1 files changed, 41 insertions, 30 deletions
diff --git a/doc/administration/gitaly/index.md b/doc/administration/gitaly/index.md
index 0d9c761e078..e0b0d52fe3f 100644
--- a/doc/administration/gitaly/index.md
+++ b/doc/administration/gitaly/index.md
@@ -1,7 +1,7 @@
 ---
 stage: Create
 group: Gitaly
-info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
 type: reference
 ---
 
@@ -22,10 +22,15 @@ In the Gitaly documentation:
 GitLab end users do not have direct access to Gitaly. Gitaly only manages Git
 repository access for GitLab. Other types of GitLab data aren't accessed using Gitaly.
 
-CAUTION: **Caution:**
-From GitLab 13.0, Gitaly support for NFS is deprecated. In GitLab 14.0, Gitaly support
-for NFS is scheduled to be removed. Upgrade to [Gitaly Cluster](praefect.md) as soon as
-possible.
+<!-- vale gitlab.FutureTense = NO -->
+
+WARNING:
+From GitLab 13.0, Gitaly support for NFS is deprecated. As of GitLab 14.0, NFS-related issues
+with Gitaly will no longer be addressed. Upgrade to [Gitaly Cluster](praefect.md) as soon as
+possible. Tools to [enable bulk moves](https://gitlab.com/groups/gitlab-org/-/epics/4916)
+of projects to Gitaly Cluster are planned.
+
+<!-- vale gitlab.FutureTense = YES -->
 
 ## Architecture
 
@@ -68,7 +73,7 @@ this default configuration used by:
 However, Gitaly can be deployed to its own server, which can benefit GitLab installations that span
 multiple machines.
 
-NOTE: **Note:**
+NOTE:
 When configured to run on their own servers, Gitaly servers
 [must be upgraded](https://docs.gitlab.com/omnibus/update/#upgrading-gitaly-servers) before Gitaly
 clients in your cluster.
@@ -121,7 +126,7 @@ The following list depicts the network architecture of Gitaly:
 - Authentication is done through a static token which is shared among the Gitaly and GitLab Rails
   nodes.
 
-DANGER: **Warning:**
+WARNING:
 Gitaly servers must not be exposed to the public internet as Gitaly's network traffic is unencrypted
 by default. The use of firewall is highly recommended to restrict access to the Gitaly server.
 Another option is to [use TLS](#enable-tls-support).
@@ -140,7 +145,7 @@ We assume your GitLab installation has three repository storages:
 
 You can use as few as one server with one repository storage if desired.
 
-NOTE: **Note:**
+NOTE:
 The token referred to throughout the Gitaly documentation is just an arbitrary password selected by
 the administrator. It is unrelated to tokens created for the GitLab API or other similar web API
 tokens.
@@ -433,9 +438,9 @@ server (with `gitaly_address`) unless you setup with special
            path: /some/local/path
    ```
 
-   NOTE: **Note:**
-   `/some/local/path` should be set to a local folder that exists, however no data will be stored in
-   this folder. This will no longer be necessary after
+   NOTE:
+   `/some/local/path` should be set to a local folder that exists, however no data is stored in
+   this folder. This requirement is scheduled to be removed when
    [this issue](https://gitlab.com/gitlab-org/gitaly/-/issues/1282) is resolved.
 
 1. Save the file and [restart GitLab](../restart_gitlab.md#installations-from-source).
@@ -450,7 +455,7 @@ server (with `gitaly_address`) unless you setup with special
 When you tail the Gitaly logs on your Gitaly server, you should see requests coming in. One sure way
 to trigger a Gitaly request is to clone a repository from GitLab over HTTP or HTTPS.
 
-DANGER: **Warning:**
+WARNING:
 If you have [server hooks](../server_hooks.md) configured, either per repository or globally, you
 must move these to the Gitaly servers. If you have multiple Gitaly servers, copy your server hooks
 to all Gitaly servers.
@@ -461,7 +466,7 @@ GitLab can reside on the same server as one of many Gitaly servers, but doesn't
 configuration that mixes local and remote configuration. The following setup is incorrect, because:
 
 - All addresses must be reachable from the other Gitaly servers.
-- `storage1` will be assigned a Unix socket for `gitaly_address` which is
+- `storage1` is assigned a Unix socket for `gitaly_address` which is
   invalid for some of the Gitaly servers.
 
 ```ruby
@@ -493,7 +498,7 @@ gitaly['key_path'] = "/etc/gitlab/ssl/key.pem"
 ```
 
 `path` can only be included for storage shards on the local Gitaly server.
-If it's excluded, default Git storage directory will be used for that storage shard.
+If it's excluded, default Git storage directory is used for that storage shard.
 
 ### Disable Gitaly where not required (optional)
 
@@ -529,12 +534,18 @@ To disable Gitaly on a GitLab server:
 
 ## Enable TLS support
 
-> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/22602) in GitLab 11.8.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/22602) in GitLab 11.8.
+> - [Introduced](https://gitlab.com/gitlab-org/gitaly/-/issues/3160) in GitLab 13.6, outgoing TLS connections to GitLab provide client certificates if configured.
 
 Gitaly supports TLS encryption. To communicate with a Gitaly instance that listens for secure
 connections, you must use `tls://` URL scheme in the `gitaly_address` of the corresponding
 storage entry in the GitLab configuration.
 
