Update ROSA HCP cluster creation and IAM role instructions:

- Add ROSA and MachinePool feature gate requirements before clusterctl init
- Add note about rosa-creds-secret namespace matching resource namespace
- Add note about ROSARoleConfig prefix max length (4 characters)
- Update OpenShift version from 4.19.0 to 4.20.11 with version check hint
- Update Cluster and MachinePool API version from v1beta1 to v1beta2

Author: tinaafitz

docs/book/src/topics/rosa/creating-a-cluster.md

@@ -5,7 +5,13 @@
 1. Install the required tools and set up the prerequisite infrastructure using the [ROSA Setup guide](https://docs.aws.amazon.com/rosa/latest/userguide/set-up.html).
 
 
-2. Create a management cluster using the [Quick Start Guide.](https://cluster-api-aws.sigs.k8s.io/quick-start)
+2. Export the following: 
+    ```shell
+    export EXP_ROSA=true
+    export EXP_MACHINE_POOL=true
+    ```
+   
+3. Create a management cluster using the [Quick Start Guide.](https://cluster-api-aws.sigs.k8s.io/quick-start)
 
 
 ## IAM Role Configuration
@@ -38,7 +44,7 @@ The CAPA controller requires service account credentials to provision ROSA HCP c
       --from-literal=ocmClientSecret='eyJhbGciOiJIUzI1NiIsI....' \
       --from-literal=ocmApiUrl='https://api.openshift.com'
     ```
-    Note: to consume the secret without the need to reference it from your `ROSAControlPlane`, name your secret `rosa-creds-secret` and create it in the CAPA manager namespace (usually `capa-system`)
+    **Note:** The secret must be created in the same namespace where your ROSA resources will be deployed. Alternatively, to consume the secret without the need to reference it from your `ROSAControlPlane`, name your secret `rosa-creds-secret` and create it in the CAPA manager namespace (usually `capa-system`)
     ```shell
     kubectl -n capa-system create secret generic rosa-creds-secret \
       --from-literal=ocmClientID='....' \
@@ -51,7 +57,7 @@ The CAPA controller requires service account credentials to provision ROSA HCP c
 
 1. Prepare the environment:
     ```bash
-    export OPENSHIFT_VERSION="4.19.0"
+    export OPENSHIFT_VERSION="4.20.11"  # check available versions with: rosa list versions --hosted-cp
     export AWS_REGION="us-west-2"
     export AWS_AVAILABILITY_ZONE="us-west-2a"
     export AWS_ACCOUNT_ID="<account_id>"
@@ -70,6 +76,8 @@ The CAPA controller requires service account credentials to provision ROSA HCP c
     - Public and private subnet pairs for each availability zone
     - Associated networking resources (internet gateway, NAT gateways, route tables)
 
+    **Note:** The `prefix` field has a maximum length of 4 characters.
+
     Save the following to a file `rosa-role-network.yaml`:
 
     ```yaml
@@ -80,7 +88,7 @@ The CAPA controller requires service account credentials to provision ROSA HCP c
     spec:
       accountRoleConfig:
         prefix: "rosa"
-        version: "4.19.0"
+        version: "4.20.11"
       operatorRoleConfig:
         prefix: "rosa"
       credentialsSecretRef:
@@ -187,7 +195,7 @@ The CAPA controller requires service account credentials to provision ROSA HCP c
 1. Save the following to a file `rosa-cluster.yaml`:
 
