diff --git a/cmd/fluxd/main.go b/cmd/fluxd/main.go index ce4704e3c..e6f8939a7 100644 --- a/cmd/fluxd/main.go +++ b/cmd/fluxd/main.go @@ -111,12 +111,9 @@ func main() { upstreamURL = fs.String("connect", "", "Connect to an upstream service e.g., Weave Cloud, at this base address") token = fs.String("token", "", "Authentication token for upstream service") - // Deprecated - _ = fs.String("docker-config", "", "path to a docker config to use for credentials") + dockerConfig = fs.String("docker-config", "", "path to a docker config to use for image registry credentials") ) - fs.MarkDeprecated("docker-config", "credentials are taken from imagePullSecrets now") - fs.Parse(os.Args) if *versionFlag { @@ -240,6 +237,14 @@ func main() { } imageCreds = k8sInst.ImagesToFetch + if *dockerConfig != "" { + credsWithDefaults, err := registry.ImageCredsWithDefaults(imageCreds, *dockerConfig) + if err != nil { + logger.Log("msg", "--docker-config not used", "err", err) + } else { + imageCreds = credsWithDefaults + } + } k8s = k8sInst // There is only one way we currently interpret a repo of // files as manifests, and that's as Kubernetes yamels. diff --git a/registry/credentials.go b/registry/credentials.go index a44e60eb8..36ef0697b 100644 --- a/registry/credentials.go +++ b/registry/credentials.go @@ -4,6 +4,7 @@ import ( "encoding/base64" "encoding/json" "fmt" + "io/ioutil" "net/url" "strings" 
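Review bot: In the second main.go hunk, a `--docker-config` file that cannot be read or parsed is only logged, and the daemon carries on with the credentials from `k8sInst.ImagesToFetch` alone. The operator asked for these credentials explicitly, so a wrong path or malformed file would show up later as registry authentication failures on scans rather than as a startup error. Consider failing fast in the error branch, e.g. `logger.Log("msg", "cannot use --docker-config", "err", err)` followed by `os.Exit(1)`; whether that fits how the rest of main() handles configuration errors is not visible here, since main() starts and ends outside the hunk. If continuing is intended, a short comment in the `if err != nil` branch saying so would keep it from looking like an oversight.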
@@ -96,7 +97,30 @@ func ParseCredentials(from string, b []byte) (Credentials, error) { return Credentials{m: m}, nil } -// For yields an authenticator for a specific host. +func ImageCredsWithDefaults(lookup func() ImageCreds, configPath string) (func() ImageCreds, error) { + var defaults Credentials + bs, err := ioutil.ReadFile(configPath) + if err == nil { + defaults, err = ParseCredentials(configPath, bs) + } + if err != nil { + return nil, err + } + return func() ImageCreds { + imageCreds := lookup() + for k, v := range imageCreds { + newCreds := NoCredentials() + newCreds.Merge(defaults) + newCreds.Merge(v) + imageCreds[k] = newCreds + } + return imageCreds + }, nil +} + +// --- + +// credsFor yields an authenticator for a specific host. func (cs Credentials) credsFor(host string) creds { if cred, found := cs.m[host]; found { return cred
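Review bot: `ImageCredsWithDefaults` is exported without a doc comment, and the precedence between the two credential sources is expressed only by the order of `newCreds.Merge(defaults)` and `newCreds.Merge(v)`. A comment such as `// ImageCredsWithDefaults wraps lookup so that each image's credentials are layered over those parsed from the docker config at configPath; the file is read once, when this function is called.` would record that. It should also say which side wins for a host present in both, which depends on `Merge` (not shown in this hunk). The returned closure also writes the merged value back with `imageCreds[k] = newCreds`, that is, into the map `lookup()` returned; if that map is cached or shared by the caller, the file's credentials stay attached to it and concurrent calls would race. Assuming `ImageCreds` is a map type, filling a fresh one avoids this: `merged := make(ImageCreds, len(imageCreds))`, `merged[k] = newCreds`, `return merged`.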