diff --git a/specification/containerservice/resource-manager/Microsoft.ContainerService/preview/2022-09-02-preview/examples/ManagedClustersCreate_EnableCustomCATrust.json b/specification/containerservice/resource-manager/Microsoft.ContainerService/preview/2022-09-02-preview/examples/ManagedClustersCreate_EnableCustomCATrust.json
index 336ad99df751..c2915e709ea5 100644
--- a/specification/containerservice/resource-manager/Microsoft.ContainerService/preview/2022-09-02-preview/examples/ManagedClustersCreate_EnableCustomCATrust.json
+++ b/specification/containerservice/resource-manager/Microsoft.ContainerService/preview/2022-09-02-preview/examples/ManagedClustersCreate_EnableCustomCATrust.json
@@ -60,6 +60,11 @@
 "clientId": "clientid",
 "secret": "secret"
 },
+ "securityProfile": {
+ "customCATrustCertificates": [
+ "ZHVtbXlFeGFtcGxlVGVzdFZhbHVlRm9yQ2VydGlmaWNhdGVUb0JlQWRkZWQ="
+ ]
+ },
 "addonProfiles": {},
 "enableRBAC": true,
 "diskEncryptionSetID": "/subscriptions/subid1/resourceGroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des",
@@ -116,6 +121,11 @@
 "servicePrincipalProfile": {
 "clientId": "clientid"
 },
+ "securityProfile": {
+ "customCATrustCertificates": [
+ "ZHVtbXlFeGFtcGxlVGVzdFZhbHVlRm9yQ2VydGlmaWNhdGVUb0JlQWRkZWQ="
+ ]
+ },
 "nodeResourceGroup": "MC_rg1_clustername1_location1",
 "enableRBAC": true,
 "diskEncryptionSetID": "/subscriptions/subid1/resourceGroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des",
@@ -208,6 +218,11 @@
 "servicePrincipalProfile": {
 "clientId": "clientid"
 },
+ "securityProfile": {
+ "customCATrustCertificates": [
+ "ZHVtbXlFeGFtcGxlVGVzdFZhbHVlRm9yQ2VydGlmaWNhdGVUb0JlQWRkZWQ="
+ ]
+ },
 "nodeResourceGroup": "MC_rg1_clustername1_location1",
 "enableRBAC": true,
 "diskEncryptionSetID": "/subscriptions/subid1/resourceGroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des",
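Review bot: The certificate value used in every added `customCATrustCertificates` entry, `ZHVtbXlFeGFtcGxlVGVzdFZhbHVlRm9yQ2VydGlmaWNhdGVUb0JlQWRkZWQ=`, is the base64 of the ASCII string `dummyExampleTestValueForCertificateToBeAdded`, not of a certificate, so the example neither shows which decoded form the field expects (PEM text or DER) nor gives a value the node-side sync could parse if someone copies it. Since these examples feed generated docs and SDK samples, consider a base64 of a short self-signed test certificate, or at least a placeholder comment in the spec description stating the expected decoded encoding. The example title says Custom CA Trust is enabled, but the agentPoolProfiles where `enableCustomCATrust` would be set are outside these hunks, so I cannot confirm that an agent pool in this example actually opts in. The two later hunks look like the 200/201 response bodies and echo the list back, which is acceptable because CA certificates carry no secret material.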
diff --git a/specification/containerservice/resource-manager/Microsoft.ContainerService/preview/2022-09-02-preview/managedClusters.json b/specification/containerservice/resource-manager/Microsoft.ContainerService/preview/2022-09-02-preview/managedClusters.json
index 5c894adb1a73..1a85affe8698 100644
--- a/specification/containerservice/resource-manager/Microsoft.ContainerService/preview/2022-09-02-preview/managedClusters.json
+++ b/specification/containerservice/resource-manager/Microsoft.ContainerService/preview/2022-09-02-preview/managedClusters.json
@@ -597,7 +597,7 @@
 "Create Managed Cluster with Dedicated Host Group": {
 "$ref": "./examples/ManagedClustersCreate_DedicatedHostGroup.json"
 },
- "Create Managed Cluster with CustomCATrust enabled": {
+ "Create Managed Cluster with CustomCATrustCertificates populated and CustomCATrust enabled": {
 "$ref": "./examples/ManagedClustersCreate_EnableCustomCATrust.json"
 }
 }
@@ -3418,7 +3418,7 @@
 "enableCustomCATrust": {
 "type": "boolean",
 "title": "Whether to enable Custom CA Trust feature.",
- "description": "When set to true, AKS deploys a daemonset and host services to sync custom certificate authorities from a user-provided config map into node trust stores. Defaults to false."
+ "description": "When set to true, AKS adds a label to the node indicating that the feature is enabled and deploys a daemonset along with host services to sync custom certificate authorities from user-provided list of base64 encoded certificates into node trust stores. Defaults to false."
 },
 "nodePublicIPPrefixID": {
 "type": "string",
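Review bot: The new `enableCustomCATrust` description explains the mechanics (node label, daemonset, host services) but not the trust boundary it opens: the certificates land in the node's host trust store, so node-level TLS clients such as the kubelet and the container runtime pulling images will accept endpoints signed by them, which means anyone with write access to the managed cluster resource can install a trust anchor on every opted-in node. I would append a sentence along the lines of `Certificates installed this way are trusted by node-level components, so restrict write access to the managed cluster resource accordingly.` The previous wording referenced a user-provided config map and the new wording references the base64 list; if the config map path is still honored the description should say so, and if it has been dropped that is a behavior change for existing preview users worth stating explicitly.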
@@ -6380,6 +6380,10 @@
 "nodeRestriction": {
 "$ref": "#/definitions/ManagedClusterSecurityProfileNodeRestriction",
 "description": "[Node Restriction](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction) settings for the security profile."
+ },
+ "customCATrustCertificates": {
+ "$ref": "#/definitions/ManagedClusterSecurityProfileCustomCATrustCertificates",
+ "description": "A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the Custom CA Trust feature enabled. For more information see [Custom CA Trust Certificates](https://learn.microsoft.com/en-us/azure/aks/custom-certificate-authority)"
 }
 },
 "description": "Security profile for the container service cluster."
@@ -6529,6 +6533,17 @@
 },
 "description": "Node Restriction settings for the security profile."
 },
+ "ManagedClusterSecurityProfileCustomCATrustCertificates": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "format": "byte"
+ },
+ "minItems": 0,
+ "maxItems": 10,
+ "title": "The list of base64 encoded certificate strings that will be added to the node trust store. At most 10 strings can be provided.",
+ "description": "Certificates will only be added to trust stores on node pools that have enableCustomCATrust field set to true. If updated, the new list of certificates will be installed in the trust store in place of the old certificates. The certificates are applied asynchronously and will be available a short time after the list is updated."
+ },
 "ManagedClusterStorageProfileDiskCSIDriver": {
 "type": "object",
 "properties": {
diff --git a/specification/containerservice/resource-manager/readme.md b/specification/containerservice/resource-manager/readme.md
index 548a30cf8fc1..bea43d3c4810 100644
--- a/specification/containerservice/resource-manager/readme.md
+++ b/specification/containerservice/resource-manager/readme.md
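Review bot: `ManagedClusterSecurityProfileCustomCATrustCertificates` bounds the list length with `maxItems: 10` but says nothing about each item beyond `format: byte`: the decoded form (PEM text versus DER), any per-item size limit, and whether duplicates are accepted are all unspecified, so clients cannot validate locally and the service is the only place a malformed or oversized blob is caught. I would state the expected decoded encoding in the description and, only if the service actually enforces them, add `"maxLength"` on the item schema and `"uniqueItems": true` on the array so generated SDKs reject bad input before it reaches ARM. The description says an updated list replaces the old one, and with `minItems: 0` that presumably means an empty array removes every previously installed certificate; that is worth saying explicitly, because a PUT that omits or empties the field may silently clear trust anchors the nodes depend on. The asynchronous apply also means a successful ARM response does not prove the certificates are installed, so if a node-side signal of completion exists the description should point callers at it.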
@@ -844,4 +844,8 @@ directive:
 - suppress: TrackedResourcePatchOperation
 from: containerService.json
 reason: ACS service is deprecated so a PATCH endpoint won't be implemented
+ - suppress: DefinitionsPropertiesNamesCamelCase
+ from: managedClusters.json
+ where: $.definitions.ManagedClusterSecurityProfile.properties.customCATrustCertificates
+ reason: customCATrustCertificates contains a widely used acronym, no camel case restriction needed.
 ```