From f9aba3537a94bef59d13387750d73779d31d3d9e Mon Sep 17 00:00:00 2001
From: Nikita Z <nkzk95@gmail.com>
Date: Thu, 4 Jun 2026 09:51:11 +0200
Subject: [PATCH 1/5] fix(render): do not override function docker-network
 annotation

Signed-off-by: Nikita Z <nkzk95@gmail.com>
---
 cmd/crossplane/render/render.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/cmd/crossplane/render/render.go b/cmd/crossplane/render/render.go
index 5cc373f..25b0be8 100644
--- a/cmd/crossplane/render/render.go
+++ b/cmd/crossplane/render/render.go
@@ -158,7 +158,11 @@ func injectNetworkAnnotation(fns []pkgv1.Function, networkName string) {
 		if fns[i].Annotations == nil {
 			fns[i].Annotations = make(map[string]string)
 		}
-		fns[i].Annotations[AnnotationKeyRuntimeDockerNetwork] = networkName
+
+		_, ok := fns[i].Annotations[AnnotationKeyRuntimeDockerNetwork]
+		if !ok {
+			fns[i].Annotations[AnnotationKeyRuntimeDockerNetwork] = networkName
+		}
 	}
 }
 

From 70f6cdd88b40431ce8bbab45f864383acf63ee41 Mon Sep 17 00:00:00 2001
From: Nikita Z <nkzk95@gmail.com>
Date: Thu, 4 Jun 2026 09:51:11 +0200
Subject: [PATCH 2/5] fix: if AnnotationKeyRuntimeDockerNetwork is set, start
 crossplane container in it

Signed-off-by: Nikita Z <nkzk95@gmail.com>
---
 cmd/crossplane/render/engine.go        |  5 +++--
 cmd/crossplane/render/engine_docker.go | 17 +++++++++++------
 cmd/crossplane/render/op/cmd.go        | 18 ++++++++++++++++--
 cmd/crossplane/render/xr/cmd.go        | 17 +++++++++++++++--
 4 files changed, 45 insertions(+), 12 deletions(-)

diff --git a/cmd/crossplane/render/engine.go b/cmd/crossplane/render/engine.go
index 1e08ce4..aa801fa 100644
--- a/cmd/crossplane/render/engine.go
+++ b/cmd/crossplane/render/engine.go
@@ -61,17 +61,18 @@ type EngineFlags struct {
 	CrossplaneVersion string `help:"Version of the Crossplane image to use for rendering. Defaults to the latest stable version." placeholder:"VERSION" xor:"crossplane-selector"`
 	CrossplaneImage   string `help:"Override the full Crossplane Docker image reference for rendering."                           placeholder:"IMAGE"   xor:"crossplane-selector"`
 	CrossplaneBinary  string `help:"Path to a local crossplane binary to use instead of Docker."                                  placeholder:"PATH"    type:"existingfile"       xor:"crossplane-selector"`
+	Network           string `help:"The network containers should connect to"`
 }
 
 // NewEngineFromFlags creates an Engine from the flag configuration. If a binary
 // path is set, it returns a local engine. Otherwise it returns a Docker engine
 // using the resolved image reference.
-func NewEngineFromFlags(f *EngineFlags, log logging.Logger) Engine {
+func NewEngineFromFlags(f *EngineFlags, network string, log logging.Logger) Engine {
 	if f.CrossplaneBinary != "" {
 		return &localRenderEngine{BinaryPath: f.CrossplaneBinary}
 	}
 
-	return &dockerRenderEngine{image: crossplaneImageFromFlags(f), log: log}
+	return &dockerRenderEngine{image: crossplaneImageFromFlags(f), network: network, log: log}
 }
 
 func crossplaneImageFromFlags(f *EngineFlags) string {
diff --git a/cmd/crossplane/render/engine_docker.go b/cmd/crossplane/render/engine_docker.go
index b67cf54..9bde1fb 100644
--- a/cmd/crossplane/render/engine_docker.go
+++ b/cmd/crossplane/render/engine_docker.go
@@ -83,13 +83,18 @@ func (e *dockerRenderEngine) CheckContextSupport() error {
 // containers also join it. The returned cleanup function removes the
 // network.
 func (e *dockerRenderEngine) Setup(ctx context.Context, fns []pkgv1.Function) (func(), error) {
-	networkID, networkName, err := createRenderNetwork(ctx)
-	if err != nil {
-		return func() {}, errors.Wrap(err, "cannot create Docker network for rendering")
-	}
+	var networkID, networkName string
 
