fix(render): do not overwrite function docker network if set, start crossplane-container in same network

[nkzk]

Description of your changes

Closes #75

Fixes:

• Do not overwrite the docker-network annotation in functions if it has already been set
• If the docker-network annotation is passed to the FunctionAnnotations flag, run crossplane-container in it.

I have:

• Read and followed Crossplane's contribution process.
• Run ./nix.sh flake check to ensure this PR is ready for review.
• Added or updated unit tests.
• Linked a PR or a docs tracking issue to document this change.
• Added backport release-x.y labels to auto-backport this PR.

Need help with this checklist? See the cheat sheet.

[adamwg]

Thanks for the PR, @nkzk! Would you mind creating an issue for this as well, for discoverability and tracking? I haven't reviewed in detail yet, but the described fixes sound reasonable.

[nkzk]

I see that there are already tests for passing function annotations to the engine. I had copilot help me create unit tests for injectNetworkAnnotations. Also ran flake check.

[nkzk]

Hmm, i got it to work in a devcontainer with this fix, but the current implemention has some issues in CI. But i think this can be solved on the user-side.

One of our earliest approaches was to start up functions as service-containers before running multiple/different renders, and it worked because gitlab/github connects the job-container to the bridge-network used by service-containers.

But since crossplane render will start up crossplane in another temporary bridge network, it doesnt seem that this will continue to work. However, my theory is that the user can specify the docker-network in their CI-provider (gitlab/github), and then specify the the docker-network flag in the crossplane render command with the fix in this branch to solve this.

We have another workflow which uses rootless DinD/PinP, but kind of the same issue there.

I'll do some more testing soon.

But let me know if something i say sounds off :D

[nkzk]

Think this PR is ready for review, i did some more testing in CI and did not completely figure it out yet, but i think its just an issue of configuring the docker-network in CI and setting that value as the function-docker-network flag in the render-command.

A quality of life improvement for us would be if we can spin up the crossplane container ourselves and make render use it. If we could configure the crossplane-containerthe same way as functions, with the development annotation to manage the container lifecycle ourselves, it would just simplify this alot for us.

But maybe its out of scope for this PR, i'm not sure whats the best way to implement this would be. But open to work on it if someone has some ideas.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR adds an optional CrossplaneDockerNetwork flag, threads it into the docker render engine, makes dockerRenderEngine.Setup skip temporary network creation when a network is preconfigured, preserves existing runtime network annotations, provides an annotation parser, and wires network defaulting into both render commands.

Changes

Docker network preconfiguration support

Layer / File(s)	Summary
Annotation parsing utility cmd/crossplane/render/annotation.go	New Annotations map type and NewAnnotationsFromStrings function parse key=value strings from CLI or function metadata, skipping malformed entries.
Engine network flag and conditional setup cmd/crossplane/render/engine.go, cmd/crossplane/render/engine_docker.go	EngineFlags.CrossplaneDockerNetwork parameter threads through NewEngineFromFlags to dockerRenderEngine. dockerRenderEngine.Setup conditionally creates a temporary Docker network only when e.network is empty; when preconfigured, it returns a no-op cleanup without annotation injection.
Network annotation preservation cmd/crossplane/render/render.go	injectNetworkAnnotation now checks for existing AnnotationKeyRuntimeDockerNetwork annotations before setting them, preserving caller-provided or preexisting network values.
Function-based network defaulting cmd/crossplane/render/network.go, cmd/crossplane/render/network_test.go	New SetDefaultCrossplaneDockerNetwork method extracts the network from the first function's AnnotationKeyRuntimeDockerNetwork annotation when the flag is empty, with comprehensive test coverage for explicit flags, annotation selection, and empty-function cases.
Annotation override tests cmd/crossplane/render/render_test.go	Tests for OverrideFunctionAnnotations validate that CLI overrides are applied to all functions, replace existing keys, and error on malformed flags, with a test helper to construct annotated functions.
Command wiring for network configuration cmd/crossplane/render/op/cmd.go, cmd/crossplane/render/xr/cmd.go, cmd/crossplane/render/op/cmd_test.go, cmd/crossplane/render/xr/cmd_test.go	Both render commands call SetDefaultCrossplaneDockerNetwork after loading functions but before engine initialization, ensuring the network flag is populated from function annotations. Tests verify that function annotation CLI overrides propagate to engine flags before Setup runs.

