Custom CA Trust updates for 20220902 preview version (Azure#20995)

* add create managed cluster example with certs

* add description of custom ca certs in managed cluster security profile json

* better phrasing

* Use dummy base64 encoded values for examples, set format: byte for cert array

* Update specification/containerservice/resource-manager/Microsoft.ContainerService/preview/2022-09-02-preview/managedClusters.json

Co-authored-by: Matthew Christopher <matthchr@users.noreply.github.com>

* update description

* add exception for linter camel case

Co-authored-by: Mikolaj Umanski <mumanski@microsoft.com>
Co-authored-by: Matthew Christopher <matthchr@users.noreply.github.com>

specification/containerservice/resource-manager/Microsoft.ContainerService/preview/2022-09-02-preview/examples/ManagedClustersCreate_EnableCustomCATrust.json

@@ -60,6 +60,11 @@
           "clientId": "clientid",
           "secret": "secret"
         },
+        "securityProfile": {
+          "customCATrustCertificates": [
+            "ZHVtbXlFeGFtcGxlVGVzdFZhbHVlRm9yQ2VydGlmaWNhdGVUb0JlQWRkZWQ="
+          ]
+        },
         "addonProfiles": {},
         "enableRBAC": true,
         "diskEncryptionSetID": "/subscriptions/subid1/resourceGroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des",
@@ -116,6 +121,11 @@
           "servicePrincipalProfile": {
             "clientId": "clientid"
           },
+          "securityProfile": {
+            "customCATrustCertificates": [
+              "ZHVtbXlFeGFtcGxlVGVzdFZhbHVlRm9yQ2VydGlmaWNhdGVUb0JlQWRkZWQ="
+            ]
+          },
           "nodeResourceGroup": "MC_rg1_clustername1_location1",
           "enableRBAC": true,
           "diskEncryptionSetID": "/subscriptions/subid1/resourceGroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des",
@@ -208,6 +218,11 @@
           "servicePrincipalProfile": {
             "clientId": "clientid"
           },
+          "securityProfile": {
+            "customCATrustCertificates": [
+              "ZHVtbXlFeGFtcGxlVGVzdFZhbHVlRm9yQ2VydGlmaWNhdGVUb0JlQWRkZWQ="
+            ]
+          },
           "nodeResourceGroup": "MC_rg1_clustername1_location1",
           "enableRBAC": true,
           "diskEncryptionSetID": "/subscriptions/subid1/resourceGroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des",

specification/containerservice/resource-manager/Microsoft.ContainerService/preview/2022-09-02-preview/managedClusters.json

@@ -597,7 +597,7 @@
           "Create Managed Cluster with Dedicated Host Group": {
             "$ref": "./examples/ManagedClustersCreate_DedicatedHostGroup.json"
           },
-          "Create Managed Cluster with CustomCATrust enabled": {
+          "Create Managed Cluster with CustomCATrustCertificates populated and CustomCATrust enabled": {
             "$ref": "./examples/ManagedClustersCreate_EnableCustomCATrust.json"
           }
         }
@@ -3418,7 +3418,7 @@
         "enableCustomCATrust": {
           "type": "boolean",
           "title": "Whether to enable Custom CA Trust feature.",
-          "description": "When set to true, AKS deploys a daemonset and host services to sync custom certificate authorities from a user-provided config map into node trust stores. Defaults to false."
+          "description": "When set to true, AKS adds a label to the node indicating that the feature is enabled and deploys a daemonset along with host services to sync custom certificate authorities from user-provided list of base64 encoded certificates into node trust stores. Defaults to false."
         },
         "nodePublicIPPrefixID": {
           "type": "string",
@@ -6380,6 +6380,10 @@
         "nodeRestriction": {
           "$ref": "#/definitions/ManagedClusterSecurityProfileNodeRestriction",
           "description": "[Node Restriction](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction) settings for the security profile."
+        },
+        "customCATrustCertificates": {
+          "$ref": "#/definitions/ManagedClusterSecurityProfileCustomCATrustCertificates",
+          "description": "A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the Custom CA Trust feature enabled. For more information see [Custom CA Trust Certificates](https://learn.microsoft.com/en-us/azure/aks/custom-certificate-authority)"
         }
       },
       "description": "Security profile for the container service cluster."
@@ -6529,6 +6533,17 @@
       },
       "description": "Node Restriction settings for the security profile."
     },
+    "ManagedClusterSecurityProfileCustomCATrustCertificates": {
+      "type": "array",
+      "items": {
+        "type": "string",
+        "format": "byte"
+      },
+      "minItems": 0,
+      "maxItems": 10,
+      "title": "The list of base64 encoded certificate strings that will be added to the node trust store. At most 10 strings can be provided.",
+      "description": "Certificates will only be added to trust stores on node pools that have enableCustomCATrust field set to true. If updated, the new list of certificates will be installed in the trust store in place of the old certificates. The certificates are applied asynchronously and will be available a short time after the list is updated."
+    },
     "ManagedClusterStorageProfileDiskCSIDriver": {
       "type": "object",
       "properties": {

specification/containerservice/resource-manager/readme.md

@@ -844,4 +844,8 @@ directive:
   - suppress: TrackedResourcePatchOperation
     from: containerService.json
     reason: ACS service is deprecated so a PATCH endpoint won't be implemented
+  - suppress: DefinitionsPropertiesNamesCamelCase
+    from: managedClusters.json
+    where: $.definitions.ManagedClusterSecurityProfile.properties.customCATrustCertificates      
+    reason: customCATrustCertificates contains a widely used acronym, no camel case restriction needed.
 ```