11 files changed, 153 insertions, 93 deletions

diff --git a/doc/administration/auth/atlassian.md b/doc/administration/auth/atlassian.md
index 45617b9965c..27e33c85761 100644
--- a/doc/administration/auth/atlassian.md
+++ b/doc/administration/auth/atlassian.md
@@ -29,13 +29,13 @@ To enable the Atlassian OmniAuth provider for passwordless authentication you mu
 
 1. On your GitLab server, open the configuration file:
 
-   For Omnibus GitLab installations:
+   For Linux package installations:
 
    ```shell
    sudo editor /etc/gitlab/gitlab.rb
    ```
 
-   For installations from source:
+   For self-compiled installations:
 
    ```shell
    sudo -u git -H editor /home/git/gitlab/config/gitlab.yml
@@ -47,7 +47,7 @@ To enable the Atlassian OmniAuth provider for passwordless authentication you mu
    GitLab account.
 1. Add the provider configuration for Atlassian:
 
-   For Omnibus GitLab installations:
+   For Linux package installations:
 
    ```ruby
    gitlab_rails['omniauth_providers'] = [
@@ -61,7 +61,7 @@ To enable the Atlassian OmniAuth provider for passwordless authentication you mu
    ]
    ```
 
-   For installations from source:
+   For self-compiled installations:
 
    ```yaml
    - { name: "atlassian_oauth2",
@@ -76,8 +76,8 @@ To enable the Atlassian OmniAuth provider for passwordless authentication you mu
 1. Save the configuration file.
 
 1. For the changes to take effect:
-   - If you installed via Omnibus, [reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure).
-   - If you installed from source, [restart GitLab](../restart_gitlab.md#installations-from-source).
+   - If you installed using the Linux package, [reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure).
+   - If you self-compiled your installation, [restart GitLab](../restart_gitlab.md#installations-from-source).
 
 On the sign-in page there should now be an Atlassian icon below the regular sign in form. Select the icon to begin the authentication process.
 
diff --git a/doc/administration/auth/cognito.md b/doc/administration/auth/cognito.md
index cfac958e297..d821a1e9cfe 100644
--- a/doc/administration/auth/cognito.md
+++ b/doc/administration/auth/cognito.md
@@ -37,16 +37,14 @@ To enable AWS Cognito as an authentication provider, complete the following step
 
 1. Save changes for the app client settings.
 1. Under **Domain name**, include the AWS domain name for your AWS Cognito application.
-1. Under **App Clients**, find your app client ID. Select **Show details* to display the app client secret. These values correspond to the OAuth 2.0 Client ID and Client Secret. Save these values.
+1. Under **App Clients**, find your app client ID. Select **Show details** to display the app client secret. These values correspond to the OAuth 2.0 Client ID and Client Secret. Save these values.
 
 ## Configure GitLab
 
 1. Configure the [common settings](../../integration/omniauth.md#configure-common-settings)
    to add `cognito` as a single sign-on provider. This enables Just-In-Time
    account provisioning for users who do not have an existing GitLab account.
-1. On your GitLab server, open the configuration file.
-
-   **For Omnibus installations**
+1. On your GitLab server, open the configuration file. For Linux package installations:
 
    ```shell
    sudo editor /etc/gitlab/gitlab.rb
diff --git a/doc/administration/auth/crowd.md b/doc/administration/auth/crowd.md
index f89e1a00928..c4ebb9a5dee 100644
--- a/doc/administration/auth/crowd.md
+++ b/doc/administration/auth/crowd.md
@@ -26,19 +26,19 @@ this provider also allows Crowd authentication for Git-over-https requests.
 
 1. On your GitLab server, open the configuration file.
 
-   **Omnibus:**
+   - Linux package installations:
 
-   ```shell
-     sudo editor /etc/gitlab/gitlab