Azure · zhoxing-ms · May 28, 2022 · May 6, 2022 · May 19, 2022 · May 19, 2022
@@ -12,6 +12,10 @@ To release a new version, please select a new version number (usually plus 1 to
 Pending
 +++++++
 
+0.5.76
+++++++
+* Add support for Custom CA Trust in `az aks create`, `az aks nodepool add`, `az aks nodepool update`.
+
 0.5.75
 ++++++
 

@@ -27,7 +27,8 @@
             "test_aks_snapshot",
             "test_aks_custom_kubelet_identity",
             "test_aks_nodepool_add_with_ossku_windows2022",
-            "test_list_trustedaccess_roles"
+            "test_list_trustedaccess_roles",
+            "test_aks_custom_ca_trust_flow"
         ]
     }
 }
@@ -441,6 +441,9 @@
         - name: --dns-zone-resource-id
           type: string
           short-summary: The resource ID of the DNS zone resource to use with the web_application_routing addon.
+        - name: --enable-custom-ca-trust
+          type: bool
+          short-summary: Enable Custom CA Trust on agent node pool.
     examples:
         - name: Create a Kubernetes cluster with an existing SSH public key.
           text: az aks create -g MyResourceGroup -n MyManagedCluster --ssh-key-value /path/to/publickey
@@ -504,6 +507,8 @@
           text: az aks create -g MyResourceGroup -n MyMC --kubernetes-version 1.20.13 --location westus2 --host-group-id /subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.ContainerService/hostGroups/myHostGroup --node-vm-size VMSize --enable-managed-identity --assign-identity <user_assigned_identity_resource_id>
         - name: Create a kubernetes cluster with no CNI installed.
           text: az aks create -g MyResourceGroup -n MyManagedCluster --network-plugin none
+        - name: Create a kubernetes cluster with Custom CA Trust enabled.
+          text: az aks create -g MyResourceGroup -n MyManagedCluster --enable-custom-ca-trust
 
 """.format(sp_cache=AKS_SERVICE_PRINCIPAL_CACHE)
 
@@ -1129,6 +1134,9 @@
         - name: --message-of-the-day
           type: string
           short-summary: Path to a file containing the desired message of the day. Only valid for linux nodes. Will be written to /etc/motd.
+        - name: --enable-custom-ca-trust
+          type: bool
+          short-summary: Enable Custom CA Trust on agent node pool.
     examples:
         - name: Create a nodepool in an existing AKS cluster with ephemeral os enabled.
           text: az aks nodepool add -g MyResourceGroup -n nodepool1 --cluster-name MyManagedCluster --node-osdisk-type Ephemeral --node-osdisk-size 48
@@ -1211,6 +1219,12 @@
         - name: --node-taints
           type: string
           short-summary: The node taints for the node pool.
+        - name: --enable-custom-ca-trust
+          type: bool
+          short-summary: Enable Custom CA Trust on agent node pool.
+        - name: --dcat --disable-custom-ca-trust
+          type: bool
+          short-summary: Disable Custom CA Trust on agent node pool.
         - name: --aks-custom-headers
           type: string
           short-summary: Send custom headers. When specified, format should be Key1=Value1,Key2=Value2

@@ -109,6 +109,7 @@
     validate_user,
     validate_vm_set_type,
     validate_vnet_subnet_id,
+    validate_enable_custom_ca_trust,
 )
 
 # candidates for enumeration
@@ -299,6 +300,8 @@ def load_arguments(self, _):
         c.argument('enable_apiserver_vnet_integration', action='store_true', is_preview=True)
         c.argument('apiserver_subnet_id', validator=validate_apiserver_subnet_id, is_preview=True)
         c.argument('dns-zone-resource-id')
+        # no validation for aks create because it already only supports Linux.
+        c.argument('enable_custom_ca_trust', action='store_true')
 
     with self.argument_context('aks update') as c:
         # managed cluster paramerters
@@ -445,6 +448,7 @@ def load_arguments(self, _):
             c.argument('kubelet_config')
             c.argument('linux_os_config')
             c.argument('aks_custom_headers')
+            c.argument('enable_custom_ca_trust', action='store_true', validator=validate_enable_custom_ca_trust)
             # extensions
             c.argument('host_group_id', validator=validate_host_group_id, is_preview=True)
             c.argument('crg_id', validator=validate_crg_id, is_preview=True)
@@ -484,6 +488,8 @@ def load_arguments(self, _):
         c.argument('max_surge', validator=validate_max_surge)
         c.argument('mode', arg_type=get_enum_type(node_mode_types))
         c.argument('scale_down_mode', arg_type=get_enum_type(scale_down_modes))
+        c.argument('enable_custom_ca_trust', action='store_true', validator=validate_enable_custom_ca_trust)
+        c.argument('disable_custom_ca_trust', options_list=['--disable-custom-ca-trust', '--dcat'], action='store_true')
 
     with self.argument_context('aks addon show') as c:
         c.argument('addon', options_list=[

