Enable multi-upstream for MCPServer, MCPRemoteProxy, and proxy runner (#4322)

* Add explicit-name validation and proxy runner multi-upstream guard

Move multi-upstream restrictions from the authserver library to consumer
layers. The library now accepts multi-upstream configs but enforces name
semantics: single-upstream defaults empty names to "default", while
multi-upstream requires explicit non-"default" names with distinct error
messages for empty vs reserved names.

Validate upstream names against a DNS-label regex (no leading/trailing
hyphens, lowercase alphanumeric only) to prevent delimiter injection in
storage keys. Add test coverage for invalid name formats (uppercase,
underscores, leading/trailing hyphens).

Remove the GetUpstream() convenience method (no callers remain after
Phase 2). Add a cardinality guard in the proxy runner's Run() that
rejects len(Upstreams) > 1 with an actionable error pointing to
VirtualMCPServer.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Move multi-upstream restriction from CRD to controller layers

Remove the len > 1 guard from MCPExternalAuthConfig.validateEmbeddedAuthServer()
so the CRD accepts multi-upstream configs. Add multi-upstream rejection to
MCPServer and MCPRemoteProxy controllers in handleExternalAuthConfig(), setting
a ConditionFalse status with reason MultiUpstreamNotSupported and an actionable
error directing users to VirtualMCPServer.

Add duplicate upstream name validation in the CRD webhook so conflicts
are caught at admission time rather than Pod startup. Tighten the Name
field pattern to disallow trailing hyphens and add MaxLength=63 for
RFC 1123 compliance.

VirtualMCPServer remains unrestricted as the intended multi-upstream consumer.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Enable multi-upstream for MCPServer, MCPRemoteProxy, and proxy runner

The embedded auth server has supported sequential multi-upstream chains
since the Phase 2 work, but every consumer layer (MCPServer controller,
MCPRemoteProxy controller, proxy runner) blocked configs with more than
one upstream provider. This commit lifts all those restrictions and fixes
the two bugs that would have broken multi-upstream even without the guards.

Guard removal:
- MCPServer controller: remove len > 1 check in handleExternalAuthConfig
- MCPRemoteProxy controller: same removal
- Proxy runner Run(): remove len > 1 early-return
- Remove associated condition type/reason constants and rejection tests

Converter fix (authserver.go):
- GenerateAuthServerEnvVars now iterates all providers and emits
  name-keyed env vars (TOOLHIVE_UPSTREAM_CLIENT_SECRET_OKTA, _GITHUB, …)
  derived from each provider's Name field, instead of only reading
  UpstreamProviders[0] into a single unindexed var. Name-keyed bindings
  are position-independent, so reordering providers in the CRD does not
  change the secret-to-provider mapping.
- buildEmbeddedAuthServerRunnerConfig now builds Upstreams from all
  providers instead of only the first; buildUpstreamRunConfig gains an
  envVarName parameter to match the env var naming

Middleware fix (middleware.go):
- Restore ProviderName auto-derivation in addUpstreamSwapMiddleware,
  defaulting to the first upstream's name for single-upstream configs.
  Multi-upstream ProviderName selection will be addressed when a CRD
  field is added in a follow-up.

Observability (upstreamswap/middleware.go):
- Add provider field to all upstreamswap log lines (injection success,
  empty-token warning, get-tokens error) to make confused-deputy
  debugging tractable when multiple providers are in play.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix lint: reduce cyclomatic complexity and update stale comments

Extract validateUpstreamName and validateUpstreamType from
validateUpstreams to bring cyclomatic complexity under the limit.
Break long fmt.Errorf line that exceeded 130 characters.

Update stale godoc comments in controllerutil/authserver.go that
still referenced the old index-based env var naming scheme.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Downgrade client-attributable token errors to Debug log level

Client-attributable errors (session not found, no refresh token, refresh
failed, invalid binding) are expected conditions that trigger re-auth,
not server issues an operator needs to investigate. Log these at Debug
instead of Warn; keep Warn for unexpected server-side failures.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Re-add multi-upstream guards for MCPServer and MCPRemoteProxy

The upstream swap middleware only injects one provider's token, and
there is no CRD field to control which provider. Until tokenInjection-
Provider is added and Cedar upstream claims extraction is implemented,
multi-upstream configs would silently inject only the first upstream's
token while the second is stored but unused.

