Merge branch '329533-update-patroni-reference-architecture-docs' into 'master'

Patroni: Update reference architecture documentation for patroni

See merge request gitlab-org/gitlab!63580

doc/administration/geo/setup/database.md

@@ -209,7 +209,7 @@ There is an [issue where support is being discussed](https://gitlab.com/gitlab-o
    ## Geo Primary role
    ## - configure dependent flags automatically to enable Geo
    ##
-   roles ['geo_primary_role']
+   roles(['geo_primary_role'])
 
    ##
    ## Primary address
@@ -382,7 +382,7 @@ There is an [issue where support is being discussed](https://gitlab.com/gitlab-o
    ## Geo Secondary role
    ## - configure dependent flags automatically to enable Geo
    ##
-   roles ['geo_secondary_role']
+   roles(['geo_secondary_role'])
 
    ##
    ## Secondary address
@@ -401,7 +401,7 @@ There is an [issue where support is being discussed](https://gitlab.com/gitlab-o
    ```
 
    For external PostgreSQL instances, see [additional instructions](external_database.md).
-   If you bring a former **primary** node back online to serve as a **secondary** node, then you also need to remove `roles ['geo_primary_role']` or `geo_primary_role['enable'] = true`.
+   If you bring a former **primary** node back online to serve as a **secondary** node, then you also need to remove `roles(['geo_primary_role'])` or `geo_primary_role['enable'] = true`.
 
 1. Reconfigure GitLab for the changes to take effect:
 
@@ -541,13 +541,13 @@ Leader instance**:
 1. Edit `/etc/gitlab/gitlab.rb` and add the following:
 
    ```ruby
-   consul['enable'] = true
+   roles(['patroni_role'])
+   
+   consul['services'] = %w(postgresql)
    consul['configuration'] = {
      retry_join: %w[CONSUL_PRIMARY1_IP CONSUL_PRIMARY2_IP CONSUL_PRIMARY3_IP]
    }
    
-   roles ['patroni_role']
-   
    # You need one entry for each secondary, with a unique name following PostgreSQL slot_name constraints:
    #
    # Configuration syntax is: 'unique_slotname' => { 'type' => 'physical' },
@@ -644,7 +644,7 @@ Follow the minimal configuration for the PgBouncer node:
 
    ```ruby
    # Disable all components except Pgbouncer and Consul agent
-   roles ['pgbouncer_role']
+   roles(['pgbouncer_role'])
 
    # PgBouncer configuration
    pgbouncer['admin_users'] = %w(pgbouncer gitlab-consul)
@@ -703,7 +703,7 @@ For each Patroni instance on the secondary site:
 1. Edit `/etc/gitlab/gitlab.rb` and add the following:
 
    ```ruby
-   roles ['consul_role', 'patroni_role']
+   roles(['consul_role', 'patroni_role'])
 
    consul['enable'] = true
    consul['configuration'] = {
@@ -768,7 +768,7 @@ by following the same instructions above.
 
 Secondary sites use a separate PostgreSQL installation as a tracking database to
 keep track of replication status and automatically recover from potential replication issues.
-Omnibus automatically configures a tracking database when `roles ['geo_secondary_role']` is set.
+Omnibus automatically configures a tracking database when `roles(['geo_secondary_role'])` is set.
 If you want to run this database in a highly available configuration, follow the instructions below.
 
 A production-ready and secure setup requires at least three Consul nodes, three
@@ -793,7 +793,7 @@ Follow the minimal configuration for the PgBouncer node for the tracking databas
 
    ```ruby
    # Disable all components except Pgbouncer and Consul agent
-   roles ['pgbouncer_role']
+   roles(['pgbouncer_role'])
 
    # PgBouncer configuration
    pgbouncer['users'] = {
@@ -855,7 +855,7 @@ For each Patroni instance on the secondary site for the tracking database:
 
    ```ruby
    # Disable all components except PostgreSQL, Patroni, and Consul
-   roles ['patroni_role']
+   roles(['patroni_role'])
 
    # Consul configuration
    consul['services'] = %w(postgresql)

doc/administration/postgresql/replication_and_failover.md

@@ -127,15 +127,18 @@ Few notes on the service itself:
 
 #### PostgreSQL information
 
-When configuring PostgreSQL, we will set `max_wal_senders` to one more than
-the number of database nodes in the cluster.
-This is used to prevent replication from using up all of the
-available database connections.
+When configuring PostgreSQL, we do the following:
+
+- Set `max_replication_slots` to double the number of database nodes.
+  Patroni uses one extra slot per node when initiating the replication.
+- Set `max_wal_senders` to one more than the allocated number of replication slots in the cluster.
+  This prevents replication from using up all of the available database connections.
 
