Address review feedback on MCPOIDCConfig MCPRemoteProxy wiring

- Add CEL XValidation rule enforcing mutual exclusivity between
  oidcConfig and oidcConfigRef
- Make oidcConfig optional (pointer type) with deprecation notice,
  matching the MCPServer pattern from PR #4481
- Reuse shared OIDC condition constants from MCPServer types instead
  of introducing duplicate per-type constants
- Use ConditionReasonOIDCConfigRefNotValid (matching MCPServer/vMCP)
  instead of the divergent OIDCConfigRefNotReady
- Add nil guards in validation methods for the now-optional oidcConfig
- Fix all downstream value→pointer type changes in tests and helpers
- Regenerate CRDs, Helm templates, DeepCopy, and API docs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: ChrisJBurns

cmd/thv-operator/api/v1alpha1/mcpremoteproxy_types.go

@@ -34,6 +34,10 @@ type HeaderFromSecret struct {
 }
 
 // MCPRemoteProxySpec defines the desired state of MCPRemoteProxy
+//
+// +kubebuilder:validation:XValidation:rule="!(has(self.oidcConfig) && has(self.oidcConfigRef))",message="oidcConfig and oidcConfigRef are mutually exclusive; use oidcConfigRef to reference a shared MCPOIDCConfig"
+//
+//nolint:lll // CEL validation rules exceed line length limit
 type MCPRemoteProxySpec struct {
 	// RemoteURL is the URL of the remote MCP server to proxy
 	// +kubebuilder:validation:Required
@@ -51,10 +55,11 @@ type MCPRemoteProxySpec struct {
 	// +kubebuilder:default=streamable-http
 	Transport string `json:"transport,omitempty"`
 
-	// OIDCConfig defines OIDC authentication configuration for the proxy
-	// This validates incoming tokens from clients. Required for proxy mode.
-	// +kubebuilder:validation:Required
-	OIDCConfig OIDCConfigRef `json:"oidcConfig"`
+	// OIDCConfig defines OIDC authentication configuration for the proxy.
+	// Deprecated: Use OIDCConfigRef to reference a shared MCPOIDCConfig resource instead.
+	// This field will be removed in v1beta1. OIDCConfig and OIDCConfigRef are mutually exclusive.
+	// +optional
+	OIDCConfig *OIDCConfigRef `json:"oidcConfig,omitempty"`
 
 	// OIDCConfigRef references a shared MCPOIDCConfig resource for OIDC authentication.
 	// The referenced MCPOIDCConfig must exist in the same namespace as this MCPRemoteProxy.
@@ -210,9 +215,6 @@ const (
 	// ConditionTypeMCPRemoteProxyExternalAuthConfigValidated indicates whether the ExternalAuthConfigRef is valid
 	ConditionTypeMCPRemoteProxyExternalAuthConfigValidated = "ExternalAuthConfigValidated"
 
-	// ConditionTypeMCPRemoteProxyOIDCConfigRefValidated indicates whether the OIDCConfigRef is valid
-	ConditionTypeMCPRemoteProxyOIDCConfigRefValidated = "OIDCConfigRefValidated"
-
 	// ConditionTypeConfigurationValid indicates whether the proxy spec has passed all pre-deployment validation checks
 	ConditionTypeConfigurationValid = "ConfigurationValid"
 )
@@ -271,15 +273,6 @@ const (
 	// for MCPRemoteProxy (use VirtualMCPServer for multi-upstream).
 	ConditionReasonMCPRemoteProxyExternalAuthConfigMultiUpstream = "MultiUpstreamNotSupported"
 
-	// ConditionReasonMCPRemoteProxyOIDCConfigRefValid indicates the referenced MCPOIDCConfig is valid and ready
-	ConditionReasonMCPRemoteProxyOIDCConfigRefValid = "OIDCConfigRefValid"
-
-	// ConditionReasonMCPRemoteProxyOIDCConfigRefNotFound indicates the referenced MCPOIDCConfig was not found
-	ConditionReasonMCPRemoteProxyOIDCConfigRefNotFound = "OIDCConfigRefNotFound"
-
-	// ConditionReasonMCPRemoteProxyOIDCConfigRefNotReady indicates the referenced MCPOIDCConfig is not ready
-	ConditionReasonMCPRemoteProxyOIDCConfigRefNotReady = "OIDCConfigRefNotReady"
-
 	// ConditionReasonConfigurationValid indicates all configuration validations passed
 	ConditionReasonConfigurationValid = "ConfigurationValid"
 
