the site configuration repo.
+.Example output
+[source,terminal]
+----
+"{\"ignition\":{\"version\":\"3.2.0\"},\"storage\":{\"disks\":[{\"device\":\"/dev/disk/by-id/wwn-0x6b07b250ebb9d0002a33509f24af1f62\",\"partitions\":[{\"label\":\"var-lib-containers\",\"sizeMiB\":0,\"startMiB\":250000}],\"wipeTable\":false}],\"filesystems\":[{\"device\":\"/dev/disk/by-partlabel/var-lib-containers\",\"format\":\"xfs\",\"mountOptions\":[\"defaults\",\"prjquota\"],\"path\":\"/var/lib/containers\",\"wipeFilesystem\":true}]},\"systemd\":{\"units\":[{\"contents\":\"# Generated by Butane\\n[Unit]\\nRequires=systemd-fsck@dev-disk-by\\\\x2dpartlabel-var\\\\x2dlib\\\\x2dcontainers.service\\nAfter=systemd-fsck@dev-disk-by\\\\x2dpartlabel-var\\\\x2dlib\\\\x2dcontainers.service\\n\\n[Mount]\\nWhere=/var/lib/containers\\nWhat=/dev/disk/by-partlabel/var-lib-containers\\nType=xfs\\nOptions=defaults,prjquota\\n\\n[Install]\\nRequiredBy=local-fs.target\",\"enabled\":true,\"name\":\"var-lib-containers.mount\"}]}}"
+----
+--
+
+. After installation, check the {sno} disk status. 
+
+.. Enter into a debug session on the {sno} node by running the following command. This step instantiates a debug pod called `<node_name>-debug`:
++
+[source,terminal]
+----
+$ oc debug node/my-sno-node
+----
+
+.. Set `/host` as the root directory within the debug shell by running the following command. The debug pod mounts the host’s root file system in `/host` within the pod. By changing the root directory to `/host`, you can run binaries contained in the host’s executable paths:
++
+[source,terminal]
+----
+# chroot /host
+----
 
-The {ztp} pipeline provisions the cluster using the `SiteConfig` CR and configures the disk partition.
+.. List information about all available block devices by running the following command:
++
+[source,terminal]
+----
+# lsblk
+----
++
+.Example output
+[source,terminal]
+----
+NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
+sda      8:0    0 446.6G  0 disk
+├─sda1   8:1    0     1M  0 part
+├─sda2   8:2    0   127M  0 part
+├─sda3   8:3    0   384M  0 part /boot
+├─sda4   8:4    0 243.6G  0 part /var
+│                                /sysroot/ostree/deploy/rhcos/var
+│                                /usr
+│                                /etc
+│                                /
+│                                /sysroot
+└─sda5   8:5    0 202.5G  0 part /var/lib/containers
+----
+
+.. Display information about the file system disk space usage by running the following command:
++
+[source,terminal]
+----
+# df -h
+----
++
+.Example output
+[source,terminal]
+----
+Filesystem      Size  Used Avail Use% Mounted on
+devtmpfs        4.0M     0  4.0M   0% /dev
+tmpfs           126G   84K  126G   1% /dev/shm
+tmpfs            51G   93M   51G   1% /run
+/dev/sda4       244G  5.2G  239G   3% /sysroot
+tmpfs           126G  4.0K  126G   1% /tmp
+/dev/sda5       203G  119G   85G  59% /var/lib/containers
+/dev/sda3       350M  110M  218M  34% /boot
+tmpfs            26G     0   26G   0% /run/user/1000
+----
\ No newline at end of file
diff --git a/modules/ztp-configuring-hwevents-using-pgt.adoc b/modules/ztp-configuring-hwevents-using-pgt.adoc
index 558e9d6cd455..8802884f51e6 100644
--- a/modules/ztp-configuring-hwevents-using-pgt.adoc
+++ b/modules/ztp-configuring-hwevents-using-pgt.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
-// * scalability_and_performance/ztp_far_edge/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policygenerator-config.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="ztp-creating-hwevents_{context}"]
@@ -18,31 +19,26 @@ You can configure bare-metal events that use HTTP transport on managed clusters
 
 .Procedure
 
-. Configure the {redfish-operator} Operator by adding the following YAML to `spec.sourceFiles` in the `common-ranGen.yaml` file:
+. Configure the {redfish-operator} Operator by adding the following YAML to `{rangen-yaml-path}` in the `{policy-prefix}common-ranGen.yaml` file:
 +
 [source,yaml]
 ----
-# Bare Metal Event Relay operator
-- fileName: BareMetalEventRelaySubscriptionNS.yaml
-  policyName: "subscriptions-policy"
-- fileName: BareMetalEventRelaySubscriptionOperGroup.yaml
-  policyName: "subscriptions-policy"
-- fileName: BareMetalEventRelaySubscription.yaml
-  policyName: "subscriptions-policy"
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-ztp-configuring-hwevents-using-pgt.yaml[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-ztp-configuring-hwevents.yaml[]
+endif::[]
 ----
 
-. Add the `HardwareEvent` CR to `spec.sourceFiles` in your specific group configuration file, for example, in the `group-du-sno-ranGen.yaml` file:
+. Add the `HardwareEvent` CR to `{rangen-yaml-path}` in your specific group configuration file, for example, in the `{policy-prefix}group-du-sno-ranGen.yaml` file:
 +
-[source,yaml]
-----
-- fileName: HardwareEvent.yaml <1>
-  policyName: "config-policy"
-  spec:
-    nodeSelector: {}
-    transportHost: "http://hw-event-publisher-service.openshift-bare-metal-events.svc.cluster.local:9043"
-    logLevel: "info"
-----
-<1> Each baseboard management controller (BMC) requires a single `HardwareEvent` CR only.
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-ztp-configuring-hwevents-using-pgt-hardware-event.adoc[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-ztp-configuring-hwevents-using-pgt-hardware-event.adoc[]
+endif::[]
 +
 [NOTE]
 ====
diff --git a/modules/ztp-configuring-ipsec-using-ztp-and-siteconfig.adoc b/modules/ztp-configuring-ipsec-using-ztp-and-siteconfig.adoc
new file mode 100644
index 000000000000..68fda5157981
--- /dev/null
+++ b/modules/ztp-configuring-ipsec-using-ztp-and-siteconfig.adoc
@@ -0,0 +1,213 @@
+// Module included in the following assemblies:
+//
+// * scalability_and_performance/ztp_far_edge/ztp-advanced-install-ztp.adoc
+
+:_module-type: PROCEDURE
+[id="ztp-configuring-ipsec-using-ztp-and-siteconfig_{context}"]
+= Configuring IPsec encryption for {sno} clusters using {ztp} and SiteConfig resources
+
+You can enable IPsec encryption in managed {sno} clusters that you install using {ztp} and {rh-rhacm-first}.
+You can encrypt external traffic between pods and IPsec endpoints external to the managed cluster. All pod-to-pod network traffic between nodes on the OVN-Kubernetes cluster network is encrypted with IPsec in Transport mode.
+
+[NOTE]
+====
+In {product-title} {product-version}, deploying IPsec encryption by using {ztp} and {rh-rhacm} is validated for {sno} clusters only.
+
+The {ztp} IPsec implementation assumes you are deploying to a resource constrained platform.
+As such, you install the feature with a single `MachineConfig` CR only, and you do not need to install the NMState Operator on the {sno} cluster as a prerequisite.
+====
+
+.Prerequisites
+
+* You have installed the OpenShift CLI (`oc`).
+
+* You have logged in to the hub cluster as a user with `cluster-admin` privileges.
+
+* You have configured {rh-rhacm} and the hub cluster for generating the required installation and policy custom resources (CRs) for managed clusters.
+
+* You have created a Git repository where you manage your custom site configuration data.
+The repository must be accessible from the hub cluster and be defined as a source repository for the Argo CD application.
+
+* You have installed the `butane` utility, version 0.20.0 or higher.
+
+* You have a PKCS#12 certificate for the IPsec endpoint and a CA cert in PEM format.
+
+.Procedure
+
+. Extract the latest version of the `ztp-site-generate` container source and merge it with your repository where you manage your custom site configuration data.
+
+. Configure `optional-extra-manifest/ipsec/ipsec-endpoint-config.yaml` with the required values that configure IPsec in the cluster. For example:
++
+[source,yaml]
+----
+interfaces:
+- name: hosta_conn
+  type: ipsec
+  libreswan:
+    left: <cluster_node> <1>
+    leftid: '%fromcert'
+    leftmodecfgclient: false
+    leftcert: <left_cert> <2>
+    leftrsasigkey: '%cert'
+    right: <external_host> <3>
+    rightid: '%fromcert'
+    rightrsasigkey: '%cert'
+    rightsubnet: <external_address> <4>
+    ikev2: insist <5>
+    type: tunnel
+----
+<1> Replace `<cluster_node>` with the IP address or DNS hostname of the cluster node for the cluster-side IPsec tunnel.
+<2> Replace `<left_cert>` with the IPsec certificate nickname.
+<3> Replace `<external_host>` with the external host IP address or DNS hostname.
+<4> Replace `<external_address>` with the IP address or subnet of the external host on the other side of the IPsec tunnel.
+<5> Use the IKEv2 VPN encryption protocol only. Do not use IKEv1, which is deprecated.
+
+. Add your `ca.pem` and `left_server.p12` certificates to the `optional-extra-manifest/ipsec` folder.
+The certificate files are required for the Network Security Services (NSS) database on each host. These files are imported as part of the Butane configuration in later steps.
+
+.. `left_server.p12`: The certificate bundle for the IPsec endpoints
+
+.. `ca.pem`: The certificate authority that you signed your certificates with
+
+. Open a shell prompt at the `optional-extra-manifest/ipsec` folder of the Git repository where you maintain your custom site configuration data.
+
+. Run the `optional-extra-manifest/ipsec/build.sh` script to generate the required Butane and `MachineConfig` CRs files.
++
+.Example output
+[source,terminal]
+----
+out
+ └── argocd
+      └── example
+           └── optional-extra-manifest
+                └── ipsec
+                     ├── 99-ipsec-master-endpoint-config.bu <1>
+                     ├── 99-ipsec-master-endpoint-config.yaml
+                     ├── 99-ipsec-worker-endpoint-config.bu
+                     ├── 99-ipsec-worker-endpoint-config.yaml
+                     ├── build.sh
+                     ├── ca.pem <2>
+                     ├── left_server.p12
+                     ├── enable-ipsec.yaml
+                     ├── ipsec-endpoint-config.yml
+                     └── README.md
+----
+<1> The `ipsec/build.sh` script generates the Butane and endpoint configuration CRs.
+<2> You provide `ca.pem` and `left_server.p12` certificate files that are relevant to your network.
+
+. Create a `custom-manifest/` folder in the repository where you manage your custom site configuration data.
+Add the `enable-ipsec.yaml` and `99-ipsec-*` YAML files to the directory.
+For example:
++
+[source,terminal]
+----
+siteconfig
+  ├── site1-sno-du.yaml
+  ├── extra-manifest/
+  └── custom-manifest
+        ├── enable-ipsec.yaml
+        ├── 99-ipsec-worker-endpoint-config.yaml
+        └── 99-ipsec-master-endpoint-config.yaml
+----
+
+. In your `SiteConfig` CR, add the `custom-manifest/` directory to the `extraManifests.searchPaths` field.
+For example:
++
+[source,yaml]
+----
+clusters:
+- clusterName: "site1-sno-du"
+  networkType: "OVNKubernetes"
+  extraManifests:
+    searchPaths:
+      - extra-manifest/
+      - custom-manifest/
+----
+
+. Commit the `SiteConfig` CR changes and updated files in your Git repository and push the changes to provision the managed cluster and configure IPsec encryption.
++
+The Argo CD pipeline detects the changes and begins the managed cluster deployment.
++
+During cluster provisioning, the {ztp} pipeline appends the CRs in the `/custom-manifest` directory to the default set of extra manifests stored in `extra-manifest/`.
+
+.Verification
+
+To verify that the IPsec encryption is successfully applied in the managed {sno} cluster, perform the following steps:
+
+. Start a debug pod for the managed cluster by running the following command:
++
+[source,terminal]
+----
+$ oc debug node/<node_name>
+----
+
+. Check that the IPsec policy is applied in the cluster node:
++
+[source,terminal]
+----
+sh-5.1# ip xfrm policy
+----
++
+.Example output
+[source,terminal]
+----
+src 172.16.123.0/24 dst 10.1.232.10/32
+  dir out priority 1757377 ptype main
+  tmpl src 10.1.28.190 dst 10.1.232.10
+    proto esp reqid 16393 mode tunnel
+src 10.1.232.10/32 dst 172.16.123.0/24
+  dir fwd priority 1757377 ptype main
+  tmpl src 10.1.232.10 dst 10.1.28.190
+    proto esp reqid 16393 mode tunnel
+src 10.1.232.10/32 dst 172.16.123.0/24
+  dir in priority 1757377 ptype main
+  tmpl src 10.1.232.10 dst 10.1.28.190
+    proto esp reqid 16393 mode tunnel
+----
+
+. Check that the IPsec tunnel is up and connected:
++
+[source,terminal]
+----
+sh-5.1# ip xfrm state
+----
++
+.Example output
+[source,terminal]
+----
+src 10.1.232.10 dst 10.1.28.190
+  proto esp spi 0xa62a05aa reqid 16393 mode tunnel
+  replay-window 0 flag af-unspec esn
+  auth-trunc hmac(sha1) 0x8c59f680c8ea1e667b665d8424e2ab749cec12dc 96
+  enc cbc(aes) 0x2818a489fe84929c8ab72907e9ce2f0eac6f16f2258bd22240f4087e0326badb
+  anti-replay esn context:
+   seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0
+   replay_window 128, bitmap-length 4
+   00000000 00000000 00000000 00000000
+src 10.1.28.190 dst 10.1.232.10
+  proto esp spi 0x8e96e9f9 reqid 16393 mode tunnel
+  replay-window 0 flag af-unspec esn
+  auth-trunc hmac(sha1) 0xd960ddc0a6baaccb343396a51295e08cfd8aaddd 96
+  enc cbc(aes) 0x0273c02e05b4216d5e652de3fc9b3528fea94648bc2b88fa01139fdf0beb27ab
+  anti-replay esn context:
+   seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0
+   replay_window 128, bitmap-length 4
+   00000000 00000000 00000000 00000000
+----
+
+. Ping a known IP in the external host subnet.
+For example, ping an IP in the `rightsubnet` range that you set in `ipsec/ipsec-endpoint-config.yaml`:
++
+[source,terminal]
+----
+sh-5.1# ping 172.16.110.8
+----
++
+.Example output
+[source,terminal]
+----
+sh-5.1# ping 172.16.110.8
+PING 172.16.110.8 (172.16.110.8) 56(84) bytes of data.
+64 bytes from 172.16.110.8: icmp_seq=1 ttl=64 time=153 ms
+64 bytes from 172.16.110.8: icmp_seq=2 ttl=64 time=155 ms
+----
diff --git a/modules/ztp-configuring-pgt-compliance-eval-timeouts.adoc b/modules/ztp-configuring-pgt-compliance-eval-timeouts.adoc
index 48493e707d97..b5b485199325 100644
--- a/modules/ztp-configuring-pgt-compliance-eval-timeouts.adoc
+++ b/modules/ztp-configuring-pgt-compliance-eval-timeouts.adoc
@@ -1,14 +1,15 @@
 // Module included in the following assemblies:
 //
-// * scalability_and_performance/ztp_far_edge/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policygenerator-config.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="ztp-configuring-pgt-compliance-eval-timeouts_{context}"]
-= Configuring policy compliance evaluation timeouts for PolicyGenTemplate CRs
+= Configuring policy compliance evaluation timeouts for {policy-gen-cr} CRs
 
 Use {rh-rhacm-first} installed on a hub cluster to monitor and report on whether your managed clusters are compliant with applied policies. {rh-rhacm} uses policy templates to apply predefined policy controllers and policies. Policy controllers are Kubernetes custom resource definition (CRD) instances.
 
-You can override the default policy evaluation intervals with `PolicyGenTemplate` custom resources (CRs). You configure duration settings that define how long a `ConfigurationPolicy` CR can be in a state of policy compliance or non-compliance before {rh-rhacm} re-evaluates the applied cluster policies.
+You can override the default policy evaluation intervals with `{policy-gen-cr}` custom resources (CRs). You configure duration settings that define how long a `ConfigurationPolicy` CR can be in a state of policy compliance or non-compliance before {rh-rhacm} re-evaluates the applied cluster policies.
 
 The {ztp-first} policy generator generates `ConfigurationPolicy` CR policies with pre-defined policy evaluation intervals. The default value for the `noncompliant` state is 10 seconds. The default value for the `compliant` state is 10 minutes. To disable the evaluation interval, set the value to `never`.
 
@@ -22,30 +23,56 @@ The {ztp-first} policy generator generates `ConfigurationPolicy` CR policies wit
 
 .Procedure
 
-. To configure the evaluation interval for all policies in a `PolicyGenTemplate` CR, add `evaluationInterval` to the `spec` field, and then set the appropriate `compliant` and `noncompliant` values. For example:
+. To configure the evaluation interval for all policies in a `{policy-gen-cr}` CR, set appropriate `compliant` and `noncompliant` values for the `evaluationInterval` field.
+For example:
 +
 [source,yaml]
 ----
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
 spec:
   evaluationInterval:
     compliant: 30m
     noncompliant: 20s
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+policyDefaults:
+  evaluationInterval:
+    compliant: 30m
+    noncompliant: 45s
+endif::[]
 ----
++
+[NOTE]
+====
+You can also set `compliant` and `noncompliant` fields to `never` to stop evaluating the policy after it reaches particular compliance state.
+====
 
-. To configure the evaluation interval for the `spec.sourceFiles` object in a `PolicyGenTemplate` CR, add `evaluationInterval` to the `sourceFiles` field, for example:
+. To configure the evaluation interval for an individual policy object in a `{policy-gen-cr}` CR, add the `evaluationInterval` field and set appropriate values.
+For example:
 +
 [source,yaml]
 ----
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
 spec:
   sourceFiles:
-   - fileName: SriovSubscription.yaml
-     policyName: "sriov-sub-policy"
-     evaluationInterval:
-       compliant: never
-       noncompliant: 10s
+    - fileName: SriovSubscription.yaml
+      policyName: "sriov-sub-policy"
+      evaluationInterval:
+        compliant: never
+        noncompliant: 10s
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+policies:
+  - name: "sriov-sub-policy"
+    manifests:
+      - path: "SriovSubscription.yaml"
+        evaluationInterval:
+          compliant: never
+          noncompliant: 10s
+endif::[]
 ----
 
-. Commit the `PolicyGenTemplate` CRs files in the Git repository and push your changes.
+. Commit the `{policy-gen-cr}` CRs files in the Git repository and push your changes.
 
 .Verification
 
diff --git a/modules/ztp-configuring-pgt-image-registry.adoc b/modules/ztp-configuring-pgt-image-registry.adoc
index d92ebe02c749..1c8315413070 100644
--- a/modules/ztp-configuring-pgt-image-registry.adoc
+++ b/modules/ztp-configuring-pgt-image-registry.adoc
@@ -1,12 +1,13 @@
 // Module included in the following assemblies:
 //
-// * scalability_and_performance/ztp_far_edge/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policygenerator-config.adoc
 
 :_module-type: PROCEDURE
 [id="ztp-configuring-pgt-image-registry_{context}"]
-= Configuring the image registry using PolicyGenTemplate CRs
+= Configuring the image registry using {policy-gen-cr} CRs
 
-Use `PolicyGenTemplate` (PGT) CRs to apply the CRs required to configure the image registry and patch the `imageregistry` configuration.
+Use `{policy-gen-cr}` (PGT) CRs to apply the CRs required to configure the image registry and patch the `imageregistry` configuration.
 
 .Prerequisites
 
@@ -20,7 +21,7 @@ Use `PolicyGenTemplate` (PGT) CRs to apply the CRs required to configure the ima
 
 .Procedure
 
-. Configure the storage class, persistent volume claim, persistent volume, and image registry configuration in the appropriate `PolicyGenTemplate` CR. For example, to configure an individual site, add the following YAML to the file `example-sno-site.yaml`:
+. Configure the storage class, persistent volume claim, persistent volume, and image registry configuration in the appropriate `{policy-gen-cr}` CR. For example, to configure an individual site, add the following YAML to the file `{policy-prefix}example-sno-site.yaml`:
 +
 [source,yaml]
 ----
@@ -74,7 +75,7 @@ sourceFiles:
 Do not set `complianceType: mustonlyhave` for the `- fileName: ImageRegistryConfig.yaml` configuration. This can cause the registry pod deployment to fail.
 ====
 
-. Commit the `PolicyGenTemplate` change in Git, and then push to the Git repository being monitored by the {ztp} ArgoCD application.
+. Commit the `{policy-gen-cr}` change in Git, and then push to the Git repository being monitored by the {ztp} ArgoCD application.
 
 .Verification
 
diff --git a/modules/ztp-configuring-ptp-fast-events-amqp.adoc b/modules/ztp-configuring-ptp-fast-events-amqp.adoc
index 3bd83aacd6fb..3b448edcb3ea 100644
--- a/modules/ztp-configuring-ptp-fast-events-amqp.adoc
+++ b/modules/ztp-configuring-ptp-fast-events-amqp.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
-// * scalability_and_performance/ztp_far_edge/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policygenerator-config.adoc
 
 :_module-type: PROCEDURE
 [id="ztp-configuring-ptp-fast-events-amqp_{context}"]
@@ -20,67 +21,54 @@ include::snippets/ptp-amq-interconnect-eol.adoc[leveloffset=+1]
 
 .Procedure
 
-. Add the following YAML into `.spec.sourceFiles` in the `common-ranGen.yaml` file to configure the AMQP Operator:
+. Add the following YAML into `{rangen-yaml-path}` in the `{policy-prefix}common-ranGen.yaml` file to configure the AMQP Operator:
 +
 [source,yaml]
 ----
-#AMQ interconnect operator for fast events
-- fileName: AmqSubscriptionNS.yaml
-  policyName: "subscriptions-policy"
-- fileName: AmqSubscriptionOperGroup.yaml
-  policyName: "subscriptions-policy"
-- fileName: AmqSubscription.yaml
-  policyName: "subscriptions-policy"
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-ztp-configuring-ptp-fast-events-amqp.yaml[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-ztp-configuring-ptp-fast-events-amqp.yaml[]
+endif::[]
 ----
 
-. Apply the following `PolicyGenTemplate` changes to `group-du-3node-ranGen.yaml`, `group-du-sno-ranGen.yaml`, or `group-du-standard-ranGen.yaml` files according to your requirements:
+. Apply the following `{policy-gen-cr}` changes to `{policy-prefix}group-du-3node-ranGen.yaml`, `{policy-prefix}group-du-sno-ranGen.yaml`, or `{policy-prefix}group-du-standard-ranGen.yaml` files according to your requirements:
 
-.. In `.sourceFiles`, add the `PtpOperatorConfig` CR file that configures the AMQ transport host to the `config-policy`:
+.. In `{rangen-yaml-path}`, add the `PtpOperatorConfig` CR file that configures the AMQ transport host to the `config-policy`:
 +
 [source,yaml]
 ----
-- fileName: PtpOperatorConfigForEvent.yaml
-  policyName: "config-policy"
-  spec:
-    daemonNodeSelector: {}
-    ptpEventConfig:
-      enableEventPublisher: true
-      transportHost: "amqp://amq-router.amq-router.svc.cluster.local"
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-ztp-configuring-ptp-fast-events-amqp-transport.yaml[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-ztp-configuring-ptp-fast-events-amqp-transport.yaml[]
+endif::[]
 ----
 
-.. Configure the `linuxptp` and `phc2sys` for the PTP clock type and interface. For example, add the following stanza into `.sourceFiles`:
+.. Configure the `linuxptp` and `phc2sys` for the PTP clock type and interface. For example, add the following YAML into `{rangen-yaml-path}`:
 +
-[source,yaml]
-----
-- fileName: PtpConfigSlave.yaml <1>
-  policyName: "config-policy"
-  metadata:
-    name: "du-ptp-slave"
-  spec:
-    profile:
-    - name: "slave"
-      interface: "ens5f1" <2>
-      ptp4lOpts: "-2 -s --summary_interval -4" <3>
-      phc2sysOpts: "-a -r -m -n 24 -N 8 -R 16" <4>
-    ptpClockThreshold: <5>
-      holdOverTimeout: 30 #secs
-      maxOffsetThreshold: 100  #nano secs
-      minOffsetThreshold: -100 #nano secs
-----
-<1> Can be one `PtpConfigMaster.yaml`, `PtpConfigSlave.yaml`, or `PtpConfigSlaveCvl.yaml` depending on your requirements. `PtpConfigSlaveCvl.yaml` configures `linuxptp` services for an Intel E810 Columbiaville NIC. For configurations based on `group-du-sno-ranGen.yaml` or `group-du-3node-ranGen.yaml`, use `PtpConfigSlave.yaml`.
-<2> Device specific interface name.
-<3> You must append the `--summary_interval -4` value to `ptp4lOpts` in `.spec.sourceFiles.spec.profile` to enable PTP fast events.
-<4> Required `phc2sysOpts` values. `-m` prints messages to `stdout`. The `linuxptp-daemon` `DaemonSet` parses the logs and generates Prometheus metrics.
-<5> Optional. If the `ptpClockThreshold` stanza is not present, default values are used for the `ptpClockThreshold` fields. The stanza shows default `ptpClockThreshold` values. The `ptpClockThreshold` values configure how long after the PTP master clock is disconnected before PTP events are triggered. `holdOverTimeout` is the time value in seconds before the PTP clock event state changes to `FREERUN` when the PTP master clock is disconnected. The `maxOffsetThreshold` and `minOffsetThreshold` settings configure offset values in nanoseconds that compare against the values for `CLOCK_REALTIME` (`phc2sys`) or master offset (`ptp4l`). When the `ptp4l` or `phc2sys` offset value is outside this range, the PTP clock state is set to `FREERUN`. When the offset value is within this range, the PTP clock state is set to `LOCKED`.
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-ztp-configuring-ptp-fast-events-linuxptp.adoc[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-ztp-configuring-ptp-fast-events-linuxptp.adoc[]
+endif::[]
 
-. Apply the following `PolicyGenTemplate` changes to your specific site YAML files, for example, `example-sno-site.yaml`:
+. Apply the following `{policy-gen-cr}` changes to your specific site YAML files, for example, `{policy-prefix}example-sno-site.yaml`:
 
-.. In `.sourceFiles`, add the `Interconnect` CR file that configures the AMQ router to the `config-policy`:
+.. In `{rangen-yaml-path}`, add the `Interconnect` CR file that configures the AMQ router to the `config-policy`:
 +
 [source,yaml]
 ----
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
 - fileName: AmqInstance.yaml
   policyName: "config-policy"
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+- path: source-crs/AmqInstance.yaml
+endif::[]
 ----
 
 . Merge any other required changes and files with your custom site repository.
diff --git a/modules/ztp-configuring-ptp-fast-events.adoc b/modules/ztp-configuring-ptp-fast-events.adoc
index 50178d0c175b..5fadbe04fab9 100644
--- a/modules/ztp-configuring-ptp-fast-events.adoc
+++ b/modules/ztp-configuring-ptp-fast-events.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
-// * scalability_and_performance/ztp_far_edge/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policygenerator-config.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="ztp-configuring-ptp-fast-events_{context}"]
@@ -18,19 +19,18 @@ You can configure PTP events that use HTTP transport on managed clusters that yo
 
 .Procedure
 
-. Apply the following `PolicyGenTemplate` changes to `group-du-3node-ranGen.yaml`, `group-du-sno-ranGen.yaml`, or `group-du-standard-ranGen.yaml` files according to your requirements:
+. Apply the following `{policy-gen-cr}` changes to `{policy-prefix}group-du-3node-ranGen.yaml`, `{policy-prefix}group-du-sno-ranGen.yaml`, or `{policy-prefix}group-du-standard-ranGen.yaml` files according to your requirements:
 
-.. In `.sourceFiles`, add the `PtpOperatorConfig` CR file that configures the transport host:
+.. In `{rangen-yaml-path}`, add the `PtpOperatorConfig` CR file that configures the transport host:
 +
 [source,yaml]
 ----
-- fileName: PtpOperatorConfigForEvent.yaml
-  policyName: "config-policy"
-  spec:
-    daemonNodeSelector: {}
-    ptpEventConfig:
-      enableEventPublisher: true
-      transportHost: http://ptp-event-publisher-service-NODE_NAME.openshift-ptp.svc.cluster.local:9043
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-ztp-configuring-ptp-fast-events.yaml[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-ztp-configuring-ptp-fast-events.yaml[]
+endif::[]
 ----
 +
 [NOTE]
@@ -38,30 +38,14 @@ You can configure PTP events that use HTTP transport on managed clusters that yo
 In {product-title} 4.13 or later, you do not need to set the `transportHost` field in the `PtpOperatorConfig` resource when you use HTTP transport with PTP events.
 ====
 
-.. Configure the `linuxptp` and `phc2sys` for the PTP clock type and interface. For example, add the following stanza into `.sourceFiles`:
+.. Configure the `linuxptp` and `phc2sys` for the PTP clock type and interface. For example, add the following YAML into `{rangen-yaml-path}`:
 +
-[source,yaml]
-----
-- fileName: PtpConfigSlave.yaml <1>
-  policyName: "config-policy"
-  metadata:
-    name: "du-ptp-slave"
-  spec:
-    profile:
-    - name: "slave"
-      interface: "ens5f1" <2>
-      ptp4lOpts: "-2 -s --summary_interval -4" <3>
-      phc2sysOpts: "-a -r -m -n 24 -N 8 -R 16" <4>
-    ptpClockThreshold: <5>
-      holdOverTimeout: 30 #secs
-      maxOffsetThreshold: 100  #nano secs
-      minOffsetThreshold: -100 #nano secs
-----
-<1> Can be one of `PtpConfigMaster.yaml`, `PtpConfigSlave.yaml`, or `PtpConfigSlaveCvl.yaml` depending on your requirements. `PtpConfigSlaveCvl.yaml` configures `linuxptp` services for an Intel E810 Columbiaville NIC. For configurations based on `group-du-sno-ranGen.yaml` or `group-du-3node-ranGen.yaml`, use `PtpConfigSlave.yaml`.
-<2> Device specific interface name.
-<3> You must append the `--summary_interval -4` value to `ptp4lOpts` in `.spec.sourceFiles.spec.profile` to enable PTP fast events.
-<4> Required `phc2sysOpts` values. `-m` prints messages to `stdout`. The `linuxptp-daemon` `DaemonSet` parses the logs and generates Prometheus metrics.
-<5> Optional. If the `ptpClockThreshold` stanza is not present, default values are used for the `ptpClockThreshold` fields. The stanza shows default `ptpClockThreshold` values. The `ptpClockThreshold` values configure how long after the PTP master clock is disconnected before PTP events are triggered. `holdOverTimeout` is the time value in seconds before the PTP clock event state changes to `FREERUN` when the PTP master clock is disconnected. The `maxOffsetThreshold` and `minOffsetThreshold` settings configure offset values in nanoseconds that compare against the values for `CLOCK_REALTIME` (`phc2sys`) or master offset (`ptp4l`). When the `ptp4l` or `phc2sys` offset value is outside this range, the PTP clock state is set to `FREERUN`. When the offset value is within this range, the PTP clock state is set to `LOCKED`.
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-ztp-configuring-ptp-fast-events-linuxptp.adoc[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-ztp-configuring-ptp-fast-events-linuxptp.adoc[]
+endif::[]
 
 . Merge any other required changes and files with your custom site repository.
 
diff --git a/modules/ztp-creating-a-validator-inform-policy.adoc b/modules/ztp-creating-a-validator-inform-policy.adoc
index f9f63004f464..07cfe9270257 100644
--- a/modules/ztp-creating-a-validator-inform-policy.adoc
+++ b/modules/ztp-creating-a-validator-inform-policy.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
-// * scalability_and_performance/ztp_far_edge/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policygenerator-config.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="ztp-creating-a-validator-inform-policy_{context}"]
@@ -10,35 +11,14 @@ Create a validator inform policy that signals when the {ztp-first} installation
 
 .Procedure
 
-. Create a standalone `PolicyGenTemplate` custom resource (CR) that contains the source file
-`validatorCRs/informDuValidator.yaml`. You only need one standalone `PolicyGenTemplate` CR for each cluster type. For example, this CR applies a validator inform policy for {sno} clusters:
+. Create a standalone `{policy-gen-cr}` custom resource (CR) that contains the source file
+`validatorCRs/informDuValidator.yaml`. You only need one standalone `{policy-gen-cr}` CR for each cluster type. For example, this CR applies a validator inform policy for {sno} clusters:
 +
-.Example single-node cluster validator inform policy CR (group-du-sno-validator-ranGen.yaml)
-[source,yaml]
-----
-apiVersion: ran.openshift.io/v1
-kind: PolicyGenTemplate
-metadata:
-  name: "group-du-sno-validator" <1>
-  namespace: "ztp-group" <2>
-spec:
-  bindingRules:
-    group-du-sno: "" <3>
-  bindingExcludedRules:
-    ztp-done: "" <4>
-  mcp: "master" <5>
-  sourceFiles:
-    - fileName: validatorCRs/informDuValidator.yaml
-      remediationAction: inform <6>
-      policyName: "du-policy" <7>
-----
-<1> The name of `PolicyGenTemplates` object. This name is also used as part of the names
-for the `placementBinding`, `placementRule`, and `policy` that are created in the requested `namespace`.
-<2> This value should match the `namespace` used in the group `PolicyGenTemplates`.
-<3> The `group-du-*` label defined in `bindingRules` must exist in the `SiteConfig` files.
-<4> The label defined in `bindingExcludedRules` must be`ztp-done:`. The `ztp-done` label is used in coordination with the {cgu-operator-full}.
-<5> `mcp` defines the `MachineConfigPool` object that is used in the source file `validatorCRs/informDuValidator.yaml`. It should be `master` for single node and three-node cluster deployments and `worker` for standard cluster deployments.
-<6> Optional. The default value is `inform`.
-<7> This value is used as part of the name for the generated {rh-rhacm} policy. The generated validator policy for the single node example is `group-du-sno-validator-du-policy`.
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-ztp-example-single-node-cluster-validator.adoc[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-ztp-example-single-node-cluster-validator.adoc[]
+endif::[]
 
-. Commit the `PolicyGenTemplate` CR file in your Git repository and push the changes.
+. Commit the `{policy-gen-cr}` CR file in your Git repository and push the changes.
diff --git a/modules/ztp-creating-hwevents-amqp.adoc b/modules/ztp-creating-hwevents-amqp.adoc
index 34e5fcccb787..47e4f6f15d25 100644
--- a/modules/ztp-creating-hwevents-amqp.adoc
+++ b/modules/ztp-creating-hwevents-amqp.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
-// * scalability_and_performance/ztp_far_edge/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policygenerator-config.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="ztp-creating-hwevents-amqp_{context}"]
@@ -20,54 +21,46 @@ include::snippets/ptp-amq-interconnect-eol.adoc[]
 
 .Procedure
 
-. To configure the AMQ Interconnect Operator and the {redfish-operator} Operator, add the following YAML to `spec.sourceFiles` in the `common-ranGen.yaml` file:
+. To configure the AMQ Interconnect Operator and the {redfish-operator} Operator, add the following YAML to `{rangen-yaml-path}` in the `{policy-prefix}common-ranGen.yaml` file:
 +
 [source,yaml]
 ----
-# AMQ interconnect operator for fast events
-- fileName: AmqSubscriptionNS.yaml
-  policyName: "subscriptions-policy"
-- fileName: AmqSubscriptionOperGroup.yaml
-  policyName: "subscriptions-policy"
-- fileName: AmqSubscription.yaml
-  policyName: "subscriptions-policy"
-# Bare Metal Event Rely operator
-- fileName: BareMetalEventRelaySubscriptionNS.yaml
-  policyName: "subscriptions-policy"
-- fileName: BareMetalEventRelaySubscriptionOperGroup.yaml
-  policyName: "subscriptions-policy"
-- fileName: BareMetalEventRelaySubscription.yaml
-  policyName: "subscriptions-policy"
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-ztp-creating-hwevents-amqp.yaml[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-ztp-creating-hwevents-amqp.yaml[]
+endif::[]
 ----
 
-. Add the `Interconnect` CR to `.spec.sourceFiles` in the site configuration file, for example, the `example-sno-site.yaml` file:
+. Add the `Interconnect` CR to `{rangen-yaml-path}` in the site configuration file, for example, the `{policy-prefix}example-sno-site.yaml` file:
 +
 [source,yaml]
 ----
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
 - fileName: AmqInstance.yaml
   policyName: "config-policy"
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+- path: source-crs/AmqInstance.yaml
+endif::[]
 ----
 
-. Add the `HardwareEvent` CR to `spec.sourceFiles` in your specific group configuration file, for example, in the `group-du-sno-ranGen.yaml` file:
+. Add the `HardwareEvent` CR to `{rangen-yaml-path}` in your specific group configuration file, for example, in the `{policy-prefix}group-du-sno-ranGen.yaml` file:
 +
-[source,yaml]
-----
-- fileName: HardwareEvent.yaml
-  policyName: "config-policy"
-  spec:
-    nodeSelector: {}
-    transportHost: "amqp://<amq_interconnect_name>.<amq_interconnect_namespace>.svc.cluster.local" <1>
-    logLevel: "info"
-----
-<1>  The `transportHost` URL is composed of the existing AMQ Interconnect CR `name` and `namespace`. For example, in `transportHost: "amqp://amq-router.amq-router.svc.cluster.local"`, the AMQ Interconnect `name` and `namespace` are both set to `amq-router`.
-
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/ztp-creating-hwevents-amqp-hardware-event.adoc[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/ztp-creating-hwevents-amqp-hardware-event.adoc[]
+endif::[]
 +
 [NOTE]
 ====
 Each baseboard management controller (BMC) requires a single `HardwareEvent` resource only.
 ====
 
-. Commit the `PolicyGenTemplate` change in Git, and then push the changes to your site configuration repository to deploy bare-metal events monitoring to new sites using {ztp}.
+. Commit the `{policy-gen-cr}` change in Git, and then push the changes to your site configuration repository to deploy bare-metal events monitoring to new sites using {ztp}.
 
 . Create the Redfish Secret by running the following command:
 +
diff --git a/modules/ztp-customizing-a-managed-site-using-pgt.adoc b/modules/ztp-customizing-a-managed-site-using-pgt.adoc
index 42be665b2801..6fcc9738c59d 100644
--- a/modules/ztp-customizing-a-managed-site-using-pgt.adoc
+++ b/modules/ztp-customizing-a-managed-site-using-pgt.adoc
@@ -4,7 +4,7 @@
 
 :_mod-docs-content-type: PROCEDURE
 [id="ztp-customizing-a-managed-site-using-pgt_{context}"]
-= Customizing a managed cluster with PolicyGenTemplate CRs
+= Customizing a managed cluster with {policy-gen-cr} CRs
 
 Use the following procedure to customize the policies that get applied to the managed cluster that you provision using the {ztp-first} pipeline.
 
@@ -20,49 +20,49 @@ Use the following procedure to customize the policies that get applied to the ma
 
 .Procedure
 
-. Create a `PolicyGenTemplate` CR for site-specific configuration CRs.
+. Create a `{policy-gen-cr}` CR for site-specific configuration CRs.
 
-.. Choose the appropriate example for your CR from the `out/argocd/example/policygentemplates` folder, for example, `example-sno-site.yaml` or `example-multinode-site.yaml`.
+.. Choose the appropriate example for your CR from the `{argocd-folder}` folder, for example, `{policy-prefix}example-sno-site.yaml` or `{policy-prefix}example-multinode-site.yaml`.
 
-.. Change the `bindingRules` field in the example file to match the site-specific label included in the `SiteConfig` CR. In the example `SiteConfig` file, the site-specific label is `sites: example-sno`.
+.. Change the `{binding-field}` field in the example file to match the site-specific label included in the `SiteConfig` CR. In the example `SiteConfig` file, the site-specific label is `sites: example-sno`.
 +
 [NOTE]
 ====
-Ensure that the labels defined in your `PolicyGenTemplate` `bindingRules` field correspond to the labels that are defined in the related managed clusters `SiteConfig` CR.
+Ensure that the labels defined in your `{policy-gen-cr}` `{binding-field}` field correspond to the labels that are defined in the related managed clusters `SiteConfig` CR.
 ====
 
 .. Change the content in the example file to match the desired configuration.
 
-. Optional: Create a `PolicyGenTemplate` CR for any common configuration CRs that apply to the entire fleet of clusters.
+. Optional: Create a `{policy-gen-cr}` CR for any common configuration CRs that apply to the entire fleet of clusters.
 
-.. Select the appropriate example for your CR from the `out/argocd/example/policygentemplates` folder, for example, `common-ranGen.yaml`.
+.. Select the appropriate example for your CR from the `{argocd-folder}` folder, for example, `{policy-prefix}common-ranGen.yaml`.
 
-.. Change the content in the example file to match the desired configuration.
+.. Change the content in the example file to match the required configuration.
 
-. Optional: Create a `PolicyGenTemplate` CR for any group configuration CRs that apply to the certain groups of clusters in the fleet.
+. Optional: Create a `{policy-gen-cr}` CR for any group configuration CRs that apply to the certain groups of clusters in the fleet.
 +
-Ensure that the content of the overlaid spec files matches your desired end state. As a reference, the out/source-crs directory contains the full list of source-crs available to be included and overlaid by your PolicyGenTemplate templates.
+Ensure that the content of the overlaid spec files matches your required end state. As a reference, the `out/source-crs` directory contains the full list of source-crs available to be included and overlaid by your {policy-gen-cr} templates.
 +
 [NOTE]
 ====
-Depending on the specific requirements of your clusters, you might need more than a single group policy per cluster type, especially considering that the example group policies each have a single PerformancePolicy.yaml file that can only be shared across a set of clusters if those clusters consist of identical hardware configurations.
+Depending on the specific requirements of your clusters, you might need more than a single group policy per cluster type, especially considering that the example group policies each have a single `PerformancePolicy.yaml` file that can only be shared across a set of clusters if those clusters consist of identical hardware configurations.
 ====
 
-.. Select the appropriate example for your CR from the `out/argocd/example/policygentemplates` folder, for example, `group-du-sno-ranGen.yaml`.
+.. Select the appropriate example for your CR from the `{argocd-folder}` folder, for example, `{policy-prefix}group-du-sno-ranGen.yaml`.
 
-.. Change the content in the example file to match the desired configuration.
+.. Change the content in the example file to match the required configuration.
 
-. Optional. Create a validator inform policy `PolicyGenTemplate` CR to signal when the {ztp} installation and configuration of the deployed cluster is complete. For more information, see "Creating a validator inform policy".
+. Optional. Create a validator inform policy `{policy-gen-cr}` CR to signal when the {ztp} installation and configuration of the deployed cluster is complete. For more information, see "Creating a validator inform policy".
 
-. Define all the policy namespaces in a YAML file similar to the example `out/argocd/example/policygentemplates/ns.yaml` file.
+. Define all the policy namespaces in a YAML file similar to the example `{argocd-folder}/ns.yaml` file.
 +
 [IMPORTANT]
 ====
-Do not include the `Namespace` CR in the same file with the `PolicyGenTemplate` CR.
+Do not include the `Namespace` CR in the same file with the `{policy-gen-cr}` CR.
 ====
 
-. Add the `PolicyGenTemplate` CRs and `Namespace` CR to the `kustomization.yaml` file in the generators section, similar to the example shown in `out/argocd/example/policygentemplates/kustomization.yaml`.
+. Add the `{policy-gen-cr}` CRs and `Namespace` CR to the `kustomization.yaml` file in the generators section, similar to the example shown in `{argocd-folder}kustomization.yaml`.
 
-. Commit the `PolicyGenTemplate` CRs, `Namespace` CR, and associated `kustomization.yaml` file in your Git repository and push the changes.
+. Commit the `{policy-gen-cr}` CRs, `Namespace` CR, and associated `kustomization.yaml` file in your Git repository and push the changes.
 +
-The ArgoCD pipeline detects the changes and begins the managed cluster deployment. You can push the changes to the `SiteConfig` CR and the `PolicyGenTemplate` CR simultaneously.
+The ArgoCD pipeline detects the changes and begins the managed cluster deployment. You can push the changes to the `SiteConfig` CR and the `{policy-gen-cr}` CR simultaneously.
diff --git a/modules/ztp-definition-of-done-for-ztp-installations.adoc b/modules/ztp-definition-of-done-for-ztp-installations.adoc
index dbdde7eabe93..66bd999712f1 100644
--- a/modules/ztp-definition-of-done-for-ztp-installations.adoc
+++ b/modules/ztp-definition-of-done-for-ztp-installations.adoc
@@ -17,7 +17,7 @@ The cluster configuration phase is shown by a `ztp-running` label applied the `M
 {ztp} done::
 Cluster installation and configuration is complete in the {ztp} done phase. This is shown by the removal of the `ztp-running` label and addition of the `ztp-done` label to the `ManagedCluster` CR. The `ztp-done` label shows that the configuration has been applied and the baseline DU configuration has completed cluster tuning.
 +
-The transition to the {ztp} done state is conditional on the compliant state of a {rh-rhacm-first} validator inform policy. This policy captures the existing criteria for a completed installation and validates that it moves to a compliant state only when {ztp} provisioning of the managed cluster is complete.
+The change to the {ztp} done state is conditional on the compliant state of a {rh-rhacm-first} validator inform policy. This policy captures the existing criteria for a completed installation and validates that it moves to a compliant state only when {ztp} provisioning of the managed cluster is complete.
 +
 The validator inform policy ensures the configuration of the cluster is fully applied and Operators have completed their initialization. The policy validates the following:
 +
diff --git a/modules/ztp-deploying-a-site.adoc b/modules/ztp-deploying-a-site.adoc
index 4d384db9b530..a692477e8552 100644
--- a/modules/ztp-deploying-a-site.adoc
+++ b/modules/ztp-deploying-a-site.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * scalability_and_performance/ztp_far_edge/ztp-deploying-far-edge-sites.adoc
+// * edge_computing/ztp-deploying-far-edge-sites.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="ztp-deploying-a-site_{context}"]
@@ -73,7 +73,7 @@ include::snippets/ztp_example-sno.yaml[]
 +
 [NOTE]
 ====
-For more information about BMC addressing, see the "Additional resources" section.
+For more information about BMC addressing, see the "Additional resources" section. The `installConfigOverrides` and  `ignitionConfigOverride` fields are expanded in the example for ease of readability.   
 ====
 
 .. You can inspect the default set of extra-manifest `MachineConfig` CRs in `out/argocd/extra-manifest`. It is automatically applied to the cluster when it is installed.
diff --git a/modules/ztp-deploying-additional-changes-to-clusters.adoc b/modules/ztp-deploying-additional-changes-to-clusters.adoc
index b4e7b44f5638..3908123cc621 100644
--- a/modules/ztp-deploying-additional-changes-to-clusters.adoc
+++ b/modules/ztp-deploying-additional-changes-to-clusters.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
-// * scalability_and_performance/ztp_far_edge/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policygenerator-config.adoc
 
 :_module-type: CONCEPT
 [id="ztp-deploying-additional-changes-to-clusters_{context}"]
diff --git a/modules/ztp-du-host-firmware-requirements.adoc b/modules/ztp-du-host-firmware-requirements.adoc
index 6200472795a5..0bf6c574f16f 100644
--- a/modules/ztp-du-host-firmware-requirements.adoc
+++ b/modules/ztp-du-host-firmware-requirements.adoc
@@ -12,14 +12,14 @@ Bare-metal hosts require the firmware to be configured before the host can be pr
 
 . Set the *UEFI/BIOS Boot Mode* to `UEFI`.
 . In the host boot sequence order, set *Hard drive first*.
-. Apply the specific firmware configuration for your hardware. The following table describes a representative firmware configuration for an Intel Xeon Skylake or Intel Cascade Lake server, based on the Intel FlexRAN 4G and 5G baseband PHY reference design.
+. Apply the specific firmware configuration for your hardware. The following table describes a representative firmware configuration for an Intel Xeon Skylake server and later hardware generations, based on the Intel FlexRAN 4G and 5G baseband PHY reference design.
 +
 [IMPORTANT]
 ====
 The exact firmware configuration depends on your specific hardware and network requirements. The following sample configuration is for illustrative purposes only.
 ====
 +
-.Sample firmware configuration for an Intel Xeon Skylake or Cascade Lake server
+.Sample firmware configuration
 [cols=2*, width="90%", options="header"]
 |====
 |Firmware setting
diff --git a/modules/ztp-enabling-workload-partitioning-sno.adoc b/modules/ztp-enabling-workload-partitioning-sno.adoc
index 1bf2c73c93b5..1776ac5c889d 100644
--- a/modules/ztp-enabling-workload-partitioning-sno.adoc
+++ b/modules/ztp-enabling-workload-partitioning-sno.adoc
@@ -17,7 +17,7 @@ Both of these steps happen at different points during cluster provisioning.
 ====
 Configuring workload partitioning by using the `cpuPartitioningMode` field in the `SiteConfig` CR is a Tech Preview feature in {product-title} 4.13.
 
-Alternatively, you can specify cluster management CPU resources with the `cpuset` field of the `SiteConfig` custom resource (CR) and the `reserved` field of the group `PolicyGenTemplate` CR.
+Alternatively, you can specify cluster management CPU resources with the `cpuset` field of the `SiteConfig` custom resource (CR) and the `reserved` field of the group `PolicyGenerator` or `PolicyGentemplate` CR.
 The {ztp} pipeline uses these values to populate the required fields in the workload partitioning `MachineConfig` CR (`cpuset`) and the `PerformanceProfile` CR (`reserved`) that configure the {sno} cluster.
 This method is a General Availability feature in {product-title} 4.14.
 ====
diff --git a/modules/ztp-example-hub-template-functions.adoc b/modules/ztp-example-hub-template-functions.adoc
index 614040dde5a1..c7001a03d65b 100644
--- a/modules/ztp-example-hub-template-functions.adoc
+++ b/modules/ztp-example-hub-template-functions.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
-// * scalability_and_performance/ztp_far_edge/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policygenerator-config.adoc
 
 :_mod-docs-content-type: REFERENCE
 [id="ztp-example-hub-template-functions_{context}"]
diff --git a/modules/ztp-generating-install-and-config-crs-manually.adoc b/modules/ztp-generating-install-and-config-crs-manually.adoc
index eb75510924d8..fed72f454cf2 100644
--- a/modules/ztp-generating-install-and-config-crs-manually.adoc
+++ b/modules/ztp-generating-install-and-config-crs-manually.adoc
@@ -6,7 +6,7 @@
 [id="ztp-generating-install-and-config-crs-manually_{context}"]
 = Generating {ztp} installation and configuration CRs manually
 
-Use the `generator` entrypoint for the `ztp-site-generate` container to generate the site installation and configuration custom resource (CRs) for a cluster based on `SiteConfig` and `PolicyGenTemplate` CRs.
+Use the `generator` entrypoint for the `ztp-site-generate` container to generate the site installation and configuration custom resource (CRs) for a cluster based on `SiteConfig` and `{policy-gen-cr}` CRs.
 
 .Prerequisites
 
@@ -30,7 +30,7 @@ $ mkdir -p ./out
 $ podman run --log-driver=none --rm registry.redhat.io/openshift4/ztp-site-generate-rhel8:v{product-version} extract /home/ztp --tar | tar x -C ./out
 ----
 +
-The `./out` directory has the reference `PolicyGenTemplate` and `SiteConfig` CRs in the `out/argocd/example/` folder.
+The `./out` directory has the reference `{policy-gen-cr}` and `SiteConfig` CRs in the `out/argocd/example/` folder.
 +
 .Example output
 [source,terminal]
@@ -38,11 +38,12 @@ The `./out` directory has the reference `PolicyGenTemplate` and `SiteConfig` CRs
 out
  └── argocd
       └── example
-           ├── policygentemplates
-           │     ├── common-ranGen.yaml
-           │     ├── example-sno-site.yaml
-           │     ├── group-du-sno-ranGen.yaml
-           │     ├── group-du-sno-validator-ranGen.yaml
+           ├── acmpolicygenerator
+           │     ├── {policy-prefix}common-ranGen.yaml
+           │     ├── {policy-prefix}example-sno-site.yaml
+           │     ├── {policy-prefix}group-du-sno-ranGen.yaml
+           │     ├── {policy-prefix}group-du-sno-validator-ranGen.yaml
+           │     ├── ...
            │     ├── kustomization.yaml
            │     └── ns.yaml
            └── siteconfig
@@ -124,7 +125,7 @@ site-machineconfig
     └── site-1-sno_machineconfig_predefined-extra-manifests-worker.yaml
 ----
 
-. Generate and export the Day 2 configuration CRs using the reference `PolicyGenTemplate` CRs from the previous step. Run the following commands:
+. Generate and export the Day 2 configuration CRs using the reference `{policy-gen-cr}` CRs from the previous step. Run the following commands:
 
 .. Create an output folder for the Day 2 CRs:
 +
@@ -137,10 +138,10 @@ $ mkdir -p ./ref
 +
 [source,terminal,subs="attributes+"]
 ----
-$ podman run -it --rm -v `pwd`/out/argocd/example/policygentemplates:/resources:Z -v `pwd`/ref:/output:Z,U registry.redhat.io/openshift4/ztp-site-generate-rhel8:v{product-version} generator config -N . /output
+$ podman run -it --rm -v `pwd`/out/argocd/example/acmpolicygenerator:/resources:Z -v `pwd`/ref:/output:Z,U registry.redhat.io/openshift4/ztp-site-generate-rhel8:v{product-version} generator config -N . /output
 ----
 +
-The command generates example group and site-specific `PolicyGenTemplate` CRs for {sno}, three-node clusters, and standard clusters in the `./ref` folder.
+The command generates example group and site-specific `{policy-gen-cr}` CRs for {sno}, three-node clusters, and standard clusters in the `./ref` folder.
 +
 .Example output
 [source,terminal]
@@ -188,4 +189,4 @@ Labels: beta.kubernetes.io/arch=amd64
         node-role.kubernetes.io/worker=
         node.openshift.io/os_id=rhcos
 ----
-<1> The custom label is applied to the node.
\ No newline at end of file
+<1> The custom label is applied to the node.
diff --git a/modules/ztp-image-based-upgrade-backup-guide.adoc b/modules/ztp-image-based-upgrade-backup-guide.adoc
new file mode 100644
index 000000000000..dc50a65e38c4
--- /dev/null
+++ b/modules/ztp-image-based-upgrade-backup-guide.adoc
@@ -0,0 +1,81 @@
+// Module included in the following assemblies:
+// * edge_computing/image-based-upgrade/cnf-understanding-image-based-upgrade.adoc
+
+[id="ztp-image-based-upgrade-backup-guide_{context}"]
+= OADP backup and restore guidelines
+
+With the OADP Operator, you can back up and restore your applications on your target clusters by using `Backup` and `Restore` CRs wrapped in `ConfigMap` objects.
+The application must work on the current and the target {product-title} versions so that they can be restored after the upgrade.
+The backups must include resources that were initially created.
+
+The following resources must be excluded from the backup:
+
+* `pods`
+* `endpoints`
+* `controllerrevision`
+* `podmetrics`
+* `packagemanifest`
+* `replicaset`
+* `localvolume`, if using Local Storage Operator (LSO)
+
+There are two local storage implementations for {sno}:
+
+Local Storage Operator (LSO):: The {lcao} backs up and restores the required artifacts, including `LocalVolumes` and their associated `StorageClasses`. You must exclude the `persistentVolumes` resource in the application `Backup` CR.
+
+{lvms}:: You must create the `Backup` and `Restore` CRs for {lvms} artifacts. You must include the `persistentVolumes` resource in the application `Backup` CR.
+
+For the image-based upgrade, only one Operator is supported on a given target cluster.
+
+[IMPORTANT]
+====
+For both Operators, you must not apply the Operator CRs as extra manifests through the `ImageBasedUpgrade` CR.
+====
+
+The persistent volume contents are preserved and used after the pivot.
+When you are configuring the `DataProtectionApplication` CR, you must ensure that the `.spec.configuration.restic.enable` is set to `false` for an image-based upgrade.
+This disables Container Storage Interface integration.
+
+[id="ztp-image-based-upgrade-apply-wave-guide_{context}"]
+== lca.openshift.io/apply-wave guidelines
+
+The `lca.openshift.io/apply-wave` annotation determines the apply order of `Backup` or `Restore` CRs.
+The value of the annotation must be a string number.
+If you define the `lca.openshift.io/apply-wave` annotation in the `Backup` or `Restore` CRs, they are applied in increasing order based on the annotation value.
+If you do not define the annotation, they are applied together.
+
+The `lca.openshift.io/apply-wave` annotation must be numerically lower in your platform `Restore` CRs, for example {rh-rhacm} and {lvms} artifacts, than that of the application.
+This way, that the platform artifacts are restored before your applications.
+
+If your application includes cluster-scoped resources, you must create separate `Backup` and `Restore` CRs to scope the backup to the specific cluster-scoped resources created by the application.
+The `Restore` CR for the cluster-scoped resources must be restored before the remaining application `Restore` CR(s).
+
+[id="ztp-image-based-upgrade-apply-label-guide_{context}"]
+== lca.openshift.io/apply-label guidelines
+
+You can back up specific resources exclusively with the `lca.openshift.io/apply-label` annotation.
+Based on which resources you define in the annotation, the {lcao} applies the `lca.openshift.io/backup: <backup_name>` label and adds the `labelSelector.matchLabels.lca.openshift.io/backup: <backup_name>` label selector to the specified resources when creating the `Backup` CRs.
+
+To use the `lca.openshift.io/apply-label` annotation for backing up specific resources, the resources listed in the annotation must also be included in the `spec` section.
+If the `lca.openshift.io/apply-label` annotation is used in the `Backup` CR, only the resources listed in the annotation are backed up, even if other resource types are specified in the `spec` section or not.
+
+.Example CR
+[source,yaml]
+----
+apiVersion: velero.io/v1
+kind: Backup
+metadata:
+  name: acm-klusterlet
+  namespace: openshift-adp
+  annotations:
+    lca.openshift.io/apply-label: rbac.authorization.k8s.io/v1/clusterroles/klusterlet,apps/v1/deployments/open-cluster-management-agent/klusterlet <1>
+  labels:
+    velero.io/storage-location: default
+spec:
+  includedNamespaces:
+   - open-cluster-management-agent
+  includedClusterScopedResources:
+   - clusterroles
+  includedNamespaceScopedResources:
+   - deployments
+----
+<1> The value must be a list of comma-separated objects in `group/version/resource/name` format for cluster-scoped resources or `group/version/resource/namespace/name` format for namespace-scoped resources, and it must be attached to the related `Backup` CR.
\ No newline at end of file
diff --git a/modules/ztp-image-based-upgrade-cluster-validated-software.adoc b/modules/ztp-image-based-upgrade-cluster-validated-software.adoc
new file mode 100644
index 000000000000..da6782fb915d
--- /dev/null
+++ b/modules/ztp-image-based-upgrade-cluster-validated-software.adoc
@@ -0,0 +1,56 @@
+// Module included in the following assemblies:
+// * edge_computing/image-based-upgrade/cnf-understanding-image-based-upgrade.adoc
+
+[id="ztp-image-based-upgrade-cluster-validated-software_{context}"]
+= Minimum software version of components
+
+Depending on your deployment method, the image-based upgrade requires the following minimum software versions.
+
+.Minimum software version of components
+[cols=3*, width="80%", options="header"]
+|====
+|Component
+|Software version
+|Required
+
+|{lcao}
+|4.16
+|Yes
+
+|OADP Operator
+|1.3.1
+|Yes
+
+|Managed cluster version
+|4.14.13
+|Yes
+
+|Hub cluster version
+|4.16
+|Yes, if using {rh-rhacm}
+
+|{rh-rhacm}
+|2.10.2
+|Yes, if using {rh-rhacm}
+
+|{ztp} plugin
+|4.16
+|Only for {ztp} deployment method
+
+|{gitops-title}
+|1.12
+|Only for {ztp} deployment method
+
+|{cgu-operator-first}
+|4.16
+|Only for {ztp} deployment method
+
+|Local Storage Operator ^[1]^
+|4.14
+|Yes
+
+|{lvms-first} ^[1]^
+|4.14.2
+|Yes
+|====
+. The persistent storage must be provided by either the {lvms} or the Local Storage Operator, not both.
diff --git a/modules/ztp-image-based-upgrade-extra-manifests-guide.adoc b/modules/ztp-image-based-upgrade-extra-manifests-guide.adoc
new file mode 100644
index 000000000000..443cf0029c1a
--- /dev/null
+++ b/modules/ztp-image-based-upgrade-extra-manifests-guide.adoc
@@ -0,0 +1,36 @@
+// Module included in the following assemblies:
+// * edge_computing/image-based-upgrade/cnf-understanding-image-based-upgrade.adoc
+
+[id="ztp-image-based-upgrade-extra-manifests-guide_{context}"]
+= Extra manifest guidelines
+
+The {lcao} uses extra manifests to restore your target clusters after rebooting with the new default stateroot deployment and before restoring application artifacts.
+
+Different deployment methods require a different way to apply the extra manifests:
+
+{ztp}:: You use the `lca.openshift.io/target-ocp-version: <target_ocp_version>` label to mark the extra manifests that the {lcao} must extract and apply after the pivot.
+You can specify the number of manifests labeled with `lca.openshift.io/target-ocp-version` by using the `lca.openshift.io/target-ocp-version-manifest-count` annotation in the `ImageBasedUpgrade` CR.
+If specified, the {lcao} verifies that the number of manifests extracted from policies matches the number provided in the annotation during the prep and upgrade stages.
++
+.Example for the lca.openshift.io/target-ocp-version-manifest-count annotation
+[source,yaml]
+----
+apiVersion: lca.openshift.io/v1
+kind: ImageBasedUpgrade
+metadata:
+  annotations:
+    lca.openshift.io/target-ocp-version-manifest-count: "5"
+  name: upgrade
+----
+
+Non-Gitops:: You mark your extra manifests with the `lca.openshift.io/apply-wave` annotation to determine the apply order. The labeled extra manifests are wrapped in `ConfigMap` objects and referenced in the `ImageBasedUpgrade` CR that the {lcao} uses after the pivot.
+
+If the target cluster uses custom catalog sources, you must include them as extra manifests that point to the correct release version.
+
+[IMPORTANT]
+====
+You cannot apply the following items as extra manifests:
+
+* `MachineConfig` objects
+* OLM Operator subscriptions
+====
diff --git a/modules/ztp-image-based-upgrade-generate-seed-image.adoc b/modules/ztp-image-based-upgrade-generate-seed-image.adoc
deleted file mode 100644
index 4afe49825e52..000000000000
--- a/modules/ztp-image-based-upgrade-generate-seed-image.adoc
+++ /dev/null
@@ -1,217 +0,0 @@
-// Module included in the following assemblies:
-// * scalability_and_performance/ztp-image-based-upgrade.adoc
-
-:_mod-docs-content-type: PROCEDURE
-[id="ztp-image-based-upgrade-seed-generation_{context}"]
-= Generating a seed image with the {lcao}
-
-Use the {lcao} to generate the seed image with the `SeedGenerator` CR. The Operator checks for required system configurations, performs any necessary system cleanup before generating the seed image, and launches the image generation. The seed image generation includes the following tasks:
-
-* Stopping cluster operators
-* Preparing the seed image configuration
-* Generating and pushing the seed image to the image repository specified in the `SeedGenerator` CR
-* Restoring cluster operators
-* Expiring seed cluster certificates
-* Generating new certificates for the seed cluster
-* Restoring and updates the `SeedGenerator` CR on the seed cluster
-
-[NOTE]
-====
-The generated seed image does not include any site-specific data.
-====
-
-[IMPORTANT]
-====
-During the Developer Preview of this feature, when upgrading a cluster, any custom trusted certificates configured on the cluster will be lost. As a temporary workaround, to preserve these certificates, you must use a seed image from a seed cluster that trusts the certificates.
-====
-
-.Prerequisites
-
-* Deploy a {sno} cluster with a DU profile.
-* Install the {lcao} on the seed cluster.
-* Install the OADP Operator on the seed cluster.
-* Log in as a user with `cluster-admin` privileges.
-* The seed cluster has the same CPU topology as the target cluster.
-* The seed cluster has the same IP version as the target cluster.
-
-+
-[NOTE]
-====
-Dual-stack networking is not supported in this release.
-====
-
-* If the target cluster has a proxy configuration, the seed cluster must have a proxy configuration too. The proxy configuration does not have to be the same.
-* The seed cluster is registered as a managed cluster.
-* The {lcao} deployed on the target cluster is compatible with the version in the seed image.
-* The seed cluster has a separate partition for the container images that will be shared between stateroots. For more information, see _Additional resources_.
-
-[WARNING]
-====
-If the target cluster has multiple IPs and one of them belongs to the subnet that was used for creating the seed image, the upgrade fails if the target cluster's node IP does not belong to that subnet.
-====
-
-.Procedure
-
-. Detach the seed cluster from the hub cluster either manually or if using ZTP, by removing the `SiteConfig` CR from the `kustomization.yaml`.
-This deletes any cluster-specific resources from the seed cluster that must not be in the seed image.
-
-.. If you are using {rh-rhacm}, manually detach the seed cluster by running the following command:
-+
-[source,terminal]
-----
-$ oc delete managedcluster sno-worker-example
-----
-
-.. Wait until the `ManagedCluster` CR is removed. Once the CR is removed, create the proper `SeedGenerator` CR. The {lcao} cleans up the {rh-rhacm} artifacts.
-
-. If you are using GitOps ZTP, detach your cluster by removing the seed cluster's `SiteConfig` CR from the `kustomization.yaml`:
-
-.. Remove your seed cluster's `SiteConfig` CR from the `kustomization.yaml`.
-+
-[source,yaml]
-----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-generators:
-#- example-seed-sno1.yaml
-- example-target-sno2.yaml
-- example-target-sno3.yaml
-----
-
-.. Commit the `kustomization.yaml` changes in your Git repository and push the changes.
-+
-The ArgoCD pipeline detects the changes and removes the managed cluster.
-
-. Create the `Secret`.
-
-.. Create the authentication file by running the following command:
-+
---
-.Authentication file
-[source,terminal]
-----
-$ MY_USER=myuserid
-$ AUTHFILE=/tmp/my-auth.json
-$ podman login --authfile ${AUTHFILE} -u ${MY_USER} quay.io/${MY_USER}
-----
-
-[source,terminal]
-----
-$ base64 -w 0 ${AUTHFILE} ; echo
-----
---
-
-.. Copy the output into the `seedAuth` field in the `Secret` YAML file named `seedgen` in the `openshift-lifecycle-agent` namespace.
-+
---
-[source,yaml]
-----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: seedgen <1>
-  namespace: openshift-lifecycle-agent
-type: Opaque
-data:
-  seedAuth: <encoded_AUTHFILE> <2>
-----
-<1> The `Secret` resource must have the `name: seedgen` and `namespace: openshift-lifecycle-agent` fields.
-<2> Specifies a base64-encoded authfile for write-access to the registry for pushing the generated seed images.
---
-
-.. Apply the `Secret`.
-+
-[source,terminal]
-----
-$ oc apply -f secretseedgenerator.yaml
-----
-
-. Create the `SeedGenerator` CR:
-+
---
-[source,yaml]
-----
-apiVersion: lca.openshift.io/v1alpha1
-kind: SeedGenerator
-metadata:
-  name: seedimage <1>
-spec:
-  seedImage: <seed_container_image> <2>
-----
-<1> The `SeedGenerator` CR must be named `seedimage`.
-<2> Specify the container image URL, for example, `quay.io/example/seed-container-image:<tag>`. It is recommended to use the `<seed_cluster_name>:<ocp_version>` format.
---
-
-. Generate the seed image by running the following command:
-+
-[source,terminal]
-----
-$ oc apply -f seedgenerator.yaml
-----
-
-+
-[IMPORTANT]
-====
-The cluster reboots and loses API capabilities while the {lcao} generates the seed image.
-Applying the `SeedGenerator` CR stops the `kubelet` and the CRI-O operations, then it starts the image generation.
-====
-
-Once the image generation is complete, the cluster can be reattached to the hub cluster, and you can access it through the API.
-
-If you want to generate further seed images, you must provision a new seed cluster with the version you want to generate a seed image from.
-
-.Verification
-
-. Once the cluster recovers and it is available, you can check the status of the `SeedGenerator` CR:
-+
---
-[source,terminal]
-----
-$ oc get seedgenerator -oyaml
-----
-
-.Example output
-[source,yaml]
-----
-status:
-  conditions:
-  - lastTransitionTime: "2024-02-13T21:24:26Z"
-    message: Seed Generation completed
-    observedGeneration: 1
-    reason: Completed
-    status: "False"
-    type: SeedGenInProgress
-  - lastTransitionTime: "2024-02-13T21:24:26Z"
-    message: Seed Generation completed
-    observedGeneration: 1
-    reason: Completed
-    status: "True"
-    type: SeedGenCompleted <1>
-  observedGeneration: 1
-----
-<1> The seed image generation is complete.
---
-
-. Verify that the {sno} cluster is running and is attached to the {rh-rhacm} hub cluster:
-+
---
-[source,terminal]
-----
-$ oc get managedclusters sno-worker-example
-----
-
-.Example output
-[source,terminal]
-----
-$ oc get managedclusters sno-worker-example
-NAME                 HUB ACCEPTED   MANAGED CLUSTER URLS                                  JOINED   AVAILABLE   AGE
-sno-worker-example   true           https://api.sno-worker-example.example.redhat.com     True     True        21h <1>
-----
-<1> The cluster is attached if you see that the value is `True` for both `JOINED` and `AVAILABLE`.
-
-[NOTE]
-====
-The cluster requires time to recover after restarting the `kubelet` operation.
-====
---
\ No newline at end of file
diff --git a/modules/ztp-image-based-upgrade-hub-cluster-guide.adoc b/modules/ztp-image-based-upgrade-hub-cluster-guide.adoc
new file mode 100644
index 000000000000..5a2b9447fc1f
--- /dev/null
+++ b/modules/ztp-image-based-upgrade-hub-cluster-guide.adoc
@@ -0,0 +1,10 @@
+// Module included in the following assemblies:
+// * edge_computing/image-based-upgrade/cnf-understanding-image-based-upgrade.adoc
+
+[id="ztp-image-based-upgrade-hub-cluster-guide_{context}"]
+= Hub cluster guidelines
+
+If you are using {rh-rhacm-first}, your hub cluster needs to meet the following conditions:
+
+* To avoid including any {rh-rhacm} resources in your seed image, you need to disable all optional {rh-rhacm} add-ons before generating the seed image.
+* Your hub cluster must be upgraded at least to the target version before performing an image-based upgrade a target {sno} cluster.
\ No newline at end of file
diff --git a/modules/ztp-image-based-upgrade-installing-lcao-with-gitops.adoc b/modules/ztp-image-based-upgrade-installing-lcao-with-gitops.adoc
new file mode 100644
index 000000000000..a29d2bb735f4
--- /dev/null
+++ b/modules/ztp-image-based-upgrade-installing-lcao-with-gitops.adoc
@@ -0,0 +1,107 @@
+// Module included in the following assemblies:
+// * edge_computing/image-based-upgrade/cnf-preparing-for-image-based-upgrade.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="ztp-image-based-upgrade-installing-lcao-with-gitops_{context}"]
+= Installing the {lcao} with {ztp}
+
+Install the {lcao} with {ztp-first} to do an image-based upgrade.
+
+.Prerequisites
+
+* Create a directory called `custom-crs` in the `source-crs` directory. The `source-crs` directory must be in the same location as the `kustomization.yaml` file.
+
+.Procedure
+
+. Create the following CRs in the `openshift-lifecycle-agent` namespace and push them to the `source-crs/custom-crs` directory:
++
+--
+.Example `LcaSubscriptionNS.yaml` file
+[source,yaml]
+----
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openshift-lifecycle-agent
+  annotations:
+    workload.openshift.io/allowed: management
+    ran.openshift.io/ztp-deploy-wave: "2"
+  labels:
+    kubernetes.io/metadata.name: openshift-lifecycle-agent
+----
+
+.Example `LcaSubscriptionOperGroup.yaml` file
+[source,yaml]
+----
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: lifecycle-agent-operatorgroup
+  namespace: openshift-lifecycle-agent
+  annotations:
+    ran.openshift.io/ztp-deploy-wave: "2"
+spec:
+  targetNamespaces:
+    - openshift-lifecycle-agent
+----
+
+.Example `LcaSubscription.yaml` file
+[source,yaml]
+----
+apiVersion: operators.coreos.com/v1
+kind: Subscription
+metadata:
+  name: lifecycle-agent
+  namespace: openshift-lifecycle-agent
+  annotations:
+    ran.openshift.io/ztp-deploy-wave: "2"
+spec:
+  channel: "stable"
+  name: lifecycle-agent
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace
+  installPlanApproval: Manual
+  status:
+    state: AtLatestKnown
+----
+
+.Example directory structure
+[source,terminal]
+----
+├── kustomization.yaml
+├── sno
+│   ├── example-cnf.yaml
+│   ├── common-ranGen.yaml
+│   ├── group-du-sno-ranGen.yaml
+│   ├── group-du-sno-validator-ranGen.yaml
+│   └── ns.yaml
+├── source-crs
+│   ├── custom-crs
+│   │   ├── LcaSubscriptionNS.yaml
+│   │   ├── LcaSubscriptionOperGroup.yaml
+│   │   ├── LcaSubscription.yaml
+----
+--
+
+. Add the CRs to your common `PolicyGenTemplate`:
++
+[source,yaml]
+----
+apiVersion: ran.openshift.io/v1
+kind: PolicyGenTemplate
+metadata:
+  name: "example-common-latest"
+  namespace: "ztp-common"
+spec:
+  bindingRules:
+    common: "true"
+    du-profile: "latest"
+  sourceFiles:
+    - fileName: custom-crs/LcaSubscriptionNS.yaml
+      policyName: "subscriptions-policy"
+    - fileName: custom-crs/LcaSubscriptionOperGroup.yaml
+      policyName: "subscriptions-policy"
+    - fileName: custom-crs/LcaSubscription.yaml
+      policyName: "subscriptions-policy"
+[...]
+----
\ No newline at end of file
diff --git a/modules/ztp-image-based-upgrade-installing-lifecycle-agent-using-web-console.adoc b/modules/ztp-image-based-upgrade-installing-lifecycle-agent-using-web-console.adoc
deleted file mode 100644
index 47e29b932100..000000000000
--- a/modules/ztp-image-based-upgrade-installing-lifecycle-agent-using-web-console.adoc
+++ /dev/null
@@ -1,36 +0,0 @@
-// Module included in the following assemblies:
-// * scalability_and_performance/ztp-image-based-upgrade.adoc
-
-:_mod-docs-content-type: PROCEDURE
-[id="installing-lifecycle-agent-using-web-console_{context}"]
-= Installing the {lcao} by using the web console
-
-You can use the {product-title} web console to install the {lcao} from the 4.15 Operator catalog on both the seed and target cluster.
-
-.Prerequisites
-
-* Log in as a user with `cluster-admin` privileges.
-
-.Procedure
-
-. In the {product-title} web console, navigate to *Operators* → *OperatorHub*.
-. Search for the *{lcao}* from the list of available Operators, and then click *Install*.
-. On the *Install Operator* page, under *A specific namespace on the cluster* select *openshift-lifecycle-agent*. Then, click Install.
-. Click *Install*.
-
-.Verification
-
-To confirm that the installation is successful:
-
-. Navigate to the *Operators* → *Installed Operators* page.
-. Ensure that the {lcao} is listed in the *openshift-lifecycle-agent* project with a *Status* of *InstallSucceeded*.
-
-[NOTE]
-====
-During installation an Operator might display a *Failed* status. If the installation later succeeds with an *InstallSucceeded* message, you can ignore the *Failed* message.
-====
-
-If the Operator is not installed successfully:
-
-. Go to the *Operators* → *Installed Operators* page and inspect the *Operator Subscriptions* and *Install Plans* tabs for any failure or errors under *Status*.
-. Go to the *Workloads* → *Pods* page and check the logs for pods in the *openshift-lifecycle-agent* project.
\ No newline at end of file
diff --git a/modules/ztp-image-based-upgrade-installing-oadp-with-gitops.adoc b/modules/ztp-image-based-upgrade-installing-oadp-with-gitops.adoc
new file mode 100644
index 000000000000..b38007729af5
--- /dev/null
+++ b/modules/ztp-image-based-upgrade-installing-oadp-with-gitops.adoc
@@ -0,0 +1,263 @@
+// Module included in the following assemblies:
+// * edge_computing/image-based-upgrade/cnf-preparing-for-image-based-upgrade.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="ztp-image-based-upgrade-installing-oadp-with-gitops_{context}"]
+= Installing and configuring the OADP Operator with {ztp}
+
+Install and configure the OADP Operator with {ztp} before starting the upgrade.
+
+.Prerequisites
+
+* Create a directory called `custom-crs` in the `source-crs` directory. The `source-crs` directory must be in the same location as the `kustomization.yaml` file.
+
+.Procedure
+
+. Create the following CRs in the `openshift-adp` namespace and push them to the `source-crs/custom-crs` directory:
++
+--
+.Example `OadpSubscriptionNS.yaml` file
+[source,yaml]
+----
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openshift-adp
+  annotations:
+    ran.openshift.io/ztp-deploy-wave: "2"
+  labels:
+    kubernetes.io/metadata.name: openshift-adp
+----
+
+.Example `OadpSubscriptionOperGroup.yaml` file
+[source,yaml]
+----
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: redhat-oadp-operator
+  namespace: openshift-adp
+  annotations:
+    ran.openshift.io/ztp-deploy-wave: "2"
+spec:
+  targetNamespaces:
+  - openshift-adp
+----
+
+.Example `OadpSubscription.yaml` file
+[source,yaml]
+----
+apiVersion: operators.coreos.com/v1
+kind: Subscription
+metadata:
+  name: redhat-oadp-operator
+  namespace: openshift-adp
+  annotations:
+    ran.openshift.io/ztp-deploy-wave: "2"
+spec:
+  channel: stable-1.3
+  name: redhat-oadp-operator
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace
+  installPlanApproval: Manual
+status:
+  state: AtLatestKnown
+----
+
+.Example `OadpOperatorStatus.yaml` file
+[source,yaml]
+----
+apiVersion: operators.coreos.com/v1
+kind: Operator
+metadata:
+  name: redhat-oadp-operator.openshift-adp
+  annotations:
+    ran.openshift.io/ztp-deploy-wave: "2"
+status:
+  components:
+    refs:
+    - kind: Subscription
+      namespace: openshift-adp
+      conditions:
+      - type: CatalogSourcesUnhealthy
+        status: "False"
+    - kind: InstallPlan
+      namespace: openshift-adp
+      conditions:
+      - type: Installed
+        status: "True"
+    - kind: ClusterServiceVersion
+      namespace: openshift-adp
+      conditions:
+      - type: Succeeded
+        status: "True"
+        reason: InstallSucceeded
+----
+
+.Example directory structure
+[source,terminal]
+----
+├── kustomization.yaml
+├── sno
+│   ├── example-cnf.yaml
+│   ├── common-ranGen.yaml
+│   ├── group-du-sno-ranGen.yaml
+│   ├── group-du-sno-validator-ranGen.yaml
+│   └── ns.yaml
+├── source-crs
+│   ├── custom-crs
+│   │   ├── OadpSubscriptionNS.yaml
+│   │   ├── OadpSubscriptionOperGroup.yaml
+│   │   ├── OadpSubscription.yaml
+│   │   ├── OadpOperatorStatus.yaml
+----
+--
+
+. Add the CRs to your common `PolicyGenTemplate`:
++
+[source,yaml]
+----
+apiVersion: ran.openshift.io/v1
+kind: PolicyGenTemplate
+metadata:
+  name: "example-common-latest"
+  namespace: "ztp-common"
+spec:
+  bindingRules:
+    common: "true"
+    du-profile: "latest"
+  sourceFiles:
+    - fileName: custom-crs/OadpSubscriptionNS.yaml
+      policyName: "subscriptions-policy"
+    - fileName: custom-crs/OadpSubscriptionOperGroup.yaml
+      policyName: "subscriptions-policy"
+    - fileName: custom-crs/OadpSubscription.yaml
+      policyName: "subscriptions-policy"
+    - fileName: custom-crs/OadpOperatorStatus.yaml
+      policyName: "subscriptions-policy"
+[...]
+----
+
+. Create the `DataProtectionApplication` CR and the S3 secret:
+
+.. Create the following CRs in your `source-crs/custom-crs` directory:
++
+--
+.Example `DataProtectionApplication.yaml` file
+[source,yaml]
+----
+apiVersion: oadp.openshift.io/v1
+kind: DataProtectionApplication
+metadata:
+  name: dataprotectionapplication
+  namespace: openshift-adp
+  annotations:
+    ran.openshift.io/ztp-deploy-wave: "100"
+spec:
+  configuration:
+    restic:
+      enable: false <1>
+    velero:
+      defaultPlugins:
+        - aws
+        - openshift
+      resourceTimeout: 10m
+  backupLocations:
+    - velero:
+        config:
+          profile: "default"
+          region: minio
+          s3Url: $url
+          insecureSkipTLSVerify: "true"
+          s3ForcePathStyle: "true"
+        provider: aws
+        default: true
+        credential:
+          key: cloud
+          name: cloud-credentials
+        objectStorage:
+          bucket: $bucketName <2>
+          prefix: $prefixName <2>
+status:
+  conditions:
+  - reason: Complete
+    status: "True"
+    type: Reconciled
+----
+<1> The `spec.configuration.restic.enable` field must be set to `false` for an image-based upgrade because persistent volume contents are retained and reused after the upgrade.
+<2> The bucket defines the bucket name that is created in S3 backend. The prefix defines the name of the subdirectory that will be automatically created in the bucket. The combination of bucket and prefix must be unique for each target cluster to avoid interference between them. To ensure a unique storage directory for each target cluster, you can use the {rh-rhacm} hub template function, for example, `prefix: {{hub .ManagedClusterName hub}}`.
+
+.Example `OadpSecret.yaml` file
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloud-credentials
+  namespace: openshift-adp
+  annotations:
+    ran.openshift.io/ztp-deploy-wave: "100"
+type: Opaque
+----
+
+.Example `OadpBackupStorageLocationStatus.yaml` file
+[source,yaml]
+----
+apiVersion: velero.io/v1
+kind: BackupStorageLocation
+metadata:
+  namespace: openshift-adp
+  annotations:
+    ran.openshift.io/ztp-deploy-wave: "100"
+status:
+  phase: Available
+----
+
+The `OadpBackupStorageLocationStatus.yaml` CR verifies the availability of backup storage locations created by OADP.
+--
+
+.. Add the CRs to your site `PolicyGenTemplate` with overrides:
++
+[source,yaml]
+----
+apiVersion: ran.openshift.io/v1
+kind: PolicyGenTemplate
+metadata:
+  name: "example-cnf"
+  namespace: "ztp-site"
+spec:
+  bindingRules:
+    sites: "example-cnf"
+    du-profile: "latest"
+  mcp: "master"
+  sourceFiles:
+    ...
+    - fileName: custom-crs/OadpSecret.yaml
+      policyName: "config-policy"
+      data:
+        cloud: <your_credentials> <1>
+    - fileName: custom-crs/DataProtectionApplication.yaml
+      policyName: "config-policy"
+      spec:
+        backupLocations:
+          - velero:
+              config:
+                region: minio
+                s3Url: <your_S3_URL> <2>
+                profile: "default"
+                insecureSkipTLSVerify: "true"
+                s3ForcePathStyle: "true"
+              provider: aws
+              default: true
+              credential:
+                key: cloud
+                name: cloud-credentials
+              objectStorage:
+                bucket: <your_bucket_name> <3>
+                prefix: <cluster_name> <3>
+    - fileName: custom-crs/OadpBackupStorageLocationStatus.yaml
+      policyName: "config-policy"
+----
+<1> Specify your credentials for your S3 storage backend.
+<2> Specify the URL for your S3-compatible bucket.
+<3> The `bucket` defines the bucket name that is created in S3 backend. The `prefix` defines the name of the subdirectory that will be automatically created in the `bucket`. The combination of `bucket` and `prefix` must be unique for each target cluster to avoid interference between them. To ensure a unique storage directory for each target cluster, you can use the {rh-rhacm} hub template function, for example, `prefix: {{hub .ManagedClusterName hub}}`.
\ No newline at end of file
diff --git a/modules/ztp-image-based-upgrade-prep-label-extramanifests.adoc b/modules/ztp-image-based-upgrade-prep-label-extramanifests.adoc
new file mode 100644
index 000000000000..1245f7ec2857
--- /dev/null
+++ b/modules/ztp-image-based-upgrade-prep-label-extramanifests.adoc
@@ -0,0 +1,94 @@
+// Module included in the following assemblies:
+// * edge_computing/image-based-upgrade/cnf-preparing-for-image-based-upgrade.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="ztp-image-based-upgrade-prep-label-extramanifests_{context}"]
+= Labeling extra manifests for the image-based upgrade with {ztp}
+
+Label your extra manifests so that the {lcao} can extract resources that are labeled with the `lca.openshift.io/target-ocp-version: <target_version>` label.
+
+.Prerequisites
+
+* Provision one or more managed clusters with {ztp}.
+* Log in as a user with `cluster-admin` privileges.
+* Generate a seed image from a compatible seed cluster.
+* Create a separate partition on the target cluster for the container images that is shared between stateroots. For more information, see "Configuring a shared container directory between ostree stateroots when using {ztp}".
+* Deploy a version of {lcao} that is compatible with the version used with the seed image.
+
+.Procedure
+
+. Label your required extra manifests with the `lca.openshift.io/target-ocp-version: <target_version>` label in your existing `PolicyGenTemplate` CR:
++
+[source,yaml]
+----
+apiVersion: ran.openshift.io/v1
+kind: PolicyGenTemplate
+metadata:
+  name: example-sno
+spec:
+  bindingRules:
+    sites: "example-sno"
+    du-profile: "4.15"
+  mcp: "master"
+  sourceFiles:
+    - fileName: SriovNetwork.yaml
+      policyName: "config-policy"
+      metadata:
+        name: "sriov-nw-du-fh"
+        labels:
+          lca.openshift.io/target-ocp-version: "4.15" <1>
+      spec:
+        resourceName: du_fh
+        vlan: 140
+    - fileName: SriovNetworkNodePolicy.yaml
+      policyName: "config-policy"
+      metadata:
+        name: "sriov-nnp-du-fh"
+        labels:
+          lca.openshift.io/target-ocp-version: "4.15"
+      spec:
+        deviceType: netdevice
+        isRdma: false
+        nicSelector:
+          pfNames: ["ens5f0"]
+        numVfs: 8
+        priority: 10
+        resourceName: du_fh
+    - fileName: SriovNetwork.yaml
+      policyName: "config-policy"
+      metadata:
+        name: "sriov-nw-du-mh"
+        labels:
+          lca.openshift.io/target-ocp-version: "4.15"
+      spec:
+        resourceName: du_mh
+        vlan: 150
+    - fileName: SriovNetworkNodePolicy.yaml
+      policyName: "config-policy"
+      metadata:
+        name: "sriov-nnp-du-mh"
+        labels:
+          lca.openshift.io/target-ocp-version: "4.15"
+      spec:
+        deviceType: vfio-pci
+        isRdma: false
+        nicSelector:
+          pfNames: ["ens7f0"]
+        numVfs: 8
+        priority: 10
+        resourceName: du_mh
+    - fileName: DefaultCatsrc.yaml <2>
+      policyName: "config-policy"
+      metadata:
+        name: default-cat-source
+        namespace: openshift-marketplace
+        labels:
+            lca.openshift.io/target-ocp-version: "4.15"
+      spec:
+          displayName: default-cat-source
+          image: quay.io/example-org/example-catalog:v1
+----
+<1> Ensure that the `lca.openshift.io/target-ocp-version` label matches either the y-stream or the z-stream of the target {product-title} version that is specified in the `spec.seedImageRef.version` field of the `ImageBasedUpgrade` CR. The {lcao} only applies the CRs that match the specified version.
+<2> If you do not want to use custom catalog sources, remove this entry.
+
+. Push the changes to your Git repository.
\ No newline at end of file
diff --git a/modules/ztp-image-based-upgrade-prep-oadp.adoc b/modules/ztp-image-based-upgrade-prep-oadp.adoc
new file mode 100644
index 000000000000..a51985535165
--- /dev/null
+++ b/modules/ztp-image-based-upgrade-prep-oadp.adoc
@@ -0,0 +1,136 @@
+// Module included in the following assemblies:
+// * edge_computing/image-based-upgrade/cnf-preparing-for-image-based-upgrade.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zztp-image-based-upgrade-prep-oadp_{context}"]
+= Creating OADP resources for the image-based upgrade with {ztp}
+
+Prepare your OADP resources to restore your application after an upgrade.
+
+.Prerequisites
+
+* Provision one or more managed clusters with {ztp}.
+* Log in as a user with `cluster-admin` privileges.
+* Generate a seed image from a compatible seed cluster.
+* Create a separate partition on the target cluster for the container images that is shared between stateroots. For more information, see "Configuring a shared container directory between ostree stateroots when using {ztp}".
+* Deploy a version of {lcao} that is compatible with the version used with the seed image.
+* Install the OADP Operator, the `DataProtectionApplication` CR, and its secret on the target cluster.
+* Create an S3-compatible storage solution and a ready-to-use bucket with proper credentials configured. For more information, see "Installing and configuring the OADP Operator with {ztp}".
+
+.Procedure
+
+. Ensure that your Git repository that you use with the ArgoCD policies application contains the following directory structure:
++
+--
+[source,terminal]
+----
+├── source-crs/
+│   ├── ibu/
+│   │    ├── ImageBasedUpgrade.yaml
+│   │    ├── PlatformBackupRestore.yaml
+│   │    ├── PlatformBackupRestoreLvms.yaml
+├── ...
+├── ibu-upgrade-ranGen.yaml
+├── kustomization.yaml
+----
+
+[IMPORTANT]
+====
+The `kustomization.yaml` file must be located in the same directory structure as previously shown to reference the `ibu-upgrade-ranGen.yaml` manifest.
+====
+
+The `source-crs/ibu/PlatformBackupRestore.yaml` file is provided in the ZTP container image.
+
+.PlatformBackupRestore.yaml
+include::snippets/ibu-PlatformBackupRestore.adoc[]
+
+If you use {lvms} to create persistent volumes, you can use the `source-crs/ibu/PlatformBackupRestoreLvms.yaml` provided in the ZTP container image to back up your {lvms} resources.
+
+.PlatformBackupRestoreLvms.yaml
+include::snippets/ibu-PlatformBackupRestoreLvms.adoc[]
+--
+
+. Optional: If you need to restore applications after the upgrade, create the OADP `Backup` and `Restore` CRs for your application in the `openshift-adp` namespace:
+
+.. Create the OADP CRs for cluster-scoped application artifacts in the `openshift-adp` namespace:
++
+.Example OADP CRs for cluster-scoped application artifacts for LSO and {LVMS}
+include::snippets/ibu-ApplicationClusterScopedBackupRestore.adoc[]
+
+.. Create the OADP CRs for your namespace-scoped application artifacts in the `source-crs/custom-crs` directory:
++
+--
+.Example OADP CRs namespace-scoped application artifacts when LSO is used
+include::snippets/ibu-ApplicationBackupRestoreLso.adoc[]
+
+.Example OADP CRs namespace-scoped application artifacts when {lvms} is used
+include::snippets/ibu-ApplicationBackupRestoreLvms.adoc[]
+
+[IMPORTANT]
+====
+The same version of the applications must function on both the current and the target release of {product-title}.
+====
+--
+
+. Create the `oadp-cm` `ConfigMap` object through the `oadp-cm-policy` in a new `PolicyGenTemplate` called `ibu-upgrade-ranGen.yaml`:
++
+[source,yaml]
+----
+apiVersion: ran.openshift.io/v1
+kind: PolicyGenTemplate
+metadata:
+  name: example-group-ibu
+  namespace: "ztp-group"
+spec:
+  bindingRules:
+    group-du-sno: ""
+  mcp: "master"
+  evaluationInterval: 
+    compliant: 10s
+    noncompliant: 10s
+  sourceFiles:
+  - fileName: ConfigMapGeneric.yaml
+    complianceType: mustonlyhave
+    policyName: "oadp-cm-policy"
+    metadata:
+      name: oadp-cm
+      namespace: openshift-adp
+----
+
+. Create a `kustomization.yaml` with the following content:
++
+[source,yaml]
+----
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+generators: <1>
+- ibu-upgrade-ranGen.yaml
+
+configMapGenerator: <2>
+- files:
+  - source-crs/ibu/PlatformBackupRestore.yaml
+  #- source-crs/custom-crs/ApplicationClusterScopedBackupRestore.yaml
+  #- source-crs/custom-crs/ApplicationApplicationBackupRestoreLso.yaml
+  name: oadp-cm
+  namespace: ztp-group
+generatorOptions:
+  disableNameSuffixHash: true 
+
+
+patches: <3>
+- target:
+    group: policy.open-cluster-management.io
+    version: v1
+    kind: Policy
+    name: group-ibu-oadp-cm-policy
+  patch: |-
+    - op: replace
+      path: /spec/policy-templates/0/objectDefinition/spec/object-templates/0/objectDefinition/data
+      value: '{{hub copyConfigMapData "ztp-group" "oadp-cm" hub}}'
+----
+<1> Generates the `oadp-cm-policy`.
+<2> Creates the `oadp-cm` `ConfigMap` object on the hub cluster with `Backup` and `Restore` CRs.
+<3> Overrides the data field of `ConfigMap` added in `oadp-cm-policy`. A hub template is used to propagate the `oadp-cm` `ConfigMap` to all target clusters.
+
+. Push the changes to your Git repository.
\ No newline at end of file
diff --git a/modules/ztp-image-based-upgrade-prep.adoc b/modules/ztp-image-based-upgrade-prep.adoc
deleted file mode 100644
index 85dc97157e41..000000000000
--- a/modules/ztp-image-based-upgrade-prep.adoc
+++ /dev/null
@@ -1,249 +0,0 @@
-// Module included in the following assemblies:
-// * scalability_and_performance/ztp-image-based-upgrade.adoc
-
-:_mod-docs-content-type: PROCEDURE
-[id="ztp-image-based-upgrade-prep_{context}"]
-= Preparing the {sno} cluster for the image-based upgrade
-
-When you deploy the {lcao} on a cluster, an `ImageBasedUpgrade` CR is automatically created.
-You edit this CR to specify the image repository of the seed image and to move through the different stages.
-
-.Prerequisites
-
-* Install {lcao} on the target cluster.
-* Generate a seed image from a compatible seed cluster.
-* Install the OADP Operator, the `DataProtectionApplication` CR and its secret on the target cluster.
-* Create an S3-compatible storage solution and a ready-to-use bucket with proper credentials configured. For more information, see _Additional resources_.
-* Create a separate partition on the target cluster for the container images that is shared between stateroots. For more information about, see _Additional resources_.
-
-[WARNING]
-====
-If the target cluster has multiple IPs and one of them belongs to the subnet that was used for creating the seed image, the upgrade fails if the target cluster's node IP does not belong to that subnet.
-====
-
-.Procedure
-
-This example procedure demonstrates how to back up and upgrade a cluster with applications which are using persistent volumes.
-
-[NOTE]
-====
-The target cluster does not need to be detached from the hub cluster.
-====
-
-. Create your OADP `Backup` and `Restore` CRs.
-
-.. To filter for backup-specific CRs, use the `lca.openshift.io/apply-label` annotation in your `Backup` CRs. Based on which resources you define in the annotation, the {lcao} applies the `lca.openshift.io/backup: <backup_name>` label and adds the `labelSelector.matchLabels.lca.openshift.io/backup: <backup_name>` label selector to the specified resources when creating the `Backup` CRs.
-+
---
-[source,yaml]
-----
-apiVersion: velero.io/v1
-kind: Backup
-metadata:
-  name: backup-acm-klusterlet
-  namespace: openshift-adp
-annotations:
-  lca.openshift.io/apply-label: rbac.authorization.k8s.io/v1/clusterroles/klusterlet,apps/v1/deployments/open-cluster-management-agent/klusterlet <1>
-labels:
-  velero.io/storage-location: default
-spec:
-  includeNamespace:
-   - open-cluster-management-agent
-  includeClusterScopedResources:
-   - clusterroles
-  includeNamespaceScopedResources:
-   - deployments
-----
-<1> The value must be a list of comma-separated objects in the `group/version/resource/name` format for cluster-scoped resources, or in the `group/version/resource/namespace/name` format for namespace-scoped resources. It must be attached to the related `Backup` CR.
-
-[IMPORTANT]
-====
-To use the `lca.openshift.io/apply-label` annotation for backing up specific resources, the resources listed in the annotation should also be included in the `spec` section.
-If the `lca.openshift.io/apply-label` annotation is used in the `Backup` CR, only the resources listed in the annotation will be backed up, even if other resource types are specified in the `spec` section or not.
-====
---
-
-.. Define the apply order for the OADP Operator in the `Backup` and `Restore` CRs by using the `lca.openshift.io/apply-wave` field:
-+
---
-[source,yaml]
-----
-apiVersion: velero.io/v1
-kind: Restore
-metadata:
-  name: restore-acm-klusterlet
-  namespace: openshift-adp
-  labels:
-    velero.io/storage-location: default
-  annotations:
-    lca.openshift.io/apply-wave: "1"
-spec:
-  backupName:
-    acm-klusterlet
----
-apiVersion: velero.io/v1
-kind: Restore
-metadata:
-  name: restore-example-app
-  namespace: openshift-adp
-  labels:
-    velero.io/storage-location: default
-  annotations:
-    lca.openshift.io/apply-wave: "3"
-spec:
-  backupName:
-    example-app
----
-apiVersion: velero.io/v1
-kind: Restore
-metadata:
-  name: restore-localvolume
-  namespace: openshift-adp
-  labels:
-    velero.io/storage-location: default
-  annotations:
-    lca.openshift.io/apply-wave: "2"
-spec:
-  backupName:
-    localvolume
-----
-
-[NOTE]
-====
-If you do not define the `lca.openshift.io/apply-wave` annotation in the `Backup` or `Restore` CRs, they will be applied together.
-====
---
-
-.. Create a `kustomization.yaml` that will append the information to a new `ConfigMap`:
-+
-[source,yaml]
-----
-configMapGenerator:
-- name: oadp-cm-example
-  namespace: openshift-adp
-  files:
-  - backup-acm-klusterlet.yaml
-  - backup-localvolume.yaml
-  - backup-example-app.yaml
-  - restore-acm-klusterlet.yaml
-  - restore-localvolume.yaml
-  - restore-example-app.yaml
-generatorOptions:
-  disableNameSuffixHash: true <1>
-----
-<1> Disables the hash generation at the end of the `ConfigMap` filename which allows the `ConfigMap` file to be overwritten when a new one is generated with the same name.
-
-.. Create the `ConfigMap`:
-+
-[source,terminal]
-----
-$ kustomize build ./ -o oadp-cm-example.yaml
-----
-+
-.Example output
-[source,terminal]
-----
-kind: ConfigMap
-metadata:
-  name: oadp-cm-example
-  namespace: openshift-adp
-[...]
-----
-
-.. Apply the `ConfigMap`:
-+
-[source,terminal]
-----
-$ oc apply -f oadp-cm-example.yaml
-----
-
-. (Optional) To keep your custom catalog sources after the upgrade, add them to the `spec.extraManifest` in the `ImageBasedUpgrade` CR. For more information, see xref:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.15/html-single/operators/index#olm-catalogsource_olm-understanding-olm[Catalog source].
-
-. Edit the `ImageBasedUpgrade` CR:
-+
-[source,yaml]
-----
-apiVersion: lca.openshift.io/v1alpha1
-kind: ImageBasedUpgrade
-metadata:
-  name: example-upgrade
-spec:
-  stage: Idle
-  seedImageRef:
-    version: 4.15.2 <1>
-    image: <seed_container_image> <2>
-    pullSecretRef: <seed_pull_secret> <3>
-  additionalImages:
-    name: ""
-    namespace: ""
-  autoRollbackOnFailure: {} <4>
-#    disabledForPostRebootConfig: "true" <5>
-#    disabledForUpgradeCompletion: "true" <6>
-#    disabledInitMonitor: "true" <7>
-#    initMonitorTimeoutSeconds: 1800 <8>
-#  extraManifests: <9>
-#  - name: sno-extra-manifests
-#    namespace: openshift-lifecycle-agent
-  oadpContent: <10>
-  - name: oadp-cm-example
-    namespace: openshift-adp
-----
-<1> Specify the target platform version. The value must match the version of the seed image.
-<2> Specify the repository where the target cluster can pull the seed image from.
-<3> Specify the reference to a secret with credentials to pull container images.
-<4> By default, automatic rollback on failure is enabled throughout the upgrade.
-<5> (Optional) If set to `true`, this option disables automatic rollback when the reconfiguration of the cluster fails upon the first reboot.
-<6> (Optional) If set to `true`, this option disables automatic rollback after the {lcao} reports a failed upgrade upon completion.
-<7> (Optional) If set to `true`, this option disables automatic rollback when the upgrade does not complete after reboot within the time frame specified in the `initMonitorTimeoutSeconds` field.
-<8> (Optional) Specifies the time frame in seconds. If not defined or set to `0`, the default value of `1800` seconds (30 minutes) is used.
-<9> (Optional) Specify the extra manifests to apply to the target cluster that are not part of the seed image. You can also add your custom catalog sources that you want to retain after the upgrade.
-<10> Add the `oadpContent` section with the OADP `ConfigMap` information.
-
-. Change the value of the `stage` field to `Prep` in the `ImageBasedUpgrade` CR:
-+
-[source,terminal]
-----
-$ oc patch imagebasedupgrades.lca.openshift.io example-upgrade -p='{"spec": {"stage": "Prep"}}' --type=merge -n openshift-lifecycle-agent
-----
-
-+
-The {lcao} checks for the health of the cluster, creates a new `ostree` stateroot, and pulls the seed image to the target cluster.
-Then, the Operator precaches all the required images on the target cluster.
-
-.Verification
-
-. Check the status of the `ImageBasedUpgrade` CR.
-+
-[source,terminal]
-----
-$ oc get ibu -A -oyaml
-----
-
-+
-.Example output
-[source,yaml]
-----
-status:
-  conditions:
-  - lastTransitionTime: "2024-01-01T09:00:00Z"
-    message: In progress
-    observedGeneration: 2
-    reason: InProgress
-    status: "False"
-    type: Idle
-  - lastTransitionTime: "2024-01-01T09:00:00Z"
-    message: 'Prep completed: total: 121 (pulled: 1, skipped: 120, failed: 0)'
-    observedGeneration: 2
-    reason: Completed
-    status: "True"
-    type: PrepCompleted
-  - lastTransitionTime: "2024-01-01T09:00:00Z"
-    message: Prep completed
-    observedGeneration: 2
-    reason: Completed
-    status: "False"
-    type: PrepInProgress
-  observedGeneration: 2
-----
-
-// Troubleshooting?
\ No newline at end of file
diff --git a/modules/ztp-image-based-upgrade-rollback.adoc b/modules/ztp-image-based-upgrade-rollback.adoc
deleted file mode 100644
index 8d52b9aae3f3..000000000000
--- a/modules/ztp-image-based-upgrade-rollback.adoc
+++ /dev/null
@@ -1,71 +0,0 @@
-// Module included in the following assemblies:
-// * scalability_and_performance/ztp-image-based-upgrade.adoc
-
-:_mod-docs-content-type: PROCEDURE
-[id="ztp-image-based-upgrade-rollback_{context}"]
-= (Optional) Initiating rollback of the {sno} cluster after an image-based upgrade
-
-You can manually roll back the changes if you encounter unresolvable issues after an upgrade.
-
-By default, an automatic rollback is initiated on the following conditions:
-
-* If the reconfiguration of the cluster fails upon the first reboot.
-* If the {lcao} reports a failed upgrade upon completing the process.
-* If the upgrade does not complete within the time frame specified in the `initMonitorTimeoutSeconds` field after rebooting.
-
-You can disable the automatic rollback configuration in the `ImageBasedUpgrade` CR at the `Prep` stage:
-
-.Example ImageBasedUpgrade CR
-[source,yaml]
-----
-apiVersion: lca.openshift.io/v1alpha1
-kind: ImageBasedUpgrade
-metadata:
-  name: example-upgrade
-spec:
-  stage: Idle
-  seedImageRef:
-    version: 4.15.2
-    image: <seed_container_image>
-  additionalImages:
-    name: ""
-    namespace: ""
-  autoRollbackOnFailure: {} <1>
-#    disabledForPostRebootConfig: "true" <2>
-#    disabledForUpgradeCompletion: "true" <3>
-#    disabledInitMonitor: "true" <4>
-#    initMonitorTimeoutSeconds: 1800 <5>
-[...]
-----
-<1> By default, automatic rollback on failure is enabled throughout the upgrade.
-<2> (Optional) If set to `true`, this option disables automatic rollback when the reconfiguration of the cluster fails upon the first reboot.
-<3> (Optional) If set to `true`, this option disables automatic rollback after the {lcao} reports a failed upgrade upon completion.
-<4> (Optional) If set to `true`, this option disables automatic rollback when the upgrade does not complete within the time frame specified in the `initMonitorTimeoutSeconds` field after reboot.
-<5> Specifies the time frame in seconds. If not defined or set to `0`, the default value of `1800` seconds (30 minutes) is used.
-
-.Prerequisites
-
-* Log in to the hub cluster as a user with `cluster-admin` privileges.
-
-.Procedure
-
-. Move to the rollback stage by changing the value of the `stage` field to `Rollback` in the `ImageBasedUpgrade` CR.
-+
-[source,terminal]
-----
-$ oc patch imagebasedupgrades.lca.openshift.io example-upgrade -p='{"spec": {"stage": "Rollback"}}' --type=merge
-----
-
-. The {lcao} reboots the cluster with the previously installed version of {product-title} and restores the applications.
-
-. Commit to the rollback by changing the value of the `stage` field to `Idle` in the `ImageBasedUpgrade` CR:
-+
-[source,terminal]
-----
-$ oc patch imagebasedupgrades.lca.openshift.io example-upgrade -p='{"spec": {"stage": "Idle"}}' --type=merge -n openshift-lifecycle-agent
-----
-
-[WARNING]
-====
-If you move to the `Idle` stage after a rollback, the {lcao} cleans up resources that can be used to troubleshoot a failed upgrade.
-====
\ No newline at end of file
diff --git a/modules/ztp-image-based-upgrade-seed-image-guide.adoc b/modules/ztp-image-based-upgrade-seed-image-guide.adoc
new file mode 100644
index 000000000000..71c6131744c1
--- /dev/null
+++ b/modules/ztp-image-based-upgrade-seed-image-guide.adoc
@@ -0,0 +1,30 @@
+// Module included in the following assemblies:
+// * edge_computing/image-based-upgrade/cnf-understanding-image-based-upgrade.adoc
+
+[id="ztp-image-based-upgrade-seed-image-guide_{context}"]
+= Seed image guidelines
+
+The seed image targets a set of {sno} clusters with similar configuration.
+This means that the seed cluster needs to have the same configuration as the target clusters for the following items:
+
+* Performance profile
+* `MachineConfig` resources for the target cluster
+* IP version
++
+[NOTE]
+====
+Dual-stack networking is not supported in this release.
+====
+
+* Set of Day 2 Operators, including the {lcao} and the OADP Operator
+* Disconnected registry
+* FIPS configuration
+* If the target cluster has multiple IPs and one of them belongs to the subnet that was used for creating the seed image, the upgrade fails if the target cluster's node IP does not belong to that subnet.
+
+The following configurations only have to partially match on the participating clusters:
+
+* If the target cluster has a proxy configuration, the seed cluster must have a proxy configuration too but the configuration does not have to be the same.
+* A dedicated partition on the primary disk for container storage is required on all participating clusters. However, the size and start of the partition does not have to be the same. Only the `spec.config.storage.disks.partitions.label: varlibcontainers` label in the `MachineConfig` CR must match on both the seed and target clusters.
+For more information about how to create the disk partition, see "Configuring a shared container directory between ostree stateroots" or "Configuring a shared container directory between ostree stateroots when using GitOps ZTP".
+
+For more information about what to include in the seed image, see "Seed image configuration" and "Seed image configuration using the RAN DU profile".
\ No newline at end of file
diff --git a/modules/ztp-image-based-upgrade-share-container-directory.adoc b/modules/ztp-image-based-upgrade-shared-container-directory.adoc
similarity index 61%
rename from modules/ztp-image-based-upgrade-share-container-directory.adoc
rename to modules/ztp-image-based-upgrade-shared-container-directory.adoc
index 4c11c2b9b4cd..759fabf8bef1 100644
--- a/modules/ztp-image-based-upgrade-share-container-directory.adoc
+++ b/modules/ztp-image-based-upgrade-shared-container-directory.adoc
@@ -1,85 +1,11 @@
 // Module included in the following assemblies:
-// * scalability_and_performance/ztp-image-based-upgrade.adoc
+// * edge_computing/image-based-upgrade/cnf-preparing-for-image-based-upgrade.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="ztp-image-based-upgrade-shared-container-directory_{context}"]
-= Sharing the container directory between `ostree` stateroots
+= Configuring a shared container directory between ostree stateroots when using {ztp}
 
-You must apply a `MachineConfig` to both the seed and the target clusters during installation time to create a separate partition and share the `/var/lib/containers` directory between the two `ostree` stateroots that will be used during the upgrade process.
-
-[id="ztp-image-based-upgrade-shared-container-directory-acm_{context}"]
-== Sharing the container directory between `ostree` stateroots when using {rh-rhacm}
-
-When you are using {rh-rhacm}, you must apply a `MachineConfig` to both the seed and target clusters.
-
-[IMPORTANT]
-====
-You must complete this procedure at installation time.
-====
-
-.Prerequisites
-
-* Log in as a user with `cluster-admin` privileges.
-
-.Procedure
-
-. Apply a `MachineConfig` to create a separate partition.
-+
-[source,yaml]
-----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 98-var-lib-containers-partitioned
-spec:
-  config:
-    ignition:
-      version: 3.2.0
-    storage:
-      disks:
-        - device: /dev/disk/by-id/wwn-<root_disk> <1>
-          partitions:
-            - label: varlibcontainers
-              startMiB: <start_of_parition> <2>
-              sizeMiB: <parition_size> <3>
-      filesystems:
-        - device: /dev/disk/by-partlabel/varlibcontainers
-          format: xfs
-          mountOptions:
-            - defaults
-            - prjquota
-          path: /var/lib/containers
-          wipeFilesystem: true
-    systemd:
-      units:
-        - contents: |-
-            # Generated by Butane
-            [Unit]
-            Before=local-fs.target
-            Requires=systemd-fsck@dev-disk-by\x2dpartlabel-varlibcontainers.service
-            After=systemd-fsck@dev-disk-by\x2dpartlabel-varlibcontainers.service
-
-            [Mount]
-            Where=/var/lib/containers
-            What=/dev/disk/by-partlabel/varlibcontainers
-            Type=xfs
-            Options=defaults,prjquota
-
-            [Install]
-            RequiredBy=local-fs.target
-          enabled: true
-          name: var-lib-containers.mount
-----
-<1> Specify the root disk.
-<2> Specify the start of the partition in MiB. If the value is too small, the installation will fail.
-<3> Specify the size of the partition. If the value is too small, the deployments after installation will fail.
-
-[id="ztp-image-based-upgrade-shared-container-directory-ztp_{context}"]
-== Sharing the container directory between `ostree` stateroots when using GitOps ZTP
-
-When you are using the GitOps ZTP workflow, you can do the following procedure to create a separate disk partition on both the seed and target cluster and to share the `/var/lib/containers` directory.
+When you are using the {ztp-first} workflow, you do the following procedure to create a separate disk partition on both the seed and target cluster and to share the `/var/lib/containers` directory.
 
 [IMPORTANT]
 ====
@@ -88,12 +14,11 @@ You must complete this procedure at installation time.
 
 .Prerequisites
 
-* Log in as a user with `cluster-admin` privileges.
 * Install Butane.
 
 .Procedure
 
-. Create the `storage.bu` file.
+. Create the `storage.bu` file:
 +
 [source,yaml]
 ----
@@ -105,8 +30,8 @@ storage:
     wipe_table: false
     partitions:
     - label: var-lib-containers
-      start_mib: <start_of_parition> <2>
-      size_mib: <parition_size> <3>
+      start_mib: <start_of_partition> <2>
+      size_mib: <partition_size> <3>
   filesystems:
     - path: /var/lib/containers
       device: /dev/disk/by-partlabel/var-lib-containers
@@ -119,9 +44,9 @@ storage:
 ----
 <1> Specify the root disk.
 <2> Specify the start of the partition in MiB. If the value is too small, the installation will fail.
-<3> Specify the size of the partition. If the value is too small, the deployments after installation will fail.
+<3> Specify a minimum size for the partition of 500 GB to ensure adequate disk space for precached images. If the value is too small, the deployments after installation will fail.
 