 In this document we are assuming 3 database nodes, which makes this configuration:
 
 ```ruby
-patroni['postgresql']['max_wal_senders'] = 4
+patroni['postgresql']['max_replication_slots'] = 6
+patroni['postgresql']['max_wal_senders'] = 7
 ```
 
 As previously mentioned, you'll have to prepare the network subnets that will
@@ -211,11 +214,8 @@ repmgr-specific configuration as well. Especially, make sure that you remove `po
 Here is an example:
 
 ```ruby
-# Disable all components except PostgreSQL, Patroni, and Consul
-roles['postgres_role']
-
-# Enable Patroni
-patroni['enable'] = true
+# Disable all components except Patroni and Consul
+roles(['patroni_role'])
 
 # PostgreSQL configuration
 postgresql['listen_address'] = '0.0.0.0'
@@ -231,13 +231,20 @@ consul['services'] = %w(postgresql)
 #
 # Replace PGBOUNCER_PASSWORD_HASH with a generated md5 value
 postgresql['pgbouncer_user_password'] = 'PGBOUNCER_PASSWORD_HASH'
+# Replace POSTGRESQL_REPLICATION_PASSWORD_HASH with a generated md5 value
+postgresql['sql_replication_password'] = 'POSTGRESQL_REPLICATION_PASSWORD_HASH'
 # Replace POSTGRESQL_PASSWORD_HASH with a generated md5 value
 postgresql['sql_user_password'] = 'POSTGRESQL_PASSWORD_HASH'
 
-# Replace X with value of number of db nodes + 1 (OPTIONAL the default value is 5)
-patroni['postgresql']['max_wal_senders'] = X
+# Sets `max_replication_slots` to double the number of database nodes.
+# Patroni uses one extra slot per node when initiating the replication.
 patroni['postgresql']['max_replication_slots'] = X
 
+# Set `max_wal_senders` to one more than the number of replication slots in the cluster.
+# This is used to prevent replication from using up all of the
+# available database connections.
+patroni['postgresql']['max_wal_senders'] = X+1
+
 # Replace XXX.XXX.XXX.XXX/YY with Network Address
 postgresql['trust_auth_cidr_addresses'] = %w(XXX.XXX.XXX.XXX/YY)
 
@@ -289,7 +296,7 @@ If you enable Monitoring, it must be enabled on **all** database servers.
 
    ```ruby
    # Disable all components except PgBouncer and Consul agent
-   roles ['pgbouncer_role']
+   roles(['pgbouncer_role'])
 
    # Configure PgBouncer
    pgbouncer['admin_users'] = %w(pgbouncer gitlab-consul)
@@ -486,7 +493,7 @@ On each server edit `/etc/gitlab/gitlab.rb`:
 
 ```ruby
 # Disable all components except Consul
-roles ['consul_role']
+roles(['consul_role'])
 
 consul['configuration'] = {
   server: true,
@@ -503,7 +510,7 @@ On each server edit `/etc/gitlab/gitlab.rb`:
 
 ```ruby
 # Disable all components except Pgbouncer and Consul agent
-roles ['pgbouncer_role']
+roles(['pgbouncer_role'])
 
 # Configure PgBouncer
 pgbouncer['admin_users'] = %w(pgbouncer gitlab-consul)
@@ -518,7 +525,6 @@ pgbouncer['users'] = {
 }
 
 consul['watchers'] = %w(postgresql)
-consul['enable'] = true
 consul['configuration'] = {
   retry_join: %w(10.6.0.11 10.6.0.12 10.6.0.13)
 }
@@ -536,29 +542,26 @@ An internal load balancer (TCP) is then required to be setup to serve each PgBou
 On database nodes edit `/etc/gitlab/gitlab.rb`:
 