@@ -348,7 +341,7 @@ func (m *MCPRemoteProxy) GetNamespace() string {
 
 // GetOIDCConfig returns the OIDC configuration reference
 func (m *MCPRemoteProxy) GetOIDCConfig() *OIDCConfigRef {
-	return &m.Spec.OIDCConfig
+	return m.Spec.OIDCConfig
 }
 
 // GetProxyPort returns the proxy port of the MCPRemoteProxy

cmd/thv-operator/api/v1alpha1/zz_generated.deepcopy.go

@@ -435,6 +435,9 @@ func setConfigurationInvalidCondition(proxy *mcpv1alpha1.MCPRemoteProxy, reason,
 // validateOIDCIssuerURL validates the OIDC issuer URL scheme.
 func (*MCPRemoteProxyReconciler) validateOIDCIssuerURL(proxy *mcpv1alpha1.MCPRemoteProxy) error {
 	oidcConfig := proxy.Spec.OIDCConfig
+	if oidcConfig == nil {
+		return nil
+	}
 
 	switch oidcConfig.Type {
 	case mcpv1alpha1.OIDCConfigTypeInline:
@@ -453,6 +456,9 @@ func (*MCPRemoteProxyReconciler) validateOIDCIssuerURL(proxy *mcpv1alpha1.MCPRem
 // validateJWKSURL validates the JWKS URL scheme in the OIDC config.
 func (*MCPRemoteProxyReconciler) validateJWKSURL(proxy *mcpv1alpha1.MCPRemoteProxy) error {
 	oidcConfig := proxy.Spec.OIDCConfig
+	if oidcConfig == nil {
+		return nil
+	}
 
 	switch oidcConfig.Type {
 	case mcpv1alpha1.OIDCConfigTypeInline:
@@ -727,9 +733,9 @@ func (r *MCPRemoteProxyReconciler) handleOIDCConfig(ctx context.Context, proxy *
 	oidcConfig, err := ctrlutil.GetOIDCConfigForServer(ctx, r.Client, proxy.Namespace, proxy.Spec.OIDCConfigRef)
 	if err != nil {
 		meta.SetStatusCondition(&proxy.Status.Conditions, metav1.Condition{
-			Type:               mcpv1alpha1.ConditionTypeMCPRemoteProxyOIDCConfigRefValidated,
+			Type:               mcpv1alpha1.ConditionOIDCConfigRefValidated,
 			Status:             metav1.ConditionFalse,
-			Reason:             mcpv1alpha1.ConditionReasonMCPRemoteProxyOIDCConfigRefNotFound,
+			Reason:             mcpv1alpha1.ConditionReasonOIDCConfigRefNotFound,
 			Message:            fmt.Sprintf("MCPOIDCConfig %s not found: %v", proxy.Spec.OIDCConfigRef.Name, err),
 			ObservedGeneration: proxy.Generation,
 		})
@@ -741,9 +747,9 @@ func (r *MCPRemoteProxyReconciler) handleOIDCConfig(ctx context.Context, proxy *
 
 	if oidcConfig == nil {
 		meta.SetStatusCondition(&proxy.Status.Conditions, metav1.Condition{
-			Type:               mcpv1alpha1.ConditionTypeMCPRemoteProxyOIDCConfigRefValidated,
+			Type:               mcpv1alpha1.ConditionOIDCConfigRefValidated,
 			Status:             metav1.ConditionFalse,
-			Reason:             mcpv1alpha1.ConditionReasonMCPRemoteProxyOIDCConfigRefNotFound,
+			Reason:             mcpv1alpha1.ConditionReasonOIDCConfigRefNotFound,
 			Message:            fmt.Sprintf("MCPOIDCConfig %s not found", proxy.Spec.OIDCConfigRef.Name),
 			ObservedGeneration: proxy.Generation,
 		})
@@ -761,9 +767,9 @@ func (r *MCPRemoteProxyReconciler) handleOIDCConfig(ctx context.Context, proxy *
 			msg = fmt.Sprintf("MCPOIDCConfig %s is not ready: %s", proxy.Spec.OIDCConfigRef.Name, readyCondition.Message)
 		}
 		meta.SetStatusCondition(&proxy.Status.Conditions, metav1.Condition{
-			Type:               mcpv1alpha1.ConditionTypeMCPRemoteProxyOIDCConfigRefValidated,
+			Type:               mcpv1alpha1.ConditionOIDCConfigRefValidated,
 			Status:             metav1.ConditionFalse,
-			Reason:             mcpv1alpha1.ConditionReasonMCPRemoteProxyOIDCConfigRefNotReady,
+			Reason:             mcpv1alpha1.ConditionReasonOIDCConfigRefNotValid,
 			Message:            msg,
 			ObservedGeneration: proxy.Generation,
 		})
@@ -781,9 +787,9 @@ func (r *MCPRemoteProxyReconciler) handleOIDCConfig(ctx context.Context, proxy *
 
