docs(quick-10-01): document dockerConfigCredential across all guides

Mark Altmann · Mark Altmann · commit 6dd17c10ae90 · 2026-04-05T18:57:45.000+02:00
- Add "Local development with crossplane render" section to OCI guide
- Add dockerConfigCredential reference to module-system.md
- Add field to README input table and full config example
- Add field to llms.txt input table and config section
diff --git a/README.md b/README.md
@@ -178,6 +178,7 @@ All fields under `spec` in a `StarlarkInput` resource:
 | `modules` | map[string]string | -- | Inline modules loadable via `load("name.star", "func")` |
 | `modulePaths` | []string | -- | Additional filesystem directories for module resolution |
 | `dockerConfigSecret` | string | -- | Kubernetes Secret name for private OCI registry credentials |
+| `dockerConfigCredential` | string | -- | gRPC credential name for private OCI registry auth (for `crossplane render`) |
 | `ociDefaultRegistry` | string | -- | Default OCI registry for short-form `load()` targets |
 | `ociInsecureRegistries` | []string | -- | Registries to access over plain HTTP (development only) |
 | `usageAPIVersion` | string | `v2` | Crossplane Usage API version -- `v1` (Crossplane 1.x) or `v2` (Crossplane 2.x) |
@@ -233,6 +234,7 @@ spec:
     - /scripts/shared-lib
 
   dockerConfigSecret: registry-creds
+  dockerConfigCredential: registry-creds
   ociDefaultRegistry: "ghcr.io/my-org"
   ociInsecureRegistries: ["localhost:5050"]
   usageAPIVersion: "v2"
diff --git a/docs/module-system.md b/docs/module-system.md
@@ -401,6 +401,12 @@ The secret must be mounted into the function pod via a
 DeploymentRuntimeConfig. For complete authentication setup (ACR, ECR, GHCR),
 see the [OCI module distribution guide](oci-module-distribution.md#authentication).
 
+For local development with `crossplane render`, use `spec.dockerConfigCredential`
+instead -- it receives Docker credentials via the gRPC request rather than a
+filesystem mount. See the
+[OCI module distribution guide](oci-module-distribution.md#local-development-with-crossplane-render)
+for setup instructions.
+
 ## See also
 
 - [OCI Module Distribution](oci-module-distribution.md) -- full guide for
diff --git a/docs/oci-module-distribution.md b/docs/oci-module-distribution.md
@@ -408,6 +408,56 @@ kubectl create secret docker-registry ghcr-creds \
   -n crossplane-system
 ```
 
+### Local development with `crossplane render`
+
+`crossplane render` cannot mount volumes into function containers. To access
+private registries during local rendering, use `--function-credentials` to pass
+Docker credentials via gRPC:
+
+**1. Generate a credentials file from your local Docker config:**
+
+```bash
+kubectl create secret generic docker-config \
+  --from-file=config.json=$HOME/.docker/config.json \
+  --dry-run=client -o yaml > credentials.yaml
+```
+
+**2. Add `credentials` block and `dockerConfigCredential` to your Composition:**
+
+```yaml
+pipeline:
+- step: starlark
+  functionRef:
+    name: function-starlark
+  credentials:
+  - name: registry-creds
+    source: Secret
+    secretRef:
+      name: docker-config
+      namespace: default
+  input:
+    apiVersion: starlark.fn.crossplane.io/v1alpha1
+    kind: StarlarkInput
+    spec:
+      dockerConfigCredential: registry-creds
+      source: |
+        load("oci://myregistry.azurecr.io/modules/helpers:v1/helpers.star", "*")
+```
+
+**3. Render with credentials:**
+
+```bash
+crossplane render xr.yaml composition.yaml functions.yaml \
+  --function-credentials credentials.yaml
+```
+
+This works with any registry you've authenticated to via `docker login`,
+`az acr login`, or similar.
+
+> **Note:** The `secretRef.namespace` in the Composition's `credentials` block
+> must match the `metadata.namespace` in the `credentials.yaml` file used with
+> `crossplane render`. The CLI matches credentials by both name and namespace.
+
 ## Caching
 
 OCI modules are cached in-memory with a two-layer architecture:
diff --git a/llms.txt b/llms.txt
@@ -28,6 +28,7 @@ spec:
 | ociDefaultRegistry | string | -- | Default OCI registry for short-form load syntax. Overrides STARLARK_OCI_DEFAULT_REGISTRY env var. |
 | ociInsecureRegistries | []string | -- | HTTP-only registries (dev only). Overrides STARLARK_OCI_INSECURE_REGISTRIES env var. |
 | dockerConfigSecret | string | -- | Secret name for private OCI registry auth. Overrides STARLARK_DOCKER_CONFIG_SECRET env var. |
+| dockerConfigCredential | string | -- | gRPC credential name for private OCI registry auth. Used with crossplane render --function-credentials or Composition credentials block. |
 | usageAPIVersion | string | v2 | Crossplane Usage API version: v1 (Crossplane 1.x) or v2 (Crossplane 2.x, default). Overrides STARLARK_USAGE_API_VERSION env var. |
 | sequencingTTL | duration | 10s | Response TTL when creation sequencing defers resources |
 
@@ -241,6 +242,7 @@ Configuration (spec fields override env vars):
 - `spec.ociDefaultRegistry` / `STARLARK_OCI_DEFAULT_REGISTRY` env var
 - `spec.ociInsecureRegistries` / `STARLARK_OCI_INSECURE_REGISTRIES` env var (comma-separated)
 - `spec.dockerConfigSecret` / `STARLARK_DOCKER_CONFIG_SECRET` env var
+- `spec.dockerConfigCredential` (gRPC credential for crossplane render / Composition credentials block)
 - `spec.usageAPIVersion` / `STARLARK_USAGE_API_VERSION` env var
 - `STARLARK_OCI_CACHE_TTL` env var (pod-level only, default 5m)
 