 ```ruby
-# Disable all components except PostgreSQL, Patroni (or Repmgr), and Consul
-roles ['postgres_role']
+# Disable all components except Patroni and Consul
+roles(['patroni_role'])
 
 # PostgreSQL configuration
 postgresql['listen_address'] = '0.0.0.0'
 postgresql['hot_standby'] = 'on'
 postgresql['wal_level'] = 'replica'
 
-# Enable Patroni (which automatically disables Repmgr).
-patroni['enable'] = true
-
 # Disable automatic database migrations
 gitlab_rails['auto_migrate'] = false
 
 postgresql['pgbouncer_user_password'] = '771a8625958a529132abe6f1a4acb19c'
 postgresql['sql_user_password'] = '450409b85a0223a214b5fb1484f34d0f'
-patroni['postgresql']['max_wal_senders'] = 4
+patroni['postgresql']['max_replication_slots'] = 6
+patroni['postgresql']['max_wal_senders'] = 7
 
 postgresql['trust_auth_cidr_addresses'] = %w(10.6.0.0/16)
 
 # Configure the Consul agent
 consul['services'] = %w(postgresql)
-consul['enable'] = true
 consul['configuration'] = {
   retry_join: %w(10.6.0.11 10.6.0.12 10.6.0.13)
 }
@@ -577,19 +580,6 @@ After deploying the configuration follow these steps:
    gitlab-ctl get-postgresql-primary
    ```
 
-1. On the primary database node:
-
-   Enable the `pg_trgm` and `btree_gist` extensions:
-
-   ```shell
-   gitlab-psql -d gitlabhq_production
-   ```
-
-   ```shell
-   CREATE EXTENSION pg_trgm;
-   CREATE EXTENSION btree_gist;
-   ```
-
 1. On `10.6.0.41`, our application server:
 
