feat: allow adding auth to etcd (#980)

Allow both password or TLS auth, if none of these is provided fallback to no auth

Closes #657

Cargo.lock

@@ -6735,8 +6735,10 @@ dependencies = [
  "percent-encoding",
  "pin-project",
  "prost 0.13.5",
+ "rustls-pemfile",
  "socket2",
  "tokio",
+ "tokio-rustls",
  "tokio-stream",
  "tower 0.4.13",
  "tower-layer",

Cargo.toml

@@ -55,7 +55,7 @@ chrono = { version = "0.4", default-features = false, features = ["alloc", "std"
 derive_builder = { version = "0.20" }
 derive-getters = { version = "0.5" }
 either = { version = "1.13", features = ["serde"] }
-etcd-client = { version = "0.14" }
+etcd-client = { version = "0.14", features = ["tls"] }
 futures = { version = "0.3" }
 hf-hub = { version = "0.4.2", default-features = false, features = ["tokio", "rustls-tls"] }
 humantime = { version = "2.2.0" }

lib/bindings/python/Cargo.lock

@@ -4563,8 +4563,10 @@ dependencies = [
  "percent-encoding",
  "pin-project",
  "prost",
+ "rustls-pemfile",
  "socket2",
  "tokio",
+ "tokio-rustls",
  "tokio-stream",
  "tower 0.4.13",
  "tower-layer",

lib/runtime/examples/Cargo.lock

@@ -2120,6 +2120,7 @@ version = "0.23.26"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "df51b5869f3a441595eac5e8ff14d486ff285f7b8c0df8770e49c3b56351f0f0"
 dependencies = [
+ "log",
  "once_cell",
  "ring",
  "rustls-pki-types",
@@ -2734,8 +2735,10 @@ dependencies = [
  "percent-encoding",
  "pin-project",
  "prost",
+ "rustls-pemfile",
  "socket2",
  "tokio",
+ "tokio-rustls",
  "tokio-stream",
  "tower 0.4.13",
  "tower-layer",

lib/runtime/src/transports/etcd.rs

@@ -25,8 +25,8 @@ use tokio::sync::{mpsc, RwLock};
 use validator::Validate;
 
 use etcd_client::{
-    Compare, CompareOp, DeleteOptions, GetOptions, PutOptions, PutResponse, Txn, TxnOp,
-    TxnOpResponse, WatchOptions, Watcher,
+    Certificate, Compare, CompareOp, DeleteOptions, GetOptions, Identity, PutOptions, PutResponse,
+    TlsOptions, Txn, TxnOp, TxnOpResponse, WatchOptions, Watcher,
 };
 
 pub use etcd_client::{ConnectOptions, KeyValue, LeaseClient};
@@ -413,9 +413,32 @@ pub struct ClientOptions {
 
 impl Default for ClientOptions {
     fn default() -> Self {
+        let mut connect_options = None;
+
+        if let (Ok(username), Ok(password)) = (
+            std::env::var("ETCD_AUTH_USERNAME"),
+            std::env::var("ETCD_AUTH_PASSWORD"),
+        ) {
+            // username and password are set
+            connect_options = Some(ConnectOptions::new().with_user(username, password));
+        } else if let (Ok(ca), Ok(cert), Ok(key)) = (
+            std::env::var("ETCD_AUTH_CA"),
+            std::env::var("ETCD_AUTH_CLIENT_CERT"),
+            std::env::var("ETCD_AUTH_CLIENT_KEY"),
+        ) {
+            // TLS is set
+            connect_options = Some(
+                ConnectOptions::new().with_tls(
+                    TlsOptions::new()
+                        .ca_certificate(Certificate::from_pem(ca))
+                        .identity(Identity::from_pem(cert, key)),
+                ),
+            );
+        }
+
         ClientOptions {
             etcd_url: default_servers(),
-            etcd_connect_options: None,
+            etcd_connect_options: connect_options,
             attach_lease: true,
         }
     }