-. Convert the `storage.bu` to an Ignition file.
+. Convert the `storage.bu` to an Ignition file:
 +
 --
 [source,terminal]
@@ -136,7 +61,7 @@ $ butane storage.bu
 ----
 --
 
-. Copy the output into the `.spec.clusters.nodes.ignitionConfigOverride` field in the `SiteConfig` CR.
+. Copy the output into the `.spec.clusters.nodes.ignitionConfigOverride` field in the `SiteConfig` CR:
 +
 [source,yaml]
 ----
@@ -150,7 +75,7 @@ spec:
 
 .Verification
 
-. During or after installation, verify on the hub cluster that the `BareMetalHost` object shows the annotation.
+. During or after installation, verify on the hub cluster that the `BareMetalHost` object shows the annotation:
 +
 --
 [source,terminal]
diff --git a/modules/ztp-image-based-upgrade-talm-prep.adoc b/modules/ztp-image-based-upgrade-talm-prep.adoc
new file mode 100644
index 000000000000..5c10dd73eea2
--- /dev/null
+++ b/modules/ztp-image-based-upgrade-talm-prep.adoc
@@ -0,0 +1,194 @@
+// Module included in the following assemblies:
+// * edge_computing/image-based-upgrade/ztp-image-based-upgrade.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="ztp-image-based-upgrade-prep-gitops_{context}"]
+= Moving to the Prep stage of the image-based upgrade with {lcao} and {ztp}
+
+When you deploy the {lcao} on a cluster, an `ImageBasedUpgrade` CR is automatically created. You update this CR to specify the image repository of the seed image and to move through the different stages.
+
+.Prerequisites
+
+* Create policies and `ConfigMap` objects for resources used in the image-based upgrade. For more information, see "Creating ConfigMap objects for the image-based upgrade with {ztp}
+
+.Procedure
+
+. Add policies for the `Prep`, `Upgrade`, and `Idle` stages to your existing group `PolicyGenTemplate` called `ibu-upgrade-ranGen.yaml`:
++
+[source,yaml]
+----
+apiVersion: ran.openshift.io/v1
+kind: PolicyGenTemplate
+metadata:
+  name: example-group-ibu
+  namespace: "ztp-group"
+spec:
+  bindingRules:
+    group-du-sno: ""
+  mcp: "master"
+  evaluationInterval: <1>
+    compliant: 10s
+    noncompliant: 10s
+  sourceFiles:
+    - fileName: ConfigMapGeneric.yaml
+      complianceType: mustonlyhave
+      policyName: "oadp-cm-policy"
+      metadata:
+        name: oadp-cm
+        namespace: openshift-adp
+    - fileName: ibu/ImageBasedUpgrade.yaml
+      policyName: "prep-stage-policy"
+      spec:
+        stage: Prep
+        seedImageRef: <2>
+          version: "4.15.0"
+          image: "quay.io/user/lca-seed:4.15.0"
+          pullSecretRef:
+            name: "<seed_pull_secret>"
+        oadpContent: <3>
+        - name: "oadp-cm"
+          namespace: "openshift-adp"
+      status:
+        conditions:
+          - reason: Completed
+            status: "True"
+            type: PrepCompleted
+            message: "Prep stage completed successfully"
+    - fileName: ibu/ImageBasedUpgrade.yaml
+      policyName: "upgrade-stage-policy"
+      spec:
+        stage: Upgrade
+      status:
+        conditions:
+          - reason: Completed
+            status: "True"
+            type: UpgradeCompleted
+    - fileName: ibu/ImageBasedUpgrade.yaml
+      policyName: "finalize-stage-policy"
+      complianceType: mustonlyhave
+      spec:
+        stage: Idle
+    - fileName: ibu/ImageBasedUpgrade.yaml
+      policyName: "finalize-stage-policy"
+      status:
+        conditions:
+          - reason: Idle
+            status: "True"
+            type: Idle
+----
+<1> The policy evaluation interval for compliant and non-compliant policies. Set them to `10s` to ensure that the policies status accurately reflects the current upgrade status.
+<2> Define the seed image, {product-title} version, and pull secret for the upgrade in the Prep stage.
+<3> Define the OADP `ConfigMap` resources required for backup and restore.
+
+. Verify that the policies required for an image-based upgrade are created by running the following command:
++
+--
+[source,terminal]
+----
+$ oc get policies -n spoke1 | grep -E "example-group-ibu"
+----
+
+.Example output
+[source,terminal]
+----
+ztp-group.example-group-ibu-oadp-cm-policy       inform               NonCompliant          31h
+ztp-group.example-group-ibu-prep-stage-policy          inform               NonCompliant          31h
+ztp-group.example-group-ibu-upgrade-stage-policy       inform               NonCompliant          31h
+ztp-group.example-group-ibu-finalize-stage-policy      inform               NonCompliant          31h
+ztp-group.example-group-ibu-rollback-stage-policy      inform               NonCompliant          31h
+----
+--
+
+. Update the `du-profile` cluster label to the target platform version or the corresponding policy-binding label in the `SiteConfig` CR.
++
+--
+[source,yaml]
+----
+apiVersion: ran.openshift.io/v1
+kind: SiteConfig
+[...]
+spec:
+  [...]
+    clusterLabels:
+      du-profile: "4.15.0"
+----
+
+[IMPORTANT]
+====
+Updating the labels to the target platform version unbinds the existing set of policies.
+====
+--
+
+. Commit and push the updated `SiteConfig` CR to the Git repository.
+
+. When you are ready to move to the `Prep` stage, create the `ClusterGroupUpgrade` CR on the target hub cluster with the `Prep` and OADP `ConfigMap` policies:
++
+[source,yaml]
+----
+apiVersion: ran.openshift.io/v1alpha1
+kind: ClusterGroupUpgrade
+metadata:
+  name: cgu-ibu-prep
+  namespace: default
+spec:
+  clusters:
+  - spoke1
+  enable: true
+  managedPolicies:
+  - example-group-ibu-oadp-cm-policy
+  - example-group-ibu-prep-stage-policy
+  remediationStrategy:
+    canaries:
+      - spoke1
+    maxConcurrency: 1
+    timeout: 240
+----
+
+. Apply the `Prep` policy by running the following command:
++
+--
+[source,terminal]
+----
+$ oc apply -f cgu-ibu-prep.yml
+----
+
+If you provide `ConfigMap` objects for OADP resources and extra manifests, {lcao} validates the specified `ConfigMap` objects during the `Prep` stage.
+You might encounter the following issues: 
+
+* Validation warnings or errors if the {lcao} detects any issues with `extraManifests` 
+* Validation errors if the {lcao} detects any issues with `oadpContent`
+
+Validation warnings do not block the `Upgrade` stage but you must decide if it is safe to proceed with the upgrade.
+These warnings, for example missing CRDs, namespaces or dry run failures, update the `status.conditions` in the `Prep` stage and `annotation` fields in the `ImageBasedUpgrade` CR with details about the warning.
+
+.Example validation warning
+[source,yaml]
+----
+[...]
+metadata:
+annotations:
+  extra-manifest.lca.openshift.io/validation-warning: '...'
+[...]
+----
+
+However, validation errors, such as adding `MachineConfig` or Operator manifests to extra manifests, cause the `Prep` stage to fail and block the `Upgrade` stage.
+
+When the validations pass, the cluster creates a new `ostree` stateroot, which involves pulling and unpacking the seed image, and running host level commands.
+Finally, all the required images are precached on the target cluster.
+--
+
+. Monitor the status and wait for the `cgu-ibu-prep` `ClusterGroupUpgrade` to report `Completed` by running the following command:
++
+--
+[source,terminal]
+----
+$ oc get cgu -n default
+----
+
+.Example output
+[source,terminal]
+----
+NAME                    AGE   STATE       DETAILS
+cgu-ibu-prep            31h   Completed   All clusters are compliant with all the managed policies
+----
+--
\ No newline at end of file
diff --git a/modules/ztp-image-based-upgrade-talm-rollback.adoc b/modules/ztp-image-based-upgrade-talm-rollback.adoc
new file mode 100644
index 000000000000..7fe6de1c8168
--- /dev/null
+++ b/modules/ztp-image-based-upgrade-talm-rollback.adoc
@@ -0,0 +1,106 @@
+// Module included in the following assemblies:
+// * edge_computing/image-based-upgrade/ztp-image-based-upgrade.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="ztp-image-based-upgrade-with-talm-rollback_{context}"]
+= (Optional) Moving to the Rollback stage with {lcao} and {ztp}
+
+If you encounter an issue after upgrade, you can start a manual rollback.
+
+.Procedure
+
+. Revert the `du-profile` or the corresponding policy-binding label to the original platform version in the `SiteConfig` CR:
++
+[source,yaml]
+----
+apiVersion: ran.openshift.io/v1
+kind: SiteConfig
+[...]
+spec:
+  [...]
+    clusterLabels:
+      du-profile: "4.14.x"
+----
+
+. When you are ready to initiate the rollback, add the `Rollback` policy to your existing group `PolicyGenTemplate` CR:
++
+[source,yaml]
+----
+[...]
+- fileName: ibu/ImageBasedUpgrade.yaml
+  policyName: "rollback-stage-policy"
+  spec:
+    stage: Rollback
+  status:
+    conditions:
+      - message: Rollback completed
+        reason: Completed
+        status: "True"
+        type: RollbackCompleted
+----
+
+. Create a `ClusterGroupUpgrade` CR on target hub cluster that references the `Rollback` policy:
++
+[source,yaml]
+----
+apiVersion: ran.openshift.io/v1alpha1
+kind: ClusterGroupUpgrade
+metadata:
+  name: cgu-ibu-rollback
+  namespace: default
+spec:
+  actions:
+    beforeEnable:
+      removeClusterAnnotations:
+      - import.open-cluster-management.io/disable-auto-import
+  clusters: 
+  - spoke1
+  enable: true
+  managedPolicies: 
+  - example-group-ibu-rollback-stage-policy
+  remediationStrategy: 
+    canaries: 
+      - spoke1
+    maxConcurrency: 1 
+    timeout: 240
+----
+
+. Apply the `Rollback` policy by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f cgu-ibu-rollback.yml
+----
+
+. When you are satisfied with the changes and you are ready to finalize the rollback, create a `ClusterGroupUpgrade` CR on target hub cluster that references the policy that finalizes the rollback:
++
+[source,yaml]
+----
+apiVersion: ran.openshift.io/v1alpha1
+kind: ClusterGroupUpgrade
+metadata:
+  name: cgu-ibu-finalize
+  namespace: default
+spec:
+  actions:
+    beforeEnable:
+      removeClusterAnnotations:
+      - import.open-cluster-management.io/disable-auto-import
+  clusters: 
+  - spoke1
+  enable: true
+  managedPolicies: 
+  - example-group-ibu-finalize-stage-policy
+  remediationStrategy: 
+    canaries:
+      - spoke1
+    maxConcurrency: 1 
+    timeout: 240
+----
+
+. Apply the policy by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f cgu-ibu-finalize.yml
+----
\ No newline at end of file
diff --git a/modules/ztp-image-based-upgrade-talm-upgrade.adoc b/modules/ztp-image-based-upgrade-talm-upgrade.adoc
new file mode 100644
index 000000000000..f90a408a7e6f
--- /dev/null
+++ b/modules/ztp-image-based-upgrade-talm-upgrade.adoc
@@ -0,0 +1,131 @@
+// Module included in the following assemblies:
+// * edge_computing/image-based-upgrade/ztp-image-based-upgrade.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="ztp-image-based-upgrade-upgrade-gitops_{context}"]
+= Moving to the Upgrade stage of the image-based upgrade with {lcao} and {ztp}
+
+After you completed the `Prep` stage, you can upgrade the target cluster. During the upgrade process, the OADP Operator creates a backup of the artifacts specified in the OADP CRs, then the {lcao} upgrades the cluster.
+
+If the upgrade fails or stops, an automatic rollback is initiated.
+If you have an issue after the upgrade, you can initiate a manual rollback.
+For more information about manual rollback, see "(Optional) Initiating a rollback with Lifecycle Agent and {ztp}".
+
+.Prerequisites
+
+* Complete the `Prep` stage.
+
+.Procedure
+
+. When you are ready to move to the `Upgrade` stage, create the `ClusterGroupUpgrade` CR on the target hub cluster that references the `Upgrade` policy:
++
+[source,yaml]
+----
+apiVersion: ran.openshift.io/v1alpha1
+kind: ClusterGroupUpgrade
+metadata:
+  name: cgu-ibu-upgrade
+  namespace: default
+spec:
+  actions:
+    beforeEnable:
+      addClusterAnnotations:
+        import.open-cluster-management.io/disable-auto-import: "true" <1>
+    afterCompletion:
+      removeClusterAnnotations:
+      - import.open-cluster-management.io/disable-auto-import <2>
+  clusters: 
+  - spoke1
+  enable: true
+  managedPolicies: 
+  - example-group-ibu-upgrade-stage-policy
+  remediationStrategy: 
+    canaries: 
+      - spoke1
+    maxConcurrency: 1 
+    timeout: 240
+----
+<1> Applies the `disable-auto-import` annotation to the managed cluster before starting the upgrade. This annotation ensures the automatic importing of managed cluster is disabled during the upgrade stage until the cluster is ready.
+<2> Removes the `disable-auto-import` annotation after the upgrade is complete.
+
+. Apply the `Upgrade` policy by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f cgu-ibu-upgrade.yml
+----
+
+. Monitor the status by running the following command and wait for the `cgu-ibu-upgrade` `ClusterGroupUpgrade` to report `Completed`:
++
+--
+[source,terminal]
+----
+$ oc get cgu -n default
+----
+
+.Example output
+[source,terminal]
+----
+NAME                              AGE   STATE       DETAILS
+cgu-ibu-prep            31h   Completed   All clusters are compliant with all the managed policies
+cgu-ibu-upgrade         31h   Completed   All clusters are compliant with all the managed policies
+----
+--
+
+. When you are satisfied with the changes and ready to finalize the upgrade, create a `ClusterGroupUpgrade` CR on target hub cluster that references the policy that finalizes the upgrade:
++
+--
+[source,yaml]
+----
+apiVersion: ran.openshift.io/v1alpha1
+kind: ClusterGroupUpgrade
+metadata:
+  name: cgu-ibu-finalize
+  namespace: default
+spec:
+  actions:
+    beforeEnable:
+      removeClusterAnnotations:
+      - import.open-cluster-management.io/disable-auto-import
+  clusters: 
+  - spoke1
+  enable: true
+  managedPolicies: 
+  - example-group-ibu-finalize-stage-policy
+  remediationStrategy: 
+    canaries: 
+      - spoke1
+    maxConcurrency: 1 
+    timeout: 240
+----
+
+[IMPORTANT]
+====
+Ensure that no other `ClusterGroupUpgrade` CRs are in progress because this causes {cgu-operator} to continuously reconcile them. Delete all `"In-Progress"` `ClusterGroupUpgrade` CRs before applying the `cgu-ibu-finalize.yaml`. 
+====
+--
+
+. Apply the policy by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f cgu-ibu-finalize.yaml
+----
+
+. Monitor the status by running the following command: and wait for the `cgu-ibu-finalize` `ClusterGroupUpgrade` to report `Completed`:
++
+--
+[source,terminal]
+----
+$ oc get cgu -n default
+----
+
+.Example output
+[source,terminal]
+----
+NAME                    AGE   STATE       DETAILS
+cgu-ibu-finalize        30h   Completed   All clusters are compliant with all the managed policies
+cgu-ibu-prep            31h   Completed   All clusters are compliant with all the managed policies
+cgu-ibu-upgrade         31h   Completed   All clusters are compliant with all the managed policies
+----
+--
\ No newline at end of file
diff --git a/modules/ztp-image-based-upgrade-talm.adoc b/modules/ztp-image-based-upgrade-talm.adoc
deleted file mode 100644
index f9a986be1f8c..000000000000
--- a/modules/ztp-image-based-upgrade-talm.adoc
+++ /dev/null
@@ -1,494 +0,0 @@
-// Module included in the following assemblies:
-// * scalability_and_performance/ztp-image-based-upgrade.adoc
-
-:_mod-docs-content-type: PROCEDURE
-[id="ztp-image-based-upgrade-with-talm_{context}"]
-= Upgrading the {sno} cluster with {lcao} through GitOps ZTP
-
-You can upgrade your managed {sno} cluster with the image-based upgrade through GitOps ZTP.
-
-[IMPORTANT]
-====
-During the Developer Preview of this feature, when upgrading a cluster, any custom trusted certificates configured on the cluster will be lost. As a temporary workaround, to preserve these certificates, you must use a seed image from a seed cluster that trusts the certificates.
-====
-
-.Prerequisites
-
-* Install {rh-rhacm} 2.9.2. or later version.
-* Install {cgu-operator}.
-* Update GitOps ZTP to the latest version.
-* Provision one or more managed clusters with GitOps ZTP.
-* Log in as a user with `cluster-admin` privileges.
-* You generated a seed image from a compatible seed cluster.
-* Create an S3-compatible storage solution and a ready-to-use bucket with proper credentials configured. For more information, see _Additional resources_.
-* Create a separate partition on the target cluster for the container images that is shared between stateroots. For more information about, see _Additional resources_.
-
-.Procedure
-
-. Create a policy for the OADP `ConfigMap`, named `oadp-cm-common-policies`. For more information about how to create the `ConfigMap`, follow the first step in _Preparing the single-node OpenShift cluster for the image-based upgrade_ in _Additional resources_.
-
-+
-[IMPORTANT]
-====
-Depending on the {rh-rhacm} configuration, the `v1/secrets/open-cluster-management-agent/open-cluster-management-image-pull-credentials` object must be backed up.
-Check if your `MultiClusterHub` CR has the `spec.imagePullSecret` field defined and the secret exists in the `open-cluster-management-agent` namespace in your hub cluster. If the `spec.imagePullSecret` field does not exist, you can remove the `v1/secrets/open-cluster-management-agent/open-cluster-management-image-pull-credentials` object from the `lca.openshift.io/apply-label` annotation.
-====
-
-. (Optional) Create a policy for the `ConfigMap` of your user-specific extra manifests that are not part of the seed image. The {lcao} does not automatically extract these extra manifests from the seed cluster, so you can add a `ConfigMap` resource of your user-specific extra manifests in the `spec.extraManifests` field in the `ImageBasedUpgrade` CR.
-
-. (Optional) To keep your custom catalog sources after the upgrade, add them to the `spec.extraManifest` in the `ImageBasedUpgrade` CR. For more information, see xref:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.15/html-single/operators/index#olm-catalogsource_olm-understanding-olm[Catalog source].
-
-. Create a `PolicyGenTemplate` CR that contains policies for the `Prep` and `Upgrade` stages.
-+
-[source,yaml]
-----
-apiVersion: ran.openshift.io/v1
-kind: PolicyGenTemplate
-metadata:
-  name: group-ibu
-  namespace: "ztp-group"
-spec:
-  bindingRules:
-    group-du-sno: ""
-  mcp: "master"
-  evaluationInterval: <1>
-    compliant: 10s
-    noncompliant: 10s
-  sourceFiles:
-    - fileName: ImageBasedUpgrade.yaml
-      policyName: "prep-policy"
-      spec:
-        stage: Prep
-        seedImageRef: <2>
-          version: "4.15.0"
-          image: "quay.io/user/lca-seed:4.15.0"
-          pullSecretRef:
-            name: "<seed_pull_secret>"
-        oadpContent: <3>
-        - name: "oadp-cm-common-policies"
-          namespace: "openshift-adp"
-#       extraManifests: <4>
-#       - name: sno-extra-manifests
-#         namespace: openshift-lifecycle-agent
-      status:
-        conditions:
-          - reason: Completed
-            status: "True"
-            type: PrepCompleted
-    - fileName: ImageBasedUpgrade.yaml
-      policyName: "upgrade-policy"
-      spec:
-        stage: Upgrade
-      status:
-        conditions:
-          - reason: Completed
-            status: "True"
-            type: UpgradeCompleted
-----
-<1> The policy evaluation interval for compliant and non-compliant policies. Set them to `10s` to ensure that the policies status accurately reflects the current upgrade status.
-<2> Define the seed image, {product-title} version, and pull secret for the upgrade in the `Prep` stage.
-<3> Define the OADP `ConfigMap` resources required for backup and restore in the `Prep` stage.
-<4> (Optional) Define the `ConfigMap` resource for your user-specific extra manifests in the `Prep` stage. You can also add your custom catalog sources that you want to retain after the upgrade.
-
-. Create a `PolicyGenTemplate` CR for the default set of extra manifests:
-+
-[source,yaml]
-----
-apiVersion: ran.openshift.io/v1
-kind: PolicyGenTemplate
-metadata:
-  name: sno-ibu
-spec:
-  bindingRules:
-    sites: "example-sno"
-    du-profile: "4.15.0"
-  mcp: "master"
-  sourceFiles:
-    - fileName: SriovNetwork.yaml
-      policyName: "config-policy"
-      metadata:
-        name: "sriov-nw-du-fh"
-        labels:
-          lca.openshift.io/target-ocp-version: “4.15.0” <1>
-      spec:
-        resourceName: du_fh
-        vlan: 140
-    - fileName: SriovNetworkNodePolicy.yaml
-      policyName: "config-policy"
-      metadata:
-        name: "sriov-nnp-du-fh"
-        labels:
-          lca.openshift.io/target-ocp-version: “4.15.0” <1>
-      spec:
-        deviceType: netdevice
-        isRdma: false
-        nicSelector:
-          pfNames: ["ens5f0"]
-        numVfs: 8
-        priority: 10
-        resourceName: du_fh
-    - fileName: SriovNetwork.yaml
-      policyName: "config-policy"
-      metadata:
-        name: "sriov-nw-du-mh"
-        labels:
-          lca.openshift.io/target-ocp-version: “4.15.0” <1>
-      spec:
-        resourceName: du_mh
-        vlan: 150
-    - fileName: SriovNetworkNodePolicy.yaml
-      policyName: "config-policy"
-      metadata:
-        name: "sriov-nnp-du-mh"
-        labels:
-          lca.openshift.io/target-ocp-version: “4.15.0” <1>
-      spec:
-        deviceType: vfio-pci
-        isRdma: false
-        nicSelector:
-          pfNames: ["ens7f0"]
-        numVfs: 8
-        priority: 10
-        resourceName: du_mh
-----
-<1> Ensure that the `lca.openshift.io/target-ocp-version` label matches the target {product-title} version that is specified in the `seedImageRef.version` field of the `ImageBasedUpgrade` CR. The {lcao} only applies the CRs that match the specified version.
-
-. Commit, and push the created CRs to the GitOps ZTP Git repository.
-
-.. Verify that the stage and status policies are created:
-+
---
-[source,terminal]
-----
-$ oc get policies -n spoke1 | grep -E "group-ibu"
-----
-
-.Example output
-[source,terminal]
-----
-ztp-group.group-ibu-prep-policy          inform               NonCompliant          31h
-ztp-group.group-ibu-upgrade-policy       inform               NonCompliant          31h
-----
---
-
-. To reflect the target platform version, update the `du-profile` or the corresponding policy-binding label in the `SiteConfig` CR.
-+
-[source,yaml]
-----
-apiVersion: ran.openshift.io/v1
-kind: SiteConfig
-[...]
-spec:
-  [...]
-    clusterLabels:
-      du-profile: "4.15.0"
-----
-
-+
-[IMPORTANT]
-====
-Updating the labels to the target platform version unbinds the existing set of policies.
-====
-
-. Commit and push the updated `SiteConfig` CR to the GitOps ZTP Git repository.
-
-. When you are ready to move to the `Prep` stage, create the `ClusterGroupUpgrade` CR with the `Prep` and OADP `ConfigMap` policies:
-+
-[source,yaml]
-----
-apiVersion: ran.openshift.io/v1alpha1
-kind: ClusterGroupUpgrade
-metadata:
-  name: cgu-ibu-prep
-  namespace: default
-spec:
-  clusters:
-  - spoke1
-  enable: true
-  managedPolicies:
-  - oadp-cm-common-policies
-  - group-ibu-prep-policy
-#  - user-spec-extra-manifests
-  remediationStrategy:
-    canaries:
-      - spoke1
-    maxConcurrency: 1
-    timeout: 240
-----
-
-. Apply the `Prep` policy:
-+
-[source,terminal]
-----
-$ oc apply -f cgu-ibu-prep.yml
-----
-
-.. Monitor the status and wait for the `cgu-ibu-prep` `ClusterGroupUpgrade` to report `Completed`.
-+
---
-[source,terminal]
-----
-$ oc get cgu -n default
-----
-
-.Example output
-[source,terminal]
-----
-NAME                    AGE   STATE       DETAILS
-cgu-ibu-prep            31h   Completed   All clusters are compliant with all the managed policies
-----
---
-
-. When you are ready to move to the `Upgrade` stage, create the `ClusterGroupUpgrade` CR that references the `Upgrade` policy:
-+
-[source,yaml]
-----
-apiVersion: ran.openshift.io/v1alpha1
-kind: ClusterGroupUpgrade
-metadata:
-  name: cgu-ibu-upgrade
-  namespace: default
-spec:
-  clusters:
-  - spoke1
-  enable: true
-  managedPolicies:
-  - group-ibu-upgrade-policy
-  remediationStrategy:
-    canaries:
-      - spoke1
-    maxConcurrency: 1
-    timeout: 240
-----
-
-. Apply the `Upgrade` policy:
-+
-[source,terminal]
-----
-$ oc apply -f cgu-ibu-upgrade.yml
-----
-
-.. Monitor the status and wait for the `cgu-ibu-upgrade` `ClusterGroupUpgrade` to report `Completed`.
-+
---
-[source,terminal]
-----
-$ oc get cgu -n default
-----
-
-.Example output
-[source,terminal]
-----
-NAME                    AGE   STATE       DETAILS
-cgu-ibu-prep            31h   Completed   All clusters are compliant with all the managed policies
-cgu-ibu-upgrade         31h   Completed   All clusters are compliant with all the managed policies
-----
---
-
-. When you are satisfied with the changes and ready to finalize the upgrade, create the `PolicyGenTemplate` to finalize the upgrade:
-+
-[source,yaml]
-----
-apiVersion: ran.openshift.io/v1
-kind: PolicyGenTemplate
-metadata:
-  name: group-ibu
-  namespace: "ztp-group"
-spec:
-  bindingRules:
-    group-du-sno: ""
-  mcp: "master"
-  evaluationInterval:
-    compliant: 10s
-    noncompliant: 10s
-  sourceFiles:
-    - fileName: ImageBasedUpgrade.yaml
-      policyName: "finalize-policy"
-      spec:
-        stage: Idle
-      status:
-        conditions:
-          - status: "True"
-            type: Idle
-----
-
-. Create a `ClusterGroupUpgrade` CR that references the policy that finalizes the upgrade:
-+
-[source,yaml]
-----
-apiVersion: ran.openshift.io/v1alpha1
-kind: ClusterGroupUpgrade
-metadata:
-  name: cgu-ibu-finalize
-  namespace: default
-spec:
-  clusters:
-  - spoke1
-  enable: true
-  managedPolicies:
-  - group-ibu-finalize-policy
-  remediationStrategy:
-    canaries:
-      - spoke1
-    maxConcurrency: 1
-    timeout: 240
-----
-
-. Apply the policy:
-+
-[source,terminal]
-----
-$ oc apply -f cgu-ibu-finalize.yml
-----
-
-.. Monitor the status and wait for the `cgu-ibu-upgrade` `ClusterGroupUpgrade` to report `Completed`.
-+
---
-[source,terminal]
-----
-$ oc get cgu -n default
-----
-
-.Example output
-[source,terminal]
-----
-NAME                    AGE   STATE       DETAILS
-cgu-ibu-finalize        30h   Completed   All clusters are compliant with all the managed policies
-cgu-ibu-prep            31h   Completed   All clusters are compliant with all the managed policies
-cgu-ibu-upgrade         31h   Completed   All clusters are compliant with all the managed policies
-----
---
-
-[id="ztp-image-based-upgrade-with-talm-rollback_{context}"]
-== (Optional) Rollback the upgrade with {cgu-operator}
-
-If you encounter an issue after upgrade, you can start a manual rollback.
-
-.Procedure
-
-. Update the `du-profile` or the corresponding policy-binding label with the original platform version in the `SiteConfig` CR:
-+
-[source,yaml]
-----
-apiVersion: ran.openshift.io/v1
-kind: SiteConfig
-[...]
-spec:
-  [...]
-    clusterLabels:
-      du-profile: "4.15.2"
-----
-
-. When you are ready to move to the `Rollback` stage, create a `PolicyGenTemplate` CR for the `Rollback` policies:
-+
-[source,yaml]
-----
-apiVersion: ran.openshift.io/v1
-kind: PolicyGenTemplate
-metadata:
-  name: group-ibu
-  namespace: "ztp-group"
-spec:
-  bindingRules:
-    group-du-sno: ""
-  mcp: "master"
-  evaluationInterval:
-    compliant: 10s
-    noncompliant: 10s
-  sourceFiles:
-    - fileName: ImageBasedUpgrade.yaml
-      policyName: "rollback-policy"
-      spec:
-        stage: Rollback
-      status:
-        conditions:
-          - message: Rollback completed
-            reason: Completed
-            status: "True"
-            type: RollbackCompleted
-----
-
-. Create a `ClusterGroupUpgrade` CR that references the `Rollback` policies:
-+
-[source,yaml]
-----
-apiVersion: ran.openshift.io/v1alpha1
-kind: ClusterGroupUpgrade
-metadata:
-  name: cgu-ibu-rollback
-  namespace: default
-spec:
-  clusters:
-  - spoke1
-  enable: true
-  managedPolicies:
-  - group-ibu-rollback-policy
-  remediationStrategy:
-    canaries:
-      - spoke1
-    maxConcurrency: 1
-    timeout: 240
-----
-
-. Apply the `Rollback` policy:
-+
-[source,terminal]
-----
-$ oc apply -f cgu-ibu-rollback.yml
-----
-
-. When you are satisfied with the changes and ready to finalize the rollback, create the `PolicyGenTemplate` CR:
-+
-[source,yaml]
-----
-apiVersion: ran.openshift.io/v1
-kind: PolicyGenTemplate
-metadata:
-  name: group-ibu
-  namespace: "ztp-group"
-spec:
-  bindingRules:
-    group-du-sno: ""
-  mcp: "master"
-  evaluationInterval:
-    compliant: 10s
-    noncompliant: 10s
-  sourceFiles:
-    - fileName: ImageBasedUpgrade.yaml
-      policyName: "finalize-policy"
-      spec:
-        stage: Idle
-      status:
-        conditions:
-          - status: "True"
-            type: Idle
-----
-
-. Create a `ClusterGroupUpgrade` CR that references the policy that finalizes the upgrade:
-+
-[source,yaml]
-----
-apiVersion: ran.openshift.io/v1alpha1
-kind: ClusterGroupUpgrade
-metadata:
-  name: cgu-ibu-finalize
-  namespace: default
-spec:
-  clusters:
-  - spoke1
-  enable: true
-  managedPolicies:
-  - group-ibu-finalize-policy
-  remediationStrategy:
-    canaries:
-      - spoke1
-    maxConcurrency: 1
-    timeout: 240
-----
-
-. Apply the policy:
-+
-[source,terminal]
-----
-$ oc apply -f cgu-ibu-finalize.yml
-----
\ No newline at end of file
diff --git a/modules/ztp-image-based-upgrade-with-backup.adoc b/modules/ztp-image-based-upgrade-with-backup.adoc
deleted file mode 100644
index 227719493691..000000000000
--- a/modules/ztp-image-based-upgrade-with-backup.adoc
+++ /dev/null
@@ -1,158 +0,0 @@
-// Module included in the following assemblies:
-// * scalability_and_performance/ztp-image-based-upgrade.adoc
-
-:_mod-docs-content-type: PROCEDURE
-[id="ztp-image-based-upgrading-with-backup_{context}"]
-= Upgrading the {sno} cluster with {lcao}
-
-Once you generated the seed image and completed the `Prep` stage, you can upgrade the target cluster.
-During the upgrade process, the OADP Operator creates a backup of the artifacts specified in the OADP CRs, then the {lcao} upgrades the cluster.
-
-If the upgrade fails or stops, an automatic rollback is initiated.
-If you have an issue after the upgrade, you can initiate a manual rollback.
-For more information about manual rollback, see "(Optional) Initiating rollback of the {sno} clusters after an image-based upgrade".
-
-[IMPORTANT]
-====
-During the Developer Preview of this feature, when upgrading a cluster, any custom trusted certificates configured on the cluster will be lost. As a temporary workaround, to preserve these certificates, you must use a seed image from a seed cluster that trusts the certificates.
-====
-
-.Prerequisites
-
-* Complete the `Prep` stage.
-
-.Procedure
-
-. When you are ready, move to the upgrade stage by changing the value of the `stage` field to `Upgrade` in the `ImageBasedUpgrade` CR.
-+
-[source,terminal]
-----
-$ oc patch imagebasedupgrades.lca.openshift.io example-upgrade -p='{"spec": {"stage": "Upgrade"}}' --type=merge
-----
-
-. Check the status of the `ImageBasedUpgrade` CR:
-+
-[source,terminal]
-----
-$ oc get ibu -A -oyaml
-----
-
-+
-.Example output
-[source,yaml]
-----
-status:
-  conditions:
-  - lastTransitionTime: "2024-01-01T09:00:00Z"
-    message: In progress
-    observedGeneration: 2
-    reason: InProgress
-    status: "False"
-    type: Idle
-  - lastTransitionTime: "2024-01-01T09:00:00Z"
-    message: 'Prep completed: total: 121 (pulled: 1, skipped: 120, failed: 0)'
-    observedGeneration: 2
-    reason: Completed
-    status: "True"
-    type: PrepCompleted
-  - lastTransitionTime: "2024-01-01T09:00:00Z"
-    message: Prep completed
-    observedGeneration: 2
-    reason: Completed
-    status: "False"
-    type: PrepInProgress
-  - lastTransitionTime: "2024-01-01T09:00:00Z"
-    message: Upgrade completed
-    observedGeneration: 3
-    reason: Completed
-    status: "True"
-    type: UpgradeCompleted
-----
-
-. The OADP Operator creates a backup of the data specified in the OADP `Backup` and `Restore` CRs.
-
-. The target cluster reboots.
-
-. Monitor the status of the CR:
-+
-[source,terminal]
-----
-$ oc get ibu -A -oyaml
-----
-
-. The cluster reboots.
-
-. Once you are satisfied with the upgrade, commit to the changes by changing the value of the `stage` field to `Idle` in the `ImageBasedUpgrade` CR:
-+
-[source,terminal]
-----
-$ oc patch imagebasedupgrades.lca.openshift.io example-upgrade -p='{"spec": {"stage": "Idle"}}' --type=merge
-----
-
-+
-[IMPORTANT]
-====
-You cannot roll back the changes once you move to the `Idle` stage after an upgrade.
-====
-
-+
---
-The {lcao} deletes all resources created during the upgrade process.
---
-
-.Verification
-
-. Check the status of the `ImageBasedUpgrade` CR:
-+
-[source,terminal]
-----
-$ oc get ibu -A -oyaml
-----
-
-+
-.Example output
-[source,yaml]
-----
-status:
-  conditions:
-  - lastTransitionTime: "2024-01-01T09:00:00Z"
-    message: In progress
-    observedGeneration: 2
-    reason: InProgress
-    status: "False"
-    type: Idle
-  - lastTransitionTime: "2024-01-01T09:00:00Z"
-    message: 'Prep completed: total: 121 (pulled: 1, skipped: 120, failed: 0)'
-    observedGeneration: 2
-    reason: Completed
-    status: "True"
-    type: PrepCompleted
-  - lastTransitionTime: "2024-01-01T09:00:00Z"
-    message: Prep completed
-    observedGeneration: 2
-    reason: Completed
-    status: "False"
-    type: PrepInProgress
-  - lastTransitionTime: "2024-01-01T09:00:00Z"
-    message: Upgrade completed
-    observedGeneration: 3
-    reason: Completed
-    status: "True"
-    type: UpgradeCompleted
-----
-
-. Check the status of the cluster restoration:
-+
-[source,terminal]
-----
-$ oc get restores -n openshift-adp -o custom-columns=NAME:.metadata.name,Status:.status.phase,Reason:.status.failureReason
-----
-
-+
-[source,terminal]
-----
-NAME             Status      Reason
-acm-klusterlet   Completed   <none>
-apache-app       Completed   <none>
-localvolume      Completed   <none>
-----
\ No newline at end of file
diff --git a/modules/ztp-image-based-upgrade.adoc b/modules/ztp-image-based-upgrade.adoc
deleted file mode 100644
index b358174cfe00..000000000000
--- a/modules/ztp-image-based-upgrade.adoc
+++ /dev/null
@@ -1,149 +0,0 @@
-// Module included in the following assemblies:
-// * scalability_and_performance/ztp-image-based-upgrade.adoc
-
-:_mod-docs-content-type: CONCEPT
-[id="ztp-image-based-upgrade-concept_{context}"]
-= Image-based upgrade for {sno} cluster with the {lcao}
-
-From {product-title} 4.14.7, the {lcao} 4.15 provides you with an alternative way to upgrade the platform version of a {sno} cluster.
-The image-based upgrade is faster than the standard upgrade method and allows you to directly upgrade from {product-title} <4.y> to <4.y+2>, and <4.y.z> to <4.y.z+n>.
-
-This upgrade method utilizes a generated OCI image from a dedicated seed cluster that is installed on the target {sno} cluster as a new `ostree` stateroot.
-A seed cluster is a {sno} cluster deployed with the target {product-title} version, Day 2 Operators, and configurations that is common to all target clusters.
-
-You can use the seed image, which is generated from the seed cluster, to upgrade the platform version on any {sno} cluster that has the same combination of hardware, Day 2 Operators, and cluster configuration as the seed cluster.
-
-[IMPORTANT]
-====
-The image-based upgrade uses custom images that are specific to the hardware platform that the clusters are running on.
-Each different hardware platform requires a separate seed image.
-====
-
-The {lcao} uses two custom resources (CRs) on the participating clusters to orchestrate the upgrade:
-
-* On the seed cluster, the `SeedGenerator` CR allows for the seed image generation. This CR specifies the repository to push the seed image to.
-* On the target cluster, the `ImageBasedUpgrade` CR specifies the seed container image for the upgrade of the target cluster and the backup configurations for your workloads.
-
-.Example SeedGenerator CR
-[source,yaml]
-----
-apiVersion: lca.openshift.io/v1alpha1
-kind: SeedGenerator
-metadata:
-  name: seedimage
-spec:
-  seedImage: <seed_container_image>
-----
-
-.Example ImageBasedUpgrade CR
-[source,yaml]
-----
-apiVersion: lca.openshift.io/v1alpha1
-kind: ImageBasedUpgrade
-metadata:
-  name: example-upgrade
-spec:
-  stage: Idle <1>
-  seedImageRef: <2>
-    version: <target_version>
-    image: <seed_container_image>
-    pullSecretRef: <seed_pull_secret>
-  additionalImages:
-    name: ""
-    namespace: ""
-  autoRollbackOnFailure: {} <3>
-#    disabledForPostRebootConfig: "true" <4>
-#    disabledForUpgradeCompletion: "true" <5>
-#    disabledInitMonitor: "true" <6>
-#    initMonitorTimeoutSeconds: 1800 <7>
-#  extraManifests: <8>
-#  - name: sno-extra-manifests
-#    namespace: openshift-lifecycle-agent
-  oadpContent: <9>
-  - name: oadp-cm-example
-    namespace: openshift-adp
-----
-<1> Defines the desired stage for the `ImageBasedUpgrade` CR. The value can be `Idle`, `Prep`, `Upgrade`, or `Rollback`.
-<2> Defines the target platform version, the seed image to be used, and the secret required to access the image.
-<3> Configures the automatic rollback. By default, automatic rollback on failure is enabled throughout the upgrade.
-<4> (Optional) If set to `true`, this option disables automatic rollback when the reconfiguration of the cluster fails upon the first reboot.
-<5> (Optional) If set to `true`, this option disables automatic rollback after the {lcao} reports a failed upgrade upon completion.
-<6> (Optional) If set to `true`, this option disables automatic rollback when the upgrade does not complete after reboot within the time frame specified in the `initMonitorTimeoutSeconds` field.
-<7> (Optional) Specifies the time frame in seconds. If not defined or set to `0`, the default value of `1800` seconds (30 minutes) is used.
-<8> (Optional) Specify the list of `ConfigMap` resources that contain the additional extra manifests that you want to apply to the target cluster. You can also add your custom catalog sources that you want to retain after the upgrade.
-<9> Specify the list of `ConfigMap` resources that contain the OADP `Backup` and `Restore` CRs.
-
-After generating the seed image on the seed cluster, you can move through the stages on the target cluster by setting the `spec.stage` field to the following values in the `ImageBasedUpgrade` CR:
-
-* `Idle`
-* `Prep`
-* `Upgrade`
-* `Rollback` (Optional)
-
-[id="ztp-image-based-upgrade-concept-idle_{context}"]
-== Idle stage
-
-The {lcao} creates an `ImageBasedUpgrade` CR set to `stage: Idle` when the Operator is first deployed.
-This is the default stage.
-There is no ongoing upgrade and the cluster is ready to move to the `Prep` stage.
-
-After a successful upgrade or a rollback, you commit to the change by patching the `stage` field to `Idle` in the `ImageBasedUpgrade` CR.
-Changing to this stage ensures that the {lcao} cleans up resources, so the cluster is ready for upgrades again.
-
-[id="ztp-image-based-upgrade-concept-prep_{context}"]
-== Prep stage
-
-[NOTE]
-====
-You can complete this stage before a scheduled maintenance window.
-====
-
-During the `Prep` stage, you specify the following upgrade details in the `ImageBasedUpgrade` CR:
-
-* seed image to use
-* resources to back up
-* extra manifests to apply after upgrade
-
-Then, based on what you specify, the {lcao} prepares for the upgrade without impacting the current running version.
-This preparation includes ensuring that the target cluster is ready to proceed to the `Upgrade` stage by checking if it meets certain conditions and pulling the seed image to the target cluster with additional container images specified in the seed image.
-
-You also prepare backup resources with the OADP Operator's `Backup` and `Restore` CRs.
-These CRs are used in the `Upgrade` stage to reconfigure the cluster, register the cluster with {rh-rhacm}, and restore application artifacts.
-
-[IMPORTANT]
-====
-The same version of the applications must function on both the current and the target release of {product-title}.
-====
-
-Additionally to the OADP Operator, the {lcao} uses the `ostree` versioning system to create a backup, which allow complete cluster reconfiguration after both upgrade and rollback.
-
-You can stop the upgrade process at this point by moving to the `Idle` stage or you can start the upgrade by moving to the `Upgrade` stage in the `ImageBasedUpgrade` CR .
-If you stop, the Operator performs cleanup operations.
-
-[id="ztp-image-based-upgrade-concept-upgrade_{context}"]
-== Upgrade stage
-
-Just before the {lcao} starts the upgrade process, the backup of your cluster resources specified in the `Prep` stage are created on a compatible Object storage solution.
-After the target cluster reboots with the new platform version, the Operator applies the cluster and application configurations defined in the `Backup` and `Restore` CRs, and applies any extra manifests that are specified in the referenced `ConfigMap` resource.
-
-The Operator also regenerates the seed image's cluster cryptography.
-This ensures that each {sno} cluster upgraded with the same seed image has unique and valid cryptographic objects.
-
-Once you are satisfied with the changes, you can finalize the upgrade by moving to the `Idle` stage.
-If you encounter issues after the upgrade, you can move to the `Rollback` stage for a manual rollback.
-
-[id="ztp-image-based-upgrade-concept-rollback_{context}"]
-== (Optional) Rollback stage
-
-The rollback stage can be initiated manually or automatically upon failure.
-During the `Rollback` stage, the {lcao} sets the original `ostree` stateroot as default.
-Then, the node reboots with the previous release of {product-title} and application configurations.
-
-By default, automatic rollback is enabled in the `ImageBasedUpgrade` CR.
-The {lcao} can initiate an automatic rollback if the upgrade fails or if the upgrade does not complete within the specified time limit.
-For more information about the automatic rollback configurations, see the _(Optional) Initiating rollback of the single-node OpenShift cluster after an image-based upgrade_ section.
-
-[WARNING]
-====
-If you move to the `Idle` stage after a rollback, the {lcao} cleans up resources that can be used to troubleshoot a failed upgrade.
-====
\ No newline at end of file
diff --git a/modules/ztp-monitoring-policy-deployment-progress.adoc b/modules/ztp-monitoring-policy-deployment-progress.adoc
index 66ef343ce4de..e4d5324d5b51 100644
--- a/modules/ztp-monitoring-policy-deployment-progress.adoc
+++ b/modules/ztp-monitoring-policy-deployment-progress.adoc
@@ -6,7 +6,7 @@
 [id="ztp-monitoring-policy-deployment-progress_{context}"]
 = Monitoring managed cluster policy deployment progress
 
-The ArgoCD pipeline uses `PolicyGenTemplate` CRs in Git to generate the {rh-rhacm} policies and then sync them to the hub cluster. You can monitor the progress of the managed cluster policy synchronization after the assisted service installs {product-title} on the managed cluster.
+The ArgoCD pipeline uses `{policy-gen-cr}` CRs in Git to generate the {rh-rhacm} policies and then sync them to the hub cluster. You can monitor the progress of the managed cluster policy synchronization after the assisted service installs {product-title} on the managed cluster.
 
 .Prerequisites
 
diff --git a/modules/ztp-pgt-config-best-practices.adoc b/modules/ztp-pgt-config-best-practices.adoc
index 831a6c786dc7..d4ddeedcebbe 100644
--- a/modules/ztp-pgt-config-best-practices.adoc
+++ b/modules/ztp-pgt-config-best-practices.adoc
@@ -4,14 +4,14 @@
 
 :_module-type: CONCEPT
 [id="ztp-pgt-config-best-practices_{context}"]
-= Recommendations when customizing PolicyGenTemplate CRs
+= Recommendations when customizing {policy-gen-cr} CRs
 
-Consider the following best practices when customizing site configuration `PolicyGenTemplate` custom resources (CRs):
+Consider the following best practices when customizing site configuration `{policy-gen-cr}` custom resources (CRs):
 
-* Use as few policies as are necessary. Using fewer policies requires less resources. Each additional policy creates overhead for the hub cluster and the deployed managed cluster. CRs are combined into policies based on the `policyName` field in the `PolicyGenTemplate` CR. CRs in the same `PolicyGenTemplate` which have the same value for `policyName` are managed under a single policy.
+* Use as few policies as are necessary. Using fewer policies requires less resources. Each additional policy creates increased CPU load for the hub cluster and the deployed managed cluster. CRs are combined into policies based on the `policyName` field in the `{policy-gen-cr}` CR. CRs in the same `{policy-gen-cr}` which have the same value for `policyName` are managed under a single policy.
 
 * In disconnected environments, use a single catalog source for all Operators by configuring the registry as a single index containing all Operators. Each additional `CatalogSource` CR on the managed clusters increases CPU usage.
 
 * `MachineConfig` CRs should be included as `extraManifests` in the `SiteConfig` CR so that they are applied during installation. This can reduce the overall time taken until the cluster is ready to deploy applications.
 
-* `PolicyGenTemplates` should override the channel field to explicitly identify the desired version. This ensures that changes in the source CR during upgrades does not update the generated subscription.
+* `{policy-gen-cr}` CRs should override the channel field to explicitly identify the desired version. This ensures that changes in the source CR during upgrades does not update the generated subscription.
diff --git a/modules/ztp-policygentemplates-for-ran.adoc b/modules/ztp-policygentemplates-for-ran.adoc
index e3921f5e5272..8acea32b2a0c 100644
--- a/modules/ztp-policygentemplates-for-ran.adoc
+++ b/modules/ztp-policygentemplates-for-ran.adoc
@@ -4,48 +4,51 @@
 
 :_module-type: CONCEPT
 [id="ztp-policygentemplates-for-ran_{context}"]
-= PolicyGenTemplate CRs for RAN deployments
+= {policy-gen-cr} CRs for RAN deployments
 
-Use `PolicyGenTemplate` (PGT) custom resources (CRs) to customize the configuration applied to the cluster by using the {ztp-first} pipeline. The PGT CR allows you to generate one or more policies to manage the set of configuration CRs on your fleet of clusters. The PGT identifies the set of managed CRs, bundles them into policies, builds the policy wrapping around those CRs, and associates the policies with clusters by using label binding rules.
+Use `{policy-gen-cr}` custom resources (CRs) to customize the configuration applied to the cluster by using the {ztp-first} pipeline. The `{policy-gen-cr}` CR allows you to generate one or more policies to manage the set of configuration CRs on your fleet of clusters. The `{policy-gen-cr}` CR identifies the set of managed CRs, bundles them into policies, builds the policy wrapping around those CRs, and associates the policies with clusters by using label binding rules.
 
-The reference configuration, obtained from the {ztp} container, is designed to provide a set of critical features and node tuning settings that ensure the cluster can support the stringent performance and resource utilization constraints typical of RAN (Radio Access Network) Distributed Unit (DU) applications. Changes or omissions from the baseline configuration can affect feature availability, performance, and resource utilization. Use the reference `PolicyGenTemplate` CRs as the basis to create a hierarchy of configuration files tailored to your specific site requirements.
+The reference configuration, obtained from the {ztp} container, is designed to provide a set of critical features and node tuning settings that ensure the cluster can support the stringent performance and resource utilization constraints typical of RAN (Radio Access Network) Distributed Unit (DU) applications. Changes or omissions from the baseline configuration can affect feature availability, performance, and resource utilization. Use the reference `{policy-gen-cr}` CRs as the basis to create a hierarchy of configuration files tailored to your specific site requirements.
 
-The baseline `PolicyGenTemplate` CRs that are defined for RAN DU cluster configuration can be extracted from the {ztp} `ztp-site-generate` container. See "Preparing the {ztp} site configuration repository" for further details.
+The baseline `{policy-gen-cr}` CRs that are defined for RAN DU cluster configuration can be extracted from the {ztp} `ztp-site-generate` container. See "Preparing the {ztp} site configuration repository" for further details.
 
-The `PolicyGenTemplate` CRs can be found in the `./out/argocd/example/policygentemplates` folder. The reference architecture has common, group, and site-specific configuration CRs. Each `PolicyGenTemplate` CR refers to other CRs that can be found in the `./out/source-crs` folder.
+The `{policy-gen-cr}` CRs can be found in the `./{argocd-folder}` folder. The reference architecture has common, group, and site-specific configuration CRs. Each `{policy-gen-cr}` CR refers to other CRs that can be found in the `./out/source-crs` folder.
 
-The `PolicyGenTemplate` CRs relevant to RAN cluster configuration are described below. Variants are provided for the group `PolicyGenTemplate` CRs to account for differences in single-node, three-node compact, and standard cluster configurations. Similarly, site-specific configuration variants are provided for single-node clusters and multi-node (compact or standard) clusters. Use the group and site-specific configuration variants that are relevant for your deployment.
+The `{policy-gen-cr}` CRs relevant to RAN cluster configuration are described below. Variants are provided for the group `{policy-gen-cr}` CRs to account for differences in single-node, three-node compact, and standard cluster configurations. Similarly, site-specific configuration variants are provided for single-node clusters and multi-node (compact or standard) clusters. Use the group and site-specific configuration variants that are relevant for your deployment.
 
-.PolicyGenTemplate CRs for RAN deployments
+.{policy-gen-cr} CRs for RAN deployments
 [cols=2*, options="header"]
 |====
-|PolicyGenTemplate CR
+|{policy-gen-cr} CR
 |Description
 
-|`example-multinode-site.yaml`
+|`{policy-prefix}example-multinode-site.yaml`
 |Contains a set of CRs that get applied to multi-node clusters. These CRs configure SR-IOV features typical for RAN installations.
 
-|`example-sno-site.yaml`
+|`{policy-prefix}example-sno-site.yaml`
 |Contains a set of CRs that get applied to {sno} clusters. These CRs configure SR-IOV features typical for RAN installations.
 
-|`common-ranGen.yaml`
+|`{policy-prefix}common-mno-ranGen.yaml`
+|Contains a set of common RAN policy configuration that get applied to multi-node clusters.
+
+|`{policy-prefix}common-ranGen.yaml`
 |Contains a set of common RAN CRs that get applied to all clusters. These CRs subscribe to a set of operators providing cluster features typical for RAN as well as baseline cluster tuning.
 
-|`group-du-3node-ranGen.yaml`
+|`{policy-prefix}group-du-3node-ranGen.yaml`
 |Contains the RAN policies for three-node clusters only.
 
-|`group-du-sno-ranGen.yaml`
+|`{policy-prefix}group-du-sno-ranGen.yaml`
 |Contains the RAN policies for single-node clusters only.
 
-|`group-du-standard-ranGen.yaml`
+|`{policy-prefix}group-du-standard-ranGen.yaml`
 |Contains the RAN policies for standard three control-plane clusters.
 
-|`group-du-3node-validator-ranGen.yaml`
-|`PolicyGenTemplate` CR used to generate the various policies required for three-node clusters.
+|`{policy-prefix}group-du-3node-validator-ranGen.yaml`
+|`{policy-gen-cr}` CR used to generate the various policies required for three-node clusters.
 
-|`group-du-standard-validator-ranGen.yaml`
-|`PolicyGenTemplate` CR used to generate the various policies required for standard clusters.
+|`{policy-prefix}group-du-standard-validator-ranGen.yaml`
+|`{policy-gen-cr}` CR used to generate the various policies required for standard clusters.
 
-|`group-du-sno-validator-ranGen.yaml`
-|`PolicyGenTemplate` CR used to generate the various policies required for {sno} clusters.
+|`{policy-prefix}group-du-sno-validator-ranGen.yaml`
+|`{policy-gen-cr}` CR used to generate the various policies required for {sno} clusters.
 |====
diff --git a/modules/ztp-precaching-troubleshooting.adoc b/modules/ztp-precaching-troubleshooting.adoc
index 76cc73a375d3..21f95d28640b 100644
--- a/modules/ztp-precaching-troubleshooting.adoc
+++ b/modules/ztp-precaching-troubleshooting.adoc
@@ -4,9 +4,7 @@
 
 :_mod-docs-content-type: PROCEDURE
 [id="ztp-pre-staging-troubleshooting_{context}"]
-= Troubleshooting
-
-== Rendered catalog is invalid
+= Troubleshooting a "Rendered catalog is invalid" error
 
 When you download images by using a local or disconnected registry, you might see the `The rendered catalog is invalid` error. This means that you are missing certificates of the new registry you want to pull content from.
 
diff --git a/modules/ztp-precaching-ztp-config.adoc b/modules/ztp-precaching-ztp-config.adoc
index 068de9307b0b..c86f84b24e61 100644
--- a/modules/ztp-precaching-ztp-config.adoc
+++ b/modules/ztp-precaching-ztp-config.adoc
@@ -45,7 +45,52 @@ spec:
     networkType: "OVNKubernetes"
     additionalNTPSources:
       - clock.corp.redhat.com
-    ignitionConfigOverride: '{"ignition":{"version":"3.1.0"},"systemd":{"units":[{"name":"var-mnt.mount","enabled":true,"contents":"[Unit]\nDescription=Mount partition with artifacts\nBefore=precache-images.service\nBindsTo=precache-images.service\nStopWhenUnneeded=true\n\n[Mount]\nWhat=/dev/disk/by-partlabel/data\nWhere=/var/mnt\nType=xfs\nTimeoutSec=30\n\n[Install]\nRequiredBy=precache-images.service"},{"name":"precache-images.service","enabled":true,"contents":"[Unit]\nDescription=Extracts the precached images in discovery stage\nAfter=var-mnt.mount\nBefore=agent.service\n\n[Service]\nType=oneshot\nUser=root\nWorkingDirectory=/var/mnt\nExecStart=bash /usr/local/bin/extract-ai.sh\n#TimeoutStopSec=30\n\n[Install]\nWantedBy=multi-user.target default.target\nWantedBy=agent.service"}]},"storage":{"files":[{"overwrite":true,"path":"/usr/local/bin/extract-ai.sh","mode":755,"user":{"name":"root"},"contents":{"source":"data:,%23%21%2Fbin%2Fbash%0A%0AFOLDER%3D%22%24%7BFOLDER%3A-%24%28pwd%29%7D%22%0AOCP_RELEASE_LIST%3D%22%24%7BOCP_RELEASE_LIST%3A-ai-images.txt%7D%22%0ABINARY_FOLDER%3D%2Fvar%2Fmnt%0A%0Apushd%20%24FOLDER%0A%0Atotal_copies%3D%24%28sort%20-u%20%24BINARY_FOLDER%2F%24OCP_RELEASE_LIST%20%7C%20wc%20-l%29%20%20%23%20Required%20to%20keep%20track%20of%20the%20pull%20task%20vs%20total%0Acurrent_copy%3D1%0A%0Awhile%20read%20-r%20line%3B%0Ado%0A%20%20uri%3D%24%28echo%20%22%24line%22%20%7C%20awk%20%27%7Bprint%241%7D%27%29%0A%20%20%23tar%3D%24%28echo%20%22%24line%22%20%7C%20awk%20%27%7Bprint%242%7D%27%29%0A%20%20podman%20image%20exists%20%24uri%0A%20%20if%20%5B%5B%20%24%3F%20-eq%200%20%5D%5D%3B%20then%0A%20%20%20%20%20%20echo%20%22Skipping%20existing%20image%20%24tar%22%0A%20%20%20%20%20%20echo%20%22Copying%20%24%7Buri%7D%20%5B%24%7Bcurrent_copy%7D%2F%24%7Btotal_copies%7D%5D%22%0A%20%20%20%20%20%20current_copy%3D%24%28%28current_copy%20%2B%201%29%29%0A%20%20%20%20%20%20continue%0A%20%20fi%0A%20%20tar%3D%24%28echo%20%22%24uri%22%20%7C%20%20rev%20%7C%20cut%20-d%20%22%2F%22%20-f1%20%7C%20rev%20%7C%20tr%20%22%3A%22%20%22_%22%29%0A%20%20tar%20zxvf%20%24%7Btar%7D.tgz%0A%20%20if%20%5B%20%24%3F%20-eq%200%20%5D%3B%20then%20rm%20-f%20%24%7Btar%7D.gz%3B%20fi%0A%20%20echo%20%22Copying%20%24%7Buri%7D%20%5B%24%7Bcurrent_copy%7D%2F%24%7Btotal_copies%7D%5D%22%0A%20%20skopeo%20copy%20dir%3A%2F%2F%24%28pwd%29%2F%24%7Btar%7D%20containers-storage%3A%24%7Buri%7D%0A%20%20if%20%5B%20%24%3F%20-eq%200%20%5D%3B%20then%20rm%20-rf%20%24%7Btar%7D%3B%20current_copy%3D%24%28%28current_copy%20%2B%201%29%29%3B%20fi%0Adone%20%3C%20%24%7BBINARY_FOLDER%7D%2F%24%7BOCP_RELEASE_LIST%7D%0A%0A%23%20workaround%20while%20https%3A%2F%2Fgithub.com%2Fopenshift%2Fassisted-service%2Fpull%2F3546%0A%23cp%20%2Fvar%2Fmnt%2Fmodified-rhcos-4.10.3-x86_64-metal.x86_64.raw.gz%20%2Fvar%2Ftmp%2F.%0A%0Aexit%200"}},{"overwrite":true,"path":"/usr/local/bin/agent-fix-bz1964591","mode":755,"user":{"name":"root"},"contents":{"source":"data:,%23%21%2Fusr%2Fbin%2Fsh%0A%0A%23%20This%20script%20is%20a%20workaround%20for%20bugzilla%201964591%20where%20symlinks%20inside%20%2Fvar%2Flib%2Fcontainers%2F%20get%0A%23%20corrupted%20under%20some%20circumstances.%0A%23%0A%23%20In%20order%20to%20let%20agent.service%20start%20correctly%20we%20are%20checking%20here%20whether%20the%20requested%0A%23%20container%20image%20exists%20and%20in%20case%20%22podman%20images%22%20returns%20an%20error%20we%20try%20removing%20the%20faulty%0A%23%20image.%0A%23%0A%23%20In%20such%20a%20scenario%20agent.service%20will%20detect%20the%20image%20is%20not%20present%20and%20pull%20it%20again.%20In%20case%0A%23%20the%20image%20is%20present%20and%20can%20be%20detected%20correctly%2C%20no%20any%20action%20is%20required.%0A%0AIMAGE%3D%24%28echo%20%241%20%7C%20sed%20%27s%2F%3A.%2A%2F%2F%27%29%0Apodman%20image%20exists%20%24IMAGE%20%7C%7C%20echo%20%22already%20loaded%22%20%7C%7C%20echo%20%22need%20to%20be%20pulled%22%0A%23podman%20images%20%7C%20grep%20%24IMAGE%20%7C%7C%20podman%20rmi%20--force%20%241%20%7C%7C%20true"}}]}}'
+    ignitionConfigOverride: 
+      '{
+        "ignition": {
+          "version": "3.1.0"
+        },
+        "systemd": {
+          "units": [
+            {
+              "name": "var-mnt.mount",
+              "enabled": true,
+              "contents": "[Unit]\nDescription=Mount partition with artifacts\nBefore=precache-images.service\nBindsTo=precache-images.service\nStopWhenUnneeded=true\n\n[Mount]\nWhat=/dev/disk/by-partlabel/data\nWhere=/var/mnt\nType=xfs\nTimeoutSec=30\n\n[Install]\nRequiredBy=precache-images.service"
+            },
+            {
+              "name": "precache-images.service",
+              "enabled": true,
+              "contents": "[Unit]\nDescription=Extracts the precached images in discovery stage\nAfter=var-mnt.mount\nBefore=agent.service\n\n[Service]\nType=oneshot\nUser=root\nWorkingDirectory=/var/mnt\nExecStart=bash /usr/local/bin/extract-ai.sh\n#TimeoutStopSec=30\n\n[Install]\nWantedBy=multi-user.target default.target\nWantedBy=agent.service"
+            }
+          ]
+        },
+        "storage": {
+          "files": [
+            {
+              "overwrite": true,
+              "path": "/usr/local/bin/extract-ai.sh",
+              "mode": 755,
+              "user": {
+                "name": "root"
+              },
+              "contents": {
+                "source": "data:,%23%21%2Fbin%2Fbash%0A%0AFOLDER%3D%22%24%7BFOLDER%3A-%24%28pwd%29%7D%22%0AOCP_RELEASE_LIST%3D%22%24%7BOCP_RELEASE_LIST%3A-ai-images.txt%7D%22%0ABINARY_FOLDER%3D%2Fvar%2Fmnt%0A%0Apushd%20%24FOLDER%0A%0Atotal_copies%3D%24%28sort%20-u%20%24BINARY_FOLDER%2F%24OCP_RELEASE_LIST%20%7C%20wc%20-l%29%20%20%23%20Required%20to%20keep%20track%20of%20the%20pull%20task%20vs%20total%0Acurrent_copy%3D1%0A%0Awhile%20read%20-r%20line%3B%0Ado%0A%20%20uri%3D%24%28echo%20%22%24line%22%20%7C%20awk%20%27%7Bprint%241%7D%27%29%0A%20%20%23tar%3D%24%28echo%20%22%24line%22%20%7C%20awk%20%27%7Bprint%242%7D%27%29%0A%20%20podman%20image%20exists%20%24uri%0A%20%20if%20%5B%5B%20%24%3F%20-eq%200%20%5D%5D%3B%20then%0A%20%20%20%20%20%20echo%20%22Skipping%20existing%20image%20%24tar%22%0A%20%20%20%20%20%20echo%20%22Copying%20%24%7Buri%7D%20%5B%24%7Bcurrent_copy%7D%2F%24%7Btotal_copies%7D%5D%22%0A%20%20%20%20%20%20current_copy%3D%24%28%28current_copy%20%2B%201%29%29%0A%20%20%20%20%20%20continue%0A%20%20fi%0A%20%20tar%3D%24%28echo%20%22%24uri%22%20%7C%20%20rev%20%7C%20cut%20-d%20%22%2F%22%20-f1%20%7C%20rev%20%7C%20tr%20%22%3A%22%20%22_%22%29%0A%20%20tar%20zxvf%20%24%7Btar%7D.tgz%0A%20%20if%20%5B%20%24%3F%20-eq%200%20%5D%3B%20then%20rm%20-f%20%24%7Btar%7D.gz%3B%20fi%0A%20%20echo%20%22Copying%20%24%7Buri%7D%20%5B%24%7Bcurrent_copy%7D%2F%24%7Btotal_copies%7D%5D%22%0A%20%20skopeo%20copy%20dir%3A%2F%2F%24%28pwd%29%2F%24%7Btar%7D%20containers-storage%3A%24%7Buri%7D%0A%20%20if%20%5B%20%24%3F%20-eq%200%20%5D%3B%20then%20rm%20-rf%20%24%7Btar%7D%3B%20current_copy%3D%24%28%28current_copy%20%2B%201%29%29%3B%20fi%0Adone%20%3C%20%24%7BBINARY_FOLDER%7D%2F%24%7BOCP_RELEASE_LIST%7D%0A%0A%23%20workaround%20while%20https%3A%2F%2Fgithub.com%2Fopenshift%2Fassisted-service%2Fpull%2F3546%0A%23cp%20%2Fvar%2Fmnt%2Fmodified-rhcos-4.10.3-x86_64-metal.x86_64.raw.gz%20%2Fvar%2Ftmp%2F.%0A%0Aexit%200"
+              }
+            },
+            {
+              "overwrite": true,
+              "path": "/usr/local/bin/agent-fix-bz1964591",
+              "mode": 755,
+              "user": {
+                "name": "root"
+              },
+              "contents": {
+                "source": "data:,%23%21%2Fusr%2Fbin%2Fsh%0A%0A%23%20This%20script%20is%20a%20workaround%20for%20bugzilla%201964591%20where%20symlinks%20inside%20%2Fvar%2Flib%2Fcontainers%2F%20get%0A%23%20corrupted%20under%20some%20circumstances.%0A%23%0A%23%20In%20order%20to%20let%20agent.service%20start%20correctly%20we%20are%20checking%20here%20whether%20the%20requested%0A%23%20container%20image%20exists%20and%20in%20case%20%22podman%20images%22%20returns%20an%20error%20we%20try%20removing%20the%20faulty%0A%23%20image.%0A%23%0A%23%20In%20such%20a%20scenario%20agent.service%20will%20detect%20the%20image%20is%20not%20present%20and%20pull%20it%20again.%20In%20case%0A%23%20the%20image%20is%20present%20and%20can%20be%20detected%20correctly%2C%20no%20any%20action%20is%20required.%0A%0AIMAGE%3D%24%28echo%20%241%20%7C%20sed%20%27s%2F%3A.%2A%2F%2F%27%29%0Apodman%20image%20exists%20%24IMAGE%20%7C%7C%20echo%20%22already%20loaded%22%20%7C%7C%20echo%20%22need%20to%20be%20pulled%22%0A%23podman%20images%20%7C%20grep%20%24IMAGE%20%7C%7C%20podman%20rmi%20--force%20%241%20%7C%7C%20true"
+              }
+            }
+          ]
+        }
+      }'
     nodes:
       - hostName: "snonode.sno-worker-0.example.domain.redhat.com"
         role: "master"
@@ -55,10 +100,43 @@ spec:
         bootMACAddress: "e4:43:4b:bd:90:46"
         bootMode: "UEFI"
         rootDeviceHints:
-          deviceName: /dev/nvme0n1
-        cpuset: "0-1,40-41"
+          deviceName: /dev/disk/by-path/pci-0000:01:00.0-scsi-0:2:0:0
         installerArgs: '["--save-partlabel", "data"]'
-        ignitionConfigOverride: '{"ignition":{"version":"3.1.0"},"systemd":{"units":[{"name":"var-mnt.mount","enabled":true,"contents":"[Unit]\nDescription=Mount partition with artifacts\nBefore=precache-ocp-images.service\nBindsTo=precache-ocp-images.service\nStopWhenUnneeded=true\n\n[Mount]\nWhat=/dev/disk/by-partlabel/data\nWhere=/var/mnt\nType=xfs\nTimeoutSec=30\n\n[Install]\nRequiredBy=precache-ocp-images.service"},{"name":"precache-ocp-images.service","enabled":true,"contents":"[Unit]\nDescription=Extracts the precached OCP images into containers storage\nAfter=var-mnt.mount\nBefore=machine-config-daemon-pull.service nodeip-configuration.service\n\n[Service]\nType=oneshot\nUser=root\nWorkingDirectory=/var/mnt\nExecStart=bash /usr/local/bin/extract-ocp.sh\nTimeoutStopSec=60\n\n[Install]\nWantedBy=multi-user.target"}]},"storage":{"files":[{"overwrite":true,"path":"/usr/local/bin/extract-ocp.sh","mode":755,"user":{"name":"root"},"contents":{"source":"data:,%23%21%2Fbin%2Fbash%0A%0AFOLDER%3D%22%24%7BFOLDER%3A-%24%28pwd%29%7D%22%0AOCP_RELEASE_LIST%3D%22%24%7BOCP_RELEASE_LIST%3A-ocp-images.txt%7D%22%0ABINARY_FOLDER%3D%2Fvar%2Fmnt%0A%0Apushd%20%24FOLDER%0A%0Atotal_copies%3D%24%28sort%20-u%20%24BINARY_FOLDER%2F%24OCP_RELEASE_LIST%20%7C%20wc%20-l%29%20%20%23%20Required%20to%20keep%20track%20of%20the%20pull%20task%20vs%20total%0Acurrent_copy%3D1%0A%0Awhile%20read%20-r%20line%3B%0Ado%0A%20%20uri%3D%24%28echo%20%22%24line%22%20%7C%20awk%20%27%7Bprint%241%7D%27%29%0A%20%20%23tar%3D%24%28echo%20%22%24line%22%20%7C%20awk%20%27%7Bprint%242%7D%27%29%0A%20%20podman%20image%20exists%20%24uri%0A%20%20if%20%5B%5B%20%24%3F%20-eq%200%20%5D%5D%3B%20then%0A%20%20%20%20%20%20echo%20%22Skipping%20existing%20image%20%24tar%22%0A%20%20%20%20%20%20echo%20%22Copying%20%24%7Buri%7D%20%5B%24%7Bcurrent_copy%7D%2F%24%7Btotal_copies%7D%5D%22%0A%20%20%20%20%20%20current_copy%3D%24%28%28current_copy%20%2B%201%29%29%0A%20%20%20%20%20%20continue%0A%20%20fi%0A%20%20tar%3D%24%28echo%20%22%24uri%22%20%7C%20%20rev%20%7C%20cut%20-d%20%22%2F%22%20-f1%20%7C%20rev%20%7C%20tr%20%22%3A%22%20%22_%22%29%0A%20%20tar%20zxvf%20%24%7Btar%7D.tgz%0A%20%20if%20%5B%20%24%3F%20-eq%200%20%5D%3B%20then%20rm%20-f%20%24%7Btar%7D.gz%3B%20fi%0A%20%20echo%20%22Copying%20%24%7Buri%7D%20%5B%24%7Bcurrent_copy%7D%2F%24%7Btotal_copies%7D%5D%22%0A%20%20skopeo%20copy%20dir%3A%2F%2F%24%28pwd%29%2F%24%7Btar%7D%20containers-storage%3A%24%7Buri%7D%0A%20%20if%20%5B%20%24%3F%20-eq%200%20%5D%3B%20then%20rm%20-rf%20%24%7Btar%7D%3B%20current_copy%3D%24%28%28current_copy%20%2B%201%29%29%3B%20fi%0Adone%20%3C%20%24%7BBINARY_FOLDER%7D%2F%24%7BOCP_RELEASE_LIST%7D%0A%0Aexit%200"}}]}}'
+        ignitionConfigOverride: | 
+           {
+            "ignition": {
+              "version": "3.1.0"
+            },
+            "systemd": {
+              "units": [
+                {
+                  "name": "var-mnt.mount",
+                  "enabled": true,
+                  "contents": "[Unit]\nDescription=Mount partition with artifacts\nBefore=precache-ocp-images.service\nBindsTo=precache-ocp-images.service\nStopWhenUnneeded=true\n\n[Mount]\nWhat=/dev/disk/by-partlabel/data\nWhere=/var/mnt\nType=xfs\nTimeoutSec=30\n\n[Install]\nRequiredBy=precache-ocp-images.service"
+                },
+                {
+                  "name": "precache-ocp-images.service",
+                  "enabled": true,
+                  "contents": "[Unit]\nDescription=Extracts the precached OCP images into containers storage\nAfter=var-mnt.mount\nBefore=machine-config-daemon-pull.service nodeip-configuration.service\n\n[Service]\nType=oneshot\nUser=root\nWorkingDirectory=/var/mnt\nExecStart=bash /usr/local/bin/extract-ocp.sh\nTimeoutStopSec=60\n\n[Install]\nWantedBy=multi-user.target"
+                }
+              ]
+            },
+            "storage": {
+              "files": [
+                {
+                  "overwrite": true,
+                  "path": "/usr/local/bin/extract-ocp.sh",
+                  "mode": 755,
+                  "user": {
+                    "name": "root"
+                  },
+                  "contents": {
+                    "source": "data:,%23%21%2Fbin%2Fbash%0A%0AFOLDER%3D%22%24%7BFOLDER%3A-%24%28pwd%29%7D%22%0AOCP_RELEASE_LIST%3D%22%24%7BOCP_RELEASE_LIST%3A-ocp-images.txt%7D%22%0ABINARY_FOLDER%3D%2Fvar%2Fmnt%0A%0Apushd%20%24FOLDER%0A%0Atotal_copies%3D%24%28sort%20-u%20%24BINARY_FOLDER%2F%24OCP_RELEASE_LIST%20%7C%20wc%20-l%29%20%20%23%20Required%20to%20keep%20track%20of%20the%20pull%20task%20vs%20total%0Acurrent_copy%3D1%0A%0Awhile%20read%20-r%20line%3B%0Ado%0A%20%20uri%3D%24%28echo%20%22%24line%22%20%7C%20awk%20%27%7Bprint%241%7D%27%29%0A%20%20%23tar%3D%24%28echo%20%22%24line%22%20%7C%20awk%20%27%7Bprint%242%7D%27%29%0A%20%20podman%20image%20exists%20%24uri%0A%20%20if%20%5B%5B%20%24%3F%20-eq%200%20%5D%5D%3B%20then%0A%20%20%20%20%20%20echo%20%22Skipping%20existing%20image%20%24tar%22%0A%20%20%20%20%20%20echo%20%22Copying%20%24%7Buri%7D%20%5B%24%7Bcurrent_copy%7D%2F%24%7Btotal_copies%7D%5D%22%0A%20%20%20%20%20%20current_copy%3D%24%28%28current_copy%20%2B%201%29%29%0A%20%20%20%20%20%20continue%0A%20%20fi%0A%20%20tar%3D%24%28echo%20%22%24uri%22%20%7C%20%20rev%20%7C%20cut%20-d%20%22%2F%22%20-f1%20%7C%20rev%20%7C%20tr%20%22%3A%22%20%22_%22%29%0A%20%20tar%20zxvf%20%24%7Btar%7D.tgz%0A%20%20if%20%5B%20%24%3F%20-eq%200%20%5D%3B%20then%20rm%20-f%20%24%7Btar%7D.gz%3B%20fi%0A%20%20echo%20%22Copying%20%24%7Buri%7D%20%5B%24%7Bcurrent_copy%7D%2F%24%7Btotal_copies%7D%5D%22%0A%20%20skopeo%20copy%20dir%3A%2F%2F%24%28pwd%29%2F%24%7Btar%7D%20containers-storage%3A%24%7Buri%7D%0A%20%20if%20%5B%20%24%3F%20-eq%200%20%5D%3B%20then%20rm%20-rf%20%24%7Btar%7D%3B%20current_copy%3D%24%28%28current_copy%20%2B%201%29%29%3B%20fi%0Adone%20%3C%20%24%7BBINARY_FOLDER%7D%2F%24%7BOCP_RELEASE_LIST%7D%0A%0Aexit%200"
+                  }
+                }
+              ]
+            }
+           }
         nodeNetwork:
           config:
             interfaces:
@@ -149,6 +227,5 @@ To extract all the images before the {product-title} installation, you must exec
 ====
 
 `extract-ocp.sh`:: The `extract-ocp.sh` script extracts and loads the required images from the disk partition to the local container storage.
-When the script finishes successfully, you can use the images locally.
 
-When you upload the `SiteConfig` and the optional `PolicyGenTemplates` custom resources (CRs) to the Git repo, which Argo CD is monitoring, you can start the {ztp} workflow by syncing the CRs with the hub cluster.
+When you commit the `SiteConfig` and optional `PolicyGenerator` or `PolicyGenTemplate` custom resources (CRs) to the Git repo that Argo CD is monitoring, you can start the {ztp} workflow by syncing the CRs with the hub cluster.
diff --git a/modules/ztp-preparing-for-the-gitops-ztp-upgrade.adoc b/modules/ztp-preparing-for-the-gitops-ztp-upgrade.adoc
index 75a85025db40..5d69146b2a36 100644
--- a/modules/ztp-preparing-for-the-gitops-ztp-upgrade.adoc
+++ b/modules/ztp-preparing-for-the-gitops-ztp-upgrade.adoc
@@ -27,9 +27,9 @@ $ podman run --log-driver=none --rm registry.redhat.io/openshift4/ztp-site-gener
 The `/update` directory contains the following subdirectories:
 +
 * `update/extra-manifest`: contains the source CR files that the `SiteConfig` CR uses to generate the extra manifest `configMap`.
-* `update/source-crs`: contains the source CR files that the `PolicyGenTemplate` CR uses to generate the {rh-rhacm-first} policies.
+* `update/source-crs`: contains the source CR files that the `PolicyGenerator` or `PolicyGentemplate` CR uses to generate the {rh-rhacm-first} policies.
 * `update/argocd/deployment`: contains patches and YAML files to apply on the hub cluster for use in the next step of this procedure.
-* `update/argocd/example`: contains example `SiteConfig` and `PolicyGenTemplate` files that represent the recommended configuration.
+* `update/argocd/example`: contains example `SiteConfig` and `PolicyGenerator` or `PolicyGentemplate` files that represent the recommended configuration.
 
 . Update the `clusters-app.yaml` and `policies-app.yaml` files to reflect the name of your applications and the URL, branch, and path for your Git repository.
 +
diff --git a/modules/ztp-preparing-the-hub-cluster-for-ztp.adoc b/modules/ztp-preparing-the-hub-cluster-for-ztp.adoc
index 4ced482d7e9d..c604e1bd641e 100644
--- a/modules/ztp-preparing-the-hub-cluster-for-ztp.adoc
+++ b/modules/ztp-preparing-the-hub-cluster-for-ztp.adoc
@@ -37,7 +37,7 @@ You can configure the hub cluster with a set of ArgoCD applications that generat
 
 *** The `targetRevision` indicates which Git repository branch to monitor.
 
-*** `path` specifies the path to the `SiteConfig` and `PolicyGenTemplate` CRs, respectively.
+*** `path` specifies the path to the `SiteConfig` and `PolicyGenerator` or `PolicyGentemplate` CRs, respectively.
 
 [start=2]
 include::snippets/ztp-patch-argocd-hub-cluster.adoc[]
diff --git a/modules/ztp-preparing-the-ztp-git-repository-ver-ind.adoc b/modules/ztp-preparing-the-ztp-git-repository-ver-ind.adoc
index 7dc154c00f5c..9aacf70fb696 100644
--- a/modules/ztp-preparing-the-ztp-git-repository-ver-ind.adoc
+++ b/modules/ztp-preparing-the-ztp-git-repository-ver-ind.adoc
@@ -9,11 +9,22 @@
 You can use {ztp} to manage source custom resources (CRs) for managed clusters that are running different versions of {product-title}.
 This means that the version of {product-title} running on the hub cluster can be independent of the version running on the managed clusters.
 
+[NOTE]
+====
+The following procedure assumes you are using `PolicyGenerator` resources instead of `PolicyGentemplate` resources for cluster policies management.
+====
+
+.Prerequisites
+
+* You have installed the OpenShift CLI (`oc`).
+
+* You have logged in as a user with `cluster-admin` privileges.
+
 .Procedure
 
-. Create a directory structure with separate paths for the `SiteConfig` and `PolicyGenTemplate` CRs.
+. Create a directory structure with separate paths for the `SiteConfig` and `PolicyGenerator` CRs.
 
-. Within the `PolicyGenTemplate` directory, create a directory for each {product-title} version you want to make available.
+. Within the `PolicyGenerator` directory, create a directory for each {product-title} version you want to make available.
 For each version, create the following resources:
 * `kustomization.yaml` file that explicitly includes the files in that directory
 * `source-crs` directory to contain reference CR configuration files from the `ztp-site-generate` container
@@ -26,7 +37,7 @@ The following example describes a structure using user-provided manifests and CR
 +
 [source,text]
 ----
-├── policygentemplates
+├── acmpolicygenerator
 │   ├── kustomization.yaml <1>
 │   ├── version_4.13 <2>
 │   │   ├── common-ranGen.yaml
@@ -63,7 +74,7 @@ The following example describes a structure using user-provided manifests and CR
 
 ----
 <1> Create a top-level `kustomization` YAML file.
-<2> Create the version-specific directories within the custom `/policygentemplates` directory.
+<2> Create the version-specific directories within the custom `/acmpolicygenerator` directory.
 <3> Create a `kustomization.yaml` file for each version.
 <4> Create a `source-crs` directory for each version to contain reference CRs from the `ztp-site-generate` container.
 <5> Create the `reference-crs` directory for policy CRs that are extracted from the ZTP container.
diff --git a/modules/ztp-preparing-the-ztp-git-repository.adoc b/modules/ztp-preparing-the-ztp-git-repository.adoc
index fa594dc35198..0b01ba6a5b76 100644
--- a/modules/ztp-preparing-the-ztp-git-repository.adoc
+++ b/modules/ztp-preparing-the-ztp-git-repository.adoc
@@ -16,12 +16,12 @@ Before you can use the {ztp-first} pipeline, you need to prepare the Git reposit
 
 .Procedure
 
-. Create a directory structure with separate paths for the `SiteConfig` and `PolicyGenTemplate` CRs.
+. Create a directory structure with separate paths for the `SiteConfig` and `PolicyGenerator` or `PolicyGentemplate` CRs.
 +
 [NOTE]
 ====
-Keep `SiteConfig` and `PolicyGenTemplate` CRs in separate directories.
-Both the `SiteConfig` and `PolicyGenTemplate` directories must contain a `kustomization.yaml` file that explicitly includes the files in that directory.
+Keep `SiteConfig` and `PolicyGenerator` or `PolicyGentemplate` CRs in separate directories.
+Both the `SiteConfig` and `PolicyGenerator` or `PolicyGentemplate` directories must contain a `kustomization.yaml` file that explicitly includes the files in that directory.
 ====
 
 . Export the `argocd` directory from the `ztp-site-generate` container image using the following commands:
@@ -41,16 +41,14 @@ $ mkdir -p ./out
 $ podman run --log-driver=none --rm registry.redhat.io/openshift4/ztp-site-generate-rhel8:v{product-version} extract /home/ztp --tar | tar x -C ./out
 ----
 
-
 . Check that the `out` directory contains the following subdirectories:
 +
 * `out/extra-manifest` contains the source CR files that `SiteConfig` uses to generate extra manifest `configMap`.
-* `out/source-crs` contains the source CR files that `PolicyGenTemplate` uses to generate the {rh-rhacm-first} policies.
+* `out/source-crs` contains the source CR files that `PolicyGenerator` uses to generate the {rh-rhacm-first} policies.
 * `out/argocd/deployment` contains patches and YAML files to apply on the hub cluster for use in the next step of this procedure.
-* `out/argocd/example` contains the examples for `SiteConfig` and `PolicyGenTemplate` files that represent the recommended configuration.
-
+* `out/argocd/example` contains the examples for `SiteConfig` and `PolicyGenerator` or `PolicyGentemplate` files that represent the recommended configuration.
 
-. Copy the `out/source-crs` folder and contents to the `PolicyGentemplate` directory.
+. Copy the `out/source-crs` folder and contents to the `PolicyGenerator` or `PolicyGentemplate` directory.
 
 . The out/extra-manifests directory contains the reference manifests for a RAN DU cluster.
 Copy the `out/extra-manifests` directory into the `SiteConfig` folder.
@@ -62,24 +60,29 @@ For example:
 [source,text]
 ----
 example/
-  ├── policygentemplates
+  ├── acmpolicygenerator
+  │   ├── kustomization.yaml
+  │   └── source-crs/
+  ├── policygentemplates <1>
   │   ├── kustomization.yaml
   │   └── source-crs/
   └── siteconfig
         ├── extra-manifests
         └── kustomization.yaml
 ----
+<1> Using `PolicyGenTemplate` CRs to manage and deploy polices to manage clusters will be deprecated in a future {product-title} release.
+Equivalent and improved functionality is available by using {rh-rhacm-first} and `PolicyGenerator` CRs.
 
 . Commit the directory structure and the `kustomization.yaml` files and push to your Git repository.
 The initial push to Git should include the `kustomization.yaml` files.
 
 You can use the directory structure under `out/argocd/example` as a reference for the structure and content of your Git repository.
-That structure includes `SiteConfig` and `PolicyGenTemplate` reference CRs for single-node, three-node, and standard clusters.
+That structure includes `SiteConfig` and `PolicyGenerator` or `PolicyGentemplate` reference CRs for single-node, three-node, and standard clusters.
 Remove references to cluster types that you are not using.
 
 For all cluster types, you must:
 
-* Add the `source-crs` subdirectory to the `policygentemplate` directory.
+* Add the `source-crs` subdirectory to the `acmpolicygenerator` or `policygentemplates` directory.
 * Add the `extra-manifests` directory to the `siteconfig` directory.
 
 The following example describes a set of CRs for a network of single-node clusters:
@@ -87,10 +90,10 @@ The following example describes a set of CRs for a network of single-node cluste
 [source,text]
 ----
 example/
-  ├── policygentemplates
-  │   ├── common-ranGen.yaml
-  │   ├── example-sno-site.yaml
-  │   ├── group-du-sno-ranGen.yaml
+  ├── acmpolicygenerator
+  │   ├── acm-common-ranGen.yaml
+  │   ├── acm-example-sno-site.yaml
+  │   ├── acm-group-du-sno-ranGen.yaml
   │   ├── group-du-sno-validator-ranGen.yaml
   │   ├── kustomization.yaml
   │   ├── source-crs/
diff --git a/modules/ztp-provisioning-lvm-storage.adoc b/modules/ztp-provisioning-lvm-storage.adoc
index 56b5d14e622e..b0c4dbccb3ac 100644
--- a/modules/ztp-provisioning-lvm-storage.adoc
+++ b/modules/ztp-provisioning-lvm-storage.adoc
@@ -1,10 +1,11 @@
 // Module included in the following assemblies:
 //
-// * scalability_and_performance/ztp_far_edge/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policygenerator-config.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="ztp-provisioning-lvm-storage_{context}"]
-= Configuring {lvms} using PolicyGenTemplate CRs
+= Configuring {lvms} using {policy-gen-cr} CRs
 
 You can configure {lvms-first} for managed clusters that you deploy with {ztp-first}.
 
@@ -25,57 +26,46 @@ Use the Local Storage Operator for persistent storage that uses local volumes in
 
 .Procedure
 
-. To configure {lvms} for new managed clusters, add the following YAML to `spec.sourceFiles` in the `common-ranGen.yaml` file:
+. To configure {lvms} for new managed clusters, add the following YAML to `{rangen-yaml-path}` in the `{policy-prefix}common-ranGen.yaml` file:
 +
-[source,yaml,subs="attributes+"]
-----
-- fileName: StorageLVMOSubscriptionNS.yaml
-  policyName: subscription-policies
-- fileName: StorageLVMOSubscriptionOperGroup.yaml
-  policyName: subscription-policies
-- fileName: StorageLVMOSubscription.yaml
-  spec:
-    name: lvms-operator
-    channel: stable-{product-version}
-  policyName: subscription-policies
-----
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-ztp-provisioning-lvm-storage.adoc[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-ztp-provisioning-lvm-storage.adoc[]
+endif::[]
 +
 [NOTE]
 ====
 The Storage LVMO subscription is deprecated. In future releases of {product-title}, the storage LVMO subscription will not be available. Instead, you must use the Storage LVMS subscription.
 
-In {product-title} {product-version}, you can use the Storage LVMS subscription instead of the LVMO subscription. The LVMS subscription does not require manual overrides in the `common-ranGen.yaml` file. Add the following YAML to `spec.sourceFiles` in the `common-ranGen.yaml` file to use the Storage LVMS subscription:
+In {product-title} {product-version}, you can use the Storage LVMS subscription instead of the LVMO subscription. The LVMS subscription does not require manual overrides in the `{policy-prefix}common-ranGen.yaml` file. Add the following YAML to `{rangen-yaml-path}` in the `{policy-prefix}common-ranGen.yaml` file to use the Storage LVMS subscription:
 
 [source,yaml]
 ----
-- fileName: StorageLVMSubscriptionNS.yaml
-  policyName: subscription-policies
-- fileName: StorageLVMSubscriptionOperGroup.yaml
-  policyName: subscription-policies
-- fileName: StorageLVMSubscription.yaml
-  policyName: subscription-policies
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-ztp-provisioning-lvm-storage-sub.yaml[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-ztp-provisioning-lvm-storage-sub.yaml[]
+endif::[]
 ----
-
 ====
 
-. Add the `LVMCluster` CR to `spec.sourceFiles` in your specific group or individual site configuration file. For example, in the `group-du-sno-ranGen.yaml` file, add the following:
+. Add the `LVMCluster` CR to `{rangen-yaml-path}` in your specific group or individual site configuration file. For example, in the `{policy-prefix}group-du-sno-ranGen.yaml` file, add the following:
 +
-[source,yaml]
-----
-- fileName: StorageLVMCluster.yaml
-  policyName: "lvms-config" <1>
-  spec:
-    storage:
-      deviceClasses:
-      - name: vg1
-        thinPoolConfig:
-          name: thin-pool-1
-          sizePercent: 90
-          overprovisionRatio: 10
-----
-<1> This example configuration creates a volume group (`vg1`) with all the available devices, except the disk where {product-title} is installed.
+--
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-ztp-provisioning-lvm-storage-cluster.adoc[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-ztp-provisioning-lvm-storage-cluster.adoc[]
+endif::[]
+
+This example configuration creates a volume group (`vg1`) with all the available devices, except the disk where {product-title} is installed.
 A thin-pool logical volume is also created.
+--
 
 . Merge any other required changes and files with your custom site repository.
 
-. Commit the `PolicyGenTemplate` changes in Git, and then push the changes to your site configuration repository to deploy {lvms} to new sites using {ztp}.
+. Commit the `{policy-gen-cr}` changes in Git, and then push the changes to your site configuration repository to deploy {lvms} to new sites using {ztp}.
diff --git a/modules/ztp-recommended-cluster-kernel-config.adoc b/modules/ztp-recommended-cluster-kernel-config.adoc
index cdcfdd99b77e..511adf4c157f 100644
--- a/modules/ztp-recommended-cluster-kernel-config.adoc
+++ b/modules/ztp-recommended-cluster-kernel-config.adoc
@@ -12,17 +12,60 @@ Always use the latest supported real-time kernel version in your cluster. Ensure
 +
 [source,yaml]
 ----
+apiVersion: performance.openshift.io/v2
+kind: PerformanceProfile
+# ...
 spec:
   additionalKernelArgs:
   - "rcupdate.rcu_normal_after_boot=0"
   - "efi=runtime"
-  - "module_blacklist=irdma"
+  - "vfio_pci.enable_sriov=1"
+  - "vfio_pci.disable_idle_d3=1"
+  - "module_blacklist=irdma"  
+  
+  # ...
+----
+
+. Optional: Set the CPU frequency under the `hardwareTuning` field:
++
+You can use hardware tuning to tune CPU frequencies for reserved and isolated core CPUs.
+For FlexRAN like applications, hardware vendors recommend that you run CPU frequencies below the default provided frequencies.
+It is highly recommended that, before setting any frequencies, you refer to the hardware vendor’s guidelines for maximum frequency settings for your processor generation.
+This example shows the frequencies for reserved and isolated CPUs for Sapphire Rapid hardware:
++
+[source,yaml]
+----
+apiVersion: performance.openshift.io/v2
+kind: PerformanceProfile
+metadata:
+  name: openshift-node-performance-profile
+spec:
+      cpu:
+        isolated: "2-19,22-39"
+        reserved: "0-1,20-21"
+      hugepages:
+        defaultHugepagesSize: 1G
+        pages:
+          - size: 1G
+            count: 32
+      realTimeKernel:
+          enabled: true
+      hardwareTuning:
+          isolatedCpuFreq: 2500000
+          reservedCpuFreq: 2800000
 ----
 
 . Ensure that the `performance-patch` profile in the `Tuned` CR configures the correct CPU isolation set that matches the `isolated` CPU set in the related `PerformanceProfile` CR, for example:
 +
 [source,yaml]
 ----
+apiVersion: tuned.openshift.io/v1
+kind: Tuned
+metadata:
+  name: performance-patch
+  namespace: openshift-cluster-node-tuning-operator
+  annotations:
+    ran.openshift.io/ztp-deploy-wave: "10"
 spec:
   profile:
     - name: performance-patch
@@ -33,12 +76,12 @@ spec:
         [main]
         summary=Configuration changes profile inherited from performance created tuned
         include=openshift-node-performance-openshift-node-performance-profile
-        [sysctl]
-        kernel.timer_migration=1
         [scheduler]
         group.ice-ptp=0:f:10:*:ice-ptp.*
         group.ice-gnss=0:f:10:*:ice-gnss.*
+        group.ice-dplls=0:f:10:*:ice-dplls.*
         [service]
         service.stalld=start,enable
         service.chronyd=stop,disable
+# ...
 ----
diff --git a/modules/ztp-removing-content-from-managed-clusters.adoc b/modules/ztp-removing-content-from-managed-clusters.adoc
index b1c2da749cbf..519b006ad0a2 100644
--- a/modules/ztp-removing-content-from-managed-clusters.adoc
+++ b/modules/ztp-removing-content-from-managed-clusters.adoc
@@ -8,7 +8,7 @@
 
 You can remove content from a custom resource (CR) that is deployed in a managed cluster through a policy.
 
-By default, all `Policy` CRs created from a `PolicyGenTemplate` CR have the `complianceType` field set to `musthave`.
+By default, all `Policy` CRs created from a `{policy-gen-cr}` CR have the `complianceType` field set to `musthave`.
 A `musthave` policy without the removed content is still compliant because the CR on the managed cluster has all the specified content.
 With this configuration, when you remove content from a CR, {cgu-operator} removes the content from the policy but the content is not removed from the CR on the managed cluster.
 
@@ -45,16 +45,28 @@ spec:
   enableOperatorWebhook: true
 ----
 
-. Change the `complianceType` of the affected policies to `mustonlyhave` in the `group-du-sno-ranGen.yaml` file.
+. Change the `complianceType` of the affected policies to `mustonlyhave` in the `{policy-prefix}group-du-sno-ranGen.yaml` file.
 +
 .Example YAML
 [source,yaml]
 ----
-# ...
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
 - fileName: SriovOperatorConfig.yaml
   policyName: "config-policy"
   complianceType: mustonlyhave
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+# ...
+policyDefaults:
+  complianceType: "mustonlyhave"
 # ...
+policies:
+  - name: config-policy
+    policyAnnotations:
+      ran.openshift.io/ztp-deploy-wave: ""
+    manifests:
+      - path: source-crs/SriovOperatorConfig.yaml
+endif::[]
 ----
 
 . Create a `ClusterGroupUpdates` CR and specify the clusters that must receive the CR changes::
@@ -124,4 +136,4 @@ $ oc get <kind> <changed_cr_name>
 ----
 
 +
-If there are no results, the CR is removed from the managed cluster.
\ No newline at end of file
+If there are no results, the CR is removed from the managed cluster.
diff --git a/modules/ztp-removing-obsolete-content.adoc b/modules/ztp-removing-obsolete-content.adoc
index 4c37b6707b9d..654eb3e34c87 100644
--- a/modules/ztp-removing-obsolete-content.adoc
+++ b/modules/ztp-removing-obsolete-content.adoc
@@ -6,7 +6,7 @@
 [id="ztp-removing-obsolete-content_{context}"]
 = Removing obsolete content from the {ztp} pipeline
 
-If a change to the `PolicyGenTemplate` configuration results in obsolete policies, for example, if you rename policies, use the following procedure to remove the obsolete policies.
+If a change to the `PolicyGenerator` or `PolicyGentemplate` configuration results in obsolete policies, for example, if you rename policies, use the following procedure to remove the obsolete policies.
 
 .Prerequisites
 
@@ -16,18 +16,18 @@ If a change to the `PolicyGenTemplate` configuration results in obsolete policie
 
 .Procedure
 
-. Remove the affected `PolicyGenTemplate` files from the Git repository, commit and push to the remote repository.
+. Remove the affected `PolicyGenerator` or `PolicyGentemplate` files from the Git repository, commit and push to the remote repository.
 
 . Wait for the changes to synchronize through the application and the affected policies to be removed from the hub cluster.
 
-. Add the updated `PolicyGenTemplate` files back to the Git repository, and then commit and push to the remote repository.
+. Add the updated `PolicyGenerator` or `PolicyGentemplate` files back to the Git repository, and then commit and push to the remote repository.
 +
 [NOTE]
 ====
 Removing {ztp-first} policies from the Git repository, and as a result also removing them from the hub cluster, does not affect the configuration of the managed cluster. The policy and CRs managed by that policy remains in place on the managed cluster.
 ====
 
-. Optional: As an alternative, after making changes to `PolicyGenTemplate` CRs that result in obsolete policies, you can remove these policies from the hub cluster manually. You can delete policies from the {rh-rhacm} console using the *Governance* tab or by running the following command:
+. Optional: As an alternative, after making changes to `PolicyGenerator` or `PolicyGentemplate` CRs that result in obsolete policies, you can remove these policies from the hub cluster manually. You can delete policies from the {rh-rhacm} console using the *Governance* tab or by running the following command:
 +
 [source,terminal]
 ----
diff --git a/modules/ztp-required-changes-to-the-git-repository.adoc b/modules/ztp-required-changes-to-the-git-repository.adoc
index ceafb63998db..451214d7f3b0 100644
--- a/modules/ztp-required-changes-to-the-git-repository.adoc
+++ b/modules/ztp-required-changes-to-the-git-repository.adoc
@@ -8,17 +8,22 @@
 
 When upgrading the `ztp-site-generate` container from an earlier release of {ztp-first} to 4.10 or later, there are additional requirements for the contents of the Git repository. Existing content in the repository must be updated to reflect these changes.
 
-* Make required changes to `PolicyGenTemplate` files:
+[NOTE]
+====
+The following procedure assumes you are using `PolicyGenerator` resources instead of `PolicyGentemplate` resources for cluster policies management.
+====
+
+* Make required changes to `PolicyGenerator` files:
 +
-All `PolicyGenTemplate` files must be created in a `Namespace` prefixed with `ztp`. This ensures that the {ztp} application is able to manage the policy CRs generated by {ztp} without conflicting with the way {rh-rhacm-first} manages the policies internally.
+All `PolicyGenerator` files must be created in a `Namespace` prefixed with `ztp`. This ensures that the {ztp} application is able to manage the policy CRs generated by {ztp} without conflicting with the way {rh-rhacm-first} manages the policies internally.
 
 * Add the `kustomization.yaml` file to the repository:
 +
-All `SiteConfig` and `PolicyGenTemplate` CRs must be included in a `kustomization.yaml` file under their respective directory trees. For example:
+All `SiteConfig` and `PolicyGenerator` CRs must be included in a `kustomization.yaml` file under their respective directory trees. For example:
 +
 [source,terminal]
 ----
-├── policygentemplates
+├── acmpolicygenerator
 │   ├── site1-ns.yaml
 │   ├── site1.yaml
 │   ├── site2-ns.yaml
@@ -36,10 +41,10 @@ All `SiteConfig` and `PolicyGenTemplate` CRs must be included in a `kustomizatio
 +
 [NOTE]
 ====
-The files listed in the `generator` sections must contain either `SiteConfig` or `PolicyGenTemplate` CRs only. If your existing YAML files contain other CRs, for example, `Namespace`, these other CRs must be pulled out into separate files and listed in the `resources` section.
+The files listed in the `generator` sections must contain either `SiteConfig` or `{policy-gen-cr}` CRs only. If your existing YAML files contain other CRs, for example, `Namespace`, these other CRs must be pulled out into separate files and listed in the `resources` section.
 ====
 +
-The `PolicyGenTemplate` kustomization file must contain all `PolicyGenTemplate` YAML files in the `generator` section and `Namespace` CRs in the `resources` section. For example:
+The `PolicyGenerator` kustomization file must contain all `PolicyGenerator` YAML files in the `generator` section and `Namespace` CRs in the `resources` section. For example:
 +
 [source,yaml]
 ----
@@ -47,14 +52,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 generators:
-- common-ranGen.yaml
-- group-du-sno-ranGen.yaml
+- acm-common-ranGen.yaml
+- acm-group-du-sno-ranGen.yaml
 - site1.yaml
 - site2.yaml
 
 resources:
 - common-ns.yaml
-- group-du-sno-ranGen-ns.yaml
+- acm-group-du-sno-ranGen-ns.yaml
 - site1-ns.yaml
 - site2-ns.yaml
 ----
@@ -77,11 +82,11 @@ In {product-title} 4.10 and later, the `pre-sync.yaml` and `post-sync.yaml` file
 +
 [NOTE]
 ====
-There is a set of `pre-sync.yaml` and `post-sync.yaml` files under both the `SiteConfig` and `PolicyGenTemplate` trees.
+There is a set of `pre-sync.yaml` and `post-sync.yaml` files under both the `SiteConfig` and `{policy-gen-cr}` trees.
 ====
 
 * Review and incorporate recommended changes
 +
 Each release may include additional recommended changes to the configuration applied to deployed clusters. Typically these changes result in lower CPU use by the OpenShift platform, additional features, or improved tuning of the platform.
 +
-Review the reference `SiteConfig` and `PolicyGenTemplate` CRs applicable to the types of cluster in your network. These examples can be found in the `argocd/example` directory extracted from the {ztp} container.
+Review the reference `SiteConfig` and `PolicyGenerator` CRs applicable to the types of cluster in your network. These examples can be found in the `argocd/example` directory extracted from the {ztp} container.
diff --git a/modules/ztp-restarting-policies-reconciliation.adoc b/modules/ztp-restarting-policies-reconciliation.adoc
index bf041b2ad7af..5cbc3faa45b4 100644
--- a/modules/ztp-restarting-policies-reconciliation.adoc
+++ b/modules/ztp-restarting-policies-reconciliation.adoc
@@ -36,6 +36,6 @@ $ oc get clustergroupupgrades -n ztp-install $CLUSTER -o jsonpath='{.status.cond
 $ oc delete clustergroupupgrades -n ztp-install $CLUSTER
 ----
 
-Note that when the `ClusterGroupUpgrade` CR completes with status `UpgradeCompleted` and the managed cluster has the label `ztp-done` applied, you can make additional configuration changes using `PolicyGenTemplate`. Deleting the existing `ClusterGroupUpgrade` CR will not make the {cgu-operator} generate a new CR.
+Note that when the `ClusterGroupUpgrade` CR completes with status `UpgradeCompleted` and the managed cluster has the label `ztp-done` applied, you can make additional configuration changes by using `{policy-gen-cr}`. Deleting the existing `ClusterGroupUpgrade` CR will not make the {cgu-operator} generate a new CR.
 
 At this point, {ztp} has completed its interaction with the cluster and any further interactions should be treated as an update and a new `ClusterGroupUpgrade` CR created for remediation of the policies.
diff --git a/modules/ztp-site-cleanup.adoc b/modules/ztp-site-cleanup.adoc
index 3008d64a123a..f25a990d9fd8 100644
--- a/modules/ztp-site-cleanup.adoc
+++ b/modules/ztp-site-cleanup.adoc
@@ -16,10 +16,10 @@ You can remove a managed site and the associated installation and configuration
 
 .Procedure
 
-. Remove a site and the associated CRs by removing the associated `SiteConfig` and `PolicyGenTemplate` files from the `kustomization.yaml` file.
+. Remove a site and the associated CRs by removing the associated `SiteConfig` and `PolicyGenerator` or `PolicyGentemplate` files from the `kustomization.yaml` file.
 +
 When you run the {ztp} pipeline again, the generated CRs are removed.
 
-. Optional: If you want to permanently remove a site, you should also remove the `SiteConfig` and site-specific `PolicyGenTemplate` files from the Git repository.
+. Optional: If you want to permanently remove a site, you should also remove the `SiteConfig` and site-specific `PolicyGenerator` or `PolicyGentemplate` files from the Git repository.
 
-. Optional: If you want to remove a site temporarily, for example when redeploying a site, you can leave the `SiteConfig` and site-specific `PolicyGenTemplate` CRs in the Git repository.
+. Optional: If you want to remove a site temporarily, for example when redeploying a site, you can leave the `SiteConfig` and site-specific `PolicyGenerator` or `PolicyGentemplate` CRs in the Git repository.
diff --git a/modules/ztp-sno-accelerated-ztp.adoc b/modules/ztp-sno-accelerated-ztp.adoc
new file mode 100644
index 000000000000..134ddefe2bd9
--- /dev/null
+++ b/modules/ztp-sno-accelerated-ztp.adoc
@@ -0,0 +1,80 @@
+// Module included in the following assemblies:
+//
+// * edge_computing/ztp-deploying-far-edge-sites.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="ztp-sno-accelerated-ztp_{context}"]
+= Accelerated provisioning of {ztp}
+
+:FeatureName: Accelerated provisioning of {ztp}
+include::snippets/technology-preview.adoc[]
+
+You can reduce the time taken for cluster installation by using accelerated provisioning of {ztp} for {sno}. 
+Accelerated ZTP speeds up installation by applying Day 2 manifests derived from policies at an earlier stage. 
+
+[IMPORTANT]
+====
+Accelerated provisioning of {ztp} is supported only when installing {sno} with Assisted Installer. Otherwise this installation method will fail.
+====
+
+[id="activating-accelerated-ztp_{context}"]
+== Activating accelerated ZTP
+
+You can activate accelerated ZTP using the `spec.clusters.clusterLabels.accelerated-ztp` label, as in the following example:
+
+.Example Accelerated ZTP `SiteConfig` CR.
+[source,yaml]
+----
+apiVersion: ran.openshift.io/v2
+kind: SiteConfig
+metadata:
+  name: "example-sno"
+  namespace: "example-sno"
+spec:
+  baseDomain: "example.com"
+  pullSecretRef:
+    name: "assisted-deployment-pull-secret"
+  clusterImageSetNameRef: "openshift-4.10"
+  sshPublicKey: "ssh-rsa AAAA..."
+  clusters:
+  # ...
+    clusterLabels:
+        common: true
+        group-du-sno: ""
+        sites : "example-sno"
+        accelerated-ztp: full
+
+----
+
+You can use `accelerated-ztp: full` to fully automate the accelerated process. 
+{ztp} updates the `AgentClusterInstall` resource with a reference to the accelerated {ztp} `ConfigMap`, and includes resources extracted from policies by {cgu-operator}, and accelerated ZTP job manifests. 
+
+If you use `accelerated-ztp: partial`, {ztp} does not include the accelerated job manifests, but includes policy-derived objects created during the cluster installation of the following `kind` types:
+
+* `PerformanceProfile.performance.openshift.io`
+* `Tuned.tuned.openshift.io`
+* `Namespace`
+* `CatalogSource.operators.coreos.com`
+* `ContainerRuntimeConfig.machineconfiguration.openshift.io`
+
+This partial acceleration can reduce the number of reboots done by the node when applying resources of the kind `Performance Profile`, `Tuned`, and `ContainerRuntimeConfig`. 
+{cgu-operator} installs the Operator subscriptions derived from policies after {rh-rhacm} completes the import of the cluster, following the same flow as standard {ztp}.
+
+The benefits of accelerated ZTP increase with the scale of your deployment. 
+Using `accelerated-ztp: full` gives more benefit on a large number of clusters. 
+With a smaller number of clusters, the reduction in installation time is less significant.
+Full accelerated ZTP leaves behind a namespace and a completed job on the spoke that need to be manually removed.
+
+One benefit of using `accelerated-ztp: partial` is that you can override the functionality of the on-spoke job if something goes wrong with the stock implementation or if you require a custom functionality.
+
+[id="the-accelerated-ztp-process_{context}"]
+== The accelerated ZTP process
+
+Accelerated ZTP uses an additional `ConfigMap` to create the resources derived from policies on the spoke cluster.  
+The standard `ConfigMap` includes manifests that the {ztp} workflow uses to customize cluster installs. 
+
+{cgu-operator} detects that the `accelerated-ztp` label is set and then creates a second `ConfigMap`.
+As part of accelerated ZTP, the `SiteConfig` generator adds a reference to that second `ConfigMap` using the naming convention `<spoke-cluster-name>-aztp`. 
+
+After {cgu-operator} creates that second `ConfigMap`, it finds all policies bound to the managed cluster and extracts the {ztp} profile information. 
+{cgu-operator} adds the {ztp} profile information to the `<spoke-cluster-name>-aztp` `ConfigMap` custom resource (CR) and applies the CR to the hub cluster API. 
diff --git a/modules/ztp-sno-du-accelerating-container-startup.adoc b/modules/ztp-sno-du-accelerating-container-startup.adoc
deleted file mode 100644
index b7b5ebc52963..000000000000
--- a/modules/ztp-sno-du-accelerating-container-startup.adoc
+++ /dev/null
@@ -1,15 +0,0 @@
-// Module included in the following assemblies:
-//
-// * scalability_and_performance/ztp_far_edge/ztp-reference-cluster-configuration-for-vdu.adoc
-
-:_mod-docs-content-type: CONCEPT
-[id="ztp-sno-du-accelerating-container-startup_{context}"]
-= Accelerated container startup
-
-The following `MachineConfig` CR configures core OpenShift processes and containers to use all available CPU cores during system startup and shutdown. This accelerates the system recovery during initial boot and reboots.
-
-.Recommended accelerated container startup configuration (`04-accelerated-container-startup-master.yaml`)
-[source,yaml]
-----
-include::snippets/ztp_04-accelerated-container-startup-master.yaml[]
-----
diff --git a/modules/ztp-sno-du-tuning-the-performance-patch.adoc b/modules/ztp-sno-du-tuning-the-performance-patch.adoc
index 3855f4dff191..8bf6e4fe74d7 100644
--- a/modules/ztp-sno-du-tuning-the-performance-patch.adoc
+++ b/modules/ztp-sno-du-tuning-the-performance-patch.adoc
@@ -23,6 +23,4 @@ include::snippets/ztp_TunedPerformancePatch.yaml[]
 |`spec.profile.data`
 a|* The `include` line that you set in `spec.profile.data` must match the associated `PerformanceProfile` CR name.
 For example, `include=openshift-node-performance-${PerformanceProfile.metadata.name}`.
-
-* When using the non-realtime kernel, remove the `timer_migration override` line from the `[sysctl]` section.
 |====
diff --git a/modules/ztp-sno-siteconfig-config-reference.adoc b/modules/ztp-sno-siteconfig-config-reference.adoc
index 537281ec4de9..ba459f2cf519 100644
--- a/modules/ztp-sno-siteconfig-config-reference.adoc
+++ b/modules/ztp-sno-siteconfig-config-reference.adoc
@@ -40,8 +40,11 @@ Adding additional components back into the system might require additional reser
 |Specifies the cluster image set used to deploy an individual cluster. If defined, it overrides the `spec.clusterImageSetNameRef` at site level.
 
 |`spec.clusters.clusterLabels`
-|Configure cluster labels to correspond to the `bindingRules` field in the `PolicyGenTemplate` CRs that you define.
-For example, `policygentemplates/common-ranGen.yaml` applies to all clusters with `common: true` set, `policygentemplates/group-du-sno-ranGen.yaml` applies to all clusters with `group-du-sno: ""` set.
+|Configure cluster labels to correspond to the binding rules in the `PolicyGenerator` or `PolicyGentemplate` CRs that you define.
+`PolicyGenerator` CRs use the `policyDefaults.placement.labelSelector` field.
+`PolicyGentemplate` CRs use the `spec.bindingRules` field.
+
+For example, `acmpolicygenerator/acm-common-ranGen.yaml` applies to all clusters with `common: true` set, `acmpolicygenerator/acm-group-du-sno-ranGen.yaml` applies to all clusters with `group-du-sno: ""` set.
 
 |`spec.clusters.crTemplates.KlusterletAddonConfig`
 |Optional. Set `KlusterletAddonConfig` to `KlusterletAddonConfigOverride.yaml to override the default `KlusterletAddonConfig` that is created for the cluster.
@@ -80,18 +83,12 @@ When creating the `bmh-secret` CR, use the same namespace as the `SiteConfig` CR
 The default value is `UEFI`. Use `UEFISecureBoot` to enable secure boot on the host.
 
 |`spec.clusters.nodes.rootDeviceHints`
-|Specifies the device for deployment. Identifiers that are stable across reboots are recommended, for example, `wwn: <disk_wwn>` or `deviceName: /dev/disk/by-path/<device_path>`. For a detailed list of stable identifiers, see the "About root device hints section".
-
-|`spec.clusters.nodes.diskPartition`
-|Optional. The provided example `diskPartition` is used to configure additional disk partitions.
+|Specifies the device for deployment. Identifiers that are stable across reboots are recommended. For example, `wwn: <disk_wwn>` or `deviceName: /dev/disk/by-path/<device_path>`. `<by-path>` values are preferred. For a detailed list of stable identifiers, see the "About root device hints" section.
 
 |`spec.clusters.nodes.ignitionConfigOverride`
 |Optional. Use this field to assign partitions for persistent storage.
 Adjust disk ID and size to the specific hardware.
 
-|`spec.clusters.nodes.cpuset`
-|Configure `cpuset` to match value that you set in the cluster `PerformanceProfile` CR `spec.cpu.reserved` field for workload partitioning.
-
 |`spec.clusters.nodes.nodeNetwork`
 |Configure the network settings for the node.
 
diff --git a/modules/ztp-specifying-nics-in-pgt-crs-with-hub-cluster-templates.adoc b/modules/ztp-specifying-nics-in-pgt-crs-with-hub-cluster-templates.adoc
index ec4e6831aa3f..54fed2d18044 100644
--- a/modules/ztp-specifying-nics-in-pgt-crs-with-hub-cluster-templates.adoc
+++ b/modules/ztp-specifying-nics-in-pgt-crs-with-hub-cluster-templates.adoc
@@ -4,16 +4,16 @@
 
 :_mod-docs-content-type: PROCEDURE
 [id="ztp-specifying-nics-in-pgt-crs-with-hub-cluster-templates_{context}"]
-= Specifying group and site configuration in group PolicyGenTemplate CRs with hub templates
+= Specifying group and site configurations in group PolicyGenerator or PolicyGentemplate CRs
 
 You can manage the configuration of fleets of clusters with `ConfigMap` CRs by using hub templates to populate the group and site values in the generated policies that get applied to the managed clusters.
-Using hub templates in site `PolicyGenTemplate` (PGT) CRs means that you do not need to create a `PolicyGenTemplate` CR for each site.
+Using hub templates in site `PolicyGenerator` or `PolicyGentemplate` CRs means that you do not need to create a policy CR for each site.
 
 You can group the clusters in a fleet in various categories, depending on the use case, for example hardware type or region. 
 Each cluster should have a label corresponding to the group or groups that the cluster is in. 
-If you manage the configuration values for each group in different `ConfigMap` CRs, then you require only one group `PolicyGenTemplate` CR to apply the changes to all the clusters in the group by using hub templates.
+If you manage the configuration values for each group in different `ConfigMap` CRs, then you require only one group policy CR to apply the changes to all the clusters in the group by using hub templates.
 
-The following example shows you how to use three `ConfigMap` CRs and one group `PolicyGenTemplate` CR to apply both site and group configuration to clusters grouped by hardware type and region.
+The following example shows you how to use three `ConfigMap` CRs and one `PolicyGenerator` CR to apply both site and group configuration to clusters grouped by hardware type and region.
 
 [NOTE]
 ====
@@ -91,7 +91,7 @@ data:
 +
 [NOTE]
 ====
-Each `ConfigMap` CR must be in the same namespace as the policy to be generated from the group `PolicyGenTemplate` CR.
+Each `ConfigMap` CR must be in the same namespace as the policy to be generated from the group `PolicyGenerator` CR.
 ====
 
 . Commit the `ConfigMap` CRs in Git, and then push to the Git repository being monitored by the Argo CD application.
@@ -104,109 +104,43 @@ The following command applies to a single cluster named `du-sno-1-zone-1` and th
 $ oc patch managedclusters.cluster.open-cluster-management.io/du-sno-1-zone-1 --type merge -p '{"metadata":{"labels":{"hardware-type": "hardware-type-1", "group-du-sno-zone": "zone-1"}}}'
 ----
 
-. Create a group `PolicyGenTemplate` CR that uses hub templates to obtain the required data from the `ConfigMap` objects. 
+. Depending on your requirements, Create a group `PolicyGenerator` or `PolicyGentemplate` CR that uses hub templates to obtain the required data from the `ConfigMap` objects:
++
+--
+.. Create a group `PolicyGenerator` CR.
+This example `PolicyGenerator` CR configures logging, VLAN IDs, NICs and Performance Profile for the clusters that match the labels listed the under `policyDefaults.placement` field:
++
+[source,yaml]
+----
+include::snippets/pg-ztp-specifying-nics-in-pgt-hub-cluster-templates.yaml[]
+----
+
+.. Create a group `PolicyGenTemplate` CR.
 This example `PolicyGenTemplate` CR configures logging, VLAN IDs, NICs and Performance Profile for the clusters that match the labels listed under `spec.bindingRules`:
 +
 [source,yaml]
 ----
-apiVersion: ran.openshift.io/v1
-kind: PolicyGenTemplate
-metadata:
-  name: group-du-sno-pgt
-  namespace: ztp-group
-spec:
-  bindingRules:
-    # These policies will correspond to all clusters with these labels
-    group-du-sno-zone: "zone-1"
-    hardware-type: "hardware-type-1"
-  mcp: "master"
-  sourceFiles:
-    - fileName: ClusterLogForwarder.yaml # wave 10
-      policyName: "group-du-sno-cfg-policy"
-      spec:
-        outputs: '{{hub fromConfigMap "" "group-zones-configmap" (printf "%s-cluster-log-fwd-outputs" (index .ManagedClusterLabels "group-du-sno-zone")) | toLiteral hub}}'
-        pipelines: '{{hub fromConfigMap "" "group-zones-configmap" (printf "%s-cluster-log-fwd-pipelines" (index .ManagedClusterLabels "group-du-sno-zone")) | toLiteral hub}}'
-
-    - fileName: PerformanceProfile.yaml # wave 10
-      policyName: "group-du-sno-cfg-policy"
-      metadata:
-        name: openshift-node-performance-profile
-      spec:
-        additionalKernelArgs:
-        - rcupdate.rcu_normal_after_boot=0
-        - vfio_pci.enable_sriov=1
-        - vfio_pci.disable_idle_d3=1
-        - efi=runtime
-        cpu:
-          isolated: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-cpu-isolated" (index .ManagedClusterLabels "hardware-type")) hub}}'
-          reserved: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-cpu-reserved" (index .ManagedClusterLabels "hardware-type")) hub}}'
-        hugepages:
-          defaultHugepagesSize: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-default" (index .ManagedClusterLabels "hardware-type")) hub}}'
-          pages:
-            - size: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-size" (index .ManagedClusterLabels "hardware-type")) hub}}'
-              count: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-count" (index .ManagedClusterLabels "hardware-type")) | toInt hub}}'
-        realTimeKernel:
-          enabled: true
-
-    - fileName: SriovNetwork.yaml # wave 100
-      policyName: "group-du-sno-sriov-policy"
-      metadata:
-        name: sriov-nw-du-fh
-      spec:
-        resourceName: du_fh
-        vlan: '{{hub fromConfigMap "" "site-data-configmap" (printf "%s-sriov-network-vlan-1" .ManagedClusterName) | toInt hub}}'
-        
-    - fileName: SriovNetworkNodePolicy.yaml # wave 100
-      policyName: "group-du-sno-sriov-policy"
-      metadata:
-        name: sriov-nnp-du-fh
-      spec:
-        deviceType: netdevice
-        isRdma: false
-        nicSelector:
-          pfNames: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-sriov-node-policy-pfNames-1" (index .ManagedClusterLabels "hardware-type")) | toLiteral hub}}'
-        numVfs: 8
-        priority: 10
-        resourceName: du_fh
-
-    - fileName: SriovNetwork.yaml # wave 100
-      policyName: "group-du-sno-sriov-policy"
-      metadata:
-        name: sriov-nw-du-mh
-      spec:
-        resourceName: du_mh
-        vlan: '{{hub fromConfigMap "" "site-data-configmap" (printf "%s-sriov-network-vlan-2" .ManagedClusterName) | toInt hub}}'
-
-    - fileName: SriovNetworkNodePolicy.yaml # wave 100
-      policyName: "group-du-sno-sriov-policy"
-      metadata:
-        name: sriov-nw-du-fh
-      spec:
-        deviceType: netdevice
-        isRdma: false
-        nicSelector:
-          pfNames: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-sriov-node-policy-pfNames-2" (index .ManagedClusterLabels "hardware-type")) | toLiteral hub}}'
-        numVfs: 8
-        priority: 10
-        resourceName: du_fh
+include::snippets/ztp-specifying-nics-in-pgt-hub-cluster-templates.yaml[]
 ----
+--
+
 +
 [NOTE]
 ====
-To retrieve site-specific configuration values, use the `.ManagedClusterName` field. 
+To retrieve site-specific configuration values, use the `.ManagedClusterName` field.
 This is a template context value set to the name of the target managed cluster.
 
-To retrieve group-specific configuration, use the `.ManagedClusterLabels` field. 
+To retrieve group-specific configuration, use the `.ManagedClusterLabels` field.
 This is a template context value set to the value of the managed cluster's labels.
 ====
 
-. Commit the site `PolicyGenTemplate` CR in Git and push to the Git repository that is monitored by the ArgoCD application.
+. Commit the site `PolicyGenerator` or `PolicyGentemplate` CR in Git and push to the Git repository that is monitored by the ArgoCD application.
 +
 [NOTE]
 ====
 Subsequent changes to the referenced `ConfigMap` CR are not automatically synced to the applied policies. 
-You need to manually sync the new `ConfigMap` changes to update existing `PolicyGenTemplate` CRs. See "Syncing new ConfigMap changes to existing PolicyGenTemplate CRs".
+You need to manually sync the new `ConfigMap` changes to update existing `PolicyGenerator` CRs. See "Syncing new ConfigMap changes to existing PolicyGenerator or PolicyGenTemplate CRs".
 
-You can use the same `PolicyGenTemplate` CR for multiple clusters. 
+You can use the same `PolicyGenerator` or `PolicyGentemplate` CR for multiple clusters.
 If there is a configuration change, then the only modifications you need to make are to the `ConfigMap` objects that hold the configuration for each cluster and the labels of the managed clusters.
 ====
diff --git a/modules/ztp-syncing-new-configmap-changes-to-existing-pgt-crs.adoc b/modules/ztp-syncing-new-configmap-changes-to-existing-pgt-crs.adoc
index 88ea45d380a5..b1791df016c1 100644
--- a/modules/ztp-syncing-new-configmap-changes-to-existing-pgt-crs.adoc
+++ b/modules/ztp-syncing-new-configmap-changes-to-existing-pgt-crs.adoc
@@ -1,10 +1,10 @@
 // Module included in the following assemblies:
 //
-// * scalability_and_performance/ztp_far_edge/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-using-hub-cluster-templates.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="ztp-syncing-new-configmap-changes-to-existing-pgt-crs_{context}"]
-= Syncing new ConfigMap changes to existing PolicyGenTemplate CRs
+= Syncing new ConfigMap changes to existing PolicyGenerator or PolicyGentemplate CRs
 
 .Prerequisites
 
@@ -12,7 +12,7 @@
 
 * You have logged in to the hub cluster as a user with `cluster-admin` privileges.
 
-* You have created a `PolicyGenTemplate` CR that pulls information from a `ConfigMap` CR using hub cluster templates.
+* You have created a `PolicyGenerator` or `PolicyGentemplate` CR that pulls information from a `ConfigMap` CR using hub cluster templates.
 
 .Procedure
 
@@ -20,7 +20,7 @@
 
 . To sync the contents of the updated `ConfigMap` CR to the deployed policy, do either of the following:
 
-.. Option 1: Delete the existing policy. ArgoCD uses the `PolicyGenTemplate` CR to immediately recreate the deleted policy. For example, run the following command:
+.. Option 1: Delete the existing policy. ArgoCD uses the `PolicyGenerator` or `PolicyGentemplate` CR to immediately recreate the deleted policy. For example, run the following command:
 +
 [source,terminal]
 ----
diff --git a/modules/ztp-talo-integration.adoc b/modules/ztp-talo-integration.adoc
index 05ba8bcb5de6..f5c3fcb74822 100644
--- a/modules/ztp-talo-integration.adoc
+++ b/modules/ztp-talo-integration.adoc
@@ -25,11 +25,11 @@ To automate the initial configuration of newly deployed clusters, {cgu-operator}
 The automatic creation of an enabled `ClusterGroupUpgrade` ensures that initial zero-touch deployment of clusters proceeds without the need for user intervention. Additionally, the automatic creation of a `ClusterGroupUpgrade` CR for any `ManagedCluster` without the `ztp-done` label allows a failed {ztp} installation to be restarted by simply deleting the `ClusterGroupUpgrade` CR for the cluster.
 
 Waves::
-Each policy generated from a `PolicyGenTemplate` CR includes a `ztp-deploy-wave` annotation. This annotation is based on the same annotation from each CR which is included in that policy. The wave annotation is used to order the policies in the auto-generated `ClusterGroupUpgrade` CR. The wave annotation is not used other than for the auto-generated `ClusterGroupUpgrade` CR.
+Each policy generated from a `PolicyGenerator` or `PolicyGentemplate` CR includes a `ztp-deploy-wave` annotation. This annotation is based on the same annotation from each CR which is included in that policy. The wave annotation is used to order the policies in the auto-generated `ClusterGroupUpgrade` CR. The wave annotation is not used other than for the auto-generated `ClusterGroupUpgrade` CR.
 +
 [NOTE]
 ====
-All CRs in the same policy must have the same setting for the `ztp-deploy-wave` annotation. The default value of this annotation for each CR can be overridden in the `PolicyGenTemplate`. The wave annotation in the source CR is used for determining and setting the policy wave annotation. This annotation is removed from each built CR which is included in the generated policy at runtime.
+All CRs in the same policy must have the same setting for the `ztp-deploy-wave` annotation. The default value of this annotation for each CR can be overridden in the `PolicyGenerator` or `PolicyGentemplate`. The wave annotation in the source CR is used for determining and setting the policy wave annotation. This annotation is removed from each built CR which is included in the generated policy at runtime.
 ====
 +
 The {cgu-operator} applies the configuration policies in the order specified by the wave annotations. The {cgu-operator} waits for each policy to be compliant before moving to the next policy. It is important to ensure that the wave annotation for each CR takes into account any prerequisites for those CRs to be applied to the cluster. For example, an Operator must be installed before or concurrently with the configuration for the Operator. Similarly, the `CatalogSource` for an Operator must be installed in a wave before or concurrently with the Operator Subscription. The default wave value for each CR takes these prerequisites into account.
diff --git a/modules/ztp-telco-ran-software-versions.adoc b/modules/ztp-telco-ran-software-versions.adoc
index f739364c2539..2e5a1220e3c2 100644
--- a/modules/ztp-telco-ran-software-versions.adoc
+++ b/modules/ztp-telco-ran-software-versions.adoc
@@ -16,28 +16,28 @@ The Red Hat telco RAN DU {product-version} solution has been validated using the
 |Software version
 
 |Managed cluster version
-|4.15
+|4.16
 
 |Cluster Logging Operator
-|5.8
+|5.9
 
 |Local Storage Operator
-|4.15
+|4.16
 
 |PTP Operator
-|4.15
+|4.16
 
 |SRIOV Operator
-|4.15
+|4.16
 
 |Node Tuning Operator
-|4.15
+|4.16
 
 |Logging Operator
-|4.15
+|4.16
 
 |SRIOV-FEC Operator
-|2.8
+|2.9
 |====
 
 .Hub cluster validated software components
@@ -47,17 +47,17 @@ The Red Hat telco RAN DU {product-version} solution has been validated using the
 |Software version
 
 |Hub cluster version
-|4.15
+|4.16
 
 |{ztp} plugin
-|4.15
+|4.16
 
 |{rh-rhacm-first}
-|2.9, 2.10
+|2.11
 
 |{gitops-title}
-|1.11
+|1.12
 
 |{cgu-operator-first}
-|4.15
+|4.16
 |====
diff --git a/modules/ztp-the-policygentemplate.adoc b/modules/ztp-the-policygentemplate.adoc
index d16c4838849b..a1e141a1d93a 100644
--- a/modules/ztp-the-policygentemplate.adoc
+++ b/modules/ztp-the-policygentemplate.adoc
@@ -4,106 +4,30 @@
 
 :_mod-docs-content-type: REFERENCE
 [id="ztp-the-policygentemplate_{context}"]
-= About the PolicyGenTemplate CRD
+= About the {policy-gen-cr} CRD
 
-The `PolicyGenTemplate` custom resource definition (CRD) tells the `PolicyGen` policy generator what custom resources (CRs) to include in the cluster configuration, how to combine the CRs into the generated policies, and what items in those CRs need to be updated with overlay content.
+The `{policy-gen-cr}` custom resource definition (CRD) tells the `PolicyGen` policy generator what custom resources (CRs) to include in the cluster configuration, how to combine the CRs into the generated policies, and what items in those CRs need to be updated with overlay content.
 
-The following example shows a `PolicyGenTemplate` CR (`common-du-ranGen.yaml`) extracted from the `ztp-site-generate` reference container. The `common-du-ranGen.yaml` file defines two {rh-rhacm-first} policies. The polices manage a collection of configuration CRs, one for each unique value of `policyName` in the CR. `common-du-ranGen.yaml` creates a single placement binding and a placement rule to bind the policies to clusters based on the labels listed in the `bindingRules` section.
+The following example shows a `{policy-gen-cr}` CR (`{policy-prefix}common-du-ranGen.yaml`) extracted from the `ztp-site-generate` reference container. The `{policy-prefix}common-du-ranGen.yaml` file defines two {rh-rhacm-first} policies. The polices manage a collection of configuration CRs, one for each unique value of `policyName` in the CR. `{policy-prefix}common-du-ranGen.yaml` creates a single placement binding and a placement rule to bind the policies to clusters based on the labels listed in the `{binding-field}` section.
 
-.Example PolicyGenTemplate CR - common-du-ranGen.yaml
-[source,yaml]
-----
----
-apiVersion: ran.openshift.io/v1
-kind: PolicyGenTemplate
-metadata:
-  name: "common"
-  namespace: "ztp-common"
-spec:
-  bindingRules:
-    common: "true" <1>
-  sourceFiles: <2>
-    - fileName: SriovSubscription.yaml
-      policyName: "subscriptions-policy"
-    - fileName: SriovSubscriptionNS.yaml
-      policyName: "subscriptions-policy"
-    - fileName: SriovSubscriptionOperGroup.yaml
-      policyName: "subscriptions-policy"
-    - fileName: SriovOperatorStatus.yaml
-      policyName: "subscriptions-policy"
-    - fileName: PtpSubscription.yaml
-      policyName: "subscriptions-policy"
-    - fileName: PtpSubscriptionNS.yaml
-      policyName: "subscriptions-policy"
-    - fileName: PtpSubscriptionOperGroup.yaml
-      policyName: "subscriptions-policy"
-    - fileName: PtpOperatorStatus.yaml
-      policyName: "subscriptions-policy"
-    - fileName: ClusterLogNS.yaml
-      policyName: "subscriptions-policy"
-    - fileName: ClusterLogOperGroup.yaml
-      policyName: "subscriptions-policy"
-    - fileName: ClusterLogSubscription.yaml
-      policyName: "subscriptions-policy"
-    - fileName: ClusterLogOperatorStatus.yaml
-      policyName: "subscriptions-policy"
-    - fileName: StorageNS.yaml
-      policyName: "subscriptions-policy"
-    - fileName: StorageOperGroup.yaml
-      policyName: "subscriptions-policy"
-    - fileName: StorageSubscription.yaml
-      policyName: "subscriptions-policy"
-    - fileName: StorageOperatorStatus.yaml
-      policyName: "subscriptions-policy"
-    - fileName: ReduceMonitoringFootprint.yaml
-      policyName: "config-policy"
-    - fileName: OperatorHub.yaml <3>
-      policyName: "config-policy"
-    - fileName: DefaultCatsrc.yaml <4>
-      policyName: "config-policy" <5>
-      metadata:
-        name: redhat-operators
-      spec:
-        displayName: disconnected-redhat-operators
-        image: registry.example.com:5000/disconnected-redhat-operators/disconnected-redhat-operator-index:v4.9
-    - fileName: DisconnectedICSP.yaml
-      policyName: "config-policy"
-      spec:
-        repositoryDigestMirrors:
-        - mirrors:
-          - registry.example.com:5000
-          source: registry.redhat.io
-----
-<1> `common: "true"` applies the policies to all clusters with this label.
-<2> Files listed under `sourceFiles` create the Operator policies for installed clusters.
-<3> `OperatorHub.yaml` configures the OperatorHub for the disconnected registry.
-<4> `DefaultCatsrc.yaml` configures the catalog source for the disconnected registry.
-<5> `policyName: "config-policy"` configures Operator subscriptions. The `OperatorHub` CR disables the default and this CR replaces `redhat-operators` with a `CatalogSource` CR that points to the disconnected registry.
+.Example {policy-gen-cr} CR - {policy-prefix}common-ranGen.yaml
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-ztp-the-policygentemplate.adoc[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-ztp-the-policygenerator.adoc[]
+endif::[]
 
-A `PolicyGenTemplate` CR can be constructed with any number of included CRs. Apply the following example CR in the hub cluster to generate a policy containing a single CR:
+A `{policy-gen-cr}` CR can be constructed with any number of included CRs. Apply the following example CR in the hub cluster to generate a policy containing a single CR:
 
 [source,yaml]
 ----
-apiVersion: ran.openshift.io/v1
-kind: PolicyGenTemplate
-metadata:
-  name: "group-du-sno"
-  namespace: "ztp-group"
-spec:
-  bindingRules:
-    group-du-sno: ""
-  mcp: "master"
-  sourceFiles:
-    - fileName: PtpConfigSlave.yaml
-      policyName: "config-policy"
-      metadata:
-        name: "du-ptp-slave"
-      spec:
-        profile:
-        - name: "slave"
-          interface: "ens5f0"
-          ptp4lOpts: "-2 -s --summary_interval -4"
-          phc2sysOpts: "-a -r -n 24"
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/ztp-the-policygentemplate-single.yaml[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/ztp-the-policygenerator-single.yaml[]
+endif::[]
 ----
 
 Using the source file `PtpConfigSlave.yaml` as an example, the file defines a `PtpConfig` CR. The generated policy for the `PtpConfigSlave` example is named `group-du-sno-config-policy`. The `PtpConfig` CR defined in the generated `group-du-sno-config-policy` is named `du-ptp-slave`. The `spec` defined in `PtpConfigSlave.yaml` is placed under `du-ptp-slave` along with the other `spec` items defined under the source file.
@@ -112,59 +36,10 @@ The following example shows the `group-du-sno-config-policy` CR:
 
 [source,yaml]
 ----
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
-  name: group-du-ptp-config-policy
-  namespace: groups-sub
-  annotations:
-    policy.open-cluster-management.io/categories: CM Configuration Management
-    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
-    policy.open-cluster-management.io/standards: NIST SP 800-53
-spec:
-    remediationAction: inform
-    disabled: false
-    policy-templates:
-        - objectDefinition:
-            apiVersion: policy.open-cluster-management.io/v1
-            kind: ConfigurationPolicy
-            metadata:
-                name: group-du-ptp-config-policy-config
-            spec:
-                remediationAction: inform
-                severity: low
-                namespaceselector:
-                    exclude:
-                        - kube-*
-                    include:
-                        - '*'
-                object-templates:
-                    - complianceType: musthave
-                      objectDefinition:
-                        apiVersion: ptp.openshift.io/v1
-                        kind: PtpConfig
-                        metadata:
-                            name: du-ptp-slave
-                            namespace: openshift-ptp
-                        spec:
-                            recommend:
-                                - match:
-                                - nodeLabel: node-role.kubernetes.io/worker-du
-                                  priority: 4
-                                  profile: slave
-                            profile:
-                                - interface: ens5f0
-                                  name: slave
-                                  phc2sysOpts: -a -r -n 24
-                                  ptp4lConf: |
-                                    [global]
-                                    #
-                                    # Default Data Set
-                                    #
-                                    twoStepFlag 1
-                                    slaveOnly 0
-                                    priority1 128
-                                    priority2 128
-                                    domainNumber 24
-                                    .....
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-group-du-sno-config-policy.yaml[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-group-du-sno-config-policy.yaml[]
+endif::[]
 ----
diff --git a/modules/ztp-troubleshooting-ztp-gitops-installation-crs.adoc b/modules/ztp-troubleshooting-ztp-gitops-installation-crs.adoc
index 5c2a8f1511ba..729631cde561 100644
--- a/modules/ztp-troubleshooting-ztp-gitops-installation-crs.adoc
+++ b/modules/ztp-troubleshooting-ztp-gitops-installation-crs.adoc
@@ -6,7 +6,7 @@
 [id="ztp-troubleshooting-ztp-gitops-installation-crs_{context}"]
 = Troubleshooting {ztp} by validating the installation CRs
 
-The ArgoCD pipeline uses the `SiteConfig` and `PolicyGenTemplate` custom resources (CRs) to generate the cluster configuration CRs and {rh-rhacm-first} policies. Use the following steps to troubleshoot issues that might occur during this process.
+The ArgoCD pipeline uses the `SiteConfig` and `PolicyGenerator` or `PolicyGentemplate` custom resources (CRs) to generate the cluster configuration CRs and {rh-rhacm-first} policies. Use the following steps to troubleshoot issues that might occur during this process.
 
 .Prerequisites
 
diff --git a/modules/ztp-troubleshooting-ztp-gitops-supermicro-tls.adoc b/modules/ztp-troubleshooting-ztp-gitops-supermicro-tls.adoc
index 557dc2c771a8..b06e5e3d8cab 100644
--- a/modules/ztp-troubleshooting-ztp-gitops-supermicro-tls.adoc
+++ b/modules/ztp-troubleshooting-ztp-gitops-supermicro-tls.adoc
@@ -4,7 +4,7 @@
 
 :_mod-docs-content-type: PROCEDURE
 [id="ztp-troubleshooting-ztp-gitops-supermicro-tls_{context}"]
-= Troubleshooting {ztp} virtual media booting on Supermicro servers
+= Troubleshooting {ztp} virtual media booting on SuperMicro servers
 
 SuperMicro X11 servers do not support virtual media installations when the image is served using the `https` protocol. As a result, {sno} deployments for this environment fail to boot on the target node. To avoid this issue, log in to the hub cluster and disable Transport Layer Security (TLS) in the `Provisioning` resource. This ensures the image is not served with TLS even though the image address uses the `https` scheme. 
 
diff --git a/modules/ztp-using-pgt-to-configure-high-performance-mode.adoc b/modules/ztp-using-pgt-to-configure-high-performance-mode.adoc
index 3342f3148c2c..04cd3f2cb7c6 100644
--- a/modules/ztp-using-pgt-to-configure-high-performance-mode.adoc
+++ b/modules/ztp-using-pgt-to-configure-high-performance-mode.adoc
@@ -1,12 +1,13 @@
 // Module included in the following assemblies:
 //
-// * scalability_and_performance/ztp_far_edge/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policygenerator-config.adoc
 
 :_module-type: PROCEDURE
 [id="ztp-using-pgt-to-configure-high-performance-mode_{context}"]
-= Configuring high-performance mode using PolicyGenTemplate CRs
+= Configuring high-performance mode using {policy-gen-cr} CRs
 
-Follow this example to set high performance mode by updating the `workloadHints` fields in the generated `PerformanceProfile` CR for the reference configuration, based on the `PolicyGenTemplate` CR in the `group-du-sno-ranGen.yaml`.
+Follow this example to set high performance mode by updating the `workloadHints` fields in the generated `PerformanceProfile` CR for the reference configuration, based on the `{policy-gen-cr}` CR in the `{policy-prefix}group-du-sno-ranGen.yaml`.
 
 High performance mode provides ultra low latency at the highest power consumption.
 