    Set `gitlab-consul` user's PgBouncer password to `toomanysecrets`:
@@ -631,17 +621,14 @@ Please note that after the initial configuration, if a failover occurs, the Post
 On database nodes edit `/etc/gitlab/gitlab.rb`:
 
 ```ruby
-# Disable all components except PostgreSQL, Repmgr, and Consul
-roles ['postgres_role']
+# Disable all components except Patroni and Consul
+roles(['patroni_role'])
 
 # PostgreSQL configuration
 postgresql['listen_address'] = '0.0.0.0'
 postgresql['hot_standby'] = 'on'
 postgresql['wal_level'] = 'replica'
 
-# Enable Patroni (which automatically disables Repmgr).
-patroni['enable'] = true
-
 # Disable automatic database migrations
 gitlab_rails['auto_migrate'] = false
 
@@ -650,7 +637,15 @@ consul['services'] = %w(postgresql)
 
 postgresql['pgbouncer_user_password'] = '771a8625958a529132abe6f1a4acb19c'
 postgresql['sql_user_password'] = '450409b85a0223a214b5fb1484f34d0f'
-patroni['postgresql']['max_wal_senders'] = 4
+
+# Sets `max_replication_slots` to double the number of database nodes.
+# Patroni uses one extra slot per node when initiating the replication.
+patroni['postgresql']['max_replication_slots'] = 6
+
+# Set `max_wal_senders` to one more than the number of replication slots in the cluster.
+# This is used to prevent replication from using up all of the
+# available database connections.
+patroni['postgresql']['max_wal_senders'] = 7
 
 postgresql['trust_auth_cidr_addresses'] = %w(10.6.0.0/16)
 

doc/administration/postgresql/standalone.md

@@ -36,9 +36,7 @@ together with Omnibus GitLab. This is recommended as part of our
 
    ```ruby
    # Disable all components except PostgreSQL
-   roles ['postgres_role']
-   repmgr['enable'] = false
-   consul['enable'] = false
+   roles(['postgres_role'])
    prometheus['enable'] = false
    alertmanager['enable'] = false
    pgbouncer_exporter['enable'] = false
@@ -59,9 +57,6 @@ together with Omnibus GitLab. This is recommended as part of our
    gitlab_rails['auto_migrate'] = false
    ```
 
-   NOTE:
-   The role `postgres_role` was introduced with GitLab 10.3
-
 1. [Reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure) for the changes to take effect.
 1. Note the PostgreSQL node's IP address or hostname, port, and
    plain text password. These are necessary when configuring the GitLab

doc/administration/reference_architectures/2k_users.md

@@ -269,10 +269,8 @@ further configuration steps.
      database. Example: `%w(123.123.123.123/32 123.123.123.234/32)`
 
    ```ruby
-   # Disable all components except PostgreSQL
-   roles ['postgres_role']
-   patroni['enable'] = false
-   consul['enable'] = false
+   # Disable all components except PostgreSQL related ones
+   roles(['postgres_role'])
    prometheus['enable'] = false
    alertmanager['enable'] = false
    pgbouncer_exporter['enable'] = false
@@ -642,7 +640,7 @@ On each node perform the following:
    })
 
    ## Disable components that will not be on the GitLab application server
-   roles ['application_role']
+   roles(['application_role'])
    gitaly['enable'] = false
    nginx['enable'] = true
 
@@ -790,7 +788,7 @@ running [Prometheus](../monitoring/prometheus/index.md) and
 1. Edit `/etc/gitlab/gitlab.rb` and add the contents:
 
    ```ruby
-   roles ['monitoring_role']
+   roles(['monitoring_role'])
 
    external_url 'http://gitlab.example.com'
 

doc/administration/reference_architectures/3k_users.md

@@ -475,8 +475,8 @@ a node and change its status from primary to replica (and vice versa).
 1. Edit `/etc/gitlab/gitlab.rb` and add the contents:
 
    ```ruby
-   # Specify server role as 'redis_master_role'
-   roles ['redis_master_role']
+   # Specify server role as 'redis_master_role' and enable Consul agent
+   roles(['redis_master_role', 'consul_role'])
 
    # IP address pointing to a local IP that the other machines can reach to.
    # You can also set bind to '0.0.0.0' which listen in all interfaces.
@@ -492,7 +492,6 @@ a node and change its status from primary to replica (and vice versa).
    redis['password'] = 'redis-password-goes-here'
 
    ## Enable service discovery for Prometheus
-   consul['enable'] = true
