stacklok · tmchow · Apr 4, 2026 · Apr 6, 2026 · Apr 6, 2026 · Apr 6, 2026
@@ -162,12 +162,12 @@ type OutgoingAuthConfig struct {
 // BackendAuthConfig defines authentication configuration for a backend MCPServer
 type BackendAuthConfig struct {
 	// Type defines the authentication type
-	// +kubebuilder:validation:Enum=discovered;external_auth_config_ref
+	// +kubebuilder:validation:Enum=discovered;externalAuthConfigRef;external_auth_config_ref
 	// +kubebuilder:validation:Required
 	Type string `json:"type"`
 
 	// ExternalAuthConfigRef references an MCPExternalAuthConfig resource
-	// Only used when Type is "external_auth_config_ref"
+	// Only used when Type is "externalAuthConfigRef" (or deprecated "external_auth_config_ref")
 	// +optional
 	ExternalAuthConfigRef *ExternalAuthConfigRef `json:"externalAuthConfigRef,omitempty"`
 }
@@ -341,7 +341,11 @@ const (
 	BackendAuthTypeDiscovered = "discovered"
 
 	// BackendAuthTypeExternalAuthConfigRef references an MCPExternalAuthConfig resource
-	BackendAuthTypeExternalAuthConfigRef = "external_auth_config_ref"
+	BackendAuthTypeExternalAuthConfigRef = "externalAuthConfigRef"
+
+	// DeprecatedBackendAuthTypeExternalAuthConfigRef is the old snake_case value.
+	// Deprecated: Use BackendAuthTypeExternalAuthConfigRef ("externalAuthConfigRef") instead.
+	DeprecatedBackendAuthTypeExternalAuthConfigRef = "external_auth_config_ref"
 )
 
 // Workflow step types
@@ -495,10 +499,10 @@ func (*VirtualMCPServer) validateBackendAuth(backendName string, auth BackendAut
 
 	// Validate type-specific configurations
 	switch auth.Type {
-	case BackendAuthTypeExternalAuthConfigRef:
+	case BackendAuthTypeExternalAuthConfigRef, DeprecatedBackendAuthTypeExternalAuthConfigRef:
 		if auth.ExternalAuthConfigRef == nil {
 			return fmt.Errorf(
-				"spec.outgoingAuth.backends[%s].externalAuthConfigRef is required when type is external_auth_config_ref",
+				"spec.outgoingAuth.backends[%s].externalAuthConfigRef is required when type is externalAuthConfigRef",
 				backendName)
 		}
 		if auth.ExternalAuthConfigRef.Name == "" {
@@ -510,7 +514,7 @@ func (*VirtualMCPServer) validateBackendAuth(backendName string, auth BackendAut
 
 	default:
 		return fmt.Errorf(
-			"spec.outgoingAuth.backends[%s].type must be one of: discovered, external_auth_config_ref",
+			"spec.outgoingAuth.backends[%s].type must be one of: discovered, externalAuthConfigRef",
 			backendName)
 	}
 

@@ -276,7 +276,7 @@ func TestBackendAuthConfigTypes(t *testing.T) {
 			isValid: true,
 		},
 		{
-			name: "external_auth_config_ref_valid",
+			name: "externalAuthConfigRef_valid",
 			authConfig: BackendAuthConfig{
 				Type: BackendAuthTypeExternalAuthConfigRef,
 				ExternalAuthConfigRef: &ExternalAuthConfigRef{

@@ -1788,7 +1788,7 @@ func (r *VirtualMCPServerReconciler) convertBackendAuthConfigToVMCP(
 		}, nil
 	}
 
-	// For type="external_auth_config_ref", fetch and convert the referenced config
+	// For type="externalAuthConfigRef", fetch and convert the referenced config
 	if crdConfig.ExternalAuthConfigRef != nil {
 		// Fetch the MCPExternalAuthConfig and convert it
 		externalAuthConfig, err := ctrlutil.GetExternalAuthConfigByName(