Re-add controller-level guards (MCPServer, MCPRemoteProxy, proxy
runner) that reject len > 1 with actionable errors directing users to
VirtualMCPServer.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* regen docs

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: jhrozek

cmd/thv-operator/api/v1alpha1/mcpexternalauthconfig_types.go

@@ -182,7 +182,7 @@ type EmbeddedAuthServerConfig struct {
 
 	// UpstreamProviders configures connections to upstream Identity Providers.
 	// The embedded auth server delegates authentication to these providers.
-	// Currently only a single upstream provider is supported (validated at runtime).
+	// MCPServer and MCPRemoteProxy support a single upstream; VirtualMCPServer supports multiple.
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:MinItems=1
 	UpstreamProviders []UpstreamProviderConfig `json:"upstreamProviders"`
@@ -238,8 +238,11 @@ const (
 type UpstreamProviderConfig struct {
 	// Name uniquely identifies this upstream provider.
 	// Used for routing decisions and session binding in multi-upstream scenarios.
+	// Must be lowercase alphanumeric with hyphens (DNS-label-like).
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=63
+	// +kubebuilder:validation:Pattern=`^[a-z0-9]([a-z0-9-]*[a-z0-9])?$`
 	Name string `json:"name"`
 
 	// Type specifies the provider type: "oidc" or "oauth2"
@@ -783,12 +786,17 @@ func (r *MCPExternalAuthConfig) validateEmbeddedAuthServer() error {
 	if len(cfg.UpstreamProviders) == 0 {
 		return fmt.Errorf("at least one upstream provider is required")
 	}
-	// Note: we add runtime validation for 'max items = 1' here since multi-provider support is not yet implemented.
-	if len(cfg.UpstreamProviders) > 1 {
-		return fmt.Errorf("currently only one upstream provider is supported (found %d)", len(cfg.UpstreamProviders))
-	}
+	// Note: multi-upstream is accepted at the CRD level. Consumer controllers
+	// (MCPServer, MCPRemoteProxy) enforce single-upstream restrictions;
+	// VirtualMCPServer allows multiple upstreams.
 
+	seen := make(map[string]bool, len(cfg.UpstreamProviders))
 	for i, provider := range cfg.UpstreamProviders {
+		if seen[provider.Name] {
+			return fmt.Errorf("upstreamProviders[%d]: duplicate name %q", i, provider.Name)
+		}
+		seen[provider.Name] = true
+
 		if err := r.validateUpstreamProvider(i, &provider); err != nil {
 			return err
 		}

cmd/thv-operator/api/v1alpha1/mcpexternalauthconfig_types_test.go

@@ -127,7 +127,7 @@ func TestMCPExternalAuthConfig_Validate(t *testing.T) {
 			expectErr: false,
 		},
 		{
-			name: "invalid embeddedAuthServer with multiple providers",
+			name: "embeddedAuthServer with multiple providers - valid at CRD level",
 			config: &MCPExternalAuthConfig{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "test-embedded-multi",
@@ -152,8 +152,7 @@ func TestMCPExternalAuthConfig_Validate(t *testing.T) {
 					},
 				},
 			},
-			expectErr: true,
-			errMsg:    "currently only one upstream provider is supported (found 2)",
+			expectErr: false,
 		},
 		{
 			name: "invalid embeddedAuthServer with no providers",
@@ -312,7 +311,7 @@ func TestMCPExternalAuthConfig_validateEmbeddedAuthServer(t *testing.T) {
 			expectErr: false,
 		},
 		{
-			name: "multiple providers - invalid",
+			name: "multiple providers - valid at CRD level",
 			config: &MCPExternalAuthConfig{
 				Spec: MCPExternalAuthConfigSpec{
 					Type: ExternalAuthTypeEmbeddedAuthServer,
@@ -343,8 +342,7 @@ func TestMCPExternalAuthConfig_validateEmbeddedAuthServer(t *testing.T) {
 					},
 				},
 			},
-			expectErr: true,
-			errMsg:    "currently only one upstream provider is supported (found 3)",
+			expectErr: false,
 		},
 		{
 			name: "empty providers array - invalid",

cmd/thv-operator/api/v1alpha1/mcpremoteproxy_types.go

@@ -260,6 +260,10 @@ const (
 	// ConditionReasonMCPRemoteProxyExternalAuthConfigFetchError indicates an error occurred fetching the MCPExternalAuthConfig
 	ConditionReasonMCPRemoteProxyExternalAuthConfigFetchError = "ExternalAuthConfigFetchError"
 