Sequence Diagram

sequenceDiagram
  participant RenderCmd
  participant FunctionSet
  participant EngineFlags
  participant dockerEngine
  participant DockerNetwork
  
  RenderCmd->>FunctionSet: load functions with annotations
  RenderCmd->>RenderCmd: SetDefaultCrossplaneDockerNetwork(fns)
  activate RenderCmd
    RenderCmd->>FunctionSet: find first function with AnnotationKeyRuntimeDockerNetwork
    RenderCmd->>EngineFlags: set CrossplaneDockerNetwork if flag empty
  deactivate RenderCmd
  
  RenderCmd->>dockerEngine: NewEngineFromFlags(network: CrossplaneDockerNetwork)
  dockerEngine->>dockerEngine: Setup(functions)
  
  alt CrossplaneDockerNetwork is preconfigured
    dockerEngine->>FunctionSet: skip annotation injection
    dockerEngine-->>RenderCmd: return no-op cleanup
  else CrossplaneDockerNetwork is empty
    dockerEngine->>DockerNetwork: create temporary render network
    dockerEngine->>FunctionSet: inject network annotation
    dockerEngine-->>RenderCmd: return cleanup to remove network
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

• Issue #75: This PR directly addresses the bug where function Docker network annotations are overwritten and temporary networks are always created. The changes implement preconfiguration capability so the engine skips temporary network creation and preserves existing annotations, supporting devcontainer and multi-function render scenarios.

🚥 Pre-merge checks | ✅ 5 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title exceeds the 72-character requirement at 104 characters, though it accurately describes the main changes: preventing docker network annotation overwrites and running crossplane in the same network.	Consider shortening the title to meet the 72-character limit, for example: 'fix(render): preserve function docker network and use it for crossplane'

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description is directly related to the changeset, clearly explaining the fixes and including test coverage, checklist verification, and a reference to the linked issue.
Linked Issues check	✅ Passed	The PR successfully addresses all coding requirements from issue #75: preventing annotation overwrites via conditional injection in render.go, accepting docker network configuration via new EngineFlags field, and defaulting from function annotations via SetDefaultCrossplaneDockerNetwork method.
Out of Scope Changes check	✅ Passed	All changes directly support the linked issue objectives: annotation utilities, network configuration flags, default derivation logic, and comprehensive test coverage align with preventing overwrites and enabling network control.
Breaking Changes	✅ Passed	PR adds optional field CrossplaneDockerNetwork and new exports (additive changes) while fixing injectNetworkAnnotation to preserve existing annotations—no removed/renamed fields, no required fields...
Feature Gate Requirement	✅ Passed	PR modifies only cmd/crossplane/render/ (CLI implementation, not apis/**) and adds bug fixes with parameterized control via new flags; not experimental features requiring feature gates.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[adamwg]

A quality of life improvement for us would be if we can spin up the crossplane container ourselves and make render use it. If we could configure the crossplane-containerthe same way as functions, with the development annotation to manage the container lifecycle ourselves, it would just simplify this alot for us.

But maybe its out of scope for this PR, i'm not sure whats the best way to implement this would be. But open to work on it if someone has some ideas.

@nkzk Good thought - I can see how this would be useful. It's a little tricky, since the crossplane container in render doesn't actually run a server, it's just a one-off command (crossplane internal render ...).

For your use-case, would it be easier to download a crossplane binary and use the --crossplane-binary render flag? In that mode, the functions need to be accessible to the host (like with the old crossplane render), but there's no assumptions about inter-container networking.

[adamwg]

Thanks for filing an issue for this, and for the fix. A few comments inline, but the overall approach looks good to me.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

cmd/crossplane/render/engine.go (1)

67-71: ⚡ Quick win

Update stale constructor docs after signature change.