 	// Set valid condition
 	meta.SetStatusCondition(&proxy.Status.Conditions, metav1.Condition{
-		Type:               mcpv1alpha1.ConditionTypeMCPRemoteProxyOIDCConfigRefValidated,
+		Type:               mcpv1alpha1.ConditionOIDCConfigRefValidated,
 		Status:             metav1.ConditionTrue,
-		Reason:             mcpv1alpha1.ConditionReasonMCPRemoteProxyOIDCConfigRefValid,
+		Reason:             mcpv1alpha1.ConditionReasonOIDCConfigRefValid,
 		Message:            fmt.Sprintf("MCPOIDCConfig %s is valid and ready", proxy.Spec.OIDCConfigRef.Name),
 		ObservedGeneration: proxy.Generation,
 	})

cmd/thv-operator/controllers/mcpremoteproxy_controller.go

@@ -57,7 +57,7 @@ func TestMCPRemoteProxyValidateSpec(t *testing.T) {
 				Spec: mcpv1alpha1.MCPRemoteProxySpec{
 					RemoteURL: "https://mcp.salesforce.com",
 					ProxyPort: 8080,
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "https://login.salesforce.com",
@@ -77,7 +77,7 @@ func TestMCPRemoteProxyValidateSpec(t *testing.T) {
 				},
 				Spec: mcpv1alpha1.MCPRemoteProxySpec{
 					ProxyPort: 8080,
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "https://auth.example.com",
@@ -101,7 +101,7 @@ func TestMCPRemoteProxyValidateSpec(t *testing.T) {
 				Spec: mcpv1alpha1.MCPRemoteProxySpec{
 					RemoteURL: "https://mcp.example.com",
 					ProxyPort: 8080,
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "https://auth.company.com",
@@ -159,7 +159,7 @@ func TestMCPRemoteProxyReconcile_CreateResources(t *testing.T) {
 		Spec: mcpv1alpha1.MCPRemoteProxySpec{
 			RemoteURL: "https://mcp.salesforce.com",
 			ProxyPort: 8080,
-			OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+			OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 				Type: mcpv1alpha1.OIDCConfigTypeInline,
 				Inline: &mcpv1alpha1.InlineOIDCConfig{
 					Issuer:   "https://login.salesforce.com",

cmd/thv-operator/controllers/mcpremoteproxy_controller_test.go

@@ -189,17 +189,7 @@ func (r *MCPRemoteProxyReconciler) buildEnvVarsForProxy(
 	}
 
 	// Add OIDC client secret environment variable if using inline config with secretRef
-	if proxy.Spec.OIDCConfig.Type == "inline" && proxy.Spec.OIDCConfig.Inline != nil {
-		oidcClientSecretEnvVar, err := ctrlutil.GenerateOIDCClientSecretEnvVar(
-			ctx, r.Client, proxy.Namespace, proxy.Spec.OIDCConfig.Inline.ClientSecretRef,
-		)
-		if err != nil {
-			ctxLogger := log.FromContext(ctx)
-			ctxLogger.Error(err, "Failed to generate OIDC client secret environment variable")
-		} else if oidcClientSecretEnvVar != nil {
-			env = append(env, *oidcClientSecretEnvVar)
-		}
-	}
+	env = append(env, r.buildOIDCClientSecretEnvVars(ctx, proxy)...)
 
