Azure · yanzhudd · Oct 15, 2025 · Oct 9, 2025 · Oct 13, 2025
@@ -11,8 +11,14 @@ To release a new version, please select a new version number (usually plus 1 to
 
 Pending
 +++++++
+
+19.0.0b1
++++++++
+* [BREAKING CHANGE]: `az aks create`: remove `--enable-custom-ca-trust` and `--disable-custom-ca-trust` options
+* [BREAKING CHANGE]: `az aks update`: remove `--enable-custom-ca-trust` and `--disable-custom-ca-trust` options
+* [BREAKING CHANGE]: `az aks nodepool add`: remove `--enable-custom-ca-trust` and `--disable-custom-ca-trust` options
+* [BREAKING CHANGE]: `az aks nodepool update`: remove `--enable-custom-ca-trust` and `--disable-custom-ca-trust` options
 * Vendor new SDK and bump API version to 2025-08-02-preview.
-* Pre-deprecate `--enable-custom-ca-trust` and `--disable-custom-ca-trust` in `az aks create`, `az aks update` commands.
 
 18.0.0b43
 +++++++

@@ -517,9 +517,6 @@
         - name: --dns-zone-resource-ids
           type: string
           short-summary: A comma separated list of resource IDs of the DNS zone resource to use with the App Routing addon.
-        - name: --enable-custom-ca-trust
-          type: bool
-          short-summary: Enable Custom CA Trust on agent node pool.
         - name: --ca-certs --custom-ca-trust-certificates
           type: string
           short-summary: Path to a file containing up to 10 blank line separated certificates. Only valid for linux nodes.
@@ -730,8 +727,6 @@
           text: az aks create -g MyResourceGroup -n MyMC --kubernetes-version 1.20.13 --location westus2 --host-group-id /subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.ContainerService/hostGroups/myHostGroup --node-vm-size VMSize --enable-managed-identity --assign-identity <user_assigned_identity_resource_id>
         - name: Create a kubernetes cluster with no CNI installed.
           text: az aks create -g MyResourceGroup -n MyManagedCluster --network-plugin none
-        - name: Create a kubernetes cluster with Custom CA Trust enabled.
-          text: az aks create -g MyResourceGroup -n MyManagedCluster --enable-custom-ca-trust
         - name: Create a kubernetes cluster with safeguards set to "Warning"
           text: az aks create -g MyResourceGroup -n MyManagedCluster --safeguards-level Warning --enable-addons azure-policy
         - name: Create a kubernetes cluster with safeguards set to "Warning" and some namespaces excluded
@@ -2019,9 +2014,6 @@
         - name: --message-of-the-day
           type: string
           short-summary: Path to a file containing the desired message of the day. Only valid for linux nodes. Will be written to /etc/motd.
-        - name: --enable-custom-ca-trust
-          type: bool
-          short-summary: Enable Custom CA Trust on agent node pool.
         - name: --disable-windows-outbound-nat
           type: bool
           short-summary: Disable Windows OutboundNAT on Windows agent node pool. Must use VMSS agent pool type.
@@ -2241,12 +2233,6 @@
         - name: --node-taints
           type: string
           short-summary: The node taints for the node pool.
-        - name: --enable-custom-ca-trust
-          type: bool
-          short-summary: Enable Custom CA Trust on agent node pool.
-        - name: --dcat --disable-custom-ca-trust
-          type: bool
-          short-summary: Disable Custom CA Trust on agent node pool.
         - name: --aks-custom-headers
           type: string
           short-summary: Send custom headers. When specified, format should be Key1=Value1,Key2=Value2

@@ -186,7 +186,6 @@
     validate_defender_disable_and_enable_parameters,
     validate_disable_windows_outbound_nat,
     validate_asm_egress_name,
-    validate_enable_custom_ca_trust,
     validate_eviction_policy,
     validate_grafanaresourceid,
     validate_host_group_id,
@@ -976,8 +975,6 @@ def load_arguments(self, _):
             arg_type=get_enum_type(workload_runtimes),
             default=CONST_WORKLOAD_RUNTIME_OCI_CONTAINER,
         )
-        # no validation for aks create because it already only supports Linux.
-        c.argument("enable_custom_ca_trust", action="store_true")
         c.argument(
             "nodepool_allowed_host_ports",
             validator=validate_allowed_host_ports,
@@ -1779,11 +1776,6 @@ def load_arguments(self, _):
             arg_type=get_enum_type(workload_runtimes),
             default=CONST_WORKLOAD_RUNTIME_OCI_CONTAINER,
         )
-        c.argument(
-            "enable_custom_ca_trust",
-            action="store_true",
-            validator=validate_enable_custom_ca_trust,
-        )
         c.argument(
             "disable_windows_outbound_nat",
             action="store_true",
@@ -1898,16 +1890,6 @@ def load_arguments(self, _):
         c.argument("mode", arg_type=get_enum_type(node_mode_types))
         c.argument("scale_down_mode", arg_type=get_enum_type(scale_down_modes))
         # extensions
-        c.argument(
-            "enable_custom_ca_trust",
-            action="store_true",
-            validator=validate_enable_custom_ca_trust,
-        )
-        c.argument(
-            "disable_custom_ca_trust",
-            options_list=["--disable-custom-ca-trust", "--dcat"],
-            action="store_true",
-        )
         c.argument(
             "allowed_host_ports", validator=validate_allowed_host_ports, is_preview=True
         )

@@ -731,14 +731,6 @@ def validate_bootstrap_container_registry_resource_id(namespace):
         raise InvalidArgumentValueError("--bootstrap-container-registry-resource-id is not a valid Azure resource ID.")
 
