docs: add an article for "immutable image tags"

Fixes #160 Signed-off-by: Ramkumar Chinchani <[email protected]>
project-zot · Mar 13, 2024 · 39a6d6c · 39a6d6c
1 parent 9d8c6e5
commit 39a6d6c
Showing 1 changed file with 49 additions and 0 deletions.
diff --git a/docs/articles/immutable-tags.md b/docs/articles/immutable-tags.md
@@ -0,0 +1,49 @@
+# Immutable Image Tags
+
+> :point_right: Immutable image tag support is achieved by leveraging authorization policies.
+
+It is considered best practice to avoid changing the content once a software
+version has been released. While `zot` does not have an explicit configuration
+flag to make image tags immutable, the same effect can be achieved with
+[authorization](../articles/authn-authz.md) as follows.
+
+## Immutable For All Users
+
+By setting the `defaultPolicy` to "read" and "create" for a particular
+repository, images can be pushed (once) and pulled but further updates are
+rejected.
+
+```json
+{
+...
+  "repositories": {
+    "**": {
+      "defaultPolicy": ["read", "create"]
+    }
+  }
+...
+}
+```
+
+## Immutable With Overrides
+
+Like the example above, by setting the `defaultPolicy` to "read" and "create"
+for a particular repository, images can be pushed (once) and pulled but further
+updates are rejected. However, exceptions can be made for some users and
+user-specific policies can be added to allow "update" operation.
+
+```json
+{
+...
+  "repositories": {
+    "**": {
+      "policies": [{
+        "users": ["alice", "bob"],
+        "actions": ["read", "create", "update"]
+      }],
+      "defaultPolicy": ["read", "create"]
+    }
+  }
+...
+}
+```