1 files changed, 32 insertions, 4 deletions

diff --git a/doc/administration/geo/setup/database.md b/doc/administration/geo/setup/database.md
index bc4128deb4a..fa343f7eb40 100644
--- a/doc/administration/geo/setup/database.md
+++ b/doc/administration/geo/setup/database.md
@@ -69,11 +69,14 @@ There is an [issue where support is being discussed](https://gitlab.com/gitlab-o
    sudo -i
    ```
 
-1. Edit `/etc/gitlab/gitlab.rb` and add a **unique** name for your node:
+1. Edit `/etc/gitlab/gitlab.rb` and add a **unique** name for your site:
 
    ```ruby
-   # The unique identifier for the Geo node.
-   gitlab_rails['geo_node_name'] = '<node_name_here>'
+   ##
+   ## The unique identifier for the Geo site. See
+   ## https://docs.gitlab.com/ee/user/admin_area/geo_nodes.html#common-settings
+   ##
+   gitlab_rails['geo_node_name'] = '<site_name_here>'
    ```
 
 1. Reconfigure the **primary** node for the change to take effect:
@@ -207,7 +210,12 @@ There is an [issue where support is being discussed](https://gitlab.com/gitlab-o
    ```ruby
    ##
    ## Geo Primary role
-   ## - configure dependent flags automatically to enable Geo
+   ## - Configures Postgres settings for replication
+   ## - Prevents automatic upgrade of Postgres since it requires downtime of
+   ##   streaming replication to Geo secondary sites
+   ## - Enables standard single-node GitLab services like NGINX, Puma, Redis,
+   ##   Sidekiq, etc. If you are segregating services, then you will need to
+   ##   explicitly disable unwanted services.
    ##
    roles(['geo_primary_role'])
 
@@ -571,6 +579,13 @@ Leader instance**:
    patroni['password'] = 'PATRONI_API_PASSWORD'
    patroni['replication_password'] = 'PLAIN_TEXT_POSTGRESQL_REPLICATION_PASSWORD'
 
+   # Add all patroni nodes to the allowlist
+   patroni['allowlist'] = %w[
+     127.0.0.1/32
+     PATRONI_PRIMARY1_IP/32 PATRONI_PRIMARY2_IP/32 PATRONI_PRIMARY3_IP/32
+     PATRONI_SECONDARY1_IP/32 PATRONI_SECONDARY2_IP/32 PATRONI_SECONDARY3_IP/32
+   ]
+
    # We list all secondary instances as they can all become a Standby Leader
    postgresql['md5_auth_cidr_addresses'] = %w[
      PATRONI_PRIMARY1_IP/32 PATRONI_PRIMARY2_IP/32 PATRONI_PRIMARY3_IP/32 PATRONI_PRIMARY_PGBOUNCER/32
@@ -725,6 +740,13 @@ For each Patroni instance on the secondary site:
      # Any other instance that needs access to the database as per documentation
    ]
 
+
+   # Add patroni nodes to the allowlist
+   patroni['allowlist'] = %w[
+     127.0.0.1/32
+     PATRONI_SECONDARY1_IP/32 PATRONI_SECONDARY2_IP/32 PATRONI_SECONDARY3_IP/32
+   ]
+
    patroni['standby_cluster']['enable'] = true
    patroni['standby_cluster']['host'] = 'INTERNAL_LOAD_BALANCER_PRIMARY_IP'
    patroni['standby_cluster']['port'] = INTERNAL_LOAD_BALANCER_PRIMARY_PORT
@@ -903,6 +925,12 @@ For each Patroni instance on the secondary site for the tracking database:
       # Any other instance that needs access to the database as per documentation
    ]
 
+   # Add patroni nodes to the allowlist
+   patroni['allowlist'] = %w[
+     127.0.0.1/32
+     PATRONI_TRACKINGDB1_IP/32 PATRONI_TRACKINGDB2_IP/32 PATRONI_TRACKINGDB3_IP/32
+   ]
+
    # Patroni configuration
    patroni['username'] = 'PATRONI_API_USERNAME'
    patroni['password'] = 'PATRONI_API_PASSWORD'