 
-def validate_enable_custom_ca_trust(namespace):
-    """Validates Custom CA Trust can only be used on Linux."""
-    if namespace.enable_custom_ca_trust:
-        if hasattr(namespace, 'os_type') and namespace.os_type != "Linux":
-            raise ArgumentUsageError(
-                '--enable_custom_ca_trust can only be set for Linux nodepools')
-
-
 def validate_custom_ca_trust_certificates(namespace):
     """Validates Custom CA Trust Certificates can only be used on Linux."""
     if namespace.custom_ca_trust_certificates is not None and namespace.custom_ca_trust_certificates != "":

@@ -709,7 +709,6 @@ def aks_create(
     crg_id=None,
     message_of_the_day=None,
     workload_runtime=None,
-    enable_custom_ca_trust=False,
     nodepool_allowed_host_ports=None,
     nodepool_asg_ids=None,
     node_public_ip_tags=None,
@@ -1439,7 +1438,6 @@ def aks_agentpool_add(
     crg_id=None,
     message_of_the_day=None,
     workload_runtime=None,
-    enable_custom_ca_trust=False,
     disable_windows_outbound_nat=False,
     allowed_host_ports=None,
     asg_ids=None,
@@ -1516,8 +1514,6 @@ def aks_agentpool_update(
     no_wait=False,
     aks_custom_headers=None,
     # extensions
-    enable_custom_ca_trust=False,
-    disable_custom_ca_trust=False,
     allowed_host_ports=None,
     asg_ids=None,
     enable_artifact_streaming=False,

@@ -5704,7 +5704,6 @@ def test_construct_mc_profile_preview(self):
             enable_fips=False,
             mode=CONST_NODEPOOL_MODE_SYSTEM,
             workload_runtime=CONST_WORKLOAD_RUNTIME_OCI_CONTAINER,
-            enable_custom_ca_trust=False,
             network_profile=self.models.AgentPoolNetworkProfile(),
             security_profile=ground_truth_security_profile,
         )

@@ -227,7 +227,6 @@ def test_update_agentpool_profile_preview_managed_system_mode(self):
             mode=CONST_NODEPOOL_MODE_MANAGEDSYSTEM,
             vm_size="Standard_D2s_v3",
             count=5,
-            enable_custom_ca_trust=True,
         )
 
         # Mock the update_agentpool_profile_default method
@@ -319,7 +318,6 @@ def test_update_agentpool_profile_preview_system_mode_regular_flow(self):
             "resource_group_name": "test_rg",
             "cluster_name": "test_cluster",
             "nodepool_name": "test_nodepool",
-            "enable_custom_ca_trust": True,
         }
 
         decorator = AKSPreviewAgentPoolUpdateDecorator(

@@ -137,12 +137,6 @@ def __init__(self, message_of_the_day, os_type):
         self.message_of_the_day = message_of_the_day
 
 
-class EnableCustomCATrustNamespace:
-    def __init__(self, os_type, enable_custom_ca_trust):
-        self.os_type = os_type
-        self.enable_custom_ca_trust = enable_custom_ca_trust
-
-
 class CustomCATrustCertificatesNamespace:
     def __init__(self, os_type, custom_ca_trust_certificates):
         self.os_type = os_type
@@ -331,35 +325,6 @@ def test_fail_if_os_type_invalid(self):
         )
 
 
-class TestEnableCustomCATrust(unittest.TestCase):
-    def test_pass_if_os_type_linux(self):
-        validators.validate_enable_custom_ca_trust(
-            EnableCustomCATrustNamespace("Linux", True)
-        )
-
-    def test_fail_if_os_type_windows(self):
-        with self.assertRaises(CLIError) as cm:
-            validators.validate_enable_custom_ca_trust(
-                EnableCustomCATrustNamespace("Windows", True)
-            )
-        self.assertTrue(
-            "--enable_custom_ca_trust can only be set for Linux nodepools"
-            in str(cm.exception),
-            msg=str(cm.exception),
-        )
-
-    def test_fail_if_os_type_invalid(self):
-        with self.assertRaises(CLIError) as cm:
-            validators.validate_enable_custom_ca_trust(
-                EnableCustomCATrustNamespace("invalid", True)
-            )
-        self.assertTrue(
-            "--enable_custom_ca_trust can only be set for Linux nodepools"
-            in str(cm.exception),
-            msg=str(cm.exception),
-        )
-
-
 class TestCustomCATrustCertificates(unittest.TestCase):
     def test_valid_cases(self):
         valid = ["foo", ""]

@@ -9,7 +9,7 @@
 
 from setuptools import find_packages, setup
 
-VERSION = "18.0.0b43"
+VERSION = "19.0.0b1"
 
 CLASSIFIERS = [
     "Development Status :: 4 - Beta",