+	// ConditionReasonMCPRemoteProxyExternalAuthConfigMultiUpstream indicates multi-upstream is not supported
+	// for MCPRemoteProxy (use VirtualMCPServer for multi-upstream).
+	ConditionReasonMCPRemoteProxyExternalAuthConfigMultiUpstream = "MultiUpstreamNotSupported"
+
 	// ConditionReasonConfigurationValid indicates all configuration validations passed
 	ConditionReasonConfigurationValid = "ConfigurationValid"
 

cmd/thv-operator/api/v1alpha1/mcpserver_types.go

@@ -68,6 +68,17 @@ const (
 	ConditionReasonCABundleRefInvalid = "CABundleRefInvalid"
 )
 
+const (
+	// ConditionTypeExternalAuthConfigValidated indicates whether the ExternalAuthConfig is valid
+	ConditionTypeExternalAuthConfigValidated = "ExternalAuthConfigValidated"
+)
+
+const (
+	// ConditionReasonExternalAuthConfigMultiUpstream indicates the ExternalAuthConfig has multiple upstreams,
+	// which is not supported for MCPServer (use VirtualMCPServer for multi-upstream).
+	ConditionReasonExternalAuthConfigMultiUpstream = "MultiUpstreamNotSupported"
+)
+
 // MCPServerSpec defines the desired state of MCPServer
 type MCPServerSpec struct {
 	// Image is the container image for the MCP server

cmd/thv-operator/controllers/mcpremoteproxy_controller.go

@@ -652,6 +652,23 @@ func (r *MCPRemoteProxyReconciler) handleExternalAuthConfig(ctx context.Context,
 		return fmt.Errorf("failed to fetch MCPExternalAuthConfig: %w", err)
 	}
 
+	// MCPRemoteProxy supports only single-upstream embedded auth server configs.
+	// Multi-upstream requires VirtualMCPServer.
+	if embeddedCfg := externalAuthConfig.Spec.EmbeddedAuthServer; embeddedCfg != nil && len(embeddedCfg.UpstreamProviders) > 1 {
+		meta.SetStatusCondition(&proxy.Status.Conditions, metav1.Condition{
+			Type:   mcpv1alpha1.ConditionTypeMCPRemoteProxyExternalAuthConfigValidated,
+			Status: metav1.ConditionFalse,
+			Reason: mcpv1alpha1.ConditionReasonMCPRemoteProxyExternalAuthConfigMultiUpstream,
+			Message: fmt.Sprintf(
+				"MCPRemoteProxy supports only one upstream provider (found %d); "+
+					"use VirtualMCPServer for multi-upstream",
+				len(embeddedCfg.UpstreamProviders)),
+			ObservedGeneration: proxy.Generation,
+		})
+		return fmt.Errorf("MCPRemoteProxy %s/%s: embedded auth server has %d upstream providers, but only 1 is supported",
+			proxy.Namespace, proxy.Name, len(embeddedCfg.UpstreamProviders))
+	}
+
 	// ExternalAuthConfig found and valid
 	meta.SetStatusCondition(&proxy.Status.Conditions, metav1.Condition{
 		Type:               mcpv1alpha1.ConditionTypeMCPRemoteProxyExternalAuthConfigValidated,

