As of now, etcd supports HTTPS natively, and also supports client-side SSL certificates. In the most recent versions, however, etcd allows also to define ACLs. The only issue with ACLs is that they're not supported e.g. in confd as far as I can see. We should probably figure out a viable way to configure ACLs and leave a read-only unauthenticated section that can be reached by confd.