 	// Add header forward secret environment variables
 	if proxy.Spec.HeaderForward != nil && len(proxy.Spec.HeaderForward.AddHeadersFromSecret) > 0 {
@@ -228,6 +218,28 @@ func (r *MCPRemoteProxyReconciler) buildEnvVarsForProxy(
 	return ctrlutil.EnsureRequiredEnvVars(ctx, env)
 }
 
+// buildOIDCClientSecretEnvVars returns OIDC client secret env vars when inline OIDC config
+// with a client secret ref is used. Returns nil when OIDCConfig is nil or not inline.
+func (r *MCPRemoteProxyReconciler) buildOIDCClientSecretEnvVars(
+	ctx context.Context, proxy *mcpv1alpha1.MCPRemoteProxy,
+) []corev1.EnvVar {
+	if proxy.Spec.OIDCConfig == nil || proxy.Spec.OIDCConfig.Type != "inline" || proxy.Spec.OIDCConfig.Inline == nil {
+		return nil
+	}
+	oidcClientSecretEnvVar, err := ctrlutil.GenerateOIDCClientSecretEnvVar(
+		ctx, r.Client, proxy.Namespace, proxy.Spec.OIDCConfig.Inline.ClientSecretRef,
+	)
+	if err != nil {
+		ctxLogger := log.FromContext(ctx)
+		ctxLogger.Error(err, "Failed to generate OIDC client secret environment variable")
+		return nil
+	}
+	if oidcClientSecretEnvVar == nil {
+		return nil
+	}
+	return []corev1.EnvVar{*oidcClientSecretEnvVar}
+}
+
 // buildHeaderForwardSecretEnvVars builds environment variables for header forward secrets.
 // Each secret is mounted as an env var using Kubernetes SecretKeyRef, with a name following
 // the TOOLHIVE_SECRET_<identifier> pattern expected by the secrets.EnvironmentProvider.

cmd/thv-operator/controllers/mcpremoteproxy_deployment.go

@@ -892,7 +892,7 @@ func TestBuildEnvVarsForProxy(t *testing.T) {
 				},
 				Spec: mcpv1alpha1.MCPRemoteProxySpec{
 					RemoteURL: "https://mcp.example.com",
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "https://auth.example.com",