    consul['monitoring_service_discovery'] =  true
 
    ## The IPs of the Consul server nodes
@@ -554,8 +553,8 @@ run: redis-exporter: (pid 30075) 76861s; run: log: (pid 29674) 76896s
 1. Edit `/etc/gitlab/gitlab.rb` and add the contents:
 
    ```ruby
-   # Specify server role as 'redis_replica_role'
-   roles ['redis_replica_role']
+   # Specify server role as 'redis_replica_role' and enable Consul agent
+   roles(['redis_replica_role', 'consul_role'])
 
    # IP address pointing to a local IP that the other machines can reach to.
    # You can also set bind to '0.0.0.0' which listen in all interfaces.
@@ -578,7 +577,6 @@ run: redis-exporter: (pid 30075) 76861s; run: log: (pid 29674) 76896s
    #redis['master_port'] = 6379
 
    ## Enable service discovery for Prometheus
-   consul['enable'] = true
    consul['monitoring_service_discovery'] =  true
 
    ## The IPs of the Consul server nodes
@@ -607,7 +605,7 @@ run: redis-exporter: (pid 30075) 76861s; run: log: (pid 29674) 76896s
    make sure to set up the IPs correctly.
 
 You can specify multiple roles, like sentinel and Redis, as:
-`roles ['redis_sentinel_role', 'redis_master_role']`. Read more about
+`roles(['redis_sentinel_role', 'redis_master_role'])`. Read more about
 [roles](https://docs.gitlab.com/omnibus/roles/).
 
 These values don't have to be changed again in `/etc/gitlab/gitlab.rb` after
@@ -649,7 +647,7 @@ To configure the Sentinel:
 1. Edit `/etc/gitlab/gitlab.rb` and add the contents:
 
    ```ruby
-   roles ['redis_sentinel_role', 'consul_role']
+   roles(['redis_sentinel_role', 'consul_role'])
 
    # Must be the same in every sentinel node
    redis['master_name'] = 'gitlab-redis'
@@ -713,7 +711,6 @@ To configure the Sentinel:
    # sentinel['failover_timeout'] = 60000
 
    ## Enable service discovery for Prometheus
-   consul['enable'] = true
    consul['monitoring_service_discovery'] =  true
 
    ## The IPs of the Consul server nodes
@@ -828,6 +825,15 @@ in the second step, do not supply the `EXTERNAL_URL` value.
    sudo gitlab-ctl pg-password-md5 pgbouncer
    ```
 
+1. Generate a password hash for the PostgreSQL replication username/password pair. This assumes you will use the default
+   username of `gitlab_replicator` (recommended). The command will request a password
+   and a confirmation. Use the value that is output by this command in the next step
+   as the value of `<postgresql_replication_password_hash>`:
+   
+   ```shell
+   sudo gitlab-ctl pg-password-md5 gitlab_replicator
+   ```
+
 1. Generate a password hash for the Consul database username/password pair. This assumes you will use the default
    username of `gitlab-consul` (recommended). The command will request a password
    and confirmation. Use the value that is output by this command in the next
@@ -840,19 +846,21 @@ in the second step, do not supply the `EXTERNAL_URL` value.
 1. On every database node, edit `/etc/gitlab/gitlab.rb` replacing values noted in the `# START user configuration` section:
 
    ```ruby
-   # Disable all components except PostgreSQL, Patroni, and Consul
-   roles ['postgres_role']
+   # Disable all components except Patroni and Consul
+   roles(['patroni_role'])
    
    # PostgreSQL configuration
    postgresql['listen_address'] = '0.0.0.0'
 
-   # Enable Patroni
-   patroni['enable'] = true
-   # Set `max_wal_senders` to one more than the number of database nodes in the cluster.
+   # Sets `max_replication_slots` to double the number of database nodes.
+   # Patroni uses one extra slot per node when initiating the replication.
+   patroni['postgresql']['max_replication_slots'] = 6
+
+   # Set `max_wal_senders` to one more than the number of replication slots in the cluster.
    # This is used to prevent replication from using up all of the
    # available database connections.
-   patroni['postgresql']['max_wal_senders'] = 4
-   patroni['postgresql']['max_replication_slots'] = 4
+   patroni['postgresql']['max_wal_senders'] = 7
+
    # Incoming recommended value for max connections is 500. See https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/5691.