@@ -16,20 +17,16 @@ High performance mode provides ultra low latency at the highest power consumptio
 
 .Procedure
 
-. Update the `PolicyGenTemplate` entry for `PerformanceProfile` in the `group-du-sno-ranGen.yaml` reference file in `out/argocd/example/policygentemplates` as follows to set high-performance mode.
+. Update the `{policy-gen-cr}` entry for `PerformanceProfile` in the `{policy-prefix}group-du-sno-ranGen.yaml` reference file in `{argocd-folder}` as follows to set high-performance mode.
 +
 [source,yaml]
 ----
-- fileName: PerformanceProfile.yaml
-  policyName: "config-policy"
-  metadata:
-    [...]
-  spec:
-    [...]
-    workloadHints:
-         realTime: true
-         highPowerConsumption: true
-         perPodPowerManagement: false
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-ztp-using-pgt-to-configure-high-performance-mode.yaml[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-ztp-using-pg-to-configure-high-performance-mode.yaml[]
+endif::[]
 ----
 
-. Commit the `PolicyGenTemplate` change in Git, and then push to the Git repository being monitored by the {ztp} Argo CD application.
+. Commit the `{policy-gen-cr}` change in Git, and then push to the Git repository being monitored by the {ztp} Argo CD application.
diff --git a/modules/ztp-using-pgt-to-configure-performance-mode.adoc b/modules/ztp-using-pgt-to-configure-performance-mode.adoc
index 00f2c942c99e..c0892bec5791 100644
--- a/modules/ztp-using-pgt-to-configure-performance-mode.adoc
+++ b/modules/ztp-using-pgt-to-configure-performance-mode.adoc
@@ -1,12 +1,13 @@
 // Module included in the following assemblies:
 //
-// * scalability_and_performance/ztp_far_edge/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policygenerator-config.adoc
 
 :_module-type: PROCEDURE
 [id="ztp-using-pgt-to-configure-performance-mode_{context}"]
-= Configuring performance mode using PolicyGenTemplate CRs
+= Configuring performance mode using {policy-gen-cr} CRs
 
-Follow this example to set performance mode by updating the `workloadHints` fields in the generated `PerformanceProfile` CR for the reference configuration, based on the `PolicyGenTemplate` CR in the `group-du-sno-ranGen.yaml`.
+Follow this example to set performance mode by updating the `workloadHints` fields in the generated `PerformanceProfile` CR for the reference configuration, based on the `{policy-gen-cr}` CR in the `{policy-prefix}group-du-sno-ranGen.yaml`.
 
 Performance mode provides low latency at a relatively high power consumption.
 
@@ -16,20 +17,16 @@ Performance mode provides low latency at a relatively high power consumption.
 
 .Procedure
 
-. Update the `PolicyGenTemplate` entry for `PerformanceProfile` in the `group-du-sno-ranGen.yaml` reference file in `out/argocd/example/policygentemplates` as follows to set performance mode.
+. Update the `{policy-gen-cr}` entry for `PerformanceProfile` in the `{policy-prefix}group-du-sno-ranGen.yaml` reference file in `{argocd-folder}/` as follows to set performance mode.
 +
 [source,yaml]
 ----
-- fileName: PerformanceProfile.yaml
-  policyName: "config-policy"
-  metadata:
-    [...]
-  spec:
-    [...]
-    workloadHints:
-         realTime: true
-         highPowerConsumption: false
-         perPodPowerManagement: false
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-ztp-using-pgt-to-configure-performance-mode.yaml[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-ztp-using-pg-to-configure-performance-mode.yaml[]
+endif::[]
 ----
 
-. Commit the `PolicyGenTemplate` change in Git, and then push to the Git repository being monitored by the {ztp} Argo CD application.
+. Commit the `{policy-gen-cr}` change in Git, and then push to the Git repository being monitored by the {ztp} Argo CD application.
diff --git a/modules/ztp-using-pgt-to-configure-power-saving-mode.adoc b/modules/ztp-using-pgt-to-configure-power-saving-mode.adoc
index a0f5b070c89d..7a369db7f0ab 100644
--- a/modules/ztp-using-pgt-to-configure-power-saving-mode.adoc
+++ b/modules/ztp-using-pgt-to-configure-power-saving-mode.adoc
@@ -1,12 +1,13 @@
 // Module included in the following assemblies:
 //
-// * scalability_and_performance/ztp_far_edge/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policygenerator-config.adoc
 
 :_module-type: PROCEDURE
 [id="ztp-using-pgt-to-configure-power-saving-mode_{context}"]
-= Configuring power saving mode using PolicyGenTemplate CRs
+= Configuring power saving mode using {policy-gen-cr} CRs
 
-Follow this example to set power saving mode by updating the `workloadHints` fields in the generated `PerformanceProfile` CR for the reference configuration, based on the `PolicyGenTemplate` CR in the `group-du-sno-ranGen.yaml`.
+Follow this example to set power saving mode by updating the `workloadHints` fields in the generated `PerformanceProfile` CR for the reference configuration, based on the `{policy-gen-cr}` CR in the `{policy-prefix}group-du-sno-ranGen.yaml`.
 
 The power saving mode balances reduced power consumption with increased latency.
 
@@ -16,28 +17,16 @@ The power saving mode balances reduced power consumption with increased latency.
 
 .Procedure
 
-. Update the `PolicyGenTemplate` entry for `PerformanceProfile` in the `group-du-sno-ranGen.yaml` reference file in `out/argocd/example/policygentemplates` as follows to configure power saving mode. It is recommended to configure the CPU governor for the power saving mode through the additional kernel arguments object.
+. Update the `{policy-gen-cr}` entry for `PerformanceProfile` in the `{policy-prefix}group-du-sno-ranGen.yaml` reference file in `{argocd-folder}` as follows to configure power saving mode. It is recommended to configure the CPU governor for the power saving mode through the additional kernel arguments object.
 +
-[source,yaml]
-----
-- fileName: PerformanceProfile.yaml
-  policyName: "config-policy"
-  metadata:
-    [...]
-  spec:
-    [...]
-    workloadHints:
-         realTime: true
-         highPowerConsumption: false
-         perPodPowerManagement: true
-    [...]
-    additionalKernelArgs:
-       - [...]
-       - "cpufreq.default_governor=schedutil" <1>
-----
-<1> The `schedutil` governor is recommended, however, other governors that can be used include `ondemand` and `powersave`.
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-ztp-using-pgt-to-configure-power-saving-mode.adoc[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-ztp-using-pg-to-configure-power-saving-mode.adoc[]
+endif::[]
 
-. Commit the `PolicyGenTemplate` change in Git, and then push to the Git repository being monitored by the {ztp} Argo CD application.
+. Commit the `{policy-gen-cr}` change in Git, and then push to the Git repository being monitored by the {ztp} Argo CD application.
 
 .Verification
 
diff --git a/modules/ztp-using-pgt-to-configure-power-states.adoc b/modules/ztp-using-pgt-to-configure-power-states.adoc
index b01b8eba290d..1e7c17fab30a 100644
--- a/modules/ztp-using-pgt-to-configure-power-states.adoc
+++ b/modules/ztp-using-pgt-to-configure-power-states.adoc
@@ -1,11 +1,12 @@
 // Module included in the following assemblies:
 //
-// * scalability_and_performance/ztp_far_edge/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policygenerator-config.adoc
 
 :_module-type: CONCEPT
 
 [id="ztp-using-pgt-to-configure-power-saving-states_{context}"]
-= Configuring power states using PolicyGenTemplates CRs
+= Configuring power states using {policy-gen-cr} CRs
 
 For low latency and high-performance edge deployments, it is necessary to disable or limit C-states and P-states.
 With this configuration, the CPU runs at a constant frequency, which is typically the maximum turbo frequency. This ensures that the CPU is always running at its maximum speed, which results in high performance and low latency.
@@ -20,9 +21,9 @@ Workloads can be classified as critical or non-critical, with critical workloads
 
 The default configuration is for a low latency, performance mode.
 
-`PolicyGenTemplate` custom resources (CRs) allow you to overlay additional configuration details onto the base source CRs provided with the GitOps plugin in the `ztp-site-generate` container.
+`{policy-gen-cr}` custom resources (CRs) allow you to overlay additional configuration details onto the base source CRs provided with the GitOps plugin in the `ztp-site-generate` container.
 
-Configure the power states by updating the `workloadHints` fields in the generated `PerformanceProfile` CR for the reference configuration, based on the `PolicyGenTemplate` CR in the `group-du-sno-ranGen.yaml`.
+Configure the power states by updating the `workloadHints` fields in the generated `PerformanceProfile` CR for the reference configuration, based on the `{policy-gen-cr}` CR in the `{policy-prefix}group-du-sno-ranGen.yaml`.
 
 The following common prerequisites apply to configuring all three power states.
 
diff --git a/modules/ztp-using-pgt-to-maximize-power-saving-mode.adoc b/modules/ztp-using-pgt-to-maximize-power-saving-mode.adoc
index c608944c2008..1959aece0aac 100644
--- a/modules/ztp-using-pgt-to-maximize-power-saving-mode.adoc
+++ b/modules/ztp-using-pgt-to-maximize-power-saving-mode.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
-// * scalability_and_performance/ztp_far_edge/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policygenerator-config.adoc
 
 :_module-type: PROCEDURE
 [id="ztp-using-pgt-to-maximize-power-savings-mode_{context}"]
@@ -9,34 +10,26 @@
 Limiting the maximum CPU frequency is recommended to achieve maximum power savings.
 Enabling C-states on the non-critical workload CPUs without restricting the maximum CPU frequency negates much of the power savings by boosting the frequency of the critical CPUs.
 
-Maximize power savings by updating the `sysfs` plugin fields, setting an appropriate value for `max_perf_pct` in the `TunedPerformancePatch` CR for the reference configuration. This example based on the `group-du-sno-ranGen.yaml` describes the procedure to follow to restrict the maximum CPU frequency.
+Maximize power savings by updating the `sysfs` plugin fields, setting an appropriate value for `max_perf_pct` in the `TunedPerformancePatch` CR for the reference configuration. This example based on the `{policy-prefix}group-du-sno-ranGen.yaml` describes the procedure to follow to restrict the maximum CPU frequency.
 
 .Prerequisites
 
-* You have configured power savings mode as described in "Using PolicyGenTemplate CRs to configure power savings mode".
+* You have configured power savings mode as described in "Using {policy-gen-cr} CRs to configure power savings mode".
 
 .Procedure
 
-. Update the `PolicyGenTemplate` entry for `TunedPerformancePatch` in the `group-du-sno-ranGen.yaml` reference file in `out/argocd/example/policygentemplates`. To maximize power savings, add `max_perf_pct` as shown in the following example:
+. Update the `{policy-gen-cr}` entry for `TunedPerformancePatch` in the `{policy-prefix}group-du-sno-ranGen.yaml` reference file in `{argocd-folder}`. To maximize power savings, add `max_perf_pct` as shown in the following example:
 +
-[source,yaml]
-----
-- fileName: TunedPerformancePatch.yaml
-      policyName: "config-policy"
-      spec:
-        profile:
-          - name: performance-patch
-            data: |
-              [...]
-              [sysfs]
-              /sys/devices/system/cpu/intel_pstate/max_perf_pct=<x> <1>
-----
-+
-<1> 	The `max_perf_pct` controls the maximum frequency the `cpufreq` driver is allowed to set as a percentage of the maximum supported CPU frequency. This value applies to all CPUs. You can check the maximum supported frequency in `/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq`. As a starting point, you can use a percentage that caps all CPUs at the `All Cores Turbo` frequency. The `All Cores Turbo` frequency is the frequency that all cores will run at when the cores are all fully occupied.
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-ztp-using-pgt-to-maximize-power-saving-mode.adoc[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-ztp-using-pg-to-maximize-power-saving-mode.adoc[]
+endif::[]
 +
 [NOTE]
 ====
 To maximize power savings, set a lower value. Setting a lower value for `max_perf_pct` limits the maximum CPU frequency, thereby reducing power consumption, but also potentially impacting performance. Experiment with different values and monitor the system's performance and power consumption to find the optimal setting for your use-case.
 ====
 
-. Commit the `PolicyGenTemplate` change in Git, and then push to the Git repository being monitored by the {ztp} Argo CD application.
+. Commit the `{policy-gen-cr}` change in Git, and then push to the Git repository being monitored by the {ztp} Argo CD application.
diff --git a/modules/ztp-using-pgt-to-update-source-crs.adoc b/modules/ztp-using-pgt-to-update-source-crs.adoc
index 33f8ffdc80f7..539752827360 100644
--- a/modules/ztp-using-pgt-to-update-source-crs.adoc
+++ b/modules/ztp-using-pgt-to-update-source-crs.adoc
@@ -1,14 +1,15 @@
 // Module included in the following assemblies:
 //
-// * scalability_and_performance/ztp_far_edge/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policygenerator-config.adoc
 
 :_module-type: PROCEDURE
 [id="ztp-using-pgt-to-update-source-crs_{context}"]
-= Using PolicyGenTemplate CRs to override source CRs content
+= Using {policy-gen-cr} CRs to override source CRs content
 
-`PolicyGenTemplate` custom resources (CRs) allow you to overlay additional configuration details on top of the base source CRs provided with the GitOps plugin in the `ztp-site-generate` container. You can think of `PolicyGenTemplate` CRs as a logical merge or patch to the base CR. Use `PolicyGenTemplate` CRs to update a single field of the base CR, or overlay the entire contents of the base CR. You can update values and insert fields that are not in the base CR.
+`{policy-gen-cr}` custom resources (CRs) allow you to overlay additional configuration details on top of the base source CRs provided with the GitOps plugin in the `ztp-site-generate` container. You can think of `{policy-gen-cr}` CRs as a logical merge or patch to the base CR. Use `{policy-gen-cr}` CRs to update a single field of the base CR, or overlay the entire contents of the base CR. You can update values and insert fields that are not in the base CR.
 
-The following example procedure describes how to update fields in the generated `PerformanceProfile` CR for the reference configuration based on the `PolicyGenTemplate` CR in the `group-du-sno-ranGen.yaml` file. Use the procedure as a basis for modifying other parts of the `PolicyGenTemplate` based on your requirements.
+The following example procedure describes how to update fields in the generated `PerformanceProfile` CR for the reference configuration based on the `{policy-gen-cr}` CR in the `{policy-prefix}group-du-sno-ranGen.yaml` file. Use the procedure as a basis for modifying other parts of the `{policy-gen-cr}` based on your requirements.
 
 .Prerequisites
 
@@ -16,7 +17,7 @@ The following example procedure describes how to update fields in the generated
 
 .Procedure
 
-. Review the baseline source CR for existing content. You can review the source CRs listed in the reference `PolicyGenTemplate` CRs by extracting them from the {ztp-first} container.
+. Review the baseline source CR for existing content. You can review the source CRs listed in the reference `{policy-gen-cr}` CRs by extracting them from the {ztp-first} container.
 
 .. Create an `/out` folder:
 +
@@ -69,37 +70,26 @@ spec:
 +
 [NOTE]
 ====
-Any fields in the source CR which contain `$...` are removed from the generated CR if they are not provided in the `PolicyGenTemplate` CR.
+Any fields in the source CR which contain `$...` are removed from the generated CR if they are not provided in the `{policy-gen-cr}` CR.
 ====
 
-. Update the `PolicyGenTemplate` entry for `PerformanceProfile` in the `group-du-sno-ranGen.yaml` reference file. The following example `PolicyGenTemplate` CR stanza supplies appropriate CPU specifications, sets the `hugepages` configuration, and adds a new field that sets `globallyDisableIrqLoadBalancing` to false.
+. Update the `{policy-gen-cr}` entry for `PerformanceProfile` in the `{policy-prefix}group-du-sno-ranGen.yaml` reference file. The following example `{policy-gen-cr}` CR stanza supplies appropriate CPU specifications, sets the `hugepages` configuration, and adds a new field that sets `globallyDisableIrqLoadBalancing` to false.
 +
 [source,yaml]
 ----
-- fileName: PerformanceProfile.yaml
-  policyName: "config-policy"
-  metadata:
-    name: openshift-node-performance-profile
-  spec:
-    cpu:
-      # These must be tailored for the specific hardware platform
-      isolated: "2-19,22-39"
-      reserved: "0-1,20-21"
-    hugepages:
-      defaultHugepagesSize: 1G
-      pages:
-        - size: 1G
-          count: 10
-    globallyDisableIrqLoadBalancing: false
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-using-ztp-to-update-source-crs.yaml[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-using-ztp-to-update-source-crs.yaml[]
+endif::[]
 ----
 
-. Commit the `PolicyGenTemplate` change in Git, and then push to the Git repository being monitored by the {ztp} argo CD application.
-
-
+. Commit the `{policy-gen-cr}` change in Git, and then push to the Git repository being monitored by the {ztp} argo CD application.
++
 .Example output
-
-The {ztp} application generates an {rh-rhacm} policy that contains the generated `PerformanceProfile` CR. The contents of that CR are derived by merging the `metadata` and `spec` contents from the `PerformanceProfile` entry in the `PolicyGenTemplate` onto the source CR. The resulting CR has the following content:
-
+The {ztp} application generates an {rh-rhacm} policy that contains the generated `PerformanceProfile` CR. The contents of that CR are derived by merging the `metadata` and `spec` contents from the `PerformanceProfile` entry in the `{policy-gen-cr}` onto the source CR. The resulting CR has the following content:
++
 [source,yaml]
 ----
 ---
@@ -134,9 +124,9 @@ spec:
 
 [NOTE]
 ====
-In the `/source-crs` folder that you extract from the `ztp-site-generate` container,  the `$` syntax is not used for template substitution as implied by the syntax. Rather, if the `policyGen` tool sees the `$` prefix for a string and you do not specify a value for that field in the related `PolicyGenTemplate` CR, the field is omitted from the output CR entirely.
+In the `/source-crs` folder that you extract from the `ztp-site-generate` container,  the `$` syntax is not used for template substitution as implied by the syntax. Rather, if the `policyGen` tool sees the `$` prefix for a string and you do not specify a value for that field in the related `{policy-gen-cr}` CR, the field is omitted from the output CR entirely.
 
-An exception to this is the `$mcp` variable in `/source-crs` YAML files that is substituted with the specified value for `mcp` from the `PolicyGenTemplate` CR. For example, in `example/policygentemplates/group-du-standard-ranGen.yaml`, the value for `mcp` is `worker`:
+An exception to this is the `$mcp` variable in `/source-crs` YAML files that is substituted with the specified value for `mcp` from the `{policy-gen-cr}` CR. For example, in `example/policygentemplates/{policy-prefix}group-du-standard-ranGen.yaml`, the value for `mcp` is `worker`:
 
 [source,yaml]
 ----
diff --git a/modules/ztp-using-hub-cluster-templates.adoc b/modules/ztp-using-rhacm-hub-cluster-templates.adoc
similarity index 79%
rename from modules/ztp-using-hub-cluster-templates.adoc
rename to modules/ztp-using-rhacm-hub-cluster-templates.adoc
index ca34dbcaf466..8b6375d5929c 100644
--- a/modules/ztp-using-hub-cluster-templates.adoc
+++ b/modules/ztp-using-rhacm-hub-cluster-templates.adoc
@@ -1,22 +1,14 @@
 // Module included in the following assemblies:
 //
-// * scalability_and_performance/ztp_far_edge/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policy-config.adoc
+// * edge_computing/ztp-advanced-policygenerator-config.adoc
 
 :_mod-docs-content-type: CONCEPT
-[id="ztp-using-hub-cluster-templates_{context}"]
-= Using hub templates in PolicyGenTemplate CRs
+[id="ztp-using-rhacm-hub-cluster-templates_{context}"]
+= Using {rh-rhacm} hub cluster templates in configuration policies
 
 {cgu-operator-full} supports partial {rh-rhacm-first} hub cluster template functions in configuration policies used with {ztp-first}.
 
-Hub-side cluster templates allow you to define configuration policies that can be dynamically customized to the target clusters.
-This reduces the need to create separate policies for many clusters with similiar configurations but with different values.
-
-[IMPORTANT]
-====
-Policy templates are restricted to the same namespace as the namespace where the policy is defined.
-This means that you must create the objects referenced in the hub template in the same namespace where the policy is created.
-====
-
 The following supported hub template functions are available for use in {ztp} with {cgu-operator}:
 
 * link:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html-single/governance/index#fromConfigmap-func[`fromConfigmap`] returns the value of the provided data key in the named `ConfigMap` resource.
diff --git a/modules/ztp-validating-the-generation-of-configuration-policy-crs.adoc b/modules/ztp-validating-the-generation-of-configuration-policy-crs.adoc
index e347474018a3..ddd2fb87570f 100644
--- a/modules/ztp-validating-the-generation-of-configuration-policy-crs.adoc
+++ b/modules/ztp-validating-the-generation-of-configuration-policy-crs.adoc
@@ -6,7 +6,7 @@
 [id="ztp-validating-the-generation-of-configuration-policy-crs_{context}"]
 = Validating the generation of configuration policy CRs
 
-Policy custom resources (CRs) are generated in the same namespace as the `PolicyGenTemplate` from which they are created. The same troubleshooting flow applies to all policy CRs generated from a `PolicyGenTemplate` regardless of whether they are `ztp-common`, `ztp-group`, or `ztp-site` based, as shown using the following commands:
+`Policy` custom resources (CRs) are generated in the same namespace as the `{policy-gen-cr}` from which they are created. The same troubleshooting flow applies to all policy CRs generated from a `{policy-gen-cr}` regardless of whether they are `ztp-common`, `ztp-group`, or `ztp-site` based, as shown using the following commands:
 
 [source,terminal]
 ----
@@ -31,7 +31,7 @@ If the policies failed synchronization, use the following troubleshooting steps.
 $ oc describe -n openshift-gitops application policies
 ----
 
-. Check for `Status: Conditions:` to show the error logs. For example, setting an invalid `sourceFile→fileName:` generates the error shown below:
+. Check for `Status: Conditions:` to show the error logs. For example, setting an invalid `sourceFile` entry to `fileName:` generates the error shown below:
 +
 [source,text]
 ----
@@ -74,37 +74,37 @@ NAME                                         REMEDIATION ACTION   COMPLIANCE STA
 ztp-common.common-config-policy              inform               Compliant          13d
 ztp-common.common-subscriptions-policy       inform               Compliant          13d
 ztp-group.group-du-sno-config-policy         inform               Compliant          13d
-Ztp-group.group-du-sno-validator-du-policy   inform               Compliant          13d
+ztp-group.group-du-sno-validator-du-policy   inform               Compliant          13d
 ztp-site.example-sno-config-policy           inform               Compliant          13d
 ----
 +
-{rh-rhacm} copies all applicable policies into the cluster namespace. The copied policy names have the format: `<policyGenTemplate.Namespace>.<policyGenTemplate.Name>-<policyName>`.
+{rh-rhacm} copies all applicable policies into the cluster namespace. The copied policy names have the format: `<{policy-gen-cr}.Namespace>.<{policy-gen-cr}.Name>-<policyName>`.
 
-. Check the placement rule for any policies not copied to the cluster namespace. The `matchSelector` in the `PlacementRule` for those policies should match labels on the `ManagedCluster` object:
+. Check the placement rule for any policies not copied to the cluster namespace. The `matchSelector` in the `{placement-rule-cr}` for those policies should match labels on the `ManagedCluster` object:
 +
-[source,terminal]
+[source,terminal,subs="attributes+"]
 ----
-$ oc get placementrule -n $NS
+$ oc get {placement-rule-cr} -n $NS
 ----
 
-. Note the `PlacementRule` name appropriate for the missing policy, common, group, or site, using the following command:
+. Note the `{placement-rule-cr}` name appropriate for the missing policy, common, group, or site, using the following command:
 +
-[source,terminal]
+[source,terminal,subs="attributes+"]
 ----
-$ oc get placementrule -n $NS <placementRuleName> -o yaml
+$ oc get {placement-rule-cr} -n $NS <placement_rule_name> -o yaml
 ----
 +
 * The status-decisions should include your cluster name.
 * The key-value pair of the `matchSelector` in the spec must match the labels on your managed cluster.
 
-. Check the labels on the `ManagedCluster` object using the following command:
+. Check the labels on the `ManagedCluster` object by using the following command:
 +
 [source,terminal]
 ----
 $ oc get ManagedCluster $CLUSTER -o jsonpath='{.metadata.labels}' | jq
 ----
 
-. Check to see which policies are compliant using the following command:
+. Check to see what policies are compliant by using the following command:
 +
 [source,terminal]
 ----
diff --git a/modules/ztp-worker-node-applying-du-profile.adoc b/modules/ztp-worker-node-applying-du-profile.adoc
index 825f4bc032b9..a12446e2c923 100644
--- a/modules/ztp-worker-node-applying-du-profile.adoc
+++ b/modules/ztp-worker-node-applying-du-profile.adoc
@@ -4,12 +4,20 @@
 
 :_mod-docs-content-type: CONCEPT
 [id="ztp-additional-worker-apply-du-profile_{context}"]
-= Applying profiles to the worker node
+= Applying profiles to the worker node with PolicyGenerator or PolicyGenTemplate resources
 
 You can configure the additional worker node with a DU profile.
 
-You can apply a RAN distributed unit (DU) profile to the worker node cluster using the {ztp-first} common, group, and site-specific `PolicyGenTemplate` resources. The {ztp} pipeline that is linked to the ArgoCD `policies` application includes the following CRs that you can find in the `out/argocd/example/policygentemplates` folder when you extract the `ztp-site-generate` container:
+You can apply a RAN distributed unit (DU) profile to the worker node cluster using the {ztp-first} common, group, and site-specific `PolicyGenerator` or  `PolicyGenTemplate` resources. The {ztp} pipeline that is linked to the ArgoCD `policies` application includes the following CRs that you can find in the relevant `out/argocd/example` folder when you extract the `ztp-site-generate` container:
 
+/acmpolicygenerator resources::
+* `acm-common-ranGen.yaml`
+* `acm-group-du-sno-ranGen.yaml`
+* `acm-example-sno-site.yaml`
+* `ns.yaml`
+* `kustomization.yaml`
+
+/policygentemplates resources::
 * `common-ranGen.yaml`
 * `group-du-sno-ranGen.yaml`
 * `example-sno-site.yaml`
diff --git a/modules/ztp-worker-node-daemon-selector-compatibility.adoc b/modules/ztp-worker-node-daemon-selector-compatibility.adoc
index f0afdc0d15ea..4e0a53898395 100644
--- a/modules/ztp-worker-node-daemon-selector-compatibility.adoc
+++ b/modules/ztp-worker-node-daemon-selector-compatibility.adoc
@@ -4,9 +4,9 @@
 
 :_mod-docs-content-type: PROCEDURE
 [id="ztp-additional-worker-daemon-selector-comp_{context}"]
-= (Optional) Ensuring PTP and SR-IOV daemon selector compatibility
+= Ensuring PTP and SR-IOV daemon selector compatibility
 
-If the DU profile was deployed using the {ztp-first} plugin version 4.11 or earlier, the PTP and SR-IOV Operators might be configured to place the daemons only on nodes labelled as `master`. This configuration prevents the PTP and SR-IOV daemons from operating on the worker node. If the PTP and SR-IOV daemon node selectors are incorrectly configured on your system, you must change the daemons before proceeding with the worker DU profile configuration.
+If the DU profile was deployed using the {ztp-first} plugin version 4.11 or earlier, the PTP and SR-IOV Operators might be configured to place the daemons only on nodes labeled as `master`. This configuration prevents the PTP and SR-IOV daemons from operating on the worker node. If the PTP and SR-IOV daemon node selectors are incorrectly configured on your system, you must change the daemons before proceeding with the worker DU profile configuration.
 
 .Procedure
 
diff --git a/modules/ztp-worker-node-preparing-policies.adoc b/modules/ztp-worker-node-preparing-policies.adoc
index 3e5902a82a46..370023462b98 100644
--- a/modules/ztp-worker-node-preparing-policies.adoc
+++ b/modules/ztp-worker-node-preparing-policies.adoc
@@ -3,98 +3,25 @@
 // * scalability_and_performance/ztp_far_edge/ztp-sno-additional-worker-node.adoc
 
 :_mod-docs-content-type: PROCEDURE
-[id="ztp-additional-worker-policies_{context}"]
-= Using PolicyGenTemplate CRs to apply worker node policies to worker nodes
-include::../_attributes/common-attributes.adoc[]
+[id="ztp-additional-worker-policies-{policy-gen-cr}_{context}"]
+= Using {policy-gen-cr} CRs to apply worker node policies to worker nodes
 
-You can create policies for worker nodes.
+You can create policies for worker nodes using `{policy-gen-cr}` CRs.
 
 .Procedure
 
-. Create the following policy template:
+. Create the following `{policy-gen-cr}` CR:
 +
-[source,yaml]
-----
-apiVersion: ran.openshift.io/v1
-kind: PolicyGenTemplate
-metadata:
-  name: "example-sno-workers"
-  namespace: "example-sno"
-spec:
-  bindingRules:
-    sites: "example-sno" <1>
-  mcp: "worker" <2>
-  sourceFiles:
-    - fileName: MachineConfigGeneric.yaml <3>
-      policyName: "config-policy"
-      metadata:
-        labels:
-          machineconfiguration.openshift.io/role: worker
-        name: enable-workload-partitioning
-      spec:
-        config:
-          storage:
-            files:
-            - contents:
-                source: data:text/plain;charset=utf-8;base64,W2NyaW8ucnVudGltZS53b3JrbG9hZHMubWFuYWdlbWVudF0KYWN0aXZhdGlvbl9hbm5vdGF0aW9uID0gInRhcmdldC53b3JrbG9hZC5vcGVuc2hpZnQuaW8vbWFuYWdlbWVudCIKYW5ub3RhdGlvbl9wcmVmaXggPSAicmVzb3VyY2VzLndvcmtsb2FkLm9wZW5zaGlmdC5pbyIKcmVzb3VyY2VzID0geyAiY3B1c2hhcmVzIiA9IDAsICJjcHVzZXQiID0gIjAtMyIgfQo=
-              mode: 420
-              overwrite: true
-              path: /etc/crio/crio.conf.d/01-workload-partitioning
-              user:
-                name: root
-            - contents:
-                source: data:text/plain;charset=utf-8;base64,ewogICJtYW5hZ2VtZW50IjogewogICAgImNwdXNldCI6ICIwLTMiCiAgfQp9Cg==
-              mode: 420
-              overwrite: true
-              path: /etc/kubernetes/openshift-workload-pinning
-              user:
-                name: root
-    - fileName: PerformanceProfile.yaml
-      policyName: "config-policy"
-      metadata:
-        name: openshift-worker-node-performance-profile
-      spec:
-        cpu: <4>
-          isolated: "4-47"
-          reserved: "0-3"
-        hugepages:
-          defaultHugepagesSize: 1G
-          pages:
-            - size: 1G
-              count: 32
-        realTimeKernel:
-          enabled: true
-    - fileName: TunedPerformancePatch.yaml
-      policyName: "config-policy"
-      metadata:
-        name: performance-patch-worker
-      spec:
-        profile:
-          - name: performance-patch-worker
-            data: |
-              [main]
-              summary=Configuration changes profile inherited from performance created tuned
-              include=openshift-node-performance-openshift-worker-node-performance-profile
-              [bootloader]
-              cmdline_crash=nohz_full=4-47 <5>
-              [sysctl]
-              kernel.timer_migration=1
-              [scheduler]
-              group.ice-ptp=0:f:10:*:ice-ptp.*
-              [service]
-              service.stalld=start,enable
-              service.chronyd=stop,disable
-        recommend:
-        - profile: performance-patch-worker
-----
-<1> The policies are applied to all clusters with this label.
-<2> The `MCP` field must be set to `worker`.
-<3> This generic `MachineConfig` CR is used to configure workload partitioning on the worker node.
-<4> The `cpu.isolated` and `cpu.reserved` fields must be configured for each particular hardware platform.
-<5> The `cmdline_crash` CPU set must match the `cpu.isolated` set in the `PerformanceProfile` section.
+--
+ifeval::["{policy-gen-cr}" == "PolicyGenTemplate"]
+include::snippets/pgt-ztp-worker-node-preparing-policies.adoc[]
+endif::[]
+ifeval::["{policy-gen-cr}" == "PolicyGenerator"]
+include::snippets/pg-ztp-worker-node-preparing-policies.adoc[]
+endif::[]
 
-+
 A generic `MachineConfig` CR is used to configure workload partitioning on the worker node. You can generate the content of `crio` and `kubelet` configuration files.
+--
 
 . Add the created policy template to the Git repository monitored by the ArgoCD `policies` application.
 
diff --git a/networking/about-networking.adoc b/networking/about-networking.adoc
index ab0bd5bfff1a..ae5e06a531d8 100644
--- a/networking/about-networking.adoc
+++ b/networking/about-networking.adoc
@@ -27,4 +27,5 @@ The following list highlights some of the most commonly used {openshift-networki
 - {SMProductName} for discovery, load balancing, service-to-service authentication, failure recovery, metrics, and monitoring of services
 - {sno-caps}
 - Network Observability Operator for network debugging and insights
-- link:https://catalog.redhat.com/software/container-stacks/detail/5f0c67b7ce85fb9e399f3a12[Submariner] and link:https://access.redhat.com/documentation/en-us/red_hat_application_interconnect/1.0/html/introduction_to_application_interconnect/index[Red Hat Application Interconnect] technologies for inter-cluster networking
+- link:https://catalog.redhat.com/software/container-stacks/detail/5f0c67b7ce85fb9e399f3a12[Submariner] for inter-cluster networking
+- link:https://docs.redhat.com/en/documentation/red_hat_service_interconnect/[Red Hat Service Interconnect] for layer 7 inter-cluster networking
diff --git a/networking/aws_load_balancer_operator/installing-albo-sts-cluster.adoc b/networking/aws_load_balancer_operator/installing-albo-sts-cluster.adoc
index 8fa110efacd4..18e4be454bee 100644
--- a/networking/aws_load_balancer_operator/installing-albo-sts-cluster.adoc
+++ b/networking/aws_load_balancer_operator/installing-albo-sts-cluster.adoc
@@ -1,7 +1,7 @@
 :_mod-docs-content-type: ASSEMBLY
+include::_attributes/common-attributes.adoc[]
 [id="albo-sts-cluster"]
 = Preparing for the AWS Load Balancer Operator on a cluster using the AWS {sts-full}
-include::_attributes/common-attributes.adoc[]
 :context: albo-sts-cluster
 
 toc::[]
diff --git a/networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-ingress-controller.adoc b/networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-ingress-controller.adoc
index 3c8bac590dfd..79d3bfa9262d 100644
--- a/networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-ingress-controller.adoc
+++ b/networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-ingress-controller.adoc
@@ -63,6 +63,6 @@ The Ingress Operator manages wildcard DNS. For more information, see the followi
 
 * xref:../../installing/installing_vsphere/upi/installing-vsphere.adoc#installing-vsphere[Installing a cluster on vSphere]
 
-* xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
+* xref:../../networking/network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
 
 endif::[]
diff --git a/networking/enable-cluster-wide-proxy.adoc b/networking/enable-cluster-wide-proxy.adoc
index cbf34318be54..26f4499aa1a5 100644
--- a/networking/enable-cluster-wide-proxy.adoc
+++ b/networking/enable-cluster-wide-proxy.adoc
@@ -34,3 +34,4 @@ include::modules/nw-proxy-remove.adoc[leveloffset=+1]
 
 * xref:../security/certificates/updating-ca-bundle.adoc#ca-bundle-understanding_updating-ca-bundle[Replacing the CA Bundle certificate]
 * xref:../security/certificate_types_descriptions/proxy-certificates.adoc#customization[Proxy certificate customization]
+* link:https://access.redhat.com/solutions/7065528[How is the cluster-wide proxy setting applied to {product-title} nodes?]
diff --git a/networking/hardware_networks/installing-sriov-operator.adoc b/networking/hardware_networks/installing-sriov-operator.adoc
index 0816b4144cea..f9b4ca65eadd 100644
--- a/networking/hardware_networks/installing-sriov-operator.adoc
+++ b/networking/hardware_networks/installing-sriov-operator.adoc
@@ -13,4 +13,4 @@ include::modules/nw-sriov-installing-operator.adoc[leveloffset=+1]
 [id="installing-sriov-operator-next-steps"]
 == Next steps
 
-* Optional: xref:../../networking/hardware_networks/configuring-sriov-operator.adoc#configuring-sriov-operator[Configuring the SR-IOV Network Operator]
+* xref:../../networking/hardware_networks/configuring-sriov-operator.adoc#configuring-sriov-operator[Configuring the SR-IOV Network Operator]
diff --git a/networking/ingress-operator.adoc b/networking/ingress-operator.adoc
index 997064ceb131..c88ca0a43563 100644
--- a/networking/ingress-operator.adoc
+++ b/networking/ingress-operator.adoc
@@ -39,6 +39,8 @@ include::modules/nw-ingress-operator-logs.adoc[leveloffset=+1]
 
 include::modules/nw-ingress-controller-status.adoc[leveloffset=+1]
 
+include::modules/nw-create-custom-ingress-controller.adoc[leveloffset=+1]
+
 //ifndef::openshift-rosa,openshift-dedicated[] NOTE: commenting out this ifndef to track what was in place before OSDOCS-4883.
 [id="configuring-ingress-controller"]
 == Configuring the Ingress Controller
diff --git a/networking/metallb/metallb-frr-k8s.adoc b/networking/metallb/metallb-frr-k8s.adoc
new file mode 100644
index 000000000000..96cca081157e
--- /dev/null
+++ b/networking/metallb/metallb-frr-k8s.adoc
@@ -0,0 +1,30 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="metallb-configure-frr-k8s"]
+= Configuring the integration of MetalLB and FRR-K8s
+include::_attributes/common-attributes.adoc[]
+:context: configure-metallb-frr-k8s
+
+toc::[]
+
+:FeatureName: The `FRRConfiguration` custom resource
+include::snippets/technology-preview.adoc[]
+
+FRRouting (FRR) is a free, open source internet routing protocol suite for Linux and UNIX platforms.
+`FRR-K8s` is a Kubernetes based DaemonSet that exposes a subset of the `FRR` API in a Kubernetes-compliant manner.
+As a cluster administrator, you can use the `FRRConfiguration` custom resource (CR) to configure `MetalLB` to use `FRR-K8s` as the backend.
+You can use this to avail of FRR services, for example, receiving routes.
+If you run `MetalLB` with `FRR-K8s` as a backend, `MetalLB` generates the `FRR-K8s` configuration corresponding to the MetalLB configuration applied.
+
+image::695_OpenShift_MetalLB_FRRK8s_integration_0624.png[MetalLB integration with FRR]
+
+// Activating integration of MetalLB and FRR-K8s
+include::modules/nw-metallb-configuring-frr-8ks.adoc[leveloffset=+1]
+
+// FRR configurations
+include::modules/nw-metallb-frr-configurations.adoc[leveloffset=+1]
+
+// The FRRConfiguration CRD
+include::modules/nw-metallb-frr-k8s-configuration-crd.adoc[leveloffset=+1]
+
+//How multiple configurations are merged together
+include::modules/nw-metallb-frr-k8s-merge-multiple-configurations.adoc[leveloffset=+1]
diff --git a/networking/multiple_networks/configuring-multi-network-policy.adoc b/networking/multiple_networks/configuring-multi-network-policy.adoc
index b370feb516ed..51e03af038ed 100644
--- a/networking/multiple_networks/configuring-multi-network-policy.adoc
+++ b/networking/multiple_networks/configuring-multi-network-policy.adoc
@@ -6,13 +6,11 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-As a cluster administrator, you can configure multi-network for additional networks. You can specify multi-network policy for SR-IOV, macvlan, and OVN-Kubernetes additional networks. Macvlan additional networks are fully supported. Other types of additional networks, such as ipvlan, are not supported.
+As a cluster administrator, you can configure a multi-network policy for a Single-Root I/O Virtualization (SR-IOV), MAC Virtual Local Area Network (MacVLAN), or OVN-Kubernetes additional networks. MacVLAN additional networks are fully supported. Other types of additional networks, such as IP Virtual Local Area Network (IPVLAN), are not supported. 
 
-[IMPORTANT]
+[NOTE]
 ====
-Support for configuring multi-network policies for SR-IOV additional networks is a Technology Preview feature and is only supported with kernel network interface cards (NICs). SR-IOV is not supported for Data Plane Development Kit (DPDK) applications.
-
-For more information about the support scope of Red Hat Technology Preview features, see link:https://access.redhat.com/support/offerings/techpreview/[Technology Preview Features Support Scope].
+Support for configuring multi-network policies for SR-IOV additional networks is only supported with kernel network interface controllers (NICs). SR-IOV is not supported for Data Plane Development Kit (DPDK) applications.
 ====
 
 include::modules/nw-multi-network-policy-differences.adoc[leveloffset=+1]
@@ -43,7 +41,7 @@ include::modules/nw-networkpolicy-allow-application-particular-namespace.adoc[le
 [role="_additional-resources"]
 == Additional resources
 
-* xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
+* xref:../../networking/network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
 * xref:../../networking/multiple_networks/understanding-multiple-networks.adoc#understanding-multiple-networks[Understanding multiple networks]
 * xref:../../networking/multiple_networks/configuring-additional-network.adoc#nw-multus-macvlan-object_configuring-additional-network[Configuring a macvlan network]
 * xref:../../networking/hardware_networks/configuring-sriov-device.adoc#configuring-sriov-device[Configuring an SR-IOV network device]
diff --git a/networking/network_security/AdminNetworkPolicy/_attributes b/networking/network_security/AdminNetworkPolicy/_attributes
new file mode 120000
index 000000000000..20cc1dcb77bf
--- /dev/null
+++ b/networking/network_security/AdminNetworkPolicy/_attributes
@@ -0,0 +1 @@
+../../_attributes/
\ No newline at end of file
diff --git a/networking/network_security/AdminNetworkPolicy/images b/networking/network_security/AdminNetworkPolicy/images
new file mode 120000
index 000000000000..847b03ed0541
--- /dev/null
+++ b/networking/network_security/AdminNetworkPolicy/images
@@ -0,0 +1 @@
+../../images/
\ No newline at end of file
diff --git a/networking/network_security/AdminNetworkPolicy/modules b/networking/network_security/AdminNetworkPolicy/modules
new file mode 120000
index 000000000000..36719b9de743
--- /dev/null
+++ b/networking/network_security/AdminNetworkPolicy/modules
@@ -0,0 +1 @@
+../../modules/
\ No newline at end of file
diff --git a/networking/network_security/AdminNetworkPolicy/ovn-k-anp-banp-metrics.adoc b/networking/network_security/AdminNetworkPolicy/ovn-k-anp-banp-metrics.adoc
new file mode 100644
index 000000000000..aad252ae5716
--- /dev/null
+++ b/networking/network_security/AdminNetworkPolicy/ovn-k-anp-banp-metrics.adoc
@@ -0,0 +1,11 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="ovn-k-anp-banp-metrics"]
+= Monitoring ANP and BANP
+include::_attributes/common-attributes.adoc[]
+:context: ovn-k-anp-banp-metrics
+
+toc::[]
+
+`AdminNetworkPolicy` and `BaselineAdminNetworkPolicy` resources have metrics that can be used for monitoring and managing your policies. See the following table for more details on the metrics.
+
+include::modules/nw-anp-banp-metrics.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/networking/network_security/AdminNetworkPolicy/ovn-k-anp-troubleshooting.adoc b/networking/network_security/AdminNetworkPolicy/ovn-k-anp-troubleshooting.adoc
new file mode 100644
index 000000000000..46a291455943
--- /dev/null
+++ b/networking/network_security/AdminNetworkPolicy/ovn-k-anp-troubleshooting.adoc
@@ -0,0 +1,17 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="ovn-k-anp-troubleshooting"]
+= Troubleshooting AdminNetworkPolicy
+include::_attributes/common-attributes.adoc[]
+:context: ovn-k-anp
+
+toc::[]
+
+include::modules/nw-ovn-k-anp-troubeshooting.adoc[leveloffset=+1]
+
+include::modules/nw-ovn-k-anp-nbctl.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+== Additional resources
+* xref:../../../networking/ovn_kubernetes_network_provider/ovn-kubernetes-tracing-using-ovntrace.adoc#ovn-kubernetes-tracing-using-ovntrace[Tracing Openflow with ovnkube-trace]
+
+* xref:../../../networking/ovn_kubernetes_network_provider/ovn-kubernetes-troubleshooting-sources.adoc#ovn-kubernetes-troubleshooting-sources[Troubleshooting OVN-Kubernetes]
\ No newline at end of file
diff --git a/networking/openshift_network_security/ovn-k-anp.adoc b/networking/network_security/AdminNetworkPolicy/ovn-k-anp.adoc
similarity index 100%
rename from networking/openshift_network_security/ovn-k-anp.adoc
rename to networking/network_security/AdminNetworkPolicy/ovn-k-anp.adoc
diff --git a/networking/openshift_network_security/ovn-k-banp.adoc b/networking/network_security/AdminNetworkPolicy/ovn-k-banp.adoc
similarity index 100%
rename from networking/openshift_network_security/ovn-k-banp.adoc
rename to networking/network_security/AdminNetworkPolicy/ovn-k-banp.adoc
diff --git a/networking/network_security/AdminNetworkPolicy/ovn-k-egress-nodes-networks-peer.adoc b/networking/network_security/AdminNetworkPolicy/ovn-k-egress-nodes-networks-peer.adoc
new file mode 100644
index 000000000000..5cb1d52015c8
--- /dev/null
+++ b/networking/network_security/AdminNetworkPolicy/ovn-k-egress-nodes-networks-peer.adoc
@@ -0,0 +1,11 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="ovn-k-egress-nodes-networks-peer"]
+= Egress nodes and networks peer for AdminNetworkPolicy
+include::_attributes/common-attributes.adoc[]
+:context: ovn-k-egress-nodes-networks-peer
+
+toc::[]
+
+This section explains `nodes` and `networks` peers. Administrators can use the examples in this section to design `AdminNetworkPolicy` and `BaselineAdminNetworkPolicy` to control northbound traffic in their cluster.
+
+include::modules/nw-anp-nodes-peer-concept.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/networking/network_security/AdminNetworkPolicy/snippets b/networking/network_security/AdminNetworkPolicy/snippets
new file mode 120000
index 000000000000..5a3f5add140e
--- /dev/null
+++ b/networking/network_security/AdminNetworkPolicy/snippets
@@ -0,0 +1 @@
+../../snippets/
\ No newline at end of file
diff --git a/networking/network_security/_attributes b/networking/network_security/_attributes
new file mode 120000
index 000000000000..20cc1dcb77bf
--- /dev/null
+++ b/networking/network_security/_attributes
@@ -0,0 +1 @@
+../../_attributes/
\ No newline at end of file
diff --git a/networking/openshift_network_security/configuring-ipsec-ovn.adoc b/networking/network_security/configuring-ipsec-ovn.adoc
similarity index 100%
rename from networking/openshift_network_security/configuring-ipsec-ovn.adoc
rename to networking/network_security/configuring-ipsec-ovn.adoc
diff --git a/networking/network_security/egress_firewall/_attributes b/networking/network_security/egress_firewall/_attributes
new file mode 120000
index 000000000000..20cc1dcb77bf
--- /dev/null
+++ b/networking/network_security/egress_firewall/_attributes
@@ -0,0 +1 @@
+../../_attributes/
\ No newline at end of file
diff --git a/networking/openshift_network_security/configuring-egress-firewall-ovn.adoc b/networking/network_security/egress_firewall/configuring-egress-firewall-ovn.adoc
similarity index 100%
rename from networking/openshift_network_security/configuring-egress-firewall-ovn.adoc
rename to networking/network_security/egress_firewall/configuring-egress-firewall-ovn.adoc
diff --git a/networking/ovn_kubernetes_network_provider/editing-egress-firewall-ovn.adoc b/networking/network_security/egress_firewall/editing-egress-firewall-ovn.adoc
similarity index 100%
rename from networking/ovn_kubernetes_network_provider/editing-egress-firewall-ovn.adoc
rename to networking/network_security/egress_firewall/editing-egress-firewall-ovn.adoc
diff --git a/networking/network_security/egress_firewall/images b/networking/network_security/egress_firewall/images
new file mode 120000
index 000000000000..847b03ed0541
--- /dev/null
+++ b/networking/network_security/egress_firewall/images
@@ -0,0 +1 @@
+../../images/
\ No newline at end of file
diff --git a/networking/network_security/egress_firewall/modules b/networking/network_security/egress_firewall/modules
new file mode 120000
index 000000000000..36719b9de743
--- /dev/null
+++ b/networking/network_security/egress_firewall/modules
@@ -0,0 +1 @@
+../../modules/
\ No newline at end of file
diff --git a/networking/ovn_kubernetes_network_provider/removing-egress-firewall-ovn.adoc b/networking/network_security/egress_firewall/removing-egress-firewall-ovn.adoc
similarity index 100%
rename from networking/ovn_kubernetes_network_provider/removing-egress-firewall-ovn.adoc
rename to networking/network_security/egress_firewall/removing-egress-firewall-ovn.adoc
diff --git a/networking/network_security/egress_firewall/snippets b/networking/network_security/egress_firewall/snippets
new file mode 120000
index 000000000000..5a3f5add140e
--- /dev/null
+++ b/networking/network_security/egress_firewall/snippets
@@ -0,0 +1 @@
+../../snippets/
\ No newline at end of file
diff --git a/networking/ovn_kubernetes_network_provider/viewing-egress-firewall-ovn.adoc b/networking/network_security/egress_firewall/viewing-egress-firewall-ovn.adoc
similarity index 100%
rename from networking/ovn_kubernetes_network_provider/viewing-egress-firewall-ovn.adoc
rename to networking/network_security/egress_firewall/viewing-egress-firewall-ovn.adoc
diff --git a/networking/network_security/images b/networking/network_security/images
new file mode 120000
index 000000000000..847b03ed0541
--- /dev/null
+++ b/networking/network_security/images
@@ -0,0 +1 @@
+../../images/
\ No newline at end of file
diff --git a/networking/openshift_network_security/ingress-node-firewall-operator.adoc b/networking/network_security/ingress-node-firewall-operator.adoc
similarity index 100%
rename from networking/openshift_network_security/ingress-node-firewall-operator.adoc
rename to networking/network_security/ingress-node-firewall-operator.adoc
diff --git a/networking/network_security/logging-network-security.adoc b/networking/network_security/logging-network-security.adoc
new file mode 100644
index 000000000000..9edea938d43b
--- /dev/null
+++ b/networking/network_security/logging-network-security.adoc
@@ -0,0 +1,37 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="logging-network-security"]
+= Audit logging for network security
+include::_attributes/common-attributes.adoc[]
+:context: logging-network-security
+
+toc::[]
+
+The OVN-Kubernetes network plugin uses Open Virtual Network (OVN) access control lists (ACLs) to manage `AdminNetworkPolicy`, `BaselineAdminNetworkPolicy`, `NetworkPolicy`, and `EgressFirewall` objects. Audit logging exposes `allow` and `deny` ACL events for `NetworkPolicy`, `EgressFirewall` and `BaselineAdminNetworkPolicy` custom resources (CR). Logging also exposes `allow`, `deny`, and `pass` ACL events for `AdminNetworkPolicy` (ANP) CR.
+
+[NOTE]
+====
+Audit logging is available for only the xref:../../networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc#about-ovn-kubernetes[OVN-Kubernetes network plugin].
+====
+
+include::modules/nw-audit-configuration.adoc[leveloffset=+1]
+
+include::modules/nw-operator-cr.adoc[tag=policy-audit]
+
+include::modules/nw-networkpolicy-audit-concept.adoc[leveloffset=+1]
+
+include::modules/nw-anp-audit-logging-concept.adoc[leveloffset=+1]
+
+include::modules/nw-banp-audit-logging-concept.adoc[leveloffset=+1]
+
+include::modules/nw-networkpolicy-audit-configure.adoc[leveloffset=+1]
+
+include::modules/nw-networkpolicy-audit-enable.adoc[leveloffset=+1]
+
+include::modules/nw-networkpolicy-audit-disable.adoc[leveloffset=+1]
+
+[id="{context}-additional-resources"]
+[role="_additional-resources"]
+== Additional resources
+
+* xref:../../networking/network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
+* xref:../../networking/network_security/egress_firewall/configuring-egress-firewall-ovn.adoc#configuring-egress-firewall-ovn[Configuring an egress firewall for a project]
diff --git a/networking/network_security/modules b/networking/network_security/modules
new file mode 120000
index 000000000000..36719b9de743
--- /dev/null
+++ b/networking/network_security/modules
@@ -0,0 +1 @@
+../../modules/
\ No newline at end of file
diff --git a/networking/openshift_network_security/ovn-k-network-policy.adoc b/networking/network_security/network-policy-apis.adoc
similarity index 61%
rename from networking/openshift_network_security/ovn-k-network-policy.adoc
rename to networking/network_security/network-policy-apis.adoc
index 32a935b3c99d..a04fd574dc1e 100644
--- a/networking/openshift_network_security/ovn-k-network-policy.adoc
+++ b/networking/network_security/network-policy-apis.adoc
@@ -1,14 +1,14 @@
 :_mod-docs-content-type: ASSEMBLY
-[id="about-ovn-k-network-policy"]
-= About OVN-Kubernetes network policy
+[id="network-policy-apis"]
+= Understanding network policy APIs
 include::_attributes/common-attributes.adoc[]
-:context: ovn-k-network-policy
+:context: network-policy-apis
 
 toc::[]
 
-Kubernetes offers two features that users can use to enforce network security. One feature that allows users to enforce network policy is the `NetworkPolicy` API that is designed mainly for application developers and namespace tenants to protect their namespaces by creating namespace-scoped policies. For more information, see xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#nw-networkpolicy-about_about-network-policy[About network policy].
+Kubernetes offers two features that users can use to enforce network security. One feature that allows users to enforce network policy is the `NetworkPolicy` API that is designed mainly for application developers and namespace tenants to protect their namespaces by creating namespace-scoped policies.
 
-The second feature is `AdminNetworkPolicy` which consists of two APIs: the `AdminNetworkPolicy` (ANP) API and the `BaselineAdminNetworkPolicy` (BANP) API. ANP and BANP are designed for cluster and network administrators to protect their entire cluster by creating cluster-scoped policies. Cluster administrators can use ANPs to enforce non-overridable policies that take precedence over `NetworkPolicy` objects. Administrators can use BANP to set up and enforce optional cluster-scoped network policy rules that are overridable by users using `NetworkPolicy` objects when necessary. When used together, ANP and BANP can create a multi-tenancy policy that administrators can use to secure their cluster.
+The second feature is `AdminNetworkPolicy` which consists of two APIs: the `AdminNetworkPolicy` (ANP) API and the `BaselineAdminNetworkPolicy` (BANP) API. ANP and BANP are designed for cluster and network administrators to protect their entire cluster by creating cluster-scoped policies. Cluster administrators can use ANPs to enforce non-overridable policies that take precedence over `NetworkPolicy` objects. Administrators can use BANP to set up and enforce optional cluster-scoped network policy rules that are overridable by users using `NetworkPolicy` objects when necessary. When used together, ANP, BANP, and network policy can achieve full multi-tenant isolation that administrators can use to secure their cluster.
 
 OVN-Kubernetes CNI in {product-title} implements these network policies using Access Control List (ACL) Tiers to evaluate and apply them. ACLs are evaluated in descending order from Tier 1 to Tier 3.
 
@@ -16,4 +16,6 @@ Tier 1 evaluates `AdminNetworkPolicy` (ANP) objects. Tier 2 evaluates `NetworkPo
 
 image::615_OpenShift_OVN-K_ACLs_0324.png[OVK-Kubernetes Access Control List (ACL)]
 
-When traffic matches an ANP rule, the rules in that ANP are evaluated first. When the match is an ANP `allow` or `deny` rule, any existing `NetworkPolicy` and `BaselineAdminNetworkPolicy` (BANP) objects in the cluster are skipped from evaluation. When the match is an ANP `pass` rule, then evaluation moves from tier 1 of the ACL to tier 2 where the `NetworkPolicy` policy is evaluated.
\ No newline at end of file
+ANPs are evaluated first. When the match is an ANP `allow` or `deny` rule, any existing `NetworkPolicy` and `BaselineAdminNetworkPolicy` (BANP) objects in the cluster are skipped from evaluation. When the match is an ANP `pass` rule, then evaluation moves from tier 1 of the ACL to tier 2 where the `NetworkPolicy` policy is evaluated. If no `NetworkPolicy` matches the traffic then evaluation moves from tier 2 ACLs to tier 3 ACLs where BANP is evaluated.
+
+include::modules/nw-anp-np-reference.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/networking/network_security/network_policy/_attributes b/networking/network_security/network_policy/_attributes
new file mode 120000
index 000000000000..20cc1dcb77bf
--- /dev/null
+++ b/networking/network_security/network_policy/_attributes
@@ -0,0 +1 @@
+../../_attributes/
\ No newline at end of file
diff --git a/networking/openshift_network_security/network_policy/about-network-policy.adoc b/networking/network_security/network_policy/about-network-policy.adoc
similarity index 67%
rename from networking/openshift_network_security/network_policy/about-network-policy.adoc
rename to networking/network_security/network_policy/about-network-policy.adoc
index c02568829655..24abc59a07da 100644
--- a/networking/openshift_network_security/network_policy/about-network-policy.adoc
+++ b/networking/network_security/network_policy/about-network-policy.adoc
@@ -20,15 +20,15 @@ include::modules/nw-networkpolicy-optimize-ovn.adoc[leveloffset=+1]
 [id="about-network-policy-next-steps"]
 == Next steps
 
-* xref:../../../networking/openshift_network_security/network_policy/creating-network-policy.adoc#creating-network-policy[Creating a network policy]
+* xref:../../../networking/network_security/network_policy/creating-network-policy.adoc#creating-network-policy[Creating a network policy]
 ifndef::openshift-rosa,openshift-dedicated[]
-* Optional: xref:../../../networking/openshift_network_security/network_policy/default-network-policy.adoc#default-network-policy[Defining a default network policy for projects]
+* Optional: xref:../../../networking/network_security/network_policy/default-network-policy.adoc#default-network-policy[Defining a default network policy for projects]
 
 [role="_additional-resources"]
 [id="about-network-policy-additional-resources"]
 == Additional resources
 
 * xref:../../../authentication/using-rbac.adoc#rbac-projects-namespaces_using-rbac[Projects and namespaces]
-* xref:../../../networking/openshift_network_security/network_policy/multitenant-network-policy.adoc#multitenant-network-policy[Configuring multitenant isolation with network policy]
+* xref:../../../networking/network_security/network_policy/multitenant-network-policy.adoc#multitenant-network-policy[Configuring multitenant isolation with network policy]
 * xref:../../../rest_api/network_apis/networkpolicy-networking-k8s-io-v1.adoc#networkpolicy-networking-k8s-io-v1[NetworkPolicy API]
 endif::[]
diff --git a/networking/openshift_network_security/network_policy/creating-network-policy.adoc b/networking/network_security/network_policy/creating-network-policy.adoc
similarity index 87%
rename from networking/openshift_network_security/network_policy/creating-network-policy.adoc
rename to networking/network_security/network_policy/creating-network-policy.adoc
index 93cc1c69f447..a2511fa913de 100644
--- a/networking/openshift_network_security/network_policy/creating-network-policy.adoc
+++ b/networking/network_security/network_policy/creating-network-policy.adoc
@@ -32,5 +32,5 @@ ifndef::openshift-rosa,openshift-dedicated[]
 == Additional resources
 
 * xref:../../../web_console/web-console.adoc#web-console[Accessing the web console]
-* xref:../../../networking/ovn_kubernetes_network_provider/logging-network-policy.adoc#logging-network-policy[Logging for egress firewall and network policy rules]
+* xref:../../../networking/network_security/logging-network-security.adoc#logging-network-security[Logging for egress firewall and network policy rules]
 endif::[]
diff --git a/networking/openshift_network_security/network_policy/default-network-policy.adoc b/networking/network_security/network_policy/default-network-policy.adoc
similarity index 100%
rename from networking/openshift_network_security/network_policy/default-network-policy.adoc
rename to networking/network_security/network_policy/default-network-policy.adoc
diff --git a/networking/openshift_network_security/network_policy/deleting-network-policy.adoc b/networking/network_security/network_policy/deleting-network-policy.adoc
similarity index 100%
rename from networking/openshift_network_security/network_policy/deleting-network-policy.adoc
rename to networking/network_security/network_policy/deleting-network-policy.adoc
diff --git a/networking/openshift_network_security/network_policy/editing-network-policy.adoc b/networking/network_security/network_policy/editing-network-policy.adoc
similarity index 77%
rename from networking/openshift_network_security/network_policy/editing-network-policy.adoc
rename to networking/network_security/network_policy/editing-network-policy.adoc
index fc4f98edd856..f72f99889307 100644
--- a/networking/openshift_network_security/network_policy/editing-network-policy.adoc
+++ b/networking/network_security/network_policy/editing-network-policy.adoc
@@ -15,4 +15,4 @@ include::modules/nw-networkpolicy-object.adoc[leveloffset=+1]
 [role="_additional-resources"]
 [id="editing-network-policy-additional-resources"]
 == Additional resources
-* xref:../../../networking/openshift_network_security/network_policy/creating-network-policy.adoc#creating-network-policy[Creating a network policy]
+* xref:../../../networking/network_security/network_policy/creating-network-policy.adoc#creating-network-policy[Creating a network policy]
diff --git a/networking/network_security/network_policy/images b/networking/network_security/network_policy/images
new file mode 120000
index 000000000000..847b03ed0541
--- /dev/null
+++ b/networking/network_security/network_policy/images
@@ -0,0 +1 @@
+../../images/
\ No newline at end of file
diff --git a/networking/network_security/network_policy/modules b/networking/network_security/network_policy/modules
new file mode 120000
index 000000000000..36719b9de743
--- /dev/null
+++ b/networking/network_security/network_policy/modules
@@ -0,0 +1 @@
+../../modules/
\ No newline at end of file
diff --git a/networking/openshift_network_security/network_policy/multitenant-network-policy.adoc b/networking/network_security/network_policy/multitenant-network-policy.adoc
similarity index 87%
rename from networking/openshift_network_security/network_policy/multitenant-network-policy.adoc
rename to networking/network_security/network_policy/multitenant-network-policy.adoc
index 7a73489af4b3..62c9c3f86505 100644
--- a/networking/openshift_network_security/network_policy/multitenant-network-policy.adoc
+++ b/networking/network_security/network_policy/multitenant-network-policy.adoc
@@ -22,7 +22,7 @@ ifndef::openshift-rosa,openshift-dedicated[]
 [id="multitenant-network-policy-next-steps"]
 == Next steps
 
-* xref:../../../networking/openshift_network_security/network_policy/default-network-policy.adoc#default-network-policy[Defining a default network policy for a project]
+* xref:../../../networking/network_security/network_policy/default-network-policy.adoc#default-network-policy[Defining a default network policy for a project]
 
 [role="_additional-resources"]
 [id="multitenant-network-policy-additional-resources"]
diff --git a/networking/network_security/network_policy/snippets b/networking/network_security/network_policy/snippets
new file mode 120000
index 000000000000..5a3f5add140e
--- /dev/null
+++ b/networking/network_security/network_policy/snippets
@@ -0,0 +1 @@
+../../snippets/
\ No newline at end of file
diff --git a/networking/openshift_network_security/network_policy/viewing-network-policy.adoc b/networking/network_security/network_policy/viewing-network-policy.adoc
similarity index 100%
rename from networking/openshift_network_security/network_policy/viewing-network-policy.adoc
rename to networking/network_security/network_policy/viewing-network-policy.adoc
diff --git a/networking/network_security/snippets b/networking/network_security/snippets
new file mode 120000
index 000000000000..5a3f5add140e
--- /dev/null
+++ b/networking/network_security/snippets
@@ -0,0 +1 @@
+../../snippets/
\ No newline at end of file
diff --git a/networking/openshift_sdn/migrate-to-openshift-sdn.adoc b/networking/openshift_sdn/migrate-to-openshift-sdn.adoc
index 921a775ba698..912dd14ae9cf 100644
--- a/networking/openshift_sdn/migrate-to-openshift-sdn.adoc
+++ b/networking/openshift_sdn/migrate-to-openshift-sdn.adoc
@@ -21,7 +21,7 @@ include::modules/nw-ovn-kubernetes-rollback.adoc[leveloffset=+1]
 
 * xref:../../networking/cluster-network-operator.adoc#nw-operator-configuration-parameters-for-openshift-sdn_cluster-network-operator[Configuration parameters for the OpenShift SDN network plugin]
 * xref:../../backup_and_restore/control_plane_backup_and_restore/backing-up-etcd.adoc#backup-etcd[Backing up etcd]
-* xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
+* xref:../../networking/network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
 * OpenShift SDN capabilities
 - xref:../../networking/openshift_sdn/assigning-egress-ips.adoc#assigning-egress-ips[Configuring egress IPs for a project]
 - xref:../../networking/openshift_sdn/configuring-egress-firewall.adoc#configuring-egress-firewall[Configuring an egress firewall for a project]
diff --git a/networking/openshift_sdn/rollback-to-ovn-kubernetes.adoc b/networking/openshift_sdn/rollback-to-ovn-kubernetes.adoc
index 661017548f4e..bdf2ec36b6c5 100644
--- a/networking/openshift_sdn/rollback-to-ovn-kubernetes.adoc
+++ b/networking/openshift_sdn/rollback-to-ovn-kubernetes.adoc
@@ -6,7 +6,7 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-As a cluster administrator, you can rollback to the OVN-Kubernetes network plugin from the OpenShift SDN network plugin if the migration to OpenShift SDN is unsuccessful.
+As a cluster administrator, you can roll back to the OVN-Kubernetes network plugin from the OpenShift SDN network plugin if the migration to OpenShift SDN is unsuccessful.
 
 include::snippets/sdn-deprecation-statement.adoc[]
 
diff --git a/networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc b/networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc
index 5689b1acb1a0..48032ca52d4a 100644
--- a/networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc
+++ b/networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc
@@ -46,9 +46,9 @@ include::modules/nw-ovn-kubernetes-session-affinity.adoc[leveloffset=+1]
 [role="_additional-resources"]
 .Additional resources
 
-* xref:../../networking/openshift_network_security/configuring-egress-firewall-ovn.adoc#configuring-egress-firewall-ovn[Configuring an egress firewall for a project]
-* xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
-* xref:../../networking/ovn_kubernetes_network_provider/logging-network-policy.adoc#logging-network-policy[Logging network policy events]
+* xref:../../networking/network_security/egress_firewall/configuring-egress-firewall-ovn.adoc#configuring-egress-firewall-ovn[Configuring an egress firewall for a project]
+* xref:../../networking/network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
+* xref:../../networking/network_security/logging-network-security.adoc#logging-network-security[Logging network policy events]
 * xref:../../networking/ovn_kubernetes_network_provider/enabling-multicast.adoc#nw-ovn-kubernetes-enabling-multicast[Enabling multicast for a project]
-* xref:../../networking/openshift_network_security/configuring-ipsec-ovn.adoc#configuring-ipsec-ovn[Configuring IPsec encryption]
+* xref:../../networking/network_security/configuring-ipsec-ovn.adoc#configuring-ipsec-ovn[Configuring IPsec encryption]
 * xref:../../rest_api/operator_apis/network-operator-openshift-io-v1.adoc#network-operator-openshift-io-v1[Network [operator.openshift.io/v1\]]
diff --git a/networking/ovn_kubernetes_network_provider/configure-ovn-kubernetes-subnets.adoc b/networking/ovn_kubernetes_network_provider/configure-ovn-kubernetes-subnets.adoc
new file mode 100644
index 000000000000..f576fc02cfc0
--- /dev/null
+++ b/networking/ovn_kubernetes_network_provider/configure-ovn-kubernetes-subnets.adoc
@@ -0,0 +1,13 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="configure-ovn-kubernetes-subnets"]
+= Configuring OVN-Kubernetes internal IP address subnets
+include::_attributes/common-attributes.adoc[]
+:context: configure-ovn-kubernetes-subnets
+
+toc::[]
+
+[role="_abstract"]
+As a cluster administrator, you can change the IP address ranges that the OVN-Kubernetes network plugin uses for the join and transit subnets.
+
+include::modules/nw-ovn-kuberentes-change-join-subnet.adoc[leveloffset=+1]
+include::modules/nw-ovn-kuberentes-change-transit-subnet.adoc[leveloffset=+1]
diff --git a/networking/ovn_kubernetes_network_provider/logging-network-policy.adoc b/networking/ovn_kubernetes_network_provider/logging-network-policy.adoc
deleted file mode 100644
index 9004a7181ffe..000000000000
--- a/networking/ovn_kubernetes_network_provider/logging-network-policy.adoc
+++ /dev/null
@@ -1,53 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-[id="logging-network-policy"]
-= Logging for egress firewall and network policy rules
-include::_attributes/common-attributes.adoc[]
-:context: logging-network-policy
-
-toc::[]
-
-As a cluster administrator, you can configure audit logging for your cluster and enable logging for one or more namespaces. {product-title} produces audit logs for both egress firewalls and network policies.
-
-[NOTE]
-====
-Audit logging is available for only the xref:../../networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc#about-ovn-kubernetes[OVN-Kubernetes network plugin].
-====
-
-include::modules/nw-networkpolicy-audit-concept.adoc[leveloffset=+1]
-
-[id="network-policy-audit-configuration-{context}"]
-== Audit configuration
-
-The configuration for audit logging is specified as part of the OVN-Kubernetes cluster network provider configuration. The following YAML illustrates the default values for the audit logging:
-
-.Audit logging configuration
-[source,yaml]
-----
-apiVersion: operator.openshift.io/v1
-kind: Network
-metadata:
-  name: cluster
-spec:
-  defaultNetwork:
-    ovnKubernetesConfig:
-      policyAuditConfig:
-        destination: "null"
-        maxFileSize: 50
-        rateLimit: 20
-        syslogFacility: local0
-----
-
-The following table describes the configuration fields for audit logging.
-
-include::modules/nw-operator-cr.adoc[tag=policy-audit]
-
-include::modules/nw-networkpolicy-audit-configure.adoc[leveloffset=+1]
-include::modules/nw-networkpolicy-audit-enable.adoc[leveloffset=+1]
-include::modules/nw-networkpolicy-audit-disable.adoc[leveloffset=+1]
-
-[id="{context}-additional-resources"]
-[role="_additional-resources"]
-== Additional resources
-
-* xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
-* xref:../../networking/openshift_network_security/configuring-egress-firewall-ovn.adoc#configuring-egress-firewall-ovn[Configuring an egress firewall for a project]
diff --git a/networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn.adoc b/networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn.adoc
index 3ea0be4fd4dc..85e9decd8dfb 100644
--- a/networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn.adoc
+++ b/networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn.adoc
@@ -6,14 +6,19 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-As a cluster administrator, you can migrate to the OVN-Kubernetes network plugin from the OpenShift SDN network plugin.
+As a cluster administrator, you can migrate to the OVN-Kubernetes network plugin from the OpenShift SDN network plugin using the _offline_ migration method or the limited live migration method.
 
 To learn more about OVN-Kubernetes, read xref:../../networking/ovn_kubernetes_network_provider/about-ovn-kubernetes#about-ovn-kubernetes[About the OVN-Kubernetes network plugin].
 
 include::modules/nw-ovn-kubernetes-migration-about.adoc[leveloffset=+1]
 include::modules/nw-network-plugin-migration-process.adoc[leveloffset=+2]
+include::modules/nw-ovn-kubernetes-migration.adoc[leveloffset=+2]
 
-include::modules/nw-ovn-kubernetes-migration.adoc[leveloffset=+1]
+include::modules/nw-ovn-kubernetes-live-migration-about.adoc[leveloffset=+1]
+include::modules/how-the-live-migration-process-works.adoc[leveloffset=+2]
+include::modules/nw-ovn-kubernetes-live-migration.adoc[leveloffset=+2]
+include::modules/nw-ovn-kubernetes-checking-live-migration-metrics.adoc[leveloffset=+2]
+include::modules/live-migration-metrics-information.adoc[leveloffset=+3]
 
 [role="_additional-resources"]
 [id="migrate-from-openshift-sdn-additional-resources"]
@@ -22,15 +27,16 @@ include::modules/nw-ovn-kubernetes-migration.adoc[leveloffset=+1]
 * link:https://access.redhat.com/labs/ocpnc/[Red Hat OpenShift Network Calculator]
 * xref:../../networking/cluster-network-operator.adoc#nw-operator-configuration-parameters-for-ovn-sdn_cluster-network-operator[Configuration parameters for the OVN-Kubernetes network plugin]
 * xref:../../backup_and_restore/control_plane_backup_and_restore/backing-up-etcd.adoc#backup-etcd[Backing up etcd]
-* xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
+* xref:../../networking/network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
 * xref:../../networking/changing-cluster-network-mtu.adoc#nw-cluster-mtu-change_changing-cluster-network-mtu[Changing the cluster MTU]
 * xref:../../networking/changing-cluster-network-mtu.adoc#mtu-value-selection_changing-cluster-network-mtu[MTU value selection]
 * OVN-Kubernetes capabilities
 - xref:../../networking/ovn_kubernetes_network_provider/configuring-egress-ips-ovn.adoc#configuring-egress-ips-ovn[Configuring an egress IP address]
-- xref:../../networking/openshift_network_security/configuring-egress-firewall-ovn.adoc#configuring-egress-firewall-ovn[Configuring an egress firewall for a project]
+- xref:../../networking/network_security/egress_firewall/configuring-egress-firewall-ovn.adoc#configuring-egress-firewall-ovn[Configuring an egress firewall for a project]
 - xref:../../networking/ovn_kubernetes_network_provider/enabling-multicast.adoc#nw-ovn-kubernetes-enabling-multicast[Enabling multicast for a project]
 * OpenShift SDN capabilities
 - xref:../../networking/openshift_sdn/assigning-egress-ips.adoc#assigning-egress-ips[Configuring egress IPs for a project]
 - xref:../../networking/openshift_sdn/configuring-egress-firewall.adoc#configuring-egress-firewall[Configuring an egress firewall for a project]
 - xref:../../networking/openshift_sdn/enabling-multicast.adoc#enabling-multicast[Enabling multicast for a project]
+- xref:../../networking/openshift_sdn/deploying-egress-router-layer3-redirection.adoc#deploying-egress-router-layer3-redirection[Deploying an egress router pod in redirect mode]
 * xref:../../rest_api/operator_apis/network-operator-openshift-io-v1.adoc#network-operator-openshift-io-v1[Network [operator.openshift.io/v1]]
diff --git a/networking/ovn_kubernetes_network_provider/rollback-to-openshift-sdn.adoc b/networking/ovn_kubernetes_network_provider/rollback-to-openshift-sdn.adoc
index 61864ea97252..665f57a77f06 100644
--- a/networking/ovn_kubernetes_network_provider/rollback-to-openshift-sdn.adoc
+++ b/networking/ovn_kubernetes_network_provider/rollback-to-openshift-sdn.adoc
@@ -6,8 +6,15 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-As a cluster administrator, you can rollback to the OpenShift SDN from the OVN-Kubernetes network plugin only after the migration to the OVN-Kubernetes network plugin is completed and successful.
+As a cluster administrator, you can roll back to the OpenShift SDN network plugin from the OVN-Kubernetes network plugin using either the _offline_ migration method, or the limited live migration method. This can only be done after the migration to the OVN-Kubernetes network plugin has successfully completed.
+
+[NOTE]
+====
+* If you used the offline migration method to migrate to the OpenShift SDN network plugin from the OVN-Kubernetes network plugin, you should use the offline migration rollback method. 
+* If you used the limited live migration method to migrate to the OpenShift SDN network plugin from the OVN-Kubernetes network plugin, you should use the limited live migration rollback method.
+====
 
 include::snippets/sdn-deprecation-statement.adoc[]
 
 include::modules/nw-ovn-kubernetes-rollback.adoc[leveloffset=+1]
+include::modules/nw-ovn-kubernetes-rollback-live.adoc[leveloffset=+1]
diff --git a/networking/ptp/about-ptp.adoc b/networking/ptp/about-ptp.adoc
index 79ee2ad18b63..4b0f3b2a4f4c 100644
--- a/networking/ptp/about-ptp.adoc
+++ b/networking/ptp/about-ptp.adoc
@@ -28,7 +28,7 @@ include::modules/nw-ptp-introduction.adoc[leveloffset=+1]
 
 [IMPORTANT]
 ====
-Before enabling PTP, ensure that NTP is disabled for the required nodes. You can disable the chrony time service (`chronyd`) using a `MachineConfig` custom resource. For more information, see xref:../../post_installation_configuration/machine-configuration-tasks.adoc#cnf-disable-chronyd_post-install-machine-configuration-tasks[Disabling chrony time service].
+Before enabling PTP, ensure that NTP is disabled for the required nodes. You can disable the chrony time service (`chronyd`) using a `MachineConfig` custom resource. For more information, see xref:../../machine_configuration/machine-configs-configure.adoc#cnf-disable-chronyd_machine-configs-configure[Disabling chrony time service].
 ====
 
 include::modules/ptp-dual-nics.adoc[leveloffset=+1]
diff --git a/networking/routes/secured-routes.adoc b/networking/routes/secured-routes.adoc
index 5cd7bef36113..7bd896457ff3 100644
--- a/networking/routes/secured-routes.adoc
+++ b/networking/routes/secured-routes.adoc
@@ -25,3 +25,10 @@ include::modules/nw-ingress-creating-a-reencrypt-route-with-a-custom-certificate
 include::modules/nw-ingress-creating-an-edge-route-with-a-custom-certificate.adoc[leveloffset=+1]
 
 include::modules/nw-ingress-creating-a-passthrough-route.adoc[leveloffset=+1]
+
+include::modules/nw-ingress-route-secret-load-external-cert.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* For troubleshooting routes with externally managed certificates, check the {product-title} router pod logs for errors, see xref:../../support/troubleshooting/investigating-pod-issues.adoc[Investigating pod issues].
\ No newline at end of file
diff --git a/networking/verifying-connectivity-endpoint.adoc b/networking/verifying-connectivity-endpoint.adoc
index 57e75e4e899e..fd26fff9b76a 100644
--- a/networking/verifying-connectivity-endpoint.adoc
+++ b/networking/verifying-connectivity-endpoint.adoc
@@ -11,5 +11,6 @@ By reviewing the results of the health checks, you can diagnose connection probl
 
 include::modules/nw-pod-network-connectivity-checks.adoc[leveloffset=+1]
 include::modules/nw-pod-network-connectivity-implementation.adoc[leveloffset=+1]
+include::modules/nw-pod-network-connectivity-configuration.adoc[leveloffset=+1]
 include::modules/nw-pod-network-connectivity-check-object.adoc[leveloffset=+1]
 include::modules/nw-pod-network-connectivity-verify.adoc[leveloffset=+1]
diff --git a/networking/zero-trust-networking.adoc b/networking/zero-trust-networking.adoc
index 8dd1302e3f83..1da4a2b15c12 100644
--- a/networking/zero-trust-networking.adoc
+++ b/networking/zero-trust-networking.adoc
@@ -30,7 +30,7 @@ Ensure that all traffic on the wire is encrypted and the endpoints are identifia
 
 Leverage:
 
-* {product-title}: With transparent xref:../networking/openshift_network_security/configuring-ipsec-ovn.adoc#configuring-ipsec-ovn-pod-to-pod-ipsec[pod-to-pod IPsec], the source and destination of the traffic can be identified by the IP address. There is the capability for egress traffic to be xref:../networking/openshift_network_security/configuring-ipsec-ovn.adoc#nw-ovn-ipsec-north-south-enable_configuring-ipsec-ovn[encrypted using IPsec]. By using the xref:../networking/ovn_kubernetes_network_provider/configuring-egress-ips-ovn.adoc#configuring-egress-ips-ovn[egress IP] feature, the source IP address of the traffic can be used to identify the source of the traffic inside the cluster.
+* {product-title}: With transparent xref:../networking/network_security/configuring-ipsec-ovn.adoc#configuring-ipsec-ovn-pod-to-pod-ipsec[pod-to-pod IPsec], the source and destination of the traffic can be identified by the IP address. There is the capability for egress traffic to be xref:../networking/network_security/configuring-ipsec-ovn.adoc#nw-ovn-ipsec-north-south-enable_configuring-ipsec-ovn[encrypted using IPsec]. By using the xref:../networking/ovn_kubernetes_network_provider/configuring-egress-ips-ovn.adoc#configuring-egress-ips-ovn[egress IP] feature, the source IP address of the traffic can be used to identify the source of the traffic inside the cluster.
 * xref:../service_mesh/v2x/ossm-about.adoc#ossm-about[{SMProductName}]: Provides powerful xref:../service_mesh/v2x/ossm-security.adoc#ossm-security-mtls_ossm-security[mTLS capabilities] that can transparently augment traffic leaving a pod to provide authentication and encryption.
 * xref:../security/cert_manager_operator/index.adoc#cert-manager-operator-about[OpenShift cert-manager Operator]: Use custom resource definitions (CRDs) to request certificates that can be mounted for your programs to use for SSL/TLS protocols.
 
@@ -53,7 +53,7 @@ It is critical to be able to control access to services based on the identity of
 
 Leverage:
 
-* {product-title}: Can enforce isolation in the networking layer of the platform using the Kubernetes xref:../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[`NetworkPolicy`] and xref:../networking/openshift_network_security/ovn-k-anp.adoc#ovn-k-anp[`AdminNetworkPolicy`] objects.
+* {product-title}: Can enforce isolation in the networking layer of the platform using the Kubernetes xref:../networking/network_security/network_policy/about-network-policy.adoc#about-network-policy[`NetworkPolicy`] and xref:../networking/network_security/AdminNetworkPolicy/ovn-k-anp.adoc#ovn-k-anp[`AdminNetworkPolicy`] objects.
 * xref:../service_mesh/v2x/ossm-about.adoc#ossm-about[{SMProductName}]: Sophisticated L4 and L7 xref:../service_mesh/v2x/ossm-security.adoc#ossm-security[control of traffic] using standard Istio objects and using mTLS to identify the source and destination of traffic and then apply policies based on that information.
 
 [id="zero-trust-transaction-level-verification"]
diff --git a/nodes/containers/nodes-containers-using.adoc b/nodes/containers/nodes-containers-using.adoc
index 18eb3ab8301a..31acf09126e4 100644
--- a/nodes/containers/nodes-containers-using.adoc
+++ b/nodes/containers/nodes-containers-using.adoc
@@ -70,7 +70,7 @@ runC has some benefits over crun, including:
 
 You can move between the two container runtimes as needed.
 
-For information on setting which container runtime to use, see xref:../../post_installation_configuration/machine-configuration-tasks.adoc#create-a-containerruntimeconfig_post-install-machine-configuration-tasks[Creating a `ContainerRuntimeConfig` CR to edit CRI-O parameters].
+For information on setting which container runtime to use, see xref:../../machine_configuration/machine-configs-custom.adoc#create-a-containerruntimeconfig_machine-configs-custom[Creating a `ContainerRuntimeConfig` CR to edit CRI-O parameters].
 endif::openshift-rosa,openshift-dedicated[]
 
 ifdef::openshift-rosa,openshift-dedicated[]
diff --git a/nodes/nodes-sigstore-using.adoc b/nodes/nodes-sigstore-using.adoc
new file mode 100644
index 000000000000..fac9b8354169
--- /dev/null
+++ b/nodes/nodes-sigstore-using.adoc
@@ -0,0 +1,17 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="nodes-sigstore-using"]
+= Manage secure signatures with sigstore
+include::_attributes/common-attributes.adoc[]
+:context: nodes-sigstore-using
+
+toc::[]
+
+You can use the sigstore project with {product-title} to improve supply chain security.
+
+// The following include statements pull in the module files that comprise
+// the assembly. Include any combination of concept, procedure, or reference
+// modules required to cover the user story. You can also include other
+// assemblies.
+
+// AManage secure signatures with SigStore
+include::modules/nodes-sigstore-using-about.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/nodes/nodes/nodes-nodes-managing.adoc b/nodes/nodes/nodes-nodes-managing.adoc
index b01be5512afd..8ff08fad90d6 100644
--- a/nodes/nodes/nodes-nodes-managing.adoc
+++ b/nodes/nodes/nodes-nodes-managing.adoc
@@ -21,6 +21,15 @@ configuration of nodes. By creating an instance of a `KubeletConfig` object, a m
 // assemblies.
 
 include::modules/nodes-nodes-managing-about.adoc[leveloffset=+1]
+include::modules/mco-update-boot-images.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../nodes/clusters/nodes-cluster-enabling-features.adoc#nodes-cluster-enabling[Enabling features using feature gates]
+
+include::modules/mco-update-boot-images-disable.adoc[leveloffset=+2]
+
 include::modules/nodes-nodes-working-master-schedulable.adoc[leveloffset=+1]
 include::modules/nodes-nodes-working-setting-booleans.adoc[leveloffset=+1]
 include::modules/nodes-nodes-kernel-arguments.adoc[leveloffset=+1]
diff --git a/nodes/pods/nodes-pods-secrets-store.adoc b/nodes/pods/nodes-pods-secrets-store.adoc
index 63e1c3a1d382..646ac7eec39a 100644
--- a/nodes/pods/nodes-pods-secrets-store.adoc
+++ b/nodes/pods/nodes-pods-secrets-store.adoc
@@ -33,6 +33,7 @@ After installing the {secrets-store-operator}, you can mount secrets from one of
 * xref:../../nodes/pods/nodes-pods-secrets-store.adoc#secrets-store-aws_nodes-pods-secrets-store[AWS Secrets Manager]
 * xref:../../nodes/pods/nodes-pods-secrets-store.adoc#secrets-store-aws_nodes-pods-secrets-store-parameter-store[AWS Systems Manager Parameter Store]
 * xref:../../nodes/pods/nodes-pods-secrets-store.adoc#secrets-store-azure_nodes-pods-secrets-store[Azure Key Vault]
+* xref:../../nodes/pods/nodes-pods-secrets-store.adoc#secrets-store-vault_nodes-pods-secrets-store[HashiCorp Vault]
 
 // Mounting secrets from AWS Secrets Manager
 :secrets-store-provider: AWS Secrets Manager
@@ -63,6 +64,9 @@ include::modules/secrets-store-aws.adoc[leveloffset=+2]
 // Mounting secrets from Azure Key Vault
 include::modules/secrets-store-azure.adoc[leveloffset=+2]
 
+// Mounting secrets from HashiCorp Vault
+include::modules/secrets-store-vault.adoc[leveloffset=+2]
+
 // Enabling synchronization of mounted content as Kubernetes secrets
 include::modules/secrets-store-sync-secrets.adoc[leveloffset=+1]
 
diff --git a/nodes/pods/nodes-pods-secrets.adoc b/nodes/pods/nodes-pods-secrets.adoc
index 648853a23402..466e3f7297af 100644
--- a/nodes/pods/nodes-pods-secrets.adoc
+++ b/nodes/pods/nodes-pods-secrets.adoc
@@ -14,13 +14,6 @@ include::modules/nodes-pods-secrets-about.adoc[leveloffset=+1]
 
 include::modules/service-account-auto-secret-removed.adoc[leveloffset=+2]
 
-.Additional resources
-
-ifndef::openshift-rosa,openshift-dedicated[]
-* For information about requesting bound service account tokens, see xref:../../authentication/bound-service-account-tokens.adoc#bound-sa-tokens-configuring_bound-service-account-tokens[Using bound service account tokens]
-endif::openshift-rosa,openshift-dedicated[]
-* For information about creating a service account token secret, see xref:../../nodes/pods/nodes-pods-secrets.doc#nodes-pods-secrets-creating-sa_nodes-pods-secrets[Creating a service account token secret].
-
 include::modules/nodes-pods-secrets-creating.adoc[leveloffset=+1]
 
 include::modules/nodes-pods-secrets-creating-opaque.adoc[leveloffset=+2]
@@ -28,20 +21,20 @@ include::modules/nodes-pods-secrets-creating-opaque.adoc[leveloffset=+2]
 [role="_additional-resources"]
 .Additional resources
 
-* For more information on using secrets in pods, see xref:../../nodes/pods/nodes-pods-secrets.adoc#nodes-pods-secrets-creating_nodes-pods-secrets[Understanding how to create secrets].
+* xref:../../nodes/pods/nodes-pods-secrets.adoc#nodes-pods-secrets-creating_nodes-pods-secrets[Understanding how to create secrets]
 
 include::modules/nodes-pods-secrets-creating-sa.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 .Additional resources
 
-* For more information on using secrets in pods, see xref:../../nodes/pods/nodes-pods-secrets.adoc#nodes-pods-secrets-creating_nodes-pods-secrets[Understanding how to create secrets].
+* xref:../../nodes/pods/nodes-pods-secrets.adoc#nodes-pods-secrets-creating_nodes-pods-secrets[Understanding how to create secrets]
 
 ifndef::openshift-rosa,openshift-dedicated[]
 
-* For information on requesting bound service account tokens, see xref:../../authentication/bound-service-account-tokens.adoc#bound-sa-tokens-configuring_bound-service-account-tokens[Using bound service account tokens]
+* xref:../../authentication/bound-service-account-tokens.adoc#bound-sa-tokens-configuring_bound-service-account-tokens[Configuring bound service account tokens using volume projection]
 
-* For information on creating service accounts, see xref:../../authentication/understanding-and-creating-service-accounts.adoc#understanding-and-creating-service-accounts[Understanding and creating service accounts].
+* xref:../../authentication/understanding-and-creating-service-accounts.adoc#understanding-and-creating-service-accounts[Understanding and creating service accounts]
 endif::openshift-rosa,openshift-dedicated[]
 
 include::modules/nodes-pods-secrets-creating-basic.adoc[leveloffset=+2]
@@ -49,21 +42,21 @@ include::modules/nodes-pods-secrets-creating-basic.adoc[leveloffset=+2]
 [role="_additional-resources"]
 .Additional resources
 
-* For more information on using secrets in pods, see xref:../../nodes/pods/nodes-pods-secrets.adoc#nodes-pods-secrets-creating_nodes-pods-secrets[Understanding how to create secrets].
+* xref:../../nodes/pods/nodes-pods-secrets.adoc#nodes-pods-secrets-creating_nodes-pods-secrets[Understanding how to create secrets]
 
 include::modules/nodes-pods-secrets-creating-ssh.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 .Additional resources
 
-* xref:../../nodes/pods/nodes-pods-secrets.adoc#nodes-pods-secrets-creating_nodes-pods-secrets[Understanding how to create secrets].
+* xref:../../nodes/pods/nodes-pods-secrets.adoc#nodes-pods-secrets-creating_nodes-pods-secrets[Understanding how to create secrets]
 
 include::modules/nodes-pods-secrets-creating-docker.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 .Additional resources
 
-* For more information on using secrets in pods, see xref:../../nodes/pods/nodes-pods-secrets.adoc#nodes-pods-secrets-creating_nodes-pods-secrets[Understanding how to create secrets].
+* xref:../../nodes/pods/nodes-pods-secrets.adoc#nodes-pods-secrets-creating_nodes-pods-secrets[Understanding how to create secrets]
 
 include::modules/nodes-pods-secrets-creating-web-console-secrets.adoc[leveloffset=+2]
 
diff --git a/nodes/pods/nodes-pods-vertical-autoscaler.adoc b/nodes/pods/nodes-pods-vertical-autoscaler.adoc
index 24b0656f8695..6a6f1b5b9264 100644
--- a/nodes/pods/nodes-pods-vertical-autoscaler.adoc
+++ b/nodes/pods/nodes-pods-vertical-autoscaler.adoc
@@ -22,6 +22,12 @@ include::modules/nodes-pods-vertical-autoscaler-about.adoc[leveloffset=+1]
 
 include::modules/nodes-pods-vertical-autoscaler-install.adoc[leveloffset=+1]
 
+include::modules/nodes-pods-vertical-autoscaler-moving-vpa.adoc[leveloffset=+1]
+
+.Additional resources
+
+* xref:../../machine_management/creating-infrastructure-machinesets.adoc#creating-infrastructure-machinesets-production[Creating infrastructure machine sets] 
+
 include::modules/nodes-pods-vertical-autoscaler-using-about.adoc[leveloffset=+1]
 
 include::modules/nodes-pods-vertical-autoscaler-tuning.adoc[leveloffset=+2]
diff --git a/nodes/scheduling/secondary_scheduler/index.adoc b/nodes/scheduling/secondary_scheduler/index.adoc
index d8c70a90d36b..db48a388669c 100644
--- a/nodes/scheduling/secondary_scheduler/index.adoc
+++ b/nodes/scheduling/secondary_scheduler/index.adoc
@@ -8,5 +8,8 @@ toc::[]
 
 You can install the {secondary-scheduler-operator} to run a custom secondary scheduler alongside the default scheduler to schedule pods.
 
+:operator-name: The {secondary-scheduler-operator}
+include::snippets/operator-not-available.adoc[]
+
 // About the {secondary-scheduler-operator}
 include::modules/nodes-secondary-scheduler-about.adoc[leveloffset=+1]
diff --git a/nodes/scheduling/secondary_scheduler/nodes-secondary-scheduler-configuring.adoc b/nodes/scheduling/secondary_scheduler/nodes-secondary-scheduler-configuring.adoc
index 8c852325abc2..e23c9ae72fda 100644
--- a/nodes/scheduling/secondary_scheduler/nodes-secondary-scheduler-configuring.adoc
+++ b/nodes/scheduling/secondary_scheduler/nodes-secondary-scheduler-configuring.adoc
@@ -4,9 +4,13 @@
 include::_attributes/common-attributes.adoc[]
 :context: secondary-scheduler-configuring
 
+toc::[]
+
 You can run a custom secondary scheduler in {product-title} by installing the {secondary-scheduler-operator}, deploying the secondary scheduler, and setting the secondary scheduler in the pod definition.
 
-toc::[]
+:operator-name: The {secondary-scheduler-operator}
+include::snippets/operator-not-available.adoc[]
+
 
 // Installing the {secondary-scheduler-operator}
 include::modules/nodes-secondary-scheduler-install-console.adoc[leveloffset=+1]
diff --git a/nodes/scheduling/secondary_scheduler/nodes-secondary-scheduler-release-notes.adoc b/nodes/scheduling/secondary_scheduler/nodes-secondary-scheduler-release-notes.adoc
index a49a96288157..f5bfbc895971 100644
--- a/nodes/scheduling/secondary_scheduler/nodes-secondary-scheduler-release-notes.adoc
+++ b/nodes/scheduling/secondary_scheduler/nodes-secondary-scheduler-release-notes.adoc
@@ -10,57 +10,7 @@ The {secondary-scheduler-operator-full} allows you to deploy a custom secondary
 
 These release notes track the development of the {secondary-scheduler-operator-full}.
 
-For more information, see xref:../../../nodes/scheduling/secondary_scheduler/index.adoc#nodes-secondary-scheduler-about_nodes-secondary-scheduler-about[About the {secondary-scheduler-operator}].
-
-[id="secondary-scheduler-operator-release-notes-1.2.1"]
-== Release notes for {secondary-scheduler-operator-full} 1.2.1
-
-Issued: 2024-03-06
-
-The following advisory is available for the {secondary-scheduler-operator-full} 1.2.1:
-
-* link:https://access.redhat.com/errata/RHSA-2024:0281[RHSA-2024:0281]
-
-[id="secondary-scheduler-operator-1.2.1-new-features-and-enhancements"]
-=== New features and enhancements
-
-[discrete]
-==== Resource limits removed to support large clusters
-
-With this release, resource limits were removed to allow you to use the {secondary-scheduler-operator} for large clusters with many nodes and pods without failing due to out-of-memory errors.
-
-[id="secondary-scheduler-1.2.1-bug-fixes"]
-=== Bug fixes
-
-* This release of the {secondary-scheduler-operator} addresses several Common Vulnerabilities and Exposures (CVEs).
-
-[id="secondary-scheduler-operator-1.2.1-known-issues"]
-=== Known issues
+:operator-name: The {secondary-scheduler-operator}
+include::snippets/operator-not-available.adoc[]
 
-* Currently, you cannot deploy additional resources, such as config maps, CRDs, or RBAC policies through the {secondary-scheduler-operator}. Any resources other than roles and role bindings that are required by your custom secondary scheduler must be applied externally. (link:https://issues.redhat.com/browse/WRKLDS-645[*WRKLDS-645*])
-
-[id="secondary-scheduler-operator-release-notes-1.2.0"]
-== Release notes for {secondary-scheduler-operator-full} 1.2.0
-
-Issued: 2023-11-01
-
-The following advisory is available for the {secondary-scheduler-operator-full} 1.2.0:
-
-* link:https://access.redhat.com/errata/RHSA-2023:6154[RHSA-2023:6154]
-
-////
-// No enhancements in this release
-[id="secondary-scheduler-operator-1.2.0-new-features-and-enhancements"]
-=== New features and enhancements
-* None
-////
-
-[id="secondary-scheduler-1.2.0-bug-fixes"]
-=== Bug fixes
-
-* This release of the {secondary-scheduler-operator} addresses several Common Vulnerabilities and Exposures (CVEs).
-
-[id="secondary-scheduler-operator-1.2.0-known-issues"]
-=== Known issues
-
-* Currently, you cannot deploy additional resources, such as config maps, CRDs, or RBAC policies through the {secondary-scheduler-operator}. Any resources other than roles and role bindings that are required by your custom secondary scheduler must be applied externally. (link:https://issues.redhat.com/browse/WRKLDS-645[*WRKLDS-645*])
+For more information, see xref:../../../nodes/scheduling/secondary_scheduler/index.adoc#nodes-secondary-scheduler-about_nodes-secondary-scheduler-about[About the {secondary-scheduler-operator}].
diff --git a/nodes/scheduling/secondary_scheduler/nodes-secondary-scheduler-uninstalling.adoc b/nodes/scheduling/secondary_scheduler/nodes-secondary-scheduler-uninstalling.adoc
index 6f8929ad7e07..d42e48e49ca4 100644
--- a/nodes/scheduling/secondary_scheduler/nodes-secondary-scheduler-uninstalling.adoc
+++ b/nodes/scheduling/secondary_scheduler/nodes-secondary-scheduler-uninstalling.adoc
@@ -8,6 +8,9 @@ toc::[]
 
 You can remove the {secondary-scheduler-operator-full} from {product-title} by uninstalling the Operator and removing its related resources.
 
+:operator-name: The {secondary-scheduler-operator}
+include::snippets/operator-not-available.adoc[]
+
 // Uninstalling the {secondary-scheduler-operator}
 include::modules/nodes-secondary-scheduler-uninstall-console.adoc[leveloffset=+1]
 
diff --git a/observability/distr_tracing/distr_tracing_rn/distr-tracing-rn-3-1-1.adoc b/observability/distr_tracing/distr_tracing_rn/distr-tracing-rn-3-1-1.adoc
deleted file mode 100644
index b1fb380c6970..000000000000
--- a/observability/distr_tracing/distr_tracing_rn/distr-tracing-rn-3-1-1.adoc
+++ /dev/null
@@ -1,73 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-include::_attributes/common-attributes.adoc[]
-[id="distributed-tracing-rn-3-1-1"]
-= Release notes for {DTProductName} 3.1.1
-:context: distributed-tracing-rn-3-1-1
-
-toc::[]
-
-include::modules/distr-tracing-product-overview.adoc[leveloffset=+1]
-
-You can use the {DTShortName} xref:../../otel/otel-forwarding.adoc#otel-forwarding-traces[in combination with] the xref:../../otel/otel-installing.adoc#install-otel[{OTELName}].
-
-This release of the {DTProductName} includes the {TempoName} and the deprecated {JaegerName}.
-
-[id="distributed-tracing-rn_3-1-1_cves"]
-== CVEs
-
-This release fixes link:https://access.redhat.com/security/cve/cve-2023-39326[CVE-2023-39326].
-
-// Tempo section
-[id="distributed-tracing-rn_3-1-1_tempo-release-notes"]
-== {TempoName}
-
-The {TempoName} is provided through the {TempoOperator}.
-
-[id="distributed-tracing-rn_3-1-1_tempo-release-notes_known-issues"]
-=== Known issues
-
-//There is currently a known issue:
-There are currently known issues:
-
-* Currently, when used with the {TempoOperator}, the Jaeger UI only displays services that have sent traces in the last 15 minutes. For services that did not send traces in the last 15 minutes, traces are still stored but not displayed in the Jaeger UI. (link:https://issues.redhat.com/browse/TRACING-3139[TRACING-3139])
-* Currently, the {TempoShortName} fails on the IBM Z (`s390x`) architecture. (link:https://issues.redhat.com/browse/TRACING-3545[TRACING-3545])
-
-// Jaeger section
-[id="distributed-tracing-rn_3-1-1_jaeger-release-notes"]
-== {JaegerName}
-
-The {JaegerName} is provided through the {JaegerOperator} Operator.
-
-[IMPORTANT]
-====
-Jaeger does not use FIPS validated cryptographic modules.
-====
-
-[id="distributed-tracing-rn_3-1-1_jaeger-release-notes_support-for-elasticsearch-operator"]
-=== Support for {es-op}
-
-{JaegerName} 3.1.1 is supported for use with the {es-op} 5.6, 5.7, and 5.8.
-
-[id="distributed-tracing-rn_3-1-1_jaeger-release-notes_deprecated-functionality"]
-=== Deprecated functionality
-
-In the {DTProductName} 3.1.1, Jaeger and support for Elasticsearch remain deprecated, and both are planned to be removed in a future release. Red Hat will provide critical and above CVE bug fixes and support for these components during the current release lifecycle, but these components will no longer receive feature enhancements.
-
-In the {DTProductName} 3.1.1, Tempo provided by the {TempoOperator} and the OpenTelemetry Collector provided by the {OTELName} are the preferred Operators for distributed tracing collection and storage. The OpenTelemetry and Tempo distributed tracing stack is to be adopted by all users because this will be the stack that will be enhanced going forward.
-
-[id="distributed-tracing-rn_3-1-1_jaeger-release-notes_known-issues"]
-=== Known issues
-
-//There is currently a known issue:
-There are currently known issues:
-
-* Currently, Apache Spark is not supported.
-
-ifndef::openshift-rosa[]
-
-* Currently, the streaming deployment via AMQ/Kafka is not supported on the {ibm-z-title} and {ibm-power-title} architectures.
-endif::openshift-rosa[]
-
-include::modules/support.adoc[leveloffset=+1]
-
-include::modules/making-open-source-more-inclusive.adoc[leveloffset=+1]
diff --git a/observability/distr_tracing/distr_tracing_rn/distr-tracing-rn-3-2-1.adoc b/observability/distr_tracing/distr_tracing_rn/distr-tracing-rn-3-2-1.adoc
new file mode 100644
index 000000000000..c86b2f9cc1c8
--- /dev/null
+++ b/observability/distr_tracing/distr_tracing_rn/distr-tracing-rn-3-2-1.adoc
@@ -0,0 +1,138 @@
+:_mod-docs-content-type: ASSEMBLY
+include::_attributes/common-attributes.adoc[]
+[id="distributed-tracing-rn-3-2-1"]
+= Release notes for {DTProductName} 3.2.1
+:context: distributed-tracing-rn-3-2-1
+
+toc::[]
+
+include::modules/distr-tracing-product-overview.adoc[leveloffset=+1]
+
+You can use the {DTShortName} xref:../../otel/otel-forwarding.adoc#otel-forwarding-traces[in combination with] the xref:../../otel/otel-installing.adoc#install-otel[{OTELName}].
+
+This release of the {DTProductName} includes the {TempoName} and the deprecated {JaegerName}.
+
+[id="distributed-tracing-rn_3-2-1_cves_{context}"]
+== CVEs
+
+This release fixes link:https://access.redhat.com/security/cve/CVE-2024-25062/[CVE-2024-25062].
+
+[id="distributed-tracing-rn_3-2-1_tempo-release-notes_{context}"]
+== {TempoName}
+
+The {TempoName} is provided through the {TempoOperator}.
+
+////
+[id="distributed-tracing-rn_3-2-1_tempo-release-notes_technology-preview-features_{context}"]
+=== Technology Preview features
+
+This update introduces the following Technology Preview feature:
+
+* Support for the Tempo monolithic deployment.
+
+:FeatureName: The Tempo monolithic deployment
+include::snippets/technology-preview.adoc[leveloffset=+1]
+////
+
+////
+[id="distributed-tracing-rn_3-2-1_tempo-release-notes_new-features-and-enhancements_{context}"]
+=== New features and enhancements
+
+This update introduces the following enhancements:
+
+* {TempoName} 3.2.1 is based on the open source link:https://grafana.com/oss/tempo/[Grafana Tempo] 2.4.1.
+////
+
+////
+[id="distributed-tracing-rn_3-2-1_tempo-release-notes_deprecated-functionality_{context}"]
+=== Deprecated functionality
+
+In the {TempoName} 3.2.1, ???
+////
+
+////
+[id="distributed-tracing-rn_3-2-1_tempo-release-notes_removal-notice_{context}"]
+=== Removal notice
+
+In {TempoName} 3.2.1, the FEATURE has been removed. Bug fixes and support are provided only through the end of the 3.? lifecycle. As an alternative to the FEATURE for USE CASE, you can use the ALTERNATIVE instead.
+////
+
+////
+[id="distributed-tracing-rn_3-2-1_tempo-release-notes_bug-fixes_{context}"]
+=== Bug fixes
+
+This update introduces the following bug fixes:
+
+* Before this update, ... . (link:https://issues.redhat.com/browse/TRACING-????[TRACING-????])
+////
+
+[id="distributed-tracing-rn_3-2-1_tempo-release-notes_known-issues_{context}"]
+=== Known issues
+
+There is currently a known issue:
+
+* Currently, the {TempoShortName} fails on the IBM Z (`s390x`) architecture. (link:https://issues.redhat.com/browse/TRACING-3545[TRACING-3545])
+
+
+[id="distributed-tracing-rn_3-2-1_jaeger-release-notes_{context}"]
+== {JaegerName}
+
+The {JaegerName} is provided through the {JaegerOperator} Operator.
+
+[IMPORTANT]
+====
+Jaeger does not use FIPS validated cryptographic modules.
+====
+
+////
+[id="distributed-tracing-rn_3-2-1_jaeger-release-notes_support-for-elasticsearch-operator_{context}"]
+=== Support for {es-op}
+
+{JaegerName} 3.2.1 is supported for use with the {es-op} 5.6, 5.7, and 5.8.
+////
+
+////
+[id="distributed-tracing-rn_3-2-1_jaeger-release-notes_deprecated-functionality_{context}"]
+=== Deprecated functionality
+
+In the {DTProductName} 3.2.1, Jaeger and support for Elasticsearch remain deprecated, and both are planned to be removed in a future release.
+Red Hat will provide support for these components and fixes for CVEs and bugs with critical and higher severity during the current release lifecycle, but these components will no longer receive feature enhancements.
+The {TempoOperator} and the {OTELName} are the preferred Operators for distributed tracing collection and storage.
+Users must adopt the OpenTelemetry and Tempo distributed tracing stack because it is the stack to be enhanced going forward.
+
+In the {DTProductName} 3.2.1, the Jaeger agent is deprecated and planned to be removed in the following release.
+Red Hat will provide bug fixes and support for the Jaeger agent during the current release lifecycle, but the Jaeger agent will no longer receive enhancements and will be removed.
+The OpenTelemetry Collector provided by the {OTELName} is the preferred Operator for injecting the trace collector agent.
+////
+
+////
+[id="distributed-tracing-rn_3-2-1_jaeger-release-notes_removal-notice_{context}"]
+=== Removal notice
+
+In {DTProductName} 3.2.1, the FEATURE has been removed. Bug fixes and support are provided only through the end of the 3.? lifecycle. As an alternative to the FEATURE for USE CASE, you can use the ALTERNATIVE instead.
+////
+
+////
+[id="distributed-tracing-rn_3-2-1_jaeger-release-notes_new-features-and-enhancements_{context}"]
+=== New features and enhancements
+
+This update introduces the following enhancements for the {JaegerShortName}:
+
+* {JaegerName} 3.2.1 is based on the open source link:https://www.jaegertracing.io/[Jaeger] release 1.57.0.
+////
+
+[id="distributed-tracing-rn_3-2-1_jaeger-release-notes_known-issues_{context}"]
+=== Known issues
+
+There is currently a known issue:
+
+* Currently, Apache Spark is not supported.
+
+ifndef::openshift-rosa[]
+
+* Currently, the streaming deployment via AMQ/Kafka is not supported on the {ibm-z-title} and {ibm-power-title} architectures.
+endif::openshift-rosa[]
+
+include::modules/support.adoc[leveloffset=+1]
+
+include::modules/making-open-source-more-inclusive.adoc[leveloffset=+1]
diff --git a/observability/distr_tracing/distr_tracing_rn/distr-tracing-rn-past-releases.adoc b/observability/distr_tracing/distr_tracing_rn/distr-tracing-rn-past-releases.adoc
index 0d207abf4754..42e86f6b3cf0 100644
--- a/observability/distr_tracing/distr_tracing_rn/distr-tracing-rn-past-releases.adoc
+++ b/observability/distr_tracing/distr_tracing_rn/distr-tracing-rn-past-releases.adoc
@@ -10,19 +10,197 @@ include::modules/distr-tracing-product-overview.adoc[leveloffset=+1]
 
 You can use the {DTShortName} xref:../../otel/otel-forwarding.adoc#otel-forwarding-traces[in combination with] the xref:../../otel/otel-installing.adoc#install-otel[{OTELName}].
 
-[id="distributed-tracing-rn-3-1"]
+[id="distributed-tracing-rn-3-2_{context}"]
+== Release notes for {DTProductName} 3.2
+
+This release of the {DTProductName} includes the {TempoName} and the deprecated {JaegerName}.
+
+////
+[id="distributed-tracing-rn_3-2_cves_{context}"]
+=== CVEs
+
+This release fixes link:https://access.redhat.com/security/cve/cve-202?-?????[CVE-202?-?????].
+////
+
+[id="distributed-tracing-rn_3-2_tempo-release-notes_{context}"]
+=== {TempoName}
+
+The {TempoName} is provided through the {TempoOperator}.
+
+[id="distributed-tracing-rn_3-2_tempo-release-notes_technology-preview-features_{context}"]
+==== Technology Preview features
+
+This update introduces the following Technology Preview feature:
+
+* Support for the Tempo monolithic deployment.
+
+:FeatureName: The Tempo monolithic deployment
+include::snippets/technology-preview.adoc[leveloffset=+1]
+
+[id="distributed-tracing-rn_3-2_tempo-release-notes_new-features-and-enhancements_{context}"]
+==== New features and enhancements
+
+This update introduces the following enhancements:
+
+* {TempoName} 3.2 is based on the open source link:https://grafana.com/oss/tempo/[Grafana Tempo] 2.4.1.
+* Allowing the overriding of resources per component.
+
+////
+[id="distributed-tracing-rn_3-2_tempo-release-notes_deprecated-functionality_{context}"]
+==== Deprecated functionality
+
+In the {TempoName} 3.2, ???
+////
+
+////
+[id="distributed-tracing-rn_3-2_tempo-release-notes_removal-notice_{context}"]
+==== Removal notice
+
+In {TempoName} 3.2, the FEATURE has been removed. Bug fixes and support are provided only through the end of the 3.? lifecycle. As an alternative to the FEATURE for USE CASE, you can use the ALTERNATIVE instead.
+////
+
+[id="distributed-tracing-rn_3-2_tempo-release-notes_bug-fixes_{context}"]
+==== Bug fixes
+
+This update introduces the following bug fixes:
+
+* Before this update, the Jaeger UI only displayed services that sent traces in the previous 15 minutes. With this update, the availability of the service and operation names can be configured by using the following field: `spec.template.queryFrontend.jaegerQuery.servicesQueryDuration`. (link:https://issues.redhat.com/browse/TRACING-3139[TRACING-3139])
+* Before this update, the `query-frontend` pod might get stopped when out-of-memory (OOM) as a result of searching a large trace. With this update, resource limits can be set to prevent this issue. (link:https://issues.redhat.com/browse/TRACING-4009[TRACING-4009])
+
+[id="distributed-tracing-rn_3-2_tempo-release-notes_known-issues_{context}"]
+==== Known issues
+
+There is currently a known issue:
+
+* Currently, the {TempoShortName} fails on the IBM Z (`s390x`) architecture. (link:https://issues.redhat.com/browse/TRACING-3545[TRACING-3545])
+
+[id="distributed-tracing-rn_3-2_jaeger-release-notes_{context}"]
+=== {JaegerName}
+
+The {JaegerName} is provided through the {JaegerOperator} Operator.
+
+[IMPORTANT]
+====
+Jaeger does not use FIPS validated cryptographic modules.
+====
+
+[id="distributed-tracing-rn_3-2_jaeger-release-notes_support-for-elasticsearch-operator_{context}"]
+==== Support for {es-op}
+
+{JaegerName} 3.2 is supported for use with the {es-op} 5.6, 5.7, and 5.8.
+
+[id="distributed-tracing-rn_3-2_jaeger-release-notes_deprecated-functionality_{context}"]
+==== Deprecated functionality
+
+In the {DTProductName} 3.2, Jaeger and support for Elasticsearch remain deprecated, and both are planned to be removed in a future release.
+Red Hat will provide support for these components and fixes for CVEs and bugs with critical and higher severity during the current release lifecycle, but these components will no longer receive feature enhancements.
+The {TempoOperator} and the {OTELName} are the preferred Operators for distributed tracing collection and storage.
+Users must adopt the OpenTelemetry and Tempo distributed tracing stack because it is the stack to be enhanced going forward.
+
+In the {DTProductName} 3.2, the Jaeger agent is deprecated and planned to be removed in the following release.
+Red Hat will provide bug fixes and support for the Jaeger agent during the current release lifecycle, but the Jaeger agent will no longer receive enhancements and will be removed.
+The OpenTelemetry Collector provided by the {OTELName} is the preferred Operator for injecting the trace collector agent.
+
+////
+[id="distributed-tracing-rn_3-2_jaeger-release-notes_removal-notice_{context}"]
+==== Removal notice
+
+In {DTProductName} 3.2, the FEATURE has been removed. Bug fixes and support are provided only through the end of the 3.? lifecycle. As an alternative to the FEATURE for USE CASE, you can use the ALTERNATIVE instead.
+////
+
+[id="distributed-tracing-rn_3-2_jaeger-release-notes_new-features-and-enhancements_{context}"]
+==== New features and enhancements
+
+This update introduces the following enhancements for the {JaegerShortName}:
+
+* {JaegerName} 3.2 is based on the open source link:https://www.jaegertracing.io/[Jaeger] release 1.57.0.
+
+[id="distributed-tracing-rn_3-2_jaeger-release-notes_known-issues_{context}"]
+==== Known issues
+
+There is currently a known issue:
+
+* Currently, Apache Spark is not supported.
+
+ifndef::openshift-rosa[]
+
+* Currently, the streaming deployment via AMQ/Kafka is not supported on the {ibm-z-title} and {ibm-power-title} architectures.
+endif::openshift-rosa[]
+
+[id="distributed-tracing-rn-3-1-1_{context}"]
+== Release notes for {DTProductName} 3.1.1
+
+This release of the {DTProductName} includes the {TempoName} and the deprecated {JaegerName}.
+
+[id="distributed-tracing-rn_3-1-1_cves_{context}"]
+=== CVEs
+
+This release fixes link:https://access.redhat.com/security/cve/cve-2023-39326[CVE-2023-39326].
+
+// Tempo section
+[id="distributed-tracing-rn_3-1-1_tempo-release-notes_{context}"]
+=== {TempoName}
+
+The {TempoName} is provided through the {TempoOperator}.
+
+[id="distributed-tracing-rn_3-1-1_tempo-release-notes_known-issues_{context}"]
+==== Known issues
+
+//There is currently a known issue:
+There are currently known issues:
+
+* Currently, when used with the {TempoOperator}, the Jaeger UI only displays services that have sent traces in the last 15 minutes. For services that did not send traces in the last 15 minutes, traces are still stored but not displayed in the Jaeger UI. (link:https://issues.redhat.com/browse/TRACING-3139[TRACING-3139])
+* Currently, the {TempoShortName} fails on the IBM Z (`s390x`) architecture. (link:https://issues.redhat.com/browse/TRACING-3545[TRACING-3545])
+
+// Jaeger section
+[id="distributed-tracing-rn_3-1-1_jaeger-release-notes_{context}"]
+=== {JaegerName}
+
+The {JaegerName} is provided through the {JaegerOperator} Operator.
+
+[IMPORTANT]
+====
+Jaeger does not use FIPS validated cryptographic modules.
+====
+
+[id="distributed-tracing-rn_3-1-1_jaeger-release-notes_support-for-elasticsearch-operator_{context}"]
+==== Support for {es-op}
+
+{JaegerName} 3.1.1 is supported for use with the {es-op} 5.6, 5.7, and 5.8.
+
+[id="distributed-tracing-rn_3-1-1_jaeger-release-notes_deprecated-functionality_{context}"]
+==== Deprecated functionality
+
+In the {DTProductName} 3.1.1, Jaeger and support for Elasticsearch remain deprecated, and both are planned to be removed in a future release. Red Hat will provide critical and above CVE bug fixes and support for these components during the current release lifecycle, but these components will no longer receive feature enhancements.
+
+In the {DTProductName} 3.1.1, Tempo provided by the {TempoOperator} and the OpenTelemetry Collector provided by the {OTELName} are the preferred Operators for distributed tracing collection and storage. The OpenTelemetry and Tempo distributed tracing stack is to be adopted by all users because this will be the stack that will be enhanced going forward.
+
+[id="distributed-tracing-rn_3-1-1_jaeger-release-notes_known-issues_{context}"]
+==== Known issues
+
+//There is currently a known issue:
+There are currently known issues:
+
+* Currently, Apache Spark is not supported.
+
+ifndef::openshift-rosa[]
+
+* Currently, the streaming deployment via AMQ/Kafka is not supported on the {ibm-z-title} and {ibm-power-title} architectures.
+endif::openshift-rosa[]
+
+[id="distributed-tracing-rn-3-1_{context}"]
 == Release notes for {DTProductName} 3.1
 
 This release of the {DTProductName} includes the {TempoName} and the deprecated {JaegerName}.
 
 // Tempo section
-[id="distributed-tracing-rn_3-1_tempo-release-notes"]
+[id="distributed-tracing-rn_3-1_tempo-release-notes_{context}"]
 === {TempoName}
 
 The {TempoName} is provided through the {TempoOperator}.
 
 ////
-[id="technology-preview-features_jaeger-release-notes_distributed-tracing-rn-3-1"]
+[id="technology-preview-features_jaeger-release-notes_distributed-tracing-rn-3-1_{context}"]
 ==== Technology Preview features
 
 This update introduces the following Technology Preview feature for the {TempoShortName}:
@@ -33,7 +211,7 @@ This update introduces the following Technology Preview feature for the {TempoSh
 include::snippets/technology-preview.adoc[leveloffset=+1]
 ////
 
-[id="distributed-tracing-rn_3-1_tempo-release-notes_new-features-and-enhancements"]
+[id="distributed-tracing-rn_3-1_tempo-release-notes_new-features-and-enhancements_{context}"]
 ==== New features and enhancements
 
 This update introduces the following enhancements for the {TempoShortName}:
@@ -42,7 +220,7 @@ This update introduces the following enhancements for the {TempoShortName}:
 * Support for cluster-wide proxy environments.
 * Support for TraceQL to Gateway component.
 
-[id="distributed-tracing-rn_3-1_tempo-release-notes_bug-fixes"]
+[id="distributed-tracing-rn_3-1_tempo-release-notes_bug-fixes_{context}"]
 ==== Bug fixes
 
 This update introduces the following bug fixes for the {TempoShortName}:
@@ -50,7 +228,7 @@ This update introduces the following bug fixes for the {TempoShortName}:
 * Before this update, when a TempoStack instance was created with the `monitorTab` enabled in {product-title} 4.15, the required `tempo-redmetrics-cluster-monitoring-view` ClusterRoleBinding was not created. This update resolves the issue by fixing the Operator RBAC for the monitor tab when the Operator is deployed in an arbitrary namespace. (link:https://issues.redhat.com/browse/TRACING-3786[TRACING-3786])
 * Before this update, when a TempoStack instance was created on an {product-title} cluster with only an IPv6 networking stack, the compactor and ingestor pods ran in the `CrashLoopBackOff` state, resulting in multiple errors. This update provides support for IPv6 clusters.(link:https://issues.redhat.com/browse/TRACING-3226[TRACING-3226])
 
-[id="distributed-tracing-rn_3-1_tempo-release-notes_known-issues"]
+[id="distributed-tracing-rn_3-1_tempo-release-notes_known-issues_{context}"]
 ==== Known issues
 
 //There is currently a known issue:
@@ -60,7 +238,7 @@ There are currently known issues:
 * Currently, the {TempoShortName} fails on the IBM Z (`s390x`) architecture. (link:https://issues.redhat.com/browse/TRACING-3545[TRACING-3545])
 
 // Jaeger section
-[id="distributed-tracing-rn_3-1_jaeger-release-notes"]
+[id="distributed-tracing-rn_3-1_jaeger-release-notes_{context}"]
 === {JaegerName}
 
 The {JaegerName} is provided through the {JaegerOperator} Operator.
@@ -70,33 +248,33 @@ The {JaegerName} is provided through the {JaegerOperator} Operator.
 Jaeger does not use FIPS validated cryptographic modules.
 ====
 
-[id="distributed-tracing-rn_3-1_jaeger-release-notes_support-for-elasticsearch-operator"]
+[id="distributed-tracing-rn_3-1_jaeger-release-notes_support-for-elasticsearch-operator_{context}"]
 ==== Support for {es-op}
 
 {JaegerName} 3.1 is supported for use with the {es-op} 5.6, 5.7, and 5.8.
 
-[id="distributed-tracing-rn_3-1_jaeger-release-notes_deprecated-functionality"]
+[id="distributed-tracing-rn_3-1_jaeger-release-notes_deprecated-functionality_{context}"]
 ==== Deprecated functionality
 
 In the {DTProductName} 3.1, Jaeger and support for Elasticsearch remain deprecated, and both are planned to be removed in a future release. Red Hat will provide critical and above CVE bug fixes and support for these components during the current release lifecycle, but these components will no longer receive feature enhancements.
 
 In the {DTProductName} 3.1, Tempo provided by the {TempoOperator} and the OpenTelemetry Collector provided by the {OTELName} are the preferred Operators for distributed tracing collection and storage. The OpenTelemetry and Tempo distributed tracing stack is to be adopted by all users because this will be the stack that will be enhanced going forward.
 
-[id="distributed-tracing-rn_3-1_jaeger-release-notes_new-features-and-enhancements"]
+[id="distributed-tracing-rn_3-1_jaeger-release-notes_new-features-and-enhancements_{context}"]
 ==== New features and enhancements
 
 This update introduces the following enhancements for the {JaegerShortName}:
 
 * {JaegerName} 3.1 is based on the open source link:https://www.jaegertracing.io/[Jaeger] release 1.53.0.
 
-[id="distributed-tracing-rn_3-1_jaeger-release-notes_bug-fixes"]
+[id="distributed-tracing-rn_3-1_jaeger-release-notes_bug-fixes_{context}"]
 ==== Bug fixes
 
 This update introduces the following bug fix for the {JaegerShortName}:
 
 * Before this update, the connection target URL for the `jaeger-agent` container in the `jager-query` pod was overwritten with another namespace URL in {product-title} 4.13. This was caused by a bug in the sidecar injection code in the `jaeger-operator`, causing nondeterministic `jaeger-agent` injection. With this update, the Operator prioritizes the Jaeger instance from the same namespace as the target deployment. (link:https://issues.redhat.com/browse/TRACING-3722[TRACING-3722])
 
-[id="distributed-tracing-rn_3-1_jaeger-release-notes_known-issues"]
+[id="distributed-tracing-rn_3-1_jaeger-release-notes_known-issues_{context}"]
 ==== Known issues
 
 //There is currently a known issue:
@@ -109,13 +287,13 @@ ifndef::openshift-rosa[]
 * Currently, the streaming deployment via AMQ/Kafka is not supported on the {ibm-z-title} and {ibm-power-title} architectures.
 endif::openshift-rosa[]
 
-[id="distr-tracing-rn_3.0"]
+[id="distr-tracing-rn_3.0_{context}"]
 == Release notes for {DTProductName} 3.0
 
-[id="distributed-tracing-rn_3-0_component-versions"]
+[id="distributed-tracing-rn_3-0_component-versions_{context}"]
 === Component versions in the {DTProductName} 3.0
 
-[options="header"]
+[options="header_{context}"]
 |===
 |Operator |Component |Version
 |{JaegerName}
@@ -128,17 +306,17 @@ endif::openshift-rosa[]
 |===
 
 // Jaeger section
-[id="distributed-tracing-rn_3-0_jaeger-release-notes"]
+[id="distributed-tracing-rn_3-0_jaeger-release-notes_{context}"]
 === {JaegerName}
 
-[id="distributed-tracing-rn_3-0_jaeger-release-notes_deprecated-functionality"]
+[id="distributed-tracing-rn_3-0_jaeger-release-notes_deprecated-functionality_{context}"]
 ==== Deprecated functionality
 
 In the {DTProductName} 3.0, Jaeger and support for Elasticsearch are deprecated, and both are planned to be removed in a future release. Red Hat will provide critical and above CVE bug fixes and support for these components during the current release lifecycle, but these components will no longer receive feature enhancements.
 
 In the {DTProductName} 3.0, Tempo provided by the {TempoOperator} and the OpenTelemetry Collector provided by the {OTELName} are the preferred Operators for distributed tracing collection and storage. The OpenTelemetry and Tempo distributed tracing stack is to be adopted by all users because this will be the stack that will be enhanced going forward.
 
-[id="distributed-tracing-rn_3-0_jaeger-release-notes_new-features-and-enhancements"]
+[id="distributed-tracing-rn_3-0_jaeger-release-notes_new-features-and-enhancements_{context}"]
 ==== New features and enhancements
 
 This update introduces the following enhancements for the {JaegerShortName}:
@@ -146,14 +324,14 @@ This update introduces the following enhancements for the {JaegerShortName}:
 * Support for the ARM architecture.
 * Support for cluster-wide proxy environments.
 
-[id="distributed-tracing-rn_3-0_jaeger-release-notes_bug-fixes"]
+[id="distributed-tracing-rn_3-0_jaeger-release-notes_bug-fixes_{context}"]
 ==== Bug fixes
 
 This update introduces the following bug fix for the {JaegerShortName}:
 
 * Before this update, the {JaegerName} Operator used other images than `relatedImages`. This caused the *ImagePullBackOff* error in disconnected network environments when launching the `jaeger` pod because the `oc adm catalog mirror` command mirrors images specified in `relatedImages`. This update provides support for disconnected environments when using the `oc adm catalog mirror` CLI command. (link:https://issues.redhat.com/browse/TRACING-3546[TRACING-3546])
 
-[id="distributed-tracing-rn_3-0_jaeger-release-notes_known-issues"]
+[id="distributed-tracing-rn_3-0_jaeger-release-notes_known-issues_{context}"]
 ==== Known issues
 
 There is currently a known issue:
@@ -167,10 +345,10 @@ ifndef::openshift-rosa[]
 endif::openshift-rosa[]
 
 // Tempo section
-[id="distributed-tracing-rn_3-0_tempo-release-notes"]
+[id="distributed-tracing-rn_3-0_tempo-release-notes_{context}"]
 === {TempoName}
 
-[id="distributed-tracing-rn_3-0_tempo-release-notes_new-features-and-enhancements"]
+[id="distributed-tracing-rn_3-0_tempo-release-notes_new-features-and-enhancements_{context}"]
 ==== New features and enhancements
 
 This update introduces the following enhancements for the {TempoShortName}:
@@ -178,7 +356,7 @@ This update introduces the following enhancements for the {TempoShortName}:
 * Support for the ARM architecture.
 * Support for span request count, duration, and error count (RED) metrics. The metrics can be visualized in the Jaeger console deployed as part of Tempo or in the web console in the *Observe* menu.
 