-	e.network = networkName
-	injectNetworkAnnotation(fns, networkName)
+	if e.network == "" {
+		var err error
+		networkID, networkName, err = createRenderNetwork(ctx)
+		if err != nil {
+			return func() {}, errors.Wrap(err, "cannot create Docker network for rendering")
+		}
+		e.network = networkName
+
+		injectNetworkAnnotation(fns, networkName)
+	}
 
 	cleanup := func() { //nolint:contextcheck // Detached context for cleanup.
 		_ = removeRenderNetwork(context.Background(), networkID)
diff --git a/cmd/crossplane/render/op/cmd.go b/cmd/crossplane/render/op/cmd.go
index 04e6bc9..120cc79 100644
--- a/cmd/crossplane/render/op/cmd.go
+++ b/cmd/crossplane/render/op/cmd.go
@@ -22,6 +22,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 	"time"
 
 	"github.com/alecthomas/kong"
@@ -84,7 +85,7 @@ type Cmd struct {
 	fs afero.Fs
 
 	// newEngine constructs the render Engine.
-	newEngine func(*render.EngineFlags, logging.Logger) render.Engine
+	newEngine func(*render.EngineFlags, string, logging.Logger) render.Engine
 }
 
 // Help prints out the help for the alpha render op command.
@@ -167,7 +168,20 @@ func (c *Cmd) Run(k *kong.Context, log logging.Logger, sp terminal.SpinnerPrinte
 		}
 	}
 
-	engine := c.newEngine(&c.EngineFlags, log)
+	network := ""
+	for _, annotation := range c.FunctionAnnotations {
+		parts := strings.SplitN(annotation, "=", 2)
+		if len(parts) != 2 {
+			return errors.Errorf("invalid function annotation format %q, expected key=value", annotation)
+		}
+		key, value := parts[0], parts[1]
+		if key == render.AnnotationKeyRuntimeDockerNetwork {
+			network = value
+			break
+		}
+	}
+
+	engine := c.newEngine(&c.EngineFlags, network, log)
 
 	seedCtx := len(c.ContextValues) > 0 || len(c.ContextFiles) > 0
 	captureCtx := c.IncludeContext
diff --git a/cmd/crossplane/render/xr/cmd.go b/cmd/crossplane/render/xr/cmd.go
index f3995b7..26036f1 100644
--- a/cmd/crossplane/render/xr/cmd.go
+++ b/cmd/crossplane/render/xr/cmd.go
@@ -92,7 +92,7 @@ type Cmd struct {
 	fs afero.Fs
 
 	// newEngine constructs the render Engine.
-	newEngine func(*render.EngineFlags, logging.Logger) render.Engine
+	newEngine func(*render.EngineFlags, string, logging.Logger) render.Engine
 }
 
 // Help prints out the help for the render command.
@@ -224,7 +224,20 @@ func (c *Cmd) Run(k *kong.Context, log logging.Logger, sp terminal.SpinnerPrinte
 		}
 	}
 
-	engine := c.newEngine(&c.EngineFlags, log)
+	network := ""
+	for _, annotation := range c.FunctionAnnotations {
+		parts := strings.SplitN(annotation, "=", 2)
+		if len(parts) != 2 {
+			return errors.Errorf("invalid function annotation format %q, expected key=value", annotation)
+		}
+		key, value := parts[0], parts[1]
+		if key == render.AnnotationKeyRuntimeDockerNetwork {
+			network = value
+			break
+		}
+	}
+
+	engine := c.newEngine(&c.EngineFlags, network, log)
 
 	seedCtx := len(c.ContextValues) > 0 || len(c.ContextFiles) > 0
 	captureCtx := c.IncludeContext