cmd/thv-operator/controllers/mcpremoteproxy_deployment_test.go

@@ -61,7 +61,7 @@ func TestMCPRemoteProxyFullReconciliation(t *testing.T) {
 					RemoteURL: "https://mcp.salesforce.com",
 					ProxyPort: 8080,
 					Transport: "streamable-http",
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "https://login.salesforce.com",
@@ -134,7 +134,7 @@ func TestMCPRemoteProxyFullReconciliation(t *testing.T) {
 					RemoteURL: "https://mcp.example.com",
 					ProxyPort: 9090,
 					Transport: "sse",
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "https://auth.company.com",
@@ -248,7 +248,7 @@ func TestMCPRemoteProxyFullReconciliation(t *testing.T) {
 				Spec: mcpv1alpha1.MCPRemoteProxySpec{
 					RemoteURL: "https://mcp.example.com",
 					ProxyPort: 8080,
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "https://auth.example.com",
@@ -363,7 +363,7 @@ func TestMCPRemoteProxyConfigChangePropagation(t *testing.T) {
 		Spec: mcpv1alpha1.MCPRemoteProxySpec{
 			RemoteURL: "https://mcp.example.com",
 			ProxyPort: 8080,
-			OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+			OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 				Type: mcpv1alpha1.OIDCConfigTypeInline,
 				Inline: &mcpv1alpha1.InlineOIDCConfig{
 					Issuer:   "https://auth.example.com",
@@ -444,7 +444,7 @@ func TestMCPRemoteProxyStatusProgression(t *testing.T) {
 		Spec: mcpv1alpha1.MCPRemoteProxySpec{
 			RemoteURL: "https://mcp.example.com",
 			ProxyPort: 8080,
-			OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+			OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 				Type: mcpv1alpha1.OIDCConfigTypeInline,
 				Inline: &mcpv1alpha1.InlineOIDCConfig{
 					Issuer:   "https://auth.example.com",
@@ -617,7 +617,7 @@ func TestEnsureAuthzConfigMapShared(t *testing.T) {
 		},
 		Spec: mcpv1alpha1.MCPRemoteProxySpec{
 			RemoteURL: "https://mcp.example.com",
-			OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+			OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 				Type: mcpv1alpha1.OIDCConfigTypeInline,
 				Inline: &mcpv1alpha1.InlineOIDCConfig{
 					Issuer:   "https://auth.example.com",
@@ -681,7 +681,7 @@ func TestRBACClientIntegration(t *testing.T) {
 		},
 		Spec: mcpv1alpha1.MCPRemoteProxySpec{
 			RemoteURL: "https://mcp.example.com",
-			OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+			OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 				Type: mcpv1alpha1.OIDCConfigTypeInline,
 				Inline: &mcpv1alpha1.InlineOIDCConfig{
 					Issuer:   "https://auth.example.com",
@@ -813,7 +813,7 @@ func TestValidateSpecConfigurationConditions(t *testing.T) {
 				ObjectMeta: metav1.ObjectMeta{Name: "http-oidc-proxy", Namespace: "default"},
 				Spec: mcpv1alpha1.MCPRemoteProxySpec{
 					RemoteURL: "https://mcp.example.com",
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "http://insecure-idp.example.com",
@@ -833,7 +833,7 @@ func TestValidateSpecConfigurationConditions(t *testing.T) {
 				ObjectMeta: metav1.ObjectMeta{Name: "http-insecure-proxy", Namespace: "default"},
 				Spec: mcpv1alpha1.MCPRemoteProxySpec{
 					RemoteURL: "https://mcp.example.com",
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:            "http://dev-idp.example.com",
@@ -853,7 +853,7 @@ func TestValidateSpecConfigurationConditions(t *testing.T) {
 				ObjectMeta: metav1.ObjectMeta{Name: "https-oidc-proxy", Namespace: "default"},
 				Spec: mcpv1alpha1.MCPRemoteProxySpec{
 					RemoteURL: "https://mcp.example.com",
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "https://auth.example.com",
@@ -872,7 +872,7 @@ func TestValidateSpecConfigurationConditions(t *testing.T) {
 				ObjectMeta: metav1.ObjectMeta{Name: "invalid-cedar-proxy", Namespace: "default"},
 				Spec: mcpv1alpha1.MCPRemoteProxySpec{
 					RemoteURL: "https://mcp.example.com",
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "https://auth.example.com",
@@ -898,7 +898,7 @@ func TestValidateSpecConfigurationConditions(t *testing.T) {
 				ObjectMeta: metav1.ObjectMeta{Name: "missing-configmap-proxy", Namespace: "default"},
 				Spec: mcpv1alpha1.MCPRemoteProxySpec{
 					RemoteURL: "https://mcp.example.com",
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "https://auth.example.com",
@@ -924,7 +924,7 @@ func TestValidateSpecConfigurationConditions(t *testing.T) {
 				ObjectMeta: metav1.ObjectMeta{Name: "missing-header-secret-proxy", Namespace: "default"},
 				Spec: mcpv1alpha1.MCPRemoteProxySpec{
 					RemoteURL: "https://mcp.example.com",
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "https://auth.example.com",
@@ -955,7 +955,7 @@ func TestValidateSpecConfigurationConditions(t *testing.T) {
 				ObjectMeta: metav1.ObjectMeta{Name: "bad-scheme-proxy", Namespace: "default"},
 				Spec: mcpv1alpha1.MCPRemoteProxySpec{
 					RemoteURL: "ftp://bad-scheme.example.com",
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "https://auth.example.com",
@@ -975,7 +975,7 @@ func TestValidateSpecConfigurationConditions(t *testing.T) {
 				ObjectMeta: metav1.ObjectMeta{Name: "http-jwks-proxy", Namespace: "default"},
 				Spec: mcpv1alpha1.MCPRemoteProxySpec{
 					RemoteURL: "https://mcp.example.com",
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "https://auth.example.com",
@@ -1064,7 +1064,7 @@ func TestValidateAndHandleConfigs(t *testing.T) {
 				Spec: mcpv1alpha1.MCPRemoteProxySpec{
 					RemoteURL: "https://mcp.example.com",
 					ProxyPort: 8080,
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "https://auth.example.com",
@@ -1100,7 +1100,7 @@ func TestValidateAndHandleConfigs(t *testing.T) {
 				Spec: mcpv1alpha1.MCPRemoteProxySpec{
 					RemoteURL: "https://mcp.example.com",
 					ProxyPort: 8080,
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "https://auth.example.com",