    patroni['postgresql']['max_connections'] = 500
 
@@ -860,7 +868,6 @@ in the second step, do not supply the `EXTERNAL_URL` value.
    gitlab_rails['auto_migrate'] = false
    
    # Configure the Consul agent
-   consul['enable'] = true
    consul['services'] = %w(postgresql)
    ## Enable service discovery for Prometheus
    consul['monitoring_service_discovery'] =  true
@@ -870,6 +877,8 @@ in the second step, do not supply the `EXTERNAL_URL` value.
    #
    # Replace PGBOUNCER_PASSWORD_HASH with a generated md5 value
    postgresql['pgbouncer_user_password'] = '<pgbouncer_password_hash>'
+   # Replace POSTGRESQL_REPLICATION_PASSWORD_HASH with a generated md5 value
+   postgresql['sql_replication_password'] = '<postgresql_replication_password_hash>'
    # Replace POSTGRESQL_PASSWORD_HASH with a generated md5 value
    postgresql['sql_user_password'] = '<postgresql_password_hash>'
 
@@ -909,22 +918,7 @@ are supported and can be added if needed.
 
 #### PostgreSQL post-configuration
 
-SSH in to the **primary node**:
-
-1. Open a database prompt:
-
-   ```shell
-   gitlab-psql -d gitlabhq_production
-   ```
-
-1. Enable the `pg_trgm` and `btree_gist` extensions:
-
-   ```shell
-   CREATE EXTENSION pg_trgm;
-   CREATE EXTENSION btree_gist;
-   ```
-
-1. Exit the database prompt by typing `\q` and Enter.
+SSH in to any of the Patroni nodes on the **primary site**:
 
 1. Check the status of the leader and cluster:
 
@@ -966,7 +960,7 @@ The following IPs will be used as an example:
 
    ```ruby
    # Disable all components except Pgbouncer and Consul agent
-   roles ['pgbouncer_role']
+   roles(['pgbouncer_role'])
 
    # Configure PgBouncer
    pgbouncer['admin_users'] = %w(pgbouncer gitlab-consul)
@@ -983,7 +977,6 @@ The following IPs will be used as an example:
 
    # Configure Consul agent
    consul['watchers'] = %w(postgresql)
-   consul['enable'] = true
    consul['configuration'] = {
    retry_join: %w(10.6.0.11 10.6.0.12 10.6.0.13)
    }
@@ -1114,9 +1107,7 @@ in the second step, do not supply the `EXTERNAL_URL` value.
 
    ```ruby
    # Disable all components except PostgreSQL and Consul
-   roles ['postgres_role']
-   repmgr['enable'] = false
-   patroni['enable'] = false
+   roles(['postgres_role', 'consul_role'])
 
    # PostgreSQL configuration
    postgresql['listen_address'] = '0.0.0.0'
@@ -1126,7 +1117,6 @@ in the second step, do not supply the `EXTERNAL_URL` value.
    gitlab_rails['auto_migrate'] = false
 
    # Configure the Consul agent
-   consul['enable'] = true
    ## Enable service discovery for Prometheus
    consul['monitoring_service_discovery'] =  true
 
@@ -1757,7 +1747,7 @@ On each node perform the following:
    })
 
    ## Disable components that will not be on the GitLab application server
-   roles ['application_role']
+   roles(['application_role'])
    gitaly['enable'] = false
    nginx['enable'] = true
    sidekiq['enable'] = false
@@ -1943,7 +1933,7 @@ running [Prometheus](../monitoring/prometheus/index.md) and
 1. Edit `/etc/gitlab/gitlab.rb` and add the contents:
 
    ```ruby
-   roles ['monitoring_role']
+   roles(['monitoring_role', 'consul_role'])
 
    external_url 'http://gitlab.example.com'
 
@@ -1956,7 +1946,6 @@ running [Prometheus](../monitoring/prometheus/index.md) and
    grafana['disable_login_form'] = false
 
    # Enable service discovery for Prometheus
-   consul['enable'] = true
    consul['monitoring_service_discovery'] =  true
    consul['configuration'] = {
       retry_join: %w(10.6.0.11 10.6.0.12 10.6.0.13)

doc/administration/reference_architectures/5k_users.md

@@ -467,8 +467,8 @@ a node and change its status from primary to replica (and vice versa).
 1. Edit `/etc/gitlab/gitlab.rb` and add the contents:
 
    ```ruby
-   # Specify server role as 'redis_master_role'
-   roles ['redis_master_role']
+   # Specify server role as 'redis_master_role' and enable Consul agent
+   roles(['redis_master_role', 'consul_role'])
 
    # IP address pointing to a local IP that the other machines can reach to.
    # You can also set bind to '0.0.0.0' which listen in all interfaces.
@@ -484,7 +484,6 @@ a node and change its status from primary to replica (and vice versa).