-[id="distributed-tracing-rn_3-0_tempo-release-notes_bug-fixes"]
+[id="distributed-tracing-rn_3-0_tempo-release-notes_bug-fixes_{context}"]
 ==== Bug fixes
 
 This update introduces the following bug fixes for the {TempoShortName}:
@@ -187,7 +365,7 @@ This update introduces the following bug fixes for the {TempoShortName}:
 * Before this update, when mirroring the {DTProductName} Operator images to a mirror registry for use in a disconnected cluster, the related Operator images for `tempo`, `tempo-gateway`, `opa-openshift`, and `tempo-query` were not mirrored. This update fixes support for disconnected environments when using the `oc adm catalog mirror` CLI command. (link:https://issues.redhat.com/browse/TRACING-3523[TRACING-3523])
 * Before this update, the query frontend service of the {DTProductName} was using internal mTLS when gateway was not deployed. This caused endpoint failure errors. This update fixes mTLS when Gateway is not deployed. (link:https://issues.redhat.com/browse/TRACING-3510[TRACING-3510])
 
-[id="distributed-tracing-rn_3-0_tempo-release-notes_known-issues"]
+[id="distributed-tracing-rn_3-0_tempo-release-notes_known-issues_{context}"]
 ==== Known issues
 
 //There is currently a known issue:
@@ -196,13 +374,13 @@ There are currently known issues:
 * Currently, when used with the {TempoOperator}, the Jaeger UI only displays services that have sent traces in the last 15 minutes. For services that did not send traces in the last 15 minutes, traces are still stored but not displayed in the Jaeger UI. (link:https://issues.redhat.com/browse/TRACING-3139[TRACING-3139])
 * Currently, the {TempoShortName} fails on the {ibm-z-title} (`s390x`) architecture. (link:https://issues.redhat.com/browse/TRACING-3545[TRACING-3545])
 
-[id="distr-tracing-rn_2-9-2"]
+[id="distr-tracing-rn_2-9-2_{context}"]
 == Release notes for {DTProductName} 2.9.2
 
-[id="distr-tracing-rn_2-9-2_component-versions"]
+[id="distr-tracing-rn_2-9-2_component-versions_{context}"]
 === Component versions in the {DTProductName} 2.9.2
 
-[options="header"]
+[options="header_{context}"]
 |===
 |Operator |Component |Version
 |{JaegerName}
@@ -218,10 +396,10 @@ There are currently known issues:
 
 This release fixes link:https://bugzilla.redhat.com/show_bug.cgi?id=2246470[CVE-2023-46234].
 
-[id="distr-tracing-rn_2-9-2_jaeger-release-notes"]
+[id="distr-tracing-rn_2-9-2_jaeger-release-notes_{context}"]
 === {JaegerName}
 
-[id="distr-tracing-rn_2-9-2_jaeger-release-notes_known-issues"]
+[id="distr-tracing-rn_2-9-2_jaeger-release-notes_known-issues_{context}"]
 ==== Known issues
 
 //There is currently a known issue:
@@ -233,13 +411,13 @@ ifndef::openshift-rosa[]
 * The streaming deployment via AMQ/Kafka is unsupported on the {ibm-z-title} and {ibm-power-title} architectures.
 endif::openshift-rosa[]
 
-[id="distr-tracing-rn_2-9-2_tempo-release-notes"]
+[id="distr-tracing-rn_2-9-2_tempo-release-notes_{context}"]
 === {TempoName}
 
 :FeatureName: The {TempoName}
 include::snippets/technology-preview.adoc[leveloffset=+1]
 
-[id="distr-tracing-rn_2-9-2_tempo-release-notes_known-issues"]
+[id="distr-tracing-rn_2-9-2_tempo-release-notes_known-issues_{context}"]
 ==== Known issues
 
 //There is currently a known issue:
@@ -314,13 +492,13 @@ mirror:
   - name: registry.redhat.io/rhosdt/tempo-query-rhel8@sha256:0da43034f440b8258a48a0697ba643b5643d48b615cdb882ac7f4f1f80aad08e
 ----
 
-[id="distr-tracing-rn_2-9-1"]
+[id="distr-tracing-rn_2-9-1_{context}"]
 == Release notes for {DTProductName} 2.9.1
 
-[id="distr-tracing-rn_2-9-1_component-versions"]
+[id="distr-tracing-rn_2-9-1_component-versions_{context}"]
 === Component versions in the {DTProductName} 2.9.1
 
-[options="header"]
+[options="header_{context}"]
 |===
 |Operator |Component |Version
 |{JaegerName}
@@ -336,10 +514,10 @@ mirror:
 
 This release fixes link:https://access.redhat.com/security/cve/cve-2023-44487[CVE-2023-44487].
 
-[id="distr-tracing-rn_2-9-1_jaeger-release-notes"]
+[id="distr-tracing-rn_2-9-1_jaeger-release-notes_{context}"]
 === {JaegerName}
 
-[id="distr-tracing-rn_2-9-1_jaeger-release-notes_known-issues"]
+[id="distr-tracing-rn_2-9-1_jaeger-release-notes_known-issues_{context}"]
 ==== Known issues
 
 //There is currently a known issue:
@@ -351,13 +529,13 @@ ifndef::openshift-rosa[]
 * The streaming deployment via AMQ/Kafka is unsupported on the {ibm-z-title} and {ibm-power-title} architectures.
 endif::openshift-rosa[]
 
-[id="distr-tracing-rn_2-9-1_tempo-release-notes"]
+[id="distr-tracing-rn_2-9-1_tempo-release-notes_{context}"]
 === {TempoName}
 
 :FeatureName: The {TempoName}
 include::snippets/technology-preview.adoc[leveloffset=+1]
 
-[id="distr-tracing-rn_2-9-1_tempo-release-notes_known-issues"]
+[id="distr-tracing-rn_2-9-1_tempo-release-notes_known-issues_{context}"]
 ==== Known issues
 
 //There is currently a known issue:
@@ -431,13 +609,13 @@ mirror:
   - name: registry.redhat.io/rhosdt/tempo-query-rhel8@sha256:0da43034f440b8258a48a0697ba643b5643d48b615cdb882ac7f4f1f80aad08e
 ----
 
-[id="distr-tracing-rn_2-9"]
+[id="distr-tracing-rn_2-9_{context}"]
 == Release notes for {DTProductName} 2.9
 
-[id="distr-tracing-rn_2-9_component-versions"]
+[id="distr-tracing-rn_2-9_component-versions_{context}"]
 === Component versions in the {DTProductName} 2.9
 
-[options="header"]
+[options="header_{context}"]
 |===
 |Operator |Component |Version
 |{JaegerName}
@@ -449,22 +627,22 @@ mirror:
 |2.1.1
 |===
 
-[id="distr-tracing-rn_2-9_jaeger-release-notes"]
+[id="distr-tracing-rn_2-9_jaeger-release-notes_{context}"]
 === {JaegerName}
 
 ////
-[id="distr-tracing-rn_2-9_jaeger-release-notes_new-features-and-enhancements"]
+[id="distr-tracing-rn_2-9_jaeger-release-notes_new-features-and-enhancements_{context}"]
 ==== New features and enhancements
 * None.
 ////
 
 ////
-[id="technology-preview-features_jaeger-release-notes_distributed-tracing-rn-2-9"]
+[id="technology-preview-features_jaeger-release-notes_distributed-tracing-rn-2-9_{context}"]
 ==== Technology Preview features
 None.
 ////
 
-[id="distr-tracing-rn_2-9_jaeger-release-notes_bug-fixes"]
+[id="distr-tracing-rn_2-9_jaeger-release-notes_bug-fixes_{context}"]
 ==== Bug fixes
 
 * Before this update, connection was refused due to a missing gRPC port on the `jaeger-query` deployment. This issue resulted in `transport: Error while dialing: dial tcp :16685: connect: connection refused` error message. With this update, the Jaeger Query gRPC port (16685) is successfully exposed on the Jaeger Query service. (link:https://issues.redhat.com/browse/TRACING-3322[TRACING-3322])
@@ -475,7 +653,7 @@ None.
 
 * Before this update, the Jaeger Operator pod restarted with the default memory value due to the `reason: OOMKilled` error message. With this update, this issue is fixed by removing the resource limits. (link:https://issues.redhat.com/browse/TRACING-3173[TRACING-3173])
 
-[id="distr-tracing-rn_2-9_jaeger-release-notes_known-issues"]
+[id="distr-tracing-rn_2-9_jaeger-release-notes_known-issues_{context}"]
 ==== Known issues
 
 //There is currently a known issue:
@@ -487,13 +665,13 @@ ifndef::openshift-rosa[]
 * The streaming deployment via AMQ/Kafka is unsupported on the {ibm-z-title} and {ibm-power-title} architectures.
 endif::openshift-rosa[]
 
-[id="distr-tracing-rn_2-9_tempo-release-notes"]
+[id="distr-tracing-rn_2-9_tempo-release-notes_{context}"]
 === {TempoName}
 
 :FeatureName: The {TempoName}
 include::snippets/technology-preview.adoc[leveloffset=+1]
 
-[id="distr-tracing-rn_2-9_tempo-release-notes_new-features-and-enhancements"]
+[id="distr-tracing-rn_2-9_tempo-release-notes_new-features-and-enhancements_{context}"]
 ==== New features and enhancements
 
 This release introduces the following enhancements for the {TempoShortName}:
@@ -511,12 +689,12 @@ This release introduces the following enhancements for the {TempoShortName}:
 * Support multitenancy without Gateway authentication and authorization.
 
 ////
-[id="distributed-tracing-rn_2-9_tempo-release-notes_technology-preview-features"]
+[id="distributed-tracing-rn_2-9_tempo-release-notes_technology-preview-features_{context}"]
 === Technology Preview features
 None.
 ////
 
-[id="distr-tracing-rn_2-9_tempo-release-notes_bug-fixes"]
+[id="distr-tracing-rn_2-9_tempo-release-notes_bug-fixes_{context}"]
 ==== Bug fixes
 
 * Before this update, the {TempoOperator} was not compatible with disconnected environments. With this update, the {TempoOperator} supports disconnected environments. (link:https://issues.redhat.com/browse/TRACING-3145[TRACING-3145])
@@ -525,7 +703,7 @@ None.
 
 * Before this update, the resource limits from the {TempoOperator} caused error messages such as `reason: OOMKilled`. With this update, the resource limits for the {TempoOperator} are removed to avoid such errors. (link:https://issues.redhat.com/browse/TRACING-3204[TRACING-3204])
 
-[id="distr-tracing-rn_2-9_tempo-release-notes_known-issues"]
+[id="distr-tracing-rn_2-9_tempo-release-notes_known-issues_{context}"]
 ==== Known issues
 
 //There is currently a known issue:
@@ -600,13 +778,13 @@ mirror:
   - name: registry.redhat.io/rhosdt/tempo-query-rhel8@sha256:0da43034f440b8258a48a0697ba643b5643d48b615cdb882ac7f4f1f80aad08e
 ----
 
-[id="distr-tracing-rn_2-8"]
+[id="distr-tracing-rn_2-8_{context}"]
 == Release notes for {DTProductName} 2.8
 
-[id="distr-tracing-rn_2-8_component-versions"]
+[id="distr-tracing-rn_2-8_component-versions_{context}"]
 === Component versions in the {DTProductName} 2.8
 
-[options="header"]
+[options="header_{context}"]
 |===
 |Operator |Component |Version
 |{JaegerName}
@@ -618,7 +796,7 @@ mirror:
 |0.1.0
 |===
 
-[id="distr-tracing-rn_2-8_technology-preview-features"]
+[id="distr-tracing-rn_2-8_technology-preview-features_{context}"]
 === Technology Preview features
 
 This release introduces support for the {TempoName} as a link:https://access.redhat.com/support/offerings/techpreview/[Technology Preview] feature for {DTProductName}.
@@ -641,18 +819,18 @@ Expanded support for the {TempoOperator} is planned for future releases of the {
 Possible additional features might include support for TLS authentication, multitenancy, and multiple clusters.
 For more information about the {TempoOperator}, see the link:https://tempo-operator.netlify.app[Tempo community documentation].
 
-[id="distr-tracing-rn_2-8_bug-fixes"]
+[id="distr-tracing-rn_2-8_bug-fixes_{context}"]
 === Bug fixes
 
 This release addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes.
 
-[id="distr-tracing-rn_2-7"]
+[id="distr-tracing-rn_2-7_{context}"]
 == Release notes for {DTProductName} 2.7
 
-[id="distr-tracing-rn_2-7_component-versions"]
+[id="distr-tracing-rn_2-7_component-versions_{context}"]
 === Component versions in the {DTProductName} 2.7
 
-[options="header"]
+[options="header_{context}"]
 |===
 |Operator |Component |Version
 |{JaegerName}
@@ -660,18 +838,18 @@ This release addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes
 |1.39
 |===
 
-[id="distr-tracing-rn_2-7_bug-fixes"]
+[id="distr-tracing-rn_2-7_bug-fixes_{context}"]
 === Bug fixes
 
 This release addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes.
 
-[id="distr-tracing-rn_2-6"]
+[id="distr-tracing-rn_2-6_{context}"]
 == Release notes for {DTProductName} 2.6
 
-[id="distr-tracing-rn_2-6_component-versions"]
+[id="distr-tracing-rn_2-6_component-versions_{context}"]
 === Component versions in the {DTProductName} 2.6
 
-[options="header"]
+[options="header_{context}"]
 |===
 |Operator |Component |Version
 |{JaegerName}
@@ -679,18 +857,18 @@ This release addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes
 |1.38
 |===
 
-[id="distr-tracing-rn_2-6_bug-fixes"]
+[id="distr-tracing-rn_2-6_bug-fixes_{context}"]
 === Bug fixes
 
 This release addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes.
 
-[id="distr-tracing-rn_2-5"]
+[id="distr-tracing-rn_2-5_{context}"]
 == Release notes for {DTProductName} 2.5
 
-[id="distr-tracing-rn_2-5_component-versions"]
+[id="distr-tracing-rn_2-5_component-versions_{context}"]
 === Component versions in the {DTProductName} 2.5
 
-[options="header"]
+[options="header_{context}"]
 |===
 |Operator |Component |Version
 |{JaegerName}
@@ -698,7 +876,7 @@ This release addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes
 |1.36
 |===
 
-[id="distr-tracing-rn_2-5_new-features-and-enhancements"]
+[id="distr-tracing-rn_2-5_new-features-and-enhancements_{context}"]
 === New features and enhancements
 
 This release introduces support for ingesting OpenTelemetry protocol (OTLP) to the {JaegerName} Operator.
@@ -709,18 +887,18 @@ The Operator now automatically enables the OTLP ports:
 
 This release also adds support for collecting Kubernetes resource attributes to the {OTELName} Operator.
 
-[id="distr-tracing-rn_2-5_bug-fixes"]
+[id="distr-tracing-rn_2-5_bug-fixes_{context}"]
 === Bug fixes
 
 This release addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes.
 
-[id="distr-tracing-rn_2-4"]
+[id="distr-tracing-rn_2-4_{context}"]
 == Release notes for {DTProductName} 2.4
 
-[id="distr-tracing-rn_2-4_component-versions"]
+[id="distr-tracing-rn_2-4_component-versions_{context}"]
 === Component versions in the {DTProductName} 2.4
 
-[options="header"]
+[options="header_{context}"]
 |===
 |Operator |Component |Version
 |{JaegerName}
@@ -728,7 +906,7 @@ This release addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes
 |1.34.1
 |===
 
-[id="distr-tracing-rn_2-4_new-features-and-enhancements"]
+[id="distr-tracing-rn_2-4_new-features-and-enhancements_{context}"]
 === New features and enhancements
 
 This release adds support for auto-provisioning certificates using the {es-op}.
@@ -740,23 +918,23 @@ Self-provisioning by using the {JaegerName} Operator to call the {es-op} during
 When upgrading to the {DTProductName} 2.4, the Operator recreates the Elasticsearch instance, which might take five to ten minutes. Distributed tracing will be down and unavailable for that period.
 ====
 
-[id="distr-tracing-rn_2-4_technology-preview-features"]
+[id="distr-tracing-rn_2-4_technology-preview-features_{context}"]
 === Technology Preview features
 
 Creating the Elasticsearch instance and certificates first and then configuring the {JaegerShortName} to use the certificate is a link:https://access.redhat.com/support/offerings/techpreview/[Technology Preview] for this release.
 
-[id="distr-tracing-rn_2-4_bug-fixes"]
+[id="distr-tracing-rn_2-4_bug-fixes_{context}"]
 === Bug fixes
 
 This release addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes.
 
-[id="distr-tracing-rn_2-3"]
+[id="distr-tracing-rn_2-3_{context}"]
 == Release notes for {DTProductName} 2.3
 
-[id="distr-tracing-rn_2-3_component-versions_2-3-1"]
+[id="distr-tracing-rn_2-3_component-versions_2-3-1_{context}"]
 === Component versions in the {DTProductName} 2.3.1
 
-[options="header"]
+[options="header_{context}"]
 |===
 |Operator |Component |Version
 |{JaegerName}
@@ -764,10 +942,10 @@ This release addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes
 |1.30.2
 |===
 
-[id="distr-tracing-rn_2-3_component-versions_2-3-0"]
+[id="distr-tracing-rn_2-3_component-versions_2-3-0_{context}"]
 === Component versions in the {DTProductName} 2.3.0
 
-[options="header"]
+[options="header_{context}"]
 |===
 |Operator |Component |Version
 |{JaegerName}
@@ -775,36 +953,36 @@ This release addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes
 |1.30.1
 |===
 
-[id="distr-tracing-rn_2-3_new-features-and-enhancements"]
+[id="distr-tracing-rn_2-3_new-features-and-enhancements_{context}"]
 === New features and enhancements
 
 With this release, the {JaegerName} Operator is now installed to the `openshift-distributed-tracing` namespace by default. Before this update, the default installation had been in the `openshift-operators` namespace.
 
-[id="distr-tracing-rn_2-3_bug-fixes"]
+[id="distr-tracing-rn_2-3_bug-fixes_{context}"]
 === Bug fixes
 
 This release addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes.
 
-[id="distr-tracing-rn_2-2"]
+[id="distr-tracing-rn_2-2_{context}"]
 == Release notes for {DTProductName} 2.2
 
-[id="distr-tracing-rn_2-2_technology-preview-features"]
+[id="distr-tracing-rn_2-2_technology-preview-features_{context}"]
 === Technology Preview features
 
 The unsupported OpenTelemetry Collector components included in the 2.1 release are removed.
 
-[id="distr-tracing-rn_2-2_bug-fixes"]
+[id="distr-tracing-rn_2-2_bug-fixes_{context}"]
 === Bug fixes
 
 This release of the {DTProductName} addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes.
 
-[id="distr-tracing-rn_2-1"]
+[id="distr-tracing-rn_2-1_{context}"]
 == Release notes for {DTProductName} 2.1
 
-[id="distr-tracing-rn_2-1_component-versions"]
+[id="distr-tracing-rn_2-1_component-versions_{context}"]
 === Component versions in the {DTProductName} 2.1
 
-[options="header"]
+[options="header_{context}"]
 |===
 |Operator |Component |Version
 |{JaegerName}
@@ -812,7 +990,7 @@ This release of the {DTProductName} addresses Common Vulnerabilities and Exposur
 |1.29.1
 |===
 
-[id="distr-tracing-rn_2-1_technology-preview-features"]
+[id="distr-tracing-rn_2-1_technology-preview-features_{context}"]
 === Technology Preview features
 
 * This release introduces a breaking change to how to configure certificates in the OpenTelemetry custom resource file. With this update, the `ca_file` moves under `tls` in the custom resource, as shown in the following examples.
@@ -844,18 +1022,18 @@ spec:
           ca_file: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
 ----
 
-[id="distr-tracing-rn_2-1_bug-fixes"]
+[id="distr-tracing-rn_2-1_bug-fixes_{context}"]
 === Bug fixes
 
 This release addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes.
 
-[id="distr-tracing-rn_2-0"]
+[id="distr-tracing-rn_2-0_{context}"]
 == Release notes for {DTProductName} 2.0
 
-[id="distr-tracing-rn_2-0_component-versions"]
+[id="distr-tracing-rn_2-0_component-versions_{context}"]
 === Component versions in the {DTProductName} 2.0
 
-[options="header"]
+[options="header_{context}"]
 |===
 |Operator |Component |Version
 |{JaegerName}
@@ -863,7 +1041,7 @@ This release addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes
 |1.28.0
 |===
 
-[id="distr-tracing-rn_2-0_new-features-and-enhancements"]
+[id="distr-tracing-rn_2-0_new-features-and-enhancements_{context}"]
 === New features and enhancements
 
 This release introduces the following new features and enhancements:
@@ -879,12 +1057,12 @@ Channels for individual releases are no longer supported.
 
 * Includes rolling updates to the documentation to support the name change and new features.
 
-[id="distr-tracing-rn_2-0_technology-preview-features"]
+[id="distr-tracing-rn_2-0_technology-preview-features_{context}"]
 === Technology Preview features
 
 This release adds the {OTELName} as a link:https://access.redhat.com/support/offerings/techpreview/[Technology Preview], which you install using the {OTELName} Operator. {OTELName} is based on the link:https://opentelemetry.io/[OpenTelemetry] APIs and instrumentation. The {OTELName} includes the OpenTelemetry Operator and Collector. You can use the Collector to receive traces in the OpenTelemetry or Jaeger protocol and send the trace data to the {DTProductName}. Other capabilities of the Collector are not supported at this time. The OpenTelemetry Collector allows developers to instrument their code with vendor agnostic APIs, avoiding vendor lock-in and enabling a growing ecosystem of observability tooling.
 
-[id="distr-tracing-rn_2-0_bug-fixes"]
+[id="distr-tracing-rn_2-0_bug-fixes_{context}"]
 === Bug fixes
 
 This release addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes.
diff --git a/observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-installing.adoc b/observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-installing.adoc
index ca3f3be753df..56b2f35879d9 100644
--- a/observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-installing.adoc
+++ b/observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-installing.adoc
@@ -6,19 +6,60 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-Installing the {TempoShortName} involves the following steps:
+Installing the {TempoShortName} requires the {TempoOperator} and choosing which type of deployment is best for your use case:
 
-. Setting up supported object storage.
-. Installing the {TempoOperator}.
-. Creating a secret for the object storage credentials.
-. Creating a namespace for a TempoStack instance.
-. Creating a `TempoStack` custom resource to deploy at least one TempoStack instance.
+* For microservices mode, deploy a TempoStack instance in a dedicated OpenShift project.
+* For monolithic mode, deploy a TempoMonolithic instance in a dedicated OpenShift project.
 
-include::modules/distr-tracing-tempo-storage-ref.adoc[leveloffset=+1]
+[IMPORTANT]
+====
+Using object storage requires setting up a supported object store and creating a secret for the object store credentials before deploying a TempoStack or TempoMonolithic instance.
+====
+
+[id="installing-the-tempo-operator"]
+== Installing the {TempoOperator}
+
+You can install the {TempoOperator} by using the web console or the command line.
+
+include::modules/distr-tracing-tempo-install-web-console.adoc[leveloffset=+2]
+
+include::modules/distr-tracing-tempo-install-cli.adoc[leveloffset=+2]
+
+[id="installing-a-tempostack-instance"]
+== Installing a TempoStack instance
+
+You can install a TempoStack instance by using the web console or the command line.
+
+include::modules/distr-tracing-tempo-install-tempostack-web-console.adoc[leveloffset=+2]
+
+include::modules/distr-tracing-tempo-install-tempostack-cli.adoc[leveloffset=+2]
 
-include::modules/distr-tracing-tempo-install-web-console.adoc[leveloffset=+1]
+[id="installing-a-tempomonolithic-instance"]
+== Installing a TempoMonolithic instance
 
-include::modules/distr-tracing-tempo-install-cli.adoc[leveloffset=+1]
+:FeatureName: The TempoMonolithic instance
+include::snippets/technology-preview.adoc[]
+
+You can install a TempoMonolithic instance by using the web console or the command line.
+
+The `TempoMonolithic` custom resource (CR) creates a Tempo deployment in monolithic mode.
+All components of the Tempo deployment, such as the compactor, distributor, ingester, querier, and query frontend, are contained in a single container.
+
+A TempoMonolithic instance supports storing traces in in-memory storage, a persistent volume, or object storage.
+
+Tempo deployment in monolithic mode is preferred for a small deployment, demonstration, testing, and as a migration path of the {JaegerName} all-in-one deployment.
+
+[NOTE]
+====
+The monolithic deployment of Tempo does not scale horizontally.
+If you require horizontal scaling, use the `TempoStack` CR for a Tempo deployment in microservices mode.
+====
+
+include::modules/distr-tracing-tempo-install-tempomonolithic-web-console.adoc[leveloffset=+2]
+
+include::modules/distr-tracing-tempo-install-tempomonolithic-cli.adoc[leveloffset=+2]
+
+include::modules/distr-tracing-tempo-storage-ref.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 [id="additional-resources_dist-tracing-tempo-installing"]
diff --git a/observability/logging/cluster-logging-deploying.adoc b/observability/logging/cluster-logging-deploying.adoc
index 0c8f3cd62850..e23fdea91c96 100644
--- a/observability/logging/cluster-logging-deploying.adoc
+++ b/observability/logging/cluster-logging-deploying.adoc
@@ -52,15 +52,15 @@ include::modules/cluster-logging-deploy-multitenant.adoc[leveloffset=+2]
 .Additional resources
 
 ifdef::openshift-enterprise,openshift-origin[]
-* xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
+* xref:../../networking/network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
 * xref:../../networking/openshift_sdn/about-openshift-sdn.adoc#about-openshift-sdn[About the OpenShift SDN default CNI network provider]
 * xref:../../networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc#about-ovn-kubernetes[About the OVN-Kubernetes default Container Network Interface (CNI) network provider]
-* xref:../../networking/openshift_network_security/ovn-k-network-policy.adoc#ovn-k-network-policy[About OVN-Kubernetes network policy]
+* xref:../../networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc#ovn-k-network-policy[About OVN-Kubernetes network policy]
 * xref:../../networking/openshift_sdn/about-openshift-sdn.adoc#about-openshift-sdn[About the OpenShift SDN default CNI network provider]
 * xref:../../networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc#about-ovn-kubernetes[About the OVN-Kubernetes default Container Network Interface (CNI) network provider]
 endif::[]
 ifdef::openshift-rosa,openshift-dedicated[]
-* link:https://docs.openshift.com/container-platform/latest/networking/openshift_network_security/about-network-policy.html[About network policy]
+* link:https://docs.openshift.com/container-platform/latest/networking/network_security/about-network-policy.html[About network policy]
 * link:https://docs.openshift.com/container-platform/latest/networking/openshift_sdn/about-openshift-sdn.html[About the OpenShift SDN default CNI network provider]
 * link:https://docs.openshift.com/container-platform/latest/networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.html[About the OVN-Kubernetes default Container Network Interface (CNI) network provider]
 endif::[]
diff --git a/observability/logging/log_collection_forwarding/configuring-log-forwarding.adoc b/observability/logging/log_collection_forwarding/configuring-log-forwarding.adoc
index 2fbd114221f0..456ccd3f1f4e 100644
--- a/observability/logging/log_collection_forwarding/configuring-log-forwarding.adoc
+++ b/observability/logging/log_collection_forwarding/configuring-log-forwarding.adoc
@@ -37,10 +37,10 @@ include::modules/logging-audit-log-filtering.adoc[leveloffset=+1]
 .Additional resources
 
 ifdef::openshift-enterprise,openshift-origin[]
-* xref:../../../networking/ovn_kubernetes_network_provider/logging-network-policy.adoc#logging-network-policy[Logging for egress firewall and network policy rules]
+* xref:../../../networking/network_security/logging-network-security.adoc#logging-network-security[Logging network policy events][Logging for egress firewall and network policy rules]
 endif::[]
 ifdef::openshift-rosa,openshift-dedicated[]
-* link:https://docs.openshift.com/container-platform/latest/networking/ovn_kubernetes_network_provider/logging-network-policy.html#logging-network-policy[Logging for egress firewall and network policy rules]
+* link:https://docs.openshift.com/container-platform/latest/networking/ovn_kubernetes_network_provider/logging-network-security.html#logging-network-security[Logging for egress firewall and network policy rules]
 endif::[]
 
 include::modules/cluster-logging-collector-log-forward-loki.adoc[leveloffset=+1]
diff --git a/observability/logging/logging_alerts/default-logging-alerts.adoc b/observability/logging/logging_alerts/default-logging-alerts.adoc
index a7077f517327..68c6fbce9ccb 100644
--- a/observability/logging/logging_alerts/default-logging-alerts.adoc
+++ b/observability/logging/logging_alerts/default-logging-alerts.adoc
@@ -11,6 +11,7 @@ Logging alerts are installed as part of the {clo} installation. Alerts depend on
 Default logging alerts are sent to the {product-title} monitoring stack Alertmanager in the `openshift-monitoring` namespace, unless you have disabled the local Alertmanager instance.
 
 include::modules/monitoring-accessing-the-alerting-ui.adoc[leveloffset=+1]
+include::modules/logging-collector-alerts.adoc[leveloffset=+1]
 include::modules/logging-vector-collector-alerts.adoc[leveloffset=+1]
 include::modules/logging-fluentd-collector-alerts.adoc[leveloffset=+1]
 include::modules/cluster-logging-elasticsearch-rules.adoc[leveloffset=+1]
diff --git a/observability/logging/logging_release_notes/logging-5-9-release-notes.adoc b/observability/logging/logging_release_notes/logging-5-9-release-notes.adoc
index 071aafadda66..268de051fb3b 100644
--- a/observability/logging/logging_release_notes/logging-5-9-release-notes.adoc
+++ b/observability/logging/logging_release_notes/logging-5-9-release-notes.adoc
@@ -10,6 +10,8 @@ include::snippets/logging-compatibility-snip.adoc[]
 
 include::snippets/logging-stable-updates-snip.adoc[]
 
+include::modules/logging-release-notes-5-9-3.adoc[leveloffset=+1]
+
 include::modules/logging-release-notes-5-9-2.adoc[leveloffset=+1]
 
 include::modules/logging-release-notes-5-9-1.adoc[leveloffset=+1]
diff --git a/observability/monitoring/config-map-reference-for-the-cluster-monitoring-operator.adoc b/observability/monitoring/config-map-reference-for-the-cluster-monitoring-operator.adoc
index 27c35feb3188..36092e7247ee 100644
--- a/observability/monitoring/config-map-reference-for-the-cluster-monitoring-operator.adoc
+++ b/observability/monitoring/config-map-reference-for-the-cluster-monitoring-operator.adoc
@@ -142,8 +142,6 @@ The `ClusterMonitoringConfiguration` resource defines settings that customize th
 
 |enableUserWorkload|*bool|`UserWorkloadEnabled` is a Boolean flag that enables monitoring for user-defined projects.
 
-|k8sPrometheusAdapter|*link:#k8sprometheusadapter[K8sPrometheusAdapter]|`K8sPrometheusAdapter` defines settings for the Prometheus Adapter component.
-
 |kubeStateMetrics|*link:#kubestatemetricsconfig[KubeStateMetricsConfig]|`KubeStateMetricsConfig` defines settings for the `kube-state-metrics` agent.
 
 |metricsServer|*link:#metricsserverconfig[MetricsServerConfig]|`MetricsServer` defines settings for the Metrics Server component.
@@ -166,52 +164,6 @@ The `ClusterMonitoringConfiguration` resource defines settings that customize th
 
 |===
 
-== DedicatedServiceMonitors
-
-=== Description
-
-[IMPORTANT]
-====
-This setting is deprecated and is planned to be removed in a future {product-title} version.
-In the current version, this setting still exists but has no effect.
-====
-
-You can use the `DedicatedServiceMonitors` resource to configure dedicated Service Monitors for the Prometheus Adapter
-
-Appears in: link:#k8sprometheusadapter[K8sPrometheusAdapter]
-
-[options="header"]
-|===
-| Property | Type | Description
-|enabled|bool|When `enabled` is set to `true`, the Cluster Monitoring Operator (CMO) deploys a dedicated Service Monitor that exposes the kubelet `/metrics/resource` endpoint. This Service Monitor sets `honorTimestamps: true` and only keeps metrics that are relevant for the pod resource queries of Prometheus Adapter. Additionally, Prometheus Adapter is configured to use these dedicated metrics. Overall, this feature improves the consistency of Prometheus Adapter-based CPU usage measurements used by, for example, the `oc adm top pod` command or the Horizontal Pod Autoscaler.
-
-|===
-
-== K8sPrometheusAdapter
-
-=== Description
-
-The `K8sPrometheusAdapter` resource defines settings for the Prometheus Adapter component.
-
-Appears in: link:#clustermonitoringconfiguration[ClusterMonitoringConfiguration]
-
-[options="header"]
-|===
-| Property | Type | Description
-|audit|*Audit|Defines the audit configuration used by the Prometheus Adapter instance. Possible profile values are: `metadata`, `request`, `requestresponse`, and `none`. The default value is `metadata`.
-
-|nodeSelector|map[string]string|Defines the nodes on which the pods are scheduled.
-
-|resources|*v1.ResourceRequirements|Defines resource requests and limits for the `PrometheusAdapter` container.
-
-|tolerations|[]v1.Toleration|Defines tolerations for the pods.
-
-|topologySpreadConstraints|[]v1.TopologySpreadConstraint|Defines a pod's topology spread constraints.
-
-|dedicatedServiceMonitors|*link:#dedicatedservicemonitors[DedicatedServiceMonitors]|Defines dedicated service monitors.
-
-|===
-
 == KubeStateMetricsConfig
 
 === Description
@@ -237,16 +189,15 @@ Appears in: link:#clustermonitoringconfiguration[ClusterMonitoringConfiguration]
 
 === Description
 
-:FeatureName: Metrics Server
-include::snippets/technology-preview.adoc[leveloffset=+1]
-
-The `MetricsServerConfig` resource defines settings for the Metrics Server component. Note that this setting only applies when the `TechPreviewNoUpgrade` feature gate is enabled.
+The `MetricsServerConfig` resource defines settings for the Metrics Server component.
 
 Appears in: link:#clustermonitoringconfiguration[ClusterMonitoringConfiguration]
 
 [options="header"]
 |===
 | Property | Type | Description
+|audit|*Audit|Defines the audit configuration used by the Metrics Server instance. Possible profile values are `Metadata`, `Request`, `RequestResponse`, and `None`. The default value is `Metadata`.
+
 |nodeSelector|map[string]string|Defines the nodes on which the pods are scheduled.
 
 |tolerations|[]v1.Toleration|Defines tolerations for the pods.
@@ -257,24 +208,6 @@ Appears in: link:#clustermonitoringconfiguration[ClusterMonitoringConfiguration]
 
 |===
 
-== PrometheusOperatorAdmissionWebhookConfig
-
-=== Description
-
-The `PrometheusOperatorAdmissionWebhookConfig` resource defines settings for the admission webhook workload for Prometheus Operator.
-
-Appears in: link:#clustermonitoringconfiguration[ClusterMonitoringConfiguration]
-
-[options="header"]
-|===
-| Property | Type | Description
-
-|resources|*v1.ResourceRequirements|Defines resource requests and limits for the `prometheus-operator-admission-webhook` container.
-
-|topologySpreadConstraints|[]v1.TopologySpreadConstraint|Defines a pod's topology spread constraints.
-
-|===
-
 == MonitoringPluginConfig
 
 === Description
@@ -573,6 +506,24 @@ link:#userworkloadconfiguration[UserWorkloadConfiguration]
 
 |===
 
+== PrometheusOperatorAdmissionWebhookConfig
+
+=== Description
+
+The `PrometheusOperatorAdmissionWebhookConfig` resource defines settings for the admission webhook workload for Prometheus Operator.
+
+Appears in: link:#clustermonitoringconfiguration[ClusterMonitoringConfiguration]
+
+[options="header"]
+|===
+| Property | Type | Description
+
+|resources|*v1.ResourceRequirements|Defines resource requests and limits for the `prometheus-operator-admission-webhook` container.
+
+|topologySpreadConstraints|[]v1.TopologySpreadConstraint|Defines a pod's topology spread constraints.
+
+|===
+
 == PrometheusRestrictedConfig
 
 === Description
diff --git a/observability/monitoring/configuring-the-monitoring-stack.adoc b/observability/monitoring/configuring-the-monitoring-stack.adoc
index ff0dc9bd330c..c1e672f96844 100644
--- a/observability/monitoring/configuring-the-monitoring-stack.adoc
+++ b/observability/monitoring/configuring-the-monitoring-stack.adoc
@@ -157,16 +157,19 @@ You can configure these limits and requests for core platform monitoring compone
 include::modules/monitoring-about-specifying-limits-and-requests-for-monitoring-components.adoc[leveloffset=+2]
 include::modules/monitoring-specifying-limits-and-requests-for-monitoring-components.adoc[leveloffset=+2]
 
-[role="_additional-resources"]
-.Additional resources
-* link:https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits[Kubernetes requests and limits documentation]
-
 // Configuring persistent storage
 include::modules/monitoring-configuring-persistent-storage.adoc[leveloffset=+1]
-include::modules/monitoring-configuring-a-local-persistent-volume-claim.adoc[leveloffset=+2]
+include::modules/monitoring-configuring-a-persistent-volume-claim.adoc[leveloffset=+2]
+
 ifndef::openshift-dedicated,openshift-rosa[]
-include::modules/monitoring-resizing-a-persistent-storage-volume.adoc[leveloffset=+2]
+include::modules/monitoring-resizing-a-persistent-volume.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+* xref:../../scalability_and_performance/recommended-performance-scale-practices/recommended-infrastructure-practices.adoc#prometheus-database-storage-requirements_recommended-infrastructure-practices[Prometheus database storage requirements]
+* xref:../../storage/expanding-persistent-volumes.adoc#expanding-pvc-filesystem_expanding-persistent-volumes[Expanding persistent volume claims (PVCs) with a file system]
 endif::openshift-dedicated,openshift-rosa[]
+
 include::modules/monitoring-modifying-retention-time-and-size-for-prometheus-metrics-data.adoc[leveloffset=+2]
 include::modules/monitoring-modifying-the-retention-time-for-thanos-ruler-metrics-data.adoc[leveloffset=+2]
 
@@ -178,7 +181,6 @@ ifndef::openshift-dedicated,openshift-rosa[]
 * xref:../../scalability_and_performance/optimization/optimizing-storage.adoc#optimizing-storage[Recommended configurable storage technology]
 * xref:../../storage/understanding-persistent-storage.adoc#understanding-persistent-storage[Understanding persistent storage]
 * xref:../../scalability_and_performance/optimization/optimizing-storage.adoc#optimizing-storage[Optimizing storage]
-* xref:../../storage/persistent_storage/persistent_storage_local/persistent-storage-local.adoc#persistent-storage-using-local-volume[Configure local persistent storage]
 * xref:../../observability/monitoring/enabling-monitoring-for-user-defined-projects.adoc#enabling-monitoring-for-user-defined-projects[Enabling monitoring for user-defined projects]
 endif::openshift-dedicated,openshift-rosa[]
 ifdef::openshift-dedicated,openshift-rosa[]
@@ -301,13 +303,10 @@ include::modules/monitoring-enabling-query-logging-for-thanos-querier.adoc[level
 * See xref:../../observability/monitoring/configuring-the-monitoring-stack.adoc#preparing-to-configure-the-monitoring-stack[Preparing to configure the monitoring stack] for steps to create monitoring config maps.
 endif::openshift-dedicated,openshift-rosa[]
 
-// Setting audit log levels for the Prometheus Adapter
-ifndef::openshift-dedicated,openshift-rosa[]
-include::modules/monitoring-setting-audit-log-levels-for-the-prometheus-adapter.adoc[leveloffset=+1]
-
 [role="_additional-resources"]
 .Additional resources
 
+ifndef::openshift-dedicated,openshift-rosa[]
 * See xref:../../observability/monitoring/configuring-the-monitoring-stack.adoc#preparing-to-configure-the-monitoring-stack[Preparing to configure the monitoring stack] for steps to create monitoring config maps.
 endif::openshift-dedicated,openshift-rosa[]
 
diff --git a/observability/monitoring/managing-metrics.adoc b/observability/monitoring/managing-metrics.adoc
index b7d4556e8886..d258deedc0da 100644
--- a/observability/monitoring/managing-metrics.adoc
+++ b/observability/monitoring/managing-metrics.adoc
@@ -21,6 +21,7 @@ include::modules/monitoring-understanding-metrics.adoc[leveloffset=+1]
 include::modules/monitoring-setting-up-metrics-collection-for-user-defined-projects.adoc[leveloffset=+1]
 include::modules/monitoring-deploying-a-sample-service.adoc[leveloffset=+2]
 include::modules/monitoring-specifying-how-a-service-is-monitored.adoc[leveloffset=+2]
+include::modules/monitoring-example-service-endpoint-authentication-settings.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 .Additional resources
diff --git a/observability/monitoring/monitoring-overview.adoc b/observability/monitoring/monitoring-overview.adoc
index 2b9780fbc779..57a4d9fdaff1 100644
--- a/observability/monitoring/monitoring-overview.adoc
+++ b/observability/monitoring/monitoring-overview.adoc
@@ -33,6 +33,10 @@ ifndef::openshift-dedicated,openshift-rosa[]
 include::modules/monitoring-default-monitoring-components.adoc[leveloffset=+2]
 endif::openshift-dedicated,openshift-rosa[]
 include::modules/monitoring-default-monitoring-targets.adoc[leveloffset=+2]
+[role="_additional-resources"]
+.Additional resources
+* xref:../../observability/monitoring/managing-metrics.adoc#getting-detailed-information-about-a-target_managing-metrics[Getting detailed information about a metrics target]
+
 include::modules/monitoring-components-for-monitoring-user-defined-projects.adoc[leveloffset=+2]
 include::modules/monitoring-targets-for-user-defined-projects.adoc[leveloffset=+2]
 include::modules/monitoring-common-terms.adoc[leveloffset=+1]
diff --git a/observability/network_observability/flowmetric-api.adoc b/observability/network_observability/flowmetric-api.adoc
new file mode 100644
index 000000000000..bac57727dce3
--- /dev/null
+++ b/observability/network_observability/flowmetric-api.adoc
@@ -0,0 +1,11 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="flowmetric-api"]
+= FlowMetric configuration parameters
+include::_attributes/common-attributes.adoc[]
+:context: network_observability
+
+toc::[]
+
+`FlowMetric` is the API allowing to create custom metrics from the collected flow logs.
+
+include::modules/network-observability-flowmetric-api-specifications.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/observability/network_observability/metrics-alerts-dashboards.adoc b/observability/network_observability/metrics-alerts-dashboards.adoc
index e5061a1d54b9..119281744ef8 100644
--- a/observability/network_observability/metrics-alerts-dashboards.adoc
+++ b/observability/network_observability/metrics-alerts-dashboards.adoc
@@ -9,9 +9,19 @@ toc::[]
 The Network Observability Operator uses the `flowlogs-pipeline` to generate metrics from flow logs. You can utilize these metrics by setting custom alerts and viewing dashboards.
 
 include::modules/network-observability-viewing-dashboards.adoc[leveloffset=+1]
-include::modules/network-observability-metrics.adoc[leveloffset=+1]
+include::modules/network-observability-predefined-metrics.adoc[leveloffset=+1]
+include::modules/network-observability-metrics-names.adoc[leveloffset=+1]
 include::modules/network-observability-includelist-example.adoc[leveloffset=+1]
+include::modules/network-observability-custom-metrics.adoc[leveloffset=+1]
+include::modules/network-observability-configuring-custom-metrics.adoc[leveloffset=+1]
+
+[IMPORTANT]
+====
+High cardinality can affect the memory usage of Prometheus. You can check whether specific labels have high cardinality in the xref:../../observability/network_observability/json-flows-format-reference.adocl#network-observability-flows-format_json_reference[Network Flows format reference].
+====
+include::modules/network-observability-flowmetrics-charts.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 .Additional resources
-* For more information about creating alerts that you can see on the dashboard, see xref:../../observability/monitoring/managing-alerts.adoc#creating-alerting-rules-for-user-defined-projects_managing-alerts[Creating alerting rules for user-defined projects].
+* xref:../../observability/monitoring/managing-alerts.adoc#creating-alerting-rules-for-user-defined-projects_managing-alerts[Creating alerting rules for user-defined projects].
+* xref:../../support/troubleshooting/investigating-monitoring-issues.adoc#determining-why-prometheus-is-consuming-disk-space_investigating-monitoring-issues[Troubleshooting high cardinality metrics- Determining why Prometheus is consuming a lot of disk space]
diff --git a/observability/network_observability/netobserv_cli/_attributes b/observability/network_observability/netobserv_cli/_attributes
new file mode 120000
index 000000000000..bf7c2529fdb4
--- /dev/null
+++ b/observability/network_observability/netobserv_cli/_attributes
@@ -0,0 +1 @@
+../../../_attributes/
\ No newline at end of file
diff --git a/observability/network_observability/netobserv_cli/images b/observability/network_observability/netobserv_cli/images
new file mode 120000
index 000000000000..4399cbb3c0f3
--- /dev/null
+++ b/observability/network_observability/netobserv_cli/images
@@ -0,0 +1 @@
+../../../images/
\ No newline at end of file
diff --git a/observability/network_observability/netobserv_cli/modules b/observability/network_observability/netobserv_cli/modules
new file mode 120000
index 000000000000..7e8b50bee77a
--- /dev/null
+++ b/observability/network_observability/netobserv_cli/modules
@@ -0,0 +1 @@
+../../../modules/
\ No newline at end of file
diff --git a/observability/network_observability/netobserv_cli/netobserv-cli-install.adoc b/observability/network_observability/netobserv_cli/netobserv-cli-install.adoc
new file mode 100644
index 000000000000..0630c1f99933
--- /dev/null
+++ b/observability/network_observability/netobserv_cli/netobserv-cli-install.adoc
@@ -0,0 +1,20 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="netobserv-cli-install"]
+= Installing the Network Observability CLI
+include::_attributes/common-attributes.adoc[]
+:context: netobserv-cli-install
+
+toc::[]
+
+The Network Observability CLI (`oc netobserv`) is deployed separately from the Network Observability Operator. The CLI is available as an {oc-first} plugin. It provides a lightweight way to quickly debug and troubleshoot with network observability.
+
+:FeatureName: Network Observability CLI (`oc netobserv`)
+include::snippets/technology-preview.adoc[]
+
+include::modules/network-observability-netobserv-cli-about.adoc[leveloffset=+1]
+include::modules/network-observability-netobserv-cli-install.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+* xref:../../../cli_reference/openshift_cli/extending-cli-plugins.adoc#cli-installing-plugins_cli-extend-plugins[Installing and using CLI plugins]
+* xref:../../../cli_reference/openshift_cli/managing-cli-plugins-krew.adoc#cli-krew-install-plugin_managing-cli-plugins-krew[Installing a CLI plugin with Krew]
\ No newline at end of file
diff --git a/observability/network_observability/netobserv_cli/netobserv-cli-reference.adoc b/observability/network_observability/netobserv_cli/netobserv-cli-reference.adoc
new file mode 100644
index 000000000000..937200e52743
--- /dev/null
+++ b/observability/network_observability/netobserv_cli/netobserv-cli-reference.adoc
@@ -0,0 +1,11 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="netobserv-cli-reference"]
+= Network Observability CLI (oc netobserv) reference
+include::_attributes/common-attributes.adoc[]
+:context: netobserv-cli-reference
+
+toc::[]
+
+The Network Observability CLI (`oc netobserv`) has most features and filtering options that are available for the Network Observability Operator. You can pass command line arguments to enable features or filtering options.
+
+include::modules/network-observability-netobserv-cli-reference.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/observability/network_observability/netobserv_cli/netobserv-cli-using.adoc b/observability/network_observability/netobserv_cli/netobserv-cli-using.adoc
new file mode 100644
index 000000000000..aeb965e36d97
--- /dev/null
+++ b/observability/network_observability/netobserv_cli/netobserv-cli-using.adoc
@@ -0,0 +1,17 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="netobserv-cli-using"]
+= Using the Network Observability CLI
+include::_attributes/common-attributes.adoc[]
+:context: netobserv-cli-using
+
+toc::[]
+
+You can visualize and filter the flows and packets data directly in the terminal to see specific usage, such as identifying who is using a specific port. The Network Observability CLI collects flows as JSON and database files or packets as a PCAP file, which you can use with third-party tools.
+
+include::modules/network-observability-cli-capturing-flows.adoc[leveloffset=+1]
+include::modules/network-observability-cli-capturing-packets.adoc[leveloffset=+1]
+include::modules/network-observability-netobserv-cli-cleaning.adoc[leveloffset=+1]
+
+[role=_additional_resources]
+.Additional resources
+* xref:../../../observability/network_observability/netobserv_cli/netobserv-cli-reference.adoc#network-observability-netobserv-cli-reference_netobserv-cli-reference[Network Observability CLI reference]
\ No newline at end of file
diff --git a/observability/network_observability/netobserv_cli/snippets b/observability/network_observability/netobserv_cli/snippets
new file mode 120000
index 000000000000..ce62fd7c41e2
--- /dev/null
+++ b/observability/network_observability/netobserv_cli/snippets
@@ -0,0 +1 @@
+../../../snippets/
\ No newline at end of file
diff --git a/observability/network_observability/network-observability-network-policy.adoc b/observability/network_observability/network-observability-network-policy.adoc
index 04f4e4d5e70f..29115db5c759 100644
--- a/observability/network_observability/network-observability-network-policy.adoc
+++ b/observability/network_observability/network-observability-network-policy.adoc
@@ -13,4 +13,4 @@ include::modules/network-observability-sample-network-policy-YAML.adoc[leveloffs
 
 [role="_additional-resources"]
 .Additional resources
-xref:../../networking/openshift_network_security/network_policy/creating-network-policy.adoc#nw-networkpolicy-object_creating-network-policy[Creating a network policy using the CLI]
\ No newline at end of file
+xref:../../networking/network_security/network_policy/creating-network-policy.adoc#nw-networkpolicy-object_creating-network-policy[Creating a network policy using the CLI]
\ No newline at end of file
diff --git a/observability/network_observability/network-observability-operator-monitoring.adoc b/observability/network_observability/network-observability-operator-monitoring.adoc
index 6392ee42f82e..9c9219106ace 100644
--- a/observability/network_observability/network-observability-operator-monitoring.adoc
+++ b/observability/network_observability/network-observability-operator-monitoring.adoc
@@ -8,10 +8,12 @@ toc::[]
 
 You can use the web console to monitor alerts related to the health of the Network Observability Operator.
 
-
+include::modules/network-observability-health-dashboard-overview.adoc[leveloffset=+1]
+include::modules/network-observability-health-alerts-overview.adoc[leveloffset=+1]
 include::modules/network-observability-viewing-alerts.adoc[leveloffset=+1]
 include::modules/network-observability-disabling-health-alerts.adoc[leveloffset=+2]
 include::modules/network-observability-rate-limit-alert.adoc[leveloffset=+1]
+include::modules/network-observability-ebpf-agent-alert.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 .Additional resources
diff --git a/observability/network_observability/network-observability-operator-release-notes.adoc b/observability/network_observability/network-observability-operator-release-notes.adoc
index a32195272a3c..89cce990e0f6 100644
--- a/observability/network_observability/network-observability-operator-release-notes.adoc
+++ b/observability/network_observability/network-observability-operator-release-notes.adoc
@@ -13,6 +13,73 @@ These release notes track the development of the Network Observability Operator
 
 For an overview of the Network Observability Operator, see xref:../../observability/network_observability/network-observability-overview.adoc#dependency-network-observability[About Network Observability Operator].
 
+[id="network-observability-operator-release-notes-1-6_{context}"]
+== Network Observability Operator 1.6.0
+The following advisory is available for the Network Observability Operator 1.6.0:
+
+* link:https://access.redhat.com/errata/RHSA-2024:3868[Network Observability Operator 1.6.0]
+
+[id="network-observability-operator-1.6.0-features-enhancements_{context}"]
+=== New features and enhancements
+
+[id="network-observability-lokiless-enhancements-1.6_{context}"]
+==== Enhanced use of Network Observability Operator without Loki
+You can now use Prometheus metrics and rely less on Loki for storage when using the Network Observability Operator. For more information, see xref:../../observability/network_observability/installing-operators.adoc#network-observability-without-loki_network_observability[Network Observability without Loki].
+
+[id="network-observability-custom-metrics-1.6_{context}"]
+==== Custom metrics API
+You can create custom metrics out of flowlogs data by using the `FlowMetrics` API. Flowlogs data can be used with Prometheus labels to customize cluster information on your dashboards. You can add custom labels for any subnet that you want to identify in your flows and metrics. This enhancement can also be used to more easily identify external traffic by using the new labels `SrcSubnetLabel` and `DstSubnetLabel`, which exists both in flow logs and in metrics. Those fields are empty when there is external traffic, which gives a way to identify it. For more information, see xref:../../observability/network_observability/metrics-alerts-dashboards.adoc#network-observability-custom-metrics_metrics-dashboards-alerts[Custom metrics] and xref:../../observability/network_observability/flowmetric-api.adoc#flowmetric-flows-netobserv-io-v1alpha1[FlowMetric API reference].
+
+[id="network-observability-eBPF-performance-enhancements-1.6_{context}"]
+==== eBPF performance enhancements
+Experience improved performances of the eBPF agent, in terms of CPU and memory, with the following updates: 
+
+* The eBPF agent now uses TCX webhooks instead of TC.
+* The *NetObserv / Health* dashboard has a new section that shows eBPF metrics.
+** Based on the new eBPF metrics, an alert notifies you when the eBPF agent is dropping flows.
+* Loki storage demand decreases significantly now that duplicated flows are removed. Instead of having multiple, individual duplicated flows per network interface, there is one de-duplicated flow with a list of related network interfaces.
+
+[IMPORTANT]
+====
+With the duplicated flows update, the *Interface* and *Interface Direction* fields in the *Network Traffic* table are renamed to *Interfaces* and *Interface Directions*, so any bookmarked *Quick filter* queries using these fields need to be updated to `interfaces` and `ifdirections`. 
+====
+
+For more information, see xref:../../observability/network_observability/network-observability-operator-monitoring.adoc#network-observability-netobserv-dashboard-ebpf-agent-alerts_network_observability[Using the eBPF agent alert] 
+and xref:../../observability/network_observability/observing-network-traffic.adoc#network-observability-quickfilternw-observe-network-traffic[Quick filters].
+
+
+[id="network-observability-ebpf-collection-filtering-1.6_{context}"]
+==== eBPF collection rule-based filtering
+You can use rule-based filtering to reduce the volume of created flows. When this option is enabled, the *Netobserv / Health* dashboard for eBPF agent statistics has the *Filtered flows rate* view. For more information, see xref:../../observability/network_observability/observing-network-traffic.adoc#network-observability-ebpf-flow-rule-filter_nw-observe-network-traffic[eBPF flow rule filter].
+
+[id="network-observability-technology-preview-1.6_{context}"]
+=== Technology Preview features
+Some features in this release are currently in Technology Preview. These experimental features are not intended for production use. Note the following scope of support on the Red Hat Customer Portal for these features:
+
+link:https://access.redhat.com/support/offerings/techpreview[Technology Preview Features Support Scope]
+
+[id="network-observability-cli-1.6_{context}"]
+==== Network Observability CLI
+You can debug and troubleshoot network traffic issues without needing to install the Network Observability Operator by using the Network Observability CLI. Capture and visualize flow and packet data in real-time with no persistent storage requirement during the capture. For more information, see xref:../../observability/network_observability/netobserv_cli/netobserv-cli-install.adoc#network-observability-netoberv-cli-about_netobserv-cli-install[Network Observability CLI] and link:https://access.redhat.com/errata/RHEA-2024:3869[Network Observability CLI 1.6.0]
+
+[id="network-observability-operator-1.6.0-bug-fixes_{context}"]
+=== Bug fixes
+* Previously, a dead link to the OpenShift containter platform documentation was displayed in the Operator Lifecycle Manager (OLM) form for the `FlowMetrics` API creation. Now the link has been updated to point to a valid page. (link:https://issues.redhat.com/browse/NETOBSERV-1607[*NETOBSERV-1607*])
+* Previously, the Network Observability Operator description in the Operator Hub displayed a broken link to the documentation. With this fix, this link is restored. (link:https://issues.redhat.com/browse/NETOBSERV-1544[*NETOBSERV-1544*])
+* Previously, if Loki was disabled and the Loki `Mode` was set to `LokiStack`, or if Loki manual TLS configuration was configured, the Network Observability Operator still tried to read the Loki CA certificates. With this fix, when Loki is disabled, the Loki certificates are not read, even if there are settings in the Loki configuration. (link:https://issues.redhat.com/browse/NETOBSERV-1647[*NETOBSERV-1647*])
+* Previously, the `oc` `must-gather` plugin for the Network Observability Operator was only working on the `amd64` architecture and failing on all others because the plugin was using `amd64` for the `oc` binary. Now, the Network Observability Operator `oc` `must-gather` plugin collects logs on any architecture platform.
+* Previously, when filtering on IP addresses using `not equal to`, the Network Observability Operator would return a request error.
+Now, the IP filtering works in both `equal` and `not equal to` cases for IP addresses and ranges. (link:https://issues.redhat.com/browse/NETOBSERV-1630[*NETOBSERV-1630*])
+* Previously, when a user was not an admin, the error messages were not consistent with the selected tab of the *Network Traffic* view in the web console. Now, the `user not admin` error displays on any tab with improved display.(link:https://issues.redhat.com/browse/NETOBSERV-1621[*NETOBSERV-1621*])
+
+[id="network-observability-operator-1.6.0-known-issues_{context}"]
+=== Known issues
+* When the eBPF agent `PacketDrop` feature is enabled, and sampling is configured to a value greater than `1`, reported dropped bytes and dropped packets ignore the sampling configuration. While this is done on purpose to not miss any drops, a side effect is that the reported proportion of drops versus non-drops becomes biased. For example, at a very high sampling rate, such as `1:1000`, it is likely that almost all the traffic appears to be dropped when observed from the console plugin. (link:https://issues.redhat.com/browse/NETOBSERV-1676[*NETOBSERV-1676*])
+* In the *Manage panels* pop-up window in the *Overview* tab, filtering on *total*, *bar*, *donut*, or *line* does not show any result. (link:https://issues.redhat.com/browse/NETOBSERV-1540[*NETOBSERV-1540*])
+* The SR-IOV secondary interface is not detected if the interface was created first and then the eBPF agent was deployed. It is only detected if the agent was deployed first and then the SR-IOV interface is created. (link:https://issues.redhat.com/browse/NETOBSERV-1697[*NETOBSERV-1697*])
+* When Loki is disabled, the *Topology* view in the OpenShift web console always shows the *Cluster* and *Zone* aggregation options in the slider beside the network topology diagram, even when the related features are not enabled. There is no specific workaround, besides ignoring these slider options. (link:https://issues.redhat.com/browse/NETOBSERV-1705[*NETOBSERV-1705*])
+* When Loki is disabled, and the OpenShift web console first loads, it might display an error: `Request failed with status code 400 Loki is disabled`. As a workaround, you can continue switching content on the *Network Traffic* page, such as clicking between the *Topology* and the *Overview* tabs. The error should disappear. (link:https://issues.redhat.com/browse/NETOBSERV-1706[*NETOBSERV-1706*])
+
 [id="network-observability-operator-release-notes-1-5"]
 == Network Observability Operator 1.5.0
 The following advisory is available for the Network Observability Operator 1.5.0:
@@ -90,7 +157,7 @@ With the `FlowCollector` `v1beta2` API update, you can configure the `spec.loki.
 * Previously, the Operator bundle did not display some of the supported features by CSV annotations as expected, such as `features.operators.openshift.io/...`
 With this fix, these annotations are set in the CSV as expected. (link:https://issues.redhat.com/browse/NETOBSERV-1305[*NETOBSERV-1305*])
 * Previously, the `FlowCollector` status sometimes oscillated between `DeploymentInProgress` and `Ready` states during reconciliation.
-With this fix, the status only becomes `Ready` when all the underlying components are fully ready.(link:https://issues.redhat.com/browse/NETOBSERV-1293[NETOBSERV-1293])
+With this fix, the status only becomes `Ready` when all of the underlying components are fully ready. (link:https://issues.redhat.com/browse/NETOBSERV-1293[*NETOBSERV-1293*])
 
 [id="network-observability-operator-1.5.0-known-issue"]
 === Known issues
@@ -307,7 +374,7 @@ The subscription of an installed Operator specifies an update channel that track
 
 [id="health-alerts-feature-1.2"]
 ==== Network Observability health alerts
-* The Network Observability Operator now creates automatic alerts if the `flowlogs-pipeline` is dropping flows because of errors at the write stage or if the Loki ingestion rate limit has been reached. For more information, see xref:../../observability/network_observability/network-observability-operator-monitoring.adoc#network-observability-alert-dashboard_network_observability[Viewing health information].
+* The Network Observability Operator now creates automatic alerts if the `flowlogs-pipeline` is dropping flows because of errors at the write stage or if the Loki ingestion rate limit has been reached. For more information, see xref:../../observability/network_observability/network-observability-operator-monitoring.adoc#network-observability-health-dashboard-overview_network_observability[Health dashboards].
 
 [id="network-observability-operator-1.2.0-bug-fixes"]
 === Bug fixes
diff --git a/observability/network_observability/network-observability-overview.adoc b/observability/network_observability/network-observability-overview.adoc
index 2fed3d7e5be7..deedcd424f16 100644
--- a/observability/network_observability/network-observability-overview.adoc
+++ b/observability/network_observability/network-observability-overview.adoc
@@ -6,19 +6,18 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-Red Hat offers cluster administrators the Network Observability Operator to observe the network traffic for {product-title} clusters. The Network Observability Operator uses the eBPF technology to create network flows. The network flows are then enriched with {product-title} information and stored in Loki. You can view and analyze the stored network flows information in the {product-title} console for further insight and troubleshooting.
+Red Hat offers cluster administrators the Network Observability Operator to observe the network traffic for {product-title} clusters. The Network Observability Operator uses the eBPF technology to create network flows. The network flows are then enriched with {product-title} information. They are available as Prometheus metrics or as logs in Loki. You can view and analyze the stored network flows information in the {product-title} console for further insight and troubleshooting.
 
 [id="dependency-network-observability"]
 == Optional dependencies of the Network Observability Operator
 
-* {loki-op}: Loki is the backend that is used to store all collected flows. It is recommended to install Loki to use with the Network Observability Operator. You can choose to use xref:../network_observability/installing-operators.adoc#network-observability-without-loki_network_observability[Network Observability without Loki], but there are some considerations for doing this, as described in the linked section. If you choose to install Loki, it is recommended to use the {loki-op}, as it is supported by Red Hat.
-* Grafana Operator: You can install Grafana for creating custom dashboards and querying capabilities, by using an open source product, such as the Grafana Operator. Red Hat does not support the Grafana Operator.
+* {loki-op}: Loki is the backend that can be used to store all collected flows with a maximal level of details. You can choose to use xref:../network_observability/installing-operators.adoc#network-observability-without-loki_network_observability[Network Observability without Loki], but there are some considerations for doing this, as described in the linked section. If you choose to install Loki, it is recommended to use the {loki-op}, which is supported by Red Hat.
 * AMQ Streams Operator: Kafka provides scalability, resiliency and high availability in the {product-title} cluster for large scale deployments. If you choose to use Kafka, it is recommended to use the AMQ Streams Operator, because it is supported by Red Hat.
 
 [id="network-observability-operator"]
 == Network Observability Operator
 
-The Network Observability Operator provides the Flow Collector API custom resource definition. A Flow Collector instance is created during installation and enables configuration of network flow collection. The Flow Collector instance deploys pods and services that form a monitoring pipeline where network flows are then collected and enriched with the Kubernetes metadata before storing in Loki. The eBPF agent, which is deployed as a `daemonset` object, creates the network flows.
+The Network Observability Operator provides the Flow Collector API custom resource definition. A Flow Collector instance is a cluster-scoped resource that enables configuration of network flow collection. The Flow Collector instance deploys pods and services that form a monitoring pipeline where network flows are then collected and enriched with the Kubernetes metadata before storing in Loki or generating Prometheus metrics. The eBPF agent, which is deployed as a `daemonset` object, creates the network flows.
 
 [id="no-console-integration"]
 == {product-title} console integration
@@ -28,17 +27,21 @@ The Network Observability Operator provides the Flow Collector API custom resour
 [id="network-observability-dashboards"]
 === Network Observability metrics dashboards
 
-On the *Overview* tab in the {product-title} console, you can view the overall aggregated metrics of the network traffic flow on the cluster. You can choose to display the information by node, namespace, owner, pod, zone, and service. Filters and display options can further refine the metrics. For more information, see xref:../network_observability/observing-network-traffic.adoc#network-observability-overview_nw-observe-network-traffic[Observing the network traffic from the Overview view].
+On the *Overview* tab in the {product-title} console, you can view the overall aggregated metrics of the network traffic flow on the cluster. You can choose to display the information by zone, node, namespace, owner, pod, and service. Filters and display options can further refine the metrics. For more information, see xref:../network_observability/observing-network-traffic.adoc#network-observability-overview_nw-observe-network-traffic[Observing the network traffic from the Overview view].
 
-In *Observe* -> *Dashboards*, the *Netobserv* dashboard provides a quick overview of the network flows in your {product-title} cluster. The *Netobserv/Health* dashboard provides metrics about the health of the Operator. For more information, see xref:../network_observability/metrics-alerts-dashboards.adoc#network-observability-metrics_metrics-dashboards-alerts[Network Observability Metrics] and xref:../network_observability/network-observability-operator-monitoring.adoc#network-observability-alert-dashboard_network_observability[Viewing health information].
+In *Observe* -> *Dashboards*, the *Netobserv* dashboards provide a quick overview of the network flows in your {product-title} cluster. The *Netobserv/Health* dashboard provides metrics about the health of the Operator. For more information, see xref:../network_observability/metrics-alerts-dashboards.adoc#network-observability-metrics_metrics-dashboards-alerts[Network Observability Metrics] and xref:../network_observability/network-observability-operator-monitoring.adoc#network-observability-health-dashboard-overview_network_observability[Viewing health information].
 
 
 [id="network-observability-topology-views"]
 === Network Observability topology views
 
-The {product-title} console offers the *Topology* tab which displays a graphical representation of the network flows and the amount of traffic. The topology view represents traffic between the {product-title} components as a network graph. You can refine the graph by using the filters and display options. You can access the information for node, namespace, owner, pod, and service.
+The {product-title} console offers the *Topology* tab which displays a graphical representation of the network flows and the amount of traffic. The topology view represents traffic between the {product-title} components as a network graph. You can refine the graph by using the filters and display options. You can access the information for zone, node, namespace, owner, pod, and service.
 
 [id="traffic-flow-tables"]
 === Traffic flow tables
 
 The traffic flow table view provides a view for raw flows, non aggregated filtering options, and configurable columns. The {product-title} console offers the *Traffic flows* tab which displays the data of the network flows and the amount of traffic.
+
+[id="network-observability-cli"]
+== Network Observability CLI
+You can quickly debug and troubleshoot networking issues with Network Observability by using the Network Observability CLI (`oc netobserv`). The Network Observability CLI is a flow and packet visualization tool that relies on eBPF agents to stream collected data to an ephemeral collector pod. It requires no persistent storage during the capture. After the run, the output is transferred to your local machine. This enables quick, live insight into packets and flow data without installing the Network Observability Operator.  
\ No newline at end of file
diff --git a/observability/network_observability/network-observability-scheduling-resources.adoc b/observability/network_observability/network-observability-scheduling-resources.adoc
new file mode 100644
index 000000000000..452a8ab0312e
--- /dev/null
+++ b/observability/network_observability/network-observability-scheduling-resources.adoc
@@ -0,0 +1,19 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="network-observability-scheduling-resources"]
+= Scheduling resources
+include::_attributes/common-attributes.adoc[]
+:context: network_observability_scheduling
+
+Taints and tolerations allow the node to control which pods should (or should not) be scheduled on them. 
+
+A node selector specifies a map of key/value pairs that are defined using custom labels on nodes and selectors specified in pods.
+
+For the pod to be eligible to run on a node, the pod must have the same key/value node selector as the label on the node.
+
+include::modules/network-observability-nodes-taints-tolerations.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+* xref:../../nodes/scheduling/nodes-scheduler-taints-tolerations.adoc#nodes-scheduler-taints-tolerations-about_nodes-scheduler-taints-tolerations[Understanding taints and tolerations]
+* link:https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/[Assign Pods to Nodes] (Kubernetes documentation)
+* link:https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass[Pod Priority and Preemption] (Kubernetes documentation)
\ No newline at end of file
diff --git a/observability/network_observability/observing-network-traffic.adoc b/observability/network_observability/observing-network-traffic.adoc
index 6c4268c3876d..362559bfefa5 100644
--- a/observability/network_observability/observing-network-traffic.adoc
+++ b/observability/network_observability/observing-network-traffic.adoc
@@ -32,6 +32,15 @@ include::modules/network-observability-RTT-overview.adoc[leveloffset=+2]
 .Additional resources
 * xref:../../observability/network_observability/observing-network-traffic.adoc#network-observability-RTT_nw-observe-network-traffic[Working with RTT tracing]
 
+include::modules/network-observability-ebpf-rule-flow-filter.adoc[leveloffset=+2]
+include::modules/network-observability-flow-filter-parameters.adoc[leveloffset=+3]
+
+[role="_additional-resources"]
+.Additional resources
+* xref:../../observability/network_observability/observing-network-traffic.adoc#network-observability-filtering-ebpf-rule_nw-observe-network-traffic[Filtering eBPF flow data with rules]
+* xref:../../observability/network_observability/metrics-alerts-dashboards.adoc#network-observability-metrics_metrics-dashboards-alerts[Network Observability metrics]
+* xref:../../observability/network_observability/network-observability-operator-monitoring.adoc#network-observability-health-dashboard-overview_network_observability[Health dashboards]
+
 //Traffic flows
 include::modules/network-observability-trafficflow.adoc[leveloffset=+1]
 include::modules/network-observability-working-with-trafficflow.adoc[leveloffset=+2]
@@ -42,6 +51,7 @@ include::modules/network-observability-dns-tracking.adoc[leveloffset=+2]
 include::modules/network-observability-RTT.adoc[leveloffset=+2]
 include::modules/network-observability-histogram-trafficflow.adoc[leveloffset=+2]
 include::modules/network-observability-working-with-zones.adoc[leveloffset=+2]
+include::modules/network-observability-filtering-ebpf-rule.adoc[leveloffset=+2]
 
 //Topology
 include::modules/network-observability-topology.adoc[leveloffset=+1]
diff --git a/observability/otel/otel-collector/_attributes b/observability/otel/otel-collector/_attributes
new file mode 120000
index 000000000000..20cc1dcb77bf
--- /dev/null
+++ b/observability/otel/otel-collector/_attributes
@@ -0,0 +1 @@
+../../_attributes/
\ No newline at end of file
diff --git a/observability/otel/otel-collector/images b/observability/otel/otel-collector/images
new file mode 120000
index 000000000000..847b03ed0541
--- /dev/null
+++ b/observability/otel/otel-collector/images
@@ -0,0 +1 @@
+../../images/
\ No newline at end of file
diff --git a/observability/otel/otel-collector/modules b/observability/otel/otel-collector/modules
new file mode 120000
index 000000000000..36719b9de743
--- /dev/null
+++ b/observability/otel/otel-collector/modules
@@ -0,0 +1 @@
+../../modules/
\ No newline at end of file
diff --git a/observability/otel/otel-collector/otel-collector-connectors.adoc b/observability/otel/otel-collector/otel-collector-connectors.adoc
new file mode 100644
index 000000000000..5c4f2d3e6578
--- /dev/null
+++ b/observability/otel/otel-collector/otel-collector-connectors.adoc
@@ -0,0 +1,80 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="otel-collector-connectors"]
+= Connectors
+include::_attributes/common-attributes.adoc[]
+:context: otel-collector-connectors
+
+toc::[]
+
+A connector connects two pipelines. It consumes data as an exporter at the end of one pipeline and emits data as a receiver at the start of another pipeline. It can consume and emit data of the same or different data type. It can generate and emit data to summarize the consumed data, or it can merely replicate or route data.
+
+[id="forward-connector_{context}"]
+== Forward Connector
+
+The Forward Connector merges two pipelines of the same type.
+
+:FeatureName: The Forward Connector
+include::snippets/technology-preview.adoc[]
+
+.OpenTelemetry Collector custom resource with an enabled Forward Connector
+[source,yaml]
+----
+# ...
+receivers:
+  otlp:
+    protocols:
+      grpc:
+  jaeger:
+    protocols:
+      grpc:
+processors:
+  batch:
+exporters:
+  otlp:
+    endpoint: tempo-simplest-distributor:4317
+    tls:
+      insecure: true
+connectors:
+  forward:
+service:
+  pipelines:
+    traces/regiona:
+      receivers: [otlp]
+      processors: []
+      exporters: [forward]
+    traces/regionb:
+      receivers: [jaeger]
+      processors: []
+      exporters: [forward]
+    traces:
+      receivers: [forward]
+      processors: [batch]
+      exporters: [otlp]
+# ...
+----
+
+[id="spanmetrics-connector_{context}"]
+== Spanmetrics Connector
+
+The Spanmetrics Connector aggregates Request, Error, and Duration (R.E.D) OpenTelemetry metrics from span data.
+
+:FeatureName: The Spanmetrics Connector
+include::snippets/technology-preview.adoc[]
+
+.OpenTelemetry Collector custom resource with an enabled Spanmetrics Connector
+[source,yaml]
+----
+# ...
+  config: |
+    connectors:
+      spanmetrics:
+        metrics_flush_interval: 15s # <1>
+    service:
+      pipelines:
+        traces:
+          exporters: [spanmetrics]
+        metrics:
+          receivers: [spanmetrics]
+# ...
+----
+<1> Defines the flush interval of the generated metrics. Defaults to `15s`.
diff --git a/observability/otel/otel-collector/otel-collector-exporters.adoc b/observability/otel/otel-collector/otel-collector-exporters.adoc
new file mode 100644
index 000000000000..5702823682b6
--- /dev/null
+++ b/observability/otel/otel-collector/otel-collector-exporters.adoc
@@ -0,0 +1,232 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="otel-collector-exporters"]
+= Exporters
+include::_attributes/common-attributes.adoc[]
+:context: otel-collector-exporters
+
+toc::[]
+
+Exporters send data to one or more back ends or destinations. An exporter can be push or pull based. By default, no exporters are configured. One or more exporters must be configured. Exporters can support one or more data sources. Exporters might be used with their default settings, but many exporters require configuration to specify at least the destination and security settings.
+
+[id="otlp-exporter_{context}"]
+== OTLP Exporter
+
+The OTLP gRPC Exporter exports traces and metrics by using the OpenTelemetry protocol (OTLP).
+
+.OpenTelemetry Collector custom resource with an enabled OTLP Exporter
+[source,yaml]
+----
+# ...
+  config: |
+    exporters:
+      otlp:
+        endpoint: tempo-ingester:4317 # <1>
+        tls: # <2>
+          ca_file: ca.pem
+          cert_file: cert.pem
+          key_file: key.pem
+          insecure: false # <3>
+          insecure_skip_verify: false # # <4>
+          reload_interval: 1h # <5>
+          server_name_override: <name> # <6>
+        headers: # <7>
+          X-Scope-OrgID: "dev"
+    service:
+      pipelines:
+        traces:
+          exporters: [otlp]
+        metrics:
+          exporters: [otlp]
+# ...
+----
+<1> The OTLP gRPC endpoint. If the `+https://+` scheme is used, then client transport security is enabled and overrides the `insecure` setting in the `tls`.
+<2> The client-side TLS configuration. Defines paths to TLS certificates.
+<3> Disables client transport security when set to `true`. The default value is `false` by default.
+<4> Skips verifying the certificate when set to `true`. The default value is `false`.
+<5> Specifies the time interval at which the certificate is reloaded. If the value is not set, the certificate is never reloaded. The `reload_interval` accepts a string containing valid units of time such as `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
+<6> Overrides the virtual host name of authority such as the authority header field in requests. You can use this for testing.
+<7> Headers are sent for every request performed during an established connection.
+
+[id="otlp-http-exporter_{context}"]
+== OTLP HTTP Exporter
+
+The OTLP HTTP Exporter exports traces and metrics by using the OpenTelemetry protocol (OTLP).
+
+.OpenTelemetry Collector custom resource with an enabled OTLP Exporter
+[source,yaml]
+----
+# ...
+  config: |
+    exporters:
+      otlphttp:
+        endpoint: http://tempo-ingester:4318 # <1>
+        tls: # <2>
+        headers: # <3>
+          X-Scope-OrgID: "dev"
+        disable_keep_alives: false <4>
+
+    service:
+      pipelines:
+        traces:
+          exporters: [otlphttp]
+        metrics:
+          exporters: [otlphttp]
+# ...
+----
+<1> The OTLP HTTP endpoint. If the `+https://+` scheme is used, then client transport security is enabled and overrides the `insecure` setting in the `tls`.
+<2> The client side TLS configuration. Defines paths to TLS certificates.
+<3> Headers are sent in every HTTP request.
+<4> If true, disables HTTP keep-alives. It will only use the connection to the server for a single HTTP request.
+
+[id="debug-exporter_{context}"]
+== Debug Exporter
+
+The Debug Exporter prints traces and metrics to the standard output.
+
+.OpenTelemetry Collector custom resource with an enabled Debug Exporter
+[source,yaml]
+----
+# ...
+  config: |
+    exporters:
+      debug:
+        verbosity: detailed # <1>
+    service:
+      pipelines:
+        traces:
+          exporters: [logging]
+        metrics:
+          exporters: [logging]
+# ...
+----
+<1> Verbosity of the debug export: `detailed` or `normal` or `basic`. When set to `detailed`, pipeline data is verbosely logged. Defaults to `normal`.
+
+[id="load-balancing-exporter_{context}"]
+== Load Balancing Exporter
+
+The Load Balancing Exporter consistently exports spans, metrics, and logs according to the `routing_key` configuration.
+
+:FeatureName: The Load Balancing Exporter
+include::snippets/technology-preview.adoc[leveloffset=+1]
+
+.OpenTelemetry Collector custom resource with an enabled Load Balancing Exporter
+[source,yaml]
+----
+# ...
+  config: |
+    exporters:
+      loadbalancing:
+        routing_key: "service" # <1>
+        protocol:
+          otlp: # <2>
+            timeout: 1s
+        resolver: # <3>
+          static: # <4>
+            hostnames:
+            - backend-1:4317
+            - backend-2:4317
+          dns: # <5>
+            hostname: otelcol-headless.observability.svc.cluster.local
+          k8s: # <6>
+            service: lb-svc.kube-public
+            ports:
+              - 15317
+              - 16317
+# ...
+----
+<1> The `routing_key: service` exports spans for the same service name to the same Collector instance to provide accurate aggregation. The `routing_key: traceID` exports spans based on their `traceID`. The implicit default is `traceID` based routing.
+<2> The OTLP is the only supported load-balancing protocol. All options of the OTLP exporter are supported.
+<3> You can configure only one resolver.
+<4> The static resolver distributes the load across the listed endpoints.
+<5> You can use the DNS resolver only with a Kubernetes headless service.
+<6> The Kubernetes resolver is recommended.
+
+[id="prometheus-exporter_{context}"]
+== Prometheus Exporter
+
+The Prometheus Exporter exports metrics in the Prometheus or OpenMetrics formats.
+
+:FeatureName: The Prometheus Exporter
+include::snippets/technology-preview.adoc[]
+
+.OpenTelemetry Collector custom resource with an enabled Prometheus Exporter
+[source,yaml]
+----
+# ...
+  ports:
+  - name: promexporter # <1>
+    port: 8889
+    protocol: TCP
+  config: |
+    exporters:
+      prometheus:
+        endpoint: 0.0.0.0:8889 # <2>
+        tls: # <3>
+          ca_file: ca.pem
+          cert_file: cert.pem
+          key_file: key.pem
+        namespace: prefix # <4>
+        const_labels: # <5>
+          label1: value1
+        enable_open_metrics: true # <6>
+        resource_to_telemetry_conversion: # <7>
+          enabled: true
+        metric_expiration: 180m # <8>
+        add_metric_suffixes: false # <9>
+    service:
+      pipelines:
+        metrics:
+          exporters: [prometheus]
+# ...
+----
+<1> Exposes the Prometheus port from the Collector pod and service. You can enable scraping of metrics by Prometheus by using the port name in `ServiceMonitor` or `PodMonitor` custom resource.
+<2> The network endpoint where the metrics are exposed.
+<3> The server-side TLS configuration. Defines paths to TLS certificates.
+<4> If set, exports metrics under the provided value. No default.
+<5> Key-value pair labels that are applied for every exported metric. No default.
+<6> If `true`, metrics are exported using the OpenMetrics format. Exemplars are only exported in the OpenMetrics format and only for histogram and monotonic sum metrics such as `counter`. Disabled by default.
+<7> If `enabled` is `true`, all the resource attributes are converted to metric labels by default. Disabled by default.
+<8> Defines how long metrics are exposed without updates. The default is `5m`.
+<9> Adds the metrics types and units suffixes. Must be disabled if the monitor tab in Jaeger console is enabled. The default is `true`.
+
+[id="kafka-exporter_{context}"]
+== Kafka Exporter
+
+The Kafka Exporter exports logs, metrics, and traces to Kafka. This exporter uses a synchronous producer that blocks and does not batch messages. You must use it with batch and queued retry processors for higher throughput and resiliency.
+
+:FeatureName: The Kafka Exporter
+include::snippets/technology-preview.adoc[]
+
+.OpenTelemetry Collector custom resource with an enabled Kafka Exporter
+[source,yaml]
+----
+# ...
+  config: |
+    exporters:
+      kafka:
+        brokers: ["localhost:9092"] # <1>
+        protocol_version: 2.0.0 # <2>
+        topic: otlp_spans # <3>
+        auth:
+          plain_text: # <4>
+            username: example
+            password: example
+          tls: # <5>
+            ca_file: ca.pem
+            cert_file: cert.pem
+            key_file: key.pem
+            insecure: false # <6>
+            server_name_override: kafka.example.corp # <7>
+    service:
+      pipelines:
+        traces:
+          exporters: [kafka]
+# ...
+----
+<1> The list of Kafka brokers. The default is `+localhost:9092+`.
+<2> The Kafka protocol version. For example, `+2.0.0+`. This is a required field.
+<3> The name of the Kafka topic to read from. The following are the defaults: `+otlp_spans+` for traces, `+otlp_metrics+` for metrics, `+otlp_logs+` for logs.
+<4> The plain text authentication configuration. If omitted, plain text authentication is disabled.
+<5> The client-side TLS configuration. Defines paths to the TLS certificates. If omitted, TLS authentication is disabled.
+<6> Disables verifying the server's certificate chain and host name. The default is `+false+`.
+<7> ServerName indicates the name of the server requested by the client to support virtual hosting.
diff --git a/observability/otel/otel-collector/otel-collector-extensions.adoc b/observability/otel/otel-collector/otel-collector-extensions.adoc
new file mode 100644
index 000000000000..a3df12449e4f
--- /dev/null
+++ b/observability/otel/otel-collector/otel-collector-extensions.adoc
@@ -0,0 +1,458 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="otel-collector-extensions"]
+= Extensions
+include::_attributes/common-attributes.adoc[]
+:context: otel-collector-extensions
+
+toc::[]
+
+Extensions add capabilities to the Collector. For example, authentication can be added to the receivers and exporters automatically.
+
+[id="bearertokenauth-extension_{context}"]
+== BearerTokenAuth Extension
+
+The BearerTokenAuth Extension is an authenticator for receivers and exporters that are based on the HTTP and the gRPC protocol.
+You can use the OpenTelemetry Collector custom resource to configure client authentication and server authentication for the BearerTokenAuth Extension on the receiver and exporter side.
+This extension supports traces, metrics, and logs.
+
+:FeatureName: The BearerTokenAuth Extension
+include::snippets/technology-preview.adoc[]
+
+.OpenTelemetry Collector custom resource with client and server authentication configured for the BearerTokenAuth Extension
+[source,yaml]
+----
+# ...
+  config: |
+    extensions:
+      bearertokenauth:
+        scheme: "Bearer" # <1>
+        token: "<token>" # <2>
+        filename: "<token_file>" # <3>
+
+    receivers:
+      otlp:
+        protocols:
+          http:
+            auth:
+              authenticator: bearertokenauth # <4>
+    exporters:
+      otlp:
+        auth:
+          authenticator: bearertokenauth # <5>
+
+    service:
+      extensions: [bearertokenauth]
+      pipelines:
+        traces:
+          receivers: [otlp]
+          exporters: [otlp]
+# ...
+----
+<1> You can configure the BearerTokenAuth Extension to send a custom `scheme`. The default is `Bearer`.
+<2> You can add the BearerTokenAuth Extension token as metadata to identify a message.
+<3> Path to a file that contains an authorization token that is transmitted with every message.
+<4> You can assign the authenticator configuration to an OTLP Receiver.
+<5> You can assign the authenticator configuration to an OTLP Exporter.
+
+[id="oauth2client-extension_{context}"]
+== OAuth2Client Extension
+
+The OAuth2Client Extension is an authenticator for exporters that are based on the HTTP and the gRPC protocol.
+Client authentication for the OAuth2Client Extension is configured in a separate section in the OpenTelemetry Collector custom resource.
+This extension supports traces, metrics, and logs.
+
+:FeatureName: The OAuth2Client Extension
+include::snippets/technology-preview.adoc[]
+
+.OpenTelemetry Collector custom resource with client authentication configured for the OAuth2Client Extension
+[source,yaml]
+----
+# ...
+  config: |
+    extensions:
+      oauth2client:
+        client_id: <client_id> # <1>
+        client_secret: <client_secret> # <2>
+        endpoint_params: # <3>
+          audience: <audience>
+        token_url: https://example.com/oauth2/default/v1/token # <4>
+        scopes: ["api.metrics"] # <5>
+        # tls settings for the token client
+        tls: # <6>
+          insecure: true # <7>
+          ca_file: /var/lib/mycert.pem # <8>
+          cert_file: <cert_file> # <9>
+          key_file: <key_file> # <10>
+        timeout: 2s # <11>
+
+    receivers:
+      otlp:
+        protocols:
+          http: {}
+
+    exporters:
+      otlp:
+        auth:
+          authenticator: oauth2client # <12>
+
+    service:
+      extensions: [oauth2client]
+      pipelines:
+        traces:
+          receivers: [otlp]
+          exporters: [otlp]
+# ...
+----
+<1> Client identifier, which is provided by the identity provider.
+<2> Confidential key used to authenticate the client to the identity provider.
+<3> Further metadata, in the key-value pair format, which is transferred during authentication. For example, `audience` specifies the intended audience for the access token, indicating the recipient of the token.
+<4> The URL of the OAuth2 token endpoint, where the Collector requests access tokens.
+<5> The scopes define the specific permissions or access levels requested by the client.
+<6> The Transport Layer Security (TLS) settings for the token client, which is used to establish a secure connection when requesting tokens.
+<7> When set to `true`, configures the Collector to use an insecure or non-verified TLS connection to call the configured token endpoint.
+<8> The path to a Certificate Authority (CA) file that is used to verify the server's certificate during the TLS handshake.
+<9> The path to the client certificate file that the client must use to authenticate itself to the OAuth2 server if required.
+<10> The path to the client's private key file that is used with the client certificate if needed for authentication.
+<11> Sets a timeout for the token client's request.
+<12> You can assign the authenticator configuration to an OTLP exporter.
+
+[id="filestorage-extension_{context}"]
+== File Storage Extension
+
+The File Storage Extension supports traces, metrics, and logs. This extension can persist the state to the local file system. This extension persists the sending queue for the OTLP exporters that are based on the HTTP and the gRPC protocols. This extension requires the read and write access to a directory. This extension can use a default directory, but the default directory must already exist.
+
+:FeatureName: The File Storage Extension
+include::snippets/technology-preview.adoc[]
+
+.OpenTelemetry Collector custom resource with a configured File Storage Extension that persists an OTLP sending queue
+[source,yaml]
+----
+# ...
+  config: |
+    extensions:
+      file_storage/all_settings:
+        directory: /var/lib/otelcol/mydir # <1>
+        timeout: 1s # <2>
+        compaction:
+          on_start: true # <3>
+          directory: /tmp/ # <4>
+          max_transaction_size: 65_536 # <5>
+        fsync: false # <6>
+
+    exporters:
+      otlp:
+        sending_queue:
+          storage: file_storage/all_settings
+
+    service:
+      extensions: [file_storage/all_settings]
+      pipelines:
+        traces:
+          receivers: [otlp]
+          exporters: [otlp]
+# ...
+----
+<1> Specifies the directory in which the telemetry data is stored.
+<2> Specifies the timeout time interval for opening the stored files.
+<3> Starts compaction when the Collector starts. If omitted, the default is `+false+`.
+<4> Specifies the directory in which the compactor stores the telemetry data.
+<5> Defines the maximum size of the compaction transaction. To ignore the transaction size, set to zero. If omitted, the default is `+65536+` bytes.
+<6> When set, forces the database to perform an `fsync` call after each write operation. This helps to ensure database integrity if there is an interruption to the database process, but at the cost of performance.
+
+[id="oidcauth-extension_{context}"]
+== OIDC Auth Extension
+
+The OIDC Auth Extension authenticates incoming requests to receivers by using the OpenID Connect (OIDC) protocol.
+It validates the ID token in the authorization header against the issuer and updates the authentication context of the incoming request.
+
+:FeatureName: The OIDC Auth Extension
+include::snippets/technology-preview.adoc[]
+
+.OpenTelemetry Collector custom resource with the configured OIDC Auth Extension
+[source,yaml]
+----
+# ...
+  config: |
+    extensions:
+      oidc:
+        attribute: authorization # <1>
+        issuer_url: https://example.com/auth/realms/opentelemetry # <2>
+        issuer_ca_path: /var/run/tls/issuer.pem # <3>
+        audience: otel-collector # <4>
+        username_claim: email # <5>
+    receivers:
+      otlp:
+        protocols:
+          grpc:
+            auth:
+              authenticator: oidc
+    exporters:
+      otlp:
+        endpoint: <endpoint>
+    service:
+      extensions: [oidc]
+      pipelines:
+        traces:
+          receivers: [otlp]
+          exporters: [otlp]
+# ...
+----
+<1> The name of the header that contains the ID token. The default name is `authorization`.
+<2> The base URL of the OIDC provider.
+<3> Optional: The path to the issuer's CA certificate.
+<4> The audience for the token.
+<5> The name of the claim that contains the username. The default name is `sub`.
+
+[id="jaegerremotesampling-extension_{context}"]
+== Jaeger Remote Sampling Extension
+
+The Jaeger Remote Sampling Extension enables serving sampling strategies after Jaeger's remote sampling API. You can configure this extension to proxy requests to a backing remote sampling server such as a Jaeger collector down the pipeline or to a static JSON file from the local file system.
+
+:FeatureName: The Jaeger Remote Sampling Extension
+include::snippets/technology-preview.adoc[]
+
+.OpenTelemetry Collector custom resource with a configured Jaeger Remote Sampling Extension
+[source,yaml]
+----
+# ...
+  config: |
+    extensions:
+      jaegerremotesampling:
+        source:
+          reload_interval: 30s # <1>
+          remote:
+            endpoint: jaeger-collector:14250 # <2>
+          file: /etc/otelcol/sampling_strategies.json # <3>
+
+    receivers:
+      otlp:
+        protocols:
+          http: {}
+
+    exporters:
+      otlp:
+
+    service:
+      extensions: [jaegerremotesampling]
+      pipelines:
+        traces:
+          receivers: [otlp]
+          exporters: [otlp]
+# ...
+----
+<1> The time interval at which the sampling configuration is updated.
+<2> The endpoint for reaching the Jaeger remote sampling strategy provider.
+<3> The path to a local file that contains a sampling strategy configuration in the JSON format.
+
+.Example of a Jaeger Remote Sampling strategy file
+[source,json]
+----
+{
+  "service_strategies": [
+    {
+      "service": "foo",
+      "type": "probabilistic",
+      "param": 0.8,
+      "operation_strategies": [
+        {
+          "operation": "op1",
+          "type": "probabilistic",
+          "param": 0.2
+        },
+        {
+          "operation": "op2",
+          "type": "probabilistic",
+          "param": 0.4
+        }
+      ]
+    },
+    {
+      "service": "bar",
+      "type": "ratelimiting",
+      "param": 5
+    }
+  ],
+  "default_strategy": {
+    "type": "probabilistic",
+    "param": 0.5,
+    "operation_strategies": [
+      {
+        "operation": "/health",
+        "type": "probabilistic",
+        "param": 0.0
+      },
+      {
+        "operation": "/metrics",
+        "type": "probabilistic",
+        "param": 0.0
+      }
+    ]
+  }
+}
+----
+
+[id="pprof-extension_{context}"]
+== Performance Profiler Extension
+
+The Performance Profiler Extension enables the Go `net/http/pprof` endpoint. Developers use this extension to collect performance profiles and investigate issues with the service.
+
+:FeatureName: The Performance Profiler Extension
+include::snippets/technology-preview.adoc[]
+
+.OpenTelemetry Collector custom resource with the configured Performance Profiler Extension
+[source,yaml]
+----
+# ...
+  config: |
+    extensions:
+      pprof:
+        endpoint: localhost:1777 # <1>
+        block_profile_fraction: 0 # <2>
+        mutex_profile_fraction: 0 # <3>
+        save_to_file: test.pprof # <4>
+
+    receivers:
+      otlp:
+        protocols:
+          http: {}
+
+    exporters:
+      otlp:
+
+    service:
+      extensions: [pprof]
+      pipelines:
+        traces:
+          receivers: [otlp]
+          exporters: [otlp]
+# ...
+----
+<1> The endpoint at which this extension listens. Use `localhost:` to make it available only locally or `":"` to make it available on all network interfaces. The default value is `localhost:1777`.
+<2> Sets a fraction of blocking events to be profiled. To disable profiling, set this to `0` or a negative integer. See the link:https://golang.org/pkg/runtime/#SetBlockProfileRate[documentation] for the `runtime` package. The default value is `0`.
+<3> Set a fraction of mutex contention events to be profiled. To disable profiling, set this to `0` or a negative integer. See the link:https://golang.org/pkg/runtime/#SetMutexProfileFraction[documentation] for the `runtime` package. The default value is `0`.
+<4> The name of the file in which the CPU profile is to be saved. Profiling starts when the Collector starts. Profiling is saved to the file when the Collector is terminated.
+
+[id="healthcheck-extension_{context}"]
+== Health Check Extension
+
+The Health Check Extension provides an HTTP URL for checking the status of the OpenTelemetry Collector. You can use this extension as a liveness and readiness probe on OpenShift.
+
+:FeatureName: The Health Check Extension
+include::snippets/technology-preview.adoc[]
+
+.OpenTelemetry Collector custom resource with the configured Health Check Extension
+[source,yaml]
+----
+# ...
+  config: |
+    extensions:
+      health_check:
+        endpoint: "0.0.0.0:13133" # <1>
+        tls: # <2>
+          ca_file: "/path/to/ca.crt"
+          cert_file: "/path/to/cert.crt"
+          key_file: "/path/to/key.key"
+        path: "/health/status" # <3>
+        check_collector_pipeline: # <4>
+          enabled: true # <5>
+          interval: "5m" # <6>
+          exporter_failure_threshold: 5 # <7>
+
+    receivers:
+      otlp:
+        protocols:
+          http: {}
+
+    exporters:
+      otlp:
+
+    service:
+      extensions: [health_check]
+      pipelines:
+        traces:
+          receivers: [otlp]
+          exporters: [otlp]
+# ...
+----
+<1> The target IP address for publishing the health check status. The default is `0.0.0.0:13133`.
+<2> The TLS server-side configuration. Defines paths to TLS certificates. If omitted, the TLS is disabled.
+<3> The path for the health check server. The default is `/`.
+<4> Settings for the Collector pipeline health check.
+<5> Enables the Collector pipeline health check. The default is `false`.
+<6> The time interval for checking the number of failures. The default is `5m`.
+<7> The threshold of multiple failures until which a container is still marked as healthy. The default is `5`.
+
+[id="memory-ballast-extension_{context}"]
+== Memory Ballast Extension
+
+The Memory Ballast Extension enables applications to configure memory ballast for the process.
+
+:FeatureName: The Memory Ballast Extension
+include::snippets/technology-preview.adoc[]
+
+.OpenTelemetry Collector custom resource with the configured Memory Ballast Extension
+[source,yaml]
+----
+# ...
+  config: |
+    extensions:
+      memory_ballast:
+        size_mib: 64 # <1>
+        size_in_percentage: 20 # <2>
+
+    receivers:
+      otlp:
+        protocols:
+          http: {}
+
+    exporters:
+      otlp:
+
+    service:
+      extensions: [memory_ballast]
+      pipelines:
+        traces:
+          receivers: [otlp]
+          exporters: [otlp]
+# ...
+----
+<1> Sets the memory ballast size in MiB. Takes priority over the `size_in_percentage` if both are specified.
+<2> Sets the memory ballast as a percentage, `1`-`100`, of the total memory. Supports containerized and physical host environments.
+
+
+[id="zpages-extension_{context}"]
+== zPages Extension
+
+The zPages Extension provides an HTTP endpoint for extensions that serve zPages. At the endpoint, this extension serves live data for debugging instrumented components. All core exporters and receivers provide some zPages instrumentation.
+
+zPages are useful for in-process diagnostics without having to depend on a back end to examine traces or metrics.
+
+:FeatureName: The zPages Extension
+include::snippets/technology-preview.adoc[]
+
+.OpenTelemetry Collector custom resource with the configured zPages Extension
+[source,yaml]
+----
+# ...
+  config: |
+    extensions:
+      zpages:
+        endpoint: "localhost:55679" # <1>
+
+    receivers:
+      otlp:
+        protocols:
+          http: {}
+    exporters:
+      otlp:
+
+    service:
+      extensions: [zpages]
+      pipelines:
+        traces:
+          receivers: [otlp]
+          exporters: [otlp]
+# ...
+----
+
+<1> Specifies the HTTP endpoint that serves zPages. Use `localhost:` to make it available only locally, or `":"` to make it available on all network interfaces. The default is `localhost:55679`.
diff --git a/observability/otel/otel-collector/otel-collector-processors.adoc b/observability/otel/otel-collector/otel-collector-processors.adoc
new file mode 100644
index 000000000000..c00f419a7461
--- /dev/null
+++ b/observability/otel/otel-collector/otel-collector-processors.adoc
@@ -0,0 +1,432 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="otel-collector-processors"]
+= Processors
+include::_attributes/common-attributes.adoc[]
+:context: otel-collector-processors
+
+toc::[]
+
+Processors process the data between it is received and exported. Processors are optional. By default, no processors are enabled. Processors must be enabled for every data source. Not all processors support all data sources. Depending on the data source, multiple processors might be enabled. Note that the order of processors matters.
+
+[id="batch-processor_{context}"]
+== Batch Processor
+
+The Batch Processor batches traces and metrics to reduce the number of outgoing connections needed to transfer the telemetry information.
+
+.Example of the OpenTelemetry Collector custom resource when using the Batch Processor
+[source,yaml]
+----
+# ...
+  config: |
+    processor:
+      batch:
+        timeout: 5s
+        send_batch_max_size: 10000
+    service:
+      pipelines:
+        traces:
+          processors: [batch]
+        metrics:
+          processors: [batch]
+# ...
+----
+
+.Parameters used by the Batch Processor
+[options="header"]
+[cols="a,a,a"]
+|===
+|Parameter |Description |Default
+
+|`timeout`
+|Sends the batch after a specific time duration and irrespective of the batch size.
+|`200ms`
+
+|`send_batch_size`
+|Sends the batch of telemetry data after the specified number of spans or metrics.
+|`8192`
+
+|`send_batch_max_size`
+|The maximum allowable size of the batch. Must be equal or greater than the `send_batch_size`.
+|`0`
+
+|`metadata_keys`
+|When activated, a batcher instance is created for each unique set of values found in the `client.Metadata`.
+|`[]`
+
+|`metadata_cardinality_limit`
+|When the `metadata_keys` are populated, this configuration restricts the number of distinct metadata key-value combinations processed throughout the duration of the process.
+|`1000`
+|===
+
+[id="memorylimiter-processor_{context}"]
+== Memory Limiter Processor
+
+The Memory Limiter Processor periodically checks the Collector's memory usage and pauses data processing when the soft memory limit is reached. This processor supports traces, metrics, and logs. The preceding component, which is typically a receiver, is expected to retry sending the same data and may apply a backpressure to the incoming data. When memory usage exceeds the hard limit, the Memory Limiter Processor forces garbage collection to run.
+
+.Example of the OpenTelemetry Collector custom resource when using the Memory Limiter Processor
+[source,yaml]
+----
+# ...
+  config: |
+    processor:
+      memory_limiter:
+        check_interval: 1s
+        limit_mib: 4000
+        spike_limit_mib: 800
+    service:
+      pipelines:
+        traces:
+          processors: [batch]
+        metrics:
+          processors: [batch]
+# ...
+----
+
+.Parameters used by the Memory Limiter Processor
+[options="header"]
+[cols="a,a,a"]
+|===
+|Parameter |Description |Default
+
+|`check_interval`
+|Time between memory usage measurements. The optimal value is `1s`. For spiky traffic patterns, you can decrease the `check_interval` or increase the `spike_limit_mib`.
+|`0s`
+
+|`limit_mib`
+|The hard limit, which is the maximum amount of memory in MiB allocated on the heap. Typically, the total memory usage of the OpenTelemetry Collector is about 50 MiB greater than this value.
+|`0`
+
+|`spike_limit_mib`
+|Spike limit, which is the maximum expected spike of memory usage in MiB. The optimal value is approximately 20% of `limit_mib`. To calculate the soft limit, subtract the `spike_limit_mib` from the `limit_mib`.
+|20% of `limit_mib`
+
+|`limit_percentage`
+|Same as the `limit_mib` but expressed as a percentage of the total available memory. The `limit_mib` setting takes precedence over this setting.
+|`0`
+
+|`spike_limit_percentage`
+|Same as the `spike_limit_mib` but expressed as a percentage of the total available memory. Intended to be used with the `limit_percentage` setting.
+|`0`
+
+|===
+
+[id="resource-detection-processor_{context}"]
+== Resource Detection Processor
+
+The Resource Detection Processor identifies host resource details in alignment with OpenTelemetry's resource semantic standards. Using the detected information, this processor can add or replace the resource values in telemetry data. This processor supports traces and metrics. You can use this processor with multiple detectors such as the Docket metadata detector or the `OTEL_RESOURCE_ATTRIBUTES` environment variable detector.
+
+:FeatureName: The Resource Detection Processor
+include::snippets/technology-preview.adoc[]
+
+.{product-title} permissions required for the Resource Detection Processor
+[source,yaml]
+----
+kind: ClusterRole
+metadata:
+  name: otel-collector
+rules:
+- apiGroups: ["config.openshift.io"]
+  resources: ["infrastructures", "infrastructures/status"]
+  verbs: ["get", "watch", "list"]
+# ...
+----
+
+.OpenTelemetry Collector using the Resource Detection Processor
+[source,yaml]
+----
+# ...
+  config: |
+    processor:
+      resourcedetection:
+        detectors: [openshift]
+        override: true
+    service:
+      pipelines:
+        traces:
+          processors: [resourcedetection]
+        metrics:
+          processors: [resourcedetection]
+# ...
+----
+
+.OpenTelemetry Collector using the Resource Detection Processor with an environment variable detector
+[source,yaml]
+----
+# ...
+  config: |
+    processors:
+      resourcedetection/env:
+        detectors: [env] # <1>
+        timeout: 2s
+        override: false
+# ...
+----
+<1> Specifies which detector to use. In this example, the environment detector is specified.
+
+[id="attributes-processor_{context}"]
+== Attributes Processor
+
+The Attributes Processor can modify attributes of a span, log, or metric. You can configure this processor to filter and match input data and include or exclude such data for specific actions.
+
+:FeatureName: The Attributes Processor
+include::snippets/technology-preview.adoc[]
+
+This processor operates on a list of actions, executing them in the order specified in the configuration. The following actions are supported:
+
+Insert:: Inserts a new attribute into the input data when the specified key does not already exist.
+
+Update:: Updates an attribute in the input data if the key already exists.
+
+Upsert:: Combines the insert and update actions: Inserts a new attribute if the key does not exist yet. Updates the attribute if the key already exists.
+
+Delete:: Removes an attribute from the input data.
+
+Hash:: Hashes an existing attribute value as SHA1.
+
+Extract:: Extracts values by using a regular expression rule from the input key to the target keys defined in the rule. If a target key already exists, it is overridden similarly to the Span Processor's `to_attributes` setting with the existing attribute as the source.
+
+Convert:: Converts an existing attribute to a specified type.
+
+.OpenTelemetry Collector using the Attributes Processor
+[source,yaml]
+----
+# ...
+  config: |
+    processors:
+      attributes/example:
+        actions:
+          - key: db.table
+            action: delete
+          - key: redacted_span
+            value: true
+            action: upsert
+          - key: copy_key
+            from_attribute: key_original
+            action: update
+          - key: account_id
+            value: 2245
+            action: insert
+          - key: account_password
+            action: delete
+          - key: account_email
+            action: hash
+          - key: http.status_code
+            action: convert
+            converted_type: int
+# ...
+----
+
+[id="resource-processor_{context}"]
+== Resource Processor
+
+The Resource Processor applies changes to the resource attributes. This processor supports traces, metrics, and logs.
+
+:FeatureName: The Resource Processor
+include::snippets/technology-preview.adoc[]
+
+.OpenTelemetry Collector using the Resource Detection Processor
+[source,yaml]
+----
+# ...
+  config: |
+    processor:
+      attributes:
+      - key: cloud.availability_zone
+        value: "zone-1"
+        action: upsert
+      - key: k8s.cluster.name
+        from_attribute: k8s-cluster
+        action: insert
+      - key: redundant-attribute
+        action: delete
+# ...
+----
+
+Attributes represent the actions that are applied to the resource attributes, such as delete the attribute, insert the attribute, or upsert the attribute.
+
+[id="span-processor_{context}"]
+== Span Processor
+
+The Span Processor modifies the span name based on its attributes or extracts the span attributes from the span name. This processor can also change the span status and include or exclude spans. This processor supports traces.
+
+Span renaming requires specifying attributes for the new name by using the `from_attributes` configuration.
+
+:FeatureName: The Span Processor
+include::snippets/technology-preview.adoc[]
+
+.OpenTelemetry Collector using the Span Processor for renaming a span
+[source,yaml]
+----
+# ...
+  config: |
+    processor:
+      span:
+        name:
+          from_attributes: [<key1>, <key2>, ...] # <1>
+          separator: <value> # <2>
+# ...
+----
+<1> Defines the keys to form the new span name.
+<2> An optional separator.
+
+You can use this processor to extract attributes from the span name.
+
+.OpenTelemetry Collector using the Span Processor for extracting attributes from a span name
+[source,yaml]
+----
+# ...
+  config: |
+    processor:
+      span/to_attributes:
+        name:
+          to_attributes:
+            rules:
+              - ^\/api\/v1\/document\/(?P<documentId>.*)\/update$ # <1>
+# ...
+----
+<1> This rule defines how the extraction is to be executed. You can define more rules: for example, in this case, if the regular expression matches the name, a `documentID` attibute is created. In this example, if the input span name is `/api/v1/document/12345678/update`, this results in the `/api/v1/document/{documentId}/update` output span name, and a new `"documentId"="12345678"` attribute is added to the span.
+
+You can have the span status modified.
+
+.OpenTelemetry Collector using the Span Processor for status change
+[source,yaml]
+----
+# ...
+  config: |
+    processor:
+      span/set_status:
+        status:
+          code: Error
+          description: "<error_description>"
+# ...
+----
+
+[id="kubernetes-attributes-processor_{context}"]
+== Kubernetes Attributes Processor
+
+The Kubernetes Attributes Processor enables automatic configuration of spans, metrics, and log resource attributes by using the Kubernetes metadata.
+This processor supports traces, metrics, and logs.
+This processor automatically identifies the Kubernetes resources, extracts the metadata from them, and incorporates this extracted metadata as resource attributes into relevant spans, metrics, and logs. It utilizes the Kubernetes API to discover all pods operating within a cluster, maintaining records of their IP addresses, pod UIDs, and other relevant metadata. 
+
+:FeatureName: The Kubernetes Attributes Processor
+include::snippets/technology-preview.adoc[]
+
+.Minimum {product-title} permissions required for the Kubernetes Attributes Processor
+[source,yaml]
+----
+kind: ClusterRole
+metadata:
+  name: otel-collector
+rules:
+  - apiGroups: ['']
+    resources: ['pods', 'namespaces']
+    verbs: ['get', 'watch', 'list']
+# ...
+----
+
+.OpenTelemetry Collector using the Kubernetes Attributes Processor
+[source,yaml]
+----
+# ...
+  config: |
+    processors:
+         k8sattributes:
+             filter:
+                 node_from_env_var: KUBE_NODE_NAME
+# ...
+----
+
+[id="filter-processor_{context}"]
+== Filter Processor
+
+The Filter Processor leverages the OpenTelemetry Transformation Language to establish criteria for discarding telemetry data. If any of these conditions are satisfied, the telemetry data are discarded. You can combine the conditions by using the logical OR operator. This processor supports traces, metrics, and logs.
+
+:FeatureName: The Filter Processor
+include::snippets/technology-preview.adoc[]
+
+.OpenTelemetry Collector custom resource with an enabled OTLP Exporter
+[source,yaml]
+----
+# ...
+config: |
+  processors:
+    filter/ottl:
+      error_mode: ignore # <1>
+      traces:
+        span:
+          - 'attributes["container.name"] == "app_container_1"' # <2>
+          - 'resource.attributes["host.name"] == "localhost"' # <3>
+# ...
+----
+<1> Defines the error mode. When set to `ignore`, ignores errors returned by conditions. When set to `propagate`, returns the error up the pipeline. An error causes the payload to be dropped from the Collector.
+<2> Filters the spans that have the `container.name == app_container_1` attribute.
+<3> Filters the spans that have the `host.name == localhost` resource attribute.
+
+[id="routing-processor_{context}"]
+== Routing Processor
+
+The Routing Processor routes logs, metrics, or traces to specific exporters. This processor can read a header from an incoming gRPC or plain HTTP request or read a resource attribute, and then direct the trace information to relevant exporters according to the read value.
+
+:FeatureName: The Routing Processor
+include::snippets/technology-preview.adoc[]
+
+.OpenTelemetry Collector custom resource with an enabled OTLP Exporter
+[source,yaml]
+----
+# ...
+config: |
+  processors:
+    routing:
+      from_attribute: X-Tenant # <1>
+      default_exporters: # <2>
+      - jaeger
+      table: # <3>
+      - value: acme
+        exporters: [jaeger/acme]
+  exporters:
+    jaeger:
+      endpoint: localhost:14250
+    jaeger/acme:
+      endpoint: localhost:24250
+# ...
+----
+<1> The HTTP header name for the lookup value when performing the route.
+<2> The default exporter when the attribute value is not present in the table in the next section.
+<3> The table that defines which values are to be routed to which exporters.
+
+You can optionally create an `attribute_source` configuration, which defines where to look for the attribute in `from_attribute`. The allowed value is `context` to search the context, which includes the HTTP headers, or `resource` to search the resource attributes.
+
+[id="cumulativetodelta-processor_{context}"]
+== Cumulative to Delta Processor
+
+This processor converts monotonic, cumulative-sum, and histogram metrics to monotonic delta metrics.
+
+You can filter metrics by using the `include:` or `exclude:` fields and specifying the `strict` or `regexp` metric name matching.
+
+This processor does not convert non-monotonic sums and exponential histograms.
+
+:FeatureName: The Cumulative to Delta Processor
+include::snippets/technology-preview.adoc[]
+
+.Example of an OpenTelemetry Collector custom resource with an enabled Cumulative to Delta Processor
+[source,yaml]
+----
+# ...
+config: |
+  processors:
+    cumulativetodelta:
+      include: # <1>
+        match_type: strict # <2>
+        metrics: # <3>
+        - <metric_1_name>
+        - <metric_2_name>
+      exclude: # <4>
+        match_type: regexp
+        metrics:
+        - "<regular_expression_for_metric_names>"
+# ...
+----
+<1> Optional: Configures which metrics to include. When omitted, all metrics, except for those listed in the `exclude` field, are converted to delta metrics.
+<2> Defines a value provided in the `metrics` field as a `strict` exact match or `regexp` regular expression.
+<3> Lists the metric names, which are exact matches or matches for regular expressions, of the metrics to be converted to delta metrics. If a metric matches both the `include` and `exclude` filters, the `exclude` filter takes precedence.
+<4> Optional: Configures which metrics to exclude. When omitted, no metrics are excluded from conversion to delta metrics.
diff --git a/observability/otel/otel-collector/otel-collector-receivers.adoc b/observability/otel/otel-collector/otel-collector-receivers.adoc
new file mode 100644
index 000000000000..2d212d9a30e9
--- /dev/null
+++ b/observability/otel/otel-collector/otel-collector-receivers.adoc
@@ -0,0 +1,825 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="otel-collector-receivers"]
+= Receivers
+include::_attributes/common-attributes.adoc[]
+:context: otel-collector-receivers
+
+toc::[]
+
+Receivers get data into the Collector. A receiver can be push or pull based. Generally, a receiver accepts data in a specified format, translates it into the internal format, and passes it to processors and exporters defined in the applicable pipelines. By default, no receivers are configured. One or more receivers must be configured. Receivers may support one or more data sources.
+
+[id="otlp-receiver_{context}"]
+== OTLP Receiver
+
+The OTLP Receiver ingests traces, metrics, and logs by using the OpenTelemetry Protocol (OTLP).
+The OTLP Receiver ingests traces and metrics using the OpenTelemetry protocol (OTLP).
+
+.OpenTelemetry Collector custom resource with an enabled OTLP Receiver
+[source,yaml]
+----
+# ...
+  config: |
+    receivers:
+      otlp:
+        protocols:
+          grpc:
+            endpoint: 0.0.0.0:4317 # <1>
+            tls: # <2>
+              ca_file: ca.pem
+              cert_file: cert.pem
+              key_file: key.pem
+              client_ca_file: client.pem # <3>
+              reload_interval: 1h # <4>
+          http:
+            endpoint: 0.0.0.0:4318 # <5>
+            tls: # <6>
+
+    service:
+      pipelines:
+        traces:
+          receivers: [otlp]
+        metrics:
+          receivers: [otlp]
+# ...
+----
+<1> The OTLP gRPC endpoint. If omitted, the default `+0.0.0.0:4317+` is used.
+<2> The server-side TLS configuration. Defines paths to TLS certificates. If omitted, the TLS is disabled.
+<3> The path to the TLS certificate at which the server verifies a client certificate. This sets the value of `ClientCAs` and `ClientAuth` to `RequireAndVerifyClientCert` in the `TLSConfig`. For more information, see the link:https://godoc.org/crypto/tls#Config[`Config` of the Golang TLS package].
+<4> Specifies the time interval at which the certificate is reloaded. If the value is not set, the certificate is never reloaded. The `reload_interval` field accepts a string containing valid units of time such as `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
+<5> The OTLP HTTP endpoint. The default value is `+0.0.0.0:4318+`.
+<6> The server-side TLS configuration. For more information, see the `grpc` protocol configuration section.
+
+[id="jaeger-receiver_{context}"]
+== Jaeger Receiver
+
+The Jaeger Receiver ingests traces in the Jaeger formats.
+
+.OpenTelemetry Collector custom resource with an enabled Jaeger Receiver
+[source,yaml]
+----
+# ...
+  config: |
+    receivers:
+      jaeger:
+        protocols:
+          grpc:
+            endpoint: 0.0.0.0:14250 # <1>
+          thrift_http:
+            endpoint: 0.0.0.0:14268 # <2>
+          thrift_compact:
+            endpoint: 0.0.0.0:6831 # <3>
+          thrift_binary:
+            endpoint: 0.0.0.0:6832 # <4>
+          tls: # <5>
+
+    service:
+      pipelines:
+        traces:
+          receivers: [jaeger]
+# ...
+----
+<1> The Jaeger gRPC endpoint. If omitted, the default `+0.0.0.0:14250+` is used.
+<2> The Jaeger Thrift HTTP endpoint. If omitted, the default `+0.0.0.0:14268+` is used.
+<3> The Jaeger Thrift Compact endpoint. If omitted, the default `+0.0.0.0:6831+` is used.
+<4> The Jaeger Thrift Binary endpoint. If omitted, the default `+0.0.0.0:6832+` is used.
+<5> The  server-side TLS configuration. See the OTLP Receiver configuration section for more details.
+
+[id="hostmetrics-receiver_{context}"]
+== Host Metrics Receiver
+
+The Host Metrics Receiver ingests metrics in the OTLP format.
+
+:FeatureName: The Host Metrics Receiver
+include::snippets/technology-preview.adoc[]
+
+.OpenTelemetry Collector custom resource with an enabled Host Metrics Receiver
+[source,yaml]
+----
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: otel-hostfs-daemonset
+  namespace: <namespace>
+# ...
+---
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+allowHostDirVolumePlugin: true
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: true
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: true
+allowedCapabilities: null
+defaultAddCapabilities:
+- SYS_ADMIN
+fsGroup:
+  type: RunAsAny
+groups: []
+metadata:
+  name: otel-hostmetrics
+readOnlyRootFilesystem: true
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny
+users:
+- system:serviceaccount:<namespace>:otel-hostfs-daemonset
+volumes:
+- configMap
+- emptyDir
+- hostPath
+- projected
+# ...
+---
+apiVersion: opentelemetry.io/v1alpha1
+kind: OpenTelemetryCollector
+metadata:
+  name: otel
+  namespace: <namespace>
+spec:
+  serviceAccount: otel-hostfs-daemonset
+  mode: daemonset
+  volumeMounts:
+    - mountPath: /hostfs
+      name: host
+      readOnly: true
+  volumes:
+    - hostPath:
+        path: /
+      name: host
+  config: |
+    receivers:
+      hostmetrics:
+        collection_interval: 10s # <1>
+        initial_delay: 1s # <2>
+        root_path: / # <3>
+        scrapers: # <4>
+          cpu:
+          memory:
+          disk:
+    service:
+      pipelines:
+        metrics:
+          receivers: [hostmetrics]
+# ...
+----
+<1> Sets the time interval for host metrics collection. If omitted, the default value is `+1m+`.
+<2> Sets the initial time delay for host metrics collection. If omitted, the default value is `+1s+`.
+<3> Configures the `root_path` so that the Host Metrics Receiver knows where the root filesystem is. If running multiple instances of the Host Metrics Receiver, set the same `root_path` value for each instance.
+<4> Lists the enabled host metrics scrapers. Available scrapers are `cpu`, `disk`, `load`, `filesystem`, `memory`, `network`, `paging`, `processes`, and `process`.
+
+[id="k8sobjectsreceiver-receiver_{context}"]
+== Kubernetes Objects Receiver
+
+The Kubernetes Objects Receiver pulls or watches objects to be collected from the Kubernetes API server.
+This receiver watches primarily Kubernetes events, but it can collect any type of Kubernetes objects.
+This receiver gathers telemetry for the cluster as a whole, so only one instance of this receiver suffices for collecting all the data.
+
+:FeatureName: The Kubernetes Objects Receiver
+include::snippets/technology-preview.adoc[]
+
+.OpenTelemetry Collector custom resource with an enabled Kubernetes Objects Receiver
+[source,yaml]
+----
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: otel-k8sobj
+  namespace: <namespace>
+# ...
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: otel-k8sobj
+  namespace: <namespace>
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - events
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - "events.k8s.io"
+  resources:
+  - events
+  verbs:
+  - watch
+  - list
+# ...
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: otel-k8sobj
+subjects:
+  - kind: ServiceAccount
+    name: otel-k8sobj
+    namespace: <namespace>
+roleRef:
+  kind: ClusterRole
+  name: otel-k8sobj
+  apiGroup: rbac.authorization.k8s.io
+# ...
+---
+apiVersion: opentelemetry.io/v1alpha1
+kind: OpenTelemetryCollector
+metadata:
+  name: otel-k8s-obj
+  namespace: <namespace>
+spec:
+  serviceAccount: otel-k8sobj
+  image: ghcr.io/os-observability/redhat-opentelemetry-collector/redhat-opentelemetry-collector:main
+  mode: deployment
+  config: |
+    receivers:
+      k8sobjects:
+        auth_type: serviceAccount
+        objects:
+          - name: pods # <1>
+            mode: pull # <2>
+            interval: 30s # <3>
+            label_selector: # <4>
+            field_selector: # <5>
+            namespaces: [<namespace>,...] # <6>
+          - name: events
+            mode: watch
+    exporters:
+      debug:
+    service:
+      pipelines:
+        logs:
+          receivers: [k8sobjects]
+          exporters: [debug]
+# ...
+----
+<1> The Resource name that this receiver observes: for example, `pods`, `deployments`, or `events`.
+<2> The observation mode that this receiver uses: `pull` or `watch`.
+<3> Only applicable to the pull mode. The request interval for pulling an object. If omitted, the default value is `+1h+`.
+<4> The label selector to define targets.
+<5> The field selector to filter targets.
+<6> The list of namespaces to collect events from. If omitted, the default value is `+all+`.
+
+[id="kubeletstats-receiver_{context}"]
+== Kubelet Stats Receiver
+
+The Kubelet Stats Receiver extracts metrics related to nodes, pods, containers, and volumes from the kubelet's API server. These metrics are then channeled through the metrics-processing pipeline for additional analysis.
+
+:FeatureName: The Kubelet Stats Receiver
+include::snippets/technology-preview.adoc[]
+
+.OpenTelemetry Collector custom resource with an enabled Kubelet Stats Receiver
+[source,yaml]
+----
+# ...
+config: |
+  receivers:
+    kubeletstats:
+      collection_interval: 20s
+      auth_type: "serviceAccount"
+      endpoint: "https://${env:K8S_NODE_NAME}:10250"
+      insecure_skip_verify: true
+  service:
+    pipelines:
+      metrics:
+        receivers: [kubeletstats]
+env:
+  - name: K8S_NODE_NAME # <1>
+    valueFrom:
+      fieldRef:
+        fieldPath: spec.nodeName
+# ...
+----
+<1> Sets the `K8S_NODE_NAME` to authenticate to the API.
+
+The Kubelet Stats Receiver requires additional permissions for the service account used for running the OpenTelemetry Collector.
+
+.Permissions required by the service account
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: otel-collector
+rules:
+  - apiGroups: ['']
+    resources: ['nodes/stats']
+    verbs: ['get', 'watch', 'list']
+  - apiGroups: [""]
+    resources: ["nodes/proxy"] # <1>
+    verbs: ["get"]
+# ...
+----
+<1> The permissions required when using the `extra_metadata_labels` or `request_utilization` or `limit_utilization` metrics.
+
+[id="prometheus-receiver_{context}"]
+== Prometheus Receiver
+
+The Prometheus Receiver scrapes the metrics endpoints.
+
+:FeatureName: The Prometheus Receiver
+include::snippets/technology-preview.adoc[]
+
+.OpenTelemetry Collector custom resource with an enabled Prometheus Receiver
+[source,yaml]
+----
+# ...
+  config: |
+    receivers:
+        prometheus:
+          config:
+            scrape_configs: # <1>
+              - job_name: 'my-app'  # <2>
+                scrape_interval: 5s # <3>
+                static_configs:
+                  - targets: ['my-app.example.svc.cluster.local:8888'] # <4>
+    service:
+      pipelines:
+        metrics:
+          receivers: [prometheus]
+# ...
+----
+<1> Scrapes configurations using the Prometheus format.
+<2> The Prometheus job name.
+<3> The lnterval for scraping the metrics data. Accepts time units. The default value is `1m`.
+<4> The targets at which the metrics are exposed. This example scrapes the metrics from a `my-app` application in the `example` project.
+
+[id="zipkin-receiver_{context}"]
+== Zipkin Receiver
+
+The Zipkin Receiver ingests traces in the Zipkin v1 and v2 formats.
+
+.OpenTelemetry Collector custom resource with the enabled Zipkin Receiver
+[source,yaml]
+----
+# ...
+  config: |
+    receivers:
+      zipkin:
+        endpoint: 0.0.0.0:9411 # <1>
+        tls: # <2>
+    service:
+      pipelines:
+        traces:
+          receivers: [zipkin]
+# ...
+----
+<1> The Zipkin HTTP endpoint. If omitted, the default `+0.0.0.0:9411+` is used.
+<2> The server-side TLS configuration. See the OTLP Receiver configuration section for more details.
+
+[id="kafka-receiver_{context}"]
+== Kafka Receiver
+
+The Kafka Receiver receives traces, metrics, and logs from Kafka in the OTLP format.
+
+:FeatureName: The Kafka Receiver
+include::snippets/technology-preview.adoc[]
+
+.OpenTelemetry Collector custom resource with the enabled Kafka Receiver
+[source,yaml]
+----
+# ...
+  config: |
+    receivers:
+      kafka:
+        brokers: ["localhost:9092"] # <1>
+        protocol_version: 2.0.0 # <2>
+        topic: otlp_spans # <3>
+        auth:
+          plain_text: # <4>
+            username: example
+            password: example
+          tls: # <5>
+            ca_file: ca.pem
+            cert_file: cert.pem
+            key_file: key.pem
+            insecure: false # <6>
+            server_name_override: kafka.example.corp # <7>
+    service:
+      pipelines:
+        traces:
+          receivers: [kafka]
+# ...
+----
+<1> The list of Kafka brokers. The default is `+localhost:9092+`.
+<2> The Kafka protocol version. For example, `+2.0.0+`. This is a required field.
+<3> The name of the Kafka topic to read from. The default is `+otlp_spans+`.
+<4> The plain text authentication configuration. If omitted, plain text authentication is disabled.
+<5> The client-side TLS configuration. Defines paths to the TLS certificates. If omitted, TLS authentication is disabled.
+<6> Disables verifying the server's certificate chain and host name. The default is `+false+`.
+<7> ServerName indicates the name of the server requested by the client to support virtual hosting.
+
+[id="k8scluster-receiver_{context}"]
+== Kubernetes Cluster Receiver
+
+The Kubernetes Cluster Receiver gathers cluster metrics and entity events from the Kubernetes API server. It uses the Kubernetes API to receive information about updates. Authentication for this receiver is only supported through service accounts.
+
+:FeatureName: The Kubernetes Cluster Receiver
+include::snippets/technology-preview.adoc[]
+
+.OpenTelemetry Collector custom resource with the enabled Kubernetes Cluster Receiver
+[source,yaml]
+----
+# ...
+  receivers:
+    k8s_cluster:
+      distribution: openshift
+      collection_interval: 10s
+  exporters:
+    debug:
+  service:
+    pipelines:
+      metrics:
+        receivers: [k8s_cluster]
+        exporters: [debug]
+      logs/entity_events:
+        receivers: [k8s_cluster]
+        exporters: [debug]
+# ...
+----
+
+This receiver requires a configured service account, RBAC rules for the cluster role, and the cluster role binding that binds the RBAC with the service account.
+
+.`ServiceAccount` object
+[source,yaml]
+----
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: otelcontribcol
+  name: otelcontribcol
+# ...
+----
+
+.RBAC rules for the `ClusterRole` object
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: otelcontribcol
+  labels:
+    app: otelcontribcol
+rules:
+- apiGroups:
+  - quota.openshift.io
+  resources:
+  - clusterresourcequotas
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  - namespaces
+  - namespaces/status
+  - nodes
+  - nodes/spec
+  - pods
+  - pods/status
+  - replicationcontrollers
+  - replicationcontrollers/status
+  - resourcequotas
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  - deployments
+  - replicasets
+  - statefulsets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - extensions
+  resources:
+  - daemonsets
+  - deployments
+  - replicasets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  - cronjobs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+    - autoscaling
+  resources:
+    - horizontalpodautoscalers
+  verbs:
+    - get
+    - list
+    - watch
+# ...
+----
+
+.`ClusterRoleBinding` object
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: otelcontribcol
+  labels:
+    app: otelcontribcol
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: otelcontribcol
+subjects:
+- kind: ServiceAccount
+  name: otelcontribcol
+  namespace: default
+# ...
+----
+
+[id="opencensus-receiver_{context}"]
+== OpenCensus Receiver
+
+The OpenCensus Receiver provides backwards compatibility with the OpenCensus project for easier migration of instrumented codebases. It receives metrics and traces in the OpenCensus format via gRPC or HTTP and Json.
+
+.OpenTelemetry Collector custom resource with the enabled OpenCensus Receiver
+[source,yaml]
+----
+# ...
+  config: |
+    receivers:
+      opencensus:
+        endpoint: 0.0.0.0:9411 # <1>
+        tls: # <2>
+        cors_allowed_origins: # <3>
+          - https://*.<example>.com
+    service:
+      pipelines:
+        traces:
+          receivers: [opencensus]
+# ...
+----
+<1> The OpenCensus endpoint. If omitted, the default is `+0.0.0.0:55678+`.
+<2> The server-side TLS configuration. See the OTLP Receiver configuration section for more details.
+<3> You can also use the HTTP JSON endpoint to optionally configure CORS, which is enabled by specifying a list of allowed CORS origins in this field.
+Wildcards with `+*+` are accepted under the `cors_allowed_origins`.
+To match any origin, enter only `+*+`.
+
+[id="filelog-receiver_{context}"]
+== Filelog Receiver
+
+The Filelog Receiver tails and parses logs from files.
+
+:FeatureName: The Filelog Receiver
+include::snippets/technology-preview.adoc[]
+
+.OpenTelemetry Collector custom resource with the enabled Filelog Receiver that tails a text file
+[source,yaml]
+----
+# ...
+receivers:
+  filelog:
+    include: [ /simple.log ] # <1>
+    operators: # <2>
+      - type: regex_parser
+        regex: '^(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<sev>[A-Z]*) (?P<msg>.*)$'
+        timestamp:
+          parse_from: attributes.time
+          layout: '%Y-%m-%d %H:%M:%S'
+        severity:
+          parse_from: attributes.sev
+# ...
+----
+<1> A list of file glob patterns that match the file paths to be read.
+<2> An array of Operators. Each Operator performs a simple task such as parsing a timestamp or JSON. To process logs into a desired format, chain the Operators together.
+
+[id="journald-receiver_{context}"]
+== Journald Receiver
+
+The Journald Receiver parses *journald* events from the *systemd* journal and sends them as logs.
+
+:FeatureName: The Journald Receiver
+include::snippets/technology-preview.adoc[]
+
+.OpenTelemetry Collector custom resource with the enabled Journald Receiver
+[source,yaml]
+----
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: otel-journald
+  labels:
+    security.openshift.io/scc.podSecurityLabelSync: "false"
+    pod-security.kubernetes.io/enforce: "privileged"
+    pod-security.kubernetes.io/audit: "privileged"
+    pod-security.kubernetes.io/warn: "privileged"
+# ...
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: privileged-sa
+  namespace: otel-journald
+# ...
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: otel-journald-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:scc:privileged
+subjects:
+- kind: ServiceAccount
+  name: privileged-sa
+  namespace: otel-journald
+# ...
+---
+apiVersion: opentelemetry.io/v1alpha1
+kind: OpenTelemetryCollector
+metadata:
+  name: otel-journald-logs
+  namespace: otel-journald
+spec:
+  mode: daemonset
+  serviceAccount: privileged-sa
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - CHOWN
+      - DAC_OVERRIDE
+      - FOWNER
+      - FSETID
+      - KILL
+      - NET_BIND_SERVICE
+      - SETGID
+      - SETPCAP
+      - SETUID
+    readOnlyRootFilesystem: true
+    seLinuxOptions:
+      type: spc_t
+    seccompProfile:
+      type: RuntimeDefault
+  config: |
+    receivers:
+      journald:
+        files: /var/log/journal/*/*
+        priority: info # <1>
+        units: # <2>
+          - kubelet
+          - crio
+          - init.scope
+          - dnsmasq
+        all: true # <3>
+        retry_on_failure:
+          enabled: true # <4>
+          initial_interval: 1s # <5>
+          max_interval: 30s # <6>
+          max_elapsed_time: 5m # <7>
+    processors:
+    exporters:
+      debug:
+        verbosity: detailed
+    service:
+      pipelines:
+        logs:
+          receivers: [journald]
+          exporters: [debug]
+  volumeMounts:
+  - name: journal-logs
+    mountPath: /var/log/journal/
+    readOnly: true
+  volumes:
+  - name: journal-logs
+    hostPath:
+      path: /var/log/journal
+  tolerations:
+  - key: node-role.kubernetes.io/master
+    operator: Exists
+    effect: NoSchedule
+# ...
+----
+<1> Filters output by message priorities or priority ranges. The default value is `info`.
+<2> Lists the units to read entries from. If empty, entries are read from all units.
+<3> Includes very long logs and logs with unprintable characters. The default value is `false`.
+<4> If set to `true`, the receiver pauses reading a file and attempts to resend the current batch of logs when encountering an error from downstream components. The default value is `false`.
+<5> The time interval to wait after the first failure before retrying. The default value is `1s`. The units are `ms`, `s`, `m`, `h`.
+<6> The upper bound for the retry backoff interval. When this value is reached, the time interval between consecutive retry attempts remains constant at this value. The default value is `30s`. The supported units are `ms`, `s`, `m`, `h`.
+<7> The maximum time interval, including retry attempts, for attempting to send a logs batch to a downstream consumer. When this value is reached, the data are discarded. If the set value is `0`, retrying never stops. The default value is `5m`. The supported units are `ms`, `s`, `m`, `h`.
+
+[id="kubernetesevents-receiver_{context}"]
+== Kubernetes Events Receiver
+
+The Kubernetes Events Receiver collects events from the Kubernetes API server. The collected events are converted into logs.
+
+:FeatureName: The Kubernetes Events Receiver
+include::snippets/technology-preview.adoc[]
+
+.OpenShift Container Platform permissions required for the Kubernetes Events Receiver
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: otel-collector
+  labels:
+    app: otel-collector
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - events
+  - namespaces
+  - namespaces/status
+  - nodes
+  - nodes/spec
+  - pods
+  - pods/status
+  - replicationcontrollers
+  - replicationcontrollers/status
+  - resourcequotas
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  - deployments
+  - replicasets
+  - statefulsets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - extensions
+  resources:
+  - daemonsets
+  - deployments
+  - replicasets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  - cronjobs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+    - autoscaling
+  resources:
+    - horizontalpodautoscalers
+  verbs:
+    - get
+    - list
+    - watch
+# ...
+----
+
+.OpenTelemetry Collector custom resource with the enabled Kubernetes Event Receiver
+[source,yaml]
+----
+# ...
+  serviceAccount: otel-collector # <1>
+  config: |
+    receivers:
+      k8s_events:
+        namespaces: [project1, project2] # <2>
+    service:
+      pipelines:
+        logs:
+          receivers: [k8s_events]
+# ...
+----
+<1> The service account of the Collector that has the required ClusterRole `otel-collector` RBAC.
+<2> The list of namespaces to collect events from. The default value is empty, which means that all namespaces are collected.
diff --git a/modules/otel-config-target-allocator.adoc b/observability/otel/otel-collector/otel-collector-target-allocator.adoc
similarity index 71%
rename from modules/otel-config-target-allocator.adoc
rename to observability/otel/otel-collector/otel-collector-target-allocator.adoc
index 471ac3af2482..25bca34e2e19 100644
--- a/modules/otel-config-target-allocator.adoc
+++ b/observability/otel/otel-collector/otel-collector-target-allocator.adoc
@@ -1,17 +1,17 @@
-// Module included in the following assemblies:
-//
-// * observability/otel/otel-configuration-of-collector.adoc
+:_mod-docs-content-type: ASSEMBLY
+[id="otel-collector-target-allocator"]
+= Target Allocator
+include::_attributes/common-attributes.adoc[]
+:context: otel-collector-target-allocator
 
-:_mod-docs-content-type: REFERENCE
-[id="otel-config-target-allocator_{context}"]
-= Target allocator
+toc::[]
 
-:FeatureName: The target allocator
-include::snippets/technology-preview.adoc[]
+The Target Allocator is an optional component of the OpenTelemetry Operator that shards scrape targets across the deployed fleet of OpenTelemetry Collector instances. The Target Allocator integrates with the Prometheus `PodMonitor` and `ServiceMonitor` custom resources (CR). When the Target Allocator is enabled, the OpenTelemetry Operator adds the `http_sd_config` field to the enabled `prometheus` receiver that connects to the Target Allocator service.
 
