tarantool
diff --git a/‎doc/code_snippets/test/config/etcd.yaml
+2-2 b/‎doc/code_snippets/test/config/etcd.yaml
+2-2
diff --git a/‎doc/code_snippets/test/config/etcd_full.yaml
+12 b/‎doc/code_snippets/test/config/etcd_full.yaml
+12
diff --git a/‎doc/concepts/configuration/configuration_etcd.rst
+126-61 b/‎doc/concepts/configuration/configuration_etcd.rst
+126-61
@@ -1,5 +1,5 @@
 config:
   etcd:
-    prefix: /example
     endpoints:
-    - http://localhost:2379
+      - http://localhost:2379
+    prefix: /example
@@ -0,0 +1,12 @@
+config:
+  etcd:
+    endpoints:
+      - http://localhost:2379
+    prefix: /example
+    username: testuser
+    password: foobar
+    ssl:
+      ca_file: ca.crt
+    http:
+      request:
+        timeout: 3
@@ -6,92 +6,157 @@ Storing configuration in etcd
 ..  admonition:: Enterprise Edition
     :class: fact
 
-    Centralized configuration is supported by the `Enterprise Edition <https://www.tarantool.io/compare/>`_ only.
+    Storing configuration in etcd is supported by the `Enterprise Edition <https://www.tarantool.io/compare/>`_ only.
 
-..  TODO
-    https://github.com/tarantool/doc/issues/3658
+Tarantool enables you to store configuration data in one place using etcd.
+To achieve this, you need to define how to access etcd and put a :ref:`YAML configuration <configuration_file>` to an etcd server.
 
-    - Install and configure etcd (authentication, TLS)
-    - Local etcd configuration (mention env vars)
-        - endpoints
-        - key prefix
-        - auth
-        - TLS
-        - http (timeout, socket)
-    - Put a remote config
-        - etcdctl put
-        - tt cluster publish
-    - Show cluster config
-        - etcdctl get
-        - tt cluster show
-    - Start app
-        - Local config
-        - Env vars
-    - Reload config
-        - auto
-        - manual (config.reload)
 
+.. _etcd_local_configuration:
 
-    Local config (``config.yaml``):
+Local etcd configuration
+------------------------
 
-    ..  literalinclude:: /code_snippets/test/config/etcd.yaml
-        :language: yaml
-        :dedent:
+To store a cluster's configuration in etcd, you need to provide etcd connection settings in a local configuration file.
+These settings are used to :ref:`publish <etcd_publishing_configuration>` a cluster's configuration and :ref:`show <etcd_showing_configuration>` it.
 
-    Remote config (``remote_config.yaml``):
+Connection options for etcd should be specified in the ``config.etcd`` section of the configuration file.
+At least, the following options should be specified:
 
-    ..  literalinclude:: /code_snippets/test/config/replicaset_manual.yaml
-        :language: yaml
-        :dedent:
+..  literalinclude:: /code_snippets/test/config/etcd.yaml
+    :language: yaml
+    :dedent:
 
-    Put a remote config:
+-   :ref:`config.etcd.endpoints <config_etcd_endpoints>` specifies the list of etcd endpoints.
+-   :ref:`config.etcd.prefix <config_etcd_prefix>` sets a key prefix used to search a configuration. Tarantool searches keys by the following path: ``/prefix/config/*``.
 
-    .. code-block:: console
 
-        $ etcdctl put /example/config/all.yaml < remote_config.yaml
+You can also provide additional etcd connection options:
 
-    Put a remote config using ``tt cluster``:
+..  literalinclude:: /code_snippets/test/config/etcd_full.yaml
+    :language: yaml
+    :dedent:
 
-    .. code-block:: console
+In this example, the following options are configured in addition to an etcd endpoint and key prefix:
 
-        $ tt cluster publish "http://localhost:2379/tt" remote_config.yaml
+-   :ref:`config.etcd.username <config_etcd_username>` and :ref:`config.etcd.password <config_etcd_password>` specify credentials used for authentication.
+-   :ref:`config.etcd.ssl.ca_file <config_etcd_ssl_ca_file>` specifies a path to a trusted certificate authorities (CA) file.
+-   :ref:`config.etcd.http.request.timeout <config_etcd_http_request_timeout>` configures a timeout for connecting to an etcd server.
 
-    Searches keys by the following path: ``/prefix/config/*``.
-    See https://github.com/tarantool/doc/issues/3725
+You can find all the available configuration options in the :ref:`etcd <configuration_reference_config_etcd>` section.
 
