EmailProvider

Two CRDs manage email delivery — ClusterEmailProvider for cluster-wide defaults and EmailProvider for namespace-scoped overrides. This mirrors the AuthPolicy two-tier model, letting platform teams set a baseline email provider while application teams can override it per namespace.

Nauthera uses email providers for transactional emails such as email verification, password reset, and magic links.

Example

ClusterEmailProvider (Cluster-Wide Default)

apiVersion: auth.nauthera.io/v1alpha1
kind: ClusterEmailProvider
metadata:
  name: global-email
spec:
  providers:
    - name: primary
      type: resend
      from: "noreply@example.com"
      credentialsSecretRef:
        name: resend-api-key
    - name: fallback
      type: smtp
      from: "noreply@example.com"
      credentialsSecretRef:
        name: smtp-credentials
  defaultProvider: primary

EmailProvider (Namespaced Override)

A namespaced EmailProvider overrides the cluster default for all OidcClients in its namespace:

apiVersion: auth.nauthera.io/v1alpha1
kind: EmailProvider
metadata:
  name: team-email
  namespace: my-app
spec:
  providers:
    - name: team-resend
      type: resend
      from: "auth@myapp.example.com"
      credentialsSecretRef:
        name: myapp-resend-key
  defaultProvider: team-resend

Provider Types

Type	Description	Secret Keys
`resend`	Resend email API	`api-key`
`smtp`	Standard SMTP relay	`host`, `port`, `username`, `password`

Resend Secret Example

apiVersion: v1
kind: Secret
metadata:
  name: resend-api-key
type: Opaque
stringData:
  api-key: "re_xxxxxxxxxxxx"

SMTP Secret Example

apiVersion: v1
kind: Secret
metadata:
  name: smtp-credentials
type: Opaque
stringData:
  host: "smtp.example.com"
  port: "587"
  username: "user@example.com"
  password: "secret"

ClusterEmailProvider Spec Reference

EmailProvider Spec Reference

Provider Resolution Order

The operator resolves which email provider to use for a given client in this order:

OidcClient spec.emailProviderName — per-client override
AuthPolicy spec.defaultEmailProvider — namespace-level default
ClusterAuthPolicy spec.defaultEmailProvider — cluster-level default
EmailProvider in the same namespace — namespace-level provider config
ClusterEmailProvider — cluster-level provider config

ClusterEmailProvider Status

EmailProvider Status

OidcClient — Per-client email provider override via emailProviderName.
AuthPolicy — Namespace-level defaultEmailProvider setting.

PreviousAuthPolicy NextIdentityProvider (OIDC)

EmailProvider

Nauthera uses email providers for transactional emails such as email verification, password reset, and magic links.

Example

ClusterEmailProvider (Cluster-Wide Default)

apiVersion: auth.nauthera.io/v1alpha1
kind: ClusterEmailProvider
metadata:
  name: global-email
spec:
  providers:
    - name: primary
      type: resend
      from: "noreply@example.com"
      credentialsSecretRef:
        name: resend-api-key
    - name: fallback
      type: smtp
      from: "noreply@example.com"
      credentialsSecretRef:
        name: smtp-credentials
  defaultProvider: primary

EmailProvider (Namespaced Override)

A namespaced EmailProvider overrides the cluster default for all OidcClients in its namespace:

apiVersion: auth.nauthera.io/v1alpha1
kind: EmailProvider
metadata:
  name: team-email
  namespace: my-app
spec:
  providers:
    - name: team-resend
      type: resend
      from: "auth@myapp.example.com"
      credentialsSecretRef:
        name: myapp-resend-key
  defaultProvider: team-resend

Provider Types

Type	Description	Secret Keys
`resend`	Resend email API	`api-key`
`smtp`	Standard SMTP relay	`host`, `port`, `username`, `password`

Resend Secret Example

apiVersion: v1
kind: Secret
metadata:
  name: resend-api-key
type: Opaque
stringData:
  api-key: "re_xxxxxxxxxxxx"

SMTP Secret Example

apiVersion: v1
kind: Secret
metadata:
  name: smtp-credentials
type: Opaque
stringData:
  host: "smtp.example.com"
  port: "587"
  username: "user@example.com"
  password: "secret"

ClusterEmailProvider Spec Reference

EmailProvider Spec Reference

Provider Resolution Order

The operator resolves which email provider to use for a given client in this order:

OidcClient spec.emailProviderName — per-client override
AuthPolicy spec.defaultEmailProvider — namespace-level default
ClusterAuthPolicy spec.defaultEmailProvider — cluster-level default
EmailProvider in the same namespace — namespace-level provider config
ClusterEmailProvider — cluster-level provider config

ClusterEmailProvider Status

EmailProvider Status

OidcClient — Per-client email provider override via emailProviderName.
AuthPolicy — Namespace-level defaultEmailProvider setting.

PreviousAuthPolicy NextIdentityProvider (OIDC)

EmailProvider

#Example

#ClusterEmailProvider (Cluster-Wide Default)

#EmailProvider (Namespaced Override)

#Provider Types

#Resend Secret Example

#SMTP Secret Example

#ClusterEmailProvider Spec Reference

#EmailProvider Spec Reference

#Provider Resolution Order

#ClusterEmailProvider Status

#EmailProvider Status

#Related Resources

EmailProvider

#Example

#ClusterEmailProvider (Cluster-Wide Default)

#EmailProvider (Namespaced Override)

#Provider Types

#Resend Secret Example

#SMTP Secret Example

#ClusterEmailProvider Spec Reference

#EmailProvider Spec Reference

#Provider Resolution Order

#ClusterEmailProvider Status

#EmailProvider Status

#Related Resources

Example

ClusterEmailProvider (Cluster-Wide Default)

EmailProvider (Namespaced Override)

Provider Types

Resend Secret Example

SMTP Secret Example

ClusterEmailProvider Spec Reference

EmailProvider Spec Reference

Provider Resolution Order

ClusterEmailProvider Status

EmailProvider Status

Related Resources

Example

ClusterEmailProvider (Cluster-Wide Default)

EmailProvider (Namespaced Override)

Provider Types

Resend Secret Example

SMTP Secret Example

ClusterEmailProvider Spec Reference

EmailProvider Spec Reference

Provider Resolution Order

ClusterEmailProvider Status

EmailProvider Status

Related Resources