As of now, etcd supports HTTPS natively, and also supports client-side SSL certificates. In the most recent versions, however, etcd also allows defining ACLs. The only issue with ACLs is that they're not supported, e.g., in confd, as far as I can see. We should probably figure out a viable way to configure ACLs and leave a read-only unauthenticated section that can be reached by confd.
So, my proposal would be:
- Upgrade the cluster to 2.2
- Add authentication to python-etcd, conftool, update the cluster
- Define a root user with a password; save it.
- Add a rw user for conftool and group
- Create a locks group, add conftool to it
- Limit writes on /conftool to the conftool group, allowing reads from everyone
- Limit writes on /_locks to the locks group
- Do the same for eventlogging
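
The access layout in the list above, written out as an added example (not part of the original proposal, and not conftool or python-etcd code). It covers the conftool and locks steps only, models the "groups" as etcd 2.x roles in the shape of v2 auth role documents, and assumes the role names, the guest read scope, the placeholder passwords and the sample keys.

```python
import json

def role(name, read, write):
    """Role document in the shape used by etcd 2.x's v2 auth API."""
    return {"role": name, "permissions": {"kv": {"read": read, "write": write}}}

# Desired state. Role names and the guest read scope are assumptions.
ROLES = {
    # "guest" is what unauthenticated clients (e.g. confd) are given.
    "guest": role("guest", ["/conftool/*"], []),
    "conftool": role("conftool", ["/conftool/*"], ["/conftool/*"]),
    "locks": role("locks", ["/_locks/*"], ["/_locks/*"]),
}

# Passwords are placeholders; root needs no explicit role list.
USERS = {
    "root": {"user": "root", "password": "<ROOT_PASSWORD>"},
    "conftool": {"user": "conftool", "password": "<CONFTOOL_PASSWORD>",
                 "roles": ["conftool", "locks"]},
}

def matches(pattern, key):
    """A trailing '*' makes the pattern a prefix match; otherwise exact."""
    if pattern.endswith("*"):
        return key.startswith(pattern[:-1])
    return key == pattern

def allowed(user, key, op):
    """Simplified model of the check: op is "read" or "write",
    user=None means an unauthenticated request (guest role)."""
    if user == "root":
        return True
    names = ["guest"] if user is None else USERS[user]["roles"]
    return any(matches(p, key)
               for n in names
               for p in ROLES[n]["permissions"]["kv"][op])

if __name__ == "__main__":
    for doc in ROLES.values():
        print(json.dumps(doc, sort_keys=True))
    # Constructed sample keys, used only to exercise the model.
    for user, key, op in [(None, "/conftool/example/key", "read"),
                          (None, "/conftool/example/key", "write"),
                          (None, "/_locks/example", "write"),
                          ("conftool", "/_locks/example", "write")]:
        print(user or "guest", op, key, "->", allowed(user, key, op))
```

Note that a pattern such as `/conftool/*` is a prefix match on `/conftool/`, so it does not cover the bare `/conftool` key itself.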