diff --git a/charts/kellnr/templates/_helpers.tpl b/charts/kellnr/templates/_helpers.tpl
index 40a0a88..c919ef7 100644
--- a/charts/kellnr/templates/_helpers.tpl
+++ b/charts/kellnr/templates/_helpers.tpl
@@ -259,4 +259,22 @@ KELLNR_OAUTH2__BUTTON_TEXT: {{ .Values.kellnr.oauth2.buttonText | quote }}
 {{ end }}
 {{- end }}
 
+{{/*
+Build the origin URL (protocol + hostname + optional port).
+Omits the port when it matches the default for the protocol (443 for https, 80 for http).
+*/}}
+{{- define "kellnr.originUrl" -}}
+{{- $protocol := default "http" .Values.kellnr.origin.protocol -}}
+{{- $port := include "kellnr.serviceOriginPort" . | int -}}
+{{- $defaultPort := 80 -}}
+{{- if eq $protocol "https" -}}
+  {{- $defaultPort = 443 -}}
+{{- end -}}
+{{- if eq (int $port) (int $defaultPort) -}}
+{{- printf "%s://%s" $protocol .Values.kellnr.origin.hostname -}}
+{{- else -}}
+{{- printf "%s://%s:%d" $protocol .Values.kellnr.origin.hostname $port -}}
+{{- end -}}
+{{- end }}
+
 
diff --git a/charts/kellnr/templates/deployment.yaml b/charts/kellnr/templates/deployment.yaml
index 79e6cf1..3e37772 100644
--- a/charts/kellnr/templates/deployment.yaml
+++ b/charts/kellnr/templates/deployment.yaml
@@ -27,13 +27,16 @@ spec:
         {{- else if not .Values.secret.enabled }}
         configHash: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }}
         {{- end }}
+        {{- if .Values.docBuilder.enabled }}
+        docConfigHash: {{ include (print $.Template.BasePath "/doc-config.yaml") . | sha256sum }}
+        {{- end }}
       {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:
         {{- include "kellnr.selectorLabels" . | nindent 8 }}
     spec:
-      {{- if or .Values.pvc.enabled .Values.importCert.enabled }}
+      {{- if or .Values.pvc.enabled .Values.importCert.enabled .Values.docBuilder.enabled }}
       volumes:
         {{- if .Values.pvc.enabled }}
         - name: {{ .Values.deployment.volumes.name }}
@@ -45,6 +48,11 @@ spec:
           configMap:
             name: {{ .Values.importCert.configMapName | quote }}
         {{- end }}
+        {{- if .Values.docBuilder.enabled }}
+        - name: cargo-config
+          configMap:
+            name: {{ .Values.docBuilder.configMapName | quote }}
+        {{- end }}
         - name: certs
           emptyDir: {}
         - name: tmp
@@ -87,6 +95,13 @@ spec:
             valueFrom:
               secretKeyRef: {{ toYaml .Values.kellnr.oauth2.clientSecretRef | nindent 16 }}
           {{- end }}
+          {{- if and .Values.docBuilder.enabled .Values.docBuilder.tokenSecretRef.name }}
+          - name: RUSTUP_TOOLCHAIN
+            value: {{ .Values.docBuilder.rustupToolchain | quote }}
+          - name: CARGO_REGISTRIES_{{ .Values.docBuilder.registryName | upper }}_TOKEN
+            valueFrom:
+              secretKeyRef: {{ toYaml .Values.docBuilder.tokenSecretRef | nindent 16 }}
+          {{- end }}
           envFrom:
             {{- if .Values.secret.enabled }}
             - secretRef:
@@ -99,7 +114,7 @@ spec:
             - containerPort: {{ .Values.service.api.port }}
               name: kellnr-api
               protocol: TCP
-          {{- if or .Values.pvc.enabled .Values.importCert.enabled }}
+          {{- if or .Values.pvc.enabled .Values.importCert.enabled .Values.docBuilder.enabled }}
           volumeMounts:
             {{- if .Values.pvc.enabled }}
             - mountPath: {{ .Values.kellnr.registry.dataDir | quote }}
@@ -111,6 +126,12 @@ spec:
               mountPath: "/usr/local/share/ca-certificates/"
               readOnly: true
             {{- end }}
+            {{- if .Values.docBuilder.enabled }}
+            - name: cargo-config
+              mountPath: "/usr/local/cargo/config.toml"
+              subPath: config.toml
+              readOnly: true
+            {{- end }}
             - mountPath: /etc/ssl/certs
               name: certs
             - mountPath: /tmp
diff --git a/charts/kellnr/templates/doc-config.yaml b/charts/kellnr/templates/doc-config.yaml
new file mode 100644
index 0000000..d4528f2
--- /dev/null
+++ b/charts/kellnr/templates/doc-config.yaml
@@ -0,0 +1,24 @@
+# ConfigMap providing Cargo registry configuration for rustdoc auto-generation.
+# Allows Kellnr to resolve and download crates from itself (localhost) when
+# building documentation inside the container.
+
+{{- if .Values.docBuilder.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.docBuilder.configMapName | quote }}
+  labels:
+    {{- include "kellnr.labels" . | nindent 4 }}
+data:
+  config.toml: |-
+    [registries.{{ .Values.docBuilder.registryName }}]
+    index = "sparse+http://localhost:{{ .Values.service.api.port }}/api/v1/crates/"
+    credential-provider = ["cargo:token"]
+
+    [source.{{ .Values.docBuilder.registryName }}]
+    registry = "sparse+{{ include "kellnr.originUrl" . }}/api/v1/crates/"
+    replace-with = "{{ .Values.docBuilder.registryName }}-local"
+
+    [source.{{ .Values.docBuilder.registryName }}-local]
+    registry = "sparse+http://localhost:{{ .Values.service.api.port }}/api/v1/crates/"
+{{- end }}
diff --git a/charts/kellnr/values.yaml b/charts/kellnr/values.yaml
index 0e3e8aa..aa007d1 100644
--- a/charts/kellnr/values.yaml
+++ b/charts/kellnr/values.yaml
@@ -220,6 +220,15 @@ importCert:
   volumeName: "kellnr-cert-storage"
   certificate: ""
 
+docBuilder:
+  enabled: false
+  rustupToolchain: "stable"
+  registryName: kellnr
+  configMapName: kellnr-doc-config
+  tokenSecretRef:
+    name: kellnr-doc-token
+    key: token
+
 dns:
   enabled: false
   dnsPolicy: "None"