Container Registry should be read-only on secondary site
Problem
It's not really an urgent issue I think but it can be confusing that you can push images to a secondary site. Even if you push some images to a secondary node, after the next sync the whole repository will be re-scanned and anything that is absent on the primary will be deleted.
Suggestion
We can implement read-only behavior in Auth::ContainerRegistryAuthenticationService
class.
Edited by Valery Sizov