From 556ef501c124d9bd1df14800c0059540bedd4902 Mon Sep 17 00:00:00 2001
From: Nikita Z <nkzk95@gmail.com>
Date: Thu, 4 Jun 2026 09:51:11 +0200
Subject: [PATCH 3/5] test: update newEngineFunc signature

Signed-off-by: Nikita Z <nkzk95@gmail.com>
---
 cmd/crossplane/render/op/cmd_test.go | 4 ++--
 cmd/crossplane/render/xr/cmd_test.go | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/cmd/crossplane/render/op/cmd_test.go b/cmd/crossplane/render/op/cmd_test.go
index f17ec0c..6a9e16e 100644
--- a/cmd/crossplane/render/op/cmd_test.go
+++ b/cmd/crossplane/render/op/cmd_test.go
@@ -63,8 +63,8 @@ var includeFunctionResultsOutput string
 //go:embed testdata/cmd/output/include-full-operation.yaml
 var includeFullOperationOutput string
 
-func newEngineFunc(engine render.Engine) func(*render.EngineFlags, logging.Logger) render.Engine {
-	return func(*render.EngineFlags, logging.Logger) render.Engine {
+func newEngineFunc(engine render.Engine) func(*render.EngineFlags, string, logging.Logger) render.Engine {
+	return func(*render.EngineFlags, string, logging.Logger) render.Engine {
 		return engine
 	}
 }
diff --git a/cmd/crossplane/render/xr/cmd_test.go b/cmd/crossplane/render/xr/cmd_test.go
index d57cc14..cf40315 100644
--- a/cmd/crossplane/render/xr/cmd_test.go
+++ b/cmd/crossplane/render/xr/cmd_test.go
@@ -78,8 +78,8 @@ var includeFunctionResultsOutput string
 //go:embed testdata/cmd/output/include-full-xr.yaml
 var includeFullXROutput string
 
-func newEngineFunc(engine render.Engine) func(*render.EngineFlags, logging.Logger) render.Engine {
-	return func(*render.EngineFlags, logging.Logger) render.Engine {
+func newEngineFunc(engine render.Engine) func(*render.EngineFlags, string, logging.Logger) render.Engine {
+	return func(*render.EngineFlags, string, logging.Logger) render.Engine {
 		return engine
 	}
 }

From 9ed0203cb28c8cd52df4501c67a54860b06f6135 Mon Sep 17 00:00:00 2001
From: Nikita Z <nkzk95@gmail.com>
Date: Thu, 4 Jun 2026 12:18:39 +0200
Subject: [PATCH 4/5] fix: remove network from engineflage, use
 dockerRenderEngine

Signed-off-by: Nikita Z <nkzk95@gmail.com>
---
 cmd/crossplane/render/engine.go        | 5 +++--
 cmd/crossplane/render/engine_docker.go | 3 +--
 cmd/crossplane/render/op/cmd.go        | 2 +-
 cmd/crossplane/render/xr/cmd.go        | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/cmd/crossplane/render/engine.go b/cmd/crossplane/render/engine.go
index aa801fa..333fb79 100644
--- a/cmd/crossplane/render/engine.go
+++ b/cmd/crossplane/render/engine.go
@@ -61,12 +61,13 @@ type EngineFlags struct {
 	CrossplaneVersion string `help:"Version of the Crossplane image to use for rendering. Defaults to the latest stable version." placeholder:"VERSION" xor:"crossplane-selector"`
 	CrossplaneImage   string `help:"Override the full Crossplane Docker image reference for rendering."                           placeholder:"IMAGE"   xor:"crossplane-selector"`
 	CrossplaneBinary  string `help:"Path to a local crossplane binary to use instead of Docker."                                  placeholder:"PATH"    type:"existingfile"       xor:"crossplane-selector"`
-	Network           string `help:"The network containers should connect to"`
 }
 