@@ -585,3 +585,11 @@ def validate_azure_keyvault_kms_key_id(namespace):
         segments = key_id[len(https_prefix):].split("/")
         if len(segments) != 4 or segments[1] != "keys":
             raise InvalidArgumentValueError(err_msg)
+
+
+def validate_enable_custom_ca_trust(namespace):
+    """Validates Custom CA Trust can only be used on Linux."""
+    if namespace.enable_custom_ca_trust:
+        if hasattr(namespace, 'os_type') and namespace.os_type != "Linux":
+            raise ArgumentUsageError(
+                '--enable_custom_ca_trust can only be set for Linux nodepools')
@@ -16,7 +16,10 @@
     AKSAgentPoolParamDict,
     AKSAgentPoolUpdateDecorator,
 )
-from azure.cli.core.azclierror import InvalidArgumentValueError
+from azure.cli.core.azclierror import (
+    ArgumentUsageError,
+    InvalidArgumentValueError,
+)
 from azure.cli.core.commands import AzCliCommand
 from azure.cli.core.profiles import ResourceType
 from azure.cli.core.util import read_file_content

@@ -812,6 +812,7 @@ def aks_create(cmd,
                enable_apiserver_vnet_integration=False,
                apiserver_subnet_id=None,
                dns_zone_resource_id=None,
+               enable_custom_ca_trust=False,
                yes=False):
     # DO NOT MOVE: get all the original parameters and save them as a dictionary
     raw_parameters = locals()
@@ -902,7 +903,8 @@ def aks_update(cmd,     # pylint: disable=too-many-statements,too-many-branches,
                enable_azure_keyvault_kms=False,
                azure_keyvault_kms_key_id=None,
                enable_apiserver_vnet_integration=False,
-               apiserver_subnet_id=None):
+               apiserver_subnet_id=None,
+               ):
     # DO NOT MOVE: get all the original parameters and save them as a dictionary
     raw_parameters = locals()
 
@@ -1651,8 +1653,9 @@ def aks_agentpool_add(cmd,      # pylint: disable=unused-argument,too-many-local
                       message_of_the_day=None,
                       workload_runtime=None,
                       gpu_instance_profile=None,
+                      enable_custom_ca_trust=False，
                       no_wait=False,
-                      aks_custom_headers=None,):
+                      aks_custom_headers=None):
     instances = client.list(resource_group_name, cluster_name)
     for agentpool_profile in instances:
         if agentpool_profile.name == nodepool_name:
@@ -1729,7 +1732,8 @@ def aks_agentpool_add(cmd,      # pylint: disable=unused-argument,too-many-local
         gpu_instance_profile=gpu_instance_profile,
         creation_data=creationData,
         host_group_id=host_group_id,
-        capacity_reservation_group_id=crg_id
+        capacity_reservation_group_id=crg_id,
+        enable_custom_ca_trust=enable_custom_ca_trust
     )
 
     if priority == CONST_SCALE_SET_PRIORITY_SPOT:
@@ -1851,13 +1855,16 @@ def aks_agentpool_update(cmd,   # pylint: disable=unused-argument
                          max_surge=None,
                          mode=None,
                          scale_down_mode=None,
+                         enable_custom_ca_trust=False,
+                         disable_custom_ca_trust=False，
                          no_wait=False,
                          aks_custom_headers=None):
-
     update_autoscaler = enable_cluster_autoscaler + \
         disable_cluster_autoscaler + update_cluster_autoscaler
 
-    if (update_autoscaler != 1 and not tags and not scale_down_mode and not mode and not max_surge and labels is None and node_taints is None):
+    update_custom_ca_trust = enable_custom_ca_trust + disable_custom_ca_trust
+
+    if (update_autoscaler != 1 and not tags and not scale_down_mode and not mode and not max_surge and labels is None and node_taints is None and not update_custom_ca_trust):
         reconcilePrompt = 'no argument specified to update would you like to reconcile to current settings?'
         if not prompt_y_n(reconcilePrompt, default="n"):
             raise CLIError('Please specify one or more of "--enable-cluster-autoscaler" or '
@@ -1931,6 +1938,17 @@ def aks_agentpool_update(cmd,   # pylint: disable=unused-argument
 
     if labels is not None:
         instance.node_labels = labels
+
+    if enable_custom_ca_trust:
+        instance.enable_custom_ca_trust = True
+
+    if disable_custom_ca_trust:
+        if not instance.enable_custom_ca_trust:
+            logger.warning(
+                'Custom CA Trust is already disabled for this node pool.')
+            return None
+        instance.enable_custom_ca_trust = False
+
     return sdk_no_wait(no_wait, client.begin_create_or_update, resource_group_name, cluster_name, nodepool_name, instance)
-Original file line number
+Diff line change
@@ Expand Up @@
     Pending
     +++++++
+.5.76
+    ++++++
+    * Add support for Custom CA Trust in `az aks create`, `az aks nodepool add`, `az aks nodepool update`.
 .5.75
     ++++++
@@ Expand Down @@