-The target allocator is an optional component of the OpenTelemetry Operator that shards scrape targets across the deployed fleet of OpenTelemetry Collector instances. The target allocator integrates with the Prometheus `PodMonitor` and `ServiceMonitor` custom resources (CR). When the target allocator is enabled, the OpenTelemetry Operator adds the `http_sd_config` field to the enabled `prometheus` receiver that connects to the target allocator service.
+:FeatureName: The Target Allocator
+include::snippets/technology-preview.adoc[]
 
-.Example OpenTelemetryCollector CR with the enabled target allocator
+.Example OpenTelemetryCollector CR with the enabled Target Allocator
 [source,yaml]
 ----
 apiVersion: opentelemetry.io/v1alpha1
@@ -38,25 +38,26 @@ spec:
           scrape_configs: []
     processors:
     exporters:
-      debug:
+      debug: {}
     service:
       pipelines:
         metrics:
           receivers: [prometheus]
           processors: []
           exporters: [debug]
+# ...
 ----
-<1> When the target allocator is enabled, the deployment mode must be set to `statefulset`.
-<2> Enables the target allocator. Defaults to `false`.
-<3> The service account name of the target allocator deployment. The service account needs to have RBAC to get the `ServiceMonitor`, `PodMonitor` custom resources, and other objects from the cluster to properly set labels on scraped metrics. The default service name is `<collector_name>-targetallocator`.
+<1> When the Target Allocator is enabled, the deployment mode must be set to `statefulset`.
+<2> Enables the Target Allocator. Defaults to `false`.
+<3> The service account name of the Target Allocator deployment. The service account needs to have RBAC to get the `ServiceMonitor`, `PodMonitor` custom resources, and other objects from the cluster to properly set labels on scraped metrics. The default service name is `<collector_name>-targetallocator`.
 <4> Enables integration with the Prometheus `PodMonitor` and `ServiceMonitor` custom resources.
 <5> Label selector for the Prometheus `ServiceMonitor` custom resources. When left empty, enables all service monitors.
 <6> Label selector for the Prometheus `PodMonitor` custom resources. When left empty, enables all pod monitors.
 <7> Prometheus receiver with the minimal, empty `scrape_config: []` configuration option.
 
-The target allocator deployment uses the Kubernetes API to get relevant objects from the cluster, so it requires a custom RBAC configuration.
+The Target Allocator deployment uses the Kubernetes API to get relevant objects from the cluster, so it requires a custom RBAC configuration.
 
-.RBAC configuration for the target allocator service account
+.RBAC configuration for the Target Allocator service account
 [source,yaml]
 ----
 apiVersion: rbac.authorization.k8s.io/v1
@@ -91,6 +92,7 @@ subjects:
   - kind: ServiceAccount
     name: otel-targetallocator # <1>
     namespace: observability # <2>
+# ...
 ----
-<1> The name of the target allocator service account mane.
-<2> The namespace of the target allocator service account.
+<1> The name of the Target Allocator service account mane.
+<2> The namespace of the Target Allocator service account.
diff --git a/observability/otel/otel-collector/snippets b/observability/otel/otel-collector/snippets
new file mode 120000
index 000000000000..5a3f5add140e
--- /dev/null
+++ b/observability/otel/otel-collector/snippets
@@ -0,0 +1 @@
+../../snippets/
\ No newline at end of file
diff --git a/observability/otel/otel-config-multicluster.adoc b/observability/otel/otel-config-multicluster.adoc
index d66a19674846..735a1c34d5e2 100644
--- a/observability/otel/otel-config-multicluster.adoc
+++ b/observability/otel/otel-config-multicluster.adoc
@@ -171,19 +171,19 @@ spec:
     receivers:
       jaeger:
         protocols:
-          grpc:
-          thrift_binary:
-          thrift_compact:
-          thrift_http:
+          grpc: {}
+          thrift_binary: {}
+          thrift_compact: {}
+          thrift_http: {}
       opencensus:
       otlp:
         protocols:
-          grpc:
-          http:
-      zipkin:
+          grpc: {}
+          http: {}
+      zipkin: {}
     processors:
-      batch:
-      k8sattributes:
+      batch: {}
+      k8sattributes: {}
       memory_limiter:
         check_interval: 1s
         limit_percentage: 50
@@ -240,7 +240,7 @@ spec:
               key_file: /certs/server.key
               client_ca_file: /certs/ca.crt
     exporters:
-      logging:
+      logging: {}
       otlp:
         endpoint: "tempo-<simplest>-distributor:4317" # <2>
         tls:
diff --git a/observability/otel/otel-configuration-of-otel-collector.adoc b/observability/otel/otel-configuration-of-otel-collector.adoc
index 1b859d992407..468c0b301467 100644
--- a/observability/otel/otel-configuration-of-otel-collector.adoc
+++ b/observability/otel/otel-configuration-of-otel-collector.adoc
@@ -9,5 +9,4 @@ toc::[]
 The {OTELName} Operator uses a custom resource definition (CRD) file that defines the architecture and configuration settings to be used when creating and deploying the {OTELShortName} resources. You can install the default configuration or modify the file.
 
 include::modules/otel-collector-config-options.adoc[leveloffset=+1]
-include::modules/otel-collector-components.adoc[leveloffset=+1]
-include::modules/otel-config-target-allocator.adoc[leveloffset=+1]
+include::modules/otel-creating-required-RBAC-resources-automatically.adoc[leveloffset=+1]
diff --git a/observability/otel/otel-configuring-metrics-for-monitoring-stack.adoc b/observability/otel/otel-configuring-metrics-for-monitoring-stack.adoc
new file mode 100644
index 000000000000..7c36bb042a5f
--- /dev/null
+++ b/observability/otel/otel-configuring-metrics-for-monitoring-stack.adoc
@@ -0,0 +1,31 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="otel-configuring-metrics-for-monitoring-stack"]
+= Configuring metrics for the monitoring stack
+include::_attributes/common-attributes.adoc[]
+:context: otel-configuring-metrics-for-monitoring-stack
+
+toc::[]
+
+As a cluster administrator, you can configure the OpenTelemetry Collector custom resource (CR) to perform the following tasks:
+
+* Create a Prometheus `ServiceMonitor` CR for scraping the Collector’s pipeline metrics and the enabled Prometheus exporters.
+
+* Configure the Prometheus receiver to scrape metrics from the in-cluster monitoring stack.
+
+include::modules/otel-config-send-metrics-monitoring-stack.adoc[leveloffset=+1]
+include::modules/otel-config-receive-metrics-monitoring-stack.adoc[leveloffset=+1]
+
+[id="additional-resources_otel-configuring-metrics-for-monitoring-stack"]
+== Additional resources
+
+// * xref:../monitoring/accessing-third-party-monitoring-apis.adoc#monitoring-querying-metrics-by-using-the-federation-endpoint-for-prometheus[Querying metrics by using the federation endpoint for Prometheus]
+
+//* xref:../monitoring/accessing-third-party-monitoring-apis.adoc#monitoring-querying-metrics-by-using-the-federation-endpoint-for-prometheus_accessing-third-party-monitoring-apis[Querying metrics by using the federation endpoint for Prometheus]
+
+//* xref:../monitoring/accessing-third-party-monitoring-apis.adoc#monitoring-querying-metrics-by-using-the-federation-endpoint-for-prometheus[Querying metrics by using the federation endpoint for Prometheus]
+
+//* xref:../monitoring/accessing-third-party-monitoring-apis.adoc#monitoring-querying-metrics-by-using-the-federation-endpoint-for-prometheus_accessing-monitoring-apis-by-using-the-cli[Querying metrics by using the federation endpoint for Prometheus]
+
+//* xref:../monitoring/accessing-third-party-monitoring-apis.adoc#accessing-third-party-monitoring-apis_monitoring-querying-metrics-by-using-the-federation-endpoint-for-prometheus[Querying metrics by using the federation endpoint for Prometheus]
+
+* xref:../monitoring/accessing-third-party-monitoring-apis.adoc#monitoring-querying-metrics-by-using-the-federation-endpoint-for-prometheus_accessing-monitoring-apis-by-using-the-cli[Querying metrics by using the federation endpoint for Prometheus]
diff --git a/observability/otel/otel-forwarding.adoc b/observability/otel/otel-forwarding.adoc
index 9f528f827e78..d5b0eb837a74 100644
--- a/observability/otel/otel-forwarding.adoc
+++ b/observability/otel/otel-forwarding.adoc
@@ -79,19 +79,19 @@ spec:
     receivers:
       jaeger:
         protocols:
-          grpc:
-          thrift_binary:
-          thrift_compact:
-          thrift_http:
-      opencensus:
+          grpc: {}
+          thrift_binary: {}
+          thrift_compact: {}
+          thrift_http: {}
+      opencensus: {}
       otlp:
         protocols:
-          grpc:
-          http:
-      zipkin:
+          grpc: {}
+          http: {}
+      zipkin: {}
     processors:
-      batch:
-      k8sattributes:
+      batch: {}
+      k8sattributes: {}
       memory_limiter:
         check_interval: 1s
         limit_percentage: 50
diff --git a/observability/otel/otel_rn/otel-rn-3-1-1.adoc b/observability/otel/otel_rn/otel-rn-3-1-1.adoc
deleted file mode 100644
index 3aca5652fabf..000000000000
--- a/observability/otel/otel_rn/otel-rn-3-1-1.adoc
+++ /dev/null
@@ -1,20 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-include::_attributes/common-attributes.adoc[]
-[id="otel-rn-3-1-1"]
-= Release notes for {OTELName} 3.1.1
-:context: otel-rn-3-1-1
-
-toc::[]
-
-include::modules/otel-product-overview.adoc[leveloffset=+1]
-
-The {OTELName} is provided through the {OTELOperator}.
-
-[id="otel-rn_3-1-1_cves"]
-== CVEs
-
-This release fixes link:https://access.redhat.com/security/cve/cve-2023-39326[CVE-2023-39326].
-
-include::modules/support.adoc[leveloffset=+1]
-
-include::modules/making-open-source-more-inclusive.adoc[leveloffset=+1]
diff --git a/observability/otel/otel_rn/otel-rn-3-2-1.adoc b/observability/otel/otel_rn/otel-rn-3-2-1.adoc
new file mode 100644
index 000000000000..b48d4ce6ef80
--- /dev/null
+++ b/observability/otel/otel_rn/otel-rn-3-2-1.adoc
@@ -0,0 +1,74 @@
+:_mod-docs-content-type: ASSEMBLY
+include::_attributes/common-attributes.adoc[]
+[id="otel-rn-3-2-1"]
+= Release notes for {OTELName} 3.2.1
+:context: otel-rn-3-2-1
+
+toc::[]
+
+include::modules/otel-product-overview.adoc[leveloffset=+1]
+
+The {OTELName} is provided through the {OTELOperator}.
+
+[id="otel-rn_3-2-1_cves_{context}"]
+== CVEs
+
+This release fixes the following CVEs:
+
+* link:https://access.redhat.com/security/cve/CVE-2024-25062/[CVE-2024-25062]
+* link:https://opentelemetry.io/blog/2024/cve-2024-36129/[Upstream CVE-2024-36129]
+
+////
+[id="otel-rn_3-2-1_technology-preview-features_{context}"]
+== Technology Preview features
+
+This update introduces the following Technology Preview features:
+
+* 
+
+:FeatureName: Each of these features
+include::snippets/technology-preview.adoc[leveloffset=+1]
+////
+
+[id="otel-rn_3-2-1_new-features-and-enhancements_{context}"]
+== New features and enhancements
+
+This update introduces the following enhancement:
+
+* {OTELName} 3.2.1 is based on the open source link:https://opentelemetry.io/[OpenTelemetry] release 0.102.1.
+
+////
+[id="otel-rn_3-2-1_jaeger-release-notes_deprecated-functionality_{context}"]
+== Deprecated functionality
+
+In the {OTELName} 3.2.1, ...
+////
+
+////
+[id="otel-rn_3-2-1_removal-notice_{context}"]
+== Removal notice
+
+In the {OTELName} 3.2.1, the FEATURE has been removed. Bug fixes and support are provided only through the end of the 3.? lifecycle. As an alternative to the FEATURE for USE CASE, you can use the ALTERNATIVE instead.
+////
+
+////
+[id="otel-rn_3-2-1_bug-fixes_{context}"]
+== Bug fixes
+
+This update introduces the following bug fix:
+
+* Before this update, the checkbox to enable Operator monitoring was not available in the web console when installing the {OTELOperator}. As a result, a *ServiceMonitor* resource was not created in the `openshift-opentelemetry-operator` namespace. With this update, the checkbox appears for the {OTELOperator} in the web console so that Operator monitoring can be enabled during installation. (link:https://issues.redhat.com/browse/TRACING-3761[TRACING-3761])
+////
+
+////
+[id="otel-rn_3-2-1_known-issues_{context}"]
+== Known issues
+
+There are currently known issues:
+
+* ???
+////
+
+include::modules/support.adoc[leveloffset=+1]
+
+include::modules/making-open-source-more-inclusive.adoc[leveloffset=+1]
diff --git a/observability/otel/otel_rn/otel-rn-past-releases.adoc b/observability/otel/otel_rn/otel-rn-past-releases.adoc
index 9f0b35bdcfd0..defb5ffc6fad 100644
--- a/observability/otel/otel_rn/otel-rn-past-releases.adoc
+++ b/observability/otel/otel_rn/otel-rn-past-releases.adoc
@@ -8,12 +8,90 @@ toc::[]
 
 include::modules/otel-product-overview.adoc[leveloffset=+1]
 
-[id="otel-rn-3-1"]
+[id="otel-rn-3-2_{context}"]
+== Release notes for {OTELName} 3.2
+
+The {OTELName} is provided through the {OTELOperator}.
+
+////
+[id="otel-rn_3-2_cves_{context}"]
+=== CVEs
+
+This release fixes link:https://access.redhat.com/security/cve/cve-202?-?????[CVE-202?-?????].
+////
+
+[id="otel-rn_3-2_technology-preview-features_{context}"]
+=== Technology Preview features
+
+This update introduces the following Technology Preview features:
+
+* Host Metrics Receiver
+* OIDC Auth Extension
+* Kubernetes Cluster Receiver
+* Kubernetes Events Receiver
+* Kubernetes Objects Receiver
+* Load-Balancing Exporter
+* Kubelet Stats Receiver
+* Cumulative to Delta Processor
+* Forward Connector
+* Journald Receiver
+* Filelog Receiver
+* File Storage Extension
+
+:FeatureName: Each of these features
+include::snippets/technology-preview.adoc[leveloffset=+1]
+
+[id="otel-rn_3-2_new-features-and-enhancements_{context}"]
+=== New features and enhancements
+
+This update introduces the following enhancement:
+
+* {OTELName} 3.2 is based on the open source link:https://opentelemetry.io/[OpenTelemetry] release 0.100.0.
+
+[id="otel-rn_3-2_jaeger-release-notes_deprecated-functionality_{context}"]
+=== Deprecated functionality
+
+In {OTELName} 3.2, use of empty values and `null` keywords in the OpenTelemetry Collector custom resource is deprecated and planned to be unsupported in a future release. Red Hat will provide bug fixes and support for this syntax during the current release lifecycle, but this syntax will become unsupported. As an alternative to empty values and `null` keywords, you can update the OpenTelemetry Collector custom resource to contain empty JSON objects as open-closed braces `{}` instead.
+
+////
+[id="otel-rn_3-2_removal-notice_{context}"]
+=== Removal notice
+
+In the {OTELName} 3.2, the FEATURE has been removed. Bug fixes and support are provided only through the end of the 3.? lifecycle. As an alternative to the FEATURE for USE CASE, you can use the ALTERNATIVE instead.
+////
+
+[id="otel-rn_3-2_bug-fixes_{context}"]
+=== Bug fixes
+
+This update introduces the following bug fix:
+
+* Before this update, the checkbox to enable Operator monitoring was not available in the web console when installing the {OTELOperator}. As a result, a *ServiceMonitor* resource was not created in the `openshift-opentelemetry-operator` namespace. With this update, the checkbox appears for the {OTELOperator} in the web console so that Operator monitoring can be enabled during installation. (link:https://issues.redhat.com/browse/TRACING-3761[TRACING-3761])
+
+////
+[id="otel-rn_3-2_known-issues_{context}"]
+=== Known issues
+
+There are currently known issues:
+
+* ???
+////
+
+[id="otel-rn-3-1-1_{context}"]
+== Release notes for {OTELName} 3.1.1
+
+The {OTELName} is provided through the {OTELOperator}.
+
+[id="otel-rn_3-1-1_cves_{context}"]
+=== CVEs
+
+This release fixes link:https://access.redhat.com/security/cve/cve-2023-39326[CVE-2023-39326].
+
+[id="otel-rn-3-1_{context}"]
 == Release notes for {OTELName} 3.1
 
 The {OTELName} is provided through the {OTELOperator}.
 
-[id="otel-rn_3-1_technology-preview-features"]
+[id="otel-rn_3-1_technology-preview-features_{context}"]
 === Technology Preview features
 
 This update introduces the following Technology Preview feature:
@@ -27,7 +105,7 @@ This update introduces the following Technology Preview feature:
 :FeatureName: The target allocator
 include::snippets/technology-preview.adoc[leveloffset=+1]
 
-[id="otel-rn_3-1_new-features-and-enhancements"]
+[id="otel-rn_3-1_new-features-and-enhancements_{context}"]
 === New features and enhancements
 
 //plural: `enhancements:`
@@ -36,29 +114,29 @@ This update introduces the following enhancement:
 * {OTELName} 3.1 is based on the open source link:https://opentelemetry.io/[OpenTelemetry] release 0.93.0.
 
 ////
-[id="otel-rn_3-1_removal-notice"]
+[id="otel-rn_3-1_removal-notice_{context}"]
 ==== Removal notice
 *
 ////
 
 ////
-[id="otel-rn_3-1_bug-fixes"]
+[id="otel-rn_3-1_bug-fixes_{context}"]
 ==== Bug fixes
 This update introduces the following bug fixes:
 * Fixed support for ...
 ////
 
 ////
-[id="otel-rn_3-1_known-issues"]
+[id="otel-rn_3-1_known-issues_{context}"]
 ==== Known issues
 //There is currently a known issue:
 //There are currently known issues:
 ////
 
-[id="otel-rn_3-0"]
+[id="otel-rn_3-0_{context}"]
 == Release notes for {OTELName} 3.0
 
-[id="otel-rn_3-0_new-features-and-enhancements"]
+[id="otel-rn_3-0_new-features-and-enhancements_{context}"]
 === New features and enhancements
 
 This update introduces the following enhancements:
@@ -72,25 +150,25 @@ This update introduces the following enhancements:
 * The {OTELOperator} creates the Prometheus `ServiceMonitor` custom resource if the Prometheus exporter is enabled.
 * The Operator enables the `Instrumentation` custom resource that allows injecting upstream OpenTelemetry auto-instrumentation libraries.
 
-[id="otel-rn_3-0_removal-notice"]
+[id="otel-rn_3-0_removal-notice_{context}"]
 === Removal notice
 
 In {OTELName} 3.0, the Jaeger exporter has been removed. Bug fixes and support are provided only through the end of the 2.9 lifecycle. As an alternative to the Jaeger exporter for sending data to the Jaeger collector, you can use the OTLP exporter instead.
 
-[id="otel-rn_3-0_bug-fixes"]
+[id="otel-rn_3-0_bug-fixes_{context}"]
 === Bug fixes
 
 This update introduces the following bug fixes:
 
 * Fixed support for disconnected environments when using the `oc adm catalog mirror` CLI command.
 
-[id="otel-rn_3-0_known-issues"]
+[id="otel-rn_3-0_known-issues_{context}"]
 === Known issues
 
 There is currently a known issue:
 //There are currently known issues:
 
-* Curently, the cluster monitoring of the {OTELOperator} is disabled due to a bug (link:https://issues.redhat.com/browse/TRACING-3761[TRACING-3761]). The bug is preventing the cluster monitoring from scraping metrics from the {OTELOperator} due to a missing label `openshift.io/cluster-monitoring=true` that is required for the cluster monitoring and service monitor object.
+* Currently, the cluster monitoring of the {OTELOperator} is disabled due to a bug (link:https://issues.redhat.com/browse/TRACING-3761[TRACING-3761]). The bug is preventing the cluster monitoring from scraping metrics from the {OTELOperator} due to a missing label `openshift.io/cluster-monitoring=true` that is required for the cluster monitoring and service monitor object.
 +
 .Workaround
 +
@@ -158,7 +236,7 @@ subjects:
   namespace: openshift-monitoring
 ----
 
-[id="otel-rn_2-9-2"]
+[id="otel-rn_2-9-2_{context}"]
 == Release notes for {OTELName} 2.9.2
 
 :FeatureName: The {OTELName}
@@ -166,12 +244,12 @@ include::snippets/technology-preview.adoc[leveloffset=+1]
 
 {OTELName} 2.9.2 is based on the open source link:https://opentelemetry.io/[OpenTelemetry] release 0.81.0.
 
-[id="otel-rn_2-9-2_cves"]
+[id="otel-rn_2-9-2_cves_{context}"]
 === CVEs
 
 * This release fixes link:https://bugzilla.redhat.com/show_bug.cgi?id=2246470[CVE-2023-46234].
 
-[id="otel-rn_2-9-2_known-issues"]
+[id="otel-rn_2-9-2_known-issues_{context}"]
 === Known issues
 
 There is currently a known issue:
@@ -179,7 +257,7 @@ There is currently a known issue:
 
 * Currently, you must manually set link:https://operatorframework.io/operator-capabilities/[Operator maturity] to Level IV, Deep Insights. (link:https://issues.redhat.com/browse/TRACING-3431[TRACING-3431])
 
-[id="otel-rn_2-9-1"]
+[id="otel-rn_2-9-1_{context}"]
 == Release notes for {OTELName} 2.9.1
 
 :FeatureName: The {OTELName}
@@ -187,12 +265,12 @@ include::snippets/technology-preview.adoc[leveloffset=+1]
 
 {OTELName} 2.9.1 is based on the open source link:https://opentelemetry.io/[OpenTelemetry] release 0.81.0.
 
-[id="otel-rn_2-9-1_cves"]
+[id="otel-rn_2-9-1_cves_{context}"]
 === CVEs
 
 * This release fixes link:https://access.redhat.com/security/cve/cve-2023-44487[CVE-2023-44487].
 
-[id="otel-rn_2-9-1_known-issues"]
+[id="otel-rn_2-9-1_known-issues_{context}"]
 === Known issues
 
 There is currently a known issue:
@@ -200,7 +278,7 @@ There is currently a known issue:
 
 * Currently, you must manually set link:https://operatorframework.io/operator-capabilities/[Operator maturity] to Level IV, Deep Insights. (link:https://issues.redhat.com/browse/TRACING-3431[TRACING-3431])
 
-[id="otel-rn_2-9"]
+[id="otel-rn_2-9_{context}"]
 == Release notes for {OTELName} 2.9
 
 :FeatureName: The {OTELName}
@@ -208,7 +286,7 @@ include::snippets/technology-preview.adoc[leveloffset=+1]
 
 {OTELName} 2.9 is based on the open source link:https://opentelemetry.io/[OpenTelemetry] release 0.81.0.
 
-[id="otel-rn_2-9_new-features-and-enhancements"]
+[id="otel-rn_2-9_new-features-and-enhancements_{context}"]
 === New features and enhancements
 
 This release introduces the following enhancements for the {OTELShortName}:
@@ -224,18 +302,18 @@ This release introduces the following enhancements for the {OTELShortName}:
 * Support the `managed` and `unmanaged` states in the `OpenTelemetryCollector` custom resouce.
 
 ////
-[id="otel-rn_2-9_technology-preview-features"]
+[id="otel-rn_2-9_technology-preview-features_{context}"]
 ==== Technology Preview features
 None.
 ////
 
 ////
-[id="otel-rn_2-9_bug-fixes"]
+[id="otel-rn_2-9_bug-fixes_{context}"]
 ==== Bug fixes
 None.
 ////
 
-[id="otel-rn_2-9_known-issues"]
+[id="otel-rn_2-9_known-issues_{context}"]
 === Known issues
 
 There is currently a known issue:
@@ -243,7 +321,7 @@ There is currently a known issue:
 
 * Currently, you must manually set link:https://operatorframework.io/operator-capabilities/[Operator maturity] to Level IV, Deep Insights. (link:https://issues.redhat.com/browse/TRACING-3431[TRACING-3431])
 
-[id="otel-rn_2-8"]
+[id="otel-rn_2-8_{context}"]
 == Release notes for {OTELName} 2.8
 
 :FeatureName: The {OTELName}
@@ -251,18 +329,18 @@ include::snippets/technology-preview.adoc[leveloffset=+1]
 
 {OTELName} 2.8 is based on the open source link:https://opentelemetry.io/[OpenTelemetry] release 0.74.0.
 
-[id="otel-rn_2-8_bug-fixes"]
+[id="otel-rn_2-8_bug-fixes_{context}"]
 === Bug fixes
 
 This release addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes.
 
 ////
-[id="otel-rn_2-8_known-issues"]
+[id="otel-rn_2-8_known-issues_{context}"]
 == Known issues
 None.
 ////
 
-[id="otel-rn_2-7"]
+[id="otel-rn_2-7_{context}"]
 == Release notes for {OTELName} 2.7
 
 :FeatureName: The {OTELName}
@@ -270,12 +348,12 @@ include::snippets/technology-preview.adoc[leveloffset=+1]
 
 {OTELName} 2.7 is based on the open source link:https://opentelemetry.io/[OpenTelemetry] release 0.63.1.
 
-[id="otel-rn_2-7_bug-fixes"]
+[id="otel-rn_2-7_bug-fixes_{context}"]
 === Bug fixes
 
 This release addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes.
 
-[id="otel-rn_2-6"]
+[id="otel-rn_2-6_{context}"]
 == Release notes for {OTELName} 2.6
 
 :FeatureName: The {OTELName}
@@ -283,12 +361,12 @@ include::snippets/technology-preview.adoc[leveloffset=+1]
 
 {OTELName} 2.6 is based on the open source link:https://opentelemetry.io/[OpenTelemetry] release 0.60.
 
-[id="otel-rn_2-6_bug-fixes"]
+[id="otel-rn_2-6_bug-fixes_{context}"]
 === Bug fixes
 
 This release addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes.
 
-[id="otel-rn_2-5"]
+[id="otel-rn_2-5_{context}"]
 == Release notes for {OTELName} 2.5
 
 :FeatureName: The {OTELName}
@@ -296,19 +374,19 @@ include::snippets/technology-preview.adoc[leveloffset=+1]
 
 {OTELName} 2.5 is based on the open source link:https://opentelemetry.io/[OpenTelemetry] release 0.56.
 
-[id="otel-rn_2-5_new-features-and-enhancements"]
+[id="otel-rn_2-5_new-features-and-enhancements_{context}"]
 === New features and enhancements
 
 This update introduces the following enhancement:
 
 * Support for collecting Kubernetes resource attributes to the {OTELName} Operator.
 
-[id="otel-rn_2-5_bug-fixes"]
+[id="otel-rn_2-5_bug-fixes_{context}"]
 === Bug fixes
 
 This release addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes.
 
-[id="otel-rn_2-4"]
+[id="otel-rn_2-4_{context}"]
 == Release notes for {OTELName} 2.4
 
 :FeatureName: The {OTELName}
@@ -316,18 +394,18 @@ include::snippets/technology-preview.adoc[leveloffset=+1]
 
 {OTELName} 2.4 is based on the open source link:https://opentelemetry.io/[OpenTelemetry] release 0.49.
 
-[id="otel-rn_2-4_bug-fixes"]
+[id="otel-rn_2-4_bug-fixes_{context}"]
 === Bug fixes
 
 This release addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes.
 
 ////
-[id="otel-rn_2-4_known-issues"]
+[id="otel-rn_2-4_known-issues_{context}"]
 === Known issues
 None.
 ////
 
-[id="otel-rn_2-3"]
+[id="otel-rn_2-3_{context}"]
 == Release notes for {OTELName} 2.3
 
 :FeatureName: The {OTELName}
@@ -337,18 +415,18 @@ include::snippets/technology-preview.adoc[leveloffset=+1]
 
 {OTELName} 2.3.0 is based on the open source link:https://opentelemetry.io/[OpenTelemetry] release 0.44.0.
 
-[id="otel-rn_2-3_bug-fixes"]
+[id="otel-rn_2-3_bug-fixes_{context}"]
 === Bug fixes
 
 This release addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes.
 
 ////
-[id="otel-rn_2-3_known-issues"]
+[id="otel-rn_2-3_known-issues_{context}"]
 === Known issues
 None.
 ////
 
-[id="otel-rn_2-2"]
+[id="otel-rn_2-2_{context}"]
 == Release notes for {OTELName} 2.2
 
 :FeatureName: The {OTELName}
@@ -356,23 +434,23 @@ include::snippets/technology-preview.adoc[leveloffset=+1]
 
 {OTELName} 2.2 is based on the open source link:https://opentelemetry.io/[OpenTelemetry] release 0.42.0.
 
-[id="otel-rn_2-2_technology-preview-features"]
+[id="otel-rn_2-2_technology-preview-features_{context}"]
 === Technology Preview features
 
 The unsupported OpenTelemetry Collector components included in the 2.1 release are removed.
 
-[id="otel-rn_2-2_bug-fixes"]
+[id="otel-rn_2-2_bug-fixes_{context}"]
 === Bug fixes
 
 This release addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes.
 
 ////
-[id="otel-rn_2-2_known-issues"]
+[id="otel-rn_2-2_known-issues_{context}"]
 === Known issues
 None.
 ////
 
-[id="otel-rn_2-1"]
+[id="otel-rn_2-1_{context}"]
 == Release notes for {OTELName} 2.1
 
 :FeatureName: The {OTELName}
@@ -380,7 +458,7 @@ include::snippets/technology-preview.adoc[leveloffset=+1]
 
 {OTELName} 2.1 is based on the open source link:https://opentelemetry.io/[OpenTelemetry] release 0.41.1.
 
-[id="otel-rn_2-1_technology-preview-features"]
+[id="otel-rn_2-1_technology-preview-features_{context}"]
 === Technology Preview features
 
 This release introduces a breaking change to how to configure certificates in the OpenTelemetry custom resource file. With this update, the `ca_file` moves under `tls` in the custom resource, as shown in the following examples.
@@ -412,18 +490,18 @@ spec:
           ca_file: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
 ----
 
-[id="otel-rn_2-1_bug-fixes"]
+[id="otel-rn_2-1_bug-fixes_{context}"]
 === Bug fixes
 
 This release addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes.
 
 ////
-[id="otel-rn_2-1_known-issues"]
+[id="otel-rn_2-1_known-issues_{context}"]
 === Known issues
 None.
 ////
 
-[id="otel-rn_2-0"]
+[id="otel-rn_2-0_{context}"]
 == Release notes for {OTELName} 2.0
 
 :FeatureName: The {OTELName}
@@ -434,7 +512,7 @@ include::snippets/technology-preview.adoc[leveloffset=+1]
 This release adds the {OTELName} as a link:https://access.redhat.com/support/offerings/techpreview/[Technology Preview], which you install using the {OTELName} Operator. {OTELName} is based on the link:https://opentelemetry.io/[OpenTelemetry] APIs and instrumentation. The {OTELName} includes the OpenTelemetry Operator and Collector. You can use the Collector to receive traces in the OpenTelemetry or Jaeger protocol and send the trace data to the {OTELName}. Other capabilities of the Collector are not supported at this time. The OpenTelemetry Collector allows developers to instrument their code with vendor agnostic APIs, avoiding vendor lock-in and enabling a growing ecosystem of observability tooling.
 
 ////
-[id="otel-rn_2-0_known-issues"]
+[id="otel-rn_2-0_known-issues_{context}"]
 === Known issues
 None.
 ////
diff --git a/observability/power_monitoring/configuring-power-monitoring.adoc b/observability/power_monitoring/configuring-power-monitoring.adoc
index 545604f1f31c..732e032cb292 100644
--- a/observability/power_monitoring/configuring-power-monitoring.adoc
+++ b/observability/power_monitoring/configuring-power-monitoring.adoc
@@ -14,3 +14,5 @@ The `{PM-kepler}` resource is a Kubernetes custom resource definition (CRD) that
 include::modules/power-monitoring-kepler-configuration.adoc[leveloffset=+1]
 
 include::modules/power-monitoring-monitoring-kepler-status.adoc[leveloffset=+1]
+
+include::modules/power-monitoring-configuring-kepler-redfish.adoc[leveloffset=+1]
diff --git a/openshift_images/configuring-samples-operator.adoc b/openshift_images/configuring-samples-operator.adoc
index 9416855d47df..6df75cc56011 100644
--- a/openshift_images/configuring-samples-operator.adoc
+++ b/openshift_images/configuring-samples-operator.adoc
@@ -23,15 +23,9 @@ The Cluster Samples Operator, which operates in the `openshift` namespace, insta
 endif::openshift-rosa,openshift-dedicated[]
 
 [IMPORTANT]
-.Cluster Samples Operator is being downsized  
+.The Cluster Samples Operator is being deprecated  
 ====
-* Starting from {product-title} 4.13, Cluster Samples Operator is downsized. Cluster Samples Operator will stop providing the following updates for non-Source-to-Image (Non-S2I) image streams and templates:
-- new image streams and templates
-- updates to the existing image streams and templates unless it is a CVE update
-
-* Cluster Samples Operator will provide support for Non-S2I image streams and templates as per the link:https://access.redhat.com/support/policy/updates/openshift#dates[{product-title} lifecycle policy dates and support guidelines].
-
-* Cluster Samples Operator will continue to support the S2I builder image streams and templates and accept the updates. S2I image streams and templates include:
+* Starting from {product-title} 4.16, the Cluster Samples Operator is deprecated. No new templates, samples, or non-Source-to-Image (Non-S2I) image streams will be added to the Cluster Samples Operator. However, the existing S2I builder image streams and templates will continue to receive updates until the Cluster Samples Operator is removed in a future release. S2I image streams and templates include:
 - Ruby
 - Python
 - Node.js
@@ -45,7 +39,7 @@ endif::openshift-rosa,openshift-dedicated[]
 - .NET
 - Go
 
-* Starting from {product-title} 4.16, Cluster Samples Operator will stop managing non-S2I image streams and templates. You can contact the image stream or template owner for any requirements and future plans. In addition, refer to the link:https://github.com/openshift/library/blob/master/official.yaml[list of the repositories hosting the image stream or templates].
+* The Cluster Samples Operator will stop managing and providing support to the non-S2I samples (image streams and templates). You can contact the image stream or template owner for any requirements and future plans. In addition, refer to the link:https://github.com/openshift/library/blob/master/official.yaml[list of the repositories hosting the image stream or templates].
 ====
 
 include::modules/samples-operator-overview.adoc[leveloffset=+1]
diff --git a/operators/admin/olm-managing-po.adoc b/operators/admin/olm-managing-po.adoc
deleted file mode 100644
index a9f17134d25c..000000000000
--- a/operators/admin/olm-managing-po.adoc
+++ /dev/null
@@ -1,55 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-[id="olm-managing-po"]
-= Managing platform Operators (Technology Preview)
-include::_attributes/common-attributes.adoc[]
-:context: olm-managing-po
-
-toc::[]
-
-A platform Operator is an OLM-based Operator that can be installed during or after an OpenShift Container Platform cluster's Day 0 operations and participates in the cluster's lifecycle. As a cluster administrator, you can manage platform Operators by using the `PlatformOperator` API.
-
-:FeatureName: The platform Operator type
-include::snippets/technology-preview.adoc[]
-
-include::modules/arch-platform-operators.adoc[leveloffset=+1]
-[role="_additional-resources"]
-.Additional resources
-
-* xref:../../operators/understanding/olm-packaging-format.adoc#olm-rukpak-about_olm-packaging-format[RukPak component and packaging format]
-* xref:../../installing/cluster-capabilities.adoc#cluster-capabilities[Cluster capabilities]
-
-include::modules/olm-po-techpreview.adoc[leveloffset=+2]
-
-[id="prerequisites_olm-managing-po"]
-== Prerequisites
-
-- Access to an {product-title} cluster using an account with `cluster-admin` permissions.
-- The `TechPreviewNoUpgrades` feature set enabled on the cluster.
-+
-[WARNING]
-====
-Enabling the `TechPreviewNoUpgrade` feature set cannot be undone and prevents minor version updates. These feature sets are not recommended on production clusters.
-====
-- Only the `redhat-operators` catalog source enabled on the cluster. This is a restriction during the Technology Preview release.
-- The `oc` command installed on your workstation.
-
-[role="_additional-resources"]
-.Additional resources
-
-* xref:../../nodes/clusters/nodes-cluster-enabling-features.adoc#nodes-cluster-enabling[Enabling features using feature gates]
-* xref:../../operators/admin/olm-managing-custom-catalogs.adoc#olm-restricted-networks-operatorhub_olm-managing-custom-catalogs[Disabling the default OperatorHub catalog sources]
-
-include::modules/olm-installing-po-during.adoc[leveloffset=+1]
-[role="_additional-resources"]
-.Additional resources
-
-* xref:../../installing/installing-preparing.adoc#installing-preparing[Selecting a cluster installation method and preparing it for users]
-* xref:../../operators/admin/olm-managing-po.adoc#olm-po-techpreview_olm-managing-po[Technology Preview restrictions for platform Operators]
-
-include::modules/olm-installing-po-after.adoc[leveloffset=+1]
-[role="_additional-resources"]
-.Additional resources
-
-* xref:../../operators/admin/olm-managing-po.adoc#olm-po-techpreview_olm-managing-po[Technology Preview restrictions for platform Operators]
-
-include::modules/olm-deleting-po.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/operators/olm_v1/arch/olmv1-components.adoc b/operators/olm_v1/arch/olmv1-components.adoc
index dab015326d2a..0d8317b170db 100644
--- a/operators/olm_v1/arch/olmv1-components.adoc
+++ b/operators/olm_v1/arch/olmv1-components.adoc
@@ -11,10 +11,10 @@ include::snippets/technology-preview.adoc[]
 
 {olmv1-first} comprises the following component projects:
 
-Operator Controller:: xref:../../../operators/olm_v1/arch/olmv1-operator-controller.adoc#olmv1-operator-controller[Operator Controller] is the central component of {olmv1} that extends Kubernetes with an API through which users can install and manage the lifecycle of Operators and extensions. It consumes information from each of the following components.
+Operator Controller:: xref:../../../operators/olm_v1/arch/olmv1-operator-controller.adoc#olmv1-operator-controller[Operator Controller] is the central component of {olmv1} that extends Kubernetes with an API through which users can install and manage the lifecycle of Operators and extensions. It consumes information from catalogd.
 
 RukPak:: xref:../../../operators/olm_v1/arch/olmv1-rukpak.adoc#olmv1-rukpak[RukPak] is a pluggable solution for packaging and distributing cloud-native content. It supports advanced strategies for installation, updates, and policy.
 +
 RukPak provides a content ecosystem for installing a variety of artifacts on a Kubernetes cluster. Artifact examples include Git repositories, Helm charts, and OLM bundles. RukPak can then manage, scale, and upgrade these artifacts in a safe way to enable powerful cluster extensions.
 
-Catalogd:: xref:../../../operators/olm_v1/arch/olmv1-catalogd.adoc#olmv1-catalogd[Catalogd] is a Kubernetes extension that unpacks file-based catalog (FBC) content packaged and shipped in container images for consumption by on-cluster clients. As a component of the {olmv1} microservices architecture, catalogd hosts metadata for Kubernetes extensions packaged by the authors of the extensions, and as a result helps users discover installable content.
\ No newline at end of file
+Catalogd:: xref:../../../operators/olm_v1/arch/olmv1-catalogd.adoc#olmv1-catalogd[Catalogd] is a Kubernetes extension that unpacks file-based catalog (FBC) content packaged and shipped in container images for consumption by on-cluster clients. As a component of the {olmv1} microservices architecture, catalogd hosts metadata for Kubernetes extensions packaged by the authors of the extensions, and as a result helps users discover installable content.
diff --git a/operators/olm_v1/arch/olmv1-dependency.adoc b/operators/olm_v1/arch/olmv1-dependency.adoc
index d22382ba7bf6..bfd803a4b62c 100644
--- a/operators/olm_v1/arch/olmv1-dependency.adoc
+++ b/operators/olm_v1/arch/olmv1-dependency.adoc
@@ -6,9 +6,9 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-{olmv1-first} uses a dependency manager for resolving constraints over catalogs of RukPak bundles.
+{olmv1-first} uses a dependency manager for resolving constraints over catalogs of bundles.
 
 :FeatureName: {olmv1}
 include::snippets/technology-preview.adoc[]
 
-include::modules/olmv1-dependency-concepts.adoc[leveloffset=+1]
\ No newline at end of file
+include::modules/olmv1-dependency-concepts.adoc[leveloffset=+1]
diff --git a/operators/olm_v1/arch/olmv1-operator-controller.adoc b/operators/olm_v1/arch/olmv1-operator-controller.adoc
index eaef47c665c3..3d17717f136b 100644
--- a/operators/olm_v1/arch/olmv1-operator-controller.adoc
+++ b/operators/olm_v1/arch/olmv1-operator-controller.adoc
@@ -6,15 +6,15 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-Operator Controller is the central component of {olmv1-first} and consumes the other {olmv1} components, RukPak and catalogd. It extends Kubernetes with an API through which users can install Operators and extensions.
+Operator Controller is the central component of {olmv1-first} and consumes the other {olmv1} component, catalogd. It extends Kubernetes with an API through which users can install Operators and extensions.
 
 :FeatureName: {olmv1}
 include::snippets/technology-preview.adoc[]
 
-include::modules/olmv1-operator-api.adoc[leveloffset=+1]
+include::modules/olmv1-clusterextension-api.adoc[leveloffset=+1]
 [role="_additional-resources"]
 .Additional resources
 
 * xref:../../../operators/understanding/olm/olm-colocation.adoc#olm-colocation[Operator Lifecycle Manager (OLM) -> Multitenancy and Operator colocation]
 
-include::modules/olmv1-about-target-versions.adoc[leveloffset=+2]
\ No newline at end of file
+include::modules/olmv1-about-target-versions.adoc[leveloffset=+2]
diff --git a/operators/olm_v1/arch/olmv1-rukpak.adoc b/operators/olm_v1/arch/olmv1-rukpak.adoc
index bc455af6a68a..1160dbcd5a17 100644
--- a/operators/olm_v1/arch/olmv1-rukpak.adoc
+++ b/operators/olm_v1/arch/olmv1-rukpak.adoc
@@ -16,8 +16,8 @@ include::modules/olm-rukpak-provisioner.adoc[leveloffset=+1]
 
 include::modules/olm-rukpak-bundle.adoc[leveloffset=+1]
 include::modules/olm-rukpak-bundle-immutability.adoc[leveloffset=+2]
-include::modules/olm-rukpak-plain-bundle.adoc[leveloffset=+2]
 include::modules/olm-rukpak-registry-bundle.adoc[leveloffset=+2]
+
 [role="_additional-resources"]
 .Additional resources
 
diff --git a/operators/olm_v1/index.adoc b/operators/olm_v1/index.adoc
index b57a37841ac7..cc577992e847 100644
--- a/operators/olm_v1/index.adoc
+++ b/operators/olm_v1/index.adoc
@@ -6,34 +6,41 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-Operator Lifecycle Manager (OLM) has been included with {product-title} 4 since its initial release. {product-title} 4.14 introduces components for a next-generation iteration of OLM as a Technology Preview feature, known during this phase as _{olmv1}_. This updated framework evolves many of the concepts that have been part of previous versions of OLM and adds new capabilities.
+{olm-first} has been included with {product-title} 4 since its initial release. {product-title} 4.16 includes components for a next-generation iteration of {olm} as a Technology Preview feature, known during this phase as _{olmv1}_. This updated framework evolves many of the concepts that have been part of previous versions of {olm} and adds new capabilities.
 
 :FeatureName: {olmv1}
 include::snippets/technology-preview.adoc[]
 
-During this Technology Preview phase of {olmv1} in {product-title} 4.14, administrators can explore the following features:
+[id="olmv1-highlights_{context}"]
+== Highlights
+
+During this Technology Preview phase of {olmv1} in {product-title} 4.16, administrators can explore the following highlights:
 
 Fully declarative model that supports GitOps workflows::
-{olmv1} simplifies Operator management through two key APIs:
+{olmv1} simplifies extension management through two key APIs:
 +
 --
-* A new `Operator` API, provided as `operator.operators.operatorframework.io` by the new Operator Controller component, streamlines management of installed Operators by consolidating user-facing APIs into a single object. This empowers administrators and SREs to automate processes and define desired states by using GitOps principles.
-* The `Catalog` API, provided by the new catalogd component, serves as the foundation for {olmv1}, unpacking catalogs for on-cluster clients so that users can discover installable content, such as Operators and Kubernetes extensions. This provides increased visibility into all available Operator bundle versions, including their details, channels, and update edges.
+* A new `ClusterExtension` API streamlines management of installed extensions, which includes Operators via the `registry+v1` bundle format, by consolidating user-facing APIs into a single object. This API, provided as `clusterextension.olm.operatorframework.io` by the new Operator Controller component, empowers administrators and SREs to automate processes and define desired states by using GitOps principles.
++
+[NOTE]
+====
+Earlier Technology Preview phases of {olmv1} introduced a new `Operator` API; this API is renamed `ClusterExtension` in {product-title} 4.16 to address the following:
+
+* More accurately reflects the simplified functionality of extending a cluster's capabilities
+* Better represents a more flexible packaging format
+* `Cluster` prefix clearly indicates that `ClusterExtension` objects are cluster-scoped, a change from {olmv0} where Operators could be either namespace-scoped or cluster-scoped
+====
+* The `Catalog` API, provided by the new catalogd component, serves as the foundation for {olmv1}, unpacking catalogs for on-cluster clients so that users can discover installable content, such as Kubernetes extensions and Operators. This provides increased visibility into all available Operator bundle versions, including their details, channels, and update edges.
 --
 +
 For more information, see xref:../../operators/olm_v1/arch/olmv1-operator-controller.adoc#olmv1-operator-controller[Operator Controller] and xref:../../operators/olm_v1/arch/olmv1-catalogd.adoc#olmv1-catalogd[Catalogd].
 
-Improved control over Operator updates::
-With improved insight into catalog content, administrators can specify target versions for installation and updates. This grants administrators more control over the target version of Operator updates. For more information, see xref:../../operators/olm_v1/olmv1-installing-an-operator-from-a-catalog.adoc#olmv1-updating-an-operator_olmv1-installing-operator[Updating an Operator].
+Improved control over extension updates::
+With improved insight into catalog content, administrators can specify target versions for installation and updates. This grants administrators more control over the target version of extension updates. For more information, see xref:../../operators/olm_v1/olmv1-installing-an-operator-from-a-catalog.adoc#olmv1-updating-an-operator_olmv1-installing-operator[Updating an cluster extension].
 
-Flexible Operator packaging format::
-Administrators can use file-based catalogs to install and manage the following types of content:
-+
---
-* OLM-based Operators, similar to the existing OLM experience
-* _Plain bundles_, which are static collections of arbitrary Kubernetes manifests
---
+Flexible extension packaging format::
+Administrators can use file-based catalogs to install and manage extensions, such as {olm}-based Operators, similar to the {olmv0} experience.
 +
-In addition, bundle size is no longer constrained by the etcd value size limit. For more information, see xref:../../operators/olm_v1/olmv1-installing-an-operator-from-a-catalog.adoc#olmv1-installing-an-operator-from-a-catalog[Installing an Operator from a catalog] and xref:../../operators/olm_v1/olmv1-managing-plain-bundles.adoc#olmv1-managing-plain-bundles[Managing plain bundles].
+In addition, bundle size is no longer constrained by the etcd value size limit. For more information, see xref:../../operators/olm_v1/olmv1-installing-an-operator-from-a-catalog.adoc#olmv1-installing-an-operator-from-a-catalog[Installing an Operator from a catalog].
 
-include::modules/olmv1-about-purpose.adoc[leveloffset=+1]
\ No newline at end of file
+include::modules/olmv1-about-purpose.adoc[leveloffset=+1]
diff --git a/operators/olm_v1/olmv1-installing-an-operator-from-a-catalog.adoc b/operators/olm_v1/olmv1-installing-an-operator-from-a-catalog.adoc
index 07b429930ece..219b264327a0 100644
--- a/operators/olm_v1/olmv1-installing-an-operator-from-a-catalog.adoc
+++ b/operators/olm_v1/olmv1-installing-an-operator-from-a-catalog.adoc
@@ -13,7 +13,7 @@ In the current Technology Preview release of {olmv1-first}, you manage catalogs
 :FeatureName: {olmv1}
 include::snippets/technology-preview.adoc[]
 
-[id="prerequisites_olmv1-installing-an-operator-from-a-catalog"]
+[id="prerequisites_{context}"]
 == Prerequisites
 
 * Access to an {product-title} cluster using an account with `cluster-admin` permissions
@@ -21,7 +21,7 @@ include::snippets/technology-preview.adoc[]
 --
 include::snippets/olmv1-cli-only.adoc[]
 --
-* The `TechPreviewNoUpgrades` feature set enabled on the cluster
+* The `TechPreviewNoUpgrade` feature set enabled on the cluster
 +
 [WARNING]
 ====
@@ -69,11 +69,45 @@ include::modules/olmv1-updating-an-operator.adoc[leveloffset=+1]
 * xref:../../operators/olm_v1/olmv1-installing-an-operator-from-a-catalog.adoc#olmv1-about-target-versions_olmv1-installing-operator[Example custom resources (CRs) that specify a target version]
 * xref:../../operators/olm_v1/olmv1-installing-an-operator-from-a-catalog.adoc#olmv1-version-range-comparisons_olmv1-installing-operator[Version comparison strings]
 
-include::modules/olmv1-semver-support.adoc[leveloffset=+2]
+[id="upgrade-constraint-semantics_{context}"]
+== Upgrade constraint semantics
+
+When determining upgrade edges for an installed cluster extension, {olmv1-first} supports {olmv0} semantics starting in {product-title} 4.16. This support follows the behavior from {olmv0}, including `replaces`, `skips`, and `skipRange` directives, with a few noted differences.
+
+By supporting {olmv0} semantics, {olmv1} now honors the upgrade graph from catalogs accurately.
+
+.Differences from original {olmv0} implementation
+
+* If there are multiple possible successors, {olmv1} behavior differs in the following ways:
+** In {olmv0}, the successor closest to the channel head is chosen.
+** In {olmv1}, the successor with the highest semantic version (semver) is chosen.
+
+* Consider the following set of file-based catalog (FBC) channel entries:
++
+[source,yaml]
+----
+# ...
+- name: example.v3.0.0
+  skips: ["example.v2.0.0"]
+- name: example.v2.0.0
+  skipRange: >=1.0.0 <2.0.0
+----
++
+If `1.0.0` is installed, {olmv1} behavior differs in the following ways:
++
+--
+** {olmv0-caps} will not see an upgrade edge to `v2.0.0` because `v2.0.0` is skipped and not on the `replaces` chain.
+** {olmv1} will see the upgrade edge because {olmv1} does not have a concept of a `replaces` chain. {olmv1} finds all entries that have a `replace`, `skip`, or `skipRange` value that covers the currently installed version.
+--
+
+[NOTE]
+====
+Support for semantic versioning (semver) upgrade constraints was introduced in {product-title} 4.15 but disabled in 4.16 in favor of {olmv0} semantics during this Technology Preview phase.
+====
 
 [role="_additional-resources"]
 .Additional resources
-* xref:../../operators/olm_v1/olmv1-installing-an-operator-from-a-catalog.adoc#olmv1-forcing-an-update-or-rollback_olmv1-installing-operator[Forcing an update or rollback]
+* xref:../../operators/understanding/olm/olm-workflow.adoc#olm-upgrades_olm-workflow[{olmv0-caps} upgrade semantics]
 
 include::modules/olmv1-version-range-support.adoc[leveloffset=+2]
 
diff --git a/operators/operator_sdk/ansible/osdk-ansible-cr-status.adoc b/operators/operator_sdk/ansible/osdk-ansible-cr-status.adoc
index 33116265974a..de952fad9ee2 100644
--- a/operators/operator_sdk/ansible/osdk-ansible-cr-status.adoc
+++ b/operators/operator_sdk/ansible/osdk-ansible-cr-status.adoc
@@ -6,5 +6,7 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
+include::snippets/osdk-deprecation.adoc[]
+
 include::modules/osdk-ansible-cr-status-about.adoc[leveloffset=+1]
 include::modules/osdk-ansible-cr-status-manual.adoc[leveloffset=+1]
diff --git a/operators/operator_sdk/ansible/osdk-ansible-inside-operator.adoc b/operators/operator_sdk/ansible/osdk-ansible-inside-operator.adoc
index f7cccfb93b60..dff4c10ee12e 100644
--- a/operators/operator_sdk/ansible/osdk-ansible-inside-operator.adoc
+++ b/operators/operator_sdk/ansible/osdk-ansible-inside-operator.adoc
@@ -8,6 +8,8 @@ toc::[]
 
 After you are familiar with xref:../../../operators/operator_sdk/ansible/osdk-ansible-k8s-collection.adoc#osdk-ansible-k8s-collection[using the Kubernetes Collection for Ansible locally], you can trigger the same Ansible logic inside of an Operator when a custom resource (CR) changes. This example maps an Ansible role to a specific Kubernetes resource that the Operator watches. This mapping is done in the `watches.yaml` file.
 
+include::snippets/osdk-deprecation.adoc[]
+
 include::modules/osdk-ansible-custom-resource-files.adoc[leveloffset=+1]
 include::modules/osdk-ansible-inside-operator-local.adoc[leveloffset=+1]
 include::modules/osdk-run-deployment.adoc[leveloffset=+1]
diff --git a/operators/operator_sdk/ansible/osdk-ansible-k8s-collection.adoc b/operators/operator_sdk/ansible/osdk-ansible-k8s-collection.adoc
index 5d982029a900..98c112a9ad82 100644
--- a/operators/operator_sdk/ansible/osdk-ansible-k8s-collection.adoc
+++ b/operators/operator_sdk/ansible/osdk-ansible-k8s-collection.adoc
@@ -8,6 +8,8 @@ toc::[]
 
 To manage the lifecycle of your application on Kubernetes using Ansible, you can use the link:https://galaxy.ansible.com/community/kubernetes[Kubernetes Collection for Ansible]. This collection of Ansible modules allows a developer to either leverage their existing Kubernetes resource files written in YAML or express the lifecycle management in native Ansible.
 
+include::snippets/osdk-deprecation.adoc[]
+
 One of the biggest benefits of using Ansible in conjunction with existing Kubernetes resource files is the ability to use Jinja templating so that you can customize resources with the simplicity of a few variables in Ansible.
 
 This section goes into detail on usage of the Kubernetes Collection. To get started, install the collection on your local workstation and test it using a playbook before moving on to using it within an Operator.
diff --git a/operators/operator_sdk/ansible/osdk-ansible-project-layout.adoc b/operators/operator_sdk/ansible/osdk-ansible-project-layout.adoc
index 5d0b2fa85a58..dcfa17ee5cf8 100644
--- a/operators/operator_sdk/ansible/osdk-ansible-project-layout.adoc
+++ b/operators/operator_sdk/ansible/osdk-ansible-project-layout.adoc
@@ -8,4 +8,6 @@ toc::[]
 
 The `operator-sdk` CLI can generate, or _scaffold_, a number of packages and files for each Operator project.
 
+include::snippets/osdk-deprecation.adoc[]
+
 include::modules/osdk-ansible-project-layout.adoc[leveloffset=+1]
diff --git a/operators/operator_sdk/ansible/osdk-ansible-quickstart.adoc b/operators/operator_sdk/ansible/osdk-ansible-quickstart.adoc
index 2553e4c76cba..1e65c2a2fce0 100644
--- a/operators/operator_sdk/ansible/osdk-ansible-quickstart.adoc
+++ b/operators/operator_sdk/ansible/osdk-ansible-quickstart.adoc
@@ -10,6 +10,8 @@ toc::[]
 
 The Operator SDK includes options for generating an Operator project that leverages existing Ansible playbooks and modules to deploy Kubernetes resources as a unified application, without having to write any Go code.
 
+include::snippets/osdk-deprecation.adoc[]
+
 To demonstrate the basics of setting up and running an link:https://docs.ansible.com/ansible/latest/index.html[Ansible]-based Operator using tools and libraries provided by the Operator SDK, Operator developers can build an example Ansible-based Operator for Memcached, a distributed key-value store, and deploy it to a cluster.
 
 include::modules/osdk-common-prereqs.adoc[leveloffset=+1]
diff --git a/operators/operator_sdk/ansible/osdk-ansible-support.adoc b/operators/operator_sdk/ansible/osdk-ansible-support.adoc
index 7712f2c7e44c..80aa84d3cdaa 100644
--- a/operators/operator_sdk/ansible/osdk-ansible-support.adoc
+++ b/operators/operator_sdk/ansible/osdk-ansible-support.adoc
@@ -6,6 +6,8 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
+include::snippets/osdk-deprecation.adoc[]
+
 include::modules/osdk-ansible-custom-resource-files.adoc[leveloffset=+1]
 include::modules/osdk-ansible-watches-file.adoc[leveloffset=+1]
 include::modules/osdk-ansible-extra-variables.adoc[leveloffset=+1]
diff --git a/operators/operator_sdk/ansible/osdk-ansible-tutorial.adoc b/operators/operator_sdk/ansible/osdk-ansible-tutorial.adoc
index cab6cc814b2a..e30868ead3c0 100644
--- a/operators/operator_sdk/ansible/osdk-ansible-tutorial.adoc
+++ b/operators/operator_sdk/ansible/osdk-ansible-tutorial.adoc
@@ -12,6 +12,8 @@ Operator developers can take advantage of link:https://docs.ansible.com/ansible/
 * Ensure that the deployment size is the same as specified by the `Memcached` custom resource (CR) spec
 * Update the `Memcached` CR status using the status writer with the names of the `memcached` pods
 
+include::snippets/osdk-deprecation.adoc[]
+
 This process is accomplished by using two centerpieces of the Operator Framework:
 
 Operator SDK:: The `operator-sdk` CLI tool and `controller-runtime` library API
diff --git a/operators/operator_sdk/ansible/osdk-ansible-updating-projects.adoc b/operators/operator_sdk/ansible/osdk-ansible-updating-projects.adoc
index ccc7034f2472..615af794fa62 100644
--- a/operators/operator_sdk/ansible/osdk-ansible-updating-projects.adoc
+++ b/operators/operator_sdk/ansible/osdk-ansible-updating-projects.adoc
@@ -8,6 +8,8 @@ toc::[]
 
 {product-title} {product-version} supports Operator SDK {osdk_ver}. If you already have the {osdk_ver_n1} CLI installed on your workstation, you can update the CLI to {osdk_ver} by xref:../../../operators/operator_sdk/osdk-installing-cli.adoc#osdk-installing-cli[installing the latest version].
 
+include::snippets/osdk-deprecation.adoc[]
+
 However, to ensure your existing Operator projects maintain compatibility with Operator SDK {osdk_ver}, update steps are required for the associated breaking changes introduced since {osdk_ver_n1}. You must perform the update steps manually in any of your Operator projects that were previously created or maintained with {osdk_ver_n1}.
 
 include::modules/osdk-updating-128-to-131.adoc[leveloffset=+1]
diff --git a/operators/operator_sdk/golang/osdk-golang-project-layout.adoc b/operators/operator_sdk/golang/osdk-golang-project-layout.adoc
index d321b4f74485..d0cff91bceac 100644
--- a/operators/operator_sdk/golang/osdk-golang-project-layout.adoc
+++ b/operators/operator_sdk/golang/osdk-golang-project-layout.adoc
@@ -8,4 +8,6 @@ toc::[]
 
 The `operator-sdk` CLI can generate, or _scaffold_, a number of packages and files for each Operator project.
 
+include::snippets/osdk-deprecation.adoc[]
+
 include::modules/osdk-golang-project-layout.adoc[leveloffset=+1]
diff --git a/operators/operator_sdk/golang/osdk-golang-quickstart.adoc b/operators/operator_sdk/golang/osdk-golang-quickstart.adoc
index 6008241317e3..04a0c32dc5f8 100644
--- a/operators/operator_sdk/golang/osdk-golang-quickstart.adoc
+++ b/operators/operator_sdk/golang/osdk-golang-quickstart.adoc
@@ -10,6 +10,8 @@ toc::[]
 
 To demonstrate the basics of setting up and running a Go-based Operator using tools and libraries provided by the Operator SDK, Operator developers can build an example Go-based Operator for Memcached, a distributed key-value store, and deploy it to a cluster.
 
+include::snippets/osdk-deprecation.adoc[]
+
 include::modules/osdk-common-prereqs.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
diff --git a/operators/operator_sdk/golang/osdk-golang-tutorial.adoc b/operators/operator_sdk/golang/osdk-golang-tutorial.adoc
index 665b82489762..c2928008367f 100644
--- a/operators/operator_sdk/golang/osdk-golang-tutorial.adoc
+++ b/operators/operator_sdk/golang/osdk-golang-tutorial.adoc
@@ -8,6 +8,8 @@ toc::[]
 
 Operator developers can take advantage of Go programming language support in the Operator SDK to build an example Go-based Operator for Memcached, a distributed key-value store, and manage its lifecycle.
 
+include::snippets/osdk-deprecation.adoc[]
+
 This process is accomplished using two centerpieces of the Operator Framework:
 
 Operator SDK:: The `operator-sdk` CLI tool and `controller-runtime` library API
@@ -89,4 +91,4 @@ ifndef::openshift-dedicated,openshift-rosa[]
 endif::openshift-dedicated,openshift-rosa[]
 ifdef::openshift-dedicated,openshift-rosa[]
 * If a xref:../../../networking/configuring-cluster-wide-proxy.adoc#configuring-a-cluster-wide-proxy[cluster-wide egress proxy is configured], administrators with the `dedicated-admin` role can xref:../../../operators/admin/olm-configuring-proxy-support.adoc#olm-configuring-proxy-support[override the proxy settings or inject a custom CA certificate] for specific Operators running on Operator Lifecycle Manager (OLM).
-endif::openshift-dedicated,openshift-rosa[]
\ No newline at end of file
+endif::openshift-dedicated,openshift-rosa[]
diff --git a/operators/operator_sdk/golang/osdk-golang-updating-projects.adoc b/operators/operator_sdk/golang/osdk-golang-updating-projects.adoc
index 38136a10623c..c30d0cff6d58 100644
--- a/operators/operator_sdk/golang/osdk-golang-updating-projects.adoc
+++ b/operators/operator_sdk/golang/osdk-golang-updating-projects.adoc
@@ -8,6 +8,8 @@ toc::[]
 
 {product-title} {product-version} supports Operator SDK {osdk_ver}. If you already have the {osdk_ver_n1} CLI installed on your workstation, you can update the CLI to {osdk_ver} by xref:../../../operators/operator_sdk/osdk-installing-cli.adoc#osdk-installing-cli[installing the latest version].
 
+include::snippets/osdk-deprecation.adoc[]
+
 However, to ensure your existing Operator projects maintain compatibility with Operator SDK {osdk_ver}, update steps are required for the associated breaking changes introduced since {osdk_ver_n1}. You must perform the update steps manually in any of your Operator projects that were previously created or maintained with {osdk_ver_n1}.
 
 include::modules/osdk-updating-128-to-131.adoc[leveloffset=+1]
diff --git a/operators/operator_sdk/helm/osdk-helm-project-layout.adoc b/operators/operator_sdk/helm/osdk-helm-project-layout.adoc
index 176de5250416..4fe0b7d1738b 100644
--- a/operators/operator_sdk/helm/osdk-helm-project-layout.adoc
+++ b/operators/operator_sdk/helm/osdk-helm-project-layout.adoc
@@ -8,4 +8,6 @@ toc::[]
 
 The `operator-sdk` CLI can generate, or _scaffold_, a number of packages and files for each Operator project.
 
+include::snippets/osdk-deprecation.adoc[]
+
 include::modules/osdk-helm-project-layout.adoc[leveloffset=+1]
diff --git a/operators/operator_sdk/helm/osdk-helm-quickstart.adoc b/operators/operator_sdk/helm/osdk-helm-quickstart.adoc
index c3079d50eec3..e00197d69b30 100644
--- a/operators/operator_sdk/helm/osdk-helm-quickstart.adoc
+++ b/operators/operator_sdk/helm/osdk-helm-quickstart.adoc
@@ -10,6 +10,8 @@ toc::[]
 
 The Operator SDK includes options for generating an Operator project that leverages existing link:https://helm.sh/docs/[Helm] charts to deploy Kubernetes resources as a unified application, without having to write any Go code.
 
+include::snippets/osdk-deprecation.adoc[]
+
 To demonstrate the basics of setting up and running an link:https://helm.sh/docs/[Helm]-based Operator using tools and libraries provided by the Operator SDK, Operator developers can build an example Helm-based Operator for Nginx and deploy it to a cluster.
 
 include::modules/osdk-common-prereqs.adoc[leveloffset=+1]
diff --git a/operators/operator_sdk/helm/osdk-helm-support.adoc b/operators/operator_sdk/helm/osdk-helm-support.adoc
index 40497bc0d170..2b3eacc0f3c4 100644
--- a/operators/operator_sdk/helm/osdk-helm-support.adoc
+++ b/operators/operator_sdk/helm/osdk-helm-support.adoc
@@ -6,4 +6,6 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
+include::snippets/osdk-deprecation.adoc[]
+
 include::modules/osdk-helm-charts.adoc[leveloffset=+1]
diff --git a/operators/operator_sdk/helm/osdk-helm-tutorial.adoc b/operators/operator_sdk/helm/osdk-helm-tutorial.adoc
index f21851892ce2..71c14c118794 100644
--- a/operators/operator_sdk/helm/osdk-helm-tutorial.adoc
+++ b/operators/operator_sdk/helm/osdk-helm-tutorial.adoc
@@ -12,6 +12,8 @@ Operator developers can take advantage of link:https://helm.sh/docs/[Helm] suppo
 * Ensure that the deployment size is the same as specified by the `Nginx` custom resource (CR) spec
 * Update the `Nginx` CR status using the status writer with the names of the `nginx` pods
 
+include::snippets/osdk-deprecation.adoc[]
+
 This process is accomplished using two centerpieces of the Operator Framework:
 
 Operator SDK:: The `operator-sdk` CLI tool and `controller-runtime` library API
diff --git a/operators/operator_sdk/helm/osdk-helm-updating-projects.adoc b/operators/operator_sdk/helm/osdk-helm-updating-projects.adoc
index 76b6ae088dc9..a670cf0c3aa4 100644
--- a/operators/operator_sdk/helm/osdk-helm-updating-projects.adoc
+++ b/operators/operator_sdk/helm/osdk-helm-updating-projects.adoc
@@ -8,6 +8,8 @@ toc::[]
 
 {product-title} {product-version} supports Operator SDK {osdk_ver}. If you already have the {osdk_ver_n1} CLI installed on your workstation, you can update the CLI to {osdk_ver} by xref:../../../operators/operator_sdk/osdk-installing-cli.adoc#osdk-installing-cli[installing the latest version].
 
+include::snippets/osdk-deprecation.adoc[]
+
 However, to ensure your existing Operator projects maintain compatibility with Operator SDK {osdk_ver}, update steps are required for the associated breaking changes introduced since {osdk_ver_n1}. You must perform the update steps manually in any of your Operator projects that were previously created or maintained with {osdk_ver_n1}.
 
 include::modules/osdk-updating-128-to-131.adoc[leveloffset=+1]
diff --git a/operators/operator_sdk/helm/osdk-hybrid-helm-updating-projects.adoc b/operators/operator_sdk/helm/osdk-hybrid-helm-updating-projects.adoc
index a0811c91292e..18edc17e6901 100644
--- a/operators/operator_sdk/helm/osdk-hybrid-helm-updating-projects.adoc
+++ b/operators/operator_sdk/helm/osdk-hybrid-helm-updating-projects.adoc
@@ -8,6 +8,8 @@ toc::[]
 
 {product-title} {product-version} supports Operator SDK {osdk_ver}. If you already have the {osdk_ver_n1} CLI installed on your workstation, you can update the CLI to {osdk_ver} by xref:../../../operators/operator_sdk/osdk-installing-cli.adoc#osdk-installing-cli[installing the latest version].
 
+include::snippets/osdk-deprecation.adoc[]
+
 However, to ensure your existing Operator projects maintain compatibility with Operator SDK {osdk_ver}, update steps are required for the associated breaking changes introduced since {osdk_ver_n1}. You must perform the update steps manually in any of your Operator projects that were previously created or maintained with {osdk_ver_n1}.
 
 include::modules/osdk-updating-128-to-131.adoc[leveloffset=+1]
diff --git a/operators/operator_sdk/helm/osdk-hybrid-helm.adoc b/operators/operator_sdk/helm/osdk-hybrid-helm.adoc
index fb2ccfe7c752..8335c5637581 100644
--- a/operators/operator_sdk/helm/osdk-hybrid-helm.adoc
+++ b/operators/operator_sdk/helm/osdk-hybrid-helm.adoc
@@ -8,6 +8,8 @@ toc::[]
 
 The standard Helm-based Operator support in the Operator SDK has limited functionality compared to the Go-based and Ansible-based Operator support that has reached the Auto Pilot capability (level V) in the xref:../../../operators/understanding/olm-what-operators-are.adoc#olm-maturity-model_olm-what-operators-are[Operator maturity model].
 
+include::snippets/osdk-deprecation.adoc[]
+
 The Hybrid Helm Operator enhances the existing Helm-based support's abilities through Go APIs. With this hybrid approach of Helm and Go, the Operator SDK enables Operator authors to use the following process:
 
 * Generate a default structure for, or _scaffold_, a Go API in the same project as Helm.
diff --git a/operators/operator_sdk/java/osdk-java-project-layout.adoc b/operators/operator_sdk/java/osdk-java-project-layout.adoc
index 98a08ecdb711..433c6f07c81e 100644
--- a/operators/operator_sdk/java/osdk-java-project-layout.adoc
+++ b/operators/operator_sdk/java/osdk-java-project-layout.adoc
@@ -10,4 +10,6 @@ toc::[]
 
 The `operator-sdk` CLI can generate, or _scaffold_, a number of packages and files for each Operator project.
 
+include::snippets/osdk-deprecation.adoc[]
+
 include::modules/osdk-java-project-layout.adoc[leveloffset=+1]
diff --git a/operators/operator_sdk/java/osdk-java-quickstart.adoc b/operators/operator_sdk/java/osdk-java-quickstart.adoc
index eb18008a3953..177e97b05dd2 100644
--- a/operators/operator_sdk/java/osdk-java-quickstart.adoc
+++ b/operators/operator_sdk/java/osdk-java-quickstart.adoc
@@ -12,6 +12,8 @@ toc::[]
 
 To demonstrate the basics of setting up and running a Java-based Operator using tools and libraries provided by the Operator SDK, Operator developers can build an example Java-based Operator for Memcached, a distributed key-value store, and deploy it to a cluster.
 
+include::snippets/osdk-deprecation.adoc[]
+
 include::modules/osdk-common-prereqs.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
diff --git a/operators/operator_sdk/java/osdk-java-tutorial.adoc b/operators/operator_sdk/java/osdk-java-tutorial.adoc
index 943ae42f23a7..12eecea2a4fb 100644
--- a/operators/operator_sdk/java/osdk-java-tutorial.adoc
+++ b/operators/operator_sdk/java/osdk-java-tutorial.adoc
@@ -12,6 +12,8 @@ toc::[]
 
 Operator developers can take advantage of Java programming language support in the Operator SDK to build an example Java-based Operator for Memcached, a distributed key-value store, and manage its lifecycle.
 
+include::snippets/osdk-deprecation.adoc[]
+
 This process is accomplished using two centerpieces of the Operator Framework:
 
 Operator SDK:: The `operator-sdk` CLI tool and `java-operator-sdk` library API
diff --git a/operators/operator_sdk/java/osdk-java-updating-projects.adoc b/operators/operator_sdk/java/osdk-java-updating-projects.adoc
index c402228c172a..da55a3d98481 100644
--- a/operators/operator_sdk/java/osdk-java-updating-projects.adoc
+++ b/operators/operator_sdk/java/osdk-java-updating-projects.adoc
@@ -8,6 +8,8 @@ toc::[]
 
 {product-title} {product-version} supports Operator SDK {osdk_ver}. If you already have the {osdk_ver_n1} CLI installed on your workstation, you can update the CLI to {osdk_ver} by xref:../../../operators/operator_sdk/osdk-installing-cli.adoc#osdk-installing-cli[installing the latest version].
 
+include::snippets/osdk-deprecation.adoc[]
+
 However, to ensure your existing Operator projects maintain compatibility with Operator SDK {osdk_ver}, update steps are required for the associated breaking changes introduced since {osdk_ver_n1}. You must perform the update steps manually in any of your Operator projects that were previously created or maintained with {osdk_ver_n1}.
 
 include::modules/osdk-updating-128-to-131.adoc[leveloffset=+1]
diff --git a/operators/operator_sdk/osdk-about.adoc b/operators/operator_sdk/osdk-about.adoc
index aa99faaaa698..239054f93a7c 100644
--- a/operators/operator_sdk/osdk-about.adoc
+++ b/operators/operator_sdk/osdk-about.adoc
@@ -12,6 +12,8 @@ Operators make it easy to manage complex, stateful applications on top of Kubern
 
 The Operator SDK, a component of the Operator Framework, provides a command-line interface (CLI) tool that Operator developers can use to build, test, and deploy an Operator.
 
+include::snippets/osdk-deprecation.adoc[]
+
 **Why use the Operator SDK?**
 
 The Operator SDK simplifies this process of building Kubernetes-native applications, which can require deep, application-specific operational knowledge. The Operator SDK not only lowers that barrier, but it also helps reduce the amount of boilerplate code required for many common management capabilities, such as metering or monitoring.
diff --git a/operators/operator_sdk/osdk-bundle-validate.adoc b/operators/operator_sdk/osdk-bundle-validate.adoc
index 253e1a96afd0..7d4a67bd11ca 100644
--- a/operators/operator_sdk/osdk-bundle-validate.adoc
+++ b/operators/operator_sdk/osdk-bundle-validate.adoc
@@ -8,6 +8,8 @@ toc::[]
 
 As an Operator author, you can run the `bundle validate` command in the Operator SDK to validate the content and format of an Operator bundle. You can run the command on a remote Operator bundle image or a local Operator bundle directory.
 
+include::snippets/osdk-deprecation.adoc[]
+
 include::modules/osdk-bundle-validate-about.adoc[leveloffset=+1]
 include::modules/osdk-bundle-validate-tests.adoc[leveloffset=+1]
 
diff --git a/operators/operator_sdk/osdk-cli-ref.adoc b/operators/operator_sdk/osdk-cli-ref.adoc
index 7d533e226497..b6c1ecac088e 100644
--- a/operators/operator_sdk/osdk-cli-ref.adoc
+++ b/operators/operator_sdk/osdk-cli-ref.adoc
@@ -8,6 +8,8 @@ toc::[]
 
 The Operator SDK command-line interface (CLI) is a development kit designed to make writing Operators easier.
 
+include::snippets/osdk-deprecation.adoc[]
+
 .Operator SDK CLI syntax
 [source,terminal]
 ----
diff --git a/operators/operator_sdk/osdk-complying-with-psa.adoc b/operators/operator_sdk/osdk-complying-with-psa.adoc
index 4dc444d69e48..9e80f34132b3 100644
--- a/operators/operator_sdk/osdk-complying-with-psa.adoc
+++ b/operators/operator_sdk/osdk-complying-with-psa.adoc
@@ -16,6 +16,8 @@ If your Operator project does not require escalated permissions to run, you can
 
 For more information, see xref:../../authentication/understanding-and-managing-pod-security-admission.adoc#understanding-and-managing-pod-security-admission[Understanding and managing pod security admission].
 
+include::snippets/osdk-deprecation.adoc[]
+
 // About pod security admission
 include::modules/security-context-constraints-psa-about.adoc[leveloffset=+1]
 
diff --git a/operators/operator_sdk/osdk-generating-csvs.adoc b/operators/operator_sdk/osdk-generating-csvs.adoc
index 919d072d9e59..e8a24c2e3001 100644
--- a/operators/operator_sdk/osdk-generating-csvs.adoc
+++ b/operators/operator_sdk/osdk-generating-csvs.adoc
@@ -10,6 +10,8 @@ A _cluster service version_ (CSV), defined by a `ClusterServiceVersion` object,
 
 The Operator SDK includes the CSV generator to generate a CSV for the current Operator project, customized using information contained in YAML manifests and Operator source files.
 
+include::snippets/osdk-deprecation.adoc[]
+
 A CSV-generating command removes the responsibility of Operator authors having in-depth OLM knowledge in order for their Operator to interact with OLM or publish metadata to the Catalog Registry. Further, because the CSV spec will likely change over time as new Kubernetes and OLM features are implemented, the Operator SDK is equipped to easily extend its update system to handle new CSV features going forward.
 
 include::modules/osdk-how-csv-gen-works.adoc[leveloffset=+1]
diff --git a/operators/operator_sdk/osdk-ha-sno.adoc b/operators/operator_sdk/osdk-ha-sno.adoc
index dee40594aed1..68ac8ed76148 100644
--- a/operators/operator_sdk/osdk-ha-sno.adoc
+++ b/operators/operator_sdk/osdk-ha-sno.adoc
@@ -16,5 +16,7 @@ An OpenShift Container Platform cluster can be configured in high-availability (
 
 By accessing the cluster high-availability mode API provided in {product-title}, Operator authors can use the Operator SDK to enable their Operator to detect a cluster's infrastructure topology, either HA or non-HA mode. Custom Operator logic can be developed that uses the detected cluster topology to automatically switch the resource requirements, both for the Operator and for any Operands or workloads it manages, to a profile that best fits the topology.
 
+include::snippets/osdk-deprecation.adoc[]
+
 include::modules/osdk-ha-sno-api.adoc[leveloffset=+1]
 include::modules/osdk-ha-sno-api-examples.adoc[leveloffset=+1]
diff --git a/operators/operator_sdk/osdk-installing-cli.adoc b/operators/operator_sdk/osdk-installing-cli.adoc
index 750c90a37a00..d0bfb4742cb1 100644
--- a/operators/operator_sdk/osdk-installing-cli.adoc
+++ b/operators/operator_sdk/osdk-installing-cli.adoc
@@ -8,6 +8,8 @@ toc::[]
 
 The Operator SDK provides a command-line interface (CLI) tool that Operator developers can use to build, test, and deploy an Operator. You can install the Operator SDK CLI on your workstation so that you are prepared to start authoring your own Operators.
 
+include::snippets/osdk-deprecation.adoc[]
+
 ifndef::openshift-dedicated,openshift-rosa[]
 Operator authors with cluster administrator access to a Kubernetes-based cluster, such as {product-title},
 endif::openshift-dedicated,openshift-rosa[]
diff --git a/operators/operator_sdk/osdk-leader-election.adoc b/operators/operator_sdk/osdk-leader-election.adoc
index 12ef828f292f..e34681b25a39 100644
--- a/operators/operator_sdk/osdk-leader-election.adoc
+++ b/operators/operator_sdk/osdk-leader-election.adoc
@@ -16,4 +16,6 @@ Leader-with-lease:: The leader pod periodically renews the leader lease and give
 
 By default, the Operator SDK enables the Leader-for-life implementation. Consult the related Go documentation for both approaches to consider the trade-offs that make sense for your use case.
 
+include::snippets/osdk-deprecation.adoc[]
+
 include::modules/osdk-leader-election-types.adoc[leveloffset=+1]
diff --git a/operators/operator_sdk/osdk-migrating-to-v0-1-0.adoc b/operators/operator_sdk/osdk-migrating-to-v0-1-0.adoc
index 600052d55803..fe1a1fddba6c 100644
--- a/operators/operator_sdk/osdk-migrating-to-v0-1-0.adoc
+++ b/operators/operator_sdk/osdk-migrating-to-v0-1-0.adoc
@@ -8,6 +8,8 @@ toc::[]
 
 This guide describes how to migrate an Operator project built using Operator SDK v0.0.x to the project structure required by link:https://github.com/operator-framework/operator-sdk/releases[Operator SDK v0.1.0].
 
+include::snippets/osdk-deprecation.adoc[]
+
 The recommended method for migrating your project is to:
 
 . Initialize a new v0.1.0 project.
diff --git a/operators/operator_sdk/osdk-monitoring-prometheus.adoc b/operators/operator_sdk/osdk-monitoring-prometheus.adoc
index d37509cc8bd7..83f6efb33cc5 100644
--- a/operators/operator_sdk/osdk-monitoring-prometheus.adoc
+++ b/operators/operator_sdk/osdk-monitoring-prometheus.adoc
@@ -11,6 +11,8 @@ toc::[]
 ifndef::openshift-dedicated,openshift-rosa[]
 This guide describes the built-in monitoring support provided by the Operator SDK using the Prometheus Operator and details usage for authors of Go-based and Ansible-based Operators.
 
+include::snippets/osdk-deprecation.adoc[]
+
 include::modules/osdk-monitoring-prometheus-operator-support.adoc[leveloffset=+1]
 include::modules/osdk-monitoring-custom-metrics.adoc[leveloffset=+1]
 include::modules/osdk-ansible-metrics.adoc[leveloffset=+1]
@@ -20,6 +22,8 @@ ifdef::openshift-dedicated,openshift-rosa[]
 // Since OSD/ROSA dedicated-admins can't do the procedures in this assembly, point to the OCP docs.
 The Operator SDK provides built-in monitoring support using the Prometheus Operator, which you can use to expose custom metrics for your Operator.
 
+include::snippets/osdk-deprecation.adoc[]
+
 [WARNING]
 ====
 By default, {product-title} provides a Prometheus Operator in the `openshift-user-workload-monitoring` project. You should use this Prometheus instance to monitor user workloads in {product-title}.
diff --git a/operators/operator_sdk/osdk-multi-arch-support.adoc b/operators/operator_sdk/osdk-multi-arch-support.adoc
index a3bcc1174b86..74d1baad7e56 100644
--- a/operators/operator_sdk/osdk-multi-arch-support.adoc
+++ b/operators/operator_sdk/osdk-multi-arch-support.adoc
@@ -13,6 +13,8 @@ Perform the following actions to ensure your Operator project can run on multipl
 * Build a manifest list that specifies the platforms that your Operator supports.
 * Set your Operator's node affinity to support multi-architecture compute machines.
 
+include::snippets/osdk-deprecation.adoc[]
+
 include::modules/osdk-multi-arch-building-images.adoc[leveloffset=+1]
 include::modules/osdk-multi-arch-node-affinity.adoc[leveloffset=+1]
 
diff --git a/operators/operator_sdk/osdk-pkgman-to-bundle.adoc b/operators/operator_sdk/osdk-pkgman-to-bundle.adoc
index b3ae5cf86c53..bdf25f2c2f98 100644
--- a/operators/operator_sdk/osdk-pkgman-to-bundle.adoc
+++ b/operators/operator_sdk/osdk-pkgman-to-bundle.adoc
@@ -9,6 +9,8 @@ toc::[]
 Support for the legacy _package manifest format_ for Operators is removed in {product-title} 4.8 and later. If you have an Operator project that was initially created using the package manifest format, you can use the Operator SDK to migrate the project to the bundle format. The bundle format is the preferred packaging format for Operator Lifecycle Manager (OLM) starting in {product-title} 4.6.
 //Consider updating this during the 4.10 to 4.11 version scrub.
 
+include::snippets/osdk-deprecation.adoc[]
+
 include::modules/osdk-about-pkg-format-migration.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
diff --git a/operators/operator_sdk/osdk-pruning-utility.adoc b/operators/operator_sdk/osdk-pruning-utility.adoc
index a970e0f2b7fc..430f33f94067 100644
--- a/operators/operator_sdk/osdk-pruning-utility.adoc
+++ b/operators/operator_sdk/osdk-pruning-utility.adoc
@@ -8,5 +8,7 @@ toc::[]
 
 The `operator-lib` pruning utility lets Go-based Operators clean up, or prune, objects when they are no longer needed. Operator authors can also use the utility to create custom hooks and strategies.
 
+include::snippets/osdk-deprecation.adoc[]
+
 include::modules/osdk-pruning-utility-about.adoc[leveloffset=+1]
 include::modules/osdk-pruning-utility-config.adoc[leveloffset=+1]
diff --git a/operators/operator_sdk/osdk-scorecard.adoc b/operators/operator_sdk/osdk-scorecard.adoc
index 4cdffb81d297..e9a40e31f8f4 100644
--- a/operators/operator_sdk/osdk-scorecard.adoc
+++ b/operators/operator_sdk/osdk-scorecard.adoc
@@ -11,6 +11,8 @@ As an Operator author, you can use the scorecard tool in the Operator SDK to do
 * Validate that your Operator project is free of syntax errors and packaged correctly
 * Review suggestions about ways you can improve your Operator
 
+include::snippets/osdk-deprecation.adoc[]
+
 include::modules/osdk-scorecard-about.adoc[leveloffset=+1]
 include::modules/osdk-scorecard-config.adoc[leveloffset=+1]
 include::modules/osdk-scorecard-tests.adoc[leveloffset=+1]
diff --git a/operators/operator_sdk/osdk-working-bundle-images.adoc b/operators/operator_sdk/osdk-working-bundle-images.adoc
index b804f2d24adb..ae75ca8fe437 100644
--- a/operators/operator_sdk/osdk-working-bundle-images.adoc
+++ b/operators/operator_sdk/osdk-working-bundle-images.adoc
@@ -8,6 +8,8 @@ toc::[]
 
 You can use the Operator SDK to package, deploy, and upgrade Operators in the bundle format for use on Operator Lifecycle Manager (OLM).
 
+include::snippets/osdk-deprecation.adoc[]
+
 include::modules/osdk-bundle-operator.adoc[leveloffset=+1]
 include::modules/osdk-deploy-olm.adoc[leveloffset=+1]
 
diff --git a/operators/understanding/olm-packaging-format.adoc b/operators/understanding/olm-packaging-format.adoc
index e4e47667a077..0ecdb1a6b8d3 100644
--- a/operators/understanding/olm-packaging-format.adoc
+++ b/operators/understanding/olm-packaging-format.adoc
@@ -79,13 +79,10 @@ include::modules/olm-rukpak-about.adoc[leveloffset=+1]
 [role="_additional-resources"]
 .Additional resources
 
-* xref:../../operators/admin/olm-managing-po.adoc#olm-managing-po[Managing platform Operators]
-* xref:../../operators/admin/olm-managing-po.adoc#olm-po-techpreview_olm-managing-po[Technology Preview restrictions for platform Operators]
 * xref:../../operators/olm_v1/index.adoc#olmv1-about[About Operator Lifecycle Manager 1.0 (Technology Preview)]
 
 include::modules/olm-rukpak-bundle.adoc[leveloffset=+2]
 include::modules/olm-rukpak-bundle-immutability.adoc[leveloffset=+3]
-include::modules/olm-rukpak-plain-bundle.adoc[leveloffset=+3]
 include::modules/olm-rukpak-registry-bundle.adoc[leveloffset=+3]
 [role="_additional-resources"]
 .Additional resources
diff --git a/post_installation_configuration/bare-metal-configuration.adoc b/post_installation_configuration/bare-metal-configuration.adoc
index 4d2d2ba28474..cca6bc9b672e 100644
--- a/post_installation_configuration/bare-metal-configuration.adoc
+++ b/post_installation_configuration/bare-metal-configuration.adoc
@@ -12,6 +12,9 @@ include::modules/bmo-about-the-bare-metal-operator.adoc[leveloffset=+1]
 include::modules/con_bmo-bare-metal-operator-architecture.adoc[leveloffset=+2]
 include::modules/bmo-about-the-baremetalhost-resource.adoc[leveloffset=+1]
 include::modules/bmo-getting-the-baremetalhost-resource.adoc[leveloffset=+1]
+include::modules/bmo-editing-a-baremetalhost-resource.adoc[leveloffset=+1]
+
+include::modules/bmo-attaching-a-non-bootable-iso-to-a-bare-metal-node.adoc[leveloffset=+1]
 
 include::modules/bmo-about-the-hostfirmwaresettings-resource.adoc[leveloffset=+1]
 include::modules/bmo-getting-the-hostfirmwaresettings-resource.adoc[leveloffset=+1]
@@ -20,3 +23,7 @@ include::modules/bmo-verifying-the-hostfirmware-settings-resource-is-valid.adoc[
 
 include::modules/bmo-about-the-firmwareschema-resource.adoc[leveloffset=+1]
 include::modules/bmo-getting-the-firmwareschema-resource.adoc[leveloffset=+1]
+
+include::modules/bmo-about-the-hostfirmwarecomponents-resource.adoc[leveloffset=+1]
+include::modules/bmo-getting-the-hostfirmwarecomponents-resource.adoc[leveloffset=+1]
+include::modules/bmo-editing-the-hostfirmwarecomponents-resource.adoc[leveloffset=+1]
diff --git a/post_installation_configuration/changing-cloud-credentials-configuration.adoc b/post_installation_configuration/changing-cloud-credentials-configuration.adoc
new file mode 100644
index 000000000000..e5fc30fecb1e
--- /dev/null
+++ b/post_installation_configuration/changing-cloud-credentials-configuration.adoc
@@ -0,0 +1,67 @@
+:_mod-docs-content-type: ASSEMBLY
+:context: changing-cloud-credentials-configuration
+[id="changing-cloud-credentials-configuration"]
+= Changing the cloud provider credentials configuration
+include::_attributes/common-attributes.adoc[]
+
+toc::[]
+
+For supported configurations, you can change how {product-title} authenticates with your cloud provider.
+
+To determine which cloud credentials strategy your cluster uses, see xref:../authentication/managing_cloud_provider_credentials/about-cloud-credential-operator.adoc#cco-determine-mode_about-cloud-credential-operator[Determining the Cloud Credential Operator mode].
+
+[id="post-install-rotate-remove-cloud-creds_{context}"]
+== Rotating or removing cloud provider credentials
+
+After installing {product-title}, some organizations require the rotation or removal of the cloud provider credentials that were used during the initial installation.
+
+To allow the cluster to use the new credentials, you must update the secrets that the xref:../operators/operator-reference.adoc#cloud-credential-operator_cluster-operators-ref[Cloud Credential Operator (CCO)] uses to manage cloud provider credentials.
+
+[id="ccoctl-rotate-remove-cloud-creds_{context}"]
+=== Rotating cloud provider credentials with the Cloud Credential Operator utility
+
+// Right now only IBM can do this, but it makes sense to set this up so that other clouds can be added.
+The Cloud Credential Operator (CCO) utility `ccoctl` supports updating secrets for clusters installed on {ibm-cloud-name}.
+
+//Rotating IBM Cloud credentials with ccoctl
+include::modules/refreshing-service-ids-ibm-cloud.adoc[leveloffset=+3]
+
+//Rotating cloud provider credentials manually
+include::modules/manually-rotating-cloud-creds.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+* xref:../storage/container_storage_interface/persistent-storage-csi-vsphere.adoc#persistent-storage-csi-vsphere[vSphere CSI Driver Operator]
+
+//Removing cloud provider credentials manually
+include::modules/manually-removing-cloud-creds.adoc[leveloffset=+2]
+
+//These additional resources are for the "Rotating or removing cloud provider credentials" section, do not separate them from that content.
+[role="_additional-resources"]
+.Additional resources
+* xref:../authentication/managing_cloud_provider_credentials/cco-mode-passthrough.adoc#admin-credentials-root-secret-formats_cco-mode-passthrough[Admin credentials root secret format]
+
+[id="post-install-enable-token-auth_{context}"]
+== Enabling token-based authentication
+//Today, just Entra. But this should be a section that anticipates the addition of AWS STS and GCP WID.
+
+After installing an {azure-first} {product-title} cluster, you can enable {entra-first} to use short-term credentials.
+
+//Configuring the Cloud Credential Operator utility
+include::modules/cco-ccoctl-configuring.adoc[leveloffset=+2]
+
+//Enabling {entra-first} on an existing cluster
+include::modules/enabling-entra-workload-id-existing-cluster.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+* xref:../authentication/managing_cloud_provider_credentials/cco-short-term-creds.adoc#cco-short-term-creds-azure_cco-short-term-creds[Microsoft Entra Workload ID]
+* xref:../installing/installing_azure/installing-azure-customizations.adoc#installing-azure-with-short-term-creds_installing-azure-customizations[Configuring an Azure cluster to use short-term credentials]
+
+//Verifying the credentials configuration
+include::modules/cco-ccoctl-install-verifying.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+[id="additional-resources_{context}"]
+== Additional resources
+* xref:../authentication/managing_cloud_provider_credentials/about-cloud-credential-operator.adoc#about-cloud-credential-operator[About the Cloud Credential Operator]
\ No newline at end of file
diff --git a/post_installation_configuration/cluster-tasks.adoc b/post_installation_configuration/cluster-tasks.adoc
index 682b17fa7ff1..6e88329a482d 100644
--- a/post_installation_configuration/cluster-tasks.adoc
+++ b/post_installation_configuration/cluster-tasks.adoc
@@ -685,38 +685,6 @@ include::modules/pod-disruption-eviction-policy.adoc[leveloffset=+2]
 * xref:../nodes/clusters/nodes-cluster-enabling-features.adoc#nodes-cluster-enabling[Enabling features using feature gates]
 * link:https://kubernetes.io/docs/tasks/run-application/configure-pdb/#unhealthy-pod-eviction-policy[Unhealthy Pod Eviction Policy] in the Kubernetes documentation
 
-[id="post-install-rotate-remove-cloud-creds"]
-== Rotating or removing cloud provider credentials
-
-After installing {product-title}, some organizations require the rotation or removal of the cloud provider credentials that were used during the initial installation.
-
-To allow the cluster to use the new credentials, you must update the secrets that the xref:../operators/operator-reference.adoc#cloud-credential-operator_cluster-operators-ref[Cloud Credential Operator (CCO)] uses to manage cloud provider credentials.
-
-[id="ccoctl-rotate-remove-cloud-creds"]
-=== Rotating cloud provider credentials with the Cloud Credential Operator utility
-
-// Right now only IBM can do this, but it makes sense to set this up so that other clouds can be added.
-The Cloud Credential Operator (CCO) utility `ccoctl` supports updating secrets for clusters installed on {ibm-cloud-name}.
-
-//Rotating IBM Cloud credentials with ccoctl
-include::modules/refreshing-service-ids-ibm-cloud.adoc[leveloffset=+3]
-
-//Rotating cloud provider credentials manually
-include::modules/manually-rotating-cloud-creds.adoc[leveloffset=+2]
-
-[role="_additional-resources"]
-.Additional resources
-* xref:../storage/container_storage_interface/persistent-storage-csi-vsphere.adoc[vSphere CSI Driver Operator]
-
-//Removing cloud provider credentials manually
-include::modules/manually-removing-cloud-creds.adoc[leveloffset=+2]
-
-//These additional resources are for the "Rotating or removing cloud provider credentials" section, do not separate them from that content.
-[role="_additional-resources"]
-.Additional resources
-* xref:../authentication/managing_cloud_provider_credentials/about-cloud-credential-operator.adoc#about-cloud-credential-operator[About the Cloud Credential Operator]
-* xref:../authentication/managing_cloud_provider_credentials/cco-mode-passthrough.adoc#admin-credentials-root-secret-formats_cco-mode-passthrough[Admin credentials root secret format]
-
 [id="post-install-must-gather-disconnected"]
 == Configuring image streams for a disconnected cluster
 
diff --git a/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-aws.adoc b/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-aws.adoc
index dbe3241ebd34..7260ae25928b 100644
--- a/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-aws.adoc
+++ b/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-aws.adoc
@@ -6,7 +6,11 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-To create an AWS cluster with multi-architecture compute machines, you must first create a single-architecture AWS installer-provisioned cluster with the multi-architecture installer binary. For more information on AWS installations, refer to xref:../../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-customizations[Installing a cluster on AWS with customizations]. You can then add a ARM64 compute machine set to your AWS cluster.
+To create an AWS cluster with multi-architecture compute machines, you must first create a single-architecture AWS installer-provisioned cluster with the multi-architecture installer binary. For more information on AWS installations, see xref:../../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-customizations[Installing a cluster on AWS with customizations]. 
+
+You can also migrate your current cluster with single-architecture compute machines to a cluster with multi-architecture compute machines. For more information, see xref:../../updating/updating_a_cluster/migrating-to-multi-payload.adoc#migrating-to-multi-payload[Migrating to a cluster with multi-architecture compute machines].
+
+After creating a multi-architecture cluster, you can add nodes with different architectures to the cluster. 
 
 include::modules/multi-architecture-verifying-cluster-compatibility.adoc[leveloffset=+1]
 
@@ -14,5 +18,8 @@ include::modules/multi-architecture-modify-machine-set-aws.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 .Additional resources
+
 * xref:../../installing/installing_aws/ipi/installing-aws-customizations.adoc#installation-aws-arm-tested-machine-types_installing-aws-customizations[Tested instance types for AWS 64-bit ARM]
 
+* xref:../../post_installation_configuration/configuring-multi-arch-compute-machines/multiarch-tuning-operator.adoc#multiarch-tuning-operator[Managing workloads on multi-architecture clusters by using the Multiarch Tuning Operator]
+
diff --git a/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-azure.adoc b/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-azure.adoc
index 8f193d3af1fe..7a20c1a36fce 100644
--- a/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-azure.adoc
+++ b/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-azure.adoc
@@ -6,16 +6,22 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-To deploy an Azure cluster with multi-architecture compute machines, you must first create a single-architecture Azure installer-provisioned cluster that uses the multi-architecture installer binary. For more information on Azure installations, see xref:../../installing/installing_azure/installing-azure-customizations.adoc#installing-azure-customizations[Installing a cluster on Azure with customizations]. You can then add an ARM64 compute machine set to your cluster to create a cluster with multi-architecture compute machines.
+To deploy an Azure cluster with multi-architecture compute machines, you must first create a single-architecture Azure installer-provisioned cluster that uses the multi-architecture installer binary. For more information on Azure installations, see xref:../../installing/installing_azure/installing-azure-customizations.adoc#installing-azure-customizations[Installing a cluster on Azure with customizations]. 
 
-The following procedures explain how to generate an ARM64 boot image and create an Azure compute machine set that uses the ARM64 boot image. This adds ARM64 compute nodes to your cluster and deploys the amount of ARM64 virtual machines (VM) that you need.
+You can also migrate your current cluster with single-architecture compute machines to a cluster with multi-architecture compute machines. For more information, see xref:../../updating/updating_a_cluster/migrating-to-multi-payload.adoc#migrating-to-multi-payload[Migrating to a cluster with multi-architecture compute machines].
+
+After creating a multi-architecture cluster, you can add nodes with different architectures to the cluster. 
 
 include::modules/multi-architecture-verifying-cluster-compatibility.adoc[leveloffset=+1]
 
 include::modules/multi-architecture-creating-arm64-bootimage.adoc[leveloffset=+1]
 
+include::modules/multi-architecture-creating-x86_64-bootimage.adoc[leveloffset=+1]
+
 include::modules/multi-architecture-modify-machine-set.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 .Additional resources
-* xref:../../machine_management/creating_machinesets/creating-machineset-azure.adoc#creating-machineset-azure[Creating a compute machine set on Azure]
\ No newline at end of file
+* xref:../../machine_management/creating_machinesets/creating-machineset-azure.adoc#creating-machineset-azure[Creating a compute machine set on Azure]
+
+* xref:../../post_installation_configuration/configuring-multi-arch-compute-machines/multiarch-tuning-operator.adoc#multiarch-tuning-operator[Managing workloads on multi-architecture clusters by using the Multiarch Tuning Operator]
\ No newline at end of file
diff --git a/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-bare-metal.adoc b/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-bare-metal.adoc
index bf9bbcacf0d2..4655fde7fbe8 100644
--- a/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-bare-metal.adoc
+++ b/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-bare-metal.adoc
@@ -6,15 +6,25 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-To create a cluster with multi-architecture compute machines on bare metal (`x86_64`), {ibm-power-name} (`ppc64le`), or {ibm-z-name} (`s390x`) you must have an existing single-architecture cluster on one of these platforms. Follow the installations procedures for your platform:
+To create a cluster with multi-architecture compute machines on bare metal (`x86_64` or `aarch64`), {ibm-power-name} (`ppc64le`), or {ibm-z-name} (`s390x`) you must have an existing single-architecture cluster on one of these platforms. Follow the installations procedures for your platform:
 
 * xref:../../installing/installing_bare_metal/installing-bare-metal.adoc#installing-bare-metal[Installing a user provisioned cluster on bare metal]. You can then add 64-bit ARM compute machines to your {product-title} cluster on bare metal.
 * xref:../../installing/installing_ibm_power/preparing-to-install-on-ibm-power.adoc#preparing-to-install-on-ibm-power[Installing a cluster on {ibm-power-name}]. You can then add `x86_64` compute machines to your {product-title} cluster on {ibm-power-name}.
 * xref:../../installing/installing_ibm_z/preparing-to-install-on-ibm-z.adoc#preparing-to-install-on-ibm-z[Installing a cluster on {ibm-z-name} and {ibm-linuxone-name}]. You can then add `x86_64` compute machines to your {product-title} cluster on {ibm-z-name} and {ibm-linuxone-name}.
 
+[IMPORTANT]
+====
+The bare metal installer-provisioned infrastructure and the Bare Metal Operator do not support adding secondary architecture nodes during the initial cluster setup. You can add secondary architecture nodes manually only after the initial cluster setup.
+====
+
 Before you can add additional compute nodes to your cluster, you must upgrade your cluster to one that uses the multi-architecture payload. For more information on migrating to the multi-architecture payload, see xref:../../updating/updating_a_cluster/migrating-to-multi-payload.adoc#migrating-to-multi-payload[Migrating to a cluster with multi-architecture compute machines].
 
-The following procedures explain how to create a {op-system} compute machine using an ISO image or network PXE booting. This will allow you to add additional nodes to your cluster and deploy a cluster with multi-architecture compute machines.
+The following procedures explain how to create a {op-system} compute machine using an ISO image or network PXE booting. This allows you to add additional nodes to your cluster and deploy a cluster with multi-architecture compute machines.
+
+[NOTE]
+====
+Before adding a secondary architecture node to your cluster, it is recommended to install the Multiarch Tuning Operator, and deploy a `ClusterPodPlacementConfig` object. For more information, see xref:../../post_installation_configuration/configuring-multi-arch-compute-machines/multiarch-tuning-operator.adoc#multiarch-tuning-operator[Managing workloads on multi-architecture clusters by using the Multiarch Tuning Operator].
+====
 
 include::modules/multi-architecture-verifying-cluster-compatibility.adoc[leveloffset=+1]
 
diff --git a/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-gcp.adoc b/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-gcp.adoc
index 9f245a080a85..0fcbbb778fd8 100644
--- a/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-gcp.adoc
+++ b/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-gcp.adoc
@@ -6,11 +6,15 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-To create a Google Cloud Platform (GCP) cluster with multi-architecture compute machines, you must first create a single-architecture GCP installer-provisioned cluster with the multi-architecture installer binary. For more information on AWS installations, refer to xref:../../installing/installing_gcp/installing-gcp-customizations.adoc[Installing a cluster on GCP with customizations]. You can then add ARM64 compute machines sets to your GCP cluster.
+To create a Google Cloud Platform (GCP) cluster with multi-architecture compute machines, you must first create a single-architecture GCP installer-provisioned cluster with the multi-architecture installer binary. For more information on AWS installations, see xref:../../installing/installing_gcp/installing-gcp-customizations.adoc[Installing a cluster on GCP with customizations]. 
+
+You can also migrate your current cluster with single-architecture compute machines to a cluster with multi-architecture compute machines. For more information, see xref:../../updating/updating_a_cluster/migrating-to-multi-payload.adoc#migrating-to-multi-payload[Migrating to a cluster with multi-architecture compute machines].
+
+After creating a multi-architecture cluster, you can add nodes with different architectures to the cluster.
 
 [NOTE]
 ====
-Secure booting is currently not supported on ARM64 machines for GCP
+Secure booting is currently not supported on 64-bit ARM machines for GCP
 ====
 
 include::modules/multi-architecture-verifying-cluster-compatibility.adoc[leveloffset=+1]
@@ -19,4 +23,6 @@ include::modules/multi-architecture-modify-machine-set-gcp.adoc[leveloffset=+1]
 
 .Additional resources
 
-* xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#installation-gcp-tested-machine-types-arm_installing-gcp-customizations[Tested instance types for GCP on 64-bit ARM infrastructures]
\ No newline at end of file
+* xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#installation-gcp-tested-machine-types-arm_installing-gcp-customizations[Tested instance types for GCP on 64-bit ARM infrastructures]
+
+* xref:../../post_installation_configuration/configuring-multi-arch-compute-machines/multiarch-tuning-operator.adoc#multiarch-tuning-operator[Managing workloads on multi-architecture clusters by using the Multiarch Tuning Operator]
\ No newline at end of file
diff --git a/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-ibm-power.adoc b/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-ibm-power.adoc
index aa04ae163944..32517a97a2ff 100644
--- a/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-ibm-power.adoc
+++ b/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-ibm-power.adoc
@@ -15,12 +15,13 @@ Before you can add `ppc64le` nodes to your cluster, you must upgrade your cluste
 
 The following procedures explain how to create a {op-system} compute machine using an ISO image or network PXE booting. This will allow you to add `ppc64le` nodes to your cluster and deploy a cluster with multi-architecture compute machines.
 
-[NOTE]
-====
 To create an {ibm-power-name} (`ppc64le`) cluster with multi-architecture compute machines on `x86_64`, follow the instructions for
 xref:../../installing/installing_ibm_power/preparing-to-install-on-ibm-power.adoc#preparing-to-install-on-ibm-power[Installing a cluster on {ibm-power-name}]. You can then add `x86_64` compute machines as described in xref:./creating-multi-arch-compute-nodes-bare-metal.adoc#creating-multi-arch-compute-nodes-bare-metal[Creating a cluster with multi-architecture compute machines on bare metal, {ibm-power-title}, or {ibm-z-title}].
-====
 
+[NOTE]
+====
+Before adding a secondary architecture node to your cluster, it is recommended to install the Multiarch Tuning Operator, and deploy a `ClusterPodPlacementConfig` object. For more information, see xref:../../post_installation_configuration/configuring-multi-arch-compute-machines/multiarch-tuning-operator.adoc#multiarch-tuning-operator[Managing workloads on multi-architecture clusters by using the Multiarch Tuning Operator].
+====
 
 include::modules/multi-architecture-verifying-cluster-compatibility.adoc[leveloffset=+1]
 
diff --git a/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-ibm-z-kvm.adoc b/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-ibm-z-kvm.adoc
index db7bd393ad34..6e18e7f139d1 100644
--- a/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-ibm-z-kvm.adoc
+++ b/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-ibm-z-kvm.adoc
@@ -12,10 +12,12 @@ Before you can add `s390x` nodes to your cluster, you must upgrade your cluster
 
 The following procedures explain how to create a {op-system} compute machine using a {op-system-base} KVM instance. This will allow you to add `s390x` nodes to your cluster and deploy a cluster with multi-architecture compute machines.
 
-[NOTE]
-====
 To create an {ibm-z-name} or {ibm-linuxone-name} (`s390x`) cluster with multi-architecture compute machines on `x86_64`, follow the instructions for
 xref:../../installing/installing_ibm_z/preparing-to-install-on-ibm-z.adoc#preparing-to-install-on-ibm-z[Installing a cluster on {ibm-z-name} and {ibm-linuxone-name}]. You can then add `x86_64` compute machines as described in xref:./creating-multi-arch-compute-nodes-bare-metal.adoc#creating-multi-arch-compute-nodes-bare-metal[Creating a cluster with multi-architecture compute machines on bare metal, {ibm-power-title}, or {ibm-z-title}].
+
+[NOTE]
+====
+Before adding a secondary architecture node to your cluster, it is recommended to install the Multiarch Tuning Operator, and deploy a `ClusterPodPlacementConfig` object. For more information, see xref:../../post_installation_configuration/configuring-multi-arch-compute-machines/multiarch-tuning-operator.adoc#multiarch-tuning-operator[Managing workloads on multi-architecture clusters by using the Multiarch Tuning Operator].
 ====
 
 include::modules/multi-architecture-verifying-cluster-compatibility.adoc[leveloffset=+1]
diff --git a/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-ibm-z-lpar.adoc b/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-ibm-z-lpar.adoc
new file mode 100644
index 000000000000..1f14102109e9
--- /dev/null
+++ b/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-ibm-z-lpar.adoc
@@ -0,0 +1,25 @@
+:_mod-docs-content-type: ASSEMBLY
+:context: creating-multi-arch-compute-nodes-ibm-z-lpar
+include::_attributes/common-attributes.adoc[]
+[id="creating-multi-arch-compute-nodes-ibm-z-lpar"]
+= Creating a cluster with multi-architecture compute machines on {ibm-z-title} and {ibm-linuxone-title} in an LPAR
+
+toc::[]
+
+To create a cluster with multi-architecture compute machines on {ibm-z-name} and {ibm-linuxone-name} (`s390x`) in an LPAR, you must have an existing single-architecture `x86_64` cluster. You can then add `s390x` compute machines to your {product-title} cluster.
+
+Before you can add `s390x` nodes to your cluster, you must upgrade your cluster to one that uses the multi-architecture payload. For more information on migrating to the multi-architecture payload, see xref:../../updating/updating_a_cluster/migrating-to-multi-payload.adoc#migrating-to-multi-payload[Migrating to a cluster with multi-architecture compute machines].
+
+The following procedures explain how to create a {op-system} compute machine using an LPAR instance. This will allow you to add `s390x` nodes to your cluster and deploy a cluster with multi-architecture compute machines.
+
+[NOTE]
+====
+To create an {ibm-z-name} or {ibm-linuxone-name} (`s390x`) cluster with multi-architecture compute machines on `x86_64`, follow the instructions for
+xref:../../installing/installing_ibm_z/preparing-to-install-on-ibm-z.adoc#preparing-to-install-on-ibm-z[Installing a cluster on {ibm-z-name} and {ibm-linuxone-name}]. You can then add `x86_64` compute machines as described in xref:./creating-multi-arch-compute-nodes-bare-metal.adoc#creating-multi-arch-compute-nodes-bare-metal[Creating a cluster with multi-architecture compute machines on bare metal, {ibm-power-title}, or {ibm-z-title}].
+====
+
+include::modules/multi-architecture-verifying-cluster-compatibility.adoc[leveloffset=+1]
+
+include::modules/machine-user-infra-machines-ibm-z.adoc[leveloffset=+1]
+
+include::modules/installation-approve-csrs.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-ibm-z.adoc b/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-ibm-z.adoc
index 6aaa8b504db7..3105d358058f 100644
--- a/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-ibm-z.adoc
+++ b/post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-ibm-z.adoc
@@ -12,10 +12,12 @@ Before you can add `s390x` nodes to your cluster, you must upgrade your cluster
 
 The following procedures explain how to create a {op-system} compute machine using a z/VM instance. This will allow you to add `s390x` nodes to your cluster and deploy a cluster with multi-architecture compute machines.
 
-[NOTE]
-====
 To create an {ibm-z-name} or {ibm-linuxone-name} (`s390x`) cluster with multi-architecture compute machines on `x86_64`, follow the instructions for
 xref:../../installing/installing_ibm_z/preparing-to-install-on-ibm-z.adoc#preparing-to-install-on-ibm-z[Installing a cluster on {ibm-z-name} and {ibm-linuxone-name}]. You can then add `x86_64` compute machines as described in xref:./creating-multi-arch-compute-nodes-bare-metal.adoc#creating-multi-arch-compute-nodes-bare-metal[Creating a cluster with multi-architecture compute machines on bare metal, {ibm-power-title}, or {ibm-z-title}].
+
+[NOTE]
+====
+Before adding a secondary architecture node to your cluster, it is recommended to install the Multiarch Tuning Operator, and deploy a `ClusterPodPlacementConfig` object. For more information, see xref:../../post_installation_configuration/configuring-multi-arch-compute-machines/multiarch-tuning-operator.adoc#multiarch-tuning-operator[Managing workloads on multi-architecture clusters by using the Multiarch Tuning Operator].
 ====
 
 include::modules/multi-architecture-verifying-cluster-compatibility.adoc[leveloffset=+1]
diff --git a/post_installation_configuration/configuring-multi-arch-compute-machines/multi-architecture-compute-managing.adoc b/post_installation_configuration/configuring-multi-arch-compute-machines/multi-architecture-compute-managing.adoc
index f0e3e4b8446c..d251bc7ba5b2 100644
--- a/post_installation_configuration/configuring-multi-arch-compute-machines/multi-architecture-compute-managing.adoc
+++ b/post_installation_configuration/configuring-multi-arch-compute-machines/multi-architecture-compute-managing.adoc
@@ -1,7 +1,7 @@
 :_mod-docs-content-type: ASSEMBLY
 :context: multi-architecture-compute-managing
 [id="multi-architecture-compute-managing"]
-= Managing your cluster with multi-architecture compute machines
+= Managing a cluster with multi-architecture compute machines
 include::_attributes/common-attributes.adoc[]
 
 toc::[]
@@ -10,7 +10,9 @@ toc::[]
 
 Deploying a workload on a cluster with compute nodes of different architectures requires attention and monitoring of your cluster. There might be further actions you need to take in order to successfully place pods in the nodes of your cluster.
 
-For more detailed information on node affinity, scheduling, taints and tolerlations, see the following documentatinon:
+You can use the Multiarch Tuning Operator to enable architecture-aware scheduling of workloads on clusters with multi-architecture compute machines. The Multiarch Tuning Operator implements additional scheduler predicates in the pods specifications based on the architectures that the pods can support at creation time. For more information, see xref:../../post_installation_configuration/configuring-multi-arch-compute-machines/multiarch-tuning-operator.adoc#multiarch-tuning-operator[Managing workloads on multi-architecture clusters by using the Multiarch Tuning Operator]. 
+
+For more information on node affinity, scheduling, taints and tolerlations, see the following documentation:
 
 * xref:../../nodes/scheduling/nodes-scheduler-taints-tolerations.adoc#nodes-scheduler-taints-tolerations[Controlling pod placement using node taints].
 
diff --git a/post_installation_configuration/configuring-multi-arch-compute-machines/multi-architecture-configuration.adoc b/post_installation_configuration/configuring-multi-arch-compute-machines/multi-architecture-configuration.adoc
index 7d7f7be6f2df..88a301caecb9 100644
--- a/post_installation_configuration/configuring-multi-arch-compute-machines/multi-architecture-configuration.adoc
+++ b/post_installation_configuration/configuring-multi-arch-compute-machines/multi-architecture-configuration.adoc
@@ -6,7 +6,7 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-An {product-title} cluster with multi-architecture compute machines is a cluster that supports compute machines with different architectures. Clusters with multi-architecture compute machines are available only on Amazon Web Services (AWS) or Microsoft Azure installer-provisioned infrastructures and bare metal, {ibm-power-name}, and {ibm-z-name} user-provisioned infrastructures with 64-bit x86 control plane machines.
+An {product-title} cluster with multi-architecture compute machines is a cluster that supports compute machines with different architectures. 
 