    redis['password'] = 'redis-password-goes-here'
 
    ## Enable service discovery for Prometheus
-   consul['enable'] = true
    consul['monitoring_service_discovery'] =  true
 
    ## The IPs of the Consul server nodes
@@ -511,7 +510,7 @@ a node and change its status from primary to replica (and vice versa).
 1. [Reconfigure Omnibus GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure) for the changes to take effect.
 
 You can specify multiple roles, like sentinel and Redis, as:
-`roles ['redis_sentinel_role', 'redis_master_role']`. Read more about
+`roles(['redis_sentinel_role', 'redis_master_role'])`. Read more about
 [roles](https://docs.gitlab.com/omnibus/roles/).
 
 You can list the current Redis Primary, Replica status via:
@@ -546,8 +545,8 @@ run: redis-exporter: (pid 30075) 76861s; run: log: (pid 29674) 76896s
 1. Edit `/etc/gitlab/gitlab.rb` and add the contents:
 
    ```ruby
-   # Specify server role as 'redis_replica_role'
-   roles ['redis_replica_role']
+   # Specify server role as 'redis_replica_role' and enable Consul agent
+   roles(['redis_replica_role', 'consul_role'])
 
    # IP address pointing to a local IP that the other machines can reach to.
    # You can also set bind to '0.0.0.0' which listen in all interfaces.
@@ -570,7 +569,6 @@ run: redis-exporter: (pid 30075) 76861s; run: log: (pid 29674) 76896s
    #redis['master_port'] = 6379
 
    ## Enable service discovery for Prometheus
-   consul['enable'] = true
    consul['monitoring_service_discovery'] =  true
 
    ## The IPs of the Consul server nodes
@@ -599,7 +597,7 @@ run: redis-exporter: (pid 30075) 76861s; run: log: (pid 29674) 76896s
    make sure to set up the IPs correctly.
 
 You can specify multiple roles, like sentinel and Redis, as:
-`roles ['redis_sentinel_role', 'redis_master_role']`. Read more about
+`roles(['redis_sentinel_role', 'redis_master_role'])`. Read more about
 [roles](https://docs.gitlab.com/omnibus/roles/).
 
 These values don't have to be changed again in `/etc/gitlab/gitlab.rb` after
@@ -641,7 +639,7 @@ To configure the Sentinel:
 1. Edit `/etc/gitlab/gitlab.rb` and add the contents:
 
    ```ruby
-   roles ['redis_sentinel_role', 'consul_role']
+   roles(['redis_sentinel_role', 'consul_role'])
 
    # Must be the same in every sentinel node
    redis['master_name'] = 'gitlab-redis'
@@ -705,7 +703,6 @@ To configure the Sentinel:
    # sentinel['failover_timeout'] = 60000
 
    ## Enable service discovery for Prometheus
-   consul['enable'] = true
    consul['monitoring_service_discovery'] =  true
 
    ## The IPs of the Consul server nodes
@@ -819,6 +816,15 @@ in the second step, do not supply the `EXTERNAL_URL` value.
    sudo gitlab-ctl pg-password-md5 pgbouncer
    ```
 
+1. Generate a password hash for the PostgreSQL replication username/password pair. This assumes you will use the default
+   username of `gitlab_replicator` (recommended). The command will request a password
+   and a confirmation. Use the value that is output by this command in the next step
+   as the value of `<postgresql_replication_password_hash>`:
+
+   ```shell
+   sudo gitlab-ctl pg-password-md5 gitlab_replicator
+   ```
+
 1. Generate a password hash for the Consul database username/password pair. This assumes you will use the default
    username of `gitlab-consul` (recommended). The command will request a password
    and confirmation. Use the value that is output by this command in the next
@@ -831,19 +837,21 @@ in the second step, do not supply the `EXTERNAL_URL` value.
 1. On every database node, edit `/etc/gitlab/gitlab.rb` replacing values noted in the `# START user configuration` section:
 
    ```ruby
-   # Disable all components except PostgreSQL, Patroni, and Consul
-   roles ['postgres_role']
+   # Disable all components except Patroni and Consul
+   roles(['patroni_role'])
 
    # PostgreSQL configuration
    postgresql['listen_address'] = '0.0.0.0'
 
-   # Enable Patroni
-   patroni['enable'] = true
-   # Set `max_wal_senders` to one more than the number of database nodes in the cluster.
