Read only user for Docker Registry

I have a Docker Registry set up in Docker Swarm behind Traefik:

version: '3'
services:
  docker-registry:
    image: registry:2
    networks:
      - traefik-net
    deploy:
      labels:
        traefik.enable: 'true'
        traefik.docker.network: traefik-net
        traefik.http.services.docker-registry.loadbalancer.server.port: 5000
        traefik.http.routers.docker-registry.rule: Host(`docker-registry.my.domain`)
        traefik.http.routers.docker-registry.entrypoints: 'websecure'
        traefik.http.routers.docker-registry.tls: 'true'
        traefik.http.routers.docker-registry.middlewares: docker-registry-auth
        traefik.http.middlewares.docker-registry-auth.basicauth.users: admin:passwordHash

networks:
  traefik-net:
    external: true

I configured a user admin that can push and pull Docker images. I'd like to add another user that may only read/pull Docker images. How do I configure Traefik to do this?


I found an article about how to do this using Nginx as a proxy for Docker Registry v1. A comment in the linked Gist refers to an Nginx configuration for Docker Registry v2. How do I configure Traefik in a similar way?
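
One way to get a pull-only user with Traefik alone, shown as an added example that is not part of the original question: split the route by HTTP method, since pulling and `docker login` use only GET and HEAD while pushing needs POST, PATCH and PUT. The router and middleware names, the priorities, and the `reader` user with its `readerPasswordHash` placeholder are assumptions.

```yaml
version: '3'
services:
  docker-registry:
    image: registry:2
    networks:
      - traefik-net
    deploy:
      labels:
        traefik.enable: 'true'
        traefik.docker.network: traefik-net
        traefik.http.services.docker-registry.loadbalancer.server.port: 5000

        # Read router: GET/HEAD only (pull, login). Both users are accepted.
        traefik.http.routers.docker-registry-read.rule: Host(`docker-registry.my.domain`) && (Method(`GET`) || Method(`HEAD`))
        traefik.http.routers.docker-registry-read.priority: 20
        traefik.http.routers.docker-registry-read.entrypoints: 'websecure'
        traefik.http.routers.docker-registry-read.tls: 'true'
        traefik.http.routers.docker-registry-read.service: docker-registry
        traefik.http.routers.docker-registry-read.middlewares: docker-registry-read-auth
        # Placeholders: real htpasswd hashes contain "$", which must be written "$$" in a compose file.
        traefik.http.middlewares.docker-registry-read-auth.basicauth.users: admin:passwordHash,reader:readerPasswordHash

        # Write router: every other method (POST, PUT, PATCH, DELETE). Admin only.
        # Lower priority, so it only handles requests the read router did not match.
        traefik.http.routers.docker-registry-write.rule: Host(`docker-registry.my.domain`)
        traefik.http.routers.docker-registry-write.priority: 10
        traefik.http.routers.docker-registry-write.entrypoints: 'websecure'
        traefik.http.routers.docker-registry-write.tls: 'true'
        traefik.http.routers.docker-registry-write.service: docker-registry
        traefik.http.routers.docker-registry-write.middlewares: docker-registry-write-auth
        traefik.http.middlewares.docker-registry-write-auth.basicauth.users: admin:passwordHash

networks:
  traefik-net:
    external: true
```

The split is only enforced for traffic that passes through Traefik, so the registry's port 5000 should stay unpublished, as in the original stack. Attempting a push as `reader` should end in a 401 on the first POST, which confirms the write router is matching.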