-    Manual:
 
-    .. code-block:: yaml
 
-        config:
-          reload: 'manual'
+.. _etcd_publishing_configuration:
 
-    Reload config (on all instances):
+Publishing cluster's configuration to etcd
+------------------------------------------
 
-    .. code-block:: lua
+.. _etcd_publishing_configuration_tt:
 
-        require('config'):reload()
+Publishing configuration using the tt utility
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-    Authentication:
+The tt utility provides the :ref:`tt cluster <tt-cluster>` command for managing a cluster's configuration.
+The ``tt cluster publish`` command can be used to publish a cluster's configuration to etcd.
 
-    .. code-block:: console
+The example below shows how a :ref:`layout <admin-start_stop_instance-multi-instance-layout>` of the application called ``app`` might look:
 
-        $ etcdctl --user root --password foobar role grant-permission tt readwrite /tt/config/all
-        $ etcdctl --user root --password foobar role grant-permission tt --prefix=true readwrite /tt/
+.. code-block:: none
 
-        $ etcdctl --user root --password foobar user grant-role testuser tt
+    instances.enabled
+    └── app
+        ├── config.yaml
+        ├── cluster.yaml
+        └── instances.yml
 
+*   ``config.yaml`` contains a :ref:`local configuration <etcd_local_configuration>` used to connect to etcd.
+*   ``cluster.yaml`` contains a cluster's configuration to be published.
+*   ``instances.yml`` specifies :ref:`instances <admin-start_stop_instance-multi-instance>` to run in the current environment. ``tt cluster publish`` ignores the configured instances.
 
-    .. code-block:: yaml
+To publish a cluster's configuration (``cluster.yaml``) to an etcd server, execute ``tt cluster publish`` as follows:
 
-        config:
-          etcd:
-            http:
-              request:
-                timeout: 3
-            prefix: /tt
-            endpoints:
-            - http://localhost:2379
-            username: testuser
-            password: foobar
+.. code-block:: console
 
+    $ tt cluster publish "http://localhost:2379/example" instances.enabled/app/cluster.yaml
+
+
+.. _etcd_publishing_configuration_etcdctl:
+
+Publishing configuration using etcdctl
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To publish a cluster's configuration using the ``etcdctl`` utility, use the ``put`` command:
+
+.. code-block:: console
+
+    $ etcdctl put /example/config/all < cluster.yaml
+
+
+
+
+.. _etcd_showing_configuration:
+
+Showing a cluster's configuration
+---------------------------------
+
+As for :ref:`publishing configuration <etcd_publishing_configuration>`, you can see a cluster's configuration in two ways:
+
+-   Using the :ref:`tt cluster show <tt-cluster>` command.
+-   Using the ``etcdctl get`` command.
+
+
+.. _etcd_starting_instances:
+
+Starting Tarantool instances
+----------------------------
+
+To learn how to start Tarantool instances, see the :ref:`Starting Tarantool instances <configuration_run_instance>` section.
+
+
+.. _etcd_reloading_configuration:
+
+Reloading configuration
+-----------------------
+
+By default, Tarantool watches etcd keys with the :ref:`specified prefix <etcd_local_configuration>` for changes in a cluster's configuration and reloads a changed configuration automatically.
+If necessary, you can set the :ref:`config.reload <configuration_reference_config_reload>` option to ``manual`` to turn off configuration reloading:
+
+.. code-block:: yaml
+
+    config:
+      reload: 'manual'
+      etcd:
+        # ...
+
+In this case, you can reload a configuration in the :ref:`application code <configuration_application>` using the ``reload()`` function provided by the :ref:`config <config-module>` module:
+
+.. code-block:: lua
+
+    require('config'):reload()
+
+
+
+
+
+
+
+
+
+..
+    Generating certificates for testing:
+    1) openssl genrsa -out ca.key 2048
+    2) openssl req -new -x509 -days 365 -key ca.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca.cr
+    3) openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=localhost" -out server.csr
+    4) openssl x509 -req -extfile <(printf "subjectAltName=DNS:localhost,IP:127.0.0.1") -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
+    5) sudo cp server.crt /etc/ssl/certs
+    6) sudo cp server.key /etc/ssl/private
+
+    Starting etcd:
+    etcd --cert-file=ssl/server.crt --key-file=ssl/server.key --advertise-client-urls=https://localhost:2379 --listen-client-urls=https://localhost:2379
+
+    Get keys:
+    etcdctl get /tt/config/all --cert=ssl/server.crt --key=ssl/server.key
+
+    Test using curl:
+    curl --cacert ssl/ca.crt https://localhost:2379/v2/keys/foo -XPUT -d value=bar -v