+Gitaly provides the same server certificates as client certificates in TLS
+connections to GitLab. This can be used as part of a mutual TLS authentication strategy
+when combined with reverse proxies (for example, NGINX) that validate client certificate
+to grant access to GitLab.
+
 You must supply your own certificates as this isn't provided automatically. The certificate
 corresponding to each Gitaly server must be installed on that Gitaly server.
 
@@ -584,7 +595,7 @@ To configure Gitaly with TLS:
    ```
 
 1. Copy all Gitaly server certificates (or their certificate authority) to
-   `/etc/gitlab/trusted-certs` so that Gitaly servers will trust the certificate when calling into themselves
+   `/etc/gitlab/trusted-certs` so that Gitaly servers trust the certificate when calling into themselves
    or other Gitaly servers:
 
    ```shell
@@ -640,9 +651,9 @@ To configure Gitaly with TLS:
            path: /some/local/path
    ```
 
-   NOTE: **Note:**
-   `/some/local/path` should be set to a local folder that exists, however no data will be stored
-   in this folder. This will no longer be necessary after
+   NOTE:
+   `/some/local/path` should be set to a local folder that exists, however no data is stored
+   in this folder. This requirement is scheduled to be removed when
    [Gitaly issue #1282](https://gitlab.com/gitlab-org/gitaly/-/issues/1282) is resolved.
 
 1. Save the file and [restart GitLab](../restart_gitlab.md#installations-from-source).
@@ -662,7 +673,7 @@ To configure Gitaly with TLS:
    ```
 
 1. Copy all Gitaly server certificates (or their certificate authority) to the system trusted
-   certificates folder so Gitaly server will trust the certificate when calling into itself or other Gitaly
+   certificates folder so Gitaly server trusts the certificate when calling into itself or other Gitaly
    servers.
 
    ```shell
@@ -716,7 +727,7 @@ We recommend:
 - At least 300MB memory per worker.
 - No more than one worker per core.
 
-NOTE: **Note:**
+NOTE:
 `gitaly-ruby` is planned to be eventually removed. To track progress, see the
 [Remove the Gitaly-Ruby sidecar](https://gitlab.com/groups/gitlab-org/-/epics/2862) epic.
 
@@ -798,9 +809,9 @@ You can observe the behavior of this queue using the Gitaly logs and Prometheus:
   - `gitaly_rate_limiting_queued`.
   - `gitaly_rate_limiting_seconds`.
 
-NOTE: **Note:**
+NOTE:
 Though the name of the Prometheus metric contains `rate_limiting`, it is a concurrency limiter, not
-a rate limiter. If a Gitaly client makes 1000 requests in a row very quickly, concurrency will not
+a rate limiter. If a Gitaly client makes 1000 requests in a row very quickly, concurrency does not
 exceed 1 and the concurrency limiter has no effect.
 
 ## Rotate Gitaly authentication token
@@ -829,7 +840,7 @@ behavior of your GitLab installation using Prometheus. Use the following Prometh
 sum(rate(gitaly_authentications_total[5m])) by (enforced, status)
 ```
 
-In a system where authentication is configured correctly and where you have live traffic, you will
+In a system where authentication is configured correctly and where you have live traffic, you
 see something like this:
 
 ```prometheus
@@ -885,7 +896,7 @@ To update to a new Gitaly authentication token, on each Gitaly client **and** Gi
    ```
 
 If you run your [Prometheus query](#verify-authentication-monitoring) while this change is
-being rolled out, you will see non-zero values for the `enforced="false",status="denied"` counter.
+being rolled out, you see non-zero values for the `enforced="false",status="denied"` counter.
 
 ### Ensure there are no authentication failures
 
@@ -908,7 +919,7 @@ your Gitaly servers as follows:
 gitaly['auth_transitioning'] = false
 ```
 
-CAUTION: **Caution:**
+WARNING:
 Without completing this step, you have **no Gitaly authentication**.
 
 ### Verify authentication is enforced
@@ -959,7 +970,7 @@ not an external process, there was very little overhead between:
 - GitLab application code that tried to look up data in Git repositories.
 - The Git implementation itself.
 
-Because the combination of Rugged and Unicorn was so efficient, GitLab's application code ended up with lots of
+Because the combination of Rugged and Unicorn was so efficient, the GitLab application code ended up with lots of
 duplicate Git object lookups. For example, looking up the `master` commit a dozen times in one
 request. We could write inefficient code without poor performance.
 
@@ -995,9 +1006,9 @@ enables direct Git access.
 When GitLab calls a function that has a "Rugged patch", it performs two checks:
 
 - Is the feature flag for this patch set in the database? If so, the feature flag setting controls
-  GitLab's use of "Rugged patch" code.
+  the GitLab use of "Rugged patch" code.
 - If the feature flag is not set, GitLab tries accessing the filesystem underneath the
-  Gitaly server directly. If it can, it will use the "Rugged patch":
+  Gitaly server directly. If it can, it uses the "Rugged patch":
   - If using Unicorn.
   - If using Puma and [thread count](../../install/requirements.md#puma-threads) is set
     to `1`.
@@ -1070,7 +1081,7 @@ gitaly-debug -h
 remote: GitLab: 401 Unauthorized
 ```
 
-You will need to sync your `gitlab-secrets.json` file with your Gitaly clients (GitLab
+You need to sync your `gitlab-secrets.json` file with your Gitaly clients (GitLab
 app nodes).
 
 ### Client side gRPC logs