 [NOTE]
 ====
@@ -33,29 +33,29 @@ To create a cluster with multi-architecture compute machines with different inst
 |Microsoft Azure
 |
 |&#10003;
-|`x86_64`
-|`aarch64`
+|`aarch64` or `x86_64` 
+|`aarch64`, `x86_64`
 
 |xref:../../post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-aws.adoc#creating-multi-arch-compute-nodes-aws[Creating a cluster with multi-architecture compute machines on AWS]
 |Amazon Web Services (AWS)
 |
 |&#10003;
-|`x86_64`
-|`aarch64`
+|`aarch64` or `x86_64` 
+|`aarch64`, `x86_64`
 
 |xref:../../post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-gcp.adoc#creating-multi-arch-compute-nodes-gcp[Creating a cluster with multi-architecture compute machines on GCP]
 |Google Cloud Platform (GCP)
 |
 |&#10003;
-|`x86_64`
-|`aarch64`
+|`aarch64` or `x86_64` 
+|`aarch64`, `x86_64`
 
 .3+|xref:../../post_installation_configuration/configuring-multi-arch-compute-machines/creating-multi-arch-compute-nodes-bare-metal.adoc#creating-multi-arch-compute-nodes-bare-metal[Creating a cluster with multi-architecture compute machines on bare metal, {ibm-power-title}, or {ibm-z-title}]
 |Bare metal
 |&#10003;
 |
-|`x86_64`
-|`aarch64`
+|`aarch64` or `x86_64` 
+|`aarch64`, `x86_64`
 
 |{ibm-power-title}
 |&#10003;
diff --git a/post_installation_configuration/configuring-multi-arch-compute-machines/multiarch-tuning-operator.adoc b/post_installation_configuration/configuring-multi-arch-compute-machines/multiarch-tuning-operator.adoc
new file mode 100644
index 000000000000..b4d4923e6d97
--- /dev/null
+++ b/post_installation_configuration/configuring-multi-arch-compute-machines/multiarch-tuning-operator.adoc
@@ -0,0 +1,61 @@
+:_mod-docs-content-type: ASSEMBLY
+:context: multiarch-tuning-operator
+[id="multiarch-tuning-operator"]
+= Managing workloads on multi-architecture clusters by using the Multiarch Tuning Operator
+include::_attributes/common-attributes.adoc[]
+
+toc::[]
+
+[IMPORTANT]
+====
+The Multiarch Tuning Operator is a Technology Preview feature only. Technology Preview features are not supported with Red{nbsp}Hat production service level agreements (SLAs) and might not be functionally complete. Red{nbsp}Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
+For more information about the support scope of Red{nbsp}Hat Technology Preview features, see link:https://access.redhat.com/support/offerings/techpreview/[Technology Preview Features Support Scope].
+====
+
+The Multiarch Tuning Operator enhances the operational experience within multi-architecture clusters, and single-architecture clusters that are migrating to a multi-architecture compute configuration.
+
+This Operator implements the `clusterpodplacementconfigs` custom resource (CR) to support architecture-aware workload scheduling.
+
+To enable architecture-aware workload scheduling, you must create the `ClusterPodPlacementConfig` object. When you create the `ClusterPodPlacementConfig` object, this Operator deploys an operand.
+
+When a pod is created, the operand performs the following actions: 
+
+. Add the `multiarch.openshift.io/scheduling-gate` scheduling gate that prevents the scheduling of the pod.
+. Compute a scheduling predicate that includes the supported architecture values for the `kubernetes.io/arch` label. 
+. Integrate the scheduling predicate as a `nodeAffinity` requirement in the pod specification.
+. Remove the scheduling gate from the pod.
+
+When the operand removes the scheduling gate, the pod enters the scheduling cycle. The workload is then scheduled on nodes based on the supported architectures.
+
+[IMPORTANT]
+====
+The Technology Preview version of the Multiarch Tuning Operator does not support clusters with restricted network scenarios.
+====
+
+//Installing Multiarch Tuning Operator
+include::modules/multi-arch-installing-using-cli.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../operators/user/olm-installing-operators-in-namespace.adoc#olm-installing-operator-from-operatorhub-using-cli_olm-installing-operators-in-namespace[Installing from OperatorHub using the CLI]
+
+include::modules/multi-arch-installing-using-web-console.adoc[leveloffset=+1]
+
+//Creating the pod placement config object
+include::modules/multi-arch-creating-podplacment-config.adoc[leveloffset=+1]
+
+include::modules/multi-arch-creating-podplacment-config-using-cli.adoc[leveloffset=+2]
+
+include::modules/multi-arch-creating-podplacment-config-using-web-console.adoc[leveloffset=+2]
+
+//Deleting the pod placement config object
+
+include::modules/multi-arch-deleting-podplacment-config-using-cli.adoc[leveloffset=+1]
+
+include::modules/multi-arch-deleting-podplacment-config-using-web-console.adoc[leveloffset=+1]
+
+//Uninstalling Multiarch Tuning Operator
+include::modules/multi-arch-uninstalling-using-cli.adoc[leveloffset=+1]
+
+include::modules/multi-arch-uninstalling-using-web-console.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/post_installation_configuration/ibmz-post-install.adoc b/post_installation_configuration/ibmz-post-install.adoc
index f1a0ebed43b2..02aad96ca52b 100644
--- a/post_installation_configuration/ibmz-post-install.adoc
+++ b/post_installation_configuration/ibmz-post-install.adoc
@@ -23,7 +23,7 @@ The procedures described here apply only to z/VM installations. If you have inst
 [role="_additional-resources"]
 .Additional resources
 
-* xref:../post_installation_configuration/machine-configuration-tasks.adoc#post-install-machine-configuration-tasks[Postinstallation machine configuration tasks]
+* xref:../machine_configuration/index.adoc#machine-config-overview[Machine configuration overview]
 
 include::modules/ibmz-configure-devices-mco.adoc[leveloffset=+1]
 
diff --git a/post_installation_configuration/index.adoc b/post_installation_configuration/index.adoc
index ed94df34f1a3..5e70df5d924f 100644
--- a/post_installation_configuration/index.adoc
+++ b/post_installation_configuration/index.adoc
@@ -24,7 +24,7 @@ You can perform the post-installation configuration tasks to configure your envi
 
 The following lists details these configurations:
 
-* xref:../post_installation_configuration/machine-configuration-tasks.adoc#post-install-machine-configuration-tasks[Configure operating system features]: The Machine Config Operator (MCO) manages `MachineConfig` objects. By using the MCO, you can configure nodes and custom resources.
+* xref:../machine_configuration/index.adoc#machine-config-overview[Configure operating system features]: The Machine Config Operator (MCO) manages `MachineConfig` objects. By using the MCO, you can configure nodes and custom resources.
 
 * xref:../post_installation_configuration/bare-metal-configuration.adoc#post-install-bare-metal-configuration[Configure bare metal nodes]: You can use the Bare Metal Operator (BMO) to manage bare metal hosts. The BMO can complete the following operations:
 
diff --git a/post_installation_configuration/machine-configuration-tasks.adoc b/post_installation_configuration/machine-configuration-tasks.adoc
index 401186f69c13..afe674fb3ae0 100644
--- a/post_installation_configuration/machine-configuration-tasks.adoc
+++ b/post_installation_configuration/machine-configuration-tasks.adoc
@@ -24,11 +24,37 @@ Previously, NetworkManager stored new network configurations to `/etc/sysconfig/
 
 include::modules/machine-config-operator.adoc[leveloffset=+2]
 include::modules/machine-config-overview.adoc[leveloffset=+2]
+
+.Additional resources
+
+* xref:../machine_configuration/machine-config-node-disruption.adoc#machine-config-node-disruption[Understanding node restart behaviors after machine config changes]
+
 include::modules/machine-config-drift-detection.adoc[leveloffset=+2]
 include::modules/checking-mco-status.adoc[leveloffset=+2]
 include::modules/checking-mco-node-status.adoc[leveloffset=+2]
 include::modules/checking-mco-status-certs.adoc[leveloffset=+2]
 
+include::modules/mco-update-boot-images.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../nodes/clusters/nodes-cluster-enabling-features.adoc#nodes-cluster-enabling[Enabling features using feature gates]
+
+include::modules/mco-update-boot-images-disable.adoc[leveloffset=+2]
+
+include::modules/machine-config-node-disruption.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../architecture/control-plane.adoc#about-machine-config-operator_control-plane[About the Machine Config Operator]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../nodes/clusters/nodes-cluster-enabling-features.adoc#nodes-cluster-enabling[Enabling features using feature gates]
+
 [id="using-machineconfigs-to-change-machines"]
 == Using MachineConfig objects to configure nodes
 
@@ -36,7 +62,7 @@ You can use the tasks in this section to create `MachineConfig` objects that mod
 
 {product-title} supports link:https://coreos.github.io/ignition/configuration-v3_2/[Ignition specification version 3.2]. All new machine configs you create going forward should be based on Ignition specification version 3.2. If you are upgrading your {product-title} cluster, any existing Ignition specification version 2.x machine configs will be translated automatically to specification version 3.2.
 
-There might be situations where the configuration on a node does not fully match what the currently-applied machine config specifies. This state is called _configuration drift_. The Machine Config Daemon (MCD) regularly checks the nodes for configuration drift. If the MCD detects configuration drift, the MCO marks the node `degraded` until an administrator corrects the node configuration. A degraded node is online and operational, but, it cannot be updated. For more information on configuration drift, see xref:../post_installation_configuration/machine-configuration-tasks.adoc#machine-config-drift-detection_post-install-machine-configuration-tasks[Understanding configuration drift detection].
+There might be situations where the configuration on a node does not fully match what the currently-applied machine config specifies. This state is called _configuration drift_. The Machine Config Daemon (MCD) regularly checks the nodes for configuration drift. If the MCD detects configuration drift, the MCO marks the node `degraded` until an administrator corrects the node configuration. A degraded node is online and operational, but, it cannot be updated. For more information on configuration drift, see xref:../machine_configuration/index.adoc#machine-config-drift-detection_machine-config-overview[Understanding configuration drift detection].
 
 [TIP]
 ====
diff --git a/post_installation_configuration/post-install-vsphere-zones-regions-configuration.adoc b/post_installation_configuration/post-install-vsphere-zones-regions-configuration.adoc
index 437bc6d47563..6b97cfce72cb 100644
--- a/post_installation_configuration/post-install-vsphere-zones-regions-configuration.adoc
+++ b/post_installation_configuration/post-install-vsphere-zones-regions-configuration.adoc
@@ -1,7 +1,7 @@
 :_mod-docs-content-type: ASSEMBLY
 :context: post-install-vsphere-zones-regions-configuration
 [id="post-install-vsphere-zones-regions-configuration"]
-=  Multiple regions and zones configuration for a cluster on {vmw-short}
+=  Multiple regions and zones configuration for a cluster on VMware vSphere
 include::_attributes/common-attributes.adoc[]
 
 toc::[]
diff --git a/post_installation_configuration/preparing-for-users.adoc b/post_installation_configuration/preparing-for-users.adoc
index eef3771944c7..f9b72134923e 100644
--- a/post_installation_configuration/preparing-for-users.adoc
+++ b/post_installation_configuration/preparing-for-users.adoc
@@ -114,6 +114,10 @@ include::modules/rbac-cluster-role-binding-commands.adoc[leveloffset=+2]
 include::modules/rbac-creating-cluster-admin.adoc[leveloffset=+2]
 endif::[]
 
+include::modules/unauthenticated-users-cluster-role-binding-con.adoc[leveloffset=+2]
+
+include::modules/unauthenticated-users-cluster-role-binding.adoc[leveloffset=+2]
+
 include::modules/authentication-kubeadmin.adoc[leveloffset=+1]
 
 include::modules/authentication-remove-kubeadmin.adoc[leveloffset=+2]
diff --git a/registry/configuring_registry_storage/configuring-registry-storage-osp.adoc b/registry/configuring_registry_storage/configuring-registry-storage-osp.adoc
index 6a55d46c73b5..a218e11c838a 100644
--- a/registry/configuring_registry_storage/configuring-registry-storage-osp.adoc
+++ b/registry/configuring_registry_storage/configuring-registry-storage-osp.adoc
@@ -1,7 +1,7 @@
 :_mod-docs-content-type: ASSEMBLY
+include::_attributes/common-attributes.adoc[]
 [id="configuring-registry-storage-openstack"]
 = Configuring the registry for {rh-openstack}
-include::_attributes/common-attributes.adoc[]
 :context: configuring-registry-storage-openstack
 
 toc::[]
diff --git a/rest_api/config_apis/network-config-openshift-io-v1.adoc b/rest_api/config_apis/network-config-openshift-io-v1.adoc
index 20751b0ed5de..c967d7712119 100644
--- a/rest_api/config_apis/network-config-openshift-io-v1.adoc
+++ b/rest_api/config_apis/network-config-openshift-io-v1.adoc
@@ -78,6 +78,11 @@ Type::
 | `object`
 | externalIP defines configuration for controllers that affect Service.ExternalIP. If nil, then ExternalIP is not allowed to be set.
 
+| `networkDiagnostics`
+| `object`
+| networkDiagnostics defines network diagnostics configuration. 
+ Takes precedence over spec.disableNetworkDiagnostics in network.operator.openshift.io. If networkDiagnostics is not specified or is empty, and the spec.disableNetworkDiagnostics flag in network.operator.openshift.io is set to true, the network diagnostics feature will be disabled.
+
 | `networkType`
 | `string`
 | NetworkType is the plugin that is to be deployed (e.g. OpenShiftSDN). This should match a value that the cluster-network-operator understands, or else no networking will be installed. Currently supported values are: - OpenShiftSDN This field is immutable after installation.
@@ -181,6 +186,210 @@ Type::
 | `array (string)`
 | rejectedCIDRs is the list of disallowed CIDRs. These take precedence over allowedCIDRs.
 
+|===
+=== .spec.networkDiagnostics
+Description::
++
+--
+networkDiagnostics defines network diagnostics configuration. 
+ Takes precedence over spec.disableNetworkDiagnostics in network.operator.openshift.io. If networkDiagnostics is not specified or is empty, and the spec.disableNetworkDiagnostics flag in network.operator.openshift.io is set to true, the network diagnostics feature will be disabled.
+--
+
+Type::
+  `object`
+
+
+
+
+[cols="1,1,1",options="header"]
+|===
+| Property | Type | Description
+
+| `mode`
+| `string`
+| mode controls the network diagnostics mode 
+ When omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default is All.
+
+| `sourcePlacement`
+| `object`
+| sourcePlacement controls the scheduling of network diagnostics source deployment 
+ See NetworkDiagnosticsSourcePlacement for more details about default values.
+
+| `targetPlacement`
+| `object`
+| targetPlacement controls the scheduling of network diagnostics target daemonset 
+ See NetworkDiagnosticsTargetPlacement for more details about default values.
+
+|===
+=== .spec.networkDiagnostics.sourcePlacement
+Description::
++
+--
+sourcePlacement controls the scheduling of network diagnostics source deployment 
+ See NetworkDiagnosticsSourcePlacement for more details about default values.
+--
+
+Type::
+  `object`
+
+
+
+
+[cols="1,1,1",options="header"]
+|===
+| Property | Type | Description
+
+| `nodeSelector`
+| `object (string)`
+| nodeSelector is the node selector applied to network diagnostics components 
+ When omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default is `kubernetes.io/os: linux`.
+
+| `tolerations`
+| `array`
+| tolerations is a list of tolerations applied to network diagnostics components 
+ When omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default is an empty list.
+
+| `tolerations[]`
+| `object`
+| The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
+
+|===
+=== .spec.networkDiagnostics.sourcePlacement.tolerations
+Description::
++
+--
+tolerations is a list of tolerations applied to network diagnostics components 
+ When omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default is an empty list.
+--
+
+Type::
+  `array`
+
+
+
+
+=== .spec.networkDiagnostics.sourcePlacement.tolerations[]
+Description::
++
+--
+The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
+--
+
+Type::
+  `object`
+
+
+
+
+[cols="1,1,1",options="header"]
+|===
+| Property | Type | Description
+
+| `effect`
+| `string`
+| Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+
+| `key`
+| `string`
+| Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+
+| `operator`
+| `string`
+| Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
+
+| `tolerationSeconds`
+| `integer`
+| TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
+
+| `value`
+| `string`
+| Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
+
+|===
+=== .spec.networkDiagnostics.targetPlacement
+Description::
++
+--
+targetPlacement controls the scheduling of network diagnostics target daemonset 
+ See NetworkDiagnosticsTargetPlacement for more details about default values.
+--
+
+Type::
+  `object`
+
+
+
+
+[cols="1,1,1",options="header"]
+|===
+| Property | Type | Description
+
+| `nodeSelector`
+| `object (string)`
+| nodeSelector is the node selector applied to network diagnostics components 
+ When omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default is `kubernetes.io/os: linux`.
+
+| `tolerations`
+| `array`
+| tolerations is a list of tolerations applied to network diagnostics components 
+ When omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default is `- operator: "Exists"` which means that all taints are tolerated.
+
+| `tolerations[]`
+| `object`
+| The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
+
+|===
+=== .spec.networkDiagnostics.targetPlacement.tolerations
+Description::
++
+--
+tolerations is a list of tolerations applied to network diagnostics components 
+ When omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default is `- operator: "Exists"` which means that all taints are tolerated.
+--
+
+Type::
+  `array`
+
+
+
+
+=== .spec.networkDiagnostics.targetPlacement.tolerations[]
+Description::
++
+--
+The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
+--
+
+Type::
+  `object`
+
+
+
+
+[cols="1,1,1",options="header"]
+|===
+| Property | Type | Description
+
+| `effect`
+| `string`
+| Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+
+| `key`
+| `string`
+| Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+
+| `operator`
+| `string`
+| Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
+
+| `tolerationSeconds`
+| `integer`
+| TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
+
+| `value`
+| `string`
+| Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
+
 |===
 === .status
 Description::
diff --git a/rest_api/network_apis/adminnetworkpolicy-policy-networking-k8s-io-v1alpha1.adoc b/rest_api/network_apis/adminnetworkpolicy-policy-networking-k8s-io-v1alpha1.adoc
index f508d7c8c562..48547c269d7b 100644
--- a/rest_api/network_apis/adminnetworkpolicy-policy-networking-k8s-io-v1alpha1.adoc
+++ b/rest_api/network_apis/adminnetworkpolicy-policy-networking-k8s-io-v1alpha1.adoc
@@ -123,6 +123,7 @@ Support: Core
 | `subject`
 | `object`
 | Subject defines the pods to which this AdminNetworkPolicy applies.
+Note that host-networked pods are not included in subject selection.
 
 
 Support: Core
@@ -1467,6 +1468,7 @@ Description::
 +
 --
 Subject defines the pods to which this AdminNetworkPolicy applies.
+Note that host-networked pods are not included in subject selection.
 
 
 Support: Core
diff --git a/rest_api/network_apis/baselineadminnetworkpolicy-policy-networking-k8s-io-v1alpha1.adoc b/rest_api/network_apis/baselineadminnetworkpolicy-policy-networking-k8s-io-v1alpha1.adoc
index 28665befbb55..46fad3a8f2be 100644
--- a/rest_api/network_apis/baselineadminnetworkpolicy-policy-networking-k8s-io-v1alpha1.adoc
+++ b/rest_api/network_apis/baselineadminnetworkpolicy-policy-networking-k8s-io-v1alpha1.adoc
@@ -113,6 +113,7 @@ Subject field.
 | `subject`
 | `object`
 | Subject defines the pods to which this BaselineAdminNetworkPolicy applies.
+Note that host-networked pods are not included in subject selection.
 
 
 Support: Core
@@ -1445,6 +1446,7 @@ Description::
 +
 --
 Subject defines the pods to which this BaselineAdminNetworkPolicy applies.
+Note that host-networked pods are not included in subject selection.
 
 
 Support: Core
diff --git a/rest_api/network_apis/egressfirewall-k8s-ovn-org-v1.adoc b/rest_api/network_apis/egressfirewall-k8s-ovn-org-v1.adoc
index fbbcda972635..eed85ba92baf 100644
--- a/rest_api/network_apis/egressfirewall-k8s-ovn-org-v1.adoc
+++ b/rest_api/network_apis/egressfirewall-k8s-ovn-org-v1.adoc
@@ -191,7 +191,7 @@ Type::
 
 | `dnsName`
 | `string`
-| dnsName is the domain name to allow/deny traffic to. If this is set, cidrSelector and nodeSelector must be unset.
+| dnsName is the domain name to allow/deny traffic to. If this is set, cidrSelector and nodeSelector must be unset. For a wildcard DNS name, the '*' will match only one label. Additionally, only a single '*' can be used at the beginning of the wildcard DNS name. For example, '*.example.com' will match 'sub1.example.com' but won't match 'sub2.sub1.example.com'
 
 | `nodeSelector`
 | `object`
diff --git a/rest_api/operator_apis/config-imageregistry-operator-openshift-io-v1.adoc b/rest_api/operator_apis/config-imageregistry-operator-openshift-io-v1.adoc
index b3a3abc9caac..2e0da69a124e 100644
--- a/rest_api/operator_apis/config-imageregistry-operator-openshift-io-v1.adoc
+++ b/rest_api/operator_apis/config-imageregistry-operator-openshift-io-v1.adoc
@@ -660,7 +660,15 @@ Required::
 
 | `labelSelector`
 | `object`
-| A label query over a set of resources, in this case pods.
+| A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
+
+| `matchLabelKeys`
+| `array (string)`
+| MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+
+| `mismatchLabelKeys`
+| `array (string)`
+| MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
 
 | `namespaceSelector`
 | `object`
@@ -679,7 +687,7 @@ Required::
 Description::
 +
 --
-A label query over a set of resources, in this case pods.
+A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
 --
 
 Type::
@@ -861,7 +869,15 @@ Required::
 
 | `labelSelector`
 | `object`
-| A label query over a set of resources, in this case pods.
+| A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
+
+| `matchLabelKeys`
+| `array (string)`
+| MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+
+| `mismatchLabelKeys`
+| `array (string)`
+| MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
 
 | `namespaceSelector`
 | `object`
@@ -880,7 +896,7 @@ Required::
 Description::
 +
 --
-A label query over a set of resources, in this case pods.
+A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
 --
 
 Type::
@@ -1125,7 +1141,15 @@ Required::
 
 | `labelSelector`
 | `object`
-| A label query over a set of resources, in this case pods.
+| A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
+
+| `matchLabelKeys`
+| `array (string)`
+| MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+
+| `mismatchLabelKeys`
+| `array (string)`
+| MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
 
 | `namespaceSelector`
 | `object`
@@ -1144,7 +1168,7 @@ Required::
 Description::
 +
 --
-A label query over a set of resources, in this case pods.
+A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
 --
 
 Type::
@@ -1326,7 +1350,15 @@ Required::
 
 | `labelSelector`
 | `object`
-| A label query over a set of resources, in this case pods.
+| A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
+
+| `matchLabelKeys`
+| `array (string)`
+| MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+
+| `mismatchLabelKeys`
+| `array (string)`
+| MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
 
 | `namespaceSelector`
 | `object`
@@ -1345,7 +1377,7 @@ Required::
 Description::
 +
 --
-A label query over a set of resources, in this case pods.
+A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
 --
 
 Type::
@@ -2541,6 +2573,8 @@ OperatorCondition is just the standard condition fields.
 Type::
   `object`
 
+Required::
+  - `type`
 
 
 
diff --git a/rest_api/operator_apis/dns-operator-openshift-io-v1.adoc b/rest_api/operator_apis/dns-operator-openshift-io-v1.adoc
index 48f25182c66d..238614bf2857 100644
--- a/rest_api/operator_apis/dns-operator-openshift-io-v1.adoc
+++ b/rest_api/operator_apis/dns-operator-openshift-io-v1.adoc
@@ -429,7 +429,7 @@ Type::
 | `upstreams[]`
 | `object`
 | Upstream can either be of type SystemResolvConf, or of type Network. 
- * For an Upstream of type SystemResolvConf, no further fields are necessary: The upstream will be configured to use /etc/resolv.conf. * For an Upstream of type Network, a NetworkResolver field needs to be defined with an IP address or IP:port if the upstream listens on a port other than 53.
+ - For an Upstream of type SystemResolvConf, no further fields are necessary: The upstream will be configured to use /etc/resolv.conf. - For an Upstream of type Network, a NetworkResolver field needs to be defined with an IP address or IP:port if the upstream listens on a port other than 53.
 
 |===
 === .spec.upstreamResolvers.transportConfig
@@ -533,7 +533,7 @@ Description::
 +
 --
 Upstream can either be of type SystemResolvConf, or of type Network. 
- * For an Upstream of type SystemResolvConf, no further fields are necessary: The upstream will be configured to use /etc/resolv.conf. * For an Upstream of type Network, a NetworkResolver field needs to be defined with an IP address or IP:port if the upstream listens on a port other than 53.
+ - For an Upstream of type SystemResolvConf, no further fields are necessary: The upstream will be configured to use /etc/resolv.conf. - For an Upstream of type Network, a NetworkResolver field needs to be defined with an IP address or IP:port if the upstream listens on a port other than 53.
 --
 
 Type::
@@ -630,6 +630,8 @@ OperatorCondition is just the standard condition fields.
 Type::
   `object`
 
+Required::
+  - `type`
 
 
 
diff --git a/rest_api/operator_apis/etcd-operator-openshift-io-v1.adoc b/rest_api/operator_apis/etcd-operator-openshift-io-v1.adoc
index 75cef7a7358a..279387d0c94b 100644
--- a/rest_api/operator_apis/etcd-operator-openshift-io-v1.adoc
+++ b/rest_api/operator_apis/etcd-operator-openshift-io-v1.adoc
@@ -66,6 +66,10 @@ Type::
 |===
 | Property | Type | Description
 
+| `controlPlaneHardwareSpeed`
+| `string`
+| HardwareSpeed allows user to change the etcd tuning profile which configures the latency parameters for heartbeat interval and leader election timeouts allowing the cluster to tolerate longer round-trip-times between etcd members. Valid values are "", "Standard" and "Slower". "" means no opinion and the platform is left to choose a reasonable default which is subject to change without notice.
+
 | `failedRevisionLimit`
 | `integer`
 | failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api -1 = unlimited, 0 or unset = 5 (default)
diff --git a/rest_api/operator_apis/imagepruner-imageregistry-operator-openshift-io-v1.adoc b/rest_api/operator_apis/imagepruner-imageregistry-operator-openshift-io-v1.adoc
index 94c63b5ce9d6..34c7d8707a13 100644
--- a/rest_api/operator_apis/imagepruner-imageregistry-operator-openshift-io-v1.adoc
+++ b/rest_api/operator_apis/imagepruner-imageregistry-operator-openshift-io-v1.adoc
@@ -617,7 +617,15 @@ Required::
 
 | `labelSelector`
 | `object`
-| A label query over a set of resources, in this case pods.
+| A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
+
+| `matchLabelKeys`
+| `array (string)`
+| MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+
+| `mismatchLabelKeys`
+| `array (string)`
+| MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
 
 | `namespaceSelector`
 | `object`
@@ -636,7 +644,7 @@ Required::
 Description::
 +
 --
-A label query over a set of resources, in this case pods.
+A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
 --
 
 Type::
@@ -818,7 +826,15 @@ Required::
 
 | `labelSelector`
 | `object`
-| A label query over a set of resources, in this case pods.
+| A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
+
+| `matchLabelKeys`
+| `array (string)`
+| MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+
+| `mismatchLabelKeys`
+| `array (string)`
+| MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
 
 | `namespaceSelector`
 | `object`
@@ -837,7 +853,7 @@ Required::
 Description::
 +
 --
-A label query over a set of resources, in this case pods.
+A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
 --
 
 Type::
@@ -1082,7 +1098,15 @@ Required::
 
 | `labelSelector`
 | `object`
-| A label query over a set of resources, in this case pods.
+| A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
+
+| `matchLabelKeys`
+| `array (string)`
+| MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+
+| `mismatchLabelKeys`
+| `array (string)`
+| MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
 
 | `namespaceSelector`
 | `object`
@@ -1101,7 +1125,7 @@ Required::
 Description::
 +
 --
-A label query over a set of resources, in this case pods.
+A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
 --
 
 Type::
@@ -1283,7 +1307,15 @@ Required::
 
 | `labelSelector`
 | `object`
-| A label query over a set of resources, in this case pods.
+| A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
+
+| `matchLabelKeys`
+| `array (string)`
+| MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+
+| `mismatchLabelKeys`
+| `array (string)`
+| MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
 
 | `namespaceSelector`
 | `object`
@@ -1302,7 +1334,7 @@ Required::
 Description::
 +
 --
-A label query over a set of resources, in this case pods.
+A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
 --
 
 Type::
@@ -1629,6 +1661,8 @@ OperatorCondition is just the standard condition fields.
 Type::
   `object`
 
+Required::
+  - `type`
 
 
 
diff --git a/rest_api/operator_apis/kubecontrollermanager-operator-openshift-io-v1.adoc b/rest_api/operator_apis/kubecontrollermanager-operator-openshift-io-v1.adoc
index b7a959474223..58408bf0ecd0 100644
--- a/rest_api/operator_apis/kubecontrollermanager-operator-openshift-io-v1.adoc
+++ b/rest_api/operator_apis/kubecontrollermanager-operator-openshift-io-v1.adoc
@@ -190,6 +190,8 @@ OperatorCondition is just the standard condition fields.
 Type::
   `object`
 
+Required::
+  - `type`
 
 
 
@@ -296,6 +298,8 @@ NodeStatus provides information about the current state of a particular node man
 Type::
   `object`
 
+Required::
+  - `nodeName`
 
 
 
diff --git a/rest_api/operator_apis/network-operator-openshift-io-v1.adoc b/rest_api/operator_apis/network-operator-openshift-io-v1.adoc
index f39ac3b3db63..14f019248479 100644
--- a/rest_api/operator_apis/network-operator-openshift-io-v1.adoc
+++ b/rest_api/operator_apis/network-operator-openshift-io-v1.adoc
@@ -760,7 +760,7 @@ Type::
 Description::
 +
 --
-ipv4 allows users to configure IP settings for IPv4 connections. When ommitted, this means no opinions and the default configuration is used. Check individual fields within ipv4 for details of default values.
+ipv4 allows users to configure IP settings for IPv4 connections. When omitted, this means no opinions and the default configuration is used. Check individual fields within ipv4 for details of default values.
 --
 
 Type::
diff --git a/rest_api/operator_apis/openshiftcontrollermanager-operator-openshift-io-v1.adoc b/rest_api/operator_apis/openshiftcontrollermanager-operator-openshift-io-v1.adoc
index 8686c65cb1ad..3237234835e4 100644
--- a/rest_api/operator_apis/openshiftcontrollermanager-operator-openshift-io-v1.adoc
+++ b/rest_api/operator_apis/openshiftcontrollermanager-operator-openshift-io-v1.adoc
@@ -158,6 +158,8 @@ OperatorCondition is just the standard condition fields.
 Type::
   `object`
 
+Required::
+  - `type`
 
 
 
diff --git a/rosa_architecture/rosa-sts-about-iam-resources.adoc b/rosa_architecture/rosa-sts-about-iam-resources.adoc
index 26a0afbc2e5a..c36e6b7b7959 100644
--- a/rosa_architecture/rosa-sts-about-iam-resources.adoc
+++ b/rosa_architecture/rosa-sts-about-iam-resources.adoc
@@ -35,8 +35,8 @@ If you only use the ROSA CLI (`rosa`), then you do not need to create these IAM
 
 These AWS IAM roles are as follows:
 
-* The ROSA user role is an AWS role used by Red Hat to verify the customer's AWS identity. This role has no additional permissions, and the role has a trust relationship with the Red Hat installer account.
-* An `ocm-role` resource grants the required permissions for installation of ROSA clusters in {cluster-manager}. You can apply basic or administrative permissions to the `ocm-role` resource. If you create an administrative `ocm-role` resource, {cluster-manager} can create the needed AWS Operator roles and OpenID Connect (OIDC) provider. This IAM role also creates a trust relationship with the Red Hat installer account as well.
+* The ROSA user role is an AWS role used by Red{nbsp}Hat to verify the customer's AWS identity. This role has no additional permissions, and the role has a trust relationship with the Red{nbsp}Hat installer account.
+* An `ocm-role` resource grants the required permissions for installation of ROSA clusters in {cluster-manager}. You can apply basic or administrative permissions to the `ocm-role` resource. If you create an administrative `ocm-role` resource, {cluster-manager} can create the needed AWS Operator roles and OpenID Connect (OIDC) provider. This IAM role also creates a trust relationship with the Red{nbsp}Hat installer account as well.
 +
 [NOTE]
 ====
@@ -76,14 +76,21 @@ include::modules/rosa-sts-account-wide-roles-and-policies.adoc[leveloffset=+1]
 * For a definition of OpenShift major, minor, and patch versions, see xref:../rosa_architecture/rosa_policy_service_definition/rosa-life-cycle.adoc#rosa-life-cycle-definitions_rosa-life-cycle[the {product-title} update life cycle].
 
 include::modules/rosa-sts-account-wide-role-and-policy-commands.adoc[leveloffset=+2]
+include::modules/rosa-sts-aws-requirements-attaching-boundary-policy.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* For more information, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html[Permissions boundaries for IAM entities] (AWS documentation).
+* For more information about creating the required account-wide STS roles and policies see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-account-wide-sts-roles-and-policies_rosa-sts-creating-a-cluster-quickly[Creating the account-wide STS roles and policies].
+
 include::modules/rosa-sts-operator-roles.adoc[leveloffset=+1]
 include::modules/rosa-sts-operator-role-commands.adoc[leveloffset=+2]
 include::modules/rosa-sts-about-operator-role-prefixes.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 .Additional resources
-
-* For steps to create the cluster-specific Operator IAM roles using a custom prefix, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-customizations-cli_rosa-sts-creating-a-cluster-with-customizations[Creating a cluster with customizations using the CLI] or xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-customizations-ocm_rosa-sts-creating-a-cluster-with-customizations[Creating a cluster with customizations by using {cluster-manager}].
+ For steps to create the cluster-specific Operator IAM roles using a custom prefix, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-customizations-cli_rosa-sts-creating-a-cluster-with-customizations[Creating a cluster with customizations using the CLI] or xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-customizations-ocm_rosa-sts-creating-a-cluster-with-customizations[Creating a cluster with customizations by using {cluster-manager}].
 
 [id="rosa-sts-oidc-provider-requirements-for-operators_{context}"]
 == Open ID Connect (OIDC) requirements for Operator authentication
@@ -98,4 +105,6 @@ include::modules/rosa-sts-byo-oidc.adoc[leveloffset=+3]
 [discrete]
 include::modules/rosa-sts-byo-oidc-options.adoc[leveloffset=+3]
 
-include::modules/rosa-aws-scp.adoc[leveloffset=+1]
\ No newline at end of file
+include::modules/rosa-aws-scp.adoc[leveloffset=+1]
+
+include::modules/rosa-aws-customer-managed-policies.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/rosa_architecture/rosa-understanding.adoc b/rosa_architecture/rosa-understanding.adoc
index 3975607096c1..c159dfb2fa2c 100644
--- a/rosa_architecture/rosa-understanding.adoc
+++ b/rosa_architecture/rosa-understanding.adoc
@@ -14,10 +14,10 @@ ROSA is a fully-managed, turnkey application platform that allows you to focus o
 
 You subscribe to the service directly from your AWS account. After you create clusters, you can operate your clusters with the OpenShift web console, the ROSA CLI, or through {cluster-manager-first}.
 
-You receive OpenShift updates with new feature releases and a shared, common source for alignment with OpenShift Container Platform. ROSA supports the same versions of OpenShift as Red Hat OpenShift Dedicated and OpenShift Container Platform to achieve version consistency.
+You receive OpenShift updates with new feature releases and a shared, common source for alignment with OpenShift Container Platform. ROSA supports the same versions of OpenShift as Red{nbsp}Hat OpenShift Dedicated and OpenShift Container Platform to achieve version consistency.
 
 image::291_OpenShift_on_AWS_Intro_1122_docs.png[{product-title}]
-For additional information about ROSA installation, see link:https://www.redhat.com/en/products/interactive-walkthrough/install-rosa[Installing Red Hat OpenShift Service on AWS (ROSA) interactive walkthrough].
+For additional information about ROSA installation, see link:https://www.redhat.com/en/products/interactive-walkthrough/install-rosa[Installing Red{nbsp}Hat OpenShift Service on AWS (ROSA) interactive walkthrough].
 
 //[id="rosa-understanding-credential-modes_{context}"]
 //== Credential modes
@@ -48,20 +48,12 @@ For additional information about ROSA installation, see link:https://www.redhat.
 
 //This mode makes use of a pre-created IAM user with `AdministratorAccess` within the account that has proper permissions to create other roles and resources as needed. Using this account the service creates all the necessary resources that are needed for the cluster.
 
-[id="rosa-understanding-billing-pricing_{context}"]
-== Billing and pricing
-
-ROSA is billed directly to your AWS account. ROSA pricing can be consumption based, with annual commitments or three-year commitments for greater discounting. The total cost of ROSA consists of two components:
-
-* ROSA service fees
-* AWS infrastructure fees
-
-Visit the link:https://aws.amazon.com/rosa/pricing/[AWS pricing page] for more details.
+include::modules/rosa-sdpolicy-am-billing.adoc[leveloffset=+1] 
 
 [id="rosa-understanding-getting-started_{context}"]
 == Getting started
 
-To get started with deploying your cluster, ensure your AWS account has met the prerequisites, you have a Red Hat account ready, and follow the procedures outlined in xref:../rosa_getting_started/rosa-getting-started.adoc#rosa-getting-started[Getting started with {product-title}].
+To get started with deploying your cluster, ensure your AWS account has met the prerequisites, you have a Red{nbsp}Hat account ready, and follow the procedures outlined in xref:../rosa_getting_started/rosa-getting-started.adoc#rosa-getting-started[Getting started with {product-title}].
 
 [discrete]
 [role="_additional-resources"]
diff --git a/rosa_architecture/rosa_policy_service_definition/rosa-hcp-service-definition.adoc b/rosa_architecture/rosa_policy_service_definition/rosa-hcp-service-definition.adoc
index 1362d7dddef0..fe6fa375d266 100644
--- a/rosa_architecture/rosa_policy_service_definition/rosa-hcp-service-definition.adoc
+++ b/rosa_architecture/rosa_policy_service_definition/rosa-hcp-service-definition.adoc
@@ -21,7 +21,7 @@ include::modules/rosa-sdpolicy-am-compute.adoc[leveloffset=+2]
 [role="_additional-resources"]
 .Additional Resources
 
-* xref:../../rosa_architecture/rosa_policy_service_definition/rosa-hcp-service-definition.adoc#rosa-sdpolicy-red-hat-operator_rosa-service-definition[Red Hat Operator Support]
+* xref:../../rosa_architecture/rosa_policy_service_definition/rosa-hcp-service-definition.adoc#rosa-sdpolicy-red-hat-operator_rosa-service-definition[Red{nbsp}Hat Operator Support]
 
 include::modules/rosa-sdpolicy-am-aws-compute-types.adoc[leveloffset=+2]
 
@@ -35,7 +35,7 @@ include::modules/rosa-sdpolicy-am-regions-az.adoc[leveloffset=+2]
 [role="_additional-resources"]
 .Additional Resources
 
-* link:https://docs.aws.amazon.com/general/latest/gr/rosa.html[Red Hat OpenShift Service on AWS endpoints and quotas]
+* link:https://docs.aws.amazon.com/general/latest/gr/rosa.html[Red{nbsp}Hat OpenShift Service on AWS endpoints and quotas]
 
 include::modules/rosa-sdpolicy-am-local-zones.adoc[leveloffset=+2]
 include::modules/rosa-sdpolicy-am-sla.adoc[leveloffset=+2]
diff --git a/rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc b/rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc
index f2dfbd990fe7..746b8fa4dcf1 100644
--- a/rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc
+++ b/rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc
@@ -6,17 +6,17 @@ include::_attributes/attributes-openshift-dedicated.adoc[]
 
 toc::[]
 
-This document details the Red Hat, Amazon Web Services (AWS), and customer security responsibilities for the managed {product-title} (ROSA).
+This document details the Red{nbsp}Hat, Amazon Web Services (AWS), and customer security responsibilities for the managed {product-title} (ROSA).
 
 .Acronyms and terms
 
 * *AWS* - Amazon Web Services
-* *CEE* - Customer Experience and Engagement (Red Hat Support)
+* *CEE* - Customer Experience and Engagement (Red{nbsp}Hat Support)
 * *CI/CD* - Continuous Integration / Continuous Delivery
 * *CVE* - Common Vulnerabilities and Exposures
 * *PVs* - Persistent Volumes
 * *ROSA* - {product-title}
-* *SRE* - Red Hat Site Reliability Engineering
+* *SRE* - Red{nbsp}Hat Site Reliability Engineering
 * *VPC* - Virtual Private Cloud
 
 include::modules/rosa-policy-security-regulation-compliance.adoc[leveloffset=+1]
@@ -24,7 +24,7 @@ include::modules/rosa-policy-security-regulation-compliance.adoc[leveloffset=+1]
 [role="_additional-resources"]
 .Additional resources
 
-* See link:https://access.redhat.com/articles/5528091[Red Hat Subprocessor List] for information on SRE residency.
+* See link:https://access.redhat.com/articles/5528091[Red{nbsp}Hat Subprocessor List] for information on SRE residency.
 
 * For more information about customer or shared responsibilities, see the xref:../../rosa_architecture/rosa_policy_service_definition/rosa-policy-responsibility-matrix.adoc#rosa-policy-responsibilities_rosa-policy-responsibility-matrix[ROSA Responsibilities] document.
 
diff --git a/rosa_architecture/rosa_policy_service_definition/rosa-policy-responsibility-matrix.adoc b/rosa_architecture/rosa_policy_service_definition/rosa-policy-responsibility-matrix.adoc
index 6c82e769732c..552fc7b0e42f 100644
--- a/rosa_architecture/rosa_policy_service_definition/rosa-policy-responsibility-matrix.adoc
+++ b/rosa_architecture/rosa_policy_service_definition/rosa-policy-responsibility-matrix.adoc
@@ -2,11 +2,11 @@
 include::_attributes/attributes-openshift-dedicated.adoc[]
 :context: rosa-policy-responsibility-matrix
 [id="rosa-policy-responsibility-matrix"]
-= Overview of responsibilities for Red Hat OpenShift Service on AWS
+= Overview of responsibilities for Red{nbsp}Hat OpenShift Service on AWS
 
 toc::[]
 
-This documentation outlines Red Hat, Amazon Web Services (AWS), and customer responsibilities for the {product-title} (ROSA) managed service.
+This documentation outlines Red{nbsp}Hat, Amazon Web Services (AWS), and customer responsibilities for the {product-title} (ROSA) managed service.
 
 include::modules/rosa-policy-responsibilities.adoc[leveloffset=+1]
 include::modules/rosa-policy-shared-responsibility.adoc[leveloffset=+1]
@@ -34,4 +34,4 @@ include::modules/rosa-policy-customer-responsibility.adoc[leveloffset=+1]
 [role="_additional-resources"]
 == Additional resources
 
-* For more information about Red Hat site reliability engineering (SRE) teams access, see xref:../../rosa_architecture/rosa_policy_service_definition/rosa-sre-access.adoc#rosa-policy-identity-access-management_rosa-sre-access[Identity and access management].
+* For more information about Red{nbsp}Hat site reliability engineering (SRE) teams access, see xref:../../rosa_architecture/rosa_policy_service_definition/rosa-sre-access.adoc#rosa-policy-identity-access-management_rosa-sre-access[Identity and access management].
diff --git a/rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc b/rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc
index eec7b7b91827..5c6bee07b0f6 100644
--- a/rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc
+++ b/rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc
@@ -21,7 +21,7 @@ include::modules/rosa-sdpolicy-am-compute.adoc[leveloffset=+2]
 [role="_additional-resources"]
 .Additional Resources
 
-* xref:../../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-red-hat-operator_rosa-service-definition[Red Hat Operator Support]
+* xref:../../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-red-hat-operator_rosa-service-definition[Red{nbsp}Hat Operator Support]
 * xref:../../rosa_cluster_admin/rosa-configuring-pid-limits.adoc#rosa-configuring-pid-limits[Configuring PID limits]
 
 include::modules/rosa-sdpolicy-am-aws-compute-types.adoc[leveloffset=+2]
@@ -36,7 +36,7 @@ include::modules/rosa-sdpolicy-am-regions-az.adoc[leveloffset=+2]
 [role="_additional-resources"]
 .Additional Resources
 
-* link:https://docs.aws.amazon.com/general/latest/gr/rosa.html[Red Hat OpenShift Service on AWS endpoints and quotas]
+* link:https://docs.aws.amazon.com/general/latest/gr/rosa.html[Red{nbsp}Hat OpenShift Service on AWS endpoints and quotas]
 
 include::modules/rosa-sdpolicy-am-local-zones.adoc[leveloffset=+2]
 include::modules/rosa-sdpolicy-am-sla.adoc[leveloffset=+2]
diff --git a/rosa_architecture/rosa_policy_service_definition/rosa-sre-access.adoc b/rosa_architecture/rosa_policy_service_definition/rosa-sre-access.adoc
index 4f34fa260365..096dd2e916ea 100644
--- a/rosa_architecture/rosa_policy_service_definition/rosa-sre-access.adoc
+++ b/rosa_architecture/rosa_policy_service_definition/rosa-sre-access.adoc
@@ -4,15 +4,15 @@ include::_attributes/attributes-openshift-dedicated.adoc[]
 [id="rosa-sre-access"]
 = SRE and service account access
 
-Red Hat site reliability engineering (SRE) access to {product-title} (ROSA) clusters is outlined through identity and access management.
+Red{nbsp}Hat site reliability engineering (SRE) access to {product-title} (ROSA) clusters is outlined through identity and access management.
 
 [id="rosa-policy-identity-access-management_{context}"]
 == Identity and access management
-Most access by Red Hat SRE teams is done by using cluster Operators through automated configuration management.
+Most access by Red{nbsp}Hat SRE teams is done by using cluster Operators through automated configuration management.
 
 [id="subprocessors_{context}"]
 .Subprocessors
-For a list of the available subprocessors, see the link:https://access.redhat.com/articles/5528091[Red Hat Subprocessor List] on the Red Hat Customer Portal.
+For a list of the available subprocessors, see the link:https://access.redhat.com/articles/5528091[Red{nbsp}Hat Subprocessor List] on the Red{nbsp}Hat Customer Portal.
 
 include::modules/sre-cluster-access.adoc[leveloffset=+1]
 include::modules/rosa-red-hat-support-access.adoc[leveloffset=+1]
diff --git a/rosa_backing_up_and_restoring_applications/backing-up-applications.adoc b/rosa_backing_up_and_restoring_applications/backing-up-applications.adoc
index 4e1eeb097fa3..828e9b36ea9e 100644
--- a/rosa_backing_up_and_restoring_applications/backing-up-applications.adoc
+++ b/rosa_backing_up_and_restoring_applications/backing-up-applications.adoc
@@ -6,7 +6,7 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-You can employ OpenShift API for Data Protection (OADP) with Red Hat OpenShift Service on AWS (ROSA) clusters to backup and restore application data. Before installing OADP, you must set up role and policy credentials for OADP so that it can use the AWS API.
+You can employ OpenShift API for Data Protection (OADP) with Red{nbsp}Hat OpenShift Service on AWS (ROSA) clusters to backup and restore application data. Before installing OADP, you must set up role and policy credentials for OADP so that it can use the AWS API.
 
 This is a two stage process:
 
diff --git a/rosa_cluster_admin/rosa-configuring-pid-limits.adoc b/rosa_cluster_admin/rosa-configuring-pid-limits.adoc
index 3bf64e3286dc..3958dc3f1846 100644
--- a/rosa_cluster_admin/rosa-configuring-pid-limits.adoc
+++ b/rosa_cluster_admin/rosa-configuring-pid-limits.adoc
@@ -23,8 +23,8 @@ In {product-title} 4.11 and later, by default, a pod can have a maximum of 4,096
 
 {product-title} clusters running versions earlier than 4.11 use a default PID limit of `1024`.
 
-:FeatureName: Configuring the maximum number of PIDs
-include::snippets/rosa-classic-support.adoc[]
+//Commenting out until this is confirmed a technology preview.
+//:FeatureName: Configuring the maximum number of PIDs
 
 // Understanding process ID limits
 include::modules/sd-understanding-process-id-limits.adoc[leveloffset=+1]
@@ -32,6 +32,7 @@ include::modules/sd-understanding-process-id-limits.adoc[leveloffset=+1]
 // Risks of setting higher process ID limits
 include::modules/risks-setting-higher-process-id-limits.adoc[leveloffset=+1]
 
+//TODO OSDOCS-10439: Confirm these links work when HCP docs are published separately.
 [role="_additional-resources"]
 .Additional resources
 
@@ -41,5 +42,24 @@ include::modules/risks-setting-higher-process-id-limits.adoc[leveloffset=+1]
 
 * xref:../rosa_planning/rosa-limits-scalability.adoc#rosa-limits-scalability[Limits and scalability]
 
-// Setting a higher pid limit on an existing cluster
-include::modules/setting-higher-pid-limit-on-existing-cluster.adoc[leveloffset=+1]
+//TODO OSDOCS-10439: Add conditions back in and remove variant based headings when HCP docs are published separately
+// Setting or removing a higher pid limit on existing clusters
+//ifdef::openshift-rosa-classic[]
+[id="rosa-classic-configuring-pid-limits"]
+== Configuring PID limits on ROSA Classic clusters
+
+include::modules/setting-higher-pid-limit-on-existing-cluster.adoc[leveloffset=+2]
+
+include::modules/removing-custom-config-from-cluster.adoc[leveloffset=+2]
+//endif::openshift-rosa-classic[]
+
+
+//TODO OSDOCS-10439: Add conditions back in and remove variant based headings when HCP docs are published separately
+//ifdef::openshift-rosa-hcp[]
+[id="rosa-hcp-configuring-pid-limits"]
+== Configuring PID limits on ROSA with HCP clusters
+
+include::modules/setting-higher-pid-limit-on-machinepool.adoc[leveloffset=+2]
+
+include::modules/removing-custom-config-from-machinepool.adoc[leveloffset=+2]
+//endif::openshift-rosa-hcp[]
diff --git a/rosa_cluster_admin/rosa_nodes/rosa-managing-worker-nodes.adoc b/rosa_cluster_admin/rosa_nodes/rosa-managing-worker-nodes.adoc
index a765ea36347c..76306b2736ba 100644
--- a/rosa_cluster_admin/rosa_nodes/rosa-managing-worker-nodes.adoc
+++ b/rosa_cluster_admin/rosa_nodes/rosa-managing-worker-nodes.adoc
@@ -53,6 +53,8 @@ include::modules/rosa-adding-node-labels.adoc[leveloffset=+2]
 
 // include::modules/rosa-imds-machine-pools-ui.adoc[leveloffset=+2]
 // include::modules/rosa-imds-machine-pools-cli.adoc[leveloffset=+2]
+include::modules/rosa-adding-tags.adoc[leveloffset=+1]
+include::modules/rosa-adding-tags-cli.adoc[leveloffset=+2]
 include::modules/rosa-adding-taints.adoc[leveloffset=+1]
 include::modules/rosa-adding-taints-ocm.adoc[leveloffset=+2]
 include::modules/rosa-adding-taints-cli.adoc[leveloffset=+2]
diff --git a/rosa_cluster_admin/rosa_nodes/rosa-nodes-about-autoscaling-nodes.adoc b/rosa_cluster_admin/rosa_nodes/rosa-nodes-about-autoscaling-nodes.adoc
index 540466bf7c25..6b090287695d 100644
--- a/rosa_cluster_admin/rosa_nodes/rosa-nodes-about-autoscaling-nodes.adoc
+++ b/rosa_cluster_admin/rosa_nodes/rosa-nodes-about-autoscaling-nodes.adoc
@@ -8,7 +8,7 @@ toc::[]
 ifdef::openshift-dedicated[]
 [IMPORTANT]
 ====
-Autoscaling is available only on clusters that were purchased through the Red Hat Marketplace.
+Autoscaling is available only on clusters that were purchased through the Red{nbsp}Hat Marketplace.
 ====
 endif::[]
 
diff --git a/rosa_cluster_admin/rosa_nodes/rosa-nodes-machinepools-about.adoc b/rosa_cluster_admin/rosa_nodes/rosa-nodes-machinepools-about.adoc
index 32d4f4caccab..5d92a8e1a041 100644
--- a/rosa_cluster_admin/rosa_nodes/rosa-nodes-machinepools-about.adoc
+++ b/rosa_cluster_admin/rosa_nodes/rosa-nodes-machinepools-about.adoc
@@ -57,6 +57,9 @@ You can override this default setting and create a machine pool in a Single-AZ o
 Similarly, deleting a machine pool will delete it from all zones.
 Due to this multiplicative effect, using machine pools in Multi-AZ cluster can consume more of your project's quota for a specific region when creating machine pools.
 
+// ROSA HCP content applies to the following subsection 
+include::modules/machine-pools-hcp.adoc[leveloffset=+1]
+
 == Additional resources
 ifdef::openshift-rosa[]
 * xref:../../rosa_cluster_admin/rosa_nodes/rosa-managing-worker-nodes.adoc#rosa-managing-worker-nodes[Managing compute nodes]
diff --git a/rosa_getting_started/rosa-quickstart-guide-ui.adoc b/rosa_getting_started/rosa-quickstart-guide-ui.adoc
index 33fdbd8dd003..75609595c95a 100644
--- a/rosa_getting_started/rosa-quickstart-guide-ui.adoc
+++ b/rosa_getting_started/rosa-quickstart-guide-ui.adoc
@@ -8,7 +8,7 @@ toc::[]
 
 [NOTE]
 ====
-If you are looking for a comprehensive getting started guide for {product-title} (ROSA), see xref:../rosa_getting_started/rosa-getting-started.adoc#rosa-getting-started[Comprehensive guide to getting started with {product-title}]. For additional information on ROSA installation, see link:https://www.redhat.com/en/products/interactive-walkthrough/install-rosa[Installing Red Hat OpenShift Service on AWS (ROSA) interactive walkthrough].
+If you are looking for a comprehensive getting started guide for {product-title} (ROSA), see xref:../rosa_getting_started/rosa-getting-started.adoc#rosa-getting-started[Comprehensive guide to getting started with {product-title}]. For additional information on ROSA installation, see link:https://www.redhat.com/en/products/interactive-walkthrough/install-rosa[Installing Red{nbsp}Hat OpenShift Service on AWS (ROSA) interactive walkthrough].
 ====
 
 Follow this guide to quickly create a {product-title} (ROSA) cluster using {cluster-manager-first} on the {hybrid-console-url}, grant user access, deploy your first application, and learn how to revoke user access and delete your cluster.
@@ -47,13 +47,13 @@ include::modules/rosa-getting-started-install-configure-cli-tools.adoc[leveloffs
 [id="rosa-quickstart-creating-a-cluster"]
 == Creating a ROSA cluster with AWS STS using the default auto mode
 
-{cluster-manager-first} is a managed service on the {hybrid-console-url} where you can install, modify, operate, and upgrade your Red Hat OpenShift clusters. This service allows you to work with all of your organization’s clusters from a single dashboard.
+{cluster-manager-first} is a managed service on the {hybrid-console-url} where you can install, modify, operate, and upgrade your Red{nbsp}Hat OpenShift clusters. This service allows you to work with all of your organization’s clusters from a single dashboard.
 The procedures in this document use the `auto` modes in {cluster-manager} to immediately create the required Identity and Access Management (IAM) resources using the current AWS account. The required resources include the account-wide IAM roles and policies, cluster-specific Operator roles and policies, and OpenID Connect (OIDC) identity provider.
 
 //This content is pulled from rosa-sts-creating-a-cluster-quickly-ocm.adoc
 When using the {cluster-manager} {hybrid-console-second} to create a {product-title} (ROSA) cluster that uses the STS, you can select the default options to create the cluster quickly.
 
-Before you can use the {cluster-manager} {hybrid-console-second} to deploy ROSA with STS clusters, you must associate your AWS account with your Red Hat organization and create the required account-wide STS roles and policies.
+Before you can use the {cluster-manager} {hybrid-console-second} to deploy ROSA with STS clusters, you must associate your AWS account with your Red{nbsp}Hat organization and create the required account-wide STS roles and policies.
 
 
 //This content is pulled from rosa-sts-overview-of-the-default-cluster-specifications.adoc
diff --git a/rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc b/rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc
index 34964925bbd6..7500edab247c 100644
--- a/rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc
+++ b/rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc
@@ -25,4 +25,4 @@ xref:../rosa_install_access_delete_clusters/rosa-sts-config-identity-providers.a
 * xref:../rosa_getting_started/rosa-sts-getting-started-workflow.adoc#rosa-sts-overview-of-the-deployment-workflow[Overview of the ROSA with STS deployment workflow]
 * xref:../rosa_install_access_delete_clusters/rosa-sts-deleting-cluster.adoc#rosa-sts-deleting-cluster[Deleting a ROSA cluster]
 * xref:../architecture/rosa-architecture-models.adoc#rosa-architecture-models[ROSA architecture models]
-* xref:../support/troubleshooting/rosa-troubleshooting-installations.adoc#rosa-troubleshooting-installing[Troubleshooting Red Hat OpenShift Service on AWS installations]
+* xref:../support/troubleshooting/rosa-troubleshooting-installations.adoc#rosa-troubleshooting-installing[Troubleshooting Red{nbsp}Hat OpenShift Service on AWS installations]
diff --git a/rosa_hcp/rosa-hcp-creating-cluster-with-aws-kms-key.adoc b/rosa_hcp/rosa-hcp-creating-cluster-with-aws-kms-key.adoc
index c29507a60e46..5ec520756741 100644
--- a/rosa_hcp/rosa-hcp-creating-cluster-with-aws-kms-key.adoc
+++ b/rosa_hcp/rosa-hcp-creating-cluster-with-aws-kms-key.adoc
@@ -81,4 +81,4 @@ include::modules/creating-cluster-with-aws-kms-key.adoc[leveloffset=+2]
 * For details about using the `auto` and `manual` modes to create the required STS resources, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-understanding-deployment-modes_rosa-sts-creating-a-cluster-with-customizations[Understanding the auto and manual deployment modes].
 * For more information about using OpenID Connect (OIDC) identity providers in AWS IAM, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html[Creating OpenID Connect (OIDC) identity providers].
 * For more information about troubleshooting ROSA cluster installations, see xref:../support/troubleshooting/rosa-troubleshooting-installations.adoc#rosa-troubleshooting-installations[Troubleshooting installations].
-* For steps to contact Red Hat Support for assistance, see xref:../support/getting-support.adoc#getting-support[Getting support for Red Hat OpenShift Service on AWS].
+* For steps to contact Red{nbsp}Hat Support for assistance, see xref:../support/getting-support.adoc#getting-support[Getting support for Red{nbsp}Hat OpenShift Service on AWS].
diff --git a/rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc b/rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc
index a23a63a1af5f..d7df21044d93 100644
--- a/rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc
+++ b/rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc
@@ -26,7 +26,7 @@ include::snippets/imp-rosa-hcp-no-shared-vpc-support.adoc[leveloffset=+0]
 
 .Additional resources
 
-For a full list of the supported certificates, see the xref:../rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc#rosa-policy-compliance_rosa-policy-process-security[Compliance] section of "Understanding process and security for Red Hat OpenShift Service on AWS".
+For a full list of the supported certificates, see the xref:../rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc#rosa-policy-compliance_rosa-policy-process-security[Compliance] section of "Understanding process and security for Red{nbsp}Hat OpenShift Service on AWS".
 
 [id="rosa-hcp-external-auth-prereqs"]
 == {hcp-title} Prerequisites
@@ -81,4 +81,4 @@ include::modules/rosa-hcp-sts-creating-a-cluster-external-auth-provider-delete-c
 * For details about using the `auto` and `manual` modes to create the required STS resources, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-understanding-deployment-modes_rosa-sts-creating-a-cluster-with-customizations[Understanding the auto and manual deployment modes].
 * For more information about using OpenID Connect (OIDC) identity providers in AWS IAM, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html[Creating OpenID Connect (OIDC) identity providers] in the AWS documentation.
 * For more information about troubleshooting ROSA cluster installations, see xref:../support/troubleshooting/rosa-troubleshooting-installations.adoc#rosa-troubleshooting-installations[Troubleshooting installations].
-* For steps to contact Red Hat Support for assistance, see xref:../support/getting-support.adoc#getting-support[Getting support for Red Hat OpenShift Service on AWS].
+* For steps to contact Red{nbsp}Hat Support for assistance, see xref:../support/getting-support.adoc#getting-support[Getting support for Red{nbsp}Hat OpenShift Service on AWS].
diff --git a/rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc b/rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc
index 870587d92ba0..d70ef04831ee 100644
--- a/rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc
+++ b/rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc
@@ -34,7 +34,7 @@ include::snippets/imp-rosa-hcp-no-shared-vpc-support.adoc[leveloffset=+0]
 [role="_additional-resources"]
 .Additional resources
 
-For a full list of the supported certificates, see the xref:../rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc#rosa-policy-compliance_rosa-policy-process-security[Compliance] section of "Understanding process and security for Red Hat OpenShift Service on AWS".
+For a full list of the supported certificates, see the xref:../rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc#rosa-policy-compliance_rosa-policy-process-security[Compliance] section of "Understanding process and security for Red{nbsp}Hat OpenShift Service on AWS".
 
 [discrete]
 [id="hcp-considerations_{context}"]
@@ -56,7 +56,7 @@ include::modules/rosa-sts-overview-of-the-default-cluster-specifications.adoc[le
 //[role="_additional-resources"]
 //.Additional resources
 //
-//* For detailed steps to create and link the {cluster-manager} and user IAM roles, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-associating-your-aws-account_rosa-sts-creating-a-cluster-quickly[Associating your AWS account with your Red Hat organization].
+//* For detailed steps to create and link the {cluster-manager} and user IAM roles, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-associating-your-aws-account_rosa-sts-creating-a-cluster-quickly[Associating your AWS account with your Red{nbsp}Hat organization].
 //
 //include::modules/rosa-sts-creating-a-cluster-quickly-ocm.adoc[leveloffset=+1]
 //include::modules/rosa-sts-associating-your-aws-account.adoc[leveloffset=+2]
@@ -138,4 +138,4 @@ include::modules/rosa-hcp-sts-creating-a-cluster-cli.adoc[leveloffset=+1]
 * For details about using the `auto` and `manual` modes to create the required STS resources, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-understanding-deployment-modes_rosa-sts-creating-a-cluster-with-customizations[Understanding the auto and manual deployment modes].
 * For more information about using OpenID Connect (OIDC) identity providers in AWS IAM, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html[Creating OpenID Connect (OIDC) identity providers] in the AWS documentation.
 * For more information about troubleshooting ROSA cluster installations, see xref:../support/troubleshooting/rosa-troubleshooting-installations.adoc#rosa-troubleshooting-installations[Troubleshooting installations].
-* For steps to contact Red Hat Support for assistance, see xref:../support/getting-support.adoc#getting-support[Getting support for Red Hat OpenShift Service on AWS].
+* For steps to contact Red{nbsp}Hat Support for assistance, see xref:../support/getting-support.adoc#getting-support[Getting support for Red{nbsp}Hat OpenShift Service on AWS].
diff --git a/rosa_hcp/terraform/_attributes b/rosa_hcp/terraform/_attributes
new file mode 120000
index 000000000000..20cc1dcb77bf
--- /dev/null
+++ b/rosa_hcp/terraform/_attributes
@@ -0,0 +1 @@
+../../_attributes/
\ No newline at end of file
diff --git a/rosa_hcp/terraform/images b/rosa_hcp/terraform/images
new file mode 120000
index 000000000000..847b03ed0541
--- /dev/null
+++ b/rosa_hcp/terraform/images
@@ -0,0 +1 @@
+../../images/
\ No newline at end of file
diff --git a/rosa_hcp/terraform/modules b/rosa_hcp/terraform/modules
new file mode 120000
index 000000000000..36719b9de743
--- /dev/null
+++ b/rosa_hcp/terraform/modules
@@ -0,0 +1 @@
+../../modules/
\ No newline at end of file
diff --git a/rosa_hcp/terraform/rosa-hcp-creating-a-cluster-quickly-terraform.adoc b/rosa_hcp/terraform/rosa-hcp-creating-a-cluster-quickly-terraform.adoc
new file mode 100644
index 000000000000..7e88a8e30598
--- /dev/null
+++ b/rosa_hcp/terraform/rosa-hcp-creating-a-cluster-quickly-terraform.adoc
@@ -0,0 +1,33 @@
+:_content-type: ASSEMBLY
+[id="rosa-hcp-creating-a-cluster-quickly-terraform"]
+= Creating a default ROSA cluster using Terraform
+include::_attributes/attributes-openshift-dedicated.adoc[]
+:context: rosa-hcp-creating-a-cluster-quickly-terraform
+
+toc::[]
+
+Create a {product-title} (ROSA) cluster quickly by using a Terraform cluster template that is configured with the default cluster options.
+
+The cluster creation process described below uses a Terraform configuration that prepares a {hcp-title} cluster with the following resources:
+
+* An OIDC provider with a managed `oidc-config` configuration
+* Prerequisite IAM Operator roles with associated AWS Managed ROSA Policies
+* IAM account roles with associated AWS Managed ROSA Policies
+* All other AWS resources required to create a ROSA with STS cluster
+
+include::modules/rosa-terraform-overview.adoc[leveloffset=+1]
+include::modules/rosa-sts-terraform-prerequisites.adoc[leveloffset=+1]
+[discrete]
+include::modules/rosa-sts-terraform-considerations.adoc[leveloffset=+1]
+
+include::modules/rosa-sts-overview-of-the-default-cluster-specifications.adoc[leveloffset=+1]
+
+[id="rosa-hcp-creating-a-cluster-quickly-terraform-procedure"]
+== Creating a default ROSA cluster using Terraform
+
+The cluster creation process outlined below shows how to use Terraform to create your account-wide IAM roles and a ROSA cluster with a managed OIDC configuration.
+
+include::modules/rosa-sts-cluster-terraform-setup.adoc[leveloffset=+2]
+include::modules/rosa-hcp-cluster-terraform-file-creation.adoc[leveloffset=+2]
+include::modules/rosa-sts-cluster-terraform-execute.adoc[leveloffset=+2]
+include::modules/rosa-sts-cluster-terraform-destroy.adoc[leveloffset=+2]
\ No newline at end of file
diff --git a/rosa_install_access_delete_clusters/terraform/rosa-sts-creating-a-cluster-with-customizations-terraform.adoc b/rosa_hcp/terraform/rosa-hcp-creating-a-cluster-with-customizations-terraform.adoc
similarity index 93%
rename from rosa_install_access_delete_clusters/terraform/rosa-sts-creating-a-cluster-with-customizations-terraform.adoc
rename to rosa_hcp/terraform/rosa-hcp-creating-a-cluster-with-customizations-terraform.adoc
index ed71e554a1f2..c15fa360a3ce 100644
--- a/rosa_install_access_delete_clusters/terraform/rosa-sts-creating-a-cluster-with-customizations-terraform.adoc
+++ b/rosa_hcp/terraform/rosa-hcp-creating-a-cluster-with-customizations-terraform.adoc
@@ -1,8 +1,8 @@
 :_mod-docs-content-type: ASSEMBLY
-[id="rosa-sts-creating-a-cluster-with-customizations-terraform"]
+[id="rosa-sts-creating-a-cluster-with-customizations-terraform-hcp"]
 = Customizing a ROSA cluster with Terraform
 include::_attributes/attributes-openshift-dedicated.adoc[]
-:context: rosa-sts-creating-a-cluster-with-customizations-terraform
+:context: rosa-sts-creating-a-cluster-with-customizations-terraform-hcp
 
 toc::[]
 
@@ -17,12 +17,12 @@ This guide assumes a basic understanding of ROSA. See the additional resources f
 
 * You have generated and stored an link:https://console.redhat.com/openshift/token[offline {cluster-manager-first} token].
 * You have an AWS account with the correct permissions.
-* You completed the xref:../../rosa_planning/rosa-cloud-expert-prereq-checklist.adoc[Prerequisites checklist for deploying ROSA using STS]
-* You completed the setup steps in xref:../../rosa_planning/rosa-understanding-terraform.adoc[Preparing Terraform to install ROSA clusters]
-* You have installed link:https://developer.hashicorp.com/terraform/install[the `terraform` CLI tool].
+* You completed the xref:../../rosa_planning/rosa-cloud-expert-prereq-checklist.adoc#rosa-cloud-expert-prereq-checklist[Prerequisites checklist for deploying ROSA using STS].
+* You completed the setup steps in xref:../../rosa_planning/rosa-understanding-terraform.adoc[Preparing Terraform to install ROSA clusters].
+* You have installed the link:https://developer.hashicorp.com/terraform/install[`terraform` CLI tool].
 
-[id="rosa-sts-creating-a-cluster-with-customizations-terraform-creating"]
-== Creating a ROSA Classic cluster using Terraform
+[id="rosa-sts-creating-a-cluster-with-customizations-terraform-creating-hcp"]
+== Creating a {hcp-title} cluster using Terraform
 
 The cluster creation process outlined below shows how to use Terraform to create your account-wide IAM roles and a default ROSA cluster with a managed OIDC configuration.
 
@@ -32,9 +32,9 @@ You edit the default `main.tf`, `variables.tf`, and `terraform.tfvars` files to
 ====
 
 include::modules/rosa-sts-cluster-terraform-setup.adoc[leveloffset=+2]
-include::modules/rosa-sts-cluster-terraform-file-creation.adoc[leveloffset=+2]
+include::modules/rosa-hcp-cluster-terraform-file-creation.adoc[leveloffset=+2]
 
-[id="rosa-sts-creating-a-cluster-with-customizations-terraform-customizing"]
+[id="rosa-sts-creating-a-cluster-with-customizations-terraform-customizing-hcp"]
 == Terraform customization options
 
 The following sections detail individual customizations you can add to your `main.tf`, `variables.tf`, and `terraform.tfvars` files.
diff --git a/rosa_hcp/terraform/snippets b/rosa_hcp/terraform/snippets
new file mode 120000
index 000000000000..5a3f5add140e
--- /dev/null
+++ b/rosa_hcp/terraform/snippets
@@ -0,0 +1 @@
+../../snippets/
\ No newline at end of file
diff --git a/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc b/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc
index c90006ae9d65..b606b3eece49 100644
--- a/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc
+++ b/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc
@@ -28,7 +28,7 @@ include::modules/rosa-sts-understanding-aws-account-association.adoc[leveloffset
 [role="_additional-resources"]
 .Additional resources
 
-* For detailed steps to create and link the {cluster-manager} and user IAM roles, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-associating-your-aws-account_rosa-sts-creating-a-cluster-quickly[Associating your AWS account with your Red Hat organization].
+* For detailed steps to create and link the {cluster-manager} and user IAM roles, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-associating-your-aws-account_rosa-sts-creating-a-cluster-quickly[Associating your AWS account with your Red{nbsp}Hat organization].
 
 include::modules/osd-aws-vpc-required-resources.adoc[leveloffset=+1]
 
@@ -62,4 +62,4 @@ include::modules/rosa-sts-creating-a-cluster-quickly-cli.adoc[leveloffset=+1]
 * For details about using the `auto` and `manual` modes to create the required STS resources, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-understanding-deployment-modes_rosa-sts-creating-a-cluster-with-customizations[Understanding the auto and manual deployment modes].
 * For more information about using OpenID Connect (OIDC) identity providers in AWS IAM, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html[Creating OpenID Connect (OIDC) identity providers] in the AWS documentation.
 * For more information about troubleshooting ROSA cluster installations, see xref:../support/troubleshooting/rosa-troubleshooting-installations.adoc#rosa-troubleshooting-installations[Troubleshooting installations].
-* For steps to contact Red Hat Support for assistance, see xref:../support/getting-support.adoc#getting-support[Getting support for Red Hat OpenShift Service on AWS].
\ No newline at end of file
+* For steps to contact Red{nbsp}Hat Support for assistance, see xref:../support/getting-support.adoc#getting-support[Getting support for Red{nbsp}Hat OpenShift Service on AWS].
\ No newline at end of file
diff --git a/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc b/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc
index 47a35f713016..64cf0b3e12ea 100644
--- a/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc
+++ b/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc
@@ -69,4 +69,4 @@ include::modules/rosa-sts-creating-a-cluster-with-customizations-cli.adoc[levelo
 * For more information about etcd encryption, see the xref:../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-etcd-encryption_rosa-service-definition[etcd encryption service definition].
 * For information about configuring a proxy with ROSA, see xref:../networking/configuring-cluster-wide-proxy.adoc#configuring-a-cluster-wide-proxy[Configuring a cluster-wide proxy].
 * For more information about troubleshooting ROSA cluster installations, see xref:../support/troubleshooting/rosa-troubleshooting-deployments.adoc#rosa-troubleshooting-cluster-deployments[Troubleshooting cluster deployments].
-* For steps to contact Red Hat Support for assistance, see xref:../support/getting-support.adoc#getting-support[Getting support for Red Hat OpenShift Service on AWS].
+* For steps to contact Red{nbsp}Hat Support for assistance, see xref:../support/getting-support.adoc#getting-support[Getting support for Red{nbsp}Hat OpenShift Service on AWS].
diff --git a/rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc b/rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc
index 08475bece2ff..8df128a343cc 100644
--- a/rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc
+++ b/rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc
@@ -7,7 +7,7 @@ include::_attributes/attributes-openshift-dedicated.adoc[]
 
 toc::[]
 
-{product-title} (ROSA) provides a model that allows Red Hat to deploy clusters into a customer’s existing Amazon Web Service (AWS) account.
+{product-title} (ROSA) provides a model that allows Red{nbsp}Hat to deploy clusters into a customer’s existing Amazon Web Service (AWS) account.
 
 You must ensure that the prerequisites are met before installing ROSA. This requirements document does not apply to AWS Security Token Service (STS). If you are using STS, see the xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-aws-prereqs_rosa-sts-aws-prereqs[STS-specific requirements].
 
@@ -33,5 +33,5 @@ include::modules/osd-aws-privatelink-firewall-prerequisites.adoc[leveloffset=+1]
 [role="_additional-resources"]
 == Additional resources
 * xref:../../rosa_planning/rosa-limits-scalability.adoc#rosa-limits-scalability[Limits and scalability]
-* xref:../../rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc#rosa-policy-sre-access_rosa-policy-process-security[SRE access to all Red Hat OpenShift Service on AWS clusters]
+* xref:../../rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc#rosa-policy-sre-access_rosa-policy-process-security[SRE access to all Red{nbsp}Hat OpenShift Service on AWS clusters]
 * xref:../../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-getting-started-workflow.adoc#rosa-understanding-the-deployment-workflow[Understanding the ROSA deployment workflow]
diff --git a/rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-private-cluster.adoc b/rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-private-cluster.adoc
index 0ba5ee329d53..5703bd861c4e 100644
--- a/rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-private-cluster.adoc
+++ b/rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-private-cluster.adoc
@@ -14,7 +14,7 @@ Privacy settings can be configured during cluster creation or after a cluster is
 ////
 [NOTE]
 ====
-Red Hat Service Reliability Engineers (SREs) can access a public or private cluster through the `cloud-ingress-operator` and existing ElasticSearch Load Balancer or Amazon S3 framework. SREs can access clusters through a secure endpoint to perform maintenance and service tasks.
+Red{nbsp}Hat Service Reliability Engineers (SREs) can access a public or private cluster through the `cloud-ingress-operator` and existing ElasticSearch Load Balancer or Amazon S3 framework. SREs can access clusters through a secure endpoint to perform maintenance and service tasks.
 ====
 ////
 include::modules/rosa-enable-private-cluster-new.adoc[leveloffset=+1]
diff --git a/rosa_install_access_delete_clusters/terraform/rosa-classic-creating-a-cluster-quickly-terraform.adoc b/rosa_install_access_delete_clusters/terraform/rosa-classic-creating-a-cluster-quickly-terraform.adoc
new file mode 100644
index 000000000000..df7b8f11fdac
--- /dev/null
+++ b/rosa_install_access_delete_clusters/terraform/rosa-classic-creating-a-cluster-quickly-terraform.adoc
@@ -0,0 +1,32 @@
+:_content-type: ASSEMBLY
+[id="rosa-classic-creating-a-cluster-quickly-terraform"]
+= Creating a default ROSA (classic architecture) cluster using Terraform
+include::_attributes/attributes-openshift-dedicated.adoc[]
+:context: rosa-classic-creating-a-cluster-quickly-terraform
+
+toc::[]
+
+Create a {rosa-classic-first} cluster quickly by using a Terraform cluster template that is configured with the default cluster options.
+
+The cluster creation process described below uses a Terraform configuration that prepares a {rosa-classic} AWS Security Token Service (STS) cluster with the following resources:
+
+* An OIDC provider with a managed `oidc-config` configuration
+* Prerequisite IAM Operator roles with associated AWS Managed ROSA Policies
+* IAM account roles with associated AWS Managed ROSA Policies
+* All other AWS resources required to create a ROSA with STS cluster
+
+include::modules/rosa-terraform-overview.adoc[leveloffset=+1]
+include::modules/rosa-sts-terraform-prerequisites.adoc[leveloffset=+1]
+[discrete]
+include::modules/rosa-sts-terraform-considerations.adoc[leveloffset=+1]
+include::modules/rosa-sts-overview-of-the-default-cluster-specifications.adoc[leveloffset=+1]
+
+[id="rosa-classic-creating-a-cluster-quickly-terraform-procedure"]
+== Creating a default {rosa-classic} cluster using Terraform
+
+The cluster creation process outlined below shows how to use Terraform to create your account-wide IAM roles and a {rosa-classic} cluster with a managed OIDC configuration.
+
+include::modules/rosa-sts-cluster-terraform-setup.adoc[leveloffset=+2]
+include::modules/rosa-classic-cluster-terraform-file-creation.adoc[leveloffset=+2]
+include::modules/rosa-sts-cluster-terraform-execute.adoc[leveloffset=+2]
+include::modules/rosa-sts-cluster-terraform-destroy.adoc[leveloffset=+2]
\ No newline at end of file
diff --git a/rosa_install_access_delete_clusters/terraform/rosa-classic-creating-a-cluster-with-customizations-terraform.adoc b/rosa_install_access_delete_clusters/terraform/rosa-classic-creating-a-cluster-with-customizations-terraform.adoc
new file mode 100644
index 000000000000..d506765e24a3
--- /dev/null
+++ b/rosa_install_access_delete_clusters/terraform/rosa-classic-creating-a-cluster-with-customizations-terraform.adoc
@@ -0,0 +1,72 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="rosa-classic-creating-a-cluster-with-customizations-terraform-classic"]
+= Customizing a ROSA cluster with Terraform
+include::_attributes/attributes-openshift-dedicated.adoc[]
+:context: rosa-classic-creating-a-cluster-with-customizations-terraform-classic
+
+toc::[]
+
+You can use Terraform to create a customized {product-title} (ROSA) cluster by using Terraform to customize the cluster's details.
+
+[NOTE]
+====
+This guide assumes a basic understanding of ROSA. See the "Additional resources" for conceptual information about ROSA clusters.
+====
+
+.Prerequisites
+
+* You have generated and stored an link:https://console.redhat.com/openshift/token[offline {cluster-manager-first} token].
+* You have an AWS account with the correct permissions.
+* You completed the xref:../../rosa_planning/rosa-cloud-expert-prereq-checklist.adoc[Prerequisites checklist for deploying ROSA using STS]
+* You completed the setup steps in xref:../../rosa_planning/rosa-understanding-terraform.adoc[Preparing Terraform to install ROSA clusters]
+* You have installed the link:https://developer.hashicorp.com/terraform/install[the `terraform` CLI tool].
+
+[id="rosa-classic-creating-a-cluster-with-customizations-terraform-creating"]
+== Creating a ROSA Classic cluster using Terraform
+
+The following cluster creation process shows how to use Terraform to create your account-wide IAM roles and a default ROSA cluster with a managed OIDC configuration.
+
+[NOTE]
+====
+You edit the default `main.tf`, `variables.tf`, and `terraform.tfvars` files to customize a cluster. Cluster customizations must be performed before you create a cluster. To customize, copy the default Terraform file from the procedure below and make the desired changes.
+====
+
+include::modules/rosa-sts-cluster-terraform-setup.adoc[leveloffset=+2]
+include::modules/rosa-classic-cluster-terraform-file-creation.adoc[leveloffset=+2]
+
+[id="rosa-classic-creating-a-cluster-with-customizations-terraform-customizing"]
+== Terraform customization options
+
+The following sections detail individual customizations you can add to your `main.tf`, `variables.tf`, and `terraform.tfvars` files.
+
+include::modules/rosa-cluster-cluster-role-name-change.adoc[leveloffset=+2]
+include::modules/rosa-cluster-enable-autoscaling-terraform.adoc[leveloffset=+2]
+include::modules/rosa-sts-cluster-terraform-execute.adoc[leveloffset=+1]
+include::modules/rosa-sts-cluster-terraform-destroy.adoc[leveloffset=+1]
+
+[id="next-steps_{context}"]
+== Next steps
+
+* xref:../../rosa_install_access_delete_clusters/rosa-sts-accessing-cluster.adoc#rosa-sts-accessing-cluster[Accessing a ROSA cluster]
+
+[role="_additional-resources"]
+[id="additional-resources_rosa-classic-creating-a-cluster-with-customizations-terraform"]
+== Additional resources
+
+* For information about the managing objects with the CLI, see the xref:../../cli_reference/rosa_cli/rosa-manage-objects-cli.adoc#rosa-create-cluster-command_rosa-managing-objects-cli[create cluster] section.
+* For information about the security groups, see xref:../../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc#rosa-security-groups_prerequisites[Security groups] in the AWS documentation.
+* For details on creating account-wide roles, see xref:../../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-account-wide-roles-and-policies-creation-methods_rosa-sts-about-iam-resources[Methods of account-wide role creation].
+* For detailed steps to create and link the {cluster-manager} and user IAM roles, see xref:../../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-customizations-ocm_rosa-sts-creating-a-cluster-with-customizations[Creating a cluster with customizations by using OpenShift Cluster Manager].
+* For the steps to specify custom ARN paths for IAM resources when you create {product-title} clusters, see xref:../../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-using-customizations_rosa-sts-creating-a-cluster-with-customizations[Creating a cluster using customizations].
+* For more information about the default components required for an AWS cluster, see link:https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html[Default VPCs] in the AWS documentation.
+* For instructions on creating a VPC in the AWS console, see link:https://docs.aws.amazon.com/vpc/latest/userguide/create-vpc.html[Create a VPC] in the AWS documentation.
+* For more information on configuring a ROSA cluster within a shared virtual private cloud (VPC), see xref:../../rosa_install_access_delete_clusters/rosa-shared-vpc-config.adoc#rosa-shared-vpc-config[Configuring a shared VPC for ROSA clusters].
+* For more information about the AWS Identity Access Management (IAM) resources required to deploy {product-title} with STS, see xref:../../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-iam-resources[About IAM resources for clusters that use STS].
+* For details about optionally setting an Operator role name prefix, see xref:../../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-operator-role-prefixes_rosa-sts-about-iam-resources[About custom Operator IAM role prefixes].
+* For an overview of the options that are presented when you create the AWS IAM resources and clusters by using interactive mode, see xref:../../rosa_install_access_delete_clusters/rosa-sts-interactive-mode-reference.adoc#rosa-sts-interactive-mode-reference[Interactive cluster creation mode reference].
+* For information about the prerequisites to installing ROSA with STS, see xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS].
+* For more information about using OpenID Connect (OIDC) identity providers in AWS IAM, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html[Creating OpenID Connect (OIDC) identity providers] in the AWS documentation.
+* For more information about etcd encryption, see the xref:../../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-etcd-encryption_rosa-service-definition[etcd encryption service definition].
+* For information about configuring a proxy with ROSA, see xref:../../networking/configuring-cluster-wide-proxy.adoc#configuring-a-cluster-wide-proxy[Configuring a cluster-wide proxy].
+* For more information about troubleshooting ROSA cluster installations, see xref:../../support/troubleshooting/rosa-troubleshooting-deployments.adoc#rosa-troubleshooting-cluster-deployments[Troubleshooting cluster deployments].
+* For steps to contact Red Hat Support for assistance, see xref:../../support/getting-support.adoc#getting-support[Getting support for Red Hat OpenShift Service on AWS].
diff --git a/rosa_install_access_delete_clusters/terraform/rosa-sts-creating-a-cluster-quickly-terraform.adoc b/rosa_install_access_delete_clusters/terraform/rosa-sts-creating-a-cluster-quickly-terraform.adoc
deleted file mode 100644
index 702f2da0e0dc..000000000000
--- a/rosa_install_access_delete_clusters/terraform/rosa-sts-creating-a-cluster-quickly-terraform.adoc
+++ /dev/null
@@ -1,41 +0,0 @@
-:_content-type: ASSEMBLY
-[id="rosa-sts-creating-a-cluster-quickly-terraform"]
-= Creating a default ROSA Classic cluster using Terraform
-include::_attributes/attributes-openshift-dedicated.adoc[]
-:context: rosa-sts-creating-a-cluster-quickly-terraform
-
-toc::[]
-
-Quickly create a {product-title} (ROSA) cluster quickly by using a Terraform cluster template that is configured with the default cluster options.
-
-[NOTE]
-====
-* For a quickstart guide for ROSA, see xref:../../rosa_getting_started/rosa-quickstart-guide-ui.adoc#rosa-quickstart-guide-ui[{product-title} quickstart guide].
-* To install ROSA clusters with the default options by using the CLI or {cluster-manager-url}, see xref:../../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-a-cluster-quickly-ocm_rosa-sts-creating-a-cluster-quickly[Creating a ROSA cluster with STS using the default options].
-* For steps to deploy a ROSA cluster by using `manual` mode or with customizations, see xref:../../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-using-customizations_rosa-sts-creating-a-cluster-with-customizations[Creating a ROSA cluster with STS using customizations].
-====
-
-The cluster creation process described below uses a Terraform configuration that prepares a ROSA Classic AWS Security Token Service (STS) cluster with the following resources:
-
-* An OIDC provider with a managed `oidc-config`
-* Prerequisite Operator roles with policies
-* IAM account roles with policies
-* All other AWS resources required to create a ROSA with STS cluster
-
-[id="next-steps_{context}"]
-.Prerequisites
-
-* You have completed the xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc[Detailed requirements for deploying ROSA using STS].
-* You have completed the xref:../../rosa_planning/rosa-understanding-terraform.adoc#rosa-sts-terraform-prerequisites_rosa-understanding-terraform[Prerequisites for Terraform].
-
-include::modules/rosa-sts-overview-of-the-default-cluster-specifications.adoc[leveloffset=+1]
-
-[id="rosa-sts-creating-a-cluster-quickly-terraform-procedure"]
-== Creating a default ROSA cluster using Terraform
-
-The cluster creation process outlined below shows how to use Terraform to create your account-wide IAM roles and a ROSA cluster with a managed OIDC configuration.
-
-include::modules/rosa-sts-cluster-terraform-setup.adoc[leveloffset=+2]
-include::modules/rosa-sts-cluster-terraform-file-creation.adoc[leveloffset=+2]
-include::modules/rosa-sts-cluster-terraform-execute.adoc[leveloffset=+2]
-include::modules/rosa-sts-cluster-terraform-destroy.adoc[leveloffset=+2]
\ No newline at end of file
diff --git a/rosa_planning/rosa-cloud-expert-prereq-checklist.adoc b/rosa_planning/rosa-cloud-expert-prereq-checklist.adoc
index 0d310d289632..0b1f62366613 100644
--- a/rosa_planning/rosa-cloud-expert-prereq-checklist.adoc
+++ b/rosa_planning/rosa-cloud-expert-prereq-checklist.adoc
@@ -87,14 +87,14 @@ $ aws iam get-role --role-name "AWSServiceRoleForElasticLoadBalancing"
 $ aws iam create-service-linked-role --aws-service-name "elasticloadbalancing.amazonaws.com"
 ----
 
-=== Red Hat account
+=== Red{nbsp}Hat account
 
 * Create a link:https://console.redhat.com/[{hybrid-console}]  account if you have not already.
 
 === ROSA CLI (`rosa`)
 
 . Enable ROSA from your AWS account on the link:https://console.aws.amazon.com/rosa/[AWS console] if you have not already.
-. Install the CLI from xref:../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-installing-rosa.html[Installing the Red Hat OpenShift Service on AWS (ROSA) CLI, rosa] or from the OpenShift console link:https://console.redhat.com/openshift/downloads#tool-rosa[AWS console].
+. Install the CLI from xref:../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-installing-rosa.html[Installing the Red{nbsp}Hat OpenShift Service on AWS (ROSA) CLI, rosa] or from the OpenShift console link:https://console.redhat.com/openshift/downloads#tool-rosa[AWS console].
 . Enter `rosa login` in a terminal, and this will prompt you to go to the link:https://console.redhat.com/openshift/token/rosa[token page] through the console:
 +
 [source,terminal]
@@ -102,7 +102,7 @@ $ aws iam create-service-linked-role --aws-service-name "elasticloadbalancing.am
 $ rosa login
 ----
 +
-. Log in with your Red Hat account credentials.
+. Log in with your Red{nbsp}Hat account credentials.
 . Click the *Load token* button.
 . Copy the token and paste it back into the CLI prompt and press *enter*.
 +
diff --git a/rosa_planning/rosa-sts-aws-prereqs.adoc b/rosa_planning/rosa-sts-aws-prereqs.adoc
index 599ab45d40ac..8a74d616a9be 100644
--- a/rosa_planning/rosa-sts-aws-prereqs.adoc
+++ b/rosa_planning/rosa-sts-aws-prereqs.adoc
@@ -6,7 +6,7 @@ include::_attributes/attributes-openshift-dedicated.adoc[]
 
 toc::[]
 
-{product-title} (ROSA) provides a model that allows Red Hat to deploy clusters into a customer’s existing Amazon Web Service (AWS) account.
+{product-title} (ROSA) provides a model that allows Red{nbsp}Hat to deploy clusters into a customer’s existing Amazon Web Service (AWS) account.
 
 include::snippets/rosa-sts.adoc[]
 
@@ -61,9 +61,9 @@ include::modules/rosa-requirements-deploying-in-opt-in-regions.adoc[leveloffset=
 include::modules/rosa-setting-the-aws-security-token-version.adoc[leveloffset=+2]
 
 [id="rosa-sts-policy-iam_{context}"]
-== Red Hat managed IAM references for AWS
+== Red{nbsp}Hat managed IAM references for AWS
 
-With the STS deployment model, Red Hat is no longer responsible for creating and managing Amazon Web Services (AWS) IAM policies, IAM users, or IAM roles. For information on creating these roles and policies, see the following sections on IAM roles.
+With the STS deployment model, Red{nbsp}Hat is no longer responsible for creating and managing Amazon Web Services (AWS) IAM policies, IAM users, or IAM roles. For information on creating these roles and policies, see the following sections on IAM roles.
 
 * To use the `ocm` CLI, you must have an `ocm-role` and `user-role` resource. See xref:../rosa_planning/rosa-sts-ocm-role.adoc#rosa-sts-ocm-role[OpenShift Cluster Manager IAM role resources].
 * If you have a single cluster, see xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-account-wide-roles-and-policies_rosa-sts-about-iam-resources[Account-wide IAM role and policy reference].
@@ -90,6 +90,6 @@ include::modules/rosa-hcp-firewall-prerequisites.adoc[leveloffset=+2]
 [role="_additional-resources"]
 [id="additional-resources_aws-prerequisites_{context}"]
 == Additional resources
-* xref:../rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc#rosa-policy-sre-access_rosa-policy-process-security[SRE access to all Red Hat OpenShift Service on AWS clusters]
+* xref:../rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc#rosa-policy-sre-access_rosa-policy-process-security[SRE access to all Red{nbsp}Hat OpenShift Service on AWS clusters]
 * xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-applications-config-custom-domains[Configuring custom domains for applications]
 * xref:../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-instance-types_rosa-service-definition[Instance types]
diff --git a/rosa_planning/rosa-sts-ocm-role.adoc b/rosa_planning/rosa-sts-ocm-role.adoc
index b15473ae00b8..2f7326cfe3ce 100644
--- a/rosa_planning/rosa-sts-ocm-role.adoc
+++ b/rosa_planning/rosa-sts-ocm-role.adoc
@@ -8,7 +8,7 @@ toc::[]
 
 {product-title} (ROSA) web UI requires that you have specific permissions on your AWS account that create a trust relationship to provide the end-user experience at {cluster-manager-url} and for the `rosa` command line interface (CLI).
 
-This trust relationship is achieved through the creation and association of the `ocm-role` AWS IAM role. This role has a trust policy with the AWS installer that links your Red Hat account to your AWS account. In addition, you also need a `user-role` AWS IAM role for each web UI user, which serves to identify these users. This `user-role` AWS IAM role has no permissions.
+This trust relationship is achieved through the creation and association of the `ocm-role` AWS IAM role. This role has a trust policy with the AWS installer that links your Red{nbsp}Hat account to your AWS account. In addition, you also need a `user-role` AWS IAM role for each web UI user, which serves to identify these users. This `user-role` AWS IAM role has no permissions.
 
 The AWS IAM roles required to use {cluster-manager} are:
 
@@ -60,8 +60,11 @@ If you unlink or delete your `user-role` IAM role prior to deleting your cluster
 include::modules/rosa-sts-aws-requirements-association-concept.adoc[leveloffset=+1]
 include::modules/rosa-sts-aws-requirements-creating-association.adoc[leveloffset=+2]
 include::modules/rosa-sts-aws-requirements-creating-multi-association.adoc[leveloffset=+2]
+include::modules/rosa-sts-aws-requirements-attaching-boundary-policy.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 == Additional resources
-* See xref:../support/troubleshooting/rosa-troubleshooting-iam-resources.adoc#rosa-sts-ocm-roles-and-permissions-troubleshooting[Troubleshooting IAM roles]
+* See link:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html[Permissions boundaries for IAM entities] (AWS documentation).
+* See xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-account-wide-sts-roles-and-policies_rosa-sts-creating-a-cluster-quickly[Creating the account-wide STS roles and policies].
+* See xref:../support/troubleshooting/rosa-troubleshooting-iam-resources.adoc#rosa-sts-ocm-roles-and-permissions-troubleshooting[Troubleshooting IAM roles].
 * See xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-account-wide-roles-and-policies[Account-wide IAM role and policy reference] for a list of IAM roles needed for cluster creation.
\ No newline at end of file
diff --git a/rosa_planning/rosa-understanding-terraform.adoc b/rosa_planning/rosa-understanding-terraform.adoc
index eef9faebe064..6410fe2dd8a2 100644
--- a/rosa_planning/rosa-understanding-terraform.adoc
+++ b/rosa_planning/rosa-understanding-terraform.adoc
@@ -20,14 +20,13 @@ include::modules/rosa-sts-terraform-considerations.adoc[leveloffset=+1]
 * See xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc[About IAM resources for ROSA clusters that use STS] for information about the AWS account roles.
 * See xref:../cli_reference/rosa_cli/rosa-get-started-cli.adoc[Getting started with the ROSA CLI] for information about installing the ROSA CLI.
 * See Hashicorp's link:https://developer.hashicorp.com/terraform[Terraform documentation] for a comprehensive guide to Terraform.
-* See this xref:../rosa_planning/rosa-understanding-terraform.adoc#sd-terraform-account-roles_rosa-understanding-terraform[Terraform example] to create your account-wide IAM roles.
-
-include::modules/rosa-sts-account-roles-terraform.adoc[leveloffset=+1]
 
 [id="next-steps_rosa-understanding-terraform"]
 == Next steps
 
 * xref:../rosa_planning/rosa-planning-environment.adoc#rosa-planning-environment[Planning your environment]
+* xref:../rosa_install_access_delete_clusters/terraform/rosa-classic-creating-a-cluster-quickly-terraform.adoc#rosa-classic-creating-a-cluster-quickly-terraform[Creating a default ROSA (classic architecture) cluster using Terraform]
+* Creating a default ROSA cluster using Terraform
 
 [role="_additional-resources"]
 [id="additional-resources_rosa-understanding-terraform"]
diff --git a/rosa_release_notes/rosa-release-notes.adoc b/rosa_release_notes/rosa-release-notes.adoc
index c23701b6e7f4..71e8a27df54d 100644
--- a/rosa_release_notes/rosa-release-notes.adoc
+++ b/rosa_release_notes/rosa-release-notes.adoc
@@ -6,9 +6,9 @@ include::_attributes/attributes-openshift-dedicated.adoc[]
 
 toc::[]
 
-{product-title} (ROSA) is a fully-managed, turnkey application platform that allows you to focus on delivering value to your customers by building and deploying applications. Red Hat and AWS site reliability engineering (SRE) experts manage the underlying platform so you do not have to worry about the complexity of infrastructure management. ROSA provides seamless integration with a wide range of AWS compute, database, analytics, machine learning, networking, mobile, and other services to further accelerate the building and delivering of differentiating experiences to your customers.
+{product-title} (ROSA) is a fully-managed, turnkey application platform that allows you to focus on delivering value to your customers by building and deploying applications. Red{nbsp}Hat and AWS site reliability engineering (SRE) experts manage the underlying platform so you do not have to worry about the complexity of infrastructure management. ROSA provides seamless integration with a wide range of AWS compute, database, analytics, machine learning, networking, mobile, and other services to further accelerate the building and delivering of differentiating experiences to your customers.
 
-{product-title} clusters are available on the link:https://console.redhat.com/openshift[Hybrid Cloud Console]. With the Red Hat OpenShift Cluster Manager application for ROSA, you can deploy {product-title} clusters to either on-premises or cloud environments.
+{product-title} clusters are available on the link:https://console.redhat.com/openshift[Hybrid Cloud Console]. With the Red{nbsp}Hat OpenShift Cluster Manager application for ROSA, you can deploy {product-title} clusters to either on-premises or cloud environments.
 
 [id="rosa-new-changes-and-updates_{context}"]
 == New changes and updates
@@ -16,9 +16,11 @@ toc::[]
 [id="rosa-q2-2024_{context}"]
 === Q2 2024
 
-* **Cluster delete protection.** You can now enable the cluster delete protection option, which helps to prevent you from accidentally deleting a cluster. For more information on using the cluster delete protection option with the ROSA CLI, see xref:../cli_reference/rosa_cli/rosa-manage-objects-cli.adoc#rosa-edit-cluster_rosa-managing-objects-cli[edit cluster]. For more information on using the cluster delete protection option in the UI, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-a-cluster-using-defaults-ocm_rosa-sts-creating-a-cluster-quickly[Creating a cluster with the default options using OpenShift Cluster Manager].
+* **ROSA CLI update.** The ROSA CLI (`rosa`) was updated to a new version. For information about what has changed in this release, see the link:https://github.com/openshift/rosa/releases/tag/v1.2.41[ROSA CLI release notes]. For more information about the ROSA CLI (`rosa`), see xref:../cli_reference/rosa_cli/rosa-get-started-cli.adoc#rosa-about_rosa-getting-started-cli[About the ROSA CLI].
+
+* **Permission boundaries for the installer role policy.** You can apply a policy as a _permissions boundary_ on the ROSA installer role. The combination of policy and boundary policy limits the maximum permissions for the Amazon Web Services(AWS) Identity and Access Management (IAM) entity role. ROSA includes a set of three prepared permission boundary policy files, with which you can restrict permissions for the installer role since changing the installer policy itself is not supported. For more information, see xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-aws-requirements-attaching-boundary-policy_rosa-sts-about-iam-resources[Permission boundaries for the installer role]. This is applicable only to Red{nbsp}Hat OpenShift Service on AWS (classic architecture).
 
-* **ROSA CLI update.** The ROSA CLI (`rosa`) was updated to a new version. For information about what has changed in this release, see the link:https://github.com/openshift/rosa/releases/tag/v1.2.39[ROSA CLI release notes]. For more information about the ROSA CLI (`rosa`), see xref:../cli_reference/rosa_cli/rosa-get-started-cli.adoc#rosa-about_rosa-getting-started-cli[About the ROSA CLI].
+* **Cluster delete protection.** You can now enable the cluster delete protection option, which helps to prevent you from accidentally deleting a cluster. For more information on using the cluster delete protection option with the ROSA CLI, see xref:../cli_reference/rosa_cli/rosa-manage-objects-cli.adoc#rosa-edit-cluster_rosa-managing-objects-cli[edit cluster]. For more information on using the cluster delete protection option in the UI, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-a-cluster-using-defaults-ocm_rosa-sts-creating-a-cluster-quickly[Creating a cluster with the default options using OpenShift Cluster Manager].
 
 * **{hcp-title} regions added.** {hcp-title-first} is now available in the following regions:
 +
@@ -114,7 +116,7 @@ For more information on region availabilities, see xref:../rosa_architecture/ros
 
 * **Documentation update.** The CLI Tools section was added to the ROSA documentation and includes more detailed information to help you fully use all of the supported CLI tools. The ROSA CLI section can now be found nested inside the CLI Tools heading. For more information, see xref:../cli_reference/index.adoc[CLI tools overview].
 
-* **Documentation update.** The Monitoring section in the documentation was expanded and now includes more detailed information to help you conveniently manage your ROSA clusters. For more information, see xref:../observability/monitoring/monitoring-overview.adoc#about-openshift-monitoring[About Red Hat OpenShift Service on AWS monitoring].
+* **Documentation update.** The Monitoring section in the documentation was expanded and now includes more detailed information to help you conveniently manage your ROSA clusters. For more information, see xref:../observability/monitoring/monitoring-overview.adoc#about-openshift-monitoring[About Red{nbsp}Hat OpenShift Service on AWS monitoring].
 
 [id="rosa-q2-2023_{context}"]
 === Q2 2023
@@ -134,7 +136,8 @@ include::snippets/technology-preview.adoc[leveloffset=+1]
 
 [id="rosa-known-issues_{context}"]
 == Known issues
-* The OpenShift Cluster Manager roles (`ocm-role`) and user roles (`user-role`) that are key to the ROSA provisioning wizard might get enabled accidentally in your Red Hat organization by another user. However, this behavior does not affect the usability.
+* If you configure your cluster using external OIDC configuration and set the `--user-auth` flag to `disabled`, the console pods might enter a crash loop. (link:https://issues.redhat.com/browse/OCPBUGS-29510[*OCPBUGS-29510*])
+* The OpenShift Cluster Manager roles (`ocm-role`) and user roles (`user-role`) that are key to the ROSA provisioning wizard might get enabled accidentally in your Red{nbsp}Hat organization by another user. However, this behavior does not affect the usability.
 * The `htpasswd` identity provider does not function as expected in all scenarios against the `rosa create admin` function.
 
 include::modules/rosa-update-cli-tool.adoc[]
diff --git a/scalability_and_performance/control-plane-latency-recommendations-for-reliable-clusters.adoc b/scalability_and_performance/control-plane-latency-recommendations-for-reliable-clusters.adoc
new file mode 100644
index 000000000000..d08c8084a515
--- /dev/null
+++ b/scalability_and_performance/control-plane-latency-recommendations-for-reliable-clusters.adoc
@@ -0,0 +1,11 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="control-plane-latency-recommendations-for-reliable-clusters"]
+= Control Plane latency recommendations for reliable clusters
+include::_attributes/common-attributes.adoc[]
+:context: control-plane-latency-recommendations-for-reliable-clusters
+
+toc::[]
+
+This topic provides recommended Control Plane latency for reliable clusters.
+
+include::modules/control-plane-latency.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/scalability_and_performance/recommended-performance-scale-practices/recommended-etcd-practices.adoc b/scalability_and_performance/recommended-performance-scale-practices/recommended-etcd-practices.adoc
index 1d16d2ec08dd..fbe455580b8a 100644
--- a/scalability_and_performance/recommended-performance-scale-practices/recommended-etcd-practices.adoc
+++ b/scalability_and_performance/recommended-performance-scale-practices/recommended-etcd-practices.adoc
@@ -27,4 +27,6 @@ include::modules/etcd-tuning-parameters.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 .Additional resources
-xref:../../nodes/clusters/nodes-cluster-enabling-features.adoc#nodes-cluster-enabling-features-about_nodes-cluster-enabling[Understanding feature gates]
\ No newline at end of file
+xref:../../nodes/clusters/nodes-cluster-enabling-features.adoc#nodes-cluster-enabling-features-about_nodes-cluster-enabling[Understanding feature gates]
+
+include::modules/etcd-increase-db.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/scripts/ocpdocs/_previewpage b/scripts/ocpdocs/_previewpage
index 75951574d617..7d273474d1b3 100644
--- a/scripts/ocpdocs/_previewpage
+++ b/scripts/ocpdocs/_previewpage
@@ -204,6 +204,23 @@
               </p>
             </div>
           </div>
+          <div class="col-sm-6 text-center">
+            <h2>OpenShift Lightspeed</h2>
+            <div class="list-group">
+              <p>
+                <a
+                  role="button"
+                  class="btn btn-primary"
+                  href="/openshift-lightspeed/latest/welcome/index.html"
+                >
+                  <i class="fa fa-arrow-circle-o-right"></i> Lightspeed</a
+                >
+              </p>
+              <p class="list-group-item-text">
+                OpenShift Lightspeed documentation.
+              </p>
+            </div>
+          </div>
         </div>
       </div>
     </div>
diff --git a/security/certificate_types_descriptions/etcd-certificates.adoc b/security/certificate_types_descriptions/etcd-certificates.adoc
index 268ed00dd495..d97fe43d38aa 100644
--- a/security/certificate_types_descriptions/etcd-certificates.adoc
+++ b/security/certificate_types_descriptions/etcd-certificates.adoc
@@ -14,13 +14,20 @@ etcd certificates are signed by the etcd-signer; they come from a certificate au
 
 The CA certificates are valid for 10 years. The peer, client, and server certificates are valid for three years.
 
+include::modules/rotating-certificate-authority.adoc[leveloffset=+1]
+include::modules/etcd-cert-alerts-metrics-signer.adoc[leveloffset=+1]
+
+.Additional resources
+
+* xref:../../security/certificate_types_descriptions/etcd-certificates.adoc#rotating-certificate-authority_cert-types-etcd-certificates[Rotating the etcd certificate]
+
 == Management
 
 These certificates are only managed by the system and are automatically rotated.
 
 == Services
 
-etcd certificates are used for encrypted communication between etcd member peers, as well as encrypted client traffic. The following certificates are generated and used by etcd and other processes that communicate with etcd:
+etcd certificates are used for encrypted communication between etcd member peers and encrypted client traffic. The following certificates are generated and used by etcd and other processes that communicate with etcd:
 
 * Peer certificates: Used for communication between etcd members.
 * Client certificates: Used for encrypted server-client communication. Client certificates are currently used by the API server only, and no other service should connect to etcd directly except for the proxy. Client secrets (`etcd-client`, `etcd-metric-client`, `etcd-metric-signer`, and `etcd-signer`) are added to the `openshift-config`, `openshift-monitoring`, and `openshift-kube-apiserver` namespaces.
diff --git a/security/certificate_types_descriptions/machine-config-operator-certificates.adoc b/security/certificate_types_descriptions/machine-config-operator-certificates.adoc
index 6ec727423c6a..70e9a69890e9 100644
--- a/security/certificate_types_descriptions/machine-config-operator-certificates.adoc
+++ b/security/certificate_types_descriptions/machine-config-operator-certificates.adoc
@@ -25,7 +25,7 @@ include::snippets/mcs-endpoint-limitation.adoc[]
 
 .Additional resources
 
-* xref:../../post_installation_configuration/machine-configuration-tasks.adoc#understanding-the-machine-config-operator[Understanding the Machine Config Operator].
+* xref:../../machine_configuration/index.adoc#machine-config-operator_machine-config-overview[Machine Config Operator].
 
 * xref:../../networking/openshift_sdn/about-openshift-sdn.adoc#about-openshift-sdn[About the OpenShift SDN network plugin].
 
diff --git a/security/compliance_operator/co-management/compliance-operator-installation.adoc b/security/compliance_operator/co-management/compliance-operator-installation.adoc
index 97c53b9e46ee..f3bb95957219 100644
--- a/security/compliance_operator/co-management/compliance-operator-installation.adoc
+++ b/security/compliance_operator/co-management/compliance-operator-installation.adoc
@@ -10,7 +10,7 @@ Before you can use the Compliance Operator, you must ensure it is deployed in th
 
 [IMPORTANT]
 ====
-The Compliance Operator might report incorrect results on managed platforms, such as OpenShift Dedicated, Red Hat OpenShift Service on AWS, and Microsoft Azure Red Hat OpenShift. For more information, see the link:https://access.redhat.com/solutions/6983418[Red Hat Knowledgebase Solution #6983418].
+The Compliance Operator might report incorrect results on managed platforms, such as OpenShift Dedicated, Red{nbsp}Hat OpenShift Service on AWS Classic, and Microsoft Azure Red{nbsp}Hat OpenShift. For more information, see the Knowledgebase article link:https://access.redhat.com/solutions/6983418[Compliance Operator reports incorrect results on Managed Services].
 ====
 
 include::modules/compliance-operator-console-installation.adoc[leveloffset=+1]
@@ -24,6 +24,8 @@ You can create a custom SCC for the Compliance Operator scanner pod service acco
 
 include::modules/compliance-operator-cli-installation.adoc[leveloffset=+1]
 
+include::modules/compliance-operator-rosa-installation.adoc[leveloffset=+1]
+
 [IMPORTANT]
 ====
 If the `restricted` Security Context Constraints (SCC) have been modified to contain the `system:authenticated` group or has added `requiredDropCapabilities`, the Compliance Operator may not function properly due to permissions issues.
diff --git a/security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc b/security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc
index 710ff5b44088..07601787871f 100644
--- a/security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc
+++ b/security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc
@@ -18,7 +18,7 @@ authorized auditor to achieve compliance with a standard.
 
 [IMPORTANT]
 ====
-The Compliance Operator might report incorrect results on managed platforms, such as OpenShift Dedicated, Red Hat OpenShift Service on AWS, and Azure Red Hat OpenShift. For more information, see the link:https://access.redhat.com/solutions/6983418[Red Hat Knowledgebase Solution #6983418].
+The Compliance Operator might report incorrect results on some managed platforms, such as OpenShift Dedicated and Azure Red Hat OpenShift. For more information, see the link:https://access.redhat.com/solutions/6983418[Red Hat Knowledgebase Solution #6983418].
 ====
 
 include::modules/compliance-supported-profiles.adoc[leveloffset=+1]
diff --git a/security/compliance_operator/compliance-operator-release-notes.adoc b/security/compliance_operator/compliance-operator-release-notes.adoc
index a1e6e5f02acd..7cfd9e9561a5 100644
--- a/security/compliance_operator/compliance-operator-release-notes.adoc
+++ b/security/compliance_operator/compliance-operator-release-notes.adoc
@@ -15,6 +15,29 @@ For an overview of the Compliance Operator, see xref:../../security/compliance_o
 
 To access the latest release, see xref:../../security/compliance_operator/co-management/compliance-operator-updating.adoc#olm-preparing-upgrade_compliance-operator-updating[Updating the Compliance Operator].
 
+[id="compliance-operator-release-notes-1-5-0_{context}"]
+== OpenShift Compliance Operator 1.5.0
+
+The following advisory is available for the OpenShift Compliance Operator 1.5.0:
+
+* link:https://access.redhat.com/errata/RHBA-2024:3533[RHBA-2024:3533 - OpenShift Compliance Operator 1.5.0 bug fix and enhancement update]
+
+[id="compliance-operator-1-5-0-new-features-and-enhancements_{context}"]
+=== New features and enhancements
+
+* With this update, the Compliance Operator provides a unique profile ID for easier programmatic use.  (link:https://issues.redhat.com/browse/CMP-2450[*CMP-2450*])
+
+* With this release, the Compliance Operator is now tested and supported on the ROSA HCP environment. The Compliance Operator loads only Node profiles when running on ROSA HCP. This is because a Red{nbsp}Hat managed platform restricts access to the control plane, which makes Platform profiles irrelevant to the operator's function.(link:https://issues.redhat.com/browse/CMP-2581[*CMP-2581*])
+
+[id="compliance-operator-1-5-0-bug-fixes_{context}"]
+=== Bug fixes
+
+* CVE-2024-2961 is resolved in the Compliance Operator 1.5.0 release. (link:https://access.redhat.com/security/cve/CVE-2024-2961[*CVE-2024-2961*])
+
+* Previously, for ROSA HCP systems, profile listings were incorrect. This update allows the Compliance Operator to provide correct profile output. (link:https://issues.redhat.com/browse/OCPBUGS-34535[*OCPBUGS-34535*])
+
+* With this release, namespaces can be excluded from the `ocp4-configure-network-policies-namespaces` check by setting the `ocp4-var-network-policies-namespaces-exempt-regex` variable in the tailored profile. (link:https://issues.redhat.com/browse/cmp-2543[*CMP-2543*])
+
 [id="compliance-operator-release-notes-1-4-1"]
 == OpenShift Compliance Operator 1.4.1
 
@@ -108,10 +131,9 @@ This update addresses a CVE in an underlying dependency.
 
 * You can install and use the Compliance Operator in an {product-title} cluster running in FIPS mode.
 +
-[IMPORTANT]
-====
-To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode].
-====
+--
+include::snippets/fips-snippet.adoc[]
+--
 
 [id="compliance-operator-1-3-1-known-issue"]
 === Known issue
diff --git a/security/container_security/security-container-signature.adoc b/security/container_security/security-container-signature.adoc
index d5f9937e864c..7556bf20be2f 100644
--- a/security/container_security/security-container-signature.adoc
+++ b/security/container_security/security-container-signature.adoc
@@ -33,4 +33,4 @@ include::modules/containers-signature-verify-skopeo.adoc[leveloffset=+2]
 [id="additional-resources_security-container-signature"]
 [role="_additional-resources"]
 == Additional resources
-* xref:../../post_installation_configuration/machine-configuration-tasks.adoc#machine-config-overview-post-install-machine-configuration-tasks[Machine Config Overview]
+* xref:../../machine_configuration/index.adoc#machine-config-overview[Machine Config Overview]
diff --git a/security/container_security/security-network.adoc b/security/container_security/security-network.adoc
index 4c786c049989..1470c3b846e1 100644
--- a/security/container_security/security-network.adoc
+++ b/security/container_security/security-network.adoc
@@ -21,7 +21,7 @@ include::modules/security-network-policies.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 .Additional resources
-* xref:../../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
+* xref:../../networking/network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy]
 
 // Multiple pod networks
 include::modules/security-network-multiple-pod.adoc[leveloffset=+1]
diff --git a/security/file_integrity_operator/file-integrity-operator-release-notes.adoc b/security/file_integrity_operator/file-integrity-operator-release-notes.adoc
index fd4019ae59f9..c84594829d4f 100644
--- a/security/file_integrity_operator/file-integrity-operator-release-notes.adoc
+++ b/security/file_integrity_operator/file-integrity-operator-release-notes.adoc
@@ -15,6 +15,18 @@ For an overview of the File Integrity Operator, see xref:../../security/file_int
 
 To access the latest release, see xref:../../security/file_integrity_operator/file-integrity-operator-updating.adoc#olm-preparing-upgrade_file-integrity-operator-updating[Updating the File Integrity Operator].
 
+[id="file-integrity-operator-release-notes-1-3-4"]
+== OpenShift File Integrity Operator 1.3.4
+
+The following advisory is available for the OpenShift File Integrity Operator 1.3.4:
+
+* link:https://access.redhat.com/errata/RHBA-2024:2946[RHBA-2024:2946 OpenShift File Integrity Operator Bug Fix and Enhancement Update]
+
+[id="file-integrity-operator-1-3-4-bug-fixes"]
+=== Bug fixes
+
+Previously, File Integrity Operator would issue a `NodeHasIntegrityFailure` alert due to multus certificate rotation. With this release, the alert and failing status are now correctly triggered. (link:https://issues.redhat.com/browse/OCPBUGS-31257[*OCPBUGS-31257*])
+
 [id="file-integrity-operator-release-notes-1-3-3"]
 == OpenShift File Integrity Operator 1.3.3
 
@@ -28,11 +40,10 @@ This update addresses a CVE in an underlying dependency.
 === New features and enhancements
 
 * You can install and use the File Integrity Operator in an {product-title} cluster running in FIPS mode.
-
-[IMPORTANT]
-====
-To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see (link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode])
-====
++
+--
+include::snippets/fips-snippet.adoc[]
+--
 
 [id="file-integrity-operator-1-3-3-bug-fixes"]
 === Bug fixes
diff --git a/security/seccomp-profiles.adoc b/security/seccomp-profiles.adoc
index 72f85eb5a516..1eca1b46bd36 100644
--- a/security/seccomp-profiles.adoc
+++ b/security/seccomp-profiles.adoc
@@ -52,4 +52,4 @@ The custom SCC must have the appropriate priority to be automatically assigned t
 [role="_additional-resources"]
 == Additional resources
 * xref:../authentication/managing-security-context-constraints.adoc[Managing security context constraints]
-* xref:../post_installation_configuration/machine-configuration-tasks.adoc[Postinstallation machine configuration tasks]
+* xref:../machine_configuration/index.adoc#machine-config-overview[Machine Config Overview]
diff --git a/service_mesh/v2x/ossm-traffic-manage.adoc b/service_mesh/v2x/ossm-traffic-manage.adoc
index c3847515570b..e360bccafea9 100644
--- a/service_mesh/v2x/ossm-traffic-manage.adoc
+++ b/service_mesh/v2x/ossm-traffic-manage.adoc
@@ -19,6 +19,13 @@ endif::openshift-rosa,openshift-dedicated[]
 
 include::modules/ossm-routing-ingress.adoc[leveloffset=+2]
 
+ifdef::openshift-enterprise[]
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../networking/configuring-node-port-service-range.adoc#configuring-node-port-service-range[Configuring the node port service range]
+endif::[]
+
 include::modules/ossm-routing-gateways.adoc[leveloffset=+2]
 
 [id="ossm-auto-route_{context}"]
diff --git a/snippets/about-multiarch-tuning-operator.adoc b/snippets/about-multiarch-tuning-operator.adoc
new file mode 100644
index 000000000000..b196ca636b53
--- /dev/null
+++ b/snippets/about-multiarch-tuning-operator.adoc
@@ -0,0 +1,12 @@
+// Snippet included in the following modules
+
+// * post_installation_configuration/cluster-tasks.adoc/multi-architecture-modify-machine-set-aws.adoc
+// * post_installation_configuration/cluster-tasks.adoc/multi-architecture-modify-machine-set-gcp.adoc
+// * post_installation_configuration/cluster-tasks.adoc/multi-architecture-modify-machine-set.adoc
+
+:_mod-docs-content-type: SNIPPET
+
+[NOTE]
+====
+Before adding a secondary architecture node to your cluster, it is recommended to install the Multiarch Tuning Operator, and deploy a `ClusterPodPlacementConfig` custom resource. For more information, see "Managing workloads on multi-architecture clusters by using the Multiarch Tuning Operator".
+====
diff --git a/snippets/capabilities-table.adoc b/snippets/capabilities-table.adoc
index 502228066832..b9bfa78fc74f 100644
--- a/snippets/capabilities-table.adoc
+++ b/snippets/capabilities-table.adoc
@@ -25,6 +25,9 @@ The following table describes the `baselineCapabilitySet` values.
 |`v4.15`
 |Specify this option when you want to enable the default capabilities for {product-title} 4.15. By specifying `v4.15`, capabilities that are introduced in newer versions of {product-title} are not enabled. The default capabilities in {product-title} 4.15 are `baremetal`, `MachineAPI`, `marketplace`, `OperatorLifecycleManager`, `openshift-samples`, `Console`, `Insights`, `Storage`, `CSISnapshot`, `NodeTuning`, `ImageRegistry`, `Build`, `CloudCredential`, and `DeploymentConfig`.
 