+   # Sets `max_replication_slots` to double the number of database nodes.
+   # Patroni uses one extra slot per node when initiating the replication.
+   patroni['postgresql']['max_replication_slots'] = 8
+   
+   # Set `max_wal_senders` to one more than the number of replication slots in the cluster.
    # This is used to prevent replication from using up all of the
    # available database connections.
-   patroni['postgresql']['max_wal_senders'] = 4
-   patroni['postgresql']['max_replication_slots'] = 4
+   patroni['postgresql']['max_wal_senders'] = 9
+
    # Incoming recommended value for max connections is 500. See https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/5691.
    patroni['postgresql']['max_connections'] = 500
 
@@ -851,7 +859,6 @@ in the second step, do not supply the `EXTERNAL_URL` value.
    gitlab_rails['auto_migrate'] = false
 
    # Configure the Consul agent
-   consul['enable'] = true
    consul['services'] = %w(postgresql)
    ## Enable service discovery for Prometheus
    consul['monitoring_service_discovery'] =  true
@@ -861,6 +868,8 @@ in the second step, do not supply the `EXTERNAL_URL` value.
    #
    # Replace PGBOUNCER_PASSWORD_HASH with a generated md5 value
    postgresql['pgbouncer_user_password'] = '<pgbouncer_password_hash>'
+   # Replace POSTGRESQL_REPLICATION_PASSWORD_HASH with a generated md5 value
+   postgresql['sql_replication_password'] = '<postgresql_replication_password_hash>'
    # Replace POSTGRESQL_PASSWORD_HASH with a generated md5 value
    postgresql['sql_user_password'] = '<postgresql_password_hash>'
 
@@ -900,21 +909,7 @@ are supported and can be added if needed.
 
 #### PostgreSQL post-configuration
 
-SSH in to the **primary node**:
-
-1. Open a database prompt:
-
-   ```shell
-   gitlab-psql -d gitlabhq_production
-   ```
-
-1. Enable the `pg_trgm` extension:
-
-   ```shell
-   CREATE EXTENSION pg_trgm;
-   ```
-
-1. Exit the database prompt by typing `\q` and Enter.
+SSH in to any of the Patroni nodes on the **primary site**:
 
 1. Check the status of the leader and cluster:
 
@@ -956,7 +951,7 @@ The following IPs will be used as an example:
 
    ```ruby
    # Disable all components except Pgbouncer and Consul agent
-   roles ['pgbouncer_role']
+   roles(['pgbouncer_role'])
 
    # Configure PgBouncer
    pgbouncer['admin_users'] = %w(pgbouncer gitlab-consul)
@@ -973,7 +968,6 @@ The following IPs will be used as an example:
 
    # Configure Consul agent
    consul['watchers'] = %w(postgresql)
-   consul['enable'] = true
    consul['configuration'] = {
    retry_join: %w(10.6.0.11 10.6.0.12 10.6.0.13)
    }
@@ -1104,9 +1098,7 @@ in the second step, do not supply the `EXTERNAL_URL` value.
 
    ```ruby
    # Disable all components except PostgreSQL and Consul
-   roles ['postgres_role']
-   repmgr['enable'] = false
-   patroni['enable'] = false
+   roles(['postgres_role', 'consul_role'])
 
    # PostgreSQL configuration
    postgresql['listen_address'] = '0.0.0.0'
@@ -1116,7 +1108,6 @@ in the second step, do not supply the `EXTERNAL_URL` value.
    gitlab_rails['auto_migrate'] = false
 
    # Configure the Consul agent
-   consul['enable'] = true
    ## Enable service discovery for Prometheus
    consul['monitoring_service_discovery'] =  true
 
@@ -1747,7 +1738,7 @@ On each node perform the following:
    })
 
    ## Disable components that will not be on the GitLab application server
-   roles ['application_role']
+   roles(['application_role'])
    gitaly['enable'] = false
    nginx['enable'] = true
    sidekiq['enable'] = false
@@ -1936,7 +1927,7 @@ running [Prometheus](../monitoring/prometheus/index.md) and
 1. Edit `/etc/gitlab/gitlab.rb` and add the contents:
 
    ```ruby
-   roles ['monitoring_role']
+   roles(['monitoring_role', 'consul_role'])
 
    external_url 'http://gitlab.example.com'
 
@@ -1949,7 +1940,6 @@ running [Prometheus](../monitoring/prometheus/index.md) and
    grafana['disable_login_form'] = false
 
    # Enable service discovery for Prometheus
-   consul['enable'] = true
    consul['monitoring_service_discovery'] =  true
    consul['configuration'] = {
       retry_join: %w(10.6.0.11 10.6.0.12 10.6.0.13)