Diffstat (limited to 'doc/administration')
-rw-r--r--doc/administration/geo/replication/datatypes.md2
-rw-r--r--doc/administration/lfs/index.md4
-rw-r--r--doc/administration/postgresql/replication_and_failover.md57
-rw-r--r--doc/administration/troubleshooting/debug.md2
4 files changed, 61 insertions, 4 deletions
diff --git a/doc/administration/geo/replication/datatypes.md b/doc/administration/geo/replication/datatypes.md
index dd1c7730791..62b366e9a4a 100644
--- a/doc/administration/geo/replication/datatypes.md
+++ b/doc/administration/geo/replication/datatypes.md
@@ -200,7 +200,7 @@ successfully, you must replicate their data using some other means.
|[Package Registry for generic packages](../../../user/packages/generic_packages/index.md) | **Yes** (13.5) | [**Yes**](#limitation-of-verification-for-files-in-object-storage) (13.10) | Via Object Storage provider if supported. Native Geo support (Beta). | Behind feature flag `geo_package_file_replication`, enabled by default. |
|[Versioned Terraform State](../../terraform_state.md) | **Yes** (13.5) | [**Yes**](#limitation-of-verification-for-files-in-object-storage) (13.12) | Via Object Storage provider if supported. Native Geo support (Beta). | Replication is behind the feature flag `geo_terraform_state_version_replication`, enabled by default. Verification was behind the feature flag `geo_terraform_state_version_verification`, which was removed in 14.0|
|[External merge request diffs](../../merge_request_diffs.md) | **Yes** (13.5) | No | Via Object Storage provider if supported. Native Geo support (Beta). | Replication is behind the feature flag `geo_merge_request_diff_replication`, enabled by default. Verification is under development, behind the feature flag `geo_merge_request_diff_verification`, introduced in 14.0.|
-|[Versioned snippets](../../../user/snippets.md#versioned-snippets) | [**Yes** (13.7)](https://gitlab.com/groups/gitlab-org/-/epics/2809) | [**Yes**](https://gitlab.com/groups/gitlab-org/-/epics/2810) | No | Verification was implemented behind the feature flag `geo_snippet_repository_verification` in 13.11, and the feature flag was removed in 14.2. |
+|[Versioned snippets](../../../user/snippets.md#versioned-snippets) | [**Yes** (13.7)](https://gitlab.com/groups/gitlab-org/-/epics/2809) | [**Yes** (14.2)](https://gitlab.com/groups/gitlab-org/-/epics/2810) | No | Verification was implemented behind the feature flag `geo_snippet_repository_verification` in 13.11, and the feature flag was removed in 14.2. |
|[Server-side Git hooks](../../server_hooks.md) | [No](https://gitlab.com/groups/gitlab-org/-/epics/1867) | No | No | |
|[Elasticsearch integration](../../../integration/elasticsearch.md) | [No](https://gitlab.com/gitlab-org/gitlab/-/issues/1186) | No | No | |
|[GitLab Pages](../../pages/index.md) | [No](https://gitlab.com/groups/gitlab-org/-/epics/589) | No | Via Object Storage provider if supported. **No** native Geo support (Beta). | |
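Review bot: the new `(14.2)` in the verification column of the versioned snippets row uses a different convention from the Versioned Terraform State row two lines above, which cites `13.12` in that column while its notes say the verification flag was removed in 14.0. This row's notes say verification was implemented behind `geo_snippet_repository_verification` in 13.11 and the flag was removed in 14.2, so the cell should either be `13.11` (the release in which verification first shipped behind the flag, which is how the Terraform State row appears to be counted) or stay `14.2` with the "version means flag removed / enabled by default" convention stated once above the table; either way, apply the same rule to both rows so readers can compare them.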
diff --git a/doc/administration/lfs/index.md b/doc/administration/lfs/index.md
index edf0e324a5c..682352d8f59 100644
--- a/doc/administration/lfs/index.md
+++ b/doc/administration/lfs/index.md
@@ -323,7 +323,7 @@ See more information in [!19581](https://gitlab.com/gitlab-org/gitlab-foss/-/mer
### LFS commands fail on TLS v1.3 server
-If you configure GitLab to [disable TLS v1.2](https://docs.gitlab.com/omnibus/settings/nginx.md)
+If you configure GitLab to [disable TLS v1.2](https://docs.gitlab.com/omnibus/settings/nginx.html)
and only enable TLS v1.3 connections, LFS operations require a
[Git LFS client](https://git-lfs.github.com) version 2.11.0 or later. If you use
a Git LFS client earlier than version 2.11.0, GitLab displays an error:
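Review bot: the `.md` to `.html` change is correct for a link that leaves this repository, since docs.gitlab.com serves rendered HTML and the `.md` form is only rewritten for relative links inside the docs tree; the same file has a second link of this shape in the next hunk (the Runner install page), and the helper-image link already uses `.html`, so it is worth grepping the docs tree for remaining `https://docs.gitlab.com/...md` links in this commit rather than fixing them one page at a time.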
@@ -334,7 +334,7 @@ error: failed to fetch some objects from 'https://username:[MASKED]@gitlab.examp
```
When using GitLab CI over a TLS v1.3 configured GitLab server, you must
-[upgrade to GitLab Runner](https://docs.gitlab.com/runner/install/index.md) 13.2.0
+[upgrade to GitLab Runner](https://docs.gitlab.com/runner/install/index.html) 13.2.0
or later to receive an updated Git LFS client version via
the included [GitLab Runner Helper image](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#helper-image).
diff --git a/doc/administration/postgresql/replication_and_failover.md b/doc/administration/postgresql/replication_and_failover.md
index d37d61048e2..b6f028e1326 100644
--- a/doc/administration/postgresql/replication_and_failover.md
+++ b/doc/administration/postgresql/replication_and_failover.md
@@ -303,6 +303,63 @@ If you enable Monitoring, it must be enabled on **all** database servers.
1. Run `sudo gitlab-ctl reconfigure` to compile the configuration.
+#### Enable TLS support for the Patroni API
+
+By default, Patroni's [REST API](https://patroni.readthedocs.io/en/latest/rest_api.html#rest-api) is served over HTTP.
+You have the option to enable TLS and use HTTPS over the same [port](https://docs.gitlab.com/omnibus/package-information/defaults.html#patroni).
+
+To enable TLS, you need PEM-formatted certificate and private key files. Both files must be readable by the PostgreSQL user (`gitlab-psql` by default, or the one set by `postgresql['username']`):
+
+```ruby
+patroni['tls_certificate_file'] = '/path/to/server/certificate.pem'
+patroni['tls_key_file'] = '/path/to/server/key.pem'
+```
+
+If the server's private key is encrypted, specify the password to decrypt it:
+
+```ruby
+patroni['tls_key_password'] = 'private-key-password' # This is the plain-text password.
+```
+
+If you are using a self-signed certificate or an internal CA, you need to either disable the TLS verification or pass the certificate of the
+internal CA, otherwise you may run into an unexpected error when using the `gitlab-ctl patroni ....` commands. Omnibus ensures that Patroni API
+clients honor this configuration.
+
+TLS certificate verification is enabled by default. To disable it:
+
+```ruby
+patroni['tls_verify'] = false
+```
+
+Alternatively, you can pass a PEM-formatted certificate of the internal CA. Again, the file must be readable by the PostgreSQL user:
+
+```ruby
+patroni['tls_ca_file'] = '/path/to/ca.pem'
+```
+
+When TLS is enabled, mutual authentication of the API server and client is possible for all endpoints, the extent of which depends on
+the `patroni['tls_client_mode']` attribute:
+
+- `none` (default): the API will not check for any client certificates.
+- `optional`: client certificates are required for all [unsafe](https://patroni.readthedocs.io/en/latest/security.html#protecting-the-rest-api) API calls.
+- `required`: client certificates are required for all API calls.
+
+The client certificates are verified against the CA certificate that is specified with the `patroni['tls_ca_file']` attribute. Therefore,
+this attribute is required for mutual TLS authentication. You also need to specify PEM-formatted client certificate and private key files.
+Both files must be readable by the PostgreSQL user:
+
+```ruby
+patroni['tls_client_mode'] = 'required'
+patroni['tls_ca_file'] = '/path/to/ca.pem'
+
+patroni['tls_client_certificate_file'] = '/path/to/client/certificate.pem'
+patroni['tls_client_key_file'] = '/path/to/client/key.pem'
+```
+
+You can use different certificates and keys for both API server and client on different Patroni nodes as long as they can be verified.
+However, the CA certificate (`patroni['tls_ca_file']`), TLS certificate verification (`patroni['tls_verify']`), and client TLS
+authentication mode (`patroni['tls_client_mode']`), must each have the same value on all nodes.
+
### Configuring the PgBouncer node
1. Make sure you collect [`CONSUL_SERVER_NODES`](#consul-information), [`CONSUL_PASSWORD_HASH`](#consul-information), and [`PGBOUNCER_PASSWORD_HASH`](#pgbouncer-information) before executing the next step.
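Review bot: in the new "Enable TLS support for the Patroni API" section, `patroni['tls_verify'] = false` is presented before the CA-file option, and the lead-in says you need to "either disable the TLS verification or pass the certificate of the internal CA", which puts the two on equal footing. Disabling verification lets the `gitlab-ctl patroni ...` client accept any certificate from any server, and those commands include the unsafe calls that the mutual-TLS part of this same section exists to protect, so `patroni['tls_ca_file']` should come first as the recommended fix and `tls_verify = false` should be described as a troubleshooting-only setting. Two smaller points: the text says the certificate and key files "must be readable by the PostgreSQL user" but gives no upper bound, so it should add that the server and client private keys should be owned by that user and readable by no one else; and `patroni['tls_key_password']` stores the passphrase in plain text in `gitlab.rb`, so the comment should say this only adds protection if `gitlab.rb` itself is restricted to root. It would also help to state explicitly that `tls_verify` governs the API client checking the server certificate while `tls_client_mode` governs the server checking client certificates, since both are validated against the same `tls_ca_file` and the current wording leaves that to inference.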
diff --git a/doc/administration/troubleshooting/debug.md b/doc/administration/troubleshooting/debug.md
index 9ec6bd1a9cb..aea891b8a77 100644
--- a/doc/administration/troubleshooting/debug.md
+++ b/doc/administration/troubleshooting/debug.md
@@ -285,5 +285,5 @@ The output in `/tmp/puma.txt` may help diagnose the root cause.
## More information
-- [Debugging Stuck Ruby Processes](https://newrelic.com/blog/engineering/debugging-stuck-ruby-processes-what-to-do-before-you-kill-9/)
+- [Debugging Stuck Ruby Processes](https://newrelic.com/blog/best-practices/debugging-stuck-ruby-processes-what-to-do-before-you-kill-9)
- [Cheat sheet of using GDB and Ruby processes](gdb-stuck-ruby.txt)