Add registry auth config, and use docker resolver in containerd.

Signed-off-by: Lantao Liu <lantaol@google.com>

docs/installation.md

@@ -1,4 +1,3 @@
-<!-- TODO(now) -->
 # Install Containerd with Release Tarball
 This document provides the steps to install `containerd` and its dependencies with the release tarball, and bring up a Kubernetes cluster using kubeadm.
 

docs/registry.md

@@ -1,6 +1,7 @@
 # Configure Image Registry
 This document describes the method to configure the image registry for `containerd` for use with the `cri` plugin.
 
+## Configure Registry Endpoint
 With containerd, `docker.io` is the default image registry. You can also set up other image registries similar to docker.
 
 To configure image registries create/modify the `/etc/containerd/config.toml` as follows:
@@ -19,4 +20,26 @@ The default configuration can be generated by `containerd config default > /etc/
 The endpoint is a list that can contain multiple image registry URLs split by commas. When pulling an image
 from a registry, containerd will try these endpoint URLs one by one, and use the first working one.
 
-After modify the config file, you need restart the `containerd` service.
+After modify this config, you need restart the `containerd` service.
+
+## Configure Registry Credentials
+
+`cri` plugin also supports docker like registry credential config.
+
+To configure a credential for a specific registry endpoint, create/modify the
+`/etc/containerd/config.toml` as follows:
+```toml
+[plugins.cri.registry.auths]
+  [plugins.cri.registry.auths."https://gcr.io"]
+    username = ""
+    password = ""
+    auth = ""
+    identitytoken = ""
+```
+The meaning of each field is the same with the corresponding field in `.docker/config.json`.
+
+Please note that auth config passed by CRI takes precedence over this config.
+The registry credential in this config will only be used when auth config is
+not specified by Kubernetes via CRI.
+
+After modify this config, you need restart the `containerd` service.