+|`v4.16`
+|Specify this option when you want to enable the default capabilities for {product-title} 4.16. By specifying `v4.16`, capabilities that are introduced in newer versions of {product-title} are not enabled. The default capabilities in {product-title} 4.16 are `baremetal`, `MachineAPI`, `marketplace`, `OperatorLifecycleManager`, `openshift-samples`, `Console`, `Insights`, `Storage`, `CSISnapshot`, `NodeTuning`, `ImageRegistry`, `Build`, `CloudCredential`, `DeploymentConfig`, and `CloudControllerManager`.
+
 |`None`
 |Specify when the other sets are too large, and you do not need any capabilities or want to fine-tune via `additionalEnabledCapabilities`.
 
diff --git a/snippets/custom-dns-server.adoc b/snippets/custom-dns-server.adoc
index dbf46f6ff394..273de3e758f4 100644
--- a/snippets/custom-dns-server.adoc
+++ b/snippets/custom-dns-server.adoc
@@ -3,7 +3,6 @@
 // * modules/installation-custom-aws-vpc.adoc
 // * modules/installation-about-custom-azure-vnet.adoc
 // * modules/installation-custom-gcp-vpc.adoc
-// * modules/installation-custom-alibaba-vpc.adoc
 // * modules/installation-ibm-power-vs.adoc
 
 :_mod-docs-content-type: SNIPPET
diff --git a/snippets/distr-tracing-tempo-required-secret-parameters.adoc b/snippets/distr-tracing-tempo-required-secret-parameters.adoc
index dd3712b459a5..2656b961d5bc 100644
--- a/snippets/distr-tracing-tempo-required-secret-parameters.adoc
+++ b/snippets/distr-tracing-tempo-required-secret-parameters.adoc
@@ -5,6 +5,7 @@
 
 :_mod-docs-content-type: SNIPPET
 
+[id="required_secret_parameters_{context}"]
 .Required secret parameters
 [cols="25h,~"]
 |===
@@ -12,7 +13,7 @@
 
 //source: https://github.com/grafana/tempo-operator/blob/main/docs/tempostack/object_storage.md
 
-|link:https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/[Red Hat OpenShift Data Foundation]
+|link:https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/[{odf-full}]
 |
 `name: tempostack-dev-odf # example`
 
diff --git a/snippets/distr-tracing-tempo-tempomonolithic-custom-resource.adoc b/snippets/distr-tracing-tempo-tempomonolithic-custom-resource.adoc
new file mode 100644
index 000000000000..6fd6b0216318
--- /dev/null
+++ b/snippets/distr-tracing-tempo-tempomonolithic-custom-resource.adoc
@@ -0,0 +1,32 @@
+// :_mod-docs-content-type: SNIPPET
+// Text snippet included in the following modules:
+//
+// * modules/distr-tracing-tempo-install-tempomonolithic-web-console.adoc
+// * modules/distr-tracing-tempo-install-tempomonolithic-cli.adoc
+The following `TempoMonolithic` CR creates a TempoMonolithic deployment with trace ingestion over OTLP/gRPC and OTLP/HTTP, storing traces in a supported type of storage and exposing Jaeger UI via a route:
++
+[source,yaml]
+----
+apiVersion: tempo.grafana.com/v1alpha1
+kind: TempoMonolithic
+metadata:
+  name: <metadata_name>
+  namespace: <project_of_tempomonolithic_instance>
+spec:
+  storage:
+    traces:
+      backend: <supported_storage_type> # <1>
+      size: <value>Gi # <2>
+      s3: # <3>
+        secret: <secret_name> # <4>
+  jaegerui:
+    enabled: true # <5>
+    route:
+      enabled: true # <6>
+----
+<1> Type of storage for storing traces: in-memory storage, a persistent volume, or object storage. The value for the `tmpfs` in-memory storage is `memory`. The value for a persistent volume is `pv`. The accepted values for object storage are `s3`, `gcs`, or `azure`, depending on the used object store type.
+<2> Memory size: For in-memory storage, this means the size of the `tmpfs` volume, where the default is `2Gi`. For a persistent volume, this means the size of the persistent volume claim, where the default is `10Gi`. For object storage, this means the size of the persistent volume claim for the Tempo WAL, where the default is `10Gi`.
+<3> Optional: For object storage, the type of object storage. The accepted values are `s3`, `gcs`, and `azure`, depending on the used object store type.
+<4> Optional: For object storage, the value of the `name` in the `metadata` of the storage secret. The storage secret must be in the same namespace as the TempoMonolithic instance and contain the fields specified in "Table 1. Required secret parameters" in the section "Object storage setup".
+<5> Enables the Jaeger UI.
+<6> Enables creation of a route for the Jaeger UI.
diff --git a/snippets/fips-snippet.adoc b/snippets/fips-snippet.adoc
new file mode 100644
index 000000000000..c92166bde1e0
--- /dev/null
+++ b/snippets/fips-snippet.adoc
@@ -0,0 +1,34 @@
+// Text snippet included in the following modules:
+//
+// * modules/agent-installer-fips-compliance.adoc
+// * modules/installation-aws-config-yaml.adoc
+// * modules/installation-aws-config-yaml.adoc
+// * modules/installation-azure-config-yaml.adoc
+// * modules/installation-azure-config-yaml.adoc
+// * modules/installation-azure-config-yaml.adoc
+// * modules/installation-azure-config-yaml.adoc
+// * modules/installation-azure-stack-hub-config-yaml.adoc
+// * modules/installation-bare-metal-config-yaml.adoc
+// * modules/installation-configuration-parameters.adoc
+// * modules/installation-gcp-config-yaml.adoc
+// * modules/installation-gcp-user-infra-shared-vpc-config-yaml.adoc
+// * modules/installation-ibm-cloud-config-yaml.adoc
+// * modules/installation-vsphere-config-yaml.adoc
+// * modules/machine-config-overview.adoc
+// * modules/rhel-compute-requirements.adoc
+// * modules/rosa-sts-interactive-cluster-creation-mode-options.adoc
+// * modules/security-compliance-nist.adoc
+//
+// Text snippet included in the following assemblies:
+//
+// * security/compliance_operator/compliance-operator-release-notes.adoc
+// * security/file_integrity_operator/file-integrity-operator-release-notes.adoc
+
+:_mod-docs-content-type: SNIPPET
+
+[IMPORTANT]
+====
+To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base-full} computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode].
+
+When running {op-system-base-full} or {op-system-first} booted in FIPS mode, {product-title} core components use the {op-system-base} cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.
+====
diff --git a/snippets/ibu-ApplicationBackupRestoreLso.adoc b/snippets/ibu-ApplicationBackupRestoreLso.adoc
new file mode 100644
index 000000000000..17b5a67176ac
--- /dev/null
+++ b/snippets/ibu-ApplicationBackupRestoreLso.adoc
@@ -0,0 +1,40 @@
+[source,yaml]
+----
+apiVersion: velero.io/v1
+kind: Backup
+metadata:
+  labels:
+    velero.io/storage-location: default
+  name: backup-app
+  namespace: openshift-adp
+spec:
+  includedNamespaces:
+  - test
+  includedNamespaceScopedResources:
+  - secrets
+  - persistentvolumeclaims
+  - deployments
+  - statefulsets
+  - configmaps
+  - cronjobs
+  - services
+  - job
+  - poddisruptionbudgets
+  - <application_custom_resources> <1>
+  excludedClusterScopedResources:
+  - persistentVolumes
+---
+apiVersion: velero.io/v1
+kind: Restore
+metadata:
+  name: test-app
+  namespace: openshift-adp
+  labels:
+    velero.io/storage-location: default
+  annotations:
+    lca.openshift.io/apply-wave: "4" 
+spec:
+  backupName:
+    backup-app
+----
+<1> Define custom resources for your application.
\ No newline at end of file
diff --git a/snippets/ibu-ApplicationBackupRestoreLvms.adoc b/snippets/ibu-ApplicationBackupRestoreLvms.adoc
new file mode 100644
index 000000000000..83338a6c3cf1
--- /dev/null
+++ b/snippets/ibu-ApplicationBackupRestoreLvms.adoc
@@ -0,0 +1,50 @@
+[source,yaml]
+----
+apiVersion: velero.io/v1
+kind: Backup
+metadata:
+  labels:
+    velero.io/storage-location: default
+  name: backup-app
+  namespace: openshift-adp
+spec:
+  includedNamespaces:
+  - test
+  includedNamespaceScopedResources:
+  - secrets
+  - persistentvolumeclaims
+  - deployments
+  - statefulsets
+  - configmaps
+  - cronjobs
+  - services
+  - job
+  - poddisruptionbudgets
+  - <application_custom_resources> <1>
+  includedClusterScopedResources:
+  - persistentVolumes <2>
+  - logicalvolumes.topolvm.io <3>
+  - volumesnapshotcontents <4>
+---
+apiVersion: velero.io/v1
+kind: Restore
+metadata:
+  name: test-app
+  namespace: openshift-adp
+  labels:
+    velero.io/storage-location: default
+  annotations:
+    lca.openshift.io/apply-wave: "4"
+spec:
+  backupName:
+    backup-app
+  restorePVs: true 
+  restoreStatus:
+    includedResources:
+    - logicalvolumes <5>
+----
+<1> Define custom resources for your application.
+<2> Required field.
+<3> Required field
+<4> Optional if you use {lvms} volume snapshots.
+<5> Required field.
\ No newline at end of file
diff --git a/snippets/ibu-ApplicationClusterScopedBackupRestore.adoc b/snippets/ibu-ApplicationClusterScopedBackupRestore.adoc
new file mode 100644
index 000000000000..e49d37e22234
--- /dev/null
+++ b/snippets/ibu-ApplicationClusterScopedBackupRestore.adoc
@@ -0,0 +1,35 @@
+[source,yaml]
+----
+apiVersion: velero.io/v1
+kind: Backup
+metadata:
+  annotations:
+    lca.openshift.io/apply-label: "apiextensions.k8s.io/v1/customresourcedefinitions/test.example.com,security.openshift.io/v1/securitycontextconstraints/test,rbac.authorization.k8s.io/v1/clusterroles/test-role,rbac.authorization.k8s.io/v1/clusterrolebindings/system:openshift:scc:test" <1>
+  name: backup-app-cluster-resources
+  labels:
+    velero.io/storage-location: default
+  namespace: openshift-adp
+spec:
+  includedClusterScopedResources:
+  - customresourcedefinitions
+  - securitycontextconstraints
+  - clusterrolebindings
+  - clusterroles
+  excludedClusterScopedResources:
+  - Namespace
+---
+apiVersion: velero.io/v1
+kind: Restore
+metadata:
+  name: test-app-cluster-resources
+  namespace: openshift-adp
+  labels:
+    velero.io/storage-location: default
+  annotations:
+    lca.openshift.io/apply-wave: "3" <2>
+spec:
+  backupName:
+    backup-app-cluster-resources
+----
+<1> Replace the example resource name with your actual resources.
+<2> The `lca.openshift.io/apply-wave` value must be higher than the value in the platform `Restore` CRs and lower than the value in the application namespace-scoped `Restore` CR.
\ No newline at end of file
diff --git a/snippets/ibu-PlatformBackupRestore.adoc b/snippets/ibu-PlatformBackupRestore.adoc
new file mode 100644
index 000000000000..9ead412ae0e4
--- /dev/null
+++ b/snippets/ibu-PlatformBackupRestore.adoc
@@ -0,0 +1,39 @@
+[source,yaml]
+----
+apiVersion: velero.io/v1
+kind: Backup
+metadata:
+  name: acm-klusterlet
+  annotations:
+    lca.openshift.io/apply-label: "apps/v1/deployments/open-cluster-management-agent/klusterlet,v1/secrets/open-cluster-management-agent/bootstrap-hub-kubeconfig,rbac.authorization.k8s.io/v1/clusterroles/klusterlet,v1/serviceaccounts/open-cluster-management-agent/klusterlet,scheduling.k8s.io/v1/priorityclasses/klusterlet-critical,rbac.authorization.k8s.io/v1/clusterroles/open-cluster-management:klusterlet-admin-aggregate-clusterrole,rbac.authorization.k8s.io/v1/clusterrolebindings/klusterlet,operator.open-cluster-management.io/v1/klusterlets/klusterlet,apiextensions.k8s.io/v1/customresourcedefinitions/klusterlets.operator.open-cluster-management.io,v1/secrets/open-cluster-management-agent/open-cluster-management-image-pull-credentials" <1>
+  labels:
+    velero.io/storage-location: default
+  namespace: openshift-adp
+spec:
+  includedNamespaces:
+  - open-cluster-management-agent
+  includedClusterScopedResources:
+  - klusterlets.operator.open-cluster-management.io
+  - clusterroles.rbac.authorization.k8s.io
+  - clusterrolebindings.rbac.authorization.k8s.io
+  - priorityclasses.scheduling.k8s.io
+  includedNamespaceScopedResources:
+  - deployments
+  - serviceaccounts
+  - secrets
+  excludedNamespaceScopedResources: []
+---
+apiVersion: velero.io/v1
+kind: Restore
+metadata:
+  name: acm-klusterlet
+  namespace: openshift-adp
+  labels:
+    velero.io/storage-location: default
+  annotations:
+    lca.openshift.io/apply-wave: "1"
+spec:
+  backupName:
+    acm-klusterlet
+----
+<1> If your `multiclusterHub` CR does not have `.spec.imagePullSecret` defined and the secret does not exist on the `open-cluster-management-agent` namespace in your hub cluster, remove `v1/secrets/open-cluster-management-agent/open-cluster-management-image-pull-credentials`.
\ No newline at end of file
diff --git a/snippets/ibu-PlatformBackupRestoreLvms.adoc b/snippets/ibu-PlatformBackupRestoreLvms.adoc
new file mode 100644
index 000000000000..51ba1ec5b17a
--- /dev/null
+++ b/snippets/ibu-PlatformBackupRestoreLvms.adoc
@@ -0,0 +1,31 @@
+[source,yaml]
+----
+apiVersion: velero.io/v1
+kind: Backup
+metadata:
+  labels:
+    velero.io/storage-location: default
+  name: lvmcluster
+  namespace: openshift-adp
+spec:
+  includedNamespaces:
+    - openshift-storage
+  includedNamespaceScopedResources:
+    - lvmclusters
+    - lvmvolumegroups
+    - lvmvolumegroupnodestatuses
+---
+apiVersion: velero.io/v1
+kind: Restore
+metadata:
+  name: lvmcluster
+  namespace: openshift-adp
+  labels:
+    velero.io/storage-location: default
+  annotations:
+    lca.openshift.io/apply-wave: "2" <1>
+spec:
+  backupName:
+    lvmcluster
+----
+<1> The `lca.openshift.io/apply-wave` value must be lower than the values specified in the application `Restore` CRs.
\ No newline at end of file
diff --git a/snippets/lvms-disconnected-ImageSetConfig.adoc b/snippets/lvms-disconnected-ImageSetConfig.adoc
index 9975d16f91d3..5bd136967202 100644
--- a/snippets/lvms-disconnected-ImageSetConfig.adoc
+++ b/snippets/lvms-disconnected-ImageSetConfig.adoc
@@ -25,7 +25,7 @@ mirror:
   - name: registry.redhat.io/ubi9/ubi:latest <9>
   helm: {}
 ----
-<1> Set the the maximum size (in GiB) of each file within the image set.
+<1> Set the maximum size (in GiB) of each file within the image set.
 <2> Specify the location in which you want to save the image set. This location can be a registry or a local directory. You must configure the `storageConfig` field unless you are using the Technology Preview OCI feature.
 <3> Specify the storage URL for the image stream when using a registry. For more information, see _Why use imagestreams_.
 <4> Specify the channel from which you want to retrieve the {product-title} images.
@@ -33,4 +33,4 @@ mirror:
 <6> Specify the Operator catalog from which you want to retrieve the {product-title} images.
 <7> Specify the Operator packages to include in the image set. If this field is empty, all packages in the catalog are retrieved.
 <8> Specify the channels of the Operator packages to include in the image set. You must include the default channel for the Operator package even if you do not use the bundles in that channel. You can find the default channel by running the following command: `$ oc mirror list operators --catalog=<catalog_name> --package=<package_name>`.
-<9> Specify any additional images to include in the image set.
\ No newline at end of file
+<9> Specify any additional images to include in the image set.
diff --git a/snippets/lvms-scaling-up-storage-lvmcluster-cr-snippet.adoc b/snippets/lvms-scaling-up-storage-lvmcluster-cr-snippet.adoc
index c46233c11d1f..8fc649f52767 100644
--- a/snippets/lvms-scaling-up-storage-lvmcluster-cr-snippet.adoc
+++ b/snippets/lvms-scaling-up-storage-lvmcluster-cr-snippet.adoc
@@ -22,7 +22,7 @@ spec:
 <1> Contains the configuration to specify the paths to the devices that you want to add to the LVM volume group.
 You can specify the device paths in the `paths` field, the `optionalPaths` field, or both. If you do not specify the device paths in both `paths` and `optionalPaths`, {lvms-first} adds the supported unused devices to the LVM volume group. {lvms} adds the devices to the LVM volume group only if the following conditions are met:
 * The device path exists.
-* The device is supported by {lvms}. For information about unsupported devices, see "Devices not supported by {lvms}" in the "Additional resources" section.
+* The device is supported by {lvms}. For information about unsupported devices, see "Devices not supported by {lvms}".
 <2> Specify the device paths. If the device path specified in this field does not exist, or the device is not supported by {lvms}, the `LVMCluster` CR moves to the `Failed` state.
 <3> Specify the optional device paths. If the device path specified in this field does not exist, or the device is not supported by {lvms}, {lvms} ignores the device without causing an error. 
 +
diff --git a/snippets/machine-config-node-disruption-actions.adoc b/snippets/machine-config-node-disruption-actions.adoc
new file mode 100644
index 000000000000..d7fbecbe35e9
--- /dev/null
+++ b/snippets/machine-config-node-disruption-actions.adoc
@@ -0,0 +1,21 @@
+// Text snippet included in the following modules:
+//
+// * modules/machine-config-node-disruption.adoc
+// * modules/machine-config-node-disruption-config.adoc
+
+When you make any of these changes, the node disruption policy determines which of the following actions are required when the MCO implements the changes:
+
+* *Reboot*: The MCO drains and reboots the nodes. This is the default behavior.
+* *None*: The MCO does not drain or reboot the nodes. The MCO applies the changes with no further action.
+* *Drain*: The MCO cordons and drains the nodes of their workloads. The workloads restart with the new configurations.
+* *Reload*: For services, the MCO reloads the specified services without restarting the service.
+* *Restart*: For services, the MCO fully restarts the specified services.
+* *DaemonReload*: The MCO reloads the systemd manager configuration.
+* *Special*: This is an internal MCO-only action and cannot be set by the user.
+
+[NOTE]
+====
+* The `Reboot` and `None` actions cannot be used with any other actions, as the `Reboot` and `None` actions override the others. 
+* Actions are applied in the order that they are set in the node disruption policy list.
+* If you make other machine config changes that do require a reboot or other disruption to the nodes, that reboot supercedes the node disruption policy actions.
+====
diff --git a/snippets/microshift-healthy-pods-snip.adoc b/snippets/microshift-healthy-pods-snip.adoc
new file mode 100644
index 000000000000..05d284597b45
--- /dev/null
+++ b/snippets/microshift-healthy-pods-snip.adoc
@@ -0,0 +1,31 @@
+// Snippet for healthy MicroShift output with oc get pods -a
+//
+//*  microshift_troubleshooting/microshift-troubleshoot-cluster
+
+:_mod-docs-content-type: SNIPPET
+
+[source,terminal]
+----
+$ oc get pods -A
+----
+.Example output
+[source,terminal]
+----
+NAMESPACE                   NAME                                                     READY   STATUS   RESTARTS  AGE
+default                     i-06166fbb376f14a8bus-west-2computeinternal-debug-qtwcr  1/1     Running  0		    46m
+kube-system                 csi-snapshot-controller-5c6586d546-lprv4                 1/1     Running  0		    51m
+kube-system                 csi-snapshot-webhook-6bf8ddc7f5-kz6k9                    1/1     Running  0		    51m
+openshift-dns               dns-default-45jl7                                        2/2     Running  0		    50m
+openshift-dns               node-resolver-7wmzf                                      1/1     Running  0		    51m
+openshift-ingress           router-default-78b86fbf9d-qvj9s                          1/1     Running  0		    51m
+openshift-ovn-kubernetes    ovnkube-master-5rfhh                                     4/4     Running  0		    51m
+openshift-ovn-kubernetes    ovnkube-node-gcnt6                                       1/1     Running  0		    51m
+openshift-service-ca        service-ca-bf5b7c9f8-pn6rk                               1/1     Running  0		    51m
+openshift-storage           topolvm-controller-549f7fbdd5-7vrmv                      5/5     Running  0		    51m
+openshift-storage           topolvm-node-rht2m                                       3/3     Running  0		    50m
+----
+
+[NOTE]
+====
+This example output shows basic {microshift-short}. If you have installed optional RPMs, the status of pods running those services is also expected to be shown in your output.
+====
\ No newline at end of file
diff --git a/snippets/network-flow-matrix.csv b/snippets/network-flow-matrix.csv
new file mode 100644
index 000000000000..24066b38c8c9
--- /dev/null
+++ b/snippets/network-flow-matrix.csv
@@ -0,0 +1,67 @@
+Direction,Protocol,Port,Namespace,Service,Pod,Container,Node Role,Optional
+Ingress,TCP,22,Host system service,sshd,,,master,TRUE
+Ingress,TCP,53,openshift-dns,dns-default,dnf-default,dns,master,FALSE
+Ingress,TCP,111,Host system service,rpcbind,,,master,TRUE
+Ingress,TCP,2379,openshift-etcd,etcd,etcd,etcdctl,master,FALSE
+Ingress,TCP,2380,openshift-etcd,healthz,etcd,etcd,master,FALSE
+Ingress,TCP,5050,openshift-machine-api,,ironic-proxy,ironic-proxy,master,FALSE
+Ingress,TCP,6080,openshift-kube-apiserver,,kube-apiserver,kube-apiserver-insecure-readyz,master,FALSE
+Ingress,TCP,6385,openshift-machine-api,,ironic-proxy,ironic-proxy,master,FALSE
+Ingress,TCP,6443,openshift-kube-apiserver,apiserver,kube-apiserver,kube-apiserver,master,FALSE
+Ingress,TCP,8080,openshift-network-operator   ,,network-operator,network-operator,master,FALSE
+Ingress,TCP,8798,openshift-machine-config-operator,machine-config-daemon,machine-config-daemon,machine-config-daemon,master,FALSE
+Ingress,TCP,9001,openshift-machine-config-operator,machine-config-daemon,machine-config-daemon,kube-rbac-proxy,master,FALSE
+Ingress,TCP,9099,openshift-cluster-version,cluster-version-operator,cluster-version-operator,cluster-version-operator,master,FALSE
+Ingress,TCP,9100,openshift-monitoring,node-exporter,node-exporter,kube-rbac-proxy,master,FALSE
+Ingress,TCP,9103,openshift-ovn-kubernetes,ovn-kubernetes-node,ovnkube-node,kube-rbac-proxy-node,master,FALSE
+Ingress,TCP,9104,openshift-network-operator,metrics,network-operator,network-operator,master,FALSE
+Ingress,TCP,9105,openshift-ovn-kubernetes,ovn-kubernetes-node,ovnkube-node,kube-rbac-proxy-ovn-metrics,master,FALSE
+Ingress,TCP,9107,openshift-ovn-kubernetes,egressip-node-healthcheck,ovnkube-node,ovnkube-controller,master,FALSE
+Ingress,TCP,9108,openshift-ovn-kubernetes,ovn-kubernetes-control-plane,ovnkube-control-plane,kube-rbac-proxy,master,FALSE
+Ingress,TCP,9192,openshift-cluster-machine-approver,machine-approver,machine-approver,kube-rbac-proxy,master,FALSE
+Ingress,TCP,9258,openshift-cloud-controller-manager-operator,machine-approver,cluster-cloud-controller-manager,cluster-cloud-controller-manager,master,FALSE
+Ingress,TCP,9444,openshift-kni-infra,,haproxy,haproxy,master,FALSE
+Ingress,TCP,9445,openshift-kni-infra,,haproxy,haproxy,master,FALSE
+Ingress,TCP,9447,openshift-machine-api,,metal3-baremetal-operator,,master,FALSE
+Ingress,TCP,9537,Host system service,crio-metrics,,,master,FALSE
+Ingress,TCP,9637,openshift-machine-config-operator,kube-rbac-proxy-crio,kube-rbac-proxy-crio,kube-rbac-proxy-crio,master,FALSE
+Ingress,TCP,9978,openshift-etcd,etcd,etcd,etcd-metrics,master,FALSE
+Ingress,TCP,9979,openshift-etcd,etcd,etcd,etcd-metrics,master,FALSE
+Ingress,TCP,9980,openshift-etcd,etcd,etcd,etcd,master,FALSE
+Ingress,TCP,10250,Host system service,kubelet,,,master,FALSE
+Ingress,TCP,10256,openshift-ovn-kubernetes,ovnkube,ovnkube,ovnkube-controller,master,FALSE
+Ingress,TCP,10257,openshift-kube-controller-manager,kube-controller-manager,kube-controller-manager,kube-controller-manager,master,FALSE
+Ingress,TCP,10258,openshift-cloud-controller-manager-operator,cloud-controller,cloud-controller-manager,cloud-controller-manager,master,FALSE
+Ingress,TCP,10259,openshift-kube-scheduler,scheduler,openshift-kube-scheduler,kube-scheduler,master,FALSE
+Ingress,TCP,10260,openshift-cloud-controller-manager-operator,cloud-controller,cloud-controller-manager,cloud-controller-manager,master,FALSE
+Ingress,TCP,10300,openshift-cluster-csi-drivers,csi-livenessprobe,csi-driver-node,csi-driver,master,FALSE
+Ingress,TCP,10309,openshift-cluster-csi-drivers,csi-node-driver,csi-driver-node,csi-node-driver-registrar,master,FALSE
+Ingress,TCP,10357,openshift-kube-apiserver,openshift-kube-apiserver-healthz,kube-apiserver,kube-apiserver-check-endpoints,master,FALSE
+Ingress,TCP,17697,openshift-kube-apiserver,openshift-kube-apiserver-healthz,kube-apiserver,kube-apiserver-check-endpoints,master,FALSE
+Ingress,TCP,18080,openshift-kni-infra,,coredns,coredns,master,FALSE
+Ingress,TCP,22623,openshift-machine-config-operator,machine-config-server,machine-config-server,machine-config-server,master,FALSE
+Ingress,TCP,22624,openshift-machine-config-operator,machine-config-server,machine-config-server,machine-config-server,master,FALSE
+Ingress,UDP,53,openshift-dns,dns-default,dnf-default,dns,master,FALSE
+Ingress,UDP,111,Host system service,rpcbind,,,master,TRUE
+Ingress,UDP,6081,openshift-ovn-kubernetes,ovn-kubernetes geneve,,,master,FALSE
+Ingress,TCP,22,Host system service,sshd,,,worker,TRUE
+Ingress,TCP,53,openshift-dns,dns-default,dnf-default,dns,worker,FALSE
+Ingress,TCP,80,openshift-ingress,router-default,router-default,router,worker,FALSE
+Ingress,TCP,111,Host system service,rpcbind,,,worker,TRUE
+Ingress,TCP,443,openshift-ingress,router-default,router-default,router,worker,FALSE
+Ingress,TCP,8798,openshift-machine-config-operator,machine-config-daemon,machine-config-daemon,machine-config-daemon,worker,FALSE
+Ingress,TCP,9001,openshift-machine-config-operator,machine-config-daemon,machine-config-daemon,kube-rbac-proxy,worker,FALSE
+Ingress,TCP,9100,openshift-monitoring,node-exporter,node-exporter,kube-rbac-proxy,worker,FALSE
+Ingress,TCP,9103,openshift-ovn-kubernetes,ovn-kubernetes-node,ovnkube-node,kube-rbac-proxy-node,worker,FALSE
+Ingress,TCP,9105,openshift-ovn-kubernetes,ovn-kubernetes-node,ovnkube-node,kube-rbac-proxy-ovn-metrics,worker,FALSE
+Ingress,TCP,9107,openshift-ovn-kubernetes,egressip-node-healthcheck,ovnkube-node,ovnkube-controller,worker,FALSE
+Ingress,TCP,9537,Host system service,crio-metrics,,,worker,FALSE
+Ingress,TCP,9637,openshift-machine-config-operator,kube-rbac-proxy-crio,kube-rbac-proxy-crio,kube-rbac-proxy-crio,worker,FALSE
+Ingress,TCP,10250,Host system service,kubelet,,,worker,FALSE
+Ingress,TCP,10256,openshift-ovn-kubernetes,ovnkube,ovnkube,ovnkube-controller,worker,TRUE
+Ingress,TCP,10300,openshift-cluster-csi-drivers,csi-livenessprobe,csi-driver-node,csi-driver,worker,FALSE
+Ingress,TCP,10309,openshift-cluster-csi-drivers,csi-node-driver-registrar,csi-driver-node,csi-node-driver-registrar,worker,FALSE
+Ingress,TCP,18080,openshift-kni-infra,,coredns,coredns,worker,FALSE
+Ingress,UDP,53,openshift-dns,dns-default,dnf-default,dns,worker,FALSE
+Ingress,UDP,111,Host system service,rpcbind,,,worker,TRUE
+Ingress,UDP,6081,openshift-ovn-kubernetes,ovn-kubernetes geneve,,,worker,FALSE
\ No newline at end of file
diff --git a/snippets/olmv1-cli-only.adoc b/snippets/olmv1-cli-only.adoc
index 2408aedfad71..f53cb06dc950 100644
--- a/snippets/olmv1-cli-only.adoc
+++ b/snippets/olmv1-cli-only.adoc
@@ -1,7 +1,7 @@
 // Text snippet included in the following modules:
 //
 // * operators/olm_v1/olmv1-installing-an-operator-from-a-catalog.adoc
-// * operators/olm_v1/olmv1-managing-plain-bundles.adoc
+
 
 :_mod-docs-content-type: SNIPPET
 
diff --git a/snippets/olmv1-operator-api-group.adoc b/snippets/olmv1-operator-api-group.adoc
deleted file mode 100644
index 61ddfb412011..000000000000
--- a/snippets/olmv1-operator-api-group.adoc
+++ /dev/null
@@ -1,17 +0,0 @@
-// Text snippet included in the following modules:
-//
-// * modules/olmv1-operator-api.adoc
-
-:_mod-docs-content-type: SNIPPET
-
-[NOTE]
-====
-When using the OpenShift CLI (`oc`), the `Operator` resource provided with {olmv1} during this Technology Preview phase requires specifying the full `<resource>.<group>` format: `operator.operators.operatorframework.io`. For example:
-
-[source,terminal]
-----
-$ oc get operator.operators.operatorframework.io
-----
-
-If you specify only the `Operator` resource without the API group, the CLI returns results for an earlier API (`operator.operators.coreos.com`) that is unrelated to {olmv1}.
-====
diff --git a/snippets/osdk-deprecation.adoc b/snippets/osdk-deprecation.adoc
new file mode 100644
index 000000000000..32fa5a15f5ff
--- /dev/null
+++ b/snippets/osdk-deprecation.adoc
@@ -0,0 +1,60 @@
+// Text snippet included in the following assemblies:
+// * cli_reference/osdk/cli-osdk-install.adoc
+// * cli_reference/osdk/cli-osdk-ref.adoc
+// * operators/operator_sdk/ansible/osdk-ansible-cr-status.adoc
+// * operators/operator_sdk/ansible/osdk-ansible-inside-operator.adoc
+// * operators/operator_sdk/ansible/osdk-ansible-k8s-collection.adoc
+// * operators/operator_sdk/ansible/osdk-ansible-project-layout.adoc
+// * opearotors/operator_sdk/ansible/osdk-ansible-quickstart.adoc
+// * operators/operator_sdk/ansible/osdk-ansible-support.adoc
+// * operators/operator_sdk/ansible/osdk-ansible-tutorial.adoc
+// * operators/ansible/osdk-ansible-updating-projects.adoc
+// * operator/operator_sdk/golang/osdk-golang-project-layout.adoc
+// * operators/operator_sdk/golang/osdk-golang-quickstart.adoc
+// * operators/operator_sdk/golang/osdk-golang-tutorial.adoc
+// * operators/operator_sdk/golang/osdk-golang-updating-projects.adoc
+// * operators/operator_sdk/helm/osdk-helm-project-layout.adoc
+// * operators/operator_sdk/helm/osdk-helm-quickstart.adoc
+// * operators/operator_sdk/helm/osdk-helm-support.adoc
+// * operators/operator_sdk/helm/osdk-helm-tutorial.adoc
+// * operators/operator_sdk/helm/osdk-helm-updating-projects.adoc
+// * operators/operator_sdk/helm/osdk-hybrid-helm-updating-projects.adoc
+// * operators/operator_sdk/helm/osdk-hybrid-helm.adoc
+// * operators/operator_sdk/java/osdk-java-project-layout.adoc
+// * operators/operator_sdk/java/osdk-java-quickstart.adoc
+// * operators/operator_sdk/java/osdk-java-tutorial.adoc
+// * operators/operator_sdk/java/osdk-java-updating-projects.adoc
+// * operators/operator_sdk/osdk-about.adoc
+// * operators/operator_sdk/osdk-bundle-validate.adoc
+// * operators/operator_sdk/osdk-cli-ref.adoc
+// * operators/operator_sdk/osdk-complying-with-psa.adoc
+// * operators/operator_sdk/osdk-generating-csvs.adoc
+// * operators/operator_sdk/osdk-ha-sno.adoc
+// * operators/operator_sdk/osdk-installing-cli.adoc
+// * operators/operator_sdk/osdk-leader-election.adoc
+// * operators/operator_sdk/osdk-migrating-to-v0-1-0.adoc
+// * operators/operator_sdk/osdk-monitoring-prometheus.adoc
+// * operators/operator_sdk/osdk-multi-arch-support.adoc
+// * operators/operator_sdk/osdk-pkgman-to-bundle.adoc
+// * operators/operator_sdk/osdk-pruning-utility.adoc
+// * operators/operator_sdk/osdk-scorecard.adoc
+// * operators/operator_sdk/osdk-working-bundle-images.adoc
+
+[IMPORTANT]
+====
+[subs="attributes+"]
+The Red{nbsp}Hat-supported version of the Operator SDK CLI tool, including the related scaffolding and testing tools for Operator projects, is deprecated and is planned to be removed in a future release of {product-title}. Red{nbsp}Hat will provide bug fixes and support for this feature during the current release lifecycle, but this feature will no longer receive enhancements and will be removed from future {product-title} releases.
+
+The Red{nbsp}Hat-supported version of the Operator SDK is not recommended for creating new Operator projects. Operator authors with existing Operator projects can use the version of the Operator SDK CLI tool released with {product-title} {product-version} to maintain their projects and create Operator releases targeting newer versions of {product-title}.
+
+The following related base images for Operator projects are _not_ deprecated. The runtime functionality and configuration APIs for these base images are still supported for bug fixes and for addressing CVEs.
+
+* The base image for Ansible-based Operator projects
+* The base image for Helm-based Operator projects
+
+ifndef::openshift-rosa,openshift-dedicated[]
+For the most recent list of major functionality that has been deprecated or removed within {product-title}, refer to the _Deprecated and removed features_ section of the {product-title} release notes.
+endif::openshift-rosa,openshift-dedicated[]
+
+For information about the unsupported, community-maintained, version of the Operator SDK, see link:https://sdk.operatorframework.io[Operator SDK (Operator Framework)].
+====
diff --git a/snippets/ossm-current-version-support-snippet.adoc b/snippets/ossm-current-version-support-snippet.adoc
new file mode 100644
index 000000000000..0a600c68061f
--- /dev/null
+++ b/snippets/ossm-current-version-support-snippet.adoc
@@ -0,0 +1,7 @@
+// Snippets included in the following assemblies and modules:
+//
+// * service_mesh/v2x/ossm-rn-new-features.adoc
+
+:_mod-docs-content-type: SNIPPET
+
+The most current version of the {SMProductName} Operator can be used with all supported versions of {SMProductShortName}. The version of {SMProductShortName} is specified using the `ServiceMeshControlPlane`.
diff --git a/snippets/pg-cnf-topology-aware-lifecycle-manager-operator-troubleshooting.adoc b/snippets/pg-cnf-topology-aware-lifecycle-manager-operator-troubleshooting.adoc
new file mode 100644
index 000000000000..d05e85c49b4d
--- /dev/null
+++ b/snippets/pg-cnf-topology-aware-lifecycle-manager-operator-troubleshooting.adoc
@@ -0,0 +1,33 @@
+[source,yaml]
+----
+manifests:
+- path: source-crs/DefaultCatsrc.yaml
+  patches:
+    - metadata:
+        name: redhat-operators
+      spec:
+        displayName: Red Hat Operators Catalog
+        image: registry.example.com:5000/olm/redhat-operators:v{product-version}
+        updateStrategy:
+            registryPoll:
+                interval: 1h
+      status:
+        connectionState:
+            lastObservedState: READY
+- path: source-crs/DefaultCatsrc.yaml
+  patches:
+    - metadata:
+        name: redhat-operators-v2 <1>
+      spec:
+        displayName: Red Hat Operators Catalog v2 <2>
+        image: registry.example.com:5000/olredhat-operators:<version> <3>
+        updateStrategy:
+            registryPoll:
+                interval: 1h
+      status:
+        connectionState:
+            lastObservedState: READY
+----
+<1> Update the name for the new configuration.
+<2> Update the display name for the new configuration.
+<3> Update the index image URL. This `policies.manifests.patches.spec.image` field overrides any configuration in the `DefaultCatsrc.yaml` file.
diff --git a/snippets/pg-cnf-topology-aware-lifecycle-manager-operator-update.adoc b/snippets/pg-cnf-topology-aware-lifecycle-manager-operator-update.adoc
new file mode 100644
index 000000000000..5154ed1c01b7
--- /dev/null
+++ b/snippets/pg-cnf-topology-aware-lifecycle-manager-operator-update.adoc
@@ -0,0 +1,48 @@
+:_mod-docs-content-type: SNIPPET
+[source,yaml,subs="attributes+"]
+----
+apiVersion: policy.open-cluster-management.io/v1
+kind: PolicyGenerator
+metadata:
+    name: du-upgrade
+placementBindingDefaults:
+    name: du-upgrade-placement-binding
+policyDefaults:
+    namespace: ztp-group-du-sno
+    placement:
+        labelSelector:
+            matchExpressions:
+                - key: group-du-sno
+                  operator: Exists
+    remediationAction: inform
+    severity: low
+    namespaceSelector:
+        exclude:
+            - kube-*
+        include:
+            - '*'
+    evaluationInterval:
+        compliant: 10m
+        noncompliant: 10s
+policies:
+    - name: du-upgrade-operator-catsrc-policy
+      policyAnnotations:
+        ran.openshift.io/ztp-deploy-wave: "1"
+      manifests:
+        - path: source-crs/DefaultCatsrc.yaml
+          patches:
+            - metadata:
+                name: redhat-operators
+              spec:
+                displayName: Red Hat Operators Catalog
+                image: registry.example.com:5000/olm/redhat-operators:v{product-version} <1>
+                updateStrategy: <2>
+                    registryPoll:
+                        interval: 1h
+              status:
+                connectionState:
+                    lastObservedState: READY <3>
+----
+<1> Contains the required Operator images. If the index images are always pushed to the same image name and tag, this change is not needed.
+<2> Sets how frequently the Operator Lifecycle Manager (OLM) polls the index image for new Operator versions with the `registryPoll.interval` field. This change is not needed if a new index image tag is always pushed for y-stream and z-stream Operator updates. The `registryPoll.interval` field can be set to a shorter interval to expedite the update, however shorter intervals increase computational load. To counteract this, you can restore `registryPoll.interval` to the default value once the update is complete.
+<3> Displays the observed state of the catalog connection. The `READY` value ensures that the `CatalogSource` policy is ready, indicating that the index pod is pulled and is running. This way, {cgu-operator} upgrades the Operators based on up-to-date policy compliance states.
diff --git a/snippets/pg-cnf-topology-aware-lifecycle-manager-pao-update.yaml b/snippets/pg-cnf-topology-aware-lifecycle-manager-pao-update.yaml
new file mode 100644
index 000000000000..df38008fdb39
--- /dev/null
+++ b/snippets/pg-cnf-topology-aware-lifecycle-manager-pao-update.yaml
@@ -0,0 +1,7 @@
+- name: group-du-sno-pg-subscriptions-policy
+  policyAnnotations:
+    ran.openshift.io/ztp-deploy-wave: "2"
+  manifests:
+    - path: source-crs/PaoSubscriptionNS.yaml
+    - path: source-crs/PaoSubscriptionOperGroup.yaml
+    - path: source-crs/PaoSubscription.yaml
\ No newline at end of file
diff --git a/snippets/pg-cnf-topology-aware-lifecycle-manager-platform-update.adoc b/snippets/pg-cnf-topology-aware-lifecycle-manager-platform-update.adoc
new file mode 100644
index 000000000000..cb07a97e7207
--- /dev/null
+++ b/snippets/pg-cnf-topology-aware-lifecycle-manager-platform-update.adoc
@@ -0,0 +1,66 @@
+:_mod-docs-content-type: SNIPPET
+[source,yaml,subs="attributes+"]
+----
+apiVersion: policy.open-cluster-management.io/v1
+kind: PolicyGenerator
+metadata:
+    name: du-upgrade
+placementBindingDefaults:
+    name: du-upgrade-placement-binding
+policyDefaults:
+    namespace: ztp-group-du-sno
+    placement:
+        labelSelector:
+            matchExpressions:
+                - key: group-du-sno
+                  operator: Exists
+    remediationAction: inform
+    severity: low
+    namespaceSelector:
+        exclude:
+            - kube-*
+        include:
+            - '*'
+    evaluationInterval:
+        compliant: 10m
+        noncompliant: 10s
+policies:
+    - name: du-upgrade-platform-upgrade
+      policyAnnotations:
+        ran.openshift.io/ztp-deploy-wave: "100"
+      manifests:
+        - path: source-crs/ClusterVersion.yaml <1>
+          patches:
+            - metadata:
+                name: version
+              spec:
+                channel: stable-{product-version}
+                desiredUpdate:
+                    version: {product-version}.4
+                upstream: http://upgrade.example.com/images/upgrade-graph_stable-{product-version}
+              status:
+                history:
+                    - state: Completed
+                      version: {product-version}.4
+    - name: du-upgrade-platform-upgrade-prep
+      policyAnnotations:
+        ran.openshift.io/ztp-deploy-wave: "1"
+      manifests:
+        - path: source-crs/ImageSignature.yaml <2>
+        - path: source-crs/DisconnectedICSP.yaml
+          patches:
+            - metadata:
+                name: disconnected-internal-icsp-for-ocp
+              spec:
+                repositoryDigestMirrors: <3>
+                    - mirrors:
+                        - quay-intern.example.com/ocp4/openshift-release-dev
+                      source: quay.io/openshift-release-dev/ocp-release
+                    - mirrors:
+                        - quay-intern.example.com/ocp4/openshift-release-dev
+                      source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
+----
+<1> Shows the `ClusterVersion` CR to trigger the update. The `channel`, `upstream`, and `desiredVersion` fields are all required for image pre-caching.
+<2> `ImageSignature.yaml` contains the image signature of the required release image. The image signature is used to verify the image before applying the platform update.
+<3> Shows the mirror repository that contains the required {product-title} image. Get the mirrors from the `imageContentSources.yaml` file that you saved when following the procedures in the "Setting up the environment" section.
+
diff --git a/snippets/pg-group-du-sno-config-policy.yaml b/snippets/pg-group-du-sno-config-policy.yaml
new file mode 100644
index 000000000000..db03631e73ab
--- /dev/null
+++ b/snippets/pg-group-du-sno-config-policy.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: PolicyGenerator
+metadata:
+    name: du-upgrade
+placementBindingDefaults:
+    name: du-upgrade-placement-binding
+policyDefaults:
+    namespace: ztp-group-du-sno
+    placement:
+        labelSelector:
+            matchExpressions:
+                - key: group-du-sno
+                  operator: Exists
+    remediationAction: inform
+    severity: low
+    namespaceSelector:
+        exclude:
+            - kube-*
+        include:
+            - '*'
+    evaluationInterval:
+        compliant: 10m
+        noncompliant: 10s
+policies:
+    - name: du-upgrade-operator-catsrc-policy
+      policyAnnotations:
+        ran.openshift.io/ztp-deploy-wave: "1"
+      manifests:
+        - path: source-crs/DefaultCatsrc.yaml
+          patches:
+            - metadata:
+                name: redhat-operators
+              spec:
+                displayName: Red Hat Operators Catalog
+                image: registry.example.com:5000/olm/redhat-operators:v4.14
+                updateStrategy:
+                    registryPoll:
+                        interval: 1h
+              status:
+                connectionState:
+                    lastObservedState: READY
diff --git a/snippets/pg-sriov-fec-cnf-topology-aware-lifecycle-manager-operator-update.adoc b/snippets/pg-sriov-fec-cnf-topology-aware-lifecycle-manager-operator-update.adoc
new file mode 100644
index 000000000000..bb09d4e08933
--- /dev/null
+++ b/snippets/pg-sriov-fec-cnf-topology-aware-lifecycle-manager-operator-update.adoc
@@ -0,0 +1,51 @@
+:_mod-docs-content-type: SNIPPET
+[source,yaml]
+----
+apiVersion: policy.open-cluster-management.io/v1
+kind: PolicyGenerator
+metadata:
+    name: du-upgrade
+placementBindingDefaults:
+    name: du-upgrade-placement-binding
+policyDefaults:
+    namespace: ztp-group-du-sno
+    placement:
+        labelSelector:
+            matchExpressions:
+                - key: group-du-sno
+                  operator: Exists
+    remediationAction: inform
+    severity: low
+    namespaceSelector:
+        exclude:
+            - kube-*
+        include:
+            - '*'
+    evaluationInterval:
+        compliant: 10m
+        noncompliant: 10s
+policies:
+    - name: du-upgrade-fec-catsrc-policy
+      policyAnnotations:
+        ran.openshift.io/ztp-deploy-wave: "1"
+      manifests:
+        - path: source-crs/DefaultCatsrc.yaml
+          patches:
+            - metadata:
+                name: certified-operators
+              spec:
+                displayName: Intel SRIOV-FEC Operator
+                image: registry.example.com:5000/olm/far-edge-sriov-fec:v4.10
+                updateStrategy:
+                    registryPoll:
+                        interval: 10m
+    - name: du-upgrade-subscriptions-fec-policy
+      policyAnnotations:
+        ran.openshift.io/ztp-deploy-wave: "2"
+      manifests:
+        - path: source-crs/AcceleratorsSubscription.yaml
+          patches:
+            - spec:
+                channel: stable
+                source: certified-operators
+----
diff --git a/snippets/pg-using-ztp-to-update-source-crs.yaml b/snippets/pg-using-ztp-to-update-source-crs.yaml
new file mode 100644
index 000000000000..cc23f89dfc41
--- /dev/null
+++ b/snippets/pg-using-ztp-to-update-source-crs.yaml
@@ -0,0 +1,13 @@
+- path: source-crs/PerformanceProfile.yaml
+  patches:
+    - spec:
+        # These must be tailored for the specific hardware platform
+        cpu:
+          isolated: "2-19,22-39"
+          reserved: "0-1,20-21"
+        hugepages:
+          defaultHugepagesSize: 1G
+          pages:
+          - size: 1G
+            count: 10
+        globallyDisableIrqLoadBalancing: false
diff --git a/snippets/pg-ztp-adding-new-content-to-gitops-ztp-folder-structure.adoc b/snippets/pg-ztp-adding-new-content-to-gitops-ztp-folder-structure.adoc
new file mode 100644
index 000000000000..da3df80a080b
--- /dev/null
+++ b/snippets/pg-ztp-adding-new-content-to-gitops-ztp-folder-structure.adoc
@@ -0,0 +1,20 @@
+:_mod-docs-content-type: SNIPPET
+[source,terminal]
+----
+example
+└── acmpolicygenerator
+    ├── dev.yaml
+    ├── kustomization.yaml
+    ├── mec-edge-sno1.yaml
+    ├── sno.yaml
+    └── source-crs <1>
+        ├── PaoCatalogSource.yaml
+        ├── PaoSubscription.yaml
+        ├── custom-crs
+        |   ├── apiserver-config.yaml
+        |   └── disable-nic-lldp.yaml
+        └── elasticsearch
+            ├── ElasticsearchNS.yaml
+            └── ElasticsearchOperatorGroup.yaml
+----
+<1> The `source-crs` subdirectory must be in the same directory as the `kustomization.yaml` file.
diff --git a/snippets/pg-ztp-adding-new-content-to-gitops-ztp.adoc b/snippets/pg-ztp-adding-new-content-to-gitops-ztp.adoc
new file mode 100644
index 000000000000..7dd94da67b88
--- /dev/null
+++ b/snippets/pg-ztp-adding-new-content-to-gitops-ztp.adoc
@@ -0,0 +1,99 @@
+:_mod-docs-content-type: SNIPPET
+[source,yaml]
+----
+apiVersion: policy.open-cluster-management.io/v1
+kind: PolicyGenerator
+metadata:
+    name: group-dev
+placementBindingDefaults:
+    name: group-dev-placement-binding
+policyDefaults:
+    namespace: ztp-clusters
+    placement:
+        labelSelector:
+            matchExpressions:
+                - key: dev
+                  operator: In
+                  values:
+                    - "true"
+    remediationAction: inform
+    severity: low
+    namespaceSelector:
+        exclude:
+            - kube-*
+        include:
+            - '*'
+    evaluationInterval:
+        compliant: 10m
+        noncompliant: 10s
+policies:
+    - name: group-dev-group-dev-cluster-log-ns
+      policyAnnotations:
+        ran.openshift.io/ztp-deploy-wave: "2"
+      manifests:
+        - path: source-crs/ClusterLogNS.yaml
+    - name: group-dev-group-dev-cluster-log-operator-group
+      policyAnnotations:
+        ran.openshift.io/ztp-deploy-wave: "2"
+      manifests:
+        - path: source-crs/ClusterLogOperGroup.yaml
+    - name: group-dev-group-dev-cluster-log-sub
+      policyAnnotations:
+        ran.openshift.io/ztp-deploy-wave: "2"
+      manifests:
+        - path: source-crs/ClusterLogSubscription.yaml
+    - name: group-dev-group-dev-lso-ns
+      policyAnnotations:
+        ran.openshift.io/ztp-deploy-wave: "2"
+      manifests:
+        - path: source-crs/StorageNS.yaml
+    - name: group-dev-group-dev-lso-operator-group
+      policyAnnotations:
+        ran.openshift.io/ztp-deploy-wave: "2"
+      manifests:
+        - path: source-crs/StorageOperGroup.yaml
+    - name: group-dev-group-dev-lso-sub
+      policyAnnotations:
+        ran.openshift.io/ztp-deploy-wave: "2"
+      manifests:
+        - path: source-crs/StorageSubscription.yaml
+    - name: group-dev-group-dev-pao-cat-source
+      policyAnnotations:
+        ran.openshift.io/ztp-deploy-wave: "1"
+      manifests:
+        - path: source-crs/PaoSubscriptionCatalogSource.yaml
+          patches:
+            - spec:
+                image: <container_image_url>
+    - name: group-dev-group-dev-pao-ns
+      policyAnnotations:
+        ran.openshift.io/ztp-deploy-wave: "2"
+      manifests:
+        - path: source-crs/PaoSubscriptionNS.yaml
+    - name: group-dev-group-dev-pao-sub
+      policyAnnotations:
+        ran.openshift.io/ztp-deploy-wave: "2"
+      manifests:
+        - path: source-crs/PaoSubscription.yaml
+    - name: group-dev-group-dev-elasticsearch-ns
+      policyAnnotations:
+        ran.openshift.io/ztp-deploy-wave: "2"
+      manifests:
+        - path: elasticsearch/ElasticsearchNS.yaml <1>
+    - name: group-dev-group-dev-elasticsearch-operator-group
+      policyAnnotations:
+        ran.openshift.io/ztp-deploy-wave: "2"
+      manifests:
+        - path: elasticsearch/ElasticsearchOperatorGroup.yaml
+    - name: group-dev-group-dev-apiserver-config
+      policyAnnotations:
+        ran.openshift.io/ztp-deploy-wave: "2"
+      manifests:
+        - path: custom-crs/apiserver-config.yaml <1>
+    - name: group-dev-group-dev-disable-nic-lldp
+      policyAnnotations:
+        ran.openshift.io/ztp-deploy-wave: "2"
+      manifests:
+        - path: custom-crs/disable-nic-lldp.yaml
+----
+<1> Set `policies.manifests.path` to include the relative path to the file from the `/source-crs` parent directory.
diff --git a/snippets/pg-ztp-configuring-hwevents-using-pgt-hardware-event.adoc b/snippets/pg-ztp-configuring-hwevents-using-pgt-hardware-event.adoc
new file mode 100644
index 000000000000..3357dd558705
--- /dev/null
+++ b/snippets/pg-ztp-configuring-hwevents-using-pgt-hardware-event.adoc
@@ -0,0 +1,11 @@
+:_mod-docs-content-type: SNIPPET
+[source,yaml]
+----
+- path: source-crs/HardwareEvent.yaml <1>
+  patches:
+    - spec:
+        logLevel: debug
+        nodeSelector: {}
+        transportHost: http://hw-event-publisher-service.openshift-bare-metal-events.svc.cluster.local:9043
+----
+<1> Each baseboard management controller (BMC) requires a single `HardwareEvent` CR only.
diff --git a/snippets/pg-ztp-configuring-hwevents.yaml b/snippets/pg-ztp-configuring-hwevents.yaml
new file mode 100644
index 000000000000..531daddd6015
--- /dev/null
+++ b/snippets/pg-ztp-configuring-hwevents.yaml
@@ -0,0 +1,4 @@
+# Bare Metal Event Relay Operator
+- path: source-crs/BareMetalEventRelaySubscriptionNS.yaml
+- path: source-crs/BareMetalEventRelaySubscriptionOperGroup.yaml
+- path: source-crs/BareMetalEventRelaySubscription.yaml
\ No newline at end of file
diff --git a/snippets/pg-ztp-configuring-ptp-fast-events-amqp-transport.yaml b/snippets/pg-ztp-configuring-ptp-fast-events-amqp-transport.yaml
new file mode 100644
index 000000000000..ff0ecff6664c
--- /dev/null
+++ b/snippets/pg-ztp-configuring-ptp-fast-events-amqp-transport.yaml
@@ -0,0 +1,13 @@
+- path: source-crs/PtpOperatorConfigForEvent.yaml
+  patches:
+  - metadata:
+      name: default
+      namespace: openshift-ptp
+      annotations:
+        ran.openshift.io/ztp-deploy-wave: "10"
+    spec:
+      daemonNodeSelector:
+        node-role.kubernetes.io/$mcp: ""
+      ptpEventConfig:
+        enableEventPublisher: true
+        transportHost: "amqp://amq-router.amq-router.svc.cluster.local"
diff --git a/snippets/pg-ztp-configuring-ptp-fast-events-amqp.yaml b/snippets/pg-ztp-configuring-ptp-fast-events-amqp.yaml
new file mode 100644
index 000000000000..7e2bbd00c113
--- /dev/null
+++ b/snippets/pg-ztp-configuring-ptp-fast-events-amqp.yaml
@@ -0,0 +1,4 @@
+#AMQ Interconnect Operator for fast events
+- path: source-crs/AmqSubscriptionNS.yaml
+- path: source-crs/AmqSubscriptionOperGroup.yaml
+- path: source-crs/AmqSubscription.yaml
\ No newline at end of file
diff --git a/snippets/pg-ztp-configuring-ptp-fast-events-linuxptp.adoc b/snippets/pg-ztp-configuring-ptp-fast-events-linuxptp.adoc
new file mode 100644
index 000000000000..a93404d2fca3
--- /dev/null
+++ b/snippets/pg-ztp-configuring-ptp-fast-events-linuxptp.adoc
@@ -0,0 +1,135 @@
+:_mod-docs-content-type: SNIPPET
+[source,yaml]
+----
+- path: source-crs/PtpConfigSlave.yaml <1>
+  patches:
+  - metadata:
+      name: "du-ptp-slave"
+    spec:
+      recommend:
+      - match:
+        - nodeLabel: node-role.kubernetes.io/master
+        priority: 4
+        profile: slave
+      profile:
+      - name: "slave"
+        # This interface must match the hardware in this group
+        interface: "ens5f0" <2>
+        ptp4lOpts: "-2 -s --summary_interval -4" <3>
+        phc2sysOpts: "-a -r -n 24" <4>
+        ptpSchedulingPolicy: SCHED_FIFO
+        ptpSchedulingPriority: 10
+        ptpSettings:
+          logReduce: "true"
+        ptp4lConf: |
+          [global]
+          #
+          # Default Data Set
+          #
+          twoStepFlag 1
+          slaveOnly 1
+          priority1 128
+          priority2 128
+          domainNumber 24
+          #utc_offset 37
+          clockClass 255
+          clockAccuracy 0xFE
+          offsetScaledLogVariance 0xFFFF
+          free_running 0
+          freq_est_interval 1
+          dscp_event 0
+          dscp_general 0
+          dataset_comparison G.8275.x
+          G.8275.defaultDS.localPriority 128
+          #
+          # Port Data Set
+          #
+          logAnnounceInterval -3
+          logSyncInterval -4
+          logMinDelayReqInterval -4
+          logMinPdelayReqInterval -4
+          announceReceiptTimeout 3
+          syncReceiptTimeout 0
+          delayAsymmetry 0
+          fault_reset_interval -4
+          neighborPropDelayThresh 20000000
+          masterOnly 0
+          G.8275.portDS.localPriority 128
+          #
+          # Run time options
+          #
+          assume_two_step 0
+          logging_level 6
+          path_trace_enabled 0
+          follow_up_info 0
+          hybrid_e2e 0
+          inhibit_multicast_service 0
+          net_sync_monitor 0
+          tc_spanning_tree 0
+          tx_timestamp_timeout 50
+          unicast_listen 0
+          unicast_master_table 0
+          unicast_req_duration 3600
+          use_syslog 1
+          verbose 0
+          summary_interval 0
+          kernel_leap 1
+          check_fup_sync 0
+          clock_class_threshold 7
+          #
+          # Servo Options
+          #
+          pi_proportional_const 0.0
+          pi_integral_const 0.0
+          pi_proportional_scale 0.0
+          pi_proportional_exponent -0.3
+          pi_proportional_norm_max 0.7
+          pi_integral_scale 0.0
+          pi_integral_exponent 0.4
+          pi_integral_norm_max 0.3
+          step_threshold 2.0
+          first_step_threshold 0.00002
+          max_frequency 900000000
+          clock_servo pi
+          sanity_freq_limit 200000000
+          ntpshm_segment 0
+          #
+          # Transport options
+          #
+          transportSpecific 0x0
+          ptp_dst_mac 01:1B:19:00:00:00
+          p2p_dst_mac 01:80:C2:00:00:0E
+          udp_ttl 1
+          udp6_scope 0x0E
+          uds_address /var/run/ptp4l
+          #
+          # Default interface options
+          #
+          clock_type OC
+          network_transport L2
+          delay_mechanism E2E
+          time_stamping hardware
+          tsproc_mode filter
+          delay_filter moving_median
+          delay_filter_length 10
+          egressLatency 0
+          ingressLatency 0
+          boundary_clock_jbod 0
+          #
+          # Clock description
+          #
+          productDescription ;;
+          revisionData ;;
+          manufacturerIdentity 00:00:00
+          userDescription ;
+          timeSource 0xA0
+      ptpClockThreshold: <5>
+        holdOverTimeout: 30 # seconds
+        maxOffsetThreshold: 100  # nano seconds
+        minOffsetThreshold: -100
+----
+<1> Can be one of `PtpConfigMaster.yaml`, `PtpConfigSlave.yaml`, or `PtpConfigSlaveCvl.yaml` depending on your requirements. `PtpConfigSlaveCvl.yaml` configures `linuxptp` services for an Intel E810 Columbiaville NIC. For configurations based on `{policy-prefix}group-du-sno-ranGen.yaml` or `{policy-prefix}group-du-3node-ranGen.yaml`, use `PtpConfigSlave.yaml`.
+<2> Device specific interface name.
+<3> You must append the `--summary_interval -4` value to `ptp4lOpts` in `.spec.sourceFiles.spec.profile` to enable PTP fast events.
+<4> Required `phc2sysOpts` values. `-m` prints messages to `stdout`. The `linuxptp-daemon` `DaemonSet` parses the logs and generates Prometheus metrics.
+<5> Optional. If the `ptpClockThreshold` stanza is not present, default values are used for the `ptpClockThreshold` fields. The stanza shows default `ptpClockThreshold` values. The `ptpClockThreshold` values configure how long after the PTP master clock is disconnected before PTP events are triggered. `holdOverTimeout` is the time value in seconds before the PTP clock event state changes to `FREERUN` when the PTP master clock is disconnected. The `maxOffsetThreshold` and `minOffsetThreshold` settings configure offset values in nanoseconds that compare against the values for `CLOCK_REALTIME` (`phc2sys`) or master offset (`ptp4l`). When the `ptp4l` or `phc2sys` offset value is outside this range, the PTP clock state is set to `FREERUN`. When the offset value is within this range, the PTP clock state is set to `LOCKED`.
diff --git a/snippets/pg-ztp-configuring-ptp-fast-events.yaml b/snippets/pg-ztp-configuring-ptp-fast-events.yaml
new file mode 100644
index 000000000000..6bfe38d92e6d
--- /dev/null
+++ b/snippets/pg-ztp-configuring-ptp-fast-events.yaml
@@ -0,0 +1,13 @@
+- path: source-crs/PtpOperatorConfigForEvent.yaml
+  patches:
+  - metadata:
+      name: default
+      namespace: openshift-ptp
+      annotations:
+        ran.openshift.io/ztp-deploy-wave: "10"
+    spec:
+      daemonNodeSelector:
+        node-role.kubernetes.io/$mcp: ""
+      ptpEventConfig:
+        enableEventPublisher: true
+        transportHost: "http://ptp-event-publisher-service-NODE_NAME.openshift-ptp.svc.cluster.local:9043"
diff --git a/snippets/pg-ztp-creating-hwevents-amqp.yaml b/snippets/pg-ztp-creating-hwevents-amqp.yaml
new file mode 100644
index 000000000000..91fad4336b8b
--- /dev/null
+++ b/snippets/pg-ztp-creating-hwevents-amqp.yaml
@@ -0,0 +1,8 @@
+# AMQ Interconnect Operator for fast events
+- path: source-crs/AmqSubscriptionNS.yaml
+- path: source-crs/AmqSubscriptionOperGroup.yaml
+- path: source-crs/AmqSubscription.yaml
+# Bare Metal Event Relay Operator
+- path: source-crs/BareMetalEventRelaySubscriptionNS.yaml
+- path: source-crs/BareMetalEventRelaySubscriptionOperGroup.yaml
+- path: source-crs/BareMetalEventRelaySubscription.yaml
\ No newline at end of file
diff --git a/snippets/pg-ztp-example-single-node-cluster-validator.adoc b/snippets/pg-ztp-example-single-node-cluster-validator.adoc
new file mode 100644
index 000000000000..efd43e7f010f
--- /dev/null
+++ b/snippets/pg-ztp-example-single-node-cluster-validator.adoc
@@ -0,0 +1,41 @@
+.Example single-node cluster validator inform policy CR (acm-group-du-sno-validator-ranGen.yaml)
+[source,yaml]
+----
+apiVersion: policy.open-cluster-management.io/v1
+kind: PolicyGenerator
+metadata:
+    name: group-du-sno-validator-latest
+placementBindingDefaults:
+    name: group-du-sno-validator-latest-placement-binding
+policyDefaults:
+    namespace: ztp-group
+    placement:
+        labelSelector:
+            matchExpressions:
+                - key: du-profile
+                  operator: In
+                  values:
+                    - latest
+                - key: group-du-sno
+                  operator: Exists
+                - key: ztp-done
+                  operator: DoesNotExist
+    remediationAction: inform
+    severity: low
+    namespaceSelector:
+        exclude:
+            - kube-*
+        include:
+            - '*'
+    evaluationInterval:
+        compliant: 10m
+        noncompliant: 10s
+policies:
+    - name: group-du-sno-validator-latest-du-policy
+      policyAnnotations:
+        ran.openshift.io/ztp-deploy-wave: "10000"
+      evaluationInterval:
+        compliant: 5s
+      manifests:
+        - path: source-crs/validatorCRs/informDuValidator-MCP-master.yaml
+----
diff --git a/snippets/pg-ztp-provisioning-lvm-storage-cluster.adoc b/snippets/pg-ztp-provisioning-lvm-storage-cluster.adoc
new file mode 100644
index 000000000000..47c4bb1ea633
--- /dev/null
+++ b/snippets/pg-ztp-provisioning-lvm-storage-cluster.adoc
@@ -0,0 +1,16 @@
+:_mod-docs-content-type: SNIPPET
+[source,yaml]
+----
+- fileName: StorageLVMCluster.yaml
+  policyName: "lvms-config"
+    metadata:
+      name: "lvms-storage-cluster-config"
+        spec:
+          storage:
+            deviceClasses:
+            - name: vg1
+              thinPoolConfig:
+                name: thin-pool-1
+                sizePercent: 90
+                overprovisionRatio: 10
+----
diff --git a/snippets/pg-ztp-provisioning-lvm-storage-sub.yaml b/snippets/pg-ztp-provisioning-lvm-storage-sub.yaml
new file mode 100644
index 000000000000..359d1d2497c6
--- /dev/null
+++ b/snippets/pg-ztp-provisioning-lvm-storage-sub.yaml
@@ -0,0 +1,3 @@
+- path: source-crs/StorageLVMSubscriptionNS.yaml
+- path: source-crs/StorageLVMSubscriptionOperGroup.yaml
+- path: source-crs/StorageLVMSubscription.yaml
diff --git a/snippets/pg-ztp-provisioning-lvm-storage.adoc b/snippets/pg-ztp-provisioning-lvm-storage.adoc
new file mode 100644
index 000000000000..62c3d6f59057
--- /dev/null
+++ b/snippets/pg-ztp-provisioning-lvm-storage.adoc
@@ -0,0 +1,14 @@
+:_mod-docs-content-type: SNIPPET
+[source,yaml,subs="attributes+"]
+----
+- name: subscription-policies
+  policyAnnotations:
+    ran.openshift.io/ztp-deploy-wave: "2"
+  manifests:
+    - path: source-crs/StorageLVMOSubscriptionNS.yaml
+    - path: source-crs/StorageLVMOSubscriptionOperGroup.yaml
+    - path: source-crs/StorageLVMOSubscription.yaml
+      spec:
+        name: lvms-operator
+        channel: stable-{product-version}
+----
diff --git a/snippets/pg-ztp-specifying-nics-in-pgt-hub-cluster-templates.yaml b/snippets/pg-ztp-specifying-nics-in-pgt-hub-cluster-templates.yaml
new file mode 100644
index 000000000000..78055287b9e6
--- /dev/null
+++ b/snippets/pg-ztp-specifying-nics-in-pgt-hub-cluster-templates.yaml
@@ -0,0 +1,101 @@
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: PolicyGenerator
+metadata:
+    name: group-du-sno-pgt
+placementBindingDefaults:
+    name: group-du-sno-pgt-placement-binding
+policyDefaults:
+    placement:
+        labelSelector:
+            matchExpressions:
+                - key: group-du-sno-zone
+                  operator: In
+                  values:
+                    - zone-1
+                - key: hardware-type
+                  operator: In
+                  values:
+                    - hardware-type-1
+    remediationAction: inform
+    severity: low
+    namespaceSelector:
+        exclude:
+            - kube-*
+        include:
+            - '*'
+    evaluationInterval:
+        compliant: 10m
+        noncompliant: 10s
+policies:
+    - name: group-du-sno-pgt-group-du-sno-cfg-policy
+      policyAnnotations:
+        ran.openshift.io/ztp-deploy-wave: "10"
+      manifests:
+        - path: source-crs/ClusterLogForwarder.yaml
+          patches:
+            - spec:
+                outputs: '{{hub fromConfigMap "" "group-zones-configmap" (printf "%s-cluster-log-fwd-outputs" (index .ManagedClusterLabels "group-du-sno-zone")) | toLiteral hub}}'
+                pipelines: '{{hub fromConfigMap "" "group-zones-configmap" (printf "%s-cluster-log-fwd-pipelines" (index .ManagedClusterLabels "group-du-sno-zone")) | toLiteral hub}}'
+        - path: source-crs/PerformanceProfile-MCP-master.yaml
+          patches:
+            - metadata:
+                name: openshift-node-performance-profile
+              spec:
+                additionalKernelArgs:
+                    - rcupdate.rcu_normal_after_boot=0
+                    - vfio_pci.enable_sriov=1
+                    - vfio_pci.disable_idle_d3=1
+                    - efi=runtime
+                cpu:
+                    isolated: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-cpu-isolated" (index .ManagedClusterLabels "hardware-type")) hub}}'
+                    reserved: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-cpu-reserved" (index .ManagedClusterLabels "hardware-type")) hub}}'
+                hugepages:
+                    defaultHugepagesSize: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-default" (index .ManagedClusterLabels "hardware-type")) hub}}'
+                    pages:
+                        - count: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-count" (index .ManagedClusterLabels "hardware-type")) | toInt hub}}'
+                          size: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-size" (index .ManagedClusterLabels "hardware-type")) hub}}'
+                realTimeKernel:
+                    enabled: true
+    - name: group-du-sno-pgt-group-du-sno-sriov-policy
+      policyAnnotations:
+        ran.openshift.io/ztp-deploy-wave: "100"
+      manifests:
+        - path: source-crs/SriovNetwork.yaml
+          patches:
+            - metadata:
+                name: sriov-nw-du-fh
+              spec:
+                resourceName: du_fh
+                vlan: '{{hub fromConfigMap "" "site-data-configmap" (printf "%s-sriov-network-vlan-1" .ManagedClusterName) | toInt hub}}'
+        - path: source-crs/SriovNetworkNodePolicy-MCP-master.yaml
+          patches:
+            - metadata:
+                name: sriov-nnp-du-fh
+              spec:
+                deviceType: netdevice
+                isRdma: false
+                nicSelector:
+                    pfNames: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-sriov-node-policy-pfNames-1" (index .ManagedClusterLabels "hardware-type")) | toLiteral hub}}'
+                numVfs: 8
+                priority: 10
+                resourceName: du_fh
+        - path: source-crs/SriovNetwork.yaml
+          patches:
+            - metadata:
+                name: sriov-nw-du-mh
+              spec:
+                resourceName: du_mh
+                vlan: '{{hub fromConfigMap "" "site-data-configmap" (printf "%s-sriov-network-vlan-2" .ManagedClusterName) | toInt hub}}'
+        - path: source-crs/SriovNetworkNodePolicy-MCP-master.yaml
+          patches:
+            - metadata:
+                name: sriov-nw-du-fh
+              spec:
+                deviceType: netdevice
+                isRdma: false
+                nicSelector:
+                    pfNames: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-sriov-node-policy-pfNames-2" (index .ManagedClusterLabels "hardware-type")) | toLiteral hub}}'
+                numVfs: 8
+                priority: 10
+                resourceName: du_fh
diff --git a/snippets/pg-ztp-the-policygenerator.adoc b/snippets/pg-ztp-the-policygenerator.adoc
new file mode 100644
index 000000000000..120bcf3e0789
--- /dev/null
+++ b/snippets/pg-ztp-the-policygenerator.adoc
@@ -0,0 +1,76 @@
+:_mod-docs-content-type: SNIPPET
+[source,yaml]
+----
+apiVersion: policy.open-cluster-management.io/v1
+kind: PolicyGenerator
+metadata:
+    name: common-latest
+placementBindingDefaults:
+    name: common-latest-placement-binding <1>
+policyDefaults:
+    namespace: ztp-common
+    placement:
+        labelSelector:
+            matchExpressions:
+                - key: common
+                  operator: In
+                  values:
+                    - "true"
+                - key: du-profile
+                  operator: In
+                  values:
+                    - latest
+    remediationAction: inform
+    severity: low
+    namespaceSelector:
+        exclude:
+            - kube-*
+        include:
+            - '*'
+    evaluationInterval:
+        compliant: 10m
+        noncompliant: 10s
+policies:
+    - name: common-latest-config-policy
+      policyAnnotations:
+        ran.openshift.io/ztp-deploy-wave: "1"
+      manifests:
+        - path: source-crs/ReduceMonitoringFootprint.yaml
+        - path: source-crs/DefaultCatsrc.yaml <2>
+          patches:
+            - metadata:
+                name: redhat-operators-disconnected
+              spec:
+                displayName: disconnected-redhat-operators
+                image: registry.example.com:5000/disconnected-redhat-operators/disconnected-redhat-operator-index:v4.9
+        - path: source-crs/DisconnectedICSP.yaml
+          patches:
+            - spec:
+                repositoryDigestMirrors:
+                    - mirrors:
+                        - registry.example.com:5000
+                      source: registry.redhat.io
+    - name: common-latest-subscriptions-policy
+      policyAnnotations:
+        ran.openshift.io/ztp-deploy-wave: "2"
+      manifests: <3>
+        - path: source-crs/SriovSubscriptionNS.yaml
+        - path: source-crs/SriovSubscriptionOperGroup.yaml
+        - path: source-crs/SriovSubscription.yaml
+        - path: source-crs/SriovOperatorStatus.yaml
+        - path: source-crs/PtpSubscriptionNS.yaml
+        - path: source-crs/PtpSubscriptionOperGroup.yaml
+        - path: source-crs/PtpSubscription.yaml
+        - path: source-crs/PtpOperatorStatus.yaml
+        - path: source-crs/ClusterLogNS.yaml
+        - path: source-crs/ClusterLogOperGroup.yaml
+        - path: source-crs/ClusterLogSubscription.yaml
+        - path: source-crs/ClusterLogOperatorStatus.yaml
+        - path: source-crs/StorageNS.yaml
+        - path: source-crs/StorageOperGroup.yaml
+        - path: source-crs/StorageSubscription.yaml
+        - path: source-crs/StorageOperatorStatus.yaml
+----
+<1> Applies the policies to all clusters with this label.
+<2> The `DefaultCatsrc.yaml` file contains the catalog source for the disconnected registry and related registry configuration details.
+<3> Files listed under `policies.manifests` create the Operator policies for installed clusters.
diff --git a/snippets/pg-ztp-using-pg-to-configure-high-performance-mode.yaml b/snippets/pg-ztp-using-pg-to-configure-high-performance-mode.yaml
new file mode 100644
index 000000000000..25c48381f62a
--- /dev/null
+++ b/snippets/pg-ztp-using-pg-to-configure-high-performance-mode.yaml
@@ -0,0 +1,7 @@
+- path: source-crs/PerformanceProfile.yaml
+  patches:
+    - spec:
+        workloadHints:
+             realTime: true
+             highPowerConsumption: true
+             perPodPowerManagement: false
\ No newline at end of file
diff --git a/snippets/pg-ztp-using-pg-to-configure-performance-mode.yaml b/snippets/pg-ztp-using-pg-to-configure-performance-mode.yaml
new file mode 100644
index 000000000000..e50ebfac520a
--- /dev/null
+++ b/snippets/pg-ztp-using-pg-to-configure-performance-mode.yaml
@@ -0,0 +1,7 @@
+- path: source-crs/PerformanceProfile.yaml
+  patches:
+    - spec:
+        workloadHints:
+             realTime: true
+             highPowerConsumption: false
+             perPodPowerManagement: false
\ No newline at end of file
diff --git a/snippets/pg-ztp-using-pg-to-configure-power-saving-mode.adoc b/snippets/pg-ztp-using-pg-to-configure-power-saving-mode.adoc
new file mode 100644
index 000000000000..73f527fec1ce
--- /dev/null
+++ b/snippets/pg-ztp-using-pg-to-configure-power-saving-mode.adoc
@@ -0,0 +1,17 @@
+:_mod-docs-content-type: SNIPPET
+[source,yaml]
+----
+- path: source-crs/PerformanceProfile.yaml
+  patches:
+    - spec:
+        # ...
+        workloadHints:
+          realTime: true
+          highPowerConsumption: false
+          perPodPowerManagement: true
+        # ...
+        additionalKernelArgs:
+          - # ...
+          - "cpufreq.default_governor=schedutil" <1>
+----
+<1> The `schedutil` governor is recommended, however, you can also use other governors, including `ondemand` and `powersave`.
diff --git a/snippets/pg-ztp-using-pg-to-maximize-power-saving-mode.adoc b/snippets/pg-ztp-using-pg-to-maximize-power-saving-mode.adoc
new file mode 100644
index 000000000000..c65ef14c9205
--- /dev/null
+++ b/snippets/pg-ztp-using-pg-to-maximize-power-saving-mode.adoc
@@ -0,0 +1,14 @@
+:_mod-docs-content-type: SNIPPET
+[source,yaml]
+----
+- path: source-crs/TunedPerformancePatch.yaml
+  patches:
+    - spec:
+      profile:
+        - name: performance-patch
+          data: |
+            # ...
+            [sysfs]
+            /sys/devices/system/cpu/intel_pstate/max_perf_pct=<x> <1>
+----
+<1> The `max_perf_pct` controls the maximum frequency the `cpufreq` driver is allowed to set as a percentage of the maximum supported CPU frequency. This value applies to all CPUs. You can check the maximum supported frequency in `/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq`. As a starting point, you can use a percentage that caps all CPUs at the `All Cores Turbo` frequency. The `All Cores Turbo` frequency is the frequency that all cores run at when the cores are all fully occupied.
diff --git a/snippets/pg-ztp-worker-node-preparing-policies.adoc b/snippets/pg-ztp-worker-node-preparing-policies.adoc
new file mode 100644
index 000000000000..299da20a7c19
--- /dev/null
+++ b/snippets/pg-ztp-worker-node-preparing-policies.adoc
@@ -0,0 +1,100 @@
+:_mod-docs-content-type: SNIPPET
+[source,yaml]
+----
+apiVersion: policy.open-cluster-management.io/v1
+kind: PolicyGenerator
+metadata:
+    name: example-sno-workers
+placementBindingDefaults:
+    name: example-sno-workers-placement-binding
+policyDefaults:
+    namespace: example-sno
+    placement:
+        labelSelector:
+            matchExpressions:
+                - key: sites
+                  operator: In
+                  values:
+                    - example-sno <1>
+    remediationAction: inform
+    severity: low
+    namespaceSelector:
+        exclude:
+            - kube-*
+        include:
+            - '*'
+    evaluationInterval:
+        compliant: 10m
+        noncompliant: 10s
+policies:
+    - name: example-sno-workers-config-policy
+      policyAnnotations:
+        ran.openshift.io/ztp-deploy-wave: "10"
+      manifests:
+        - path: source-crs/MachineConfigGeneric.yaml <2>
+          patches:
+            - metadata:
+                labels:
+                    machineconfiguration.openshift.io/role: worker <3>
+                name: enable-workload-partitioning
+              spec:
+                config:
+                    storage:
+                        files:
+                            - contents:
+                                source: data:text/plain;charset=utf-8;base64,W2NyaW8ucnVudGltZS53b3JrbG9hZHMubWFuYWdlbWVudF0KYWN0aXZhdGlvbl9hbm5vdGF0aW9uID0gInRhcmdldC53b3JrbG9hZC5vcGVuc2hpZnQuaW8vbWFuYWdlbWVudCIKYW5ub3RhdGlvbl9wcmVmaXggPSAicmVzb3VyY2VzLndvcmtsb2FkLm9wZW5zaGlmdC5pbyIKcmVzb3VyY2VzID0geyAiY3B1c2hhcmVzIiA9IDAsICJjcHVzZXQiID0gIjAtMyIgfQo=
+                              mode: 420
+                              overwrite: true
+                              path: /etc/crio/crio.conf.d/01-workload-partitioning
+                              user:
+                                name: root
+                            - contents:
+                                source: data:text/plain;charset=utf-8;base64,ewogICJtYW5hZ2VtZW50IjogewogICAgImNwdXNldCI6ICIwLTMiCiAgfQp9Cg==
+                              mode: 420
+                              overwrite: true
+                              path: /etc/kubernetes/openshift-workload-pinning
+                              user:
+                                name: root
+        - path: source-crs/PerformanceProfile-MCP-worker.yaml
+          patches:
+            - metadata:
+                name: openshift-worker-node-performance-profile
+              spec:
+                cpu: <4>
+                    isolated: 4-47
+                    reserved: 0-3
+                hugepages:
+                    defaultHugepagesSize: 1G
+                    pages:
+                        - count: 32
+                          size: 1G
+                realTimeKernel:
+                    enabled: true
+        - path: source-crs/TunedPerformancePatch-MCP-worker.yaml
+          patches:
+            - metadata:
+                name: performance-patch-worker
+              spec:
+                profile:
+                    - data: |
+                      [main]
+                      summary=Configuration changes profile inherited from performance created tuned
+                      include=openshift-node-performance-openshift-worker-node-performance-profile
+                      [bootloader]
+                      cmdline_crash=nohz_full=4-47 <5>
+                      [sysctl]
+                      kernel.timer_migration=1
+                      [scheduler]
+                      group.ice-ptp=0:f:10:*:ice-ptp.*
+                      [service]
+                      service.stalld=start,enable
+                      service.chronyd=stop,disable
+                      name: performance-patch-worker
+                recommend:
+                    - profile: performance-patch-worker
+----
+<1> The policies are applied to all clusters with this label.
+<2> This generic `MachineConfig` CR is used to configure workload partitioning on the worker node.
+<3> The `MCP` field must be set to `worker`.
+<4> The `cpu.isolated` and `cpu.reserved` fields must be configured for each particular hardware platform.
+<5> The `cmdline_crash` CPU set must match the `cpu.isolated` set in the `PerformanceProfile` section.
diff --git a/snippets/pgt-cnf-topology-aware-lifecycle-manager-operator-troubleshooting.adoc b/snippets/pgt-cnf-topology-aware-lifecycle-manager-operator-troubleshooting.adoc
new file mode 100644
index 000000000000..242f4a78f682
--- /dev/null
+++ b/snippets/pgt-cnf-topology-aware-lifecycle-manager-operator-troubleshooting.adoc
@@ -0,0 +1,35 @@
+:_mod-docs-content-type: SNIPPET
+[source,yaml]
+----
+- fileName: DefaultCatsrc.yaml
+      remediationAction: inform
+      policyName: "operator-catsrc-policy"
+      metadata:
+        name: redhat-operators
+      spec:
+        displayName: Red Hat Operators Catalog
+        image: registry.example.com:5000/olm/redhat-operators:v{product-version}
+        updateStrategy:
+          registryPoll:
+            interval: 1h
+      status:
+        connectionState:
+            lastObservedState: READY
+- fileName: DefaultCatsrc.yaml
+      remediationAction: inform
+      policyName: "operator-catsrc-policy"
+      metadata:
+        name: redhat-operators-v2 <1>
+      spec:
+        displayName: Red Hat Operators Catalog v2 <2>
+        image: registry.example.com:5000/olredhat-operators:<version> <3>
+        updateStrategy:
+          registryPoll:
+            interval: 1h
+      status:
+        connectionState:
+            lastObservedState: READY
+----
+<1> Update the name for the new configuration.
+<2> Update the display name for the new configuration.
+<3> Update the index image URL. This `fileName.spec.image` field overrides any configuration in the `DefaultCatsrc.yaml` file.
diff --git a/snippets/pgt-cnf-topology-aware-lifecycle-manager-operator-update.adoc b/snippets/pgt-cnf-topology-aware-lifecycle-manager-operator-update.adoc
new file mode 100644
index 000000000000..0ed0e2784190
--- /dev/null
+++ b/snippets/pgt-cnf-topology-aware-lifecycle-manager-operator-update.adoc
@@ -0,0 +1,32 @@
+:_mod-docs-content-type: SNIPPET
+[source,yaml,subs="attributes+"]
+----
+apiVersion: ran.openshift.io/v1
+kind: PolicyGenTemplate
+metadata:
+  name: "du-upgrade"
+  namespace: "ztp-group-du-sno"
+spec:
+  bindingRules:
+    group-du-sno: ""
+  mcp: "master"
+  remediationAction: inform
+  sourceFiles:
+    - fileName: DefaultCatsrc.yaml
+      remediationAction: inform
+      policyName: "operator-catsrc-policy"
+      metadata:
+        name: redhat-operators
+      spec:
+        displayName: Red Hat Operators Catalog
+        image: registry.example.com:5000/olm/redhat-operators:v{product-version} <1>
+        updateStrategy: <2>
+          registryPoll:
+            interval: 1h
+      status:
+        connectionState:
+            lastObservedState: READY <3>
+----
+<1> The index image URL contains the desired Operator images. If the index images are always pushed to the same image name and tag, this change is not needed.
+<2> Set how frequently the Operator Lifecycle Manager (OLM) polls the index image for new Operator versions with the `registryPoll.interval` field. This change is not needed if a new index image tag is always pushed for y-stream and z-stream Operator updates. The `registryPoll.interval` field can be set to a shorter interval to expedite the update, however shorter intervals increase computational load. To counteract this behavior, you can restore `registryPoll.interval` to the default value once the update is complete.
+<3> Last observed state of the catalog connection. The `READY` value ensures that the `CatalogSource` policy is ready, indicating that the index pod is pulled and is running. This way, {cgu-operator} upgrades the Operators based on up-to-date policy compliance states.
diff --git a/snippets/pgt-cnf-topology-aware-lifecycle-manager-pao-update.yaml b/snippets/pgt-cnf-topology-aware-lifecycle-manager-pao-update.yaml
new file mode 100644
index 000000000000..37a4bf4fbdc3
--- /dev/null
+++ b/snippets/pgt-cnf-topology-aware-lifecycle-manager-pao-update.yaml
@@ -0,0 +1,9 @@
+- fileName: PaoSubscriptionNS.yaml
+  policyName: "subscriptions-policy"
+  complianceType: mustnothave
+- fileName: PaoSubscriptionOperGroup.yaml
+  policyName: "subscriptions-policy"
+  complianceType: mustnothave
+- fileName: PaoSubscription.yaml
+  policyName: "subscriptions-policy"
+  complianceType: mustnothave
\ No newline at end of file
diff --git a/snippets/pgt-cnf-topology-aware-lifecycle-manager-platform-update.adoc b/snippets/pgt-cnf-topology-aware-lifecycle-manager-platform-update.adoc
new file mode 100644
index 000000000000..d4e6efcb36a6
--- /dev/null
+++ b/snippets/pgt-cnf-topology-aware-lifecycle-manager-platform-update.adoc
@@ -0,0 +1,48 @@
+:_mod-docs-content-type: SNIPPET
+[source,yaml,subs="attributes+"]
+----
+apiVersion: ran.openshift.io/v1
+kind: PolicyGenTemplate
+metadata:
+  name: "du-upgrade"
+  namespace: "ztp-group-du-sno"
+spec:
+  bindingRules:
+    group-du-sno: ""
+  mcp: "master"
+  remediationAction: inform
+  sourceFiles:
+    - fileName: ImageSignature.yaml <1>
+      policyName: "platform-upgrade-prep"
+      binaryData:
+        ${DIGEST_ALGO}-${DIGEST_ENCODED}: ${SIGNATURE_BASE64} <2>
+    - fileName: DisconnectedICSP.yaml
+      policyName: "platform-upgrade-prep"
+      metadata:
+        name: disconnected-internal-icsp-for-ocp
+      spec:
+        repositoryDigestMirrors: <3>
+          - mirrors:
+            - quay-intern.example.com/ocp4/openshift-release-dev
+            source: quay.io/openshift-release-dev/ocp-release
+          - mirrors:
+            - quay-intern.example.com/ocp4/openshift-release-dev
+            source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
+    - fileName: ClusterVersion.yaml <4>
+      policyName: "platform-upgrade"
+      metadata:
+        name: version
+      spec:
+        channel: "stable-{product-version}"
+        upstream: http://upgrade.example.com/images/upgrade-graph_stable-{product-version}
+        desiredUpdate:
+          version: {product-version}.4
+      status:
+        history:
+          - version: {product-version}.4
+            state: "Completed"
+----
+<1> The `ConfigMap` CR contains the signature of the desired release image to update to.
+<2> Shows the image signature of the desired {product-title} release. Get the signature from the `checksum-${OCP_RELEASE_NUMBER}.yaml` file you saved when following the procedures in the "Setting up the environment" section.
+<3> Shows the mirror repository that contains the desired {product-title} image. Get the mirrors from the `imageContentSources.yaml` file that you saved when following the procedures in the "Setting up the environment" section.
+<4> Shows the `ClusterVersion` CR to trigger the update. The `channel`, `upstream`, and `desiredVersion` fields are all required for image pre-caching.
diff --git a/snippets/pgt-deprecation-notice.adoc b/snippets/pgt-deprecation-notice.adoc
new file mode 100644
index 000000000000..3a77abf30603
--- /dev/null
+++ b/snippets/pgt-deprecation-notice.adoc
@@ -0,0 +1,8 @@
+:_mod-docs-content-type: SNIPPET
+[IMPORTANT]
+====
+Using `PolicyGenTemplate` CRs to manage and deploy polices to managed clusters will be deprecated in an upcoming {product-title} release.
+Equivalent and improved functionality is available using {rh-rhacm-first} and `PolicyGenerator` CRs.
+
+For more information about `PolicyGenerator` resources, see the {rh-rhacm} link:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/{rh-rhacm-version}/html/governance/integrate-third-party-policy-controllers#policy-generator[Policy Generator] documentation.
+====
diff --git a/snippets/pgt-group-du-sno-config-policy.yaml b/snippets/pgt-group-du-sno-config-policy.yaml
new file mode 100644
index 000000000000..82471c83ec2e
--- /dev/null
+++ b/snippets/pgt-group-du-sno-config-policy.yaml
@@ -0,0 +1,54 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+  name: group-du-ptp-config-policy
+  namespace: groups-sub
+  annotations:
+    policy.open-cluster-management.io/categories: CM Configuration Management
+    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
+    policy.open-cluster-management.io/standards: NIST SP 800-53
+spec:
+    remediationAction: inform
+    disabled: false
+    policy-templates:
+        - objectDefinition:
+            apiVersion: policy.open-cluster-management.io/v1
+            kind: ConfigurationPolicy
+            metadata:
+                name: group-du-ptp-config-policy-config
+            spec:
+                remediationAction: inform
+                severity: low
+                namespaceselector:
+                    exclude:
+                        - kube-*
+                    include:
+                        - '*'
+                object-templates:
+                    - complianceType: musthave
+                      objectDefinition:
+                        apiVersion: ptp.openshift.io/v1
+                        kind: PtpConfig
+                        metadata:
+                            name: du-ptp-slave
+                            namespace: openshift-ptp
+                        spec:
+                            recommend:
+                                - match:
+                                - nodeLabel: node-role.kubernetes.io/worker-du
+                                  priority: 4
+                                  profile: slave
+                            profile:
+                                - interface: ens5f0
+                                  name: slave
+                                  phc2sysOpts: -a -r -n 24
+                                  ptp4lConf: |
+                                    [global]
+                                    #
+                                    # Default Data Set
+                                    #
+                                    twoStepFlag 1
+                                    slaveOnly 0
+                                    priority1 128
+                                    priority2 128
+                                    domainNumber 24
\ No newline at end of file
diff --git a/snippets/pgt-sriov-fec-cnf-topology-aware-lifecycle-manager-operator-update.adoc b/snippets/pgt-sriov-fec-cnf-topology-aware-lifecycle-manager-operator-update.adoc
new file mode 100644
index 000000000000..625521681c10
--- /dev/null
+++ b/snippets/pgt-sriov-fec-cnf-topology-aware-lifecycle-manager-operator-update.adoc
@@ -0,0 +1,32 @@
+:_mod-docs-content-type: SNIPPET
+[source,yaml]
+----
+apiVersion: ran.openshift.io/v1
+kind: PolicyGenTemplate
+metadata:
+  name: "du-upgrade"
+  namespace: "ztp-group-du-sno"
+spec:
+  bindingRules:
+    group-du-sno: ""
+  mcp: "master"
+  remediationAction: inform
+  sourceFiles:
+      # ...
+    - fileName: DefaultCatsrc.yaml
+      remediationAction: inform
+      policyName: "fec-catsrc-policy"
+      metadata:
+        name: certified-operators
+      spec:
+        displayName: Intel SRIOV-FEC Operator
+        image: registry.example.com:5000/olm/far-edge-sriov-fec:v4.10
+        updateStrategy:
+          registryPoll:
+            interval: 10m
+    - fileName: AcceleratorsSubscription.yaml
+      policyName: "subscriptions-fec-policy"
+      spec:
+        channel: "stable"
+        source: certified-operators
+----
diff --git a/snippets/pgt-using-ztp-to-update-source-crs.yaml b/snippets/pgt-using-ztp-to-update-source-crs.yaml
new file mode 100644
index 000000000000..089d0a4bbd9a
--- /dev/null
+++ b/snippets/pgt-using-ztp-to-update-source-crs.yaml
@@ -0,0 +1,15 @@
+- fileName: PerformanceProfile.yaml
+  policyName: "config-policy"
+  metadata:
+    name: openshift-node-performance-profile
+  spec:
+    cpu:
+      # These must be tailored for the specific hardware platform
+      isolated: "2-19,22-39"
+      reserved: "0-1,20-21"
+    hugepages:
+      defaultHugepagesSize: 1G
+      pages:
+        - size: 1G
+          count: 10
+    globallyDisableIrqLoadBalancing: false
diff --git a/snippets/pgt-ztp-adding-new-content-to-gitops-ztp-folder-structure.adoc b/snippets/pgt-ztp-adding-new-content-to-gitops-ztp-folder-structure.adoc
new file mode 100644
index 000000000000..755defb2ceb4
--- /dev/null
+++ b/snippets/pgt-ztp-adding-new-content-to-gitops-ztp-folder-structure.adoc
@@ -0,0 +1,20 @@
+:_mod-docs-content-type: SNIPPET
+[source,terminal]
+----
+example
+└── policygentemplates
+    ├── dev.yaml
+    ├── kustomization.yaml
+    ├── mec-edge-sno1.yaml
+    ├── sno.yaml
+    └── source-crs <1>
+        ├── PaoCatalogSource.yaml
+        ├── PaoSubscription.yaml
+        ├── custom-crs
+        |   ├── apiserver-config.yaml
+        |   └── disable-nic-lldp.yaml
+        └── elasticsearch
+            ├── ElasticsearchNS.yaml
+            └── ElasticsearchOperatorGroup.yaml
+----
+<1> The `source-crs` subdirectory must be in the same directory as the `kustomization.yaml` file.
diff --git a/snippets/pgt-ztp-adding-new-content-to-gitops-ztp.adoc b/snippets/pgt-ztp-adding-new-content-to-gitops-ztp.adoc
new file mode 100644
index 000000000000..1e00cfe1f846
--- /dev/null
+++ b/snippets/pgt-ztp-adding-new-content-to-gitops-ztp.adoc
@@ -0,0 +1,63 @@
+:_mod-docs-content-type: SNIPPET
+[source,yaml]
+----
+apiVersion: ran.openshift.io/v1
+kind: PolicyGenTemplate
+metadata:
+  name: "group-dev"
+  namespace: "ztp-clusters"
+spec:
+  bindingRules:
+    dev: "true"
+  mcp: "master"
+  sourceFiles:
+    # These policies/CRs come from the internal container Image
+    #Cluster Logging
+    - fileName: ClusterLogNS.yaml
+      remediationAction: inform
+      policyName: "group-dev-cluster-log-ns"
+    - fileName: ClusterLogOperGroup.yaml
+      remediationAction: inform
+      policyName: "group-dev-cluster-log-operator-group"
+    - fileName: ClusterLogSubscription.yaml
+      remediationAction: inform
+      policyName: "group-dev-cluster-log-sub"
+    #Local Storage Operator
+    - fileName: StorageNS.yaml
+      remediationAction: inform
+      policyName: "group-dev-lso-ns"
+    - fileName: StorageOperGroup.yaml
+      remediationAction: inform
+      policyName: "group-dev-lso-operator-group"
+    - fileName: StorageSubscription.yaml
+      remediationAction: inform
+      policyName: "group-dev-lso-sub"
+    #These are custom local polices that come from the source-crs directory in the git repo
+    # Performance Addon Operator
+    - fileName: PaoSubscriptionNS.yaml
+      remediationAction: inform
+      policyName: "group-dev-pao-ns"
+    - fileName: PaoSubscriptionCatalogSource.yaml
+      remediationAction: inform
+      policyName: "group-dev-pao-cat-source"
+      spec:
+        image: <container_image_url>
+    - fileName: PaoSubscription.yaml
+      remediationAction: inform
+      policyName: "group-dev-pao-sub"
+    #Elasticsearch Operator
+    - fileName: elasticsearch/ElasticsearchNS.yaml <1>
+      remediationAction: inform
+      policyName: "group-dev-elasticsearch-ns"
+    - fileName: elasticsearch/ElasticsearchOperatorGroup.yaml
+      remediationAction: inform
+      policyName: "group-dev-elasticsearch-operator-group"
+    #Custom Resources
+    - fileName: custom-crs/apiserver-config.yaml <1>
+      remediationAction: inform
+      policyName: "group-dev-apiserver-config"
+    - fileName: custom-crs/disable-nic-lldp.yaml
+      remediationAction: inform
+      policyName: "group-dev-disable-nic-lldp"
+----
+<1> Set `fileName` to include the relative path to the file from the `/source-crs` parent directory.
diff --git a/snippets/pgt-ztp-configuring-hwevents-using-pgt-hardware-event.adoc b/snippets/pgt-ztp-configuring-hwevents-using-pgt-hardware-event.adoc
new file mode 100644
index 000000000000..2a6905f418a9
--- /dev/null
+++ b/snippets/pgt-ztp-configuring-hwevents-using-pgt-hardware-event.adoc
@@ -0,0 +1,11 @@
+:_mod-docs-content-type: SNIPPET
+[source,yaml]
+----
+- fileName: HardwareEvent.yaml <1>
+  policyName: "config-policy"
+  spec:
+    nodeSelector: {}
+    transportHost: "http://hw-event-publisher-service.openshift-bare-metal-events.svc.cluster.local:9043"
+    logLevel: "info"
+----
+<1> Each baseboard management controller (BMC) requires a single `HardwareEvent` CR only.
diff --git a/snippets/pgt-ztp-configuring-hwevents-using-pgt.yaml b/snippets/pgt-ztp-configuring-hwevents-using-pgt.yaml
new file mode 100644
index 000000000000..dc3f558cdfc7
--- /dev/null
+++ b/snippets/pgt-ztp-configuring-hwevents-using-pgt.yaml
@@ -0,0 +1,7 @@
+# Bare Metal Event Relay Operator
+- fileName: BareMetalEventRelaySubscriptionNS.yaml
+  policyName: "subscriptions-policy"
+- fileName: BareMetalEventRelaySubscriptionOperGroup.yaml
+  policyName: "subscriptions-policy"
+- fileName: BareMetalEventRelaySubscription.yaml
+  policyName: "subscriptions-policy"
\ No newline at end of file
diff --git a/snippets/pgt-ztp-configuring-ptp-fast-events-amqp-transport.yaml b/snippets/pgt-ztp-configuring-ptp-fast-events-amqp-transport.yaml
new file mode 100644
index 000000000000..c7d52280e160
--- /dev/null
+++ b/snippets/pgt-ztp-configuring-ptp-fast-events-amqp-transport.yaml
@@ -0,0 +1,7 @@
+- fileName: PtpOperatorConfigForEvent.yaml
+  policyName: "config-policy"
+  spec:
+    daemonNodeSelector: {}
+    ptpEventConfig:
+      enableEventPublisher: true
+      transportHost: "amqp://amq-router.amq-router.svc.cluster.local"
\ No newline at end of file
diff --git a/snippets/pgt-ztp-configuring-ptp-fast-events-amqp.yaml b/snippets/pgt-ztp-configuring-ptp-fast-events-amqp.yaml
new file mode 100644
index 000000000000..35751e41386e
--- /dev/null
+++ b/snippets/pgt-ztp-configuring-ptp-fast-events-amqp.yaml
@@ -0,0 +1,7 @@
+#AMQ interconnect operator for fast events
+- fileName: AmqSubscriptionNS.yaml
+  policyName: "subscriptions-policy"
+- fileName: AmqSubscriptionOperGroup.yaml
+  policyName: "subscriptions-policy"
+- fileName: AmqSubscription.yaml
+  policyName: "subscriptions-policy"
\ No newline at end of file
diff --git a/snippets/pgt-ztp-configuring-ptp-fast-events-linuxptp.adoc b/snippets/pgt-ztp-configuring-ptp-fast-events-linuxptp.adoc
new file mode 100644
index 000000000000..a9a8637ca4b8
--- /dev/null
+++ b/snippets/pgt-ztp-configuring-ptp-fast-events-linuxptp.adoc
@@ -0,0 +1,23 @@
+:_mod-docs-content-type: SNIPPET
+[source,yaml]
+----
+- fileName: PtpConfigSlave.yaml <1>
+  policyName: "config-policy"
+  metadata:
+    name: "du-ptp-slave"
+  spec:
+    profile:
+    - name: "slave"
+      interface: "ens5f1" <2>
+      ptp4lOpts: "-2 -s --summary_interval -4" <3>
+      phc2sysOpts: "-a -r -m -n 24 -N 8 -R 16" <4>
+    ptpClockThreshold: <5>
+      holdOverTimeout: 30 # seconds
+      maxOffsetThreshold: 100  # nano seconds
+      minOffsetThreshold: -100
+----
+<1> Can be one of `PtpConfigMaster.yaml`, `PtpConfigSlave.yaml`, or `PtpConfigSlaveCvl.yaml` depending on your requirements. `PtpConfigSlaveCvl.yaml` configures `linuxptp` services for an Intel E810 Columbiaville NIC. For configurations based on `{policy-prefix}group-du-sno-ranGen.yaml` or `{policy-prefix}group-du-3node-ranGen.yaml`, use `PtpConfigSlave.yaml`.
+<2> Device specific interface name.
+<3> You must append the `--summary_interval -4` value to `ptp4lOpts` in `.spec.sourceFiles.spec.profile` to enable PTP fast events.
+<4> Required `phc2sysOpts` values. `-m` prints messages to `stdout`. The `linuxptp-daemon` `DaemonSet` parses the logs and generates Prometheus metrics.
+<5> Optional. If the `ptpClockThreshold` stanza is not present, default values are used for the `ptpClockThreshold` fields. The stanza shows default `ptpClockThreshold` values. The `ptpClockThreshold` values configure how long after the PTP master clock is disconnected before PTP events are triggered. `holdOverTimeout` is the time value in seconds before the PTP clock event state changes to `FREERUN` when the PTP master clock is disconnected. The `maxOffsetThreshold` and `minOffsetThreshold` settings configure offset values in nanoseconds that compare against the values for `CLOCK_REALTIME` (`phc2sys`) or master offset (`ptp4l`). When the `ptp4l` or `phc2sys` offset value is outside this range, the PTP clock state is set to `FREERUN`. When the offset value is within this range, the PTP clock state is set to `LOCKED`.
diff --git a/snippets/pgt-ztp-configuring-ptp-fast-events.yaml b/snippets/pgt-ztp-configuring-ptp-fast-events.yaml
new file mode 100644
index 000000000000..4c928dd50c07
--- /dev/null
+++ b/snippets/pgt-ztp-configuring-ptp-fast-events.yaml
@@ -0,0 +1,7 @@
+- fileName: PtpOperatorConfigForEvent.yaml
+  policyName: "config-policy"
+  spec:
+    daemonNodeSelector: {}
+    ptpEventConfig:
+      enableEventPublisher: true
+      transportHost: http://ptp-event-publisher-service-NODE_NAME.openshift-ptp.svc.cluster.local:9043
diff --git a/snippets/pgt-ztp-creating-hwevents-amqp.yaml b/snippets/pgt-ztp-creating-hwevents-amqp.yaml
new file mode 100644
index 000000000000..697ba36225c7
--- /dev/null
+++ b/snippets/pgt-ztp-creating-hwevents-amqp.yaml
@@ -0,0 +1,14 @@
+# AMQ Interconnect Operator for fast events
+- fileName: AmqSubscriptionNS.yaml
+  policyName: "subscriptions-policy"
+- fileName: AmqSubscriptionOperGroup.yaml
+  policyName: "subscriptions-policy"
+- fileName: AmqSubscription.yaml
+  policyName: "subscriptions-policy"
+# Bare Metal Event Relay Operator
+- fileName: BareMetalEventRelaySubscriptionNS.yaml
+  policyName: "subscriptions-policy"
+- fileName: BareMetalEventRelaySubscriptionOperGroup.yaml
+  policyName: "subscriptions-policy"
+- fileName: BareMetalEventRelaySubscription.yaml
+  policyName: "subscriptions-policy"
\ No newline at end of file
diff --git a/snippets/pgt-ztp-example-single-node-cluster-validator.adoc b/snippets/pgt-ztp-example-single-node-cluster-validator.adoc
new file mode 100644
index 000000000000..9d62ef4a9bb8
--- /dev/null
+++ b/snippets/pgt-ztp-example-single-node-cluster-validator.adoc
@@ -0,0 +1,27 @@
+.Example single-node cluster validator inform policy CR (group-du-sno-validator-ranGen.yaml)
+[source,yaml]
+----
+apiVersion: ran.openshift.io/v1
+kind: PolicyGenTemplate
+metadata:
+  name: "group-du-sno-validator" <1>
+  namespace: "ztp-group" <2>
+spec:
+  bindingRules:
+    group-du-sno: "" <3>
+  bindingExcludedRules:
+    ztp-done: "" <4>
+  mcp: "master" <5>
+  sourceFiles:
+    - fileName: validatorCRs/informDuValidator.yaml
+      remediationAction: inform <6>
+      policyName: "du-policy" <7>
+----
+<1> The name of the `{policy-gen-crs}` object. This name is also used as part of the names
+for the `placementBinding`, `placementRule`, and `policy` that are created in the requested `namespace`.
+<2> This value should match the `namespace` used in the group `policy-gen-crs`.
+<3> The `group-du-*` label defined in `bindingRules` must exist in the `SiteConfig` files.
+<4> The label defined in `bindingExcludedRules` must be`ztp-done:`. The `ztp-done` label is used in coordination with the {cgu-operator-full}.
+<5> `mcp` defines the `MachineConfigPool` object that is used in the source file `validatorCRs/informDuValidator.yaml`. It should be `master` for single node and three-node cluster deployments and `worker` for standard cluster deployments.
+<6> Optional. The default value is `inform`.
+<7> This value is used as part of the name for the generated {rh-rhacm} policy. The generated validator policy for the single node example is `group-du-sno-validator-du-policy`.
diff --git a/snippets/pgt-ztp-provisioning-lvm-storage-cluster.adoc b/snippets/pgt-ztp-provisioning-lvm-storage-cluster.adoc
new file mode 100644
index 000000000000..bbf4870bd61e
--- /dev/null
+++ b/snippets/pgt-ztp-provisioning-lvm-storage-cluster.adoc
@@ -0,0 +1,14 @@
+:_mod-docs-content-type: SNIPPET
+[source,yaml]
+----
+- fileName: StorageLVMCluster.yaml
+  policyName: "lvms-config"
+  spec:
+    storage:
+      deviceClasses:
+      - name: vg1
+        thinPoolConfig:
+          name: thin-pool-1
+          sizePercent: 90
+          overprovisionRatio: 10
+----
diff --git a/snippets/pgt-ztp-provisioning-lvm-storage-sub.yaml b/snippets/pgt-ztp-provisioning-lvm-storage-sub.yaml
new file mode 100644
index 000000000000..aca70a7cfeff
--- /dev/null
+++ b/snippets/pgt-ztp-provisioning-lvm-storage-sub.yaml
@@ -0,0 +1,6 @@
+- fileName: StorageLVMSubscriptionNS.yaml
+  policyName: subscription-policies
+- fileName: StorageLVMSubscriptionOperGroup.yaml
+  policyName: subscription-policies
+- fileName: StorageLVMSubscription.yaml
+  policyName: subscription-policies
\ No newline at end of file
diff --git a/snippets/pgt-ztp-provisioning-lvm-storage.adoc b/snippets/pgt-ztp-provisioning-lvm-storage.adoc
new file mode 100644
index 000000000000..09eb8dd0f924
--- /dev/null
+++ b/snippets/pgt-ztp-provisioning-lvm-storage.adoc
@@ -0,0 +1,13 @@
+:_mod-docs-content-type: SNIPPET
+[source,yaml,subs="attributes+"]
+----
+- fileName: StorageLVMOSubscriptionNS.yaml
+  policyName: subscription-policies
+- fileName: StorageLVMOSubscriptionOperGroup.yaml
+  policyName: subscription-policies
+- fileName: StorageLVMOSubscription.yaml
+  spec:
+    name: lvms-operator
+    channel: stable-{product-version}
+  policyName: subscription-policies
+----
diff --git a/snippets/pgt-ztp-the-policygentemplate.adoc b/snippets/pgt-ztp-the-policygentemplate.adoc
new file mode 100644
index 000000000000..cd7ed3777688
--- /dev/null
+++ b/snippets/pgt-ztp-the-policygentemplate.adoc
@@ -0,0 +1,64 @@
+:_mod-docs-content-type: SNIPPET
+[source,yaml]
+----
+apiVersion: ran.openshift.io/v1
+kind: PolicyGenTemplate
+metadata:
+  name: "common-latest"
+  namespace: "ztp-common"
+spec:
+  bindingRules:
+    common: "true" <1>
+    du-profile: "latest"
+  sourceFiles: <2>
+    - fileName: SriovSubscriptionNS.yaml
+      policyName: "subscriptions-policy"
+    - fileName: SriovSubscriptionOperGroup.yaml
+      policyName: "subscriptions-policy"
+    - fileName: SriovSubscription.yaml
+      policyName: "subscriptions-policy"
+    - fileName: SriovOperatorStatus.yaml
+      policyName: "subscriptions-policy"
+    - fileName: PtpSubscriptionNS.yaml
+      policyName: "subscriptions-policy"
+    - fileName: PtpSubscriptionOperGroup.yaml
+      policyName: "subscriptions-policy"
+    - fileName: PtpSubscription.yaml
+      policyName: "subscriptions-policy"
+    - fileName: PtpOperatorStatus.yaml
+      policyName: "subscriptions-policy"
+    - fileName: ClusterLogNS.yaml
+      policyName: "subscriptions-policy"
+    - fileName: ClusterLogOperGroup.yaml
+      policyName: "subscriptions-policy"
+    - fileName: ClusterLogSubscription.yaml
+      policyName: "subscriptions-policy"
+    - fileName: ClusterLogOperatorStatus.yaml
+      policyName: "subscriptions-policy"
+    - fileName: StorageNS.yaml
+      policyName: "subscriptions-policy"
+    - fileName: StorageOperGroup.yaml
+      policyName: "subscriptions-policy"
+    - fileName: StorageSubscription.yaml
+      policyName: "subscriptions-policy"
+    - fileName: StorageOperatorStatus.yaml
+      policyName: "subscriptions-policy"
+    - fileName: DefaultCatsrc.yaml <3>
+      policyName: "config-policy" <4>
+      metadata:
+        name: redhat-operators-disconnected
+      spec:
+        displayName: disconnected-redhat-operators
+        image: registry.example.com:5000/disconnected-redhat-operators/disconnected-redhat-operator-index:v4.9
+    - fileName: DisconnectedICSP.yaml
+      policyName: "config-policy"
+      spec:
+        repositoryDigestMirrors:
+        - mirrors:
+          - registry.example.com:5000
+          source: registry.redhat.io
+----
+<1> `common: "true"` applies the policies to all clusters with this label.
+<2> Files listed under `sourceFiles` create the Operator policies for installed clusters.
+<3> `DefaultCatsrc.yaml` configures the catalog source for the disconnected registry.
+<4> `policyName: "config-policy"` configures Operator subscriptions. The `OperatorHub` CR disables the default and this CR replaces `redhat-operators` with a `CatalogSource` CR that points to the disconnected registry.
diff --git a/snippets/pgt-ztp-using-pgt-to-configure-high-performance-mode.yaml b/snippets/pgt-ztp-using-pgt-to-configure-high-performance-mode.yaml
new file mode 100644
index 000000000000..345edf98f134
--- /dev/null
+++ b/snippets/pgt-ztp-using-pgt-to-configure-high-performance-mode.yaml
@@ -0,0 +1,10 @@
+- fileName: PerformanceProfile.yaml
+  policyName: "config-policy"
+  metadata:
+  #  ...
+  spec:
+  #  ...
+    workloadHints:
+         realTime: true
+         highPowerConsumption: true
+         perPodPowerManagement: false
diff --git a/snippets/pgt-ztp-using-pgt-to-configure-performance-mode.yaml b/snippets/pgt-ztp-using-pgt-to-configure-performance-mode.yaml
new file mode 100644
index 000000000000..61d4b37ae810
--- /dev/null
+++ b/snippets/pgt-ztp-using-pgt-to-configure-performance-mode.yaml
@@ -0,0 +1,10 @@
+- fileName: PerformanceProfile.yaml
+  policyName: "config-policy"
+  metadata:
+  # ...
+  spec:
+    # ...
+    workloadHints:
+         realTime: true
+         highPowerConsumption: false
+         perPodPowerManagement: false
diff --git a/snippets/pgt-ztp-using-pgt-to-configure-power-saving-mode.adoc b/snippets/pgt-ztp-using-pgt-to-configure-power-saving-mode.adoc
new file mode 100644
index 000000000000..0e33606979a2
--- /dev/null
+++ b/snippets/pgt-ztp-using-pgt-to-configure-power-saving-mode.adoc
@@ -0,0 +1,19 @@
+:_mod-docs-content-type: SNIPPET
+[source,yaml]
+----
+- fileName: PerformanceProfile.yaml
+  policyName: "config-policy"
+  metadata:
+  # ...
+  spec:
+    # ...
+    workloadHints:
+      realTime: true
+      highPowerConsumption: false
+      perPodPowerManagement: true
+    # ...
+    additionalKernelArgs:
+      - # ...
+      - "cpufreq.default_governor=schedutil" <1>
+----
+<1> The `schedutil` governor is recommended, however, other governors that can be used include `ondemand` and `powersave`.
diff --git a/snippets/pgt-ztp-using-pgt-to-maximize-power-saving-mode.adoc b/snippets/pgt-ztp-using-pgt-to-maximize-power-saving-mode.adoc
new file mode 100644
index 000000000000..34bedf22905e
--- /dev/null
+++ b/snippets/pgt-ztp-using-pgt-to-maximize-power-saving-mode.adoc
@@ -0,0 +1,14 @@
+:_mod-docs-content-type: SNIPPET
+[source,yaml]
+----
+- fileName: TunedPerformancePatch.yaml
+  policyName: "config-policy"
+  spec:
+    profile:
+      - name: performance-patch
+        data: |
+          # ...
+          [sysfs]
+          /sys/devices/system/cpu/intel_pstate/max_perf_pct=<x> <1>
+----
+<1> The `max_perf_pct` controls the maximum frequency the `cpufreq` driver is allowed to set as a percentage of the maximum supported CPU frequency. This value applies to all CPUs. You can check the maximum supported frequency in `/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq`. As a starting point, you can use a percentage that caps all CPUs at the `All Cores Turbo` frequency. The `All Cores Turbo` frequency is the frequency that all cores will run at when the cores are all fully occupied.
diff --git a/snippets/pgt-ztp-worker-node-preparing-policies.adoc b/snippets/pgt-ztp-worker-node-preparing-policies.adoc
new file mode 100644
index 000000000000..3abad4dbc6e1
--- /dev/null
+++ b/snippets/pgt-ztp-worker-node-preparing-policies.adoc
@@ -0,0 +1,80 @@
+:_mod-docs-content-type: SNIPPET
+[source,yaml]
+----
+apiVersion: ran.openshift.io/v1
+kind: PolicyGenTemplate
+metadata:
+  name: "example-sno-workers"
+  namespace: "example-sno"
+spec:
+  bindingRules:
+    sites: "example-sno" <1>
+  mcp: "worker" <2>
+  sourceFiles:
+    - fileName: MachineConfigGeneric.yaml <3>
+      policyName: "config-policy"
+      metadata:
+        labels:
+          machineconfiguration.openshift.io/role: worker
+        name: enable-workload-partitioning
+      spec:
+        config:
+          storage:
+            files:
+            - contents:
+                source: data:text/plain;charset=utf-8;base64,W2NyaW8ucnVudGltZS53b3JrbG9hZHMubWFuYWdlbWVudF0KYWN0aXZhdGlvbl9hbm5vdGF0aW9uID0gInRhcmdldC53b3JrbG9hZC5vcGVuc2hpZnQuaW8vbWFuYWdlbWVudCIKYW5ub3RhdGlvbl9wcmVmaXggPSAicmVzb3VyY2VzLndvcmtsb2FkLm9wZW5zaGlmdC5pbyIKcmVzb3VyY2VzID0geyAiY3B1c2hhcmVzIiA9IDAsICJjcHVzZXQiID0gIjAtMyIgfQo=
+              mode: 420
+              overwrite: true
+              path: /etc/crio/crio.conf.d/01-workload-partitioning
+              user:
+                name: root
+            - contents:
+                source: data:text/plain;charset=utf-8;base64,ewogICJtYW5hZ2VtZW50IjogewogICAgImNwdXNldCI6ICIwLTMiCiAgfQp9Cg==
+              mode: 420
+              overwrite: true
+              path: /etc/kubernetes/openshift-workload-pinning
+              user:
+                name: root
+    - fileName: PerformanceProfile.yaml
+      policyName: "config-policy"
+      metadata:
+        name: openshift-worker-node-performance-profile
+      spec:
+        cpu: <4>
+          isolated: "4-47"
+          reserved: "0-3"
+        hugepages:
+          defaultHugepagesSize: 1G
+          pages:
+            - size: 1G
+              count: 32
+        realTimeKernel:
+          enabled: true
+    - fileName: TunedPerformancePatch.yaml
+      policyName: "config-policy"
+      metadata:
+        name: performance-patch-worker
+      spec:
+        profile:
+          - name: performance-patch-worker
+            data: |
+              [main]
+              summary=Configuration changes profile inherited from performance created tuned
+              include=openshift-node-performance-openshift-worker-node-performance-profile
+              [bootloader]
+              cmdline_crash=nohz_full=4-47 <5>
+              [sysctl]
+              kernel.timer_migration=1
+              [scheduler]
+              group.ice-ptp=0:f:10:*:ice-ptp.*
+              [service]
+              service.stalld=start,enable
+              service.chronyd=stop,disable
+        recommend:
+        - profile: performance-patch-worker
+----
+<1> The policies are applied to all clusters with this label.
+<2> The `MCP` field must be set to `worker`.
+<3> This generic `MachineConfig` CR is used to configure workload partitioning on the worker node.
+<4> The `cpu.isolated` and `cpu.reserved` fields must be configured for each particular hardware platform.
+<5> The `cmdline_crash` CPU set must match the `cpu.isolated` set in the `PerformanceProfile` section.
diff --git a/snippets/ptp-amq-interconnect-eol.adoc b/snippets/ptp-amq-interconnect-eol.adoc
index d2810115bf88..4875975de04b 100644
--- a/snippets/ptp-amq-interconnect-eol.adoc
+++ b/snippets/ptp-amq-interconnect-eol.adoc
@@ -1,3 +1,4 @@
+:_mod-docs-content-type: SNIPPET
 [NOTE]
 ====
 HTTP transport is the default transport for PTP and bare-metal events.
diff --git a/snippets/technology-preview.adoc b/snippets/technology-preview.adoc
index 9c1acea0a89b..a91b9795f01d 100644
--- a/snippets/technology-preview.adoc
+++ b/snippets/technology-preview.adoc
@@ -9,4 +9,4 @@
 For more information about the support scope of Red Hat Technology Preview features, see link:https://access.redhat.com/support/offerings/techpreview/[Technology Preview Features Support Scope].
 ====
 // Undefine {FeatureName} attribute, so that any mistakes are easily spotted
-:!FeatureName:
+:!FeatureName: The Alibaba Cloud installation with Assisted Installer
diff --git a/snippets/terraform-modification-disclaimer.adoc b/snippets/terraform-modification-disclaimer.adoc
index 3e7911ac7de7..f5526a53b30b 100644
--- a/snippets/terraform-modification-disclaimer.adoc
+++ b/snippets/terraform-modification-disclaimer.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * rosa_install_access_delete_clusters/terraform/rosa-sts-creating-a-cluster-quickly-terraform.adoc
+// * rosa_install_access_delete_clusters/terraform/rosa-classic-creating-a-cluster-quickly-terraform.adoc
 // * rosa_planning/rosa-understanding-terraform.adoc
 
 :_mod-docs-content-type: SNIPPET
diff --git a/snippets/ztp-creating-hwevents-amqp-hardware-event.adoc b/snippets/ztp-creating-hwevents-amqp-hardware-event.adoc
new file mode 100644
index 000000000000..bd91a8084378
--- /dev/null
+++ b/snippets/ztp-creating-hwevents-amqp-hardware-event.adoc
@@ -0,0 +1,10 @@
+:_mod-docs-content-type: SNIPPET
+[source,yaml]
+----
+- path: HardwareEvent.yaml
+  patches:
+    nodeSelector: {}
+    transportHost: "amqp://<amq_interconnect_name>.<amq_interconnect_namespace>.svc.cluster.local" <1>
+    logLevel: "info"
+----
+<1>  The `transportHost` URL is composed of the existing AMQ Interconnect CR `name` and `namespace`. For example, in `transportHost: "amqp://amq-router.amq-router.svc.cluster.local"`, the AMQ Interconnect `name` and `namespace` are both set to `amq-router`.
diff --git a/snippets/ztp-specifying-nics-in-pgt-hub-cluster-templates.yaml b/snippets/ztp-specifying-nics-in-pgt-hub-cluster-templates.yaml
new file mode 100644
index 000000000000..4f6e605f6f82
--- /dev/null
+++ b/snippets/ztp-specifying-nics-in-pgt-hub-cluster-templates.yaml
@@ -0,0 +1,80 @@
+apiVersion: ran.openshift.io/v1
+kind: PolicyGenTemplate
+metadata:
+  name: group-du-sno-pgt
+  namespace: ztp-group
+spec:
+  bindingRules:
+    # These policies will correspond to all clusters with these labels
+    group-du-sno-zone: "zone-1"
+    hardware-type: "hardware-type-1"
+  mcp: "master"
+  sourceFiles:
+    - fileName: ClusterLogForwarder.yaml # wave 10
+      policyName: "group-du-sno-cfg-policy"
+      spec:
+        outputs: '{{hub fromConfigMap "" "group-zones-configmap" (printf "%s-cluster-log-fwd-outputs" (index .ManagedClusterLabels "group-du-sno-zone")) | toLiteral hub}}'
+        pipelines: '{{hub fromConfigMap "" "group-zones-configmap" (printf "%s-cluster-log-fwd-pipelines" (index .ManagedClusterLabels "group-du-sno-zone")) | toLiteral hub}}'
+
+    - fileName: PerformanceProfile.yaml # wave 10
+      policyName: "group-du-sno-cfg-policy"
+      metadata:
+        name: openshift-node-performance-profile
+      spec:
+        additionalKernelArgs:
+        - rcupdate.rcu_normal_after_boot=0
+        - vfio_pci.enable_sriov=1
+        - vfio_pci.disable_idle_d3=1
+        - efi=runtime
+        cpu:
+          isolated: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-cpu-isolated" (index .ManagedClusterLabels "hardware-type")) hub}}'
+          reserved: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-cpu-reserved" (index .ManagedClusterLabels "hardware-type")) hub}}'
+        hugepages:
+          defaultHugepagesSize: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-default" (index .ManagedClusterLabels "hardware-type")) hub}}'
+          pages:
+            - size: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-size" (index .ManagedClusterLabels "hardware-type")) hub}}'
+              count: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-count" (index .ManagedClusterLabels "hardware-type")) | toInt hub}}'
+        realTimeKernel:
+          enabled: true
+
+    - fileName: SriovNetwork.yaml # wave 100
+      policyName: "group-du-sno-sriov-policy"
+      metadata:
+        name: sriov-nw-du-fh
+      spec:
+        resourceName: du_fh
+        vlan: '{{hub fromConfigMap "" "site-data-configmap" (printf "%s-sriov-network-vlan-1" .ManagedClusterName) | toInt hub}}'
+
+    - fileName: SriovNetworkNodePolicy.yaml # wave 100
+      policyName: "group-du-sno-sriov-policy"
+      metadata:
+        name: sriov-nnp-du-fh
+      spec:
+        deviceType: netdevice
+        isRdma: false
+        nicSelector:
+          pfNames: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-sriov-node-policy-pfNames-1" (index .ManagedClusterLabels "hardware-type")) | toLiteral hub}}'
+        numVfs: 8
+        priority: 10
+        resourceName: du_fh
+
+    - fileName: SriovNetwork.yaml # wave 100
+      policyName: "group-du-sno-sriov-policy"
+      metadata:
+        name: sriov-nw-du-mh
+      spec:
+        resourceName: du_mh
+        vlan: '{{hub fromConfigMap "" "site-data-configmap" (printf "%s-sriov-network-vlan-2" .ManagedClusterName) | toInt hub}}'
+
+    - fileName: SriovNetworkNodePolicy.yaml # wave 100
+      policyName: "group-du-sno-sriov-policy"
+      metadata:
+        name: sriov-nw-du-fh
+      spec:
+        deviceType: netdevice
+        isRdma: false
+        nicSelector:
+          pfNames: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-sriov-node-policy-pfNames-2" (index .ManagedClusterLabels "hardware-type")) | toLiteral hub}}'
+        numVfs: 8
+        priority: 10
+        resourceName: du_fh
\ No newline at end of file
diff --git a/snippets/ztp-the-policygenerator-single.yaml b/snippets/ztp-the-policygenerator-single.yaml
new file mode 100644
index 000000000000..375cf3d09751
--- /dev/null
+++ b/snippets/ztp-the-policygenerator-single.yaml
@@ -0,0 +1,152 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: PolicyGenerator
+metadata:
+  name: group-du-sno
+placementBindingDefaults:
+  name: group-du-sno-placement-binding
+policyDefaults:
+  namespace: ztp-group
+  placement:
+    labelSelector:
+      matchExpressions:
+        - key: group-du-sno
+          operator: Exists
+  remediationAction: inform
+  severity: low
+  namespaceSelector:
+    exclude:
+      - kube-*
+    include:
+      - '*'
+  evaluationInterval:
+    compliant: 10m
+    noncompliant: 10s
+policies:
+  - name: group-du-sno-config-policy
+    policyAnnotations:
+      ran.openshift.io/ztp-deploy-wave: '10'
+    manifests:
+      - path: source-crs/PtpConfigSlave-MCP-master.yaml
+        patches:
+          - metadata: null
+            name: du-ptp-slave
+            namespace: openshift-ptp
+            annotations:
+              ran.openshift.io/ztp-deploy-wave: '10'
+            spec:
+              profile:
+                - name: slave
+                  interface: $interface
+                  ptp4lOpts: '-2 -s'
+                  phc2sysOpts: '-a -r -n 24'
+                  ptpSchedulingPolicy: SCHED_FIFO
+                  ptpSchedulingPriority: 10
+                  ptpSettings:
+                    logReduce: 'true'
+                  ptp4lConf: |
+                    [global]
+                    #
+                    # Default Data Set
+                    #
+                    twoStepFlag 1
+                    slaveOnly 1
+                    priority1 128
+                    priority2 128
+                    domainNumber 24
+                    #utc_offset 37
+                    clockClass 255
+                    clockAccuracy 0xFE
+                    offsetScaledLogVariance 0xFFFF
+                    free_running 0
+                    freq_est_interval 1
+                    dscp_event 0
+                    dscp_general 0
+                    dataset_comparison G.8275.x
+                    G.8275.defaultDS.localPriority 128
+                    #
+                    # Port Data Set
+                    #
+                    logAnnounceInterval -3
+                    logSyncInterval -4
+                    logMinDelayReqInterval -4
+                    logMinPdelayReqInterval -4
+                    announceReceiptTimeout 3
+                    syncReceiptTimeout 0
+                    delayAsymmetry 0
+                    fault_reset_interval -4
+                    neighborPropDelayThresh 20000000
+                    masterOnly 0
+                    G.8275.portDS.localPriority 128
+                    #
+                    # Run time options
+                    #
+                    assume_two_step 0
+                    logging_level 6
+                    path_trace_enabled 0
+                    follow_up_info 0
+                    hybrid_e2e 0
+                    inhibit_multicast_service 0
+                    net_sync_monitor 0
+                    tc_spanning_tree 0
+                    tx_timestamp_timeout 50
+                    unicast_listen 0
+                    unicast_master_table 0
+                    unicast_req_duration 3600
+                    use_syslog 1
+                    verbose 0
+                    summary_interval 0
+                    kernel_leap 1
+                    check_fup_sync 0
+                    clock_class_threshold 7
+                    #
+                    # Servo Options
+                    #
+                    pi_proportional_const 0.0
+                    pi_integral_const 0.0
+                    pi_proportional_scale 0.0
+                    pi_proportional_exponent -0.3
+                    pi_proportional_norm_max 0.7
+                    pi_integral_scale 0.0
+                    pi_integral_exponent 0.4
+                    pi_integral_norm_max 0.3
+                    step_threshold 2.0
+                    first_step_threshold 0.00002
+                    max_frequency 900000000
+                    clock_servo pi
+                    sanity_freq_limit 200000000
+                    ntpshm_segment 0
+                    #
+                    # Transport options
+                    #
+                    transportSpecific 0x0
+                    ptp_dst_mac 01:1B:19:00:00:00
+                    p2p_dst_mac 01:80:C2:00:00:0E
+                    udp_ttl 1
+                    udp6_scope 0x0E
+                    uds_address /var/run/ptp4l
+                    #
+                    # Default interface options
+                    #
+                    clock_type OC
+                    network_transport L2
+                    delay_mechanism E2E
+                    time_stamping hardware
+                    tsproc_mode filter
+                    delay_filter moving_median
+                    delay_filter_length 10
+                    egressLatency 0
+                    ingressLatency 0
+                    boundary_clock_jbod 0
+                    #
+                    # Clock description
+                    #
+                    productDescription ;;
+                    revisionData ;;
+                    manufacturerIdentity 00:00:00
+                    userDescription ;
+                    timeSource 0xA0
+              recommend:
+                - profile: slave
+                  priority: 4
+                  match:
+                    - nodeLabel: node-role.kubernetes.io/master
diff --git a/snippets/ztp-the-policygentemplate-single.yaml b/snippets/ztp-the-policygentemplate-single.yaml
new file mode 100644
index 000000000000..728f2e78d62c
--- /dev/null
+++ b/snippets/ztp-the-policygentemplate-single.yaml
@@ -0,0 +1,20 @@
+apiVersion: ran.openshift.io/v1
+kind: PolicyGenTemplate
+metadata:
+  name: "group-du-sno"
+  namespace: "ztp-group"
+spec:
+  bindingRules:
+    group-du-sno: ""
+  mcp: "master"
+  sourceFiles:
+    - fileName: PtpConfigSlave.yaml
+      policyName: "config-policy"
+      metadata:
+        name: "du-ptp-slave"
+      spec:
+        profile:
+        - name: "slave"
+          interface: "ens5f0"
+          ptp4lOpts: "-2 -s --summary_interval -4"
+          phc2sysOpts: "-a -r -n 24"
\ No newline at end of file
diff --git a/snippets/ztp_99-sync-time-once-master.yaml b/snippets/ztp_99-sync-time-once-master.yaml
index 0b5401585268..5195ba9fb877 100644
--- a/snippets/ztp_99-sync-time-once-master.yaml
+++ b/snippets/ztp_99-sync-time-once-master.yaml
@@ -13,7 +13,8 @@ spec:
         - contents: |
             [Unit]
             Description=Sync time once
-            After=network.service
+            After=network-online.target
+            Wants=network-online.target
             [Service]
             Type=oneshot
             TimeoutStartSec=300
diff --git a/snippets/ztp_99-sync-time-once-worker.yaml b/snippets/ztp_99-sync-time-once-worker.yaml
index 59c6b9a6467d..2675a637ed2e 100644
--- a/snippets/ztp_99-sync-time-once-worker.yaml
+++ b/snippets/ztp_99-sync-time-once-worker.yaml
@@ -13,7 +13,7 @@ spec:
         - contents: |
             [Unit]
             Description=Sync time once
-            After=network.service
+            After=network-online.target
             [Service]
             Type=oneshot
             TimeoutStartSec=300
diff --git a/snippets/ztp_SriovOperatorConfig.yaml b/snippets/ztp_SriovOperatorConfig.yaml
index fafae3ee7df6..270f7383e30b 100644
--- a/snippets/ztp_SriovOperatorConfig.yaml
+++ b/snippets/ztp_SriovOperatorConfig.yaml
@@ -3,7 +3,8 @@ kind: SriovOperatorConfig
 metadata:
   name: default
   namespace: openshift-sriov-network-operator
-  annotations: {}
+  annotations:
+    ran.openshift.io/ztp-deploy-wave: "10"
 spec:
   configDaemonNodeSelector:
     "node-role.kubernetes.io/$mcp": ""
@@ -20,6 +21,8 @@ spec:
   #          openshift.io/<resource_name>:  "1"
   #        requests:
   #          openshift.io/<resource_name>:  "1"
-  enableInjector: true
-  enableOperatorWebhook: true
+  enableInjector: false
+  enableOperatorWebhook: false
+  # Disable drain is needed for single-node OpenShift.
+  disableDrain: true
   logLevel: 0
diff --git a/snippets/ztp_TunedPerformancePatch.yaml b/snippets/ztp_TunedPerformancePatch.yaml
index f7e8d90732e1..5e47d72b63f5 100644
--- a/snippets/ztp_TunedPerformancePatch.yaml
+++ b/snippets/ztp_TunedPerformancePatch.yaml
@@ -3,7 +3,8 @@ kind: Tuned
 metadata:
   name: performance-patch
   namespace: openshift-cluster-node-tuning-operator
-  annotations: {}
+  annotations:
+    ran.openshift.io/ztp-deploy-wave: "10"
 spec:
   profile:
     - name: performance-patch
@@ -16,11 +17,10 @@ spec:
         [main]
         summary=Configuration changes profile inherited from performance created tuned
         include=openshift-node-performance-openshift-node-performance-profile
-        [sysctl]
-        kernel.timer_migration=1
         [scheduler]
         group.ice-ptp=0:f:10:*:ice-ptp.*
         group.ice-gnss=0:f:10:*:ice-gnss.*
+        group.ice-dplls=0:f:10:*:ice-dplls.*
         [service]
         service.stalld=start,enable
         service.chronyd=stop,disable
diff --git a/snippets/ztp_example-sno.yaml b/snippets/ztp_example-sno.yaml
index 1c1f3ecc07be..6d7fec894272 100644
--- a/snippets/ztp_example-sno.yaml
+++ b/snippets/ztp_example-sno.yaml
@@ -1,6 +1,6 @@
 # example-node1-bmh-secret & assisted-deployment-pull-secret need to be created under same namespace example-sno
 ---
-apiVersion: ran.openshift.io/v2
+apiVersion: ran.openshift.io/v1
 kind: SiteConfig
 metadata:
   name: "example-sno"
@@ -12,96 +12,142 @@ spec:
   clusterImageSetNameRef: "openshift-4.10"
   sshPublicKey: "ssh-rsa AAAA..."
   clusters:
-    - clusterName: "example-sno"
-      networkType: "OVNKubernetes"
-      # installConfigOverrides is a generic way of passing install-config
-      # parameters through the siteConfig.  The 'capabilities' field configures
-      # the composable openshift feature.  In this 'capabilities' setting, we
-      # remove all but the marketplace component from the optional set of
-      # components.
-      # Notes:
-      # - OperatorLifecycleManager is needed for 4.15 and later
-      # - NodeTuning is needed for 4.13 and later, not for 4.12 and earlier
-      installConfigOverrides: "{\"capabilities\":{\"baselineCapabilitySet\": \"None\", \"additionalEnabledCapabilities\": [ \"OperatorLifecycleManager\", \"NodeTuning\" ] }}"
-      # It is strongly recommended to include crun manifests as part of the additional install-time manifests for 4.13+.
-      # The crun manifests can be obtained from source-crs/optional-extra-manifest/ and added to the git repo ie.sno-extra-manifest.
-      # extraManifestPath: sno-extra-manifest
-      clusterLabels:
-        # These example cluster labels correspond to the bindingRules in the PolicyGenTemplate examples
-        du-profile: "latest"
-        # These example cluster labels correspond to the bindingRules in the PolicyGenTemplate examples in ../policygentemplates:
-        # ../policygentemplates/common-ranGen.yaml will apply to all clusters with 'common: true'
-        common: true
-        # ../policygentemplates/group-du-sno-ranGen.yaml will apply to all clusters with 'group-du-sno: ""'
-        group-du-sno: ""
-        # ../policygentemplates/example-sno-site.yaml will apply to all clusters with 'sites: "example-sno"'
-        # Normally this should match or contain the cluster name so it only applies to a single cluster
-        sites: "example-sno"
-      clusterNetwork:
-        - cidr: 1001:1::/48
-          hostPrefix: 64
-      machineNetwork:
-        - cidr: 1111:2222:3333:4444::/64
-      serviceNetwork:
-        - 1001:2::/112
-      additionalNTPSources:
-        - 1111:2222:3333:4444::2
-      # Initiates the cluster for workload partitioning. Setting specific reserved/isolated CPUSets is done via PolicyTemplate
-      # please see Workload Partitioning Feature for a complete guide.
-      cpuPartitioningMode: AllNodes
-      # Optionally; This can be used to override the KlusterletAddonConfig that is created for this cluster:
-      #crTemplates:
-      #  KlusterletAddonConfig: "KlusterletAddonConfigOverride.yaml"
-      nodes:
-        - hostName: "example-node1.example.com"
-          role: "master"
-          # Optionally; This can be used to configure desired BIOS setting on a host:
-          #biosConfigRef:
-          #  filePath: "example-hw.profile"
-          bmcAddress: "idrac-virtualmedia+https://[1111:2222:3333:4444::bbbb:1]/redfish/v1/Systems/System.Embedded.1"
-          bmcCredentialsName:
-            name: "example-node1-bmh-secret"
-          bootMACAddress: "AA:BB:CC:DD:EE:11"
-          # Use UEFISecureBoot to enable secure boot
-          bootMode: "UEFI"
-          rootDeviceHints:
-            wwn: "0x11111000000asd123"
-            # example of diskPartition below is used for image registry (check ImageRegistry.md for more details), but it's not limited to this use case
-          #        diskPartition:
-          #          - device: /dev/disk/by-id/wwn-0x11111000000asd123 # match rootDeviceHints
-          #            partitions:
-          #              - mount_point: /var/imageregistry
-          #                size: 102500
-          #                start: 344844
-
-          nodeNetwork:
+  - clusterName: "example-sno"
+    networkType: "OVNKubernetes"
+    # installConfigOverrides is a generic way of passing install-config
+    # parameters through the siteConfig.  The 'capabilities' field configures
+    # the composable openshift feature.  In this 'capabilities' setting, we
+    # remove all but the marketplace component from the optional set of
+    # components.
+    # Notes:
+    # - OperatorLifecycleManager is needed for 4.15 and later
+    # - NodeTuning is needed for 4.13 and later, not for 4.12 and earlier
+    # - Ingress is needed for 4.16 and later
+    installConfigOverrides: | 
+      {
+        "capabilities": {
+          "baselineCapabilitySet": "None",
+          "additionalEnabledCapabilities": [
+            "NodeTuning",
+            "OperatorLifecycleManager"
+            "Ingress"
+          ]
+        }
+      }
+    # It is strongly recommended to include crun manifests as part of the additional install-time manifests for 4.13+.
+    # The crun manifests can be obtained from source-crs/optional-extra-manifest/ and added to the git repo ie.sno-extra-manifest.
+    # extraManifestPath: sno-extra-manifest
+    clusterLabels:
+      # These example cluster labels correspond to the bindingRules in the PolicyGenTemplate examples
+      du-profile: "latest"
+      # These example cluster labels correspond to the bindingRules in the PolicyGenTemplate examples in ../policygentemplates:
+      # ../policygentemplates/common-ranGen.yaml will apply to all clusters with 'common: true'
+      common: true
+      # ../policygentemplates/group-du-sno-ranGen.yaml will apply to all clusters with 'group-du-sno: ""'
+      group-du-sno: ""
+      # ../policygentemplates/example-sno-site.yaml will apply to all clusters with 'sites: "example-sno"'
+      # Normally this should match or contain the cluster name so it only applies to a single cluster
+      sites : "example-sno"
+    clusterNetwork:
+      - cidr: 1001:1::/48
+        hostPrefix: 64
+    machineNetwork:
+      - cidr: 1111:2222:3333:4444::/64
+    serviceNetwork:
+      - 1001:2::/112
+    additionalNTPSources:
+      - 1111:2222:3333:4444::2
+    # Initiates the cluster for workload partitioning. Setting specific reserved/isolated CPUSets is done via PolicyTemplate
+    # please see Workload Partitioning Feature for a complete guide.
+    cpuPartitioningMode: AllNodes
+    # Optionally; This can be used to override the KlusterletAddonConfig that is created for this cluster:
+    #crTemplates:
+    #  KlusterletAddonConfig: "KlusterletAddonConfigOverride.yaml"
+    nodes:
+      - hostName: "example-node1.example.com"
+        role: "master"
+        # Optionally; This can be used to configure desired BIOS setting on a host:
+        #biosConfigRef:
+        #  filePath: "example-hw.profile"
+        bmcAddress: "idrac-virtualmedia+https://[1111:2222:3333:4444::bbbb:1]/redfish/v1/Systems/System.Embedded.1"
+        bmcCredentialsName:
+          name: "example-node1-bmh-secret"
+        bootMACAddress: "AA:BB:CC:DD:EE:11"
+        # Use UEFISecureBoot to enable secure boot
+        bootMode: "UEFI"
+        rootDeviceHints:
+          deviceName: "/dev/disk/by-path/pci-0000:01:00.0-scsi-0:2:0:0"
+        # disk partition at `/var/lib/containers` with ignitionConfigOverride. Some values must be updated. See DiskPartitionContainer.md for more details
+        ignitionConfigOverride: | 
+           {
+            "ignition": {
+              "version": "3.2.0"
+            },
+            "storage": {
+              "disks": [
+                {
+                  "device": "/dev/disk/by-id/wwn-0x6b07b250ebb9d0002a33509f24af1f62",
+                  "partitions": [
+                    {
+                     "label": "var-lib-containers",
+                     "sizeMiB": 0,
+                     "startMiB": 250000
+                  }
+              ],
+              "wipeTable": false
+             }
+           ],
+            "filesystems": [
+              {
+               "device": "/dev/disk/by-partlabel/var-lib-containers",
+               "format": "xfs",
+               "mountOptions": [
+                 "defaults",
+                 "prjquota"
+                ],
+                "path": "/var/lib/containers",
+                "wipeFilesystem": true
+               }
+             ]
+           },
+           "systemd": {
+             "units": [
+               {
+                "contents": "# Generated by Butane\n[Unit]\nRequires=systemd-fsck@dev-disk-by\\x2dpartlabel-var\\x2dlib\\x2dcontainers.service\nAfter=systemd-fsck@dev-disk-by\\x2dpartlabel-var\\x2dlib\\x2dcontainers.service\n\n[Mount]\nWhere=/var/lib/containers\nWhat=/dev/disk/by-partlabel/var-lib-containers\nType=xfs\nOptions=defaults,prjquota\n\n[Install]\nRequiredBy=local-fs.target",
+                "enabled": true,
+                "name": "var-lib-containers.mount"
+               }
+              ]
+            }
+           }
+        nodeNetwork:
+          interfaces:
+            - name: eno1
+              macAddress: "AA:BB:CC:DD:EE:11"
+          config:
             interfaces:
               - name: eno1
-                macAddress: "AA:BB:CC:DD:EE:11"
-            config:
-              interfaces:
-                - name: eno1
-                  type: ethernet
-                  state: up
-                  ipv4:
-                    enabled: false
-                  ipv6:
-                    enabled: true
-                    address:
-                      # For SNO sites with static IP addresses, the node-specific,
-                      # API and Ingress IPs should all be the same and configured on
-                      # the interface
-                      - ip: 1111:2222:3333:4444::aaaa:1
-                        prefix-length: 64
-              dns-resolver:
-                config:
-                  search:
-                    - example.com
-                  server:
-                    - 1111:2222:3333:4444::2
-              routes:
-                config:
-                  - destination: ::/0
-                    next-hop-interface: eno1
-                    next-hop-address: 1111:2222:3333:4444::1
-                    table-id: 254
+                type: ethernet
+                state: up
+                ipv4:
+                  enabled: false
+                ipv6:
+                  enabled: true
+                  address:
+                  # For SNO sites with static IP addresses, the node-specific,
+                  # API and Ingress IPs should all be the same and configured on
+                  # the interface
+                  - ip: 1111:2222:3333:4444::aaaa:1
+                    prefix-length: 64
+            dns-resolver:
+              config:
+                search:
+                - example.com
+                server:
+                - 1111:2222:3333:4444::2
+            routes:
+              config:
+              - destination: ::/0
+                next-hop-interface: eno1
+                next-hop-address: 1111:2222:3333:4444::1
+                table-id: 254
\ No newline at end of file
diff --git a/storage/container_storage_interface/osd-persistent-storage-aws-efs-csi.adoc b/storage/container_storage_interface/osd-persistent-storage-aws-efs-csi.adoc
index 4e68c0219b6d..acdccfad9fbf 100644
--- a/storage/container_storage_interface/osd-persistent-storage-aws-efs-csi.adoc
+++ b/storage/container_storage_interface/osd-persistent-storage-aws-efs-csi.adoc
@@ -16,7 +16,7 @@ This procedure is specific to the link:https://github.com/openshift/aws-efs-csi-
 
 {product-title} is capable of provisioning persistent volumes (PVs) using the link:https://github.com/openshift/aws-efs-csi-driver[AWS EFS CSI driver].
 
