Docs: CNF publish options and permissions

src/aosm/README.md

@@ -49,7 +49,9 @@ For CNFs you must have these packages installed on the machine you are running t
 
 For CNFs, you must provide:
 * helm packages with an associated schema. These files must be on your disk and will be referenced in the `input.json` config file. 
-* a reference to an existing Azure Container Registry which contains the images for your CNF. Currently, only one ACR is supported per CNF. The images to be copied from this ACR are populated automatically based on the helm package schema.
+* images for your CNF.  For these you have the following options:
+  - a reference to an existing Azure Container Registry which contains the images for your CNF. Currently, only one ACR and namespace is supported per CNF. The images to be copied from this ACR are populated automatically based on the helm package schema. You must have Reader/AcrPull permissions on this ACR. To use this option, fill in `source_registry` and optionally `source_registry_namespace` in the input.json file.
+  - or, the image name of the source docker image from local machine. This is for a limited use case where the CNF only requires a single docker image which exists in the local docker repository. To use this option, fill in `source_local_docker_image` in the input.json file.
 * optionally, you can provide a file (on disk) path_to_mappings which is a copy of values.yaml with your chosen values replaced by deployment parameters, thus exposing them as parameters to the CNF. You can get this file auto-generated by leaving the value as a blank string, either having every value as a deployment parameter, or using `--interactive` to interactively choose.
 When filling in the input.json file, you must list helm packages in the order they are to be deployed. For example, if A must be deployed before B, your input.json should look something like this:
 
@@ -71,6 +73,13 @@ When filling in the input.json file, you must list helm packages in the order th
                 ]
             },
 
+##### Permissions for publishing CNFs
+If sourcing the CNF images from an existing ACR, you need to have `Reader`/`AcrPull` permissions
+from this ACR, and ideally, `Contributor` role + `AcrPush` role (or a custom role that allows the `importImage` action and `AcrPush`) over the whole subscription in order to be able to import to the new Artifact store. If you have these, you 
+do not need docker to be installed locally, and the image copy is very quick.
+
+If you do not have the subscription-wide permissions then you can run the `az aosm nfd publish` command using the `--no-subscription-permissions` flag to pull the image to your local machine and then push it to the Artifact Store using manifest credentials scoped only to the store. This requires Docker to be installed locally.
+
 #### NSDs
 For NSDs, you will need to have a Resource Group with a deployed Publisher, Artifact Store, Network Function Definition and Network Function Definition Version. You can use the `az aosm nfd` commands to create all of these resources.