     ```yaml
-    apiVersion: cluster.x-k8s.io/v1beta1
+    apiVersion: cluster.x-k8s.io/v1beta2
     kind: Cluster
     metadata:
       name: "rosa-hcp-1"
@@ -196,11 +204,11 @@ The CAPA controller requires service account credentials to provision ROSA HCP c
         pods:
           cidrBlocks: ["192.168.0.0/16"]
       infrastructureRef:
-        apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
+        apiGroup: infrastructure.cluster.x-k8s.io
         kind: ROSACluster
         name: "rosa-hcp-1"
       controlPlaneRef:
-        apiVersion: controlplane.cluster.x-k8s.io/v1beta2
+        apiGroup: controlplane.cluster.x-k8s.io
         kind: ROSAControlPlane
         name: "rosa-hcp-1-control-plane"
     ---
@@ -221,7 +229,7 @@ The CAPA controller requires service account credentials to provision ROSA HCP c
       domainPrefix: rosa-hcp
       rosaRoleConfigRef:
         name: role-config  # reference to the ROSARoleConfig created above
-      version: "4.19.0"
+      version: "4.20.11"
       region: "us-west-2"
       rosaNetworkRef:
         name: "rosa-vpc" # reference to the ROSANetwork created above
@@ -302,7 +310,7 @@ The CAPA controller requires service account credentials to provision ROSA HCP c
 1. To add an additional `ROSAMachinePool`, save the following to a file `rosa-machinepool-extra.yaml`:
 
     ```yaml
-    apiVersion: cluster.x-k8s.io/v1beta1
+    apiVersion: cluster.x-k8s.io/v1beta2
     kind: MachinePool
     metadata:
       name: "rosa-hcp-1-workers-extra"
@@ -315,7 +323,7 @@ The CAPA controller requires service account credentials to provision ROSA HCP c
           bootstrap:
             dataSecretName: ""
           infrastructureRef:
-            apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
+            apiGroup: infrastructure.cluster.x-k8s.io
             kind: ROSAMachinePool
             name: "workers-extra"
     ---
@@ -325,7 +333,7 @@ The CAPA controller requires service account credentials to provision ROSA HCP c
       name: "workers-extra"
     spec:
       nodePoolName: "workers-extra"
-      version: "4.19.0"
+      version: "4.20.11"
       instanceType: "m5.xlarge"
       autoRepair: true
     ```

docs/book/src/topics/rosa/specify-management-iam-role.md

@@ -60,8 +60,13 @@ When using a management cluster (OCP or ROSA-HCP) created using AWS credentials
 
     aws iam attach-role-policy --role-name capa-manager-role \
       --policy-arn arn:aws:iam::aws:policy/AmazonVPCFullAccess
+
+    aws iam attach-role-policy --role-name capa-manager-role \
+      --policy-arn arn:aws:iam::aws:policy/IAMFullAccess
     ```
 
+    **Note:** The `IAMFullAccess` policy is required for the CAPA controller to create and manage the ROSA account roles, operator roles, and OIDC providers via the `ROSARoleConfig` resource.
+
 ## Annotate the Service Account
 
 1. Retrieve the IAM role ARN:
@@ -77,10 +82,20 @@ When using a management cluster (OCP or ROSA-HCP) created using AWS credentials
       eks.amazonaws.com/role-arn=$APP_IAM_ROLE_ARN
     ```
 
-3. Restart the CAPA controller to pick up the new role:
+3. Remove the bootstrap AWS credentials from the CAPA controller so it uses the IAM role instead of static credentials. First, delete the secret:
+
+    ```shell
+    kubectl delete secret -n capa-system capa-manager-bootstrap-credentials
+    ```
+
+    Then remove the credentials volume and volume mount from the deployment:
 
     ```shell
-    kubectl rollout restart deployment capa-controller-manager -n capa-system
+    kubectl patch deployment capa-controller-manager -n capa-system --type='json' \
+      -p='[{"op": "remove", "path": "/spec/template/spec/volumes/1"},
+           {"op": "remove", "path": "/spec/template/spec/containers/0/volumeMounts/1"}]'
     ```
 
+    **Note:** The volume indices above (`/1`) assume the default deployment configuration. Verify the correct indices by inspecting the deployment if you have customized it.
+
 After this configuration, the CAPA controller will use the IAM role to manage AWS resources, and you can provision ROSA HCP clusters without storing AWS credentials in the management cluster.