cmd/thv-operator/controllers/mcpremoteproxy_controller_test.go

@@ -699,6 +699,43 @@ func TestHandleExternalAuthConfig(t *testing.T) {
 			expectedCondStatus: metav1.ConditionFalse,
 			expectedCondReason: mcpv1alpha1.ConditionReasonMCPRemoteProxyExternalAuthConfigFetchError,
 		},
+		{
+			name: "embedded auth server with multiple upstreams rejected",
+			proxy: &mcpv1alpha1.MCPRemoteProxy{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "multi-upstream-proxy",
+					Namespace: "default",
+				},
+				Spec: mcpv1alpha1.MCPRemoteProxySpec{
+					RemoteURL: "https://mcp.example.com",
+					ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{
+						Name: "multi-upstream-config",
+					},
+				},
+			},
+			externalAuth: &mcpv1alpha1.MCPExternalAuthConfig{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "multi-upstream-config",
+					Namespace: "default",
+				},
+				Spec: mcpv1alpha1.MCPExternalAuthConfigSpec{
+					Type: mcpv1alpha1.ExternalAuthTypeEmbeddedAuthServer,
+					EmbeddedAuthServer: &mcpv1alpha1.EmbeddedAuthServerConfig{
+						Issuer: "https://auth.example.com",
+						UpstreamProviders: []mcpv1alpha1.UpstreamProviderConfig{
+							{Name: "github", Type: mcpv1alpha1.UpstreamProviderTypeOIDC, OIDCConfig: &mcpv1alpha1.OIDCUpstreamConfig{IssuerURL: "https://github.com", ClientID: "id1"}},
+							{Name: "google", Type: mcpv1alpha1.UpstreamProviderTypeOIDC, OIDCConfig: &mcpv1alpha1.OIDCUpstreamConfig{IssuerURL: "https://accounts.google.com", ClientID: "id2"}},
+						},
+					},
+				},
+				Status: mcpv1alpha1.MCPExternalAuthConfigStatus{ConfigHash: "multi-hash"},
+			},
+			expectError:        true,
+			errContains:        "only 1 is supported",
+			expectCondition:    true,
+			expectedCondStatus: metav1.ConditionFalse,
+			expectedCondReason: mcpv1alpha1.ConditionReasonMCPRemoteProxyExternalAuthConfigMultiUpstream,
+		},
 	}
 
 	for _, tt := range tests {

cmd/thv-operator/controllers/mcpserver_controller.go

@@ -1827,6 +1827,25 @@ func (r *MCPServerReconciler) handleExternalAuthConfig(ctx context.Context, m *m
 		return fmt.Errorf("MCPExternalAuthConfig %s not found", m.Spec.ExternalAuthConfigRef.Name)
 	}
 
+	// MCPServer supports only single-upstream embedded auth server configs.
+	// Multi-upstream requires VirtualMCPServer.
+	if embeddedCfg := externalAuthConfig.Spec.EmbeddedAuthServer; embeddedCfg != nil && len(embeddedCfg.UpstreamProviders) > 1 {
+		meta.SetStatusCondition(&m.Status.Conditions, metav1.Condition{
+			Type:   mcpv1alpha1.ConditionTypeExternalAuthConfigValidated,
+			Status: metav1.ConditionFalse,
+			Reason: mcpv1alpha1.ConditionReasonExternalAuthConfigMultiUpstream,
+			Message: fmt.Sprintf(
+				"MCPServer supports only one upstream provider (found %d); "+
+					"use VirtualMCPServer for multi-upstream",
+				len(embeddedCfg.UpstreamProviders)),
+			ObservedGeneration: m.Generation,
+		})
+		return fmt.Errorf(
+			"MCPServer %s/%s: embedded auth server has %d upstream providers, "+
+				"but only 1 is supported; use VirtualMCPServer",
+			m.Namespace, m.Name, len(embeddedCfg.UpstreamProviders))
+	}
+
 	// Check if the MCPExternalAuthConfig hash has changed
 	if m.Status.ExternalAuthConfigHash != externalAuthConfig.Status.ConfigHash {
 		ctxLogger.Info("MCPExternalAuthConfig has changed, updating MCPServer",

cmd/thv-operator/controllers/mcpserver_externalauth_test.go

@@ -175,6 +175,40 @@ func TestMCPServerReconciler_handleExternalAuthConfig(t *testing.T) {
 			expectHash:        "",
 			expectHashCleared: true,
 		},
+		{
+			name: "embedded auth server with multiple upstreams rejected",
+			mcpServer: &mcpv1alpha1.MCPServer{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-server",
+					Namespace: "default",
+				},
+				Spec: mcpv1alpha1.MCPServerSpec{
+					Image: "test-image",
+					ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{
+						Name: "multi-upstream-config",
+					},
+				},
+				Status: mcpv1alpha1.MCPServerStatus{},
+			},
+			externalAuthConfig: &mcpv1alpha1.MCPExternalAuthConfig{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "multi-upstream-config",
+					Namespace: "default",
+				},
+				Spec: mcpv1alpha1.MCPExternalAuthConfigSpec{
+					Type: mcpv1alpha1.ExternalAuthTypeEmbeddedAuthServer,
+					EmbeddedAuthServer: &mcpv1alpha1.EmbeddedAuthServerConfig{
+						Issuer: "https://auth.example.com",
+						UpstreamProviders: []mcpv1alpha1.UpstreamProviderConfig{
+							{Name: "github", Type: mcpv1alpha1.UpstreamProviderTypeOIDC, OIDCConfig: &mcpv1alpha1.OIDCUpstreamConfig{IssuerURL: "https://github.com", ClientID: "id1"}},
+							{Name: "google", Type: mcpv1alpha1.UpstreamProviderTypeOIDC, OIDCConfig: &mcpv1alpha1.OIDCUpstreamConfig{IssuerURL: "https://accounts.google.com", ClientID: "id2"}},
+						},
+					},
+				},
+				Status: mcpv1alpha1.MCPExternalAuthConfigStatus{ConfigHash: "multi-hash"},
+			},
+			expectError: true,
+		},
 	}
 