@@ -638,7 +638,7 @@ func TestBuildOutgoingAuthConfig(t *testing.T) {
 					OutgoingAuth: &mcpv1alpha1.OutgoingAuthConfig{
 						Source: "discovered",
 						Default: &mcpv1alpha1.BackendAuthConfig{
-							Type: "external_auth_config_ref",
+							Type: "externalAuthConfigRef",
 							ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{
 								Name: "missing-default-auth", // Auth config doesn't exist
 							},
@@ -676,7 +676,7 @@ func TestBuildOutgoingAuthConfig(t *testing.T) {
 						Source: "discovered",
 						Backends: map[string]mcpv1alpha1.BackendAuthConfig{
 							"api-backend": {
-								Type: "external_auth_config_ref",
+								Type: "externalAuthConfigRef",
 								ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{
 									Name: "missing-backend-auth",
 								},
@@ -765,7 +765,7 @@ func TestConvertBackendAuthConfigToVMCP(t *testing.T) {
 		validate    func(*testing.T, *authtypes.BackendAuthStrategy)
 	}{
 		{
-			name: "external_auth_config_ref type",
+			name: "externalAuthConfigRef type",
 			crdConfig: &mcpv1alpha1.BackendAuthConfig{
 				Type: mcpv1alpha1.BackendAuthTypeExternalAuthConfigRef,
 				ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{

@@ -196,7 +196,7 @@ func TestConvertBackendAuthConfig(t *testing.T) {
 					Name: "auth-config",
 				},
 			},
-			// For external_auth_config_ref, the type comes from the referenced MCPExternalAuthConfig
+			// For externalAuthConfigRef, the type comes from the referenced MCPExternalAuthConfig
 			expectedType: "unauthenticated",
 		},
 	}
@@ -219,7 +219,7 @@ func TestConvertBackendAuthConfig(t *testing.T) {
 				},
 			}
 
-			// For external_auth_config_ref test, create the referenced MCPExternalAuthConfig
+			// For externalAuthConfigRef test, create the referenced MCPExternalAuthConfig
 			var converter *vmcpconfigconv.Converter
 			if tt.authConfig.Type == mcpv1alpha1.BackendAuthTypeExternalAuthConfigRef {
 				// Create a fake MCPExternalAuthConfig
@@ -259,7 +259,7 @@ func TestConvertBackendAuthConfig(t *testing.T) {
 
 			// Note: HeaderInjection and TokenExchange are nil because the CRD's
 			// BackendAuthConfig only stores type and reference information.
-			// For external_auth_config_ref, the actual auth config is resolved
+			// For externalAuthConfigRef, the actual auth config is resolved
 			// at runtime from the referenced MCPExternalAuthConfig resource.
 			assert.Nil(t, strategy.HeaderInjection)
 			assert.Nil(t, strategy.TokenExchange)

@@ -751,7 +751,7 @@ func TestMapExternalAuthConfigToVirtualMCPServer(t *testing.T) {
 					Spec: mcpv1alpha1.VirtualMCPServerSpec{
 						OutgoingAuth: &mcpv1alpha1.OutgoingAuthConfig{
 							Default: &mcpv1alpha1.BackendAuthConfig{
-								Type: "external_auth_config_ref",
+								Type: "externalAuthConfigRef",
 								ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{
 									Name: "test-auth",
 								},
@@ -781,7 +781,7 @@ func TestMapExternalAuthConfigToVirtualMCPServer(t *testing.T) {
 						OutgoingAuth: &mcpv1alpha1.OutgoingAuthConfig{
 							Backends: map[string]mcpv1alpha1.BackendAuthConfig{
 								"backend1": {
-									Type: "external_auth_config_ref",
+									Type: "externalAuthConfigRef",
 									ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{
 										Name: "test-auth",
 									},
@@ -831,7 +831,7 @@ func TestMapExternalAuthConfigToVirtualMCPServer(t *testing.T) {
 					Spec: mcpv1alpha1.VirtualMCPServerSpec{
 						OutgoingAuth: &mcpv1alpha1.OutgoingAuthConfig{
 							Default: &mcpv1alpha1.BackendAuthConfig{
-								Type: "external_auth_config_ref",
+								Type: "externalAuthConfigRef",
 								ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{
 									Name: "test-auth",
 								},
@@ -1406,7 +1406,7 @@ func TestVmcpReferencesExternalAuthConfig(t *testing.T) {
 				Spec: mcpv1alpha1.VirtualMCPServerSpec{
 					OutgoingAuth: &mcpv1alpha1.OutgoingAuthConfig{
 						Default: &mcpv1alpha1.BackendAuthConfig{
-							Type: "external_auth_config_ref",
+							Type: "externalAuthConfigRef",
 							ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{
 								Name: "test-auth",
 							},
@@ -1424,7 +1424,7 @@ func TestVmcpReferencesExternalAuthConfig(t *testing.T) {
 					OutgoingAuth: &mcpv1alpha1.OutgoingAuthConfig{
 						Backends: map[string]mcpv1alpha1.BackendAuthConfig{
 							"backend1": {
-								Type: "external_auth_config_ref",
+								Type: "externalAuthConfigRef",
 								ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{
 									Name: "test-auth",
 								},
@@ -1460,7 +1460,7 @@ func TestVmcpReferencesExternalAuthConfig(t *testing.T) {
 				Spec: mcpv1alpha1.VirtualMCPServerSpec{
 					OutgoingAuth: &mcpv1alpha1.OutgoingAuthConfig{
 						Default: &mcpv1alpha1.BackendAuthConfig{
-							Type: "external_auth_config_ref",
+							Type: "externalAuthConfigRef",
 							ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{
 								Name: "other-auth",
 							},
@@ -1478,13 +1478,13 @@ func TestVmcpReferencesExternalAuthConfig(t *testing.T) {
 					OutgoingAuth: &mcpv1alpha1.OutgoingAuthConfig{
 						Backends: map[string]mcpv1alpha1.BackendAuthConfig{
 							"backend1": {
-								Type: "external_auth_config_ref",
+								Type: "externalAuthConfigRef",
 								ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{
 									Name: "other-auth",
 								},
 							},
 							"backend2": {
-								Type: "external_auth_config_ref",
+								Type: "externalAuthConfigRef",
 								ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{
 									Name: "test-auth",
 								},