-Familiarity with link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.15/html-single/storage/index#persistent-storage-overview_understanding-persistent-storage[persistent storage] and link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.15/html-single/storage/index#persistent-storage-csi[configuring CSI volumes] is recommended when working with a CSI Operator and driver.
+Familiarity with link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.16/html-single/storage/index#persistent-storage-overview_understanding-persistent-storage[persistent storage] and link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.16/html-single/storage/index#persistent-storage-csi[configuring CSI volumes] is recommended when working with a CSI Operator and driver.
 
 After installing the AWS EFS CSI Driver Operator, {product-title} installs the AWS EFS CSI Operator and the AWS EFS CSI driver by default in the `openshift-cluster-csi-drivers` namespace. This allows the AWS EFS CSI Driver Operator to create CSI-provisioned PVs that mount to AWS EFS assets.
 
@@ -87,5 +87,5 @@ include::modules/persistent-storage-csi-olm-operator-uninstall.adoc[leveloffset=
 [role="_additional-resources"]
 == Additional resources
 
-* link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.15/html-single/storage/index#persistent-storage-csi[Configuring CSI volumes]
+* link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.16/html-single/storage/index#persistent-storage-csi[Configuring CSI volumes]
 
diff --git a/storage/container_storage_interface/persistent-storage-csi-smb-cifs.adoc b/storage/container_storage_interface/persistent-storage-csi-smb-cifs.adoc
new file mode 100644
index 000000000000..ab50f5ed9cee
--- /dev/null
+++ b/storage/container_storage_interface/persistent-storage-csi-smb-cifs.adoc
@@ -0,0 +1,40 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="persistent-storage-csi-smb-cifs"]
+= CIFS/SMB CSI Driver Operator
+include::_attributes/common-attributes.adoc[]
+:context: persistent-storage-csi-smb-cifs
+
+toc::[]
+
+{product-title} is capable of provisioning persistent volumes (PVs) with a Container Storage Interface (CSI) driver for Common Internet File System (CIFS) dialect/Server Message Block (SMB) protocol.
+
+:FeatureName: CIFS/SMB CSI Driver Operator
+include::snippets/technology-preview.adoc[leveloffset=+1]
+
+Familiarity with xref:../../storage/understanding-persistent-storage.adoc#understanding-persistent-storage[persistent storage] and xref:../../storage/container_storage_interface/persistent-storage-csi.adoc#persistent-storage-csi[configuring CSI volumes] is recommended when working with a CSI Operator and driver.
+
+After installing the CIFS/SMB CSI Driver Operator, {product-title} installs corresponding pods for the Operator and driver in the `openshift-cluster-csi-drivers` namespace by default. This allows the CIFS/SMB CSI Driver to create CSI-provisioned persistent volumes (PVs) that mount to CIFS/SMB shares.
+
+* The _CIFS/SMB CSI Driver Operator_, after being installed, does not create a storage class by default to use to create persistent volume claims (PVCs). However, xref:../../storage/container_storage_interface/persistent-storage-csi-smb-cifs.adoc#persistent-storage-csi-smb-cifs-provision-dynamic_persistent-storage-csi-smb-cifs[you can manually create the CIFS/SMB `StorageClass` for dynamic provisioning]. The CIFS/SMB CSI Driver Operator supports dynamic volume provisioning by allowing storage volumes to be created on-demand.
+This eliminates the need for cluster administrators to pre-provision storage.
+
+* The _CIFS/SMB CSI driver_ enables you to create and mount CIFS/SMB PVs.
+
+include::modules/persistent-storage-csi-about.adoc[leveloffset=+1]
+
+include::modules/persistent-storage-csi-smb-cifs-limits.adoc[leveloffset=+1]
+
+:FeatureName: CIFS/SMB
+include::modules/persistent-storage-csi-olm-operator-install.adoc[leveloffset=+1]
+
+:FeatureName: CIFS/SMB
+include::modules/persistent-storage-csi-smb-cifs-operator-install-driver.adoc[leveloffset=+1]
+
+include::modules/persistent-storage-csi-smb-cifs-provision-dynamic.adoc[leveloffset=+1]
+
+include::modules/persistent-storage-csi-smb-cifs-provision-static.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="additional-resources_{context}"]
+== Additional resources
+* xref:../../storage/container_storage_interface/persistent-storage-csi.adoc#persistent-storage-csi[Configuring CSI volumes]
diff --git a/storage/container_storage_interface/persistent-storage-csi-snapshots.adoc b/storage/container_storage_interface/persistent-storage-csi-snapshots.adoc
index 421063d62510..f0682c6248f6 100644
--- a/storage/container_storage_interface/persistent-storage-csi-snapshots.adoc
+++ b/storage/container_storage_interface/persistent-storage-csi-snapshots.adoc
@@ -21,3 +21,8 @@ include::modules/persistent-storage-csi-snapshots-create.adoc[leveloffset=+1]
 include::modules/persistent-storage-csi-snapshots-delete.adoc[leveloffset=+1]
 
 include::modules/persistent-storage-csi-snapshots-restore.adoc[leveloffset=+1]
+
+include::modules/persistent-storage-csi-vsphere-change-max-snapshot.adoc[leveloffset=+1]
+
+== Additional resources
+* link:https://kb.vmware.com/s/article/1025279[Best practices for using VMware snapshots in the vSphere environment]
diff --git a/storage/container_storage_interface/persistent-storage-csi-vsphere.adoc b/storage/container_storage_interface/persistent-storage-csi-vsphere.adoc
index fd03a85ff151..a97405ebebcf 100644
--- a/storage/container_storage_interface/persistent-storage-csi-vsphere.adoc
+++ b/storage/container_storage_interface/persistent-storage-csi-vsphere.adoc
@@ -16,7 +16,7 @@ To create CSI-provisioned persistent volumes (PVs) that mount to vSphere storage
 
 * *vSphere CSI Driver Operator*: The Operator provides a storage class, called `thin-csi`, that you can use to create persistent volumes claims (PVCs). The vSphere CSI Driver Operator supports dynamic volume provisioning by allowing storage volumes to be created on-demand, eliminating the need for cluster administrators to pre-provision storage. You can disable this default storage class if desired (see xref:../../storage/container_storage_interface/persistent-storage-csi-sc-manage.adoc#persistent-storage-csi-sc-manage[Managing the default storage class]).
 
-* *vSphere CSI driver*: The driver enables you to create and mount vSphere PVs. In {product-title} 4.15, the driver version is 3.0.2. The vSphere CSI driver supports all of the file systems supported by the underlying Red Hat Core OS release, including XFS and Ext4. For more information about supported file systems, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_file_systems/assembly_overview-of-available-file-systems_managing-file-systems[Overview of available file systems].
+* *vSphere CSI driver*: The driver enables you to create and mount vSphere PVs. In {product-title} 4.15, the driver version is 3.1.2. The vSphere CSI driver supports all of the file systems supported by the underlying Red Hat Core operating system release, including XFS and Ext4. For more information about supported file systems, see link:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/managing_file_systems/overview-of-available-file-systems_managing-file-systems[Overview of available file systems].
 
 //Please update driver version as needed with each major OCP release starting with 4.13.
 
@@ -96,5 +96,9 @@ include::modules/persistent-storage-csi-vsphere-top-aware-infra-top.adoc[levelof
 
 include::modules/persistent-storage-csi-vsphere-top-aware-results.adoc[leveloffset=+2]
 
+include::modules/persistent-storage-csi-vsphere-change-max-snapshot.adoc[leveloffset=+1]
+
 == Additional resources
 * xref:../../storage/container_storage_interface/persistent-storage-csi.adoc#persistent-storage-csi[Configuring CSI volumes]
+
+* link:https://kb.vmware.com/s/article/1025279[Best practices for using VMware snapshots in the vSphere environment]
diff --git a/storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc b/storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc
index fd4a0b14892f..f9c08fd1beb9 100644
--- a/storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc
+++ b/storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc
@@ -69,9 +69,13 @@ include::modules/lvms-about-adding-devices-to-a-vg.adoc[leveloffset=+2]
 [role="_additional-resources"]
 .Additional resources
 
-* xref:../../../storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc#lvms-unsupported-devices_logical-volume-manager-storage[Devices not supported by {lvms}]
+* xref:../../../installing/install_config/installing-customizing.adoc#installation-special-config-raid_installing-customizing[Configuring a RAID-enabled data volume]
+
+* xref:../../../installing/install_config/installing-customizing.adoc#installation-special-config-encrypt-disk_installing-customizing[About disk encryption]
 
-* xref:../../../storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc#lvms-integrating-software-raid-arrays_logical-volume-manager-storage[Integrating software RAID arrays with {lvms}]
+* xref:../../../installing/install_config/installing-customizing.adoc#installation-special-config-storage-procedure_installing-customizing[Configuring disk encryption and mirroring]
+
+* xref:../../../storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc#lvms-unsupported-devices_logical-volume-manager-storage[Devices not supported by {lvms}]
 
 // Devices not supported by LVMS
 include::modules/lvms-unsupported-devices.adoc[leveloffset=+2]
@@ -83,17 +87,6 @@ include::modules/lvms-about-creating-lvmcluster-cr.adoc[leveloffset=+1]
 // Reusing a volume group from the previous LVM Storage installation
 include::modules/lvms-reusing-vg-from-prev-installation.adoc[leveloffset=+2]
 
-//Integrating software RAID arrays
-include::modules/lvms-integrating-software-raid-arrays.adoc[leveloffset=+2]
-
-[role="_additional-resources"]
-.Additional resources
-
-* xref:../../../installing/install_config/installing-customizing.adoc#installation-special-config-raid_installing-customizing[Configuring a RAID-enabled data volume]
-* link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_storage_devices/managing-raid_managing-storage-devices#creating-a-software-raid-on-an-installed-system_managing-raid[Creating a software RAID on an installed system]
-* link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_storage_devices/managing-raid_managing-storage-devices#replacing-a-failed-disk-in-raid_managing-raid[Replacing a failed disk in RAID]
-* link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_storage_devices/managing-raid_managing-storage-devices#repairing-raid-disks_managing-raid[Repairing RAID disks]
-
 include::modules/lvms-creating-lvms-cluster-using-cli.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
@@ -147,18 +140,18 @@ include::modules/lvms-scaling-storage-of-clusters-using-cli.adoc[leveloffset=+2]
 
 * xref:../../../storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc#lvms-unsupported-devices_logical-volume-manager-storage[Devices not supported by {lvms}]
 
-* xref:../../../storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc#lvms-integrating-software-raid-arrays_logical-volume-manager-storage[Integrating software RAID arrays with {lvms}]
+* xref:../../../storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc#about-adding-devices-to-a-vg_logical-volume-manager-storage[About adding devices to a volume group]
 
 include::modules/lvms-scaling-storage-of-clusters-using-web-console.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 .Additional resources
 
-* xref:../../../storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc#lvms-unsupported-devices_logical-volume-manager-storage[Devices not supported by {lvms}]
+* xref:../../../storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc#about-lvmcluster_logical-volume-manager-storage[About the LVMCluster custom resource]
 
-* xref:../../../storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc#lvms-integrating-software-raid-arrays_logical-volume-manager-storage[Integrating software RAID arrays with {lvms}]
+* xref:../../../storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc#lvms-unsupported-devices_logical-volume-manager-storage[Devices not supported by {lvms}]
 
-* xref:../../../storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc#about-lvmcluster_logical-volume-manager-storage[About the LVMCluster custom resource]
+* xref:../../../storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc#about-adding-devices-to-a-vg_logical-volume-manager-storage[About adding devices to a volume group]
 
 include::modules/lvms-scaling-storage-of-clusters-using-rhacm.adoc[leveloffset=+2]
 
@@ -171,7 +164,7 @@ include::modules/lvms-scaling-storage-of-clusters-using-rhacm.adoc[leveloffset=+
 
 * xref:../../../storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc#lvms-unsupported-devices_logical-volume-manager-storage[Devices not supported by {lvms}]
 
-* xref:../../../storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc#lvms-integrating-software-raid-arrays_logical-volume-manager-storage[Integrating software RAID arrays with {lvms}]
+* xref:../../../storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc#about-adding-devices-to-a-vg_logical-volume-manager-storage[About adding devices to a volume group]
 
 // Expanding PVCs
 include::modules/lvms-scaling-storage-expand-pvc.adoc[leveloffset=+1]
@@ -212,6 +205,7 @@ include::modules/lvms-monitoring-logical-volume-manager-operator.adoc[leveloffse
 
 // Uninstalling LVM Storage
 
+include::modules/lvms-uninstalling-logical-volume-manager-operator-using-openshift-cli.adoc[leveloffset=+1]
 include::modules/lvms-uninstalling-logical-volume-manager-operator-using-openshift-web-console.adoc[leveloffset=+1]
 include::modules/lvms-uninstalling-logical-volume-manager-operator-using-rhacm.adoc[leveloffset=+1]
 
@@ -222,3 +216,36 @@ include::modules/lvms-download-log-files-and-diagnostics.adoc[leveloffset=+1]
 .Additional resources
 
 * xref:../../../support/gathering-cluster-data.adoc#about-must-gather_gathering-cluster-data[About the must-gather tool]
+
+//Troubleshooting local persistent storage using LVM Storage
+
+include::modules/lvms-troubleshooting-persistent-storage.adoc[leveloffset=+1]
+
+include::modules/lvms-troubleshooting-investigating-a-pvc-stuck-in-the-pending-state.adoc[leveloffset=+2]
+
+include::modules/lvms-troubleshooting-recovering-from-missing-lvms-or-operator-components.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc#about-lvmcluster_logical-volume-manager-storage[About the LVMCluster custom resource]
+
+* xref:../../../storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc#about-creating-lvmcluster-cr_logical-volume-manager-storage[Ways to create an LVMCluster custom resource]
+
+include::modules/lvms-troubleshooting-recovering-from-node-failure.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+[id="additional-resources-forced-cleanup-1"]
+.Additional resources
+
+* xref:../../../storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc#performing-a-forced-cleanup_logical-volume-manager-storage[Performing a forced clean-up]
+
+include::modules/lvms-troubleshooting-recovering-from-disk-failure.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+[id="additional-resources-forced-cleanup-2"]
+.Additional resources
+
+* xref:../../../storage/persistent_storage/persistent_storage_local/persistent-storage-using-lvms.adoc#performing-a-forced-cleanup_logical-volume-manager-storage[Performing a forced clean-up]
+
+include::modules/lvms-troubleshooting-performing-a-forced-cleanup.adoc[leveloffset=+2]
\ No newline at end of file
diff --git a/storage/persistent_storage/persistent_storage_local/troubleshooting-local-persistent-storage-using-lvms.adoc b/storage/persistent_storage/persistent_storage_local/troubleshooting-local-persistent-storage-using-lvms.adoc
deleted file mode 100644
index 3ae4d7e76db5..000000000000
--- a/storage/persistent_storage/persistent_storage_local/troubleshooting-local-persistent-storage-using-lvms.adoc
+++ /dev/null
@@ -1,31 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-[id="troubleshooting-local-persistent-storage"]
-= Troubleshooting local persistent storage using LVMS
-include::_attributes/common-attributes.adoc[]
-:context: troubleshooting-local-persistent-storage-using-lvms
-
-toc::[]
-
-Because {product-title} does not scope a persistent volume (PV) to a single project, it can be shared across the cluster and claimed by any project using a persistent volume claim (PVC). This can lead to a number of issues that require troubleshooting.
-
-include::modules/lvms-troubleshooting-investigating-a-pvc-stuck-in-the-pending-state.adoc[leveloffset=+1]
-
-include::modules/lvms-troubleshooting-recovering-from-missing-lvms-or-operator-components.adoc[leveloffset=+1]
-
-include::modules/lvms-troubleshooting-recovering-from-node-failure.adoc[leveloffset=+1]
-
-[role="_additional-resources"]
-[id="additional-resources-forced-cleanup-1"]
-.Additional resources
-
-* xref:../../../troubleshooting-local-persistent-storage-using-lvms.adoc#performing-a-forced-cleanup_troubleshooting-local-persistent-storage-using-lvms[Performing a forced cleanup]
-
-include::modules/lvms-troubleshooting-recovering-from-disk-failure.adoc[leveloffset=+1]
-
-[role="_additional-resources"]
-[id="additional-resources-forced-cleanup-2"]
-.Additional resources
-
-* xref:../../../troubleshooting-local-persistent-storage-using-lvms.adoc#performing-a-forced-cleanup_troubleshooting-local-persistent-storage-using-lvms[Performing a forced cleanup]
-
-include::modules/lvms-troubleshooting-performing-a-forced-cleanup.adoc[leveloffset=+1]
diff --git a/storage/persistent_storage/rosa-persistent-storage-aws-efs-csi.adoc b/storage/persistent_storage/rosa-persistent-storage-aws-efs-csi.adoc
index 1f25cab6ce69..a54a204a5af2 100644
--- a/storage/persistent_storage/rosa-persistent-storage-aws-efs-csi.adoc
+++ b/storage/persistent_storage/rosa-persistent-storage-aws-efs-csi.adoc
@@ -16,7 +16,7 @@ This procedure is specific to the Amazon Web Services Elastic File System (AWS E
 
 {product-title} is capable of provisioning persistent volumes (PVs) using the Container Storage Interface (CSI) driver for AWS Elastic File Service (EFS).
 
-Familiarity with link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.15/html-single/storage/index#persistent-storage-overview_understanding-persistent-storage[persistent storage] and link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.15/html-single/storage/index#persistent-storage-csi[configuring CSI volumes] is recommended when working with a CSI Operator and driver.
+Familiarity with link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.16/html-single/storage/index#persistent-storage-overview_understanding-persistent-storage[persistent storage] and link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.16/html-single/storage/index#persistent-storage-csi[configuring CSI volumes] is recommended when working with a CSI Operator and driver.
 
 After installing the AWS EFS CSI Driver Operator, {product-title} installs the AWS EFS CSI Operator and the AWS EFS CSI driver by default in the `openshift-cluster-csi-drivers` namespace. This allows the AWS EFS CSI Driver Operator to create CSI-provisioned PVs that mount to AWS EFS assets.
 
@@ -51,7 +51,7 @@ include::modules/persistent-storage-csi-efs-sts.adoc[leveloffset=+1]
 * xref:../../storage/persistent_storage/rosa-persistent-storage-aws-efs-csi.adoc#persistent-storage-csi-olm-operator-install_rosa-persistent-storage-aws-efs-csi[Installing the AWS EFS CSI Driver Operator]
 
 
-* link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.15/html-single/authentication_and_authorization/index#cco-ccoctl-configuring_cco-mode-sts[Configuring the Cloud Credential Operator utility]
+* link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.16/html-single/authentication_and_authorization/index#cco-ccoctl-configuring_cco-mode-sts[Configuring the Cloud Credential Operator utility]
 
 :StorageClass: AWS EFS
 :Provisioner: efs.csi.aws.com
@@ -80,5 +80,5 @@ include::modules/persistent-storage-csi-olm-operator-uninstall.adoc[leveloffset=
 [role="_additional-resources"]
 == Additional resources
 
-* link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.15/html-single/storage/index#persistent-storage-csi[Configuring CSI volumes]
+* link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.16/html-single/storage/index#persistent-storage-csi[Configuring CSI volumes]
 
diff --git a/support/troubleshooting/rosa-managed-resources.adoc b/support/troubleshooting/rosa-managed-resources.adoc
index 75a293bc3a3d..5216afbbd599 100644
--- a/support/troubleshooting/rosa-managed-resources.adoc
+++ b/support/troubleshooting/rosa-managed-resources.adoc
@@ -28,7 +28,7 @@ include::https://raw.githubusercontent.com/openshift/managed-cluster-config/mast
 [id="rosa-add-on-managed-namespaces"]
 == {product-title} add-on namespaces
 
-{product-title} add-ons are services available for installation after cluster installation. These additional services include {openshift-dev-spaces-productname}, Red Hat OpenShift API Management, and Cluster Logging Operator. Any changes to resources within the following namespaces can be overridden by the add-on during upgrades, which can lead to unsupported configurations for the add-on functionality.
+{product-title} add-ons are services available for installation after cluster installation. These additional services include {openshift-dev-spaces-productname}, Red{nbsp}Hat OpenShift API Management, and Cluster Logging Operator. Any changes to resources within the following namespaces can be overridden by the add-on during upgrades, which can lead to unsupported configurations for the add-on functionality.
 
 .List of add-on managed namespaces
 [%collapsible]
diff --git a/support/troubleshooting/troubleshooting-network-issues.adoc b/support/troubleshooting/troubleshooting-network-issues.adoc
index 2df95543a80f..7dcb5ca520e2 100644
--- a/support/troubleshooting/troubleshooting-network-issues.adoc
+++ b/support/troubleshooting/troubleshooting-network-issues.adoc
@@ -21,8 +21,8 @@ include::modules/configuring-ovs-log-level-permanently.adoc[leveloffset=+2]
 [role="_additional-resources"]
 .Additional resources
 
-* xref:../../post_installation_configuration/machine-configuration-tasks.adoc#understanding-the-machine-config-operator[Understanding the Machine Config Operator]
+* xref:../../machine_configuration/index.adoc#machine-config-operator_machine-config-overview[Understanding the Machine Config Operator]
 
-* xref:../../post_installation_configuration/machine-configuration-tasks.adoc#checking-mco-status_post-install-machine-configuration-tasks[Checking machine config pool status]
+* xref:../../machine_configuration/index.adoc#checking-mco-status_machine-config-overview[Checking machine config pool status]
 
 include::modules/displaying-ovs-logs.adoc[leveloffset=+2]
diff --git a/telco_ref_design_specs/core/telco-core-ref-design-components.adoc b/telco_ref_design_specs/core/telco-core-ref-design-components.adoc
index 63354160848d..7e0a011b1107 100644
--- a/telco_ref_design_specs/core/telco-core-ref-design-components.adoc
+++ b/telco_ref_design_specs/core/telco-core-ref-design-components.adoc
@@ -14,102 +14,102 @@ include::modules/telco-core-cpu-partitioning-performance-tune.adoc[leveloffset=+
 [role="_additional-resources"]
 .Additional resources
 
-* link:https://docs.openshift.com/container-platform/4.15/scalability_and_performance/low_latency_tuning/cnf-tuning-low-latency-nodes-with-perf-profile.html#cnf-cpu-infra-container_cnf-master[Tuning nodes for low latency with the performance profile]
+* link:https://docs.openshift.com/container-platform/4.16/scalability_and_performance/low_latency_tuning/cnf-tuning-low-latency-nodes-with-perf-profile.html#cnf-cpu-infra-container_cnf-master[Tuning nodes for low latency with the performance profile]
 
-* link:https://docs.openshift.com/container-platform/4.15/scalability_and_performance/ztp_far_edge/ztp-reference-cluster-configuration-for-vdu.html#ztp-du-configuring-host-firmware-requirements_sno-configure-for-vdu[Configuring host firmware for low latency and high performance]
+* link:https://docs.openshift.com/container-platform/4.16/scalability_and_performance/ztp_far_edge/ztp-reference-cluster-configuration-for-vdu.html#ztp-du-configuring-host-firmware-requirements_sno-configure-for-vdu[Configuring host firmware for low latency and high performance]
 
 include::modules/telco-core-service-mesh.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 .Additional resources
 
-* link:https://docs.openshift.com/container-platform/4.15/service_mesh/v2x/ossm-about.html[About OpenShift Service Mesh]
+* link:https://docs.openshift.com/container-platform/4.16/service_mesh/v2x/ossm-about.html[About OpenShift Service Mesh]
 
 include::modules/telco-core-rds-networking.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 .Additional resources
 
-* link:https://docs.openshift.com/container-platform/4.15/networking/understanding-networking.html[Understanding networking]
+* link:https://docs.openshift.com/container-platform/4.16/networking/understanding-networking.html[Understanding networking]
 
 include::modules/telco-core-cluster-network-operator.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 .Additional resources
 
-* link:https://docs.openshift.com/container-platform/4.15/networking/cluster-network-operator.html#nw-cluster-network-operator_cluster-network-operator[Cluster Network Operator]
+* link:https://docs.openshift.com/container-platform/4.16/networking/cluster-network-operator.html#nw-cluster-network-operator_cluster-network-operator[Cluster Network Operator]
 
 include::modules/telco-core-load-balancer.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 .Additional resources
 
-* link:https://docs.openshift.com/container-platform/4.15/networking/metallb/about-metallb.html[About MetalLB and the MetalLB Operator]
+* link:https://docs.openshift.com/container-platform/4.16/networking/metallb/about-metallb.html[About MetalLB and the MetalLB Operator]
 
 include::modules/telco-core-sriov.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 .Additional resources
 
-* link:https://docs.openshift.com/container-platform/4.15/networking/hardware_networks/about-sriov.html[About SR-IOV hardware networks]
+* link:https://docs.openshift.com/container-platform/4.16/networking/hardware_networks/about-sriov.html[About SR-IOV hardware networks]
 
 include::modules/telco-nmstate-operator.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 .Additional resources
 
-* link:https://docs.openshift.com/container-platform/4.15/networking/k8s_nmstate/k8s-nmstate-about-the-k8s-nmstate-operator.html[About the Kubernetes NMState Operator]
+* link:https://docs.openshift.com/container-platform/4.16/networking/k8s_nmstate/k8s-nmstate-about-the-k8s-nmstate-operator.html[About the Kubernetes NMState Operator]
 
 include::modules/telco-core-logging.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 .Additional resources
 
-* link:https://docs.openshift.com/container-platform/4.15/observability/logging/cluster-logging.html[About logging]
+* link:https://docs.openshift.com/container-platform/4.16/observability/logging/cluster-logging.html[About logging]
 
 include::modules/telco-core-power-management.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 .Additional resources
 
-* link:https://docs.openshift.com/container-platform/4.15/scalability_and_performance/low_latency_tuning/cnf-tuning-low-latency-nodes-with-perf-profile.html#cnf-configuring-power-saving-for-nodes_cnf-low-latency-perf-profile[Configuring power saving for nodes that run colocated high and low priority workloads]
+* link:https://docs.openshift.com/container-platform/4.16/scalability_and_performance/low_latency_tuning/cnf-tuning-low-latency-nodes-with-perf-profile.html#cnf-configuring-power-saving-for-nodes_cnf-low-latency-perf-profile[Configuring power saving for nodes that run colocated high and low priority workloads]
 
 include::modules/telco-core-storage.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 .Additional resources
 
-* link:https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.15[Product Documentation for Red Hat OpenShift Data Foundation]
+* link:https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.16[Product Documentation for Red Hat OpenShift Data Foundation]
 
 include::modules/telco-core-monitoring.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 .Additional resources
 
-* link:https://docs.openshift.com/container-platform/4.15/observability/monitoring/monitoring-overview.html#about-openshift-monitoring[About {product-version} monitoring]
+* link:https://docs.openshift.com/container-platform/4.16/observability/monitoring/monitoring-overview.html#about-openshift-monitoring[About {product-version} monitoring]
 
 include::modules/telco-core-scheduling.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 .Additional resources
 
-* link:https://docs.openshift.com/container-platform/4.15/nodes/scheduling/nodes-scheduler-about.html[Controlling pod placement using the scheduler]
+* link:https://docs.openshift.com/container-platform/4.16/nodes/scheduling/nodes-scheduler-about.html[Controlling pod placement using the scheduler]
 
-* link:https://docs.openshift.com/container-platform/4.15/scalability_and_performance/cnf-numa-aware-scheduling.html[Scheduling NUMA-aware workloads]
+* link:https://docs.openshift.com/container-platform/4.16/scalability_and_performance/cnf-numa-aware-scheduling.html[Scheduling NUMA-aware workloads]
 
 include::modules/telco-core-installation.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 .Additional resources
 
-* link:https://docs.openshift.com/container-platform/4.15/installing/installing_with_agent_based_installer/installing-with-agent-based-installer.html[Installing an {product-title} cluster with the Agent-based Installer]
+* link:https://docs.openshift.com/container-platform/4.16/installing/installing_with_agent_based_installer/installing-with-agent-based-installer.html[Installing an {product-title} cluster with the Agent-based Installer]
 
 include::modules/telco-core-security.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 .Additional resources
 
-* link:https://docs.openshift.com/container-platform/4.15/authentication/managing-security-context-constraints.html[Managing security context constraints]
+* link:https://docs.openshift.com/container-platform/4.16/authentication/managing-security-context-constraints.html[Managing security context constraints]
 
 include::modules/telco-core-scalability.adoc[leveloffset=+1]
 
@@ -121,7 +121,7 @@ include::modules/telco-core-rds-disconnected.adoc[leveloffset=+2]
 [role="_additional-resources"]
 .Additional resources
 
-* link:https://docs.openshift.com/container-platform/4.15/updating/updating_a_cluster/updating_disconnected_cluster/index.html[About cluster updates in a disconnected environment]
+* link:https://docs.openshift.com/container-platform/4.16/updating/updating_a_cluster/updating_disconnected_cluster/index.html[About cluster updates in a disconnected environment]
 
 include::modules/telco-core-kernel.adoc[leveloffset=+2]
 
diff --git a/telco_ref_design_specs/ran/telco-ran-ref-du-components.adoc b/telco_ref_design_specs/ran/telco-ran-ref-du-components.adoc
index e5e9c8197f7f..86d9afeed9a0 100644
--- a/telco_ref_design_specs/ran/telco-ran-ref-du-components.adoc
+++ b/telco_ref_design_specs/ran/telco-ran-ref-du-components.adoc
@@ -45,9 +45,9 @@ include::modules/telco-ran-gitops-operator-and-ztp-plugins.adoc[leveloffset=+2]
 [role="_additional-resources"]
 .Additional resources
 
-* link:https://docs.openshift.com/container-platform/4.15/scalability_and_performance/ztp_far_edge/ztp-preparing-the-hub-cluster.html#ztp-preparing-the-ztp-git-repository-ver-ind_ztp-preparing-the-hub-cluster[Preparing the {ztp} site configuration repository for version independence]
+* link:https://docs.openshift.com/container-platform/4.16/scalability_and_performance/ztp_far_edge/ztp-preparing-the-hub-cluster.html#ztp-preparing-the-ztp-git-repository-ver-ind_ztp-preparing-the-hub-cluster[Preparing the {ztp} site configuration repository for version independence]
 
-* link:https://docs.openshift.com/container-platform/4.15/scalability_and_performance/ztp_far_edge/ztp-advanced-policy-config.html#ztp-adding-new-content-to-gitops-ztp_ztp-advanced-policy-config[Adding custom content to the {ztp} pipeline]
+* link:https://docs.openshift.com/container-platform/4.16/scalability_and_performance/ztp_far_edge/ztp-advanced-policy-config.html#ztp-adding-new-content-to-gitops-ztp_ztp-advanced-policy-config[Adding custom content to the {ztp} pipeline]
 
 include::modules/telco-ran-agent-based-installer-abi.adoc[leveloffset=+2]
 
diff --git a/telco_ref_design_specs/ran/telco-ran-ref-du-crs.adoc b/telco_ref_design_specs/ran/telco-ran-ref-du-crs.adoc
index 1ca5d0e2cc22..5807fa4dcc11 100644
--- a/telco_ref_design_specs/ran/telco-ran-ref-du-crs.adoc
+++ b/telco_ref_design_specs/ran/telco-ran-ref-du-crs.adoc
@@ -14,7 +14,7 @@ CR fields you can change are annotated in the CR with YAML comments.
 [NOTE]
 ====
 You can extract the complete set of RAN DU CRs from the `ztp-site-generate` container image.
-See link:https://docs.openshift.com/container-platform/4.15/scalability_and_performance/ztp_far_edge/ztp-preparing-the-hub-cluster.html#ztp-preparing-the-ztp-git-repository_ztp-preparing-the-hub-cluster[Preparing the GitOps ZTP site configuration repository] for more information.
+See link:https://docs.openshift.com/container-platform/4.16/scalability_and_performance/ztp_far_edge/ztp-preparing-the-hub-cluster.html#ztp-preparing-the-ztp-git-repository_ztp-preparing-the-hub-cluster[Preparing the GitOps ZTP site configuration repository] for more information.
 ====
 
 include::modules/telco-ran-crs-day-2-operators.adoc[leveloffset=+1]
diff --git a/updating/preparing_for_updates/kmm-preflight-validation.adoc b/updating/preparing_for_updates/kmm-preflight-validation.adoc
index 5d5da309c730..50077bddc0bd 100644
--- a/updating/preparing_for_updates/kmm-preflight-validation.adoc
+++ b/updating/preparing_for_updates/kmm-preflight-validation.adoc
@@ -11,8 +11,9 @@ WARNING: This assembly has been moved into a subdirectory for 4.14+. Changes to
 
 To do: Remove this comment once 4.13 docs are EOL.
 ////
+// Updated for TELCODOCS-1848
 
-Before performing an upgrade on the cluster with applied KMM modules, the administrator must verify that kernel modules installed using KMM are able to be installed on the nodes after the cluster upgrade and possible kernel upgrade. Preflight attempts to validate every `Module` loaded in the cluster, in parallel. Preflight does not wait for validation of one `Module` to complete before starting validation of another `Module`.
+Before performing an upgrade on the cluster with applied KMM modules, you must verify that kernel modules installed using KMM are able to be installed on the nodes after the cluster upgrade and possible kernel upgrade. Preflight attempts to validate every `Module` loaded in the cluster, in parallel. Preflight does not wait for validation of one `Module` to complete before starting validation of another `Module`.
 
 :FeatureName: Kernel Module Management Operator Preflight validation
 
diff --git a/updating/preparing_for_updates/updating-cluster-prepare.adoc b/updating/preparing_for_updates/updating-cluster-prepare.adoc
index 47ac934e3a66..1b0c07ff8e24 100644
--- a/updating/preparing_for_updates/updating-cluster-prepare.adoc
+++ b/updating/preparing_for_updates/updating-cluster-prepare.adoc
@@ -1,6 +1,6 @@
 :_mod-docs-content-type: ASSEMBLY
 [id="updating-cluster-prepare"]
-= Preparing to update to {product-title} 4.15
+= Preparing to update to {product-title} 4.16
 include::_attributes/common-attributes.adoc[]
 :context: updating-cluster-prepare
 
@@ -27,15 +27,11 @@ Without the correct micro-architecture requirements, the update process will fai
 [id="kube-api-removals_{context}"]
 == Kubernetes API removals
 
-There are no Kubernetes API removals in {product-title} 4.15.
+{product-title} 4.16 uses Kubernetes 1.29, which removed several deprecated APIs.
 
-// Commenting out this section because there are no APIs being removed in OCP 4.15 / Kube 1.28. But we'll need this section again for 4.16
-////
-{product-title} 4.14 uses Kubernetes 1.27, which removed several deprecated APIs.
-
-A cluster administrator must provide a manual acknowledgment before the cluster can be updated from {product-title} 4.13 to 4.14. This is to help prevent issues after upgrading to {product-title} 4.14, where APIs that have been removed are still in use by workloads, tools, or other components running on or interacting with the cluster. Administrators must evaluate their cluster for any APIs in use that will be removed and migrate the affected components to use the appropriate new API version. After this evaluation and migration is complete, the administrator can provide the acknowledgment.
+A cluster administrator must provide a manual acknowledgment before the cluster can be updated from {product-title} 4.15 to 4.16. This is to help prevent issues after upgrading to {product-title} 4.16, where APIs that have been removed are still in use by workloads, tools, or other components running on or interacting with the cluster. Administrators must evaluate their cluster for any APIs in use that will be removed and migrate the affected components to use the appropriate new API version. After this evaluation and migration is complete, the administrator can provide the acknowledgment.
 
-Before you can update your {product-title} 4.13 cluster to 4.14, you must provide the administrator acknowledgment.
+Before you can update your {product-title} 4.15 cluster to 4.16, you must provide the administrator acknowledgment.
 
 // Removed Kubernetes APIs
 include::modules/update-preparing-list.adoc[leveloffset=+2]
@@ -59,7 +55,6 @@ include::modules/update-preparing-migrate.adoc[leveloffset=+2]
 
 // Providing the administrator acknowledgment
 include::modules/update-preparing-ack.adoc[leveloffset=+2]
-////
 
 // Assessing the risk of conditional updates
 include::modules/update-preparing-conditional.adoc[leveloffset=+1]
diff --git a/updating/understanding_updates/how-updates-work.adoc b/updating/understanding_updates/how-updates-work.adoc
index 47f5da1e0347..2d05421784d1 100644
--- a/updating/understanding_updates/how-updates-work.adoc
+++ b/updating/understanding_updates/how-updates-work.adoc
@@ -42,4 +42,4 @@ include::modules/update-mco-process.adoc[leveloffset=+1]
 [role="_additional-resources"]
 .Additional resources
 
-* xref:../../post_installation_configuration/machine-configuration-tasks.adoc#machine-config-overview-post-install-machine-configuration-tasks[Machine config overview]
\ No newline at end of file
+* xref:../../machine_configuration/index.adoc#machine-config-overview[Machine Config Overview]
\ No newline at end of file
diff --git a/updating/understanding_updates/intro-to-updates.adoc b/updating/understanding_updates/intro-to-updates.adoc
index 8c4b6c9ce4cb..be3744dab863 100644
--- a/updating/understanding_updates/intro-to-updates.adoc
+++ b/updating/understanding_updates/intro-to-updates.adoc
@@ -55,7 +55,7 @@ include::modules/update-common-terms.adoc[leveloffset=+1]
 [role="_additional-resources"]
 .Additional resources
 
-* xref:../../post_installation_configuration/machine-configuration-tasks.adoc#machine-config-overview-post-install-machine-configuration-tasks[Machine config overview]
+* xref:../../machine_configuration/index.adoc#machine-config-overview[Machine Config Overview]
 ifdef::openshift-enterprise[]
 * xref:../../updating/updating_a_cluster/updating_disconnected_cluster/disconnected-update-osus.adoc#update-service-overview_updating-restricted-network-cluster-osus[Using the OpenShift Update Service in a disconnected environment]
 * xref:../../updating/understanding_updates/understanding-update-channels-release.adoc#understanding-update-channels_understanding-update-channels-releases[Update channels]
diff --git a/updating/understanding_updates/understanding-openshift-update-duration.adoc b/updating/understanding_updates/understanding-openshift-update-duration.adoc
index 5a496028f444..2d3aa7fce587 100644
--- a/updating/understanding_updates/understanding-openshift-update-duration.adoc
+++ b/updating/understanding_updates/understanding-openshift-update-duration.adoc
@@ -33,7 +33,7 @@ include::modules/update-duration-mco.adoc[leveloffset=+2]
 [role="_additional-resources"]
 .Additional resources
 
-* xref:../../post_installation_configuration/machine-configuration-tasks.adoc#machine-config-overview-post-install-machine-configuration-tasks[Machine config overview]
+* xref:../../machine_configuration/index.adoc#machine-config-overview[Machine Config Overview]
 * xref:../../nodes/pods/nodes-pods-configuring.adoc#nodes-pods-configuring-pod-distruption-about_nodes-pods-configuring[Pod disruption budget]
 
 //Example update duration of cluster Operators
@@ -63,4 +63,4 @@ endif::openshift-origin[]
 == Additional resources
 
 * xref:../../architecture/architecture.adoc#architecture[OpenShift Container Platform architecture]
-* xref:../../updating/understanding_updates/intro-to-updates.adoc#understanding-openshift-updates[OpenShift Container Platform updates]
\ No newline at end of file
+* xref:../../updating/understanding_updates/intro-to-updates.adoc#understanding-openshift-updates[OpenShift Container Platform updates]
diff --git a/updating/updating_a_cluster/eus-eus-update.adoc b/updating/updating_a_cluster/eus-eus-update.adoc
index 10acd3f2e5e5..0d6df464051c 100644
--- a/updating/updating_a_cluster/eus-eus-update.adoc
+++ b/updating/updating_a_cluster/eus-eus-update.adoc
@@ -26,7 +26,6 @@ There are a number of caveats to consider when attempting an EUS-to-EUS update.
 * EUS-to-EUS updates are only offered after updates between all versions involved have been made available in `stable` channels.
 * If you encounter issues during or after updating to the odd-numbered minor version but before updating to the next even-numbered version, then remediation of those issues may require that non-control plane hosts complete the update to the odd-numbered version before moving forward.
 * You can do a partial update by updating the worker or custom pool nodes to accommodate the time it takes for maintenance.
-* You can complete the update process during multiple maintenance windows by pausing at intermediate steps. However, plan to complete the entire update within 60 days. This is critical to ensure that normal cluster automation processes are completed.
 
 * Until the machine config pools are unpaused and the update is complete, some features and bugs fixes in <4.y+1> and <4.y+2> of {product-title} are not available.
 
diff --git a/updating/updating_a_cluster/migrating-to-multi-payload.adoc b/updating/updating_a_cluster/migrating-to-multi-payload.adoc
index 869005a62142..0420a0052d7a 100644
--- a/updating/updating_a_cluster/migrating-to-multi-payload.adoc
+++ b/updating/updating_a_cluster/migrating-to-multi-payload.adoc
@@ -14,7 +14,9 @@ To do: Remove this comment once 4.13 docs are EOL.
 
 You can migrate your current cluster with single-architecture compute machines to a cluster with multi-architecture compute machines by updating to a multi-architecture, manifest-listed payload. This allows you to add mixed architecture compute nodes to your cluster.
 
-For information about configuring your multi-architecture compute machines, see _Configuring multi-architecture compute machines on an {product-title} cluster_.
+For information about configuring your multi-architecture compute machines, see "Configuring multi-architecture compute machines on an {product-title} cluster".
+
+Before migrating your single-architecture cluster to a cluster with multi-architecture compute machines, it is recommended to install the Multiarch Tuning Operator, and deploy a `ClusterPodPlacementConfig` custom resource. For more information, see "Managing workloads on multi-architecture clusters by using the Multiarch Tuning Operator
 
 [IMPORTANT]
 ====
@@ -27,6 +29,7 @@ include::modules/migrating-to-multi-arch-cli.adoc[leveloffset=+1]
 [role="_additional-resources"]
 .Additional resources
 * xref:../../post_installation_configuration/configuring-multi-arch-compute-machines/multi-architecture-configuration.adoc#multi-architecture-configuration[Configuring multi-architecture compute machines on an {product-title} cluster]
+* xref:../../post_installation_configuration/configuring-multi-arch-compute-machines/multiarch-tuning-operator.adoc#multiarch-tuning-operator[Managing workloads on multi-architecture clusters by using the Multiarch Tuning Operator]. 
 * xref:../../updating/updating_a_cluster/updating-cluster-web-console.adoc#updating-cluster-web-console[Updating a cluster using the web console]
 * xref:../../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI]
 * xref:../../updating/understanding_updates/intro-to-updates.adoc#understanding-clusterversion-conditiontypes_understanding-openshift-updates[Understanding cluster version condition types]
diff --git a/updating/updating_a_cluster/updating-cluster-cli.adoc b/updating/updating_a_cluster/updating-cluster-cli.adoc
index dc04fa1d4a52..13f0f98e413b 100644
--- a/updating/updating_a_cluster/updating-cluster-cli.adoc
+++ b/updating/updating_a_cluster/updating-cluster-cli.adoc
@@ -30,7 +30,7 @@ See xref:../../authentication/using-rbac.adoc#using-rbac[Using RBAC to define an
 * Ensure that all machine config pools (MCPs) are running and not paused. Nodes associated with a paused MCP are skipped during the update process. You can pause the MCPs if you are performing a canary rollout update strategy.
 * If your cluster uses manually maintained credentials, update the cloud provider resources for the new release. For more information, including how to determine if this is a requirement for your cluster, see xref:../../updating/preparing_for_updates/preparing-manual-creds-update.adoc#preparing-manual-creds-update[Preparing to update a cluster with manually maintained credentials].
 * Ensure that you address all `Upgradeable=False` conditions so the cluster allows an update to the next minor version. An alert displays at the top of the *Cluster Settings* page when you have one or more cluster Operators that cannot be updated. You can still update to the next available patch update for the minor release you are currently on.
-// * Review the list of APIs that were removed in Kubernetes 1.28, migrate any affected components to use the new API version, and provide the administrator acknowledgment. For more information, see xref:../../updating/preparing_for_updates/updating-cluster-prepare.adoc#updating-cluster-prepare[Preparing to update to {product-title} 4.14].
+* Review the list of APIs that were removed in Kubernetes 1.28, migrate any affected components to use the new API version, and provide the administrator acknowledgment. For more information, see xref:../../updating/preparing_for_updates/updating-cluster-prepare.adoc#updating-cluster-prepare[Preparing to update to {product-title} 4.16].
 * If you run an Operator or you have configured any application with the pod disruption budget, you might experience an interruption during the update process. If `minAvailable` is set to 1 in `PodDisruptionBudget`, the nodes are drained to apply pending machine configs which might block the eviction process. If several nodes are rebooted, all the pods might run on only one node, and the `PodDisruptionBudget` field can prevent the node drain.
 
 [IMPORTANT]
@@ -57,6 +57,9 @@ include::modules/updating-sno.adoc[leveloffset=+1]
 // Updating a cluster by using the CLI
 include::modules/update-upgrading-cli.adoc[leveloffset=+1]
 
+//Introducing oc adm upgrade status - Tech Preview
+include::modules/update-upgrading-oc-adm-upgrade-status.adoc[leveloffset=+1]
+
 [role="_additional-resources"]
 .Additional resources
 
diff --git a/updating/updating_a_cluster/updating_disconnected_cluster/disconnected-update-osus.adoc b/updating/updating_a_cluster/updating_disconnected_cluster/disconnected-update-osus.adoc
index eb88863818e4..247a4becab34 100644
--- a/updating/updating_a_cluster/updating_disconnected_cluster/disconnected-update-osus.adoc
+++ b/updating/updating_a_cluster/updating_disconnected_cluster/disconnected-update-osus.adoc
@@ -24,7 +24,7 @@ The following steps outline the high-level workflow on how to update a cluster i
 
 . Create a graph data container image for the OpenShift Update Service.
 
-. Install the OSUS application and configure your clusters to use the local OpenShift Update Service.
+. Install the OSUS application and configure your clusters to use the OpenShift Update Service in your environment.
 
 . Perform a supported update procedure from the documentation as you would with a connected cluster.
 
@@ -40,7 +40,7 @@ include::modules/disconnected-osus-overview.adoc[leveloffset=+1]
 == Prerequisites
 
 * You must have the `oc` command-line interface (CLI) tool installed.
-* You must provision a local container image registry with the container images for your update, as described in xref:../../../updating/updating_a_cluster/updating_disconnected_cluster/mirroring-image-repository.adoc#mirroring-ocp-image-repository[Mirroring {product-title} images].
+* You must provision a container image registry in your environment with the container images for your update, as described in xref:../../../updating/updating_a_cluster/updating_disconnected_cluster/mirroring-image-repository.adoc#mirroring-ocp-image-repository[Mirroring {product-title} images].
 
 [id="registry-configuration-for-update-service"]
 == Configuring access to a secured registry for the OpenShift Update Service
@@ -66,7 +66,7 @@ data:
     ...
     -----END CERTIFICATE-----
 ----
-<1> The OpenShift Update Service Operator requires the config map key name updateservice-registry in the registry CA cert.
+<1> The OpenShift Update Service Operator requires the config map key name `updateservice-registry` in the registry CA cert.
 <2> If the registry has the port, such as `registry-with-port.example.com:5000`, `:` should be replaced with `..`.
 
 // Updating the global cluster pull secret
@@ -114,7 +114,7 @@ and must be no more than 63 characters`, try creating the Update Service with a
 ====
 
 // Configuring the Cluster Version Operator (CVO)
-include::modules/update-service-configure-cvo.adoc[leveloffset=+3]
+include::modules/update-service-configure-cvo.adoc[leveloffset=+1]
 
 [NOTE]
 ====
@@ -126,15 +126,15 @@ See xref:../../../networking/enable-cluster-wide-proxy.adoc#enable-cluster-wide-
 
 Before updating your cluster, confirm that the following conditions are met:
 
-* The Cluster Version Operator (CVO) is configured to use your locally-installed OpenShift Update Service application.
+* The Cluster Version Operator (CVO) is configured to use your installed OpenShift Update Service application.
 * The release image signature config map for the new release is applied to your cluster.
 +
 [NOTE]
 ====
-The release image signature config map allows the Cluster Version Operator (CVO) to ensure the integrity of release images by verifying that the actual image signatures match the expected signatures.
+The Cluster Version Operator (CVO) uses release image signatures to ensure that release images have not been modified, by verifying that the release image signatures match the expected result.
 ====
-* The current release and update target release images are mirrored to a locally accessible registry.
-* A recent graph data container image has been mirrored to your local registry.
+* The current release and update target release images are mirrored to a registry in the disconnected environment.
+* A recent graph data container image has been mirrored to your registry.
 * A recent version of the OpenShift Update Service Operator is installed.
 +
 [NOTE]
@@ -143,7 +143,7 @@ If you have not recently installed or updated the OpenShift Update Service Opera
 See xref:../../../operators/admin/olm-restricted-networks.adoc#olm-restricted-networks[Using Operator Lifecycle Manager on restricted networks] for more information about how to update your OLM catalog in a disconnected environment.
 ====
 
-After you configure your cluster to use the locally-installed OpenShift Update Service and local mirror registry, you can use any of the following update methods:
+After you configure your cluster to use the installed OpenShift Update Service and local mirror registry, you can use any of the following update methods:
 
 ** xref:../../../updating/updating_a_cluster/updating-cluster-web-console.adoc#updating-cluster-web-console[Updating a cluster using the web console]
 ** xref:../../../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI]
diff --git a/updating/updating_a_cluster/updating_disconnected_cluster/disconnected-update.adoc b/updating/updating_a_cluster/updating_disconnected_cluster/disconnected-update.adoc
index 6f72574b54ff..5f9c2baca6e0 100644
--- a/updating/updating_a_cluster/updating_disconnected_cluster/disconnected-update.adoc
+++ b/updating/updating_a_cluster/updating_disconnected_cluster/disconnected-update.adoc
@@ -69,4 +69,4 @@ include::modules/generating-icsp-object-scoped-to-a-registry.adoc[leveloffset=+1
 
 * xref:../../../operators/admin/olm-restricted-networks.adoc#olm-restricted-networks[Using Operator Lifecycle Manager on restricted networks]
 
-* xref:../../../post_installation_configuration/machine-configuration-tasks.adoc#machine-config-overview-post-install-machine-configuration-tasks[Machine Config Overview]
+* xref:../../../machine_configuration/index.adoc#machine-config-overview[Machine Config Overview]
diff --git a/upgrading/rosa-upgrading-sts.adoc b/upgrading/rosa-upgrading-sts.adoc
index f31edd084355..1f93d98d0a7b 100644
--- a/upgrading/rosa-upgrading-sts.adoc
+++ b/upgrading/rosa-upgrading-sts.adoc
@@ -11,7 +11,7 @@ toc::[]
 
 To plan an upgrade, review the xref:../rosa_architecture/rosa_policy_service_definition/rosa-life-cycle.adoc#rosa-life-cycle[{product-title} update life cycle]. The life cycle page includes release definitions, support and upgrade requirements, installation policy information and life cycle dates.
 
-Upgrades are manually initiated or automatically scheduled. Red Hat Site Reliability Engineers (SREs) monitor upgrade progress and remedy any issues encountered.
+Upgrades are manually initiated or automatically scheduled. Red{nbsp}Hat Site Reliability Engineers (SREs) monitor upgrade progress and remedy any issues encountered.
 
 [id="rosa-sts-upgrading-a-cluster-with-sts"]
 == Upgrading a ROSA Classic cluster
diff --git a/virt/about_virt/about-virt.adoc b/virt/about_virt/about-virt.adoc
index 10e1a8ac102d..86b78160eb11 100644
--- a/virt/about_virt/about-virt.adoc
+++ b/virt/about_virt/about-virt.adoc
@@ -52,3 +52,4 @@ endif::openshift-rosa,openshift-dedicated[]
 * xref:../../virt/live_migration/virt-about-live-migration.adoc#virt-about-live-migration[About live migration]
 * xref:../../virt/nodes/virt-node-maintenance.adoc#eviction-strategies[Eviction strategies]
 * link:https://access.redhat.com/articles/6994974[Tuning & Scaling Guide]
+* link:https://access.redhat.com/articles/6571671[Supported limits for OpenShift Virtualization 4.x]
diff --git a/virt/backup_restore/virt-backing-up-vms.adoc b/virt/backup_restore/virt-backing-up-vms.adoc
deleted file mode 100644
index 682f8ae093e2..000000000000
--- a/virt/backup_restore/virt-backing-up-vms.adoc
+++ /dev/null
@@ -1,65 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-include::_attributes/common-attributes.adoc[]
-[id="virt-backing-up-vms"]
-= Backing up virtual machines
-:context: virt-backing-up-vms
-
-toc::[]
-
-You back up virtual machines (VMs) by creating an OpenShift API for Data Protection (OADP) xref:../../virt/backup_restore/virt-backing-up-vms.adoc#oadp-creating-backup-cr_virt-backing-up-vms[`Backup` custom resource (CR)].
-
-The `Backup` CR performs the following actions:
-
-// Hiding MOG from ROSA/OSD as not supported
-ifndef::openshift-rosa,openshift-dedicated[]
-* Backs up {VirtProductName} resources by creating an archive file on S3-compatible object storage, such as xref:../../backup_and_restore/application_backup_and_restore/installing/installing-oadp-mcg.adoc#installing-oadp-mcg[Multicloud Object Gateway], Noobaa, or Minio.
-endif::openshift-rosa,openshift-dedicated[]
-ifdef::openshift-rosa,openshift-dedicated[]
-* Backs up {VirtProductName} resources by creating an archive file on S3-compatible object storage, such as Noobaa or Minio.
-endif::openshift-rosa,openshift-dedicated[]
-
-// Hiding Backup/Restore link until 68901 is merged
-ifndef::openshift-rosa,openshift-dedicated[]
-* Backs up VM disks by using one of the following options:
-
-** xref:../../virt/backup_restore/virt-backing-up-vms.adoc#oadp-backing-up-pvs-csi_virt-backing-up-vms[Container Storage Interface (CSI) snapshots] on CSI-enabled cloud storage, such as Ceph RBD or Ceph FS.
-** xref:../../backup_and_restore/application_backup_and_restore/backing_up_and_restoring/oadp-backing-up-applications-restic-doc.adoc#backing-up-applications[Backing up applications with File System Backup: Kopia or Restic] on object storage.
-endif::openshift-rosa,openshift-dedicated[]
-ifdef::openshift-rosa,openshift-dedicated[]
-* Backs up VM disks by using one of the following options:
-
-** xref:../../virt/backup_restore/virt-backing-up-vms.adoc#oadp-backing-up-pvs-csi_virt-backing-up-vms[Container Storage Interface (CSI) snapshots] on CSI-enabled cloud storage, such as Ceph RBD or Ceph FS.
-** Backing up applications with File System Backup: Kopia or Restic on object storage.
-endif::openshift-rosa,openshift-dedicated[]
-
-[NOTE]
-====
-OADP provides backup hooks to freeze the VM file system before the backup operation and unfreeze it when the backup is complete.
-
-The `kubevirt-controller` creates the `virt-launcher` pods with annotations that enable Velero to run the `virt-freezer` binary before and after the backup operation.
-
-The `freeze` and `unfreeze` APIs are subresources of the VM snapshot API. See xref:../../virt/backup_restore/virt-backup-restore-snapshots.adoc#virt-about-vm-snapshots_virt-backup-restore-snapshots[About virtual machine snapshots] for details.
-====
-
-ifndef::openshift-rosa,openshift-dedicated[]
-You can add xref:../../backup_and_restore/application_backup_and_restore/backing_up_and_restoring/oadp-creating-backup-hooks-doc.adoc#backing-up-applications[hooks] to the `Backup` CR to run commands on specific VMs before or after the backup operation.
-
-You schedule a backup by creating a xref:../../backup_and_restore/application_backup_and_restore/backing_up_and_restoring/oadp-scheduling-backups-doc.adoc#backing-up-applications[`Schedule` CR] instead of a `Backup` CR.
-endif::openshift-rosa,openshift-dedicated[]
-ifdef::openshift-rosa,openshift-dedicated[]
-You can add hooks to the `Backup` CR to run commands on specific VMs before or after the backup operation.
-
-You schedule a backup by creating a `Schedule` CR instead of a `Backup` CR.
-endif::openshift-rosa,openshift-dedicated[]
-
-include::modules/oadp-creating-backup-cr.adoc[leveloffset=+1]
-include::modules/oadp-backing-up-pvs-csi.adoc[leveloffset=+2]
-include::modules/oadp-backing-up-applications-restic.adoc[leveloffset=+2]
-include::modules/oadp-creating-backup-hooks.adoc[leveloffset=+2]
-
-ifndef::openshift-rosa,openshift-dedicated[]
-[id="additional-resources_virt-backing-up-vms"]
-== Additional resources
-
-* xref:../../storage/container_storage_interface/persistent-storage-csi-snapshots.adoc#persistent-storage-csi-snapshots-overview_persistent-storage-csi-snapshots[Overview of CSI volume snapshots]
-endif::openshift-rosa,openshift-dedicated[]
diff --git a/virt/backup_restore/virt-backup-restore-overview.adoc b/virt/backup_restore/virt-backup-restore-overview.adoc
index 8548f32b55e6..6b6dce95c5e8 100644
--- a/virt/backup_restore/virt-backup-restore-overview.adoc
+++ b/virt/backup_restore/virt-backup-restore-overview.adoc
@@ -3,45 +3,54 @@ include::_attributes/common-attributes.adoc[]
 [id="virt-backup-restore-overview"]
 = Backing up and restoring virtual machines
 :context: virt-backup-restore-overview
+:virt-backup-restore-overview:
+:credentials: cloud-credentials
+:provider: gcp
 
 toc::[]
 
-//Hiding all links until PR 68901 merges
-ifndef::openshift-rosa,openshift-dedicated[]
-Back up and restore virtual machines by using the xref:../../backup_and_restore/index.adoc#application-backup-restore-operations-overview[OpenShift API for Data Protection (OADP)].
+You can install the {oadp-first} with {VirtProductName} by installing the {oadp-short} Operator and configuring a backup location. Then, you can install the Data Protection Application.
 
-.Prerequisites
+Back up and restore virtual machines by using the xref:../../backup_and_restore/index.adoc#application-backup-restore-operations-overview[{oadp-full}].
 
-* Access to the cluster as a user with the `cluster-admin` role.
-// Non-admin user [https://issues.redhat.com/browse/OADP-203] is targeted for OADP 1.2.
+[NOTE]
+====
+{oadp-full} with {VirtProductName} supports the following backup and restore storage options:
 
-.Procedure
+* Container Storage Interface (CSI) backups
 
-. Install the xref:../../backup_and_restore/application_backup_and_restore/installing/about-installing-oadp.adoc#about-installing-oadp[OADP Operator] according to the instructions for your storage provider.
-. Install the xref:../../backup_and_restore/application_backup_and_restore/installing/installing-oadp-ocs.adoc#oadp-installing-dpa_installing-oadp-ocs[Data Protection Application] with the `kubevirt` and `openshift` xref:../../backup_and_restore/application_backup_and_restore/oadp-features-plugins.adoc#oadp-plugins_oadp-features-plugins[plugins].
-. Back up virtual machines by creating a xref:../../backup_and_restore/application_backup_and_restore/backing_up_and_restoring/backing-up-applications.adoc#backing-up-applications[`Backup` custom resource (CR)].
-. Restore the `Backup` CR by creating a xref:../../backup_and_restore/application_backup_and_restore/backing_up_and_restoring/restoring-applications.adoc#restoring-applications[`Restore` CR].
+* Container Storage Interface (CSI) backups with DataMover
+
+The following storage options are excluded:
+
+* File system backup and restore
+
+* Volume snapshot backup and restore
+
+For more information, see xref:../../backup_and_restore/application_backup_and_restore/backing_up_and_restoring/oadp-backing-up-applications-restic-doc.adoc#oadp-backing-up-applications-restic-doc[Backing up applications with File System Backup: Kopia or Restic].
+====
+To install the {oadp-short} Operator in a restricted network environment, you must first disable the default OperatorHub sources and mirror the Operator catalog. See xref:../../operators/admin/olm-restricted-networks.adoc#olm-restricted-networks[Using Operator Lifecycle Manager on restricted networks] for details.
+
+include::modules/install-and-configure-oadp-kubevirt.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
-[id="additional-resources_virt-backup-restore-overview"]
-== Additional resources
+.Additional resources
 
-* xref:../../backup_and_restore/application_backup_and_restore/oadp-features-plugins.adoc#oadp-features-plugins[OADP features and plugins]
-* xref:../../backup_and_restore/application_backup_and_restore/troubleshooting.adoc#troubleshooting[Troubleshooting]
-endif::openshift-rosa,openshift-dedicated[]
+* xref:../../backup_and_restore/application_backup_and_restore/oadp-features-plugins.adoc#oadp-plugins_oadp-features-plugins[{oadp-short} plugins]
+* xref:../../backup_and_restore/application_backup_and_restore/backing_up_and_restoring/backing-up-applications.adoc#backing-up-applications[`Backup` custom resource (CR)]
+* xref:../../backup_and_restore/application_backup_and_restore/backing_up_and_restoring/restoring-applications.adoc#restoring-applications[`Restore` CR]
+* xref:../../operators/admin/olm-restricted-networks.adoc#olm-restricted-networks[Using Operator Lifecycle Manager on restricted networks]
 
-ifdef::openshift-rosa,openshift-dedicated[]
-Back up and restore virtual machines by using the OpenShift API for Data Protection (OADP).
+include::modules/oadp-installing-dpa-1-3.adoc[leveloffset=+1]
 
-.Prerequisites
+[IMPORTANT]
+====
+Red Hat supports using {VirtProductName} 4.14 or later with {oadp-short} 1.3.x or later.
 
-* Access to the cluster as a user with the `cluster-admin` role.
-// Non-admin user [https://issues.redhat.com/browse/OADP-203] is targeted for OADP 1.2.
+{oadp-short} versions before 1.3.0 are not supported for back up and restore of {VirtProductName}.
+====
 
-.Procedure
+:!provider:
+:!credentials:
+:!virt-backup-restore-overview:
 
-. Install the OADP Operator according to the instructions for your storage provider.
-. Install the Data Protection Application with the `kubevirt` and `openshift` plugins.
-. Back up virtual machines by creating a `Backup` custom resource (CR).
-. Restore the `Backup` CR by creating a `Restore` CR.
-endif::openshift-rosa,openshift-dedicated[]
\ No newline at end of file
diff --git a/virt/backup_restore/virt-installing-configuring-oadp.adoc b/virt/backup_restore/virt-installing-configuring-oadp.adoc
deleted file mode 100644
index abcc0ad7c67f..000000000000
--- a/virt/backup_restore/virt-installing-configuring-oadp.adoc
+++ /dev/null
@@ -1,39 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-include::_attributes/common-attributes.adoc[]
-[id="virt-installing-configuring-oadp"]
-= Installing and configuring OADP
-:context: virt-installing-configuring-oadp
-:virt-installing-configuring-oadp:
-:credentials: cloud-credentials
-:provider: gcp
-
-toc::[]
-
-As a cluster administrator, you install the OpenShift API for Data Protection (OADP) by installing the OADP Operator. The Operator installs link:https://{velero-domain}/docs/v{velero-version}/[Velero {velero-version}].
-
-You create a default `Secret` for your backup storage provider and then you install the Data Protection Application.
-
-include::modules/oadp-installing-operator.adoc[leveloffset=+1]
-
-include::modules/oadp-about-backup-snapshot-locations-secrets.adoc[leveloffset=+1]
-include::modules/oadp-creating-default-secret.adoc[leveloffset=+2]
-include::modules/oadp-secrets-for-different-credentials.adoc[leveloffset=+2]
-
-[id="configuring-dpa-ocs"]
-== Configuring the Data Protection Application
-
-You can configure the Data Protection Application by setting Velero resource allocations or enabling self-signed CA certificates.
-
-include::modules/oadp-setting-resource-limits-and-requests.adoc[leveloffset=+2]
-include::modules/oadp-self-signed-certificate.adoc[leveloffset=+2]
-
-include::modules/oadp-installing-dpa-1-2-and-earlier.adoc[leveloffset=+1]
-include::modules/oadp-installing-dpa-1-3.adoc[leveloffset=+1]
-include::modules/oadp-enabling-csi-dpa.adoc[leveloffset=+2]
-
-[id="uninstalling-oadp_{context}"]
-== Uninstalling OADP
-
-You uninstall the OpenShift API for Data Protection (OADP) by deleting the OADP Operator. See xref:../../operators/admin/olm-deleting-operators-from-cluster.adoc#olm-deleting-operators-from-cluster[Deleting Operators from a cluster] for details.
-
-:virt-installing-configuring-oadp!:
diff --git a/virt/backup_restore/virt-restoring-vms.adoc b/virt/backup_restore/virt-restoring-vms.adoc
deleted file mode 100644
index fdac38112e7b..000000000000
--- a/virt/backup_restore/virt-restoring-vms.adoc
+++ /dev/null
@@ -1,14 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-include::_attributes/common-attributes.adoc[]
-[id="virt-restoring-vms"]
-= Restoring virtual machines
-:context: virt-restoring-vms
-
-toc::[]
-
-You restore an OpenShift API for Data Protection (OADP) `Backup` custom resource (CR) by creating a xref:../../virt/backup_restore/virt-restoring-vms.adoc#oadp-creating-restore-cr_virt-restoring-vms[`Restore` CR].
-
-You can add xref:../../virt/backup_restore/virt-restoring-vms.adoc#oadp-creating-restore-hooks_virt-restoring-vms[hooks] to the `Restore` CR to run commands in init containers, before the application container starts, or in the application container itself.
-
-include::modules/oadp-creating-restore-cr.adoc[leveloffset=+1]
-include::modules/oadp-creating-restore-hooks.adoc[leveloffset=+2]
diff --git a/virt/getting_started/virt-getting-started.adoc b/virt/getting_started/virt-getting-started.adoc
index 7207a7371c52..f9565a53a4f4 100644
--- a/virt/getting_started/virt-getting-started.adoc
+++ b/virt/getting_started/virt-getting-started.adoc
@@ -26,6 +26,7 @@ endif::openshift-rosa,openshift-dedicated[]
 * xref:../../virt/install/installing-virt.adoc#virt-installing-virt-operator_installing-virt[Install the {VirtProductName} Operator].
 * xref:../../virt/getting_started/virt-using-the-cli-tools.adoc#installing-virtctl_virt-using-the-cli-tools[Install the `virtctl` command line interface (CLI) tool].
 
+
 [discrete]
 [id="additional-resources_planning-and-installing"]
 [role="_additional-resources"]
@@ -101,5 +102,7 @@ Manage a VM:
 * xref:../../virt/storage/virt-storage-config-overview.adoc#virt-storage-config-overview[Configure storage options and automatic boot source updates].
 * xref:../../virt/monitoring/virt-monitoring-overview.adoc#virt-monitoring-overview[Learn about monitoring and health checks].
 * xref:../../virt/live_migration/virt-about-live-migration.adoc#virt-about-live-migration[Learn about live migration].
-* xref:../../virt/backup_restore/virt-backup-restore-overview.adoc#virt-backup-restore-overview[Back up and restore VMs].
+ifndef::openshift-rosa,openshift-dedicated[]
+* xref:../../backup_and_restore/application_backup_and_restore/installing/installing-oadp-kubevirt.adoc#installing-oadp-kubevirt[Back up and restore VMs by using the {oadp-first}].
+endif::openshift-rosa,openshift-dedicated[]
 * link:https://access.redhat.com/articles/6994974[Tune and scale your cluster].
diff --git a/virt/monitoring/virt-exposing-downward-metrics.adoc b/virt/monitoring/virt-exposing-downward-metrics.adoc
index 4eec7c783e73..f86fd50f5abd 100644
--- a/virt/monitoring/virt-exposing-downward-metrics.adoc
+++ b/virt/monitoring/virt-exposing-downward-metrics.adoc
@@ -10,6 +10,13 @@ As an administrator, you can expose a limited set of host and virtual machine (V
 
 Users can view the metrics results by using the command line or the `vm-dump-metrics tool`.
 
+[NOTE]
+====
+On Red Hat Enterprise Linux (RHEL) 9, use the command line to view downward metrics. See xref:../../virt/monitoring/virt-exposing-downward-metrics.adoc#virt-viewing-downward-metrics-cli_virt-exposing-downward-metrics[Viewing downward metrics by using the command line].
+
+The vm-dump-metrics tool is not supported on the Red Hat Enterprise Linux (RHEL) 9 platform.
+====
+
 [id="virt-enabling-disabling-feature-gate"]
 == Enabling or disabling the downwardMetrics feature gate
 
diff --git a/virt/monitoring/virt-prometheus-queries.adoc b/virt/monitoring/virt-prometheus-queries.adoc
index ad676a957dc5..0c57a5252708 100644
--- a/virt/monitoring/virt-prometheus-queries.adoc
+++ b/virt/monitoring/virt-prometheus-queries.adoc
@@ -20,7 +20,7 @@ endif::openshift-rosa,openshift-dedicated[]
 
 // Hiding in ROSA/OSD as user cannot edit MCO
 ifndef::openshift-rosa,openshift-dedicated[]
-* To use the vCPU metric, the `schedstats=enable` kernel argument must be applied to the `MachineConfig` object. This kernel argument enables scheduler statistics used for debugging and performance tuning and adds a minor additional load to the scheduler. For more information, see xref:../../post_installation_configuration/machine-configuration-tasks.adoc#nodes-nodes-kernel-arguments_post-install-machine-configuration-tasks[Adding kernel arguments to nodes].
+* To use the vCPU metric, the `schedstats=enable` kernel argument must be applied to the `MachineConfig` object. This kernel argument enables scheduler statistics used for debugging and performance tuning and adds a minor additional load to the scheduler. For more information, see xref:../../machine_configuration/machine-configs-configure.adoc#nodes-nodes-kernel-arguments_machine-configs-configure[Adding kernel arguments to nodes].
 endif::openshift-rosa,openshift-dedicated[]
 
 * For guest memory swapping queries to return data, memory swapping must be enabled on the virtual guests.
diff --git a/virt/monitoring/virt-running-cluster-checkups.adoc b/virt/monitoring/virt-running-cluster-checkups.adoc
index 49a33f6a7fab..05e2fbf35f1a 100644
--- a/virt/monitoring/virt-running-cluster-checkups.adoc
+++ b/virt/monitoring/virt-running-cluster-checkups.adoc
@@ -22,6 +22,21 @@ include::snippets/technology-preview.adoc[]
 
 include::modules/virt-about-cluster-checkup-framework.adoc[leveloffset=+1]
 
+== Running cluster checkups in the web console
+
+Use the web console to run a latency or storage checkup on a cluster.
+
+Use the following procedures the first time you run a latency checkup and storage checkup in the web console. For additional checkups, click *Run checkup* on either checkup tab, and select the appropriate checkup from the drop down menu.
+
+[IMPORTANT]
+====
+Before you run a latency checkup, you must first xref:../../virt/vm_networking/virt-connecting-vm-to-linux-bridge.adoc#virt-connecting-vm-to-linux-bridge[create a bridge interface] on the cluster nodes to connect the VM's secondary interface to any interface on the node. If you do not create a bridge interface, the VMs will not start and the job will fail.
+====
+
+include::modules/virt-latency-checkup-web-console.adoc[leveloffset=+2]
+
+include::modules/virt-storage-checkup-web-console.adoc[leveloffset=+2]
+
 include::modules/virt-measuring-latency-vm-secondary-network.adoc[leveloffset=+1]
 
 include::modules/virt-checking-cluster-dpdk-readiness.adoc[leveloffset=+1]
diff --git a/virt/support/virt-collecting-virt-data.adoc b/virt/support/virt-collecting-virt-data.adoc
index 7fa74d0be2b4..4bad7aa64753 100644
--- a/virt/support/virt-collecting-virt-data.adoc
+++ b/virt/support/virt-collecting-virt-data.adoc
@@ -39,7 +39,7 @@ Collecting data about your environment minimizes the time required to analyze an
 // must-gather not supported for ROSA/OSD, per Dustin Row
 ifndef::openshift-rosa,openshift-dedicated[]
 . xref:../../support/gathering-cluster-data.adoc#support_gathering_data_gathering-cluster-data[Collect must-gather data for the cluster].
-. link:https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.15/html-single/troubleshooting_openshift_data_foundation/index#downloading-log-files-and-diagnostic-information_rhodf[Collect must-gather data for {rh-storage-first}], if necessary.
+. link:https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.16/html-single/troubleshooting_openshift_data_foundation/index#downloading-log-files-and-diagnostic-information_rhodf[Collect must-gather data for {rh-storage-first}], if necessary.
 . xref:../../virt/support/virt-collecting-virt-data.adoc#virt-using-virt-must-gather_virt-collecting-virt-data[Collect must-gather data for {VirtProductName}].
 . xref:../../observability/monitoring/managing-metrics.adoc#querying-metrics-for-all-projects-as-an-administrator_managing-metrics[Collect Prometheus metrics for the cluster].
 endif::openshift-rosa,openshift-dedicated[]
diff --git a/virt/virtual_machines/advanced_vm_management/virt-about-multi-queue.adoc b/virt/virtual_machines/advanced_vm_management/virt-about-multi-queue.adoc
new file mode 100644
index 000000000000..e1ae254e12c2
--- /dev/null
+++ b/virt/virtual_machines/advanced_vm_management/virt-about-multi-queue.adoc
@@ -0,0 +1,25 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="virt-about-multi-queue"]
+= About multi-queue functionality
+include::_attributes/common-attributes.adoc[]
+:context: virt-about-multi-queue
+
+toc::[]
+
+Use multi-queue functionality to scale network throughput and performance on virtual machines (VMs) with multiple vCPUs.
+
+By default, the `queueCount` value, which is derived from the domain XML, is determined by the number of vCPUs allocated to a VM. Network performance does not scale as the number of vCPUs increases. Additionally, because virtio-net has only one Tx and Rx queue, guests cannot transmit or retrieve packs in parallel.
+
+[NOTE]
+====
+Enabling virtio-net multiqueue does not offer significant improvements when the number of vNICs in a guest instance is proportional to the number of vCPUs.
+====
+
+[id="virt-about-multi-queue-_{context}"]
+== Known limitations
+
+* MSI vectors are still consumed if virtio-net multiqueue is enabled in the host but not enabled in the guest operating system by the administrator.
+* Each virtio-net queue consumes 64 KiB of kernel memory for the vhost driver.
+* Starting a VM with more than 16 CPUs results in no connectivity if `networkInterfaceMultiqueue` is set to 'true' (link:https://issues.redhat.com/browse/CNV-16107[CNV-16107]).
+
+include::modules/virt-enabling-multi-queue.adoc[leveloffset=+1]
diff --git a/virt/virtual_machines/advanced_vm_management/virt-configuring-pci-passthrough.adoc b/virt/virtual_machines/advanced_vm_management/virt-configuring-pci-passthrough.adoc
index 59776061d752..164d38779c7a 100644
--- a/virt/virtual_machines/advanced_vm_management/virt-configuring-pci-passthrough.adoc
+++ b/virt/virtual_machines/advanced_vm_management/virt-configuring-pci-passthrough.adoc
@@ -49,4 +49,4 @@ include::modules/virt-assigning-pci-device-virtual-machine.adoc[leveloffset=+2]
 == Additional resources
 * link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_deployment_and_administration_guide/sect-troubleshooting-enabling_intel_vt_x_and_amd_v_virtualization_hardware_extensions_in_bios[Enabling Intel VT-X and AMD-V Virtualization Hardware Extensions in BIOS]
 * link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_basic_system_settings/assembly_managing-file-permissions_configuring-basic-system-settings[Managing file permissions]
-* xref:../../../post_installation_configuration/machine-configuration-tasks.adoc#post-install-machine-configuration-tasks[Postinstallation machine configuration tasks]
+* xref:../../../machine_configuration/index.adoc#machine-config-overview[Machine Config Overview]
diff --git a/virt/virtual_machines/advanced_vm_management/virt-uefi-mode-for-vms.adoc b/virt/virtual_machines/advanced_vm_management/virt-uefi-mode-for-vms.adoc
index 21c11eac8ad2..3a67acb56680 100644
--- a/virt/virtual_machines/advanced_vm_management/virt-uefi-mode-for-vms.adoc
+++ b/virt/virtual_machines/advanced_vm_management/virt-uefi-mode-for-vms.adoc
@@ -10,3 +10,5 @@ You can boot a virtual machine (VM) in Unified Extensible Firmware Interface (UE
 
 include::modules/virt-about-uefi-mode-for-vms.adoc[leveloffset=+1]
 include::modules/virt-booting-vms-uefi-mode.adoc[leveloffset=+1]
+include::modules/virt-enabling-persistent-efi.adoc[leveloffset=+1]
+include::modules/virt-configuring-vm-with-persistent-efi.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/virt/virtual_machines/virt-accessing-vm-consoles.adoc b/virt/virtual_machines/virt-accessing-vm-consoles.adoc
index 12a9bfeff917..d07dc52861a5 100644
--- a/virt/virtual_machines/virt-accessing-vm-consoles.adoc
+++ b/virt/virtual_machines/virt-accessing-vm-consoles.adoc
@@ -27,6 +27,10 @@ include::modules/virt-connecting-vm-virtctl.adoc[leveloffset=+2]
 include::modules/virt-temporary-token-VNC.adoc[leveloffset=+2]
 :!vnc-console:
 
+:context: vnc-console
+include::modules/virt-cluster-role-VNC.adoc[leveloffset=+3]
+:!vnc-console:
+
 [id="serial-console_virt-accessing-vm-consoles"]
 == Connecting to the serial console
 
diff --git a/virt/virtual_machines/virtual_disks/virt-configuring-shared-volumes-for-vms.adoc b/virt/virtual_machines/virtual_disks/virt-configuring-shared-volumes-for-vms.adoc
index 82a5d1859109..7fafc5f13f30 100644
--- a/virt/virtual_machines/virtual_disks/virt-configuring-shared-volumes-for-vms.adoc
+++ b/virt/virtual_machines/virtual_disks/virt-configuring-shared-volumes-for-vms.adoc
@@ -10,8 +10,10 @@ You can configure shared disks to allow multiple virtual machines (VMs) to share
 
 You configure disk sharing by exposing the storage as either of these types:
 
-* An ordinary virtual machine disk
-* A logical unit number (LUN) device with an iSCSi connection and raw device mapping, as required for Windows Failover Clustering for shared volumes
+* An ordinary VM disk
+* A logical unit number (LUN) disk with an iSCSi connection and raw device mapping, as required for Windows Failover Clustering for shared volumes
+
+In addition to configuring disk sharing, you can also set an error policy for each ordinary VM disk or LUN disk. The error policy controls how the hypervisor behaves when an input/output error occurs on a disk Read or Write.
 
 include::modules/virt-configuring-vm-disk-sharing.adoc[leveloffset=+1]
 
diff --git a/virt/vm_networking/virt-accessing-vm-internal-fqdn.adoc b/virt/vm_networking/virt-accessing-vm-internal-fqdn.adoc
new file mode 100644
index 000000000000..675c5b1e18ad
--- /dev/null
+++ b/virt/vm_networking/virt-accessing-vm-internal-fqdn.adoc
@@ -0,0 +1,29 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="virt-accessing-vm-internal-fqdn"]                            
+= Accessing a virtual machine  by using its internal FQDN                                             
+include::_attributes/common-attributes.adoc[]                   
+:context: virt-accessing-vm-internal-fqdn                        
+                                                                
+toc::[]         
+
+You can access a virtual machine (VM) that is connected to the default internal pod network on a stable fully qualified domain name (FQDN) by using headless services.
+
+A Kubernetes _headless service_ is a form of service that does not allocate a cluster IP address to represent a set of pods. Instead of providing a single virtual IP address for the service, a headless service creates a DNS record for each pod associated with the service. You can expose a VM through its FQDN without having to expose a specific TCP or UDP port. 
+ 
+[IMPORTANT]
+====
+If you created a VM by using the {product-title} web console, you can find its internal FQDN listed in the *Network* tile on the *Overview* tab of the *VirtualMachine details* page. For more information about connecting to the VM, see xref:../../virt/vm_networking/virt-accessing-vm-internal-fqdn.adoc#virt-connecting-vm-internal-fqdn_virt-accessing-vm-internal-fqdn[Connecting to a virtual machine by using its internal FQDN].
+====
+
+
+include::modules/virt-creating-headless-services.adoc[leveloffset=+1]
+
+include::modules/virt-discovering-vm-internal-fqdn.adoc[leveloffset=+1]
+
+include::modules/virt-connecting-vm-internal-fqdn.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="additional-resources_virt-accesing-vm-internal-fqdn"]
+== Additional resources
+
+* xref:../../virt/vm_networking/virt-exposing-vm-with-service.adoc#virt-exposing-vm-with-service[Exposing a VM by using a service]
\ No newline at end of file
diff --git a/virt/vm_networking/virt-accessing-vm-secondary-network-fqdn.adoc b/virt/vm_networking/virt-accessing-vm-secondary-network-fqdn.adoc
index 7608634b9607..5aefb4059c0e 100644
--- a/virt/vm_networking/virt-accessing-vm-secondary-network-fqdn.adoc
+++ b/virt/vm_networking/virt-accessing-vm-secondary-network-fqdn.adoc
@@ -1,14 +1,14 @@
 :_mod-docs-content-type: ASSEMBLY
 [id="virt-accessing-vm-secondary-network-fqdn"]
-= Accessing a virtual machine by using the cluster FQDN
+= Accessing a virtual machine by using its external FQDN
 include::_attributes/common-attributes.adoc[]
 :context: virt-accessing-vm-secondary-network-fqdn
 
 toc::[]
 
-You can access a virtual machine (VM) that is attached to a secondary network interface from outside the cluster by using the fully qualified domain name (FQDN) of the cluster.
+You can access a virtual machine (VM) that is attached to a secondary network interface from outside the cluster by using its fully qualified domain name (FQDN).
 
-:FeatureName: Accessing VMs by using the cluster FQDN
+:FeatureName: Accessing a VM from outside the cluster by using its FQDN
 include::snippets/technology-preview.adoc[]
 
 include::modules/virt-configuring-secondary-dns-server.adoc[leveloffset=+1]
diff --git a/welcome/about-hcp.adoc b/welcome/about-hcp.adoc
index 4c3aeff28fdb..aa4568d23873 100644
--- a/welcome/about-hcp.adoc
+++ b/welcome/about-hcp.adoc
@@ -13,7 +13,7 @@ toc::[]
 
 * {hcp-title} requires a minimum of only two nodes, making it ideal for smaller projects while still being able to scale to support larger projects and enterprises.
 
-* The underlying control plane infrastructure is fully managed. Control plane components, such as the API server and etcd database, are hosted in a Red Hat-owned AWS account.
+* The underlying control plane infrastructure is fully managed. Control plane components, such as the API server and etcd database, are hosted in a Red{nbsp}Hat-owned AWS account.
 
 * Provisioning time is approximately 10 minutes.
 
@@ -81,11 +81,11 @@ Use the following sections to find content to help you learn about and use {hcp-
 |===
 |Learn about application development in {hcp-title} |Deploy applications |Additional resources
 
-| link:https://developers.redhat.com/[Red Hat Developers site]
+| link:https://developers.redhat.com/[Red{nbsp}Hat Developers site]
 | xref:../applications/index.adoc#building-applications-overview[Building applications overview]
 | xref:../support/index.adoc#support-overview[Getting support]
 
-| link:https://developers.redhat.com/products/openshift-dev-spaces/overview[{openshift-dev-spaces-productname} (formerly Red Hat CodeReady Workspaces)]
+| link:https://developers.redhat.com/products/openshift-dev-spaces/overview[{openshift-dev-spaces-productname} (formerly Red{nbsp}Hat CodeReady Workspaces)]
 | xref:../operators/index.adoc#operators-overview[Operators overview]
 |
 
diff --git a/welcome/cloud-experts-rosa-hcp-sts-explained.adoc b/welcome/cloud-experts-rosa-hcp-sts-explained.adoc
index 9a62f2edacac..4f8bb5f4e6d7 100644
--- a/welcome/cloud-experts-rosa-hcp-sts-explained.adoc
+++ b/welcome/cloud-experts-rosa-hcp-sts-explained.adoc
@@ -15,12 +15,12 @@ toc::[]
 
 [id="credential-methods-rosa-hcp"]
 == AWS STS credential method
-As part of {hcp-title}, Red Hat must be granted the necessary permissions to manage infrastructure resources in your AWS account.
-{hcp-title} grants the cluster's automation software limited, short-term access to resources in your AWS account. 
+As part of {hcp-title}, Red{nbsp}Hat must be granted the necessary permissions to manage infrastructure resources in your AWS account.
+{hcp-title} grants the cluster's automation software limited, short-term access to resources in your AWS account.
 
 The STS method uses predefined roles and policies to grant temporary, least-privilege permissions to IAM roles. The credentials typically expire an hour after being requested. Once expired, they are no longer recognized by AWS and no longer have account access from API requests made with them. For more information, see the link:https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html[AWS documentation].
 
-AWS IAM STS roles must be created for each {hcp-title} cluster. The ROSA command line interface (CLI) (`rosa`) manages the STS roles and helps you attach the ROSA-specific, AWS-managed policies to each role. The CLI provides the commands and files to create the roles, attach the AWS-managed policies, and an option to allow the CLI to automatically create the roles and attach the policies. 
+AWS IAM STS roles must be created for each {hcp-title} cluster. The ROSA command line interface (CLI) (`rosa`) manages the STS roles and helps you attach the ROSA-specific, AWS-managed policies to each role. The CLI provides the commands and files to create the roles, attach the AWS-managed policies, and an option to allow the CLI to automatically create the roles and attach the policies.
 //See [insert new xref when we have one for HCP] for more information about the different `--mode` options.
 
 [id="hcp-sts-security"]
@@ -90,7 +90,7 @@ Deploying a {hcp-title} cluster follows the following steps:
 
 . You create the account-wide roles.
 . You create the Operator roles.
-. Red Hat uses AWS STS to send the required permissions to AWS that allow AWS to create and attach the corresponding AWS-manged Operator policies.
+. Red{nbsp}Hat uses AWS STS to send the required permissions to AWS that allow AWS to create and attach the corresponding AWS-managed Operator policies.
 . You create the OIDC provider.
 . You create the cluster.
 
@@ -101,7 +101,7 @@ The ROSA CLI can automatically create the roles for you, or you can manually cre
 
 [id="hcp-sts-process"]
 == {hcp-title} workflow
-The user creates the required account-wide roles. During role creation, a trust policy, known as a cross-account trust policy, is created which allows a Red Hat-owned role to assume the roles. Trust policies are also created for the EC2 service, which allows workloads on EC2 instances to assume roles and obtain credentials. AWS assigns a corresponding permissions policy to each role.
+The user creates the required account-wide roles. During role creation, a trust policy, known as a cross-account trust policy, is created which allows a Red{nbsp}Hat-owned role to assume the roles. Trust policies are also created for the EC2 service, which allows workloads on EC2 instances to assume roles and obtain credentials. AWS assigns a corresponding permissions policy to each role.
 
 After the account-wide roles and policies are created, the user can create a cluster. Once cluster creation is initiated, the user creates the Operator roles so that cluster Operators can make AWS API calls. These roles are then assigned to the corresponding permission policies that were created earlier and a trust policy with an OIDC provider. The Operator roles differ from the account-wide roles in that they ultimately represent the pods that need access to AWS resources. Because a user cannot attach IAM roles to pods, they must create a trust policy with an OIDC provider so that the Operator, and therefore the pods, can access the roles they need.
 
@@ -109,7 +109,7 @@ Once the user assigns the roles to the corresponding policy permissions, the fin
 
 image::cloud-experts-sts-explained_creation_flow_hcp.png[]
 
-When a new role is needed, the workload currently using the Red Hat role will assume the role in the AWS account, obtain temporary credentials from AWS STS, and begin performing the actions using API calls within the user's AWS account as permitted by the assumed role's permissions policy. The credentials are temporary and have a maximum duration of one hour.
+When a new role is needed, the workload currently using the Red{nbsp}Hat role will assume the role in the AWS account, obtain temporary credentials from AWS STS, and begin performing the actions using API calls within the user's AWS account as permitted by the assumed role's permissions policy. The credentials are temporary and have a maximum duration of one hour.
 
 image::cloud-experts-sts-explained_highlevel.png[]
 
@@ -119,4 +119,4 @@ image::cloud-experts-sts-explained_highlevel.png[]
 
 Operators use the following process to obtain the requisite credentials to perform their tasks. Each Operator is assigned an Operator role, a permissions policy, and a trust policy with an OIDC provider. The Operator will assume the role by passing a JSON web token that contains the role and a token file (`web_identity_token_file`) to the OIDC provider, which then authenticates the signed key with a public key. The public key is created during cluster creation and stored in an S3 bucket. The Operator then confirms that the subject in the signed token file matches the role in the role trust policy which ensures that the OIDC provider can only obtain the allowed role. The OIDC provider then returns the temporary credentials to the Operator so that the Operator can make AWS API calls. For a visual representation, see the following diagram:
 
-image::cloud-experts-sts-explained_oidc_op_roles_hcp.png[]
\ No newline at end of file
+image::cloud-experts-sts-explained_oidc_op_roles_hcp.png[]
diff --git a/welcome/index.adoc b/welcome/index.adoc
index 29635c4804a2..249027e46e8b 100644
--- a/welcome/index.adoc
+++ b/welcome/index.adoc
@@ -72,17 +72,18 @@ Explore the following {product-title} installation tasks:
 
 - **xref:../installing/index.adoc#ocp-installation-overview[{product-title} installation overview]**: Depending on the platform, you can install {product-title} on installer-provisioned or user-provisioned infrastructure. The {product-title} installation program provides the flexibility to deploy {product-title} on a range of different platforms.
 
-- **xref:../installing/installing_alibaba/preparing-to-install-on-alibaba.adoc#preparing-to-install-on-alibaba[Install a cluster on Alibaba]**: On Alibaba Cloud, you can install {product-title} on installer-provisioned infrastructure. This is currently a Technology Preview feature only.
+// PR open https://github.com/openshift/openshift-docs/pull/77474
+//- **xref:../installing/installing_alibaba/installing-alibaba-assisted-installer[Installing a cluster on {alibaba} by using the Assisted Installer]**: On {alibaba}, you can install {product-title} by using the Assisted Installer. This is currently a Technology Preview feature only.
 
-- **xref:../installing/installing_aws/preparing-to-install-on-aws.adoc#preparing-to-install-on-aws[Install a cluster on AWS]**: On AWS, you can install {product-title} on installer-provisioned infrastructure or user-provisioned infrastructure.
+- **xref:../installing/installing_aws/preparing-to-install-on-aws.adoc#preparing-to-install-on-aws[Install a cluster on {aws-short}]**: On AWS, you can install {product-title} on installer-provisioned infrastructure or user-provisioned infrastructure.
 
-- **xref:../installing/installing_azure/preparing-to-install-on-azure.adoc#preparing-to-install-on-azure[Install a cluster on Azure]**: On Microsoft Azure, you can install {product-title} on installer-provisioned infrastructure or user-provisioned infrastructure.
+- **xref:../installing/installing_azure/preparing-to-install-on-azure.adoc#preparing-to-install-on-azure[Install a cluster on {azure-full}]**: On Microsoft Azure, you can install {product-title} on installer-provisioned infrastructure or user-provisioned infrastructure.
 
-- **xref:../installing/installing_azure_stack_hub/preparing-to-install-on-azure-stack-hub.adoc#preparing-to-install-on-azure-stack-hub[Install a cluster on Azure Stack Hub]**: On Microsoft Azure Stack Hub, you can install {product-title} on installer-provisioned infrastructure or user-provisioned infrastructure.
+- **xref:../installing/installing_azure_stack_hub/preparing-to-install-on-azure-stack-hub.adoc#preparing-to-install-on-azure-stack-hub[Install a cluster on {azure-full} Stack Hub]**: On Microsoft Azure Stack Hub, you can install {product-title} on installer-provisioned infrastructure or user-provisioned infrastructure.
 
-- **xref:../installing/installing_on_prem_assisted/installing-on-prem-assisted.html#using-the-assisted-installer_installing-on-prem-assisted[Installing {product-title} with the Assisted Installer]**: The Assisted Installer is an installation solution that is provided on the Red Hat {hybrid-console}. The Assisted Installer supports installing an {product-title} cluster on many platforms, but with a focus on bare metal, Nutanix, and {vmw-full} infrastructures.
+- **xref:../installing/installing_on_prem_assisted/installing-on-prem-assisted.adoc#using-the-assisted-installer_installing-on-prem-assisted[Installing {product-title} with the Assisted Installer]**: The Assisted Installer is an installation solution that is provided on the Red Hat {hybrid-console}. The Assisted Installer supports installing an {product-title} cluster on multiple platforms.
 
-- **xref:../installing/installing_with_agent_based_installer/installing-with-agent-based-installer.html#installing-ocp-agent_installing-with-agent-based-installer[Installing {product-title} with the Agent-based Installer]**: You can use the Agent-based Installer to generate a bootable ISO image that contains the Assisted discovery agent, the Assisted Service, and all the other information required to deploy an {product-title} cluster. The Agent-based Installer leverages the advantages of the Assisted Installer in a disconnected environment
+- **xref:../installing/installing_with_agent_based_installer/installing-with-agent-based-installer.adoc#installing-ocp-agent_installing-with-agent-based-installer[Installing {product-title} with the Agent-based Installer]**: You can use the Agent-based Installer to generate a bootable ISO image that contains the Assisted discovery agent, the Assisted Service, and all the other information required to deploy an {product-title} cluster. The Agent-based Installer leverages the advantages of the Assisted Installer in a disconnected environment
 
 - **xref:../installing/installing_bare_metal/preparing-to-install-on-bare-metal.adoc#preparing-to-install-on-bare-metal[Install a cluster on bare metal]**: On bare metal, you can install {product-title} on installer-provisioned infrastructure or user-provisioned infrastructure. If none of the available platform and cloud provider deployment options meet your needs, consider using bare metal user-provisioned infrastructure.
 
@@ -100,24 +101,18 @@ endif::openshift-origin[]
 
 - **Install a cluster on {oci-first}**: You can use the {ai-full} or the Agent-based Installer to install a cluster on {oci}. This means that you can run cluster workloads on infrastructure that supports dedicated, hybrid, public, and multiple cloud environments. See xref:../installing/installing_oci/installing-oci-assisted-installer.adoc#installing-oci-assisted-installer[Installing a cluster on {oci-first-no-rt} by using the {ai-full}] and xref:../installing/installing_oci/installing-oci-agent-based-installer.adoc#installing-oci-agent-based-installer[Installing a cluster on {oci-first-no-rt} by using the Agent-based Installer].
 
-- **xref:../installing/installing_nutanix/preparing-to-install-on-nutanix.html#preparing-to-install-nutanix[Install a cluster on Nutanix]**: On Nutanix, you can install a cluster on your {product-title} on installer-provisioned infrastructure.
+- **xref:../installing/installing_nutanix/preparing-to-install-on-nutanix.adoc#preparing-to-install-nutanix[Install a cluster on Nutanix]**: On Nutanix, you can install a cluster on your {product-title} on installer-provisioned infrastructure.
 
 - **xref:../installing/installing_openstack/preparing-to-install-on-openstack.adoc#preparing-to-install-on-openstack[Install a cluster on {rh-openstack-first}]**: On {rh-openstack}, you can install {product-title} on installer-provisioned infrastructure or user-provisioned infrastructure.
 
 - **xref:../installing/installing_vsphere/ipi/installing-vsphere-installer-provisioned.adoc#installing-vsphere-installer-provisioned[Install a cluster on {vmw-full}]**: You can install {product-title} on supported versions of {vmw-short}.
-////
-You can configure an external load balancer for
-xref:../installing/installing_openstack/installing-openstack-load-balancing.adoc#installing-openstack-load-balancing[load balancing deployments on OpenStack].
-To troubleshoot OpenStack installation issues, you can
-xref:../installing/installing_openstack/installing-openstack-troubleshooting.adoc#installing-openstack-troubleshooting[view instance logs and ssh to an instance].
-////
 
 == Other cluster installer activities
 
 ifndef::openshift-origin[]
 - **Install a cluster in a restricted network**: If your cluster uses
 user-provisioned infrastructure on
-xref:../installing/installing_aws/upi/installing-restricted-networks-aws.adoc#installing-restricted-networks-aws[AWS],
+xref:../installing/installing_aws/upi/installing-restricted-networks-aws.adoc#installing-restricted-networks-aws[{aws-first}],
 xref:../installing/installing_gcp/installing-restricted-networks-gcp.adoc#installing-restricted-networks-gcp[{gcp-short}],
 xref:../installing/installing_vsphere/upi/installing-restricted-networks-vsphere.adoc#installing-restricted-networks-vsphere[{vmw-short}], xref:../installing/installing_ibm_cloud_public/installing-ibm-cloud-restricted.adoc#installing-ibm-cloud-restricted[{ibm-cloud-name}], xref:../installing/installing_ibm_z/preparing-to-install-on-ibm-z.adoc#preparing-to-install-on-ibm-z[{ibm-z-name} and {ibm-linuxone-name}], xref:../installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc#installing-restricted-networks-ibm-power[{ibm-power-name}],
  or
@@ -125,41 +120,41 @@ xref:../installing/installing_bare_metal/installing-restricted-networks-bare-met
 does not have full access to the internet, you must mirror the {product-title} installation images. To do this action, use one of the following methods, so that you can install a cluster in a restricted network.
 *** xref:../installing/disconnected_install/installing-mirroring-installation-images.adoc#installing-mirroring-installation-images[Mirroring images for a disconnected installation]
 *** xref:../installing/disconnected_install/installing-mirroring-disconnected.adoc#installing-mirroring-disconnected[Mirroring images for a disconnected installation by using the oc-mirror plug-in]
-
 endif::openshift-origin[]
 
 ifdef::openshift-origin[]
 - **Install a cluster in a restricted network**: If your cluster that uses
 user-provisioned infrastructure on
-xref:../installing/installing_aws/upi/installing-restricted-networks-aws.adoc#installing-restricted-networks-aws[AWS],
+xref:../installing/installing_aws/upi/installing-restricted-networks-aws.adoc#installing-restricted-networks-aws[{aws-first}],
 xref:../installing/installing_gcp/installing-restricted-networks-gcp.adoc#installing-restricted-networks-gcp[{gcp-short}],
  or
 xref:../installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc#installing-restricted-networks-bare-metal[bare metal]
 does not have full access to the internet, then
 xref:../installing/disconnected_install/installing-mirroring-installation-images.adoc#installing-mirroring-installation-images[mirror the {product-title} installation images] and install a cluster in a restricted network.
-
 endif::openshift-origin[]
 
 - **Install a cluster in an existing network**: If you use an existing Virtual Private Cloud (VPC) in
-xref:../installing/installing_aws/ipi/installing-aws-vpc.adoc#installing-aws-vpc[AWS] or
+xref:../installing/installing_aws/ipi/installing-aws-vpc.adoc#installing-aws-vpc[{aws-first}] or
 xref:../installing/installing_gcp/installing-gcp-vpc.adoc#installing-gcp-vpc[{gcp-short}] or an existing
 xref:../installing/installing_azure/installing-azure-vnet.adoc#installing-azure-vnet[VNet]
 on Microsoft Azure, you can install a cluster. Also consider xref:../installing/installing_gcp/installing-gcp-shared-vpc.adoc#installation-gcp-shared-vpc-prerequisites_installing-gcp-shared-vpc[Installing a cluster on {gcp-short} into a shared VPC]
 
 - **Install a private cluster**: If your cluster does not require external
 internet access, you can install a private cluster on
-xref:../installing/installing_aws/ipi/installing-aws-private.adoc#installing-aws-private[AWS],
-xref:../installing/installing_azure/installing-azure-private.adoc#installing-aws-private[Azure],
+xref:../installing/installing_aws/ipi/installing-aws-private.adoc#installing-aws-private[{aws-first}],
+xref:../installing/installing_azure/installing-azure-private.adoc#installing-aws-private[{azure-full}],
 xref:../installing/installing_gcp/installing-gcp-private.adoc#installing-gcp-private[{gcp-short}], or
 xref:../installing/installing_ibm_cloud_public/preparing-to-install-on-ibm-cloud.adoc#preparing-to-install-on-ibm-cloud[{ibm-cloud-name}]. Internet access is still required to access the cloud APIs and installation media.
 
+- **xref:../installing/installing_bare_metal/installing-bare-metal.adoc#rhcos-install-iscsi-manual_installing-bare-metal[Installing RHCOS manually on an iSCSI boot device] and xref:../installing/installing_bare_metal/installing-bare-metal.adoc#rhcos-install-iscsi-ibft_installing-bare-metal[Installing RHCOS on an iSCSI boot device using iBFT]**: You can target iSCSI devices as the root disk for installation of {op-system}. Multipathing is also supported.
+
 - **xref:../installing/installing-troubleshooting.adoc#installing-troubleshooting[Check installation logs]**: Access installation logs to evaluate issues that occur during {product-title} installation.
 
 - **xref:../web_console/web-console.adoc#web-console[Access {product-title}]**: Use credentials output at the end of the installation process to log in to the {product-title} cluster from the command line or web console.
 
 - **xref:../storage/persistent_storage/persistent-storage-ocs.adoc#red-hat-openshift-data-foundation[Install Red Hat OpenShift Data Foundation]**: You can install {rh-storage-first} as an Operator to provide highly integrated and simplified persistent storage management for containers.
 
-- **xref:../post_installation_configuration/coreos-layering.adoc#coreos-layering[{op-system-first} image layering]**: As a post-installation task, you can add new images on top of the base {op-system} image. This layering does not modify the base {op-system} image. Instead, the layering creates a custom layered image that includes all {op-system} functions and adds additional functions to specific nodes in the cluster.
+- **xref:../machine_configuration/mco-coreos-layering.adoc#mco-coreos-layering[{op-system-first} image layering]**: As a post-installation task, you can add new images on top of the base {op-system} image. This layering does not modify the base {op-system} image. Instead, the layering creates a custom layered image that includes all {op-system} functions and adds additional functions to specific nodes in the cluster.
 endif::[]
 
 ifndef::openshift-rosa,openshift-dedicated,openshift-dpu,microshift[]
@@ -174,13 +169,10 @@ Develop and deploy containerized applications with {product-title}. {product-tit
 
 - **xref:../applications/odc-viewing-application-composition-using-topology-view.adoc#odc-viewing-application-topology_viewing-application-composition-using-topology-view[Viewing application composition using the Topology view]**: Use the *Topology* view to visually interact with your applications, monitor status, connect and group components, and modify your code base.
 
-- **xref:../applications/connecting_applications_to_services/understanding-service-binding-operator.adoc#understanding-service-binding-operator[Understanding Service Binding Operator]**: With the Service Binding Operator, an application developer can bind workloads with Operator-managed backing services by automatically collecting and sharing binding data with the workloads. The Service Binding Operator improves the development lifecycle with a consistent and declarative service binding method that prevents discrepancies in cluster environments.
-
 - **link:https://docs.openshift.com/pipelines/latest/create/creating-applications-with-cicd-pipelines.html#creating-applications-with-cicd-pipelines[Create CI/CD Pipelines]**: Pipelines are serverless, cloud-native, continuous integration and continuous deployment systems that run in isolated containers.
 Pipelines use standard Tekton custom resources to automate deployments and are designed for decentralized teams that work on microservice-based architecture.
 
 ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]
-
 - **link:https://docs.openshift.com/gitops/latest/understanding_openshift_gitops/about-redhat-openshift-gitops.html#about-redhat-openshift-gitops[Manage your infrastructure and application configurations]**: GitOps is a declarative way to implement continuous deployment for cloud native applications. GitOps defines infrastructure and application definitions as code. GitOps uses this code to manage multiple workspaces and clusters to simplify the creation of infrastructure and application configurations. GitOps also handles and automates complex deployments at a fast pace, which saves time during deployment and release cycles.
 
 - **xref:../applications/working_with_helm_charts/configuring-custom-helm-chart-repositories.adoc#installing-a-helm-chart-on-an-openshift-cluster_configuring-custom-helm-chart-repositories[Deploy Helm charts]**:
@@ -252,16 +244,7 @@ Manage machines, provide services to users, and follow monitoring and logging re
 - **Manage xref:../security/certificates/replacing-default-ingress-certificate.adoc#replacing-default-ingress[ingress], xref:../security/certificates/api-server.adoc#api-server-certificates[API server], and xref:../security/certificates/service-serving-certificate.adoc#add-service-serving[service] certificates**: {product-title} creates certificates by default for the Ingress Operator, the API server, and for services needed by complex middleware applications that require encryption. You might need to change, add, or rotate these certificates.
 
 - **xref:../networking/understanding-networking.adoc#understanding-networking[Manage networking]**: The cluster network in {product-title} is managed by the xref:../networking/cluster-network-operator.adoc#cluster-network-operator[Cluster Network Operator] (CNO). The CNO uses `iptables` rules in xref:../networking/openshift_sdn/configuring-kube-proxy.adoc#configuring-kube-proxy[kube-proxy] to direct traffic between nodes and pods running on those nodes. The Multus Container Network Interface adds the capability to attach xref:../networking/multiple_networks/understanding-multiple-networks.adoc#understanding-multiple-networks[multiple network interfaces] to a pod. By using
-xref:../networking/openshift_network_security/network_policy/about-network-policy.adoc#about-network-policy[network policy] features, you can isolate your pods or permit selected traffic.
-
-- **xref:../storage/understanding-persistent-storage.adoc#understanding-persistent-storage[Manage storage]**: With {product-title}, a cluster administrator can configure persistent storage by using
-xref:../storage/persistent_storage/persistent-storage-ocs.adoc#red-hat-openshift-data-foundation[Red Hat OpenShift Data Foundation],
-xref:../storage/persistent_storage/persistent-storage-aws.adoc#persistent-storage-using-aws-ebs[AWS Elastic Block Store],
-xref:../storage/persistent_storage/persistent-storage-nfs.adoc#persistent-storage-using-nfs[NFS],
-xref:../storage/persistent_storage/persistent-storage-iscsi.adoc#persistent-storage-using-iscsi[iSCSI],
-xref:../storage/container_storage_interface/persistent-storage-csi.adoc#persistent-storage-using-csi[Container Storage Interface (CSI)],
-and more.
-You can xref:../storage/expanding-persistent-volumes.adoc#expanding-persistent-volumes[expand persistent volumes], configure xref:../storage/dynamic-provisioning.adoc#dynamic-provisioning[dynamic provisioning], and use CSI to xref:../storage/container_storage_interface/persistent-storage-csi.adoc#persistent-storage-using-csi[configure], xref:../storage/container_storage_interface/persistent-storage-csi-cloning.adoc#persistent-storage-csi-cloning[clone], and use xref:../storage/container_storage_interface/persistent-storage-csi-snapshots.adoc#persistent-storage-csi-snapshots[snapshots] of persistent storage.
+xref:../networking/network_security/network_policy/about-network-policy.adoc#about-network-policy[network policy] features, you can isolate your pods or permit selected traffic.
 
 - **xref:../operators/understanding/olm-understanding-operatorhub.adoc#olm-understanding-operatorhub[Manage Operators]**: Lists of Red Hat, ISV, and community Operators can be reviewed by cluster administrators and xref:../operators/admin/olm-adding-operators-to-cluster.adoc#olm-adding-operators-to-a-cluster[installed on their clusters]. After you install them, you can xref:../operators/user/olm-creating-apps-from-installed-operators.adoc#olm-creating-apps-from-installed-operators[run], xref:../operators/admin/olm-upgrading-operators.adoc#olm-upgrading-operators[upgrade], back up, or otherwise manage the Operator on your cluster.
 
@@ -278,11 +261,11 @@ endif::openshift-enterprise,openshift-webscale,openshift-origin[]
 - **xref:../applications/pruning-objects.adoc#pruning-objects[Prune and reclaim resources]**: Reclaim space by pruning unneeded Operators, groups, deployments, builds, images, registries, and cron jobs.
 
 - **xref:../scalability_and_performance/recommended-performance-scale-practices/recommended-infrastructure-practices.adoc#scaling-cluster-monitoring-operator[Scale] and xref:../scalability_and_performance/using-node-tuning-operator.adoc#using-node-tuning-operator[tune] clusters**: Set cluster limits, tune nodes, scale cluster monitoring, and optimize networking, storage, and routes for your environment.
-
-- **xref:../updating/understanding_updates/intro-to-updates.html[Update a cluster]**:
+// Added context here.
+- **xref:../updating/understanding_updates/intro-to-updates.adoc#understanding-openshift-updates[Update a cluster]**:
 Use the Cluster Version Operator (CVO) to upgrade your {product-title} cluster. If an update is available from the OpenShift Update Service (OSUS), you apply that cluster update from the {product-title} xref:../updating/updating_a_cluster/updating-cluster-web-console.adoc#updating-cluster-web-console[web console] or the xref:../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[OpenShift CLI] (`oc`).
 
-- **xref:../updating/updating_a_cluster/updating_disconnected_cluster/index.html[Using the OpenShift Update Service in a disconnected environment]**: You can use the OpenShift Update Service for recommending {product-title} updates in disconnected environments.
+- **xref:../updating/updating_a_cluster/updating_disconnected_cluster/index.adoc#about-restricted-network-updates[Using the OpenShift Update Service in a disconnected environment]**: You can use the OpenShift Update Service for recommending {product-title} updates in disconnected environments.
 
 - **xref:../nodes/clusters/nodes-cluster-worker-latency-profiles.adoc#nodes-cluster-worker-latency-profiles[Improving cluster stability in high latency environments by using worker latency profiles]**: If your network has latency issues, you can use one of three worker latency profiles to help ensure that your control plane does not accidentally evict pods in case it cannot reach a worker node. You can configure or modify the profile at any time during the life of the cluster.
 
@@ -304,6 +287,25 @@ After configuring monitoring, use the web console to access xref:../observabilit
 - **xref:../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring_about-remote-health-monitoring[Remote health monitoring]**: {product-title} collects anonymized aggregated information about your cluster. By using Telemetry and the Insights Operator, this data is received by Red Hat and used to improve {product-title}. You can view the xref:../support/remote_health_monitoring/showing-data-collected-by-remote-health-monitoring.adoc#showing-data-collected-by-remote-health-monitoring_showing-data-collected-by-remote-health-monitoring[data collected by remote health monitoring].
 
 - **xref:../observability/power_monitoring/power-monitoring-overview.adoc#power-monitoring-overview[{PM-title-c} (Technology Preview)]**: You can use {PM-title} to monitor the power usage and identify power-consuming containers running in an {product-title} cluster. {PM-shortname-c} collects and exports energy-related system statistics from various components, such as CPU and DRAM. {PM-shortname-c} provides granular power consumption data for Kubernetes pods, namespaces, and nodes.
+
+== Storage activities
+
+- **xref:../storage/understanding-persistent-storage.adoc#understanding-persistent-storage[Manage storage]**: With {product-title}, a cluster administrator can configure persistent storage by using
+xref:../storage/persistent_storage/persistent-storage-ocs.adoc#red-hat-openshift-data-foundation[Red Hat OpenShift Data Foundation],
+xref:../storage/persistent_storage/persistent-storage-aws.adoc#persistent-storage-using-aws-ebs[{aws-short} Elastic Block Store],
+xref:../storage/persistent_storage/persistent-storage-nfs.adoc#persistent-storage-using-nfs[NFS],
+xref:../storage/persistent_storage/persistent-storage-iscsi.adoc#persistent-storage-using-iscsi[iSCSI],
+xref:../storage/container_storage_interface/persistent-storage-csi.adoc#persistent-storage-using-csi[Container Storage Interface (CSI)],
+and more.
+You can xref:../storage/expanding-persistent-volumes.adoc#expanding-persistent-volumes[expand persistent volumes], configure xref:../storage/dynamic-provisioning.adoc#dynamic-provisioning[dynamic provisioning], and use CSI to xref:../storage/container_storage_interface/persistent-storage-csi.adoc#persistent-storage-using-csi[configure], xref:../storage/container_storage_interface/persistent-storage-csi-cloning.adoc#persistent-storage-csi-cloning[clone], and use xref:../storage/container_storage_interface/persistent-storage-csi-snapshots.adoc#persistent-storage-csi-snapshots[snapshots] of persistent storage.
+
+- **xref:../storage/container_storage_interface/persistent-storage-csi-smb-cifs.adoc#persistent-storage-csi-smb-cifs[Persistent storage using CIFS/SMB CSI Driver Operator (Technology Preview)]**: {product-title} is capable of provisioning persistent volumes (PVs) with a Container Storage Interface (CSI) driver for the Common Internet File System (CIFS) dialect/Server Message Block (SMB) protocol. The CIFS/SMB CSI Driver Operator that manages this driver is in Technology Preview status.
+
+- **xref:../storage/container_storage_interface/persistent-storage-csi-snapshots.adoc#persistent-storage-csi-snapshots-overview_persistent-storage-csi-snapshots[Changing vSphere CSI maximum number of snapshots]**:  The default maximum number of snapshots in {vmw-first} Container Storage Interface (CSI) is 3 per volume. In {product-title} {product-version}, you can now change this maximum number of snapshots to a maximum of 32 per volume. You also have granular control of the maximum number of snapshots for vSAN and Virtual Volume datastores.
+
+- **xref:../storage/container_storage_interface/persistent-storage-csi.adoc#persistent-storage-csi[Volume cloning supported for Azure File (Technology Preview)]**: {product-title} {product-version} introduces volume cloning for the Microsoft Azure File Container Storage Interface (CSI) Driver Operator as a Technology Preview feature.
+
+- **xref:../storage/understanding-persistent-storage.adoc#pv-access-modes_understanding-persistent-storage[RWOP with SELinux context mount]**: {product-title} {product-version} changes feature status from Technical Preview status to generally available for the access mode `ReadWriteOncePod` (RWOP). RWOP can be used only in a single pod on a single node. If the driver enables it, RWOP uses the SELinux context mount set in the PodSpec or container, which allows the driver to mount the volume directly with the correct SELinux labels.
 endif::openshift-enterprise,openshift-webscale,openshift-origin[]
 
 ifdef::openshift-dedicated[]
@@ -317,7 +319,6 @@ While cluster maintenance and host configuration is performed by the Red Hat Sit
 - *Manage nodes*: Learn to manage nodes, including configuring machine pools and autoscaling.
 endif::openshift-dedicated[]
 endif::openshift-enterprise,openshift-webscale,openshift-origin[]
-
 endif::openshift-rosa[]
 
 ifdef::openshift-enterprise[]
@@ -328,11 +329,10 @@ ifdef::openshift-enterprise[]
 ** link:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.10/html/clusters/cluster_mce_overview#configuring-hosting-service-cluster-configure-bm[Configuring hosted control plane clusters on bare metal]
 ** link:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.10/html/clusters/cluster_mce_overview#hosted-control-planes-manage-kubevirt[Managing hosted control plane clusters on OpenShift Virtualization]
 
-* **Technology Preview features**: {hcp-capital} remains available as a Technology Preview feature on the Amazon Web Services, {ibm-power-name}, and {ibm-z-name} platforms. You can now provision a hosted control plane cluster by using the non bare metal agent machines. For more information, see the following documentation:
+* **Technology Preview features**: {hcp-capital} remains available as a Technology Preview feature on the {aws-first}, {ibm-power-name}, and {ibm-z-name} platforms. You can now provision a hosted control plane cluster by using the non bare metal agent machines. For more information, see the following documentation:
 
-** link:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.10/html/clusters/cluster_mce_overview#hosting-service-cluster-configure-aws[Configuring the hosting cluster on AWS (Technology Preview)]
+** link:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.10/html/clusters/cluster_mce_overview#hosting-service-cluster-configure-aws[Configuring the hosting cluster on {aws-short} (Technology Preview)]
 ** link:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.10/html/clusters/cluster_mce_overview#config-hosted-service-ibmpower[Configuring the hosting cluster on a 64-bit x86 {product-title} cluster to create {hcp} for {ibm-power-name} compute nodes (Technology Preview)]
 ** link:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.10/html/clusters/cluster_mce_overview#configuring-hosting-service-cluster-ibmz[Configuring the hosted cluster on 64-bit x86 bare metal for {ibm-z-name} compute nodes (Technology Preview)]
 ** link:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.10/html/clusters/cluster_mce_overview#configuring-hosting-service-cluster-configure-agent-non-bm[Configuring hosted control plane clusters using non bare metal agent machines (Technology Preview)]
-
 endif::openshift-enterprise[]
diff --git a/welcome/learn_more_about_openshift.adoc b/welcome/learn_more_about_openshift.adoc
index c325385c7b7c..cd0d2a02d12a 100644
--- a/welcome/learn_more_about_openshift.adoc
+++ b/welcome/learn_more_about_openshift.adoc
@@ -46,7 +46,7 @@ Use the following sections to find content to help you learn about and use {prod
 | xref:../support/getting-support.adoc#getting-support[Getting Support]
 
 | xref:../architecture/architecture.adoc#architecture[Architecture]
-| xref:../post_installation_configuration/machine-configuration-tasks.adoc#post-install-machine-configuration-tasks[Post installation configuration]
+| xref:../machine_configuration/index.adoc#machine-config-overview[Machine configuration overview]
 | xref:../observability/logging/cluster-logging.adoc#cluster-logging[Logging]
 | link:https://access.redhat.com/articles/4217411[OpenShift Knowledgebase articles]
 
diff --git a/welcome/oke_about.adoc b/welcome/oke_about.adoc
index fc91ae983ca1..d9136b3d5c82 100644
--- a/welcome/oke_about.adoc
+++ b/welcome/oke_about.adoc
@@ -297,7 +297,6 @@ s| Feature s| {oke} s| {product-title} s| Operator name
 | Developer Application Catalog | Not Included | Included | N/A
 | Source to Image and Builder Automation (Tekton) | Not Included | Included | N/A
 | OpenShift Service Mesh | Not Included | Included | OpenShift Service Mesh Operator
-| Service Binding Operator | Not Included | Included | Service Binding Operator
 s| Feature s| {oke} s| {product-title} s| Operator name
 | Red Hat OpenShift Serverless | Not Included | Included | OpenShift Serverless Operator
 | Web Terminal provided by Red Hat | Not Included | Included | Web Terminal Operator
diff --git a/windows_containers/enabling-windows-container-workloads.adoc b/windows_containers/enabling-windows-container-workloads.adoc
index 3ceddb629267..6688e173c5a8 100644
--- a/windows_containers/enabling-windows-container-workloads.adoc
+++ b/windows_containers/enabling-windows-container-workloads.adoc
@@ -46,6 +46,12 @@ include::modules/installing-wmco-using-cli.adoc[leveloffset=+2]
 
 include::modules/configuring-secret-for-wmco.adoc[leveloffset=+1]
 
+include::modules/wmco-cluster-wide-proxy.adoc[leveloffset=+1]
+
+.Additional resources
+
+* xref:../networking/enable-cluster-wide-proxy.adoc#enable-cluster-wide-proxy[Configuring the cluster-wide proxy].
+
 
 [role="_additional-resources"]
 == Additional resources