 	for _, tt := range tests {

cmd/thv-operator/pkg/controllerutil/authserver.go

@@ -6,6 +6,7 @@ package controllerutil
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	corev1 "k8s.io/api/core/v1"
 	k8sptr "k8s.io/utils/ptr"
@@ -51,14 +52,43 @@ const (
 	// AuthServerHMACFilePattern is the pattern for HMAC secret filenames
 	AuthServerHMACFilePattern = "hmac-%d"
 
-	// UpstreamClientSecretEnvVar is the environment variable name for the upstream client secret
+	// UpstreamClientSecretEnvVar is the prefix for upstream client secret environment variables.
+	// Actual names are TOOLHIVE_UPSTREAM_CLIENT_SECRET_<PROVIDER> where PROVIDER is the
+	// upstream name uppercased with hyphens replaced by underscores.
 	// #nosec G101 -- This is an environment variable name, not a hardcoded credential
 	UpstreamClientSecretEnvVar = "TOOLHIVE_UPSTREAM_CLIENT_SECRET"
 
 	// DefaultSentinelPort is the default Redis Sentinel port
 	DefaultSentinelPort = 26379
 )
 
+// upstreamSecretBinding binds an upstream provider to its env var name for the
+// client secret. Both GenerateAuthServerEnvVars (Pod env) and
+// buildUpstreamRunConfig (runtime config) MUST use these bindings so the
+// env var names stay consistent.
+type upstreamSecretBinding struct {
+	Provider   *mcpv1alpha1.UpstreamProviderConfig
+	EnvVarName string
+}
+
+// buildUpstreamSecretBindings computes the canonical env var name for each
+// upstream provider's client secret. The env var name is derived from the
+// provider's Name field (uppercased, hyphens replaced with underscores) to
+// keep bindings stable across provider reordering in the CRD.
+func buildUpstreamSecretBindings(
+	providers []mcpv1alpha1.UpstreamProviderConfig,
+) []upstreamSecretBinding {
+	bindings := make([]upstreamSecretBinding, len(providers))
+	for i := range providers {
+		suffix := strings.ToUpper(strings.ReplaceAll(providers[i].Name, "-", "_"))
+		bindings[i] = upstreamSecretBinding{
+			Provider:   &providers[i],
+			EnvVarName: fmt.Sprintf("%s_%s", UpstreamClientSecretEnvVar, suffix),
+		}
+	}
+	return bindings
+}
+
 // GenerateAuthServerConfig generates volumes, volume mounts, and environment variables
 // for the embedded auth server if the external auth config is of type embeddedAuthServer.
 //
@@ -228,13 +258,11 @@ func GenerateAuthServerVolumes(
 }
 
 // GenerateAuthServerEnvVars creates environment variables for embedded auth server.
-// Currently generates TOOLHIVE_UPSTREAM_CLIENT_SECRET from the upstream provider's
-// client secret reference.
+// Generates TOOLHIVE_UPSTREAM_CLIENT_SECRET_<PROVIDER> env vars for each upstream
+// provider that has a client secret reference configured, where PROVIDER is the
+// provider name uppercased with hyphens replaced by underscores.
 //
-// The function looks at the first upstream provider (currently only one is supported)
-// and generates an environment variable for its client secret if one is configured.
-//
-// Returns nil slice if authConfig is nil or if no client secret is configured.
+// Returns nil slice if authConfig is nil or if no client secrets are configured.
 func GenerateAuthServerEnvVars(
 	authConfig *mcpv1alpha1.EmbeddedAuthServerConfig,
 ) []corev1.EnvVar {
@@ -244,27 +272,25 @@ func GenerateAuthServerEnvVars(
 
 	var envVars []corev1.EnvVar
 
-	// Generate env var for upstream client secret if provided
-	if len(authConfig.UpstreamProviders) > 0 {
-		provider := authConfig.UpstreamProviders[0]
-
+	// Generate env vars for upstream client secrets using shared bindings
+	for _, b := range buildUpstreamSecretBindings(authConfig.UpstreamProviders) {
 		// Extract client secret reference based on provider type
 		var clientSecretRef *mcpv1alpha1.SecretKeyRef
 