@@ -452,10 +452,20 @@ func (c *Converter) convertBackendAuthConfig(
 		}, nil
 	}
 
-	// If type is "external_auth_config_ref", resolve the MCPExternalAuthConfig
-	if crdConfig.Type == mcpv1alpha1.BackendAuthTypeExternalAuthConfigRef {
+	// Handle deprecated snake_case value
+	if crdConfig.Type == mcpv1alpha1.DeprecatedBackendAuthTypeExternalAuthConfigRef {
+		log.FromContext(ctx).Info(
+			"backend auth type \"external_auth_config_ref\" is deprecated,"+
+				" use \"externalAuthConfigRef\" instead",
+			"backend", backendName, "vmcp", vmcp.Name,
+		)
+	}
+
+	// If type is "externalAuthConfigRef" (or deprecated "external_auth_config_ref"), resolve the MCPExternalAuthConfig
+	if crdConfig.Type == mcpv1alpha1.BackendAuthTypeExternalAuthConfigRef ||
+		crdConfig.Type == mcpv1alpha1.DeprecatedBackendAuthTypeExternalAuthConfigRef {
 		if crdConfig.ExternalAuthConfigRef == nil {
-			return nil, fmt.Errorf("backend %s: external_auth_config_ref type requires externalAuthConfigRef field", backendName)
+			return nil, fmt.Errorf("backend %s: externalAuthConfigRef type requires externalAuthConfigRef field", backendName)
 		}
 
 		// Fetch the MCPExternalAuthConfig resource

@@ -2136,7 +2136,7 @@ spec:
                         externalAuthConfigRef:
                           description: |-
                             ExternalAuthConfigRef references an MCPExternalAuthConfig resource
-                            Only used when Type is "external_auth_config_ref"
+                            Only used when Type is "externalAuthConfigRef" (or deprecated "external_auth_config_ref")
                           properties:
                             name:
                               description: Name is the name of the MCPExternalAuthConfig
@@ -2149,6 +2149,7 @@ spec:
                           description: Type defines the authentication type
                           enum:
                           - discovered
+                          - externalAuthConfigRef
                           - external_auth_config_ref
                           type: string
                       required:
@@ -2165,7 +2166,7 @@ spec:
                       externalAuthConfigRef:
                         description: |-
                           ExternalAuthConfigRef references an MCPExternalAuthConfig resource
-                          Only used when Type is "external_auth_config_ref"
+                          Only used when Type is "externalAuthConfigRef" (or deprecated "external_auth_config_ref")
                         properties:
                           name:
                             description: Name is the name of the MCPExternalAuthConfig
@@ -2178,6 +2179,7 @@ spec:
                         description: Type defines the authentication type
                         enum:
                         - discovered
+                        - externalAuthConfigRef
                         - external_auth_config_ref
                         type: string
                     required:

@@ -2139,7 +2139,7 @@ spec:
                         externalAuthConfigRef:
                           description: |-
                             ExternalAuthConfigRef references an MCPExternalAuthConfig resource
-                            Only used when Type is "external_auth_config_ref"
+                            Only used when Type is "externalAuthConfigRef" (or deprecated "external_auth_config_ref")
                           properties:
                             name:
                               description: Name is the name of the MCPExternalAuthConfig
@@ -2152,6 +2152,7 @@ spec:
                           description: Type defines the authentication type
                           enum:
                           - discovered
+                          - externalAuthConfigRef
                           - external_auth_config_ref
                           type: string
                       required:
@@ -2168,7 +2169,7 @@ spec:
                       externalAuthConfigRef:
                         description: |-
                           ExternalAuthConfigRef references an MCPExternalAuthConfig resource
-                          Only used when Type is "external_auth_config_ref"
+                          Only used when Type is "externalAuthConfigRef" (or deprecated "external_auth_config_ref")
                         properties:
                           name:
                             description: Name is the name of the MCPExternalAuthConfig
@@ -2181,6 +2182,7 @@ spec:
                         description: Type defines the authentication type
                         enum:
                         - discovered
+                        - externalAuthConfigRef
                         - external_auth_config_ref
                         type: string
                     required:

@@ -281,7 +281,7 @@ var _ = Describe("VirtualMCPServer Inline Unauthenticated Backend Auth", Ordered
 					// Explicitly configure unauthenticated for specific backend
 					Backends: map[string]mcpv1alpha1.BackendAuthConfig{
 						backendName: {
-							Type: "external_auth_config_ref",
+							Type: "externalAuthConfigRef",
 							ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{
 								Name: externalAuthConfigName,
 							},
@@ -328,7 +328,7 @@ var _ = Describe("VirtualMCPServer Inline Unauthenticated Backend Auth", Ordered
 			Expect(k8sClient.Get(ctx, types.NamespacedName{Name: vmcpServerName, Namespace: testNamespace}, vmcpServer)).To(Succeed())
 			Expect(vmcpServer.Spec.OutgoingAuth.Source).To(Equal("inline"))
 			Expect(vmcpServer.Spec.OutgoingAuth.Backends).To(HaveKey(backendName))
-			Expect(vmcpServer.Spec.OutgoingAuth.Backends[backendName].Type).To(Equal("external_auth_config_ref"))
+			Expect(vmcpServer.Spec.OutgoingAuth.Backends[backendName].Type).To(Equal("externalAuthConfigRef"))
 			Expect(vmcpServer.Spec.OutgoingAuth.Backends[backendName].ExternalAuthConfigRef.Name).To(Equal(externalAuthConfigName))
 
 			By("Creating MCP client and listing tools")
@@ -680,7 +680,7 @@ var _ = Describe("VirtualMCPServer Inline HeaderInjection Backend Auth", Ordered
 					// Explicitly configure headerInjection for specific backend
 					Backends: map[string]mcpv1alpha1.BackendAuthConfig{
 						backendName: {
-							Type: "external_auth_config_ref",
+							Type: "externalAuthConfigRef",
 							ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{
 								Name: externalAuthConfigName,
 							},
@@ -730,7 +730,7 @@ var _ = Describe("VirtualMCPServer Inline HeaderInjection Backend Auth", Ordered
 			Expect(k8sClient.Get(ctx, types.NamespacedName{Name: vmcpServerName, Namespace: testNamespace}, vmcpServer)).To(Succeed())
 			Expect(vmcpServer.Spec.OutgoingAuth.Source).To(Equal("inline"))
 			Expect(vmcpServer.Spec.OutgoingAuth.Backends).To(HaveKey(backendName))
-			Expect(vmcpServer.Spec.OutgoingAuth.Backends[backendName].Type).To(Equal("external_auth_config_ref"))
+			Expect(vmcpServer.Spec.OutgoingAuth.Backends[backendName].Type).To(Equal("externalAuthConfigRef"))
 			Expect(vmcpServer.Spec.OutgoingAuth.Backends[backendName].ExternalAuthConfigRef.Name).To(Equal(externalAuthConfigName))
 
 			By("Creating MCP client and listing tools")