From 4711b47be2753793efae5ae5cfa04a0b638c2510 Mon Sep 17 00:00:00 2001
From: Ammar Alavi
Date: Tue, 17 Feb 2026 02:24:20 +0530
Subject: [PATCH 1/2] Add env variable to symphony and msi adapter to remove admin capabilities
---
 .../helm/symphony/templates/symphony-core/symphony-api.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/packages/helm/symphony/templates/symphony-core/symphony-api.yaml b/packages/helm/symphony/templates/symphony-core/symphony-api.yaml
index 59fc889aa..7b39f66e3 100644
--- a/packages/helm/symphony/templates/symphony-core/symphony-api.yaml
+++ b/packages/helm/symphony/templates/symphony-core/symphony-api.yaml
@@ -56,6 +56,10 @@ spec:
 fieldPath: spec.serviceAccountName
 - name: SYMPHONY_CONTROLLER_SERVICE_ACCOUNT_NAME
 value: '{{ include "symphony.fullname" . }}-controller-manager'
+ - name: IDENTITY_ENDPOINT
+ value: "http://127.0.0.1:8421/metadata/identity/oauth2/token"
+ - name: IDENTITY_HEADER
+ value: "ArcK8s"
 envFrom:
 - secretRef:
 name: {{ include "symphony.fullname" . }}-auth
@@ -106,6 +110,8 @@ spec:
 env:
 - name: TOKEN_NAMESPACE
 value: {{ .Release.Namespace }}
+ - name: ENABLE_LOCALHOST_TOKEN_ENDPOINT
+ value: "true"
 {{- .Values.global.azure.identity.mSIAdapterYaml | nindent 8 }}
 {{- end }}
 volumes:
From 391a1735b105a20d761fe94ea53e584e5255aa8d Mon Sep 17 00:00:00 2001
From: ammar-alavi10
Date: Tue, 17 Feb 2026 06:29:03 +0530
Subject: [PATCH 2/2] add env var behind msi adaper flag
---
 .../helm/symphony/templates/symphony-core/symphony-api.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/packages/helm/symphony/templates/symphony-core/symphony-api.yaml b/packages/helm/symphony/templates/symphony-core/symphony-api.yaml
index 7b39f66e3..708a719ea 100644
--- a/packages/helm/symphony/templates/symphony-core/symphony-api.yaml
+++ b/packages/helm/symphony/templates/symphony-core/symphony-api.yaml
@@ -56,10 +56,12 @@ spec:
 fieldPath: spec.serviceAccountName
 - name: SYMPHONY_CONTROLLER_SERVICE_ACCOUNT_NAME
 value: '{{ include "symphony.fullname" . }}-controller-manager'
+ {{- if .Values.global.azure.identity.mSIAdapterYaml }}
 - name: IDENTITY_ENDPOINT
 value: "http://127.0.0.1:8421/metadata/identity/oauth2/token"
 - name: IDENTITY_HEADER
 value: "ArcK8s"
+ {{- end }}
 envFrom:
 - secretRef:
 name: {{ include "symphony.fullname" . }}-auth
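Review bot: `IDENTITY_HEADER` is the fixed string `"ArcK8s"` and `IDENTITY_ENDPOINT` is plain HTTP on `127.0.0.1:8421`, so any container sharing this pod's network namespace can presumably request a token from the adapter. If the adapter relies on that header as its request-forgery guard (not visible here), a constant published in the chart adds little protection. Port 8421 is also hard-coded in these lines while the adapter container is rendered from `.Values.global.azure.identity.mSIAdapterYaml`, so nothing in the hunk keeps the two in step. I would add a comment above the first entry inside the `if`, such as `# token endpoint of the msi-adapter sidecar; port must match mSIAdapterYaml; reachable from every container in this pod`, and consider taking the port from values. The container spec begins and ends outside the hunk.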