-		switch provider.Type {
+		switch b.Provider.Type {
 		case mcpv1alpha1.UpstreamProviderTypeOIDC:
-			if provider.OIDCConfig != nil {
-				clientSecretRef = provider.OIDCConfig.ClientSecretRef
+			if b.Provider.OIDCConfig != nil {
+				clientSecretRef = b.Provider.OIDCConfig.ClientSecretRef
 			}
 		case mcpv1alpha1.UpstreamProviderTypeOAuth2:
-			if provider.OAuth2Config != nil {
-				clientSecretRef = provider.OAuth2Config.ClientSecretRef
+			if b.Provider.OAuth2Config != nil {
+				clientSecretRef = b.Provider.OAuth2Config.ClientSecretRef
 			}
 		}
 
 		if clientSecretRef != nil {
 			envVars = append(envVars, corev1.EnvVar{
-				Name: UpstreamClientSecretEnvVar,
+				Name: b.EnvVarName,
 				ValueFrom: &corev1.EnvVarSource{
 					SecretKeyRef: &corev1.SecretKeySelector{
 						LocalObjectReference: corev1.LocalObjectReference{
@@ -431,10 +457,11 @@ func buildEmbeddedAuthServerRunnerConfig(
 		}
 	}
 
-	// Build upstream provider config (currently only one supported)
-	if len(authConfig.UpstreamProviders) > 0 {
-		provider := authConfig.UpstreamProviders[0]
-		config.Upstreams = []authserver.UpstreamRunConfig{*buildUpstreamRunConfig(&provider)}
+	// Build upstream provider configs using shared bindings
+	bindings := buildUpstreamSecretBindings(authConfig.UpstreamProviders)
+	config.Upstreams = make([]authserver.UpstreamRunConfig, 0, len(bindings))
+	for _, b := range bindings {
+		config.Upstreams = append(config.Upstreams, *buildUpstreamRunConfig(b.Provider, b.EnvVarName))
 	}
 
 	// Build storage configuration
@@ -561,9 +588,11 @@ func resolveSentinelAddrs(
 }
 
 // buildUpstreamRunConfig converts CRD UpstreamProviderConfig to authserver.UpstreamRunConfig.
-// Client secrets are passed via environment variable reference (UpstreamClientSecretEnvVar).
+// The envVarName is computed by buildUpstreamSecretBindings to keep Pod env
+// and runtime config in sync.
 func buildUpstreamRunConfig(
 	provider *mcpv1alpha1.UpstreamProviderConfig,
+	envVarName string,
 ) *authserver.UpstreamRunConfig {
 	config := &authserver.UpstreamRunConfig{
 		Name: provider.Name,
@@ -581,7 +610,7 @@ func buildUpstreamRunConfig(
 			}
 			// If client secret is configured, reference it via env var
 			if provider.OIDCConfig.ClientSecretRef != nil {
-				config.OIDCConfig.ClientSecretEnvVar = UpstreamClientSecretEnvVar
+				config.OIDCConfig.ClientSecretEnvVar = envVarName
 			}
 			if provider.OIDCConfig.UserInfoOverride != nil {
 				config.OIDCConfig.UserInfoOverride = buildUserInfoRunConfig(provider.OIDCConfig.UserInfoOverride)
@@ -598,7 +627,7 @@ func buildUpstreamRunConfig(
 			}
 			// If client secret is configured, reference it via env var
 			if provider.OAuth2Config.ClientSecretRef != nil {
-				config.OAuth2Config.ClientSecretEnvVar = UpstreamClientSecretEnvVar
+				config.OAuth2Config.ClientSecretEnvVar = envVarName
 			}
 			if provider.OAuth2Config.UserInfo != nil {
 				config.OAuth2Config.UserInfo = buildUserInfoRunConfig(provider.OAuth2Config.UserInfo)