Could you update this comment? On Line 69 it still mentions a network parameter, but NewEngineFromFlags now derives this from EngineFlags.CrossplaneDockerNetwork.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/crossplane/render/engine.go` around lines 67 - 71, Update the doc comment
for NewEngineFromFlags to remove the outdated reference to a `network parameter`
and instead state that the Docker network is derived from
EngineFlags.CrossplaneDockerNetwork; specifically edit the comment block above
the NewEngineFromFlags function to reflect that when no binary path is set it
returns a Docker engine using the resolved image reference and that the Docker
network is taken from EngineFlags.CrossplaneDockerNetwork (not supplied by the
caller).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/crossplane/render/op/cmd.go`:
- Around line 170-185: The override parsing for
render.AnnotationKeyRuntimeDockerNetwork is nested inside the if
c.EngineFlags.CrossplaneDockerNetwork == "" block so the --function-annotations
override never applies when a network is already set; move the block that parses
c.FunctionAnnotations (using render.NewAnnotationsFromStrings and checking
render.AnnotationKeyRuntimeDockerNetwork) out of that conditional and always run
it so that when an annotation value exists you set
c.EngineFlags.CrossplaneDockerNetwork (and/or c.CrossplaneDockerNetwork if used
elsewhere) to that value, ensuring the function-annotations override takes
precedence.

---

Nitpick comments:
In `@cmd/crossplane/render/engine.go`:
- Around line 67-71: Update the doc comment for NewEngineFromFlags to remove the
outdated reference to a `network parameter` and instead state that the Docker
network is derived from EngineFlags.CrossplaneDockerNetwork; specifically edit
the comment block above the NewEngineFromFlags function to reflect that when no
binary path is set it returns a Docker engine using the resolved image reference
and that the Docker network is taken from EngineFlags.CrossplaneDockerNetwork
(not supplied by the caller).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 14a09b90-8615-4a74-831b-924cd8db6271

📥 Commits

Reviewing files that changed from the base of the PR and between 396a2d1 and a2deb33.

📒 Files selected for processing (6)

• cmd/crossplane/render/annotation.go
• cmd/crossplane/render/engine.go
• cmd/crossplane/render/engine_docker.go
• cmd/crossplane/render/op/cmd.go
• cmd/crossplane/render/render.go
• cmd/crossplane/render/xr/cmd.go

🚧 Files skipped from review as they are similar to previous changes (2)

• cmd/crossplane/render/engine_docker.go
• cmd/crossplane/render/render.go

[jcogilvie]

I like this change and I want to see it land, but you've checked off the PR checklist box about adding tests and I don't see any. Have I missed something?

[adamwg]

LGTM. Per @jcogilvie's comment, this could probably use a bit of test coverage (may be easiest to factor out the network defaulting logic from both render commands and test it separately).

[nkzk]

yeah my bad, had some tests but dissapeared in a revert+refactor. i can look into it tomorrow!

[nkzk]

Added tests with alot of help from copilot, but the tests look reasonable to me. Let me know if you have any more feedback, thanks! :)

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/crossplane/render/network.go`:
- Around line 42-44: In the condition checking for
AnnotationKeyRuntimeDockerNetwork, add an additional check to verify that the
annotation value is not empty before assigning it to f.CrossplaneDockerNetwork
and returning. If the value is empty, the code should skip the assignment and
return, allowing the loop to continue checking for other valid annotations
instead of short-circuiting on an empty annotation value.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 053e7f3a-2568-4b83-a7b9-3686bac7c660

📥 Commits

Reviewing files that changed from the base of the PR and between 2c2f39b and cf98778.

📒 Files selected for processing (11)

• cmd/crossplane/render/annotation.go
• cmd/crossplane/render/engine.go
• cmd/crossplane/render/engine_docker.go
• cmd/crossplane/render/network.go
• cmd/crossplane/render/network_test.go
• cmd/crossplane/render/op/cmd.go
• cmd/crossplane/render/op/cmd_test.go
• cmd/crossplane/render/render.go
• cmd/crossplane/render/render_test.go
• cmd/crossplane/render/xr/cmd.go
• cmd/crossplane/render/xr/cmd_test.go

🚧 Files skipped from review as they are similar to previous changes (3)

• cmd/crossplane/render/annotation.go
• cmd/crossplane/render/engine_docker.go
• cmd/crossplane/render/render.go