 // NewEngineFromFlags creates an Engine from the flag configuration. If a binary
 // path is set, it returns a local engine. Otherwise it returns a Docker engine
-// using the resolved image reference.
+// using the resolved image reference. The network parameter sets the Docker
+// network the render container should join; it is derived from function
+// annotations (AnnotationKeyRuntimeDockerNetwork) by the caller.
 func NewEngineFromFlags(f *EngineFlags, network string, log logging.Logger) Engine {
 	if f.CrossplaneBinary != "" {
 		return &localRenderEngine{BinaryPath: f.CrossplaneBinary}
diff --git a/cmd/crossplane/render/engine_docker.go b/cmd/crossplane/render/engine_docker.go
index 9bde1fb..83d5059 100644
--- a/cmd/crossplane/render/engine_docker.go
+++ b/cmd/crossplane/render/engine_docker.go
@@ -53,8 +53,7 @@ func (realContainerRunner) Run(ctx context.Context, img string, opts ...docker.R
 type dockerRenderEngine struct {
 	// image is the Crossplane Docker image reference.
 	image string
-	// network is the Docker network to connect the container to. When set,
-	// the container joins this network so it can reach function containers.
+	// network is the Docker network to connect the container to.
 	network string
 
 	log logging.Logger
diff --git a/cmd/crossplane/render/op/cmd.go b/cmd/crossplane/render/op/cmd.go
index 120cc79..ee70914 100644
--- a/cmd/crossplane/render/op/cmd.go
+++ b/cmd/crossplane/render/op/cmd.go
@@ -168,7 +168,7 @@ func (c *Cmd) Run(k *kong.Context, log logging.Logger, sp terminal.SpinnerPrinte
 		}
 	}
 
-	network := ""
+	var network string
 	for _, annotation := range c.FunctionAnnotations {
 		parts := strings.SplitN(annotation, "=", 2)
 		if len(parts) != 2 {
diff --git a/cmd/crossplane/render/xr/cmd.go b/cmd/crossplane/render/xr/cmd.go
index 26036f1..70401ef 100644
--- a/cmd/crossplane/render/xr/cmd.go
+++ b/cmd/crossplane/render/xr/cmd.go
@@ -224,7 +224,7 @@ func (c *Cmd) Run(k *kong.Context, log logging.Logger, sp terminal.SpinnerPrinte
 		}
 	}
 
-	network := ""
+	var network string
 	for _, annotation := range c.FunctionAnnotations {
 		parts := strings.SplitN(annotation, "=", 2)
 		if len(parts) != 2 {

From 396a2d11a3e2a5852ab925535adcd6b11b1a6740 Mon Sep 17 00:00:00 2001
From: Nikita Z <nkzk95@gmail.com>
Date: Thu, 4 Jun 2026 12:33:12 +0200
Subject: [PATCH 5/5] fix: move cleanup to the empty network branch

Signed-off-by: Nikita Z <nkzk95@gmail.com>
---
 cmd/crossplane/render/engine_docker.go | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/cmd/crossplane/render/engine_docker.go b/cmd/crossplane/render/engine_docker.go
index 83d5059..63ccb3d 100644
--- a/cmd/crossplane/render/engine_docker.go
+++ b/cmd/crossplane/render/engine_docker.go
@@ -93,13 +93,17 @@ func (e *dockerRenderEngine) Setup(ctx context.Context, fns []pkgv1.Function) (f
 		e.network = networkName
 
 		injectNetworkAnnotation(fns, networkName)
-	}
 
-	cleanup := func() { //nolint:contextcheck // Detached context for cleanup.
-		_ = removeRenderNetwork(context.Background(), networkID)
+		cleanup := func() { //nolint:contextcheck // Detached context for cleanup.
+			_ = removeRenderNetwork(context.Background(), networkID)
+		}
+
+		return cleanup, nil
 	}
 
-	return cleanup, nil
+	// e.network was pre-configured by the caller (e.g. from a function
+	// annotation). We don't own the network, so there is nothing to clean up.
+	return func() {}, nil
 }
 
 // Render marshals the request, runs it through a Docker container, and returns