BREAKING CHANGE: restrict taints and startupTaints for the domain "kubernetes.azure.com"

[charliedmcb]

Fixes #

Description
Restricting the domain of taints, and startupTaints for the domain "kubernetes.azure.com".

This is to align with AKS validation of taints, and usage of well-known taints.

Note: had to restrict taints to a max of 100 to work within CEL validation time complexity limits

Broken off fixing the cel validation for labels and requirements into separate PR here:

• test(CEL): fix CEL validation in testing for Labels, and Requirements #1168

How was this change tested?

Manually tested impact of having these CRDs applied, if there was an existing non-compliant NodePool, and found the following:
(1) A warning will be returned on an update that doesn't modify the taint:

(2) An error will be returned if the taint is removed, and then attempted to be reapplied:

E2E runs:

• https://github.com/Azure/karpenter-provider-azure/actions/runs/17812964958
• https://github.com/Azure/karpenter-provider-azure/actions/runs/17869614118

Does this change impact docs?

• Yes, PR includes docs updates
• Yes, issue opened: #
• No

Release Note

BREAKING CHANGE:
- "taints": restricted keys, will reject any non-well-known taint key for the domain "kubernetes.azure.com" (well-known taints: "kubernetes.azure.com/scalesetpriority" and "kubernetes.azure.com/mode")
- "taints": restricted to a "maxItems: 100"
- "startupTaints": restricted keys, will reject any taint for the domain "kubernetes.azure.com"

[tallaxes]

The implementation LGTM. In the larger picture, I have some concerns surrounding implicit application of taints in general (Karpenter - or any autoscaler - needs to be aware of expected taints), and spot-specific taint in particular (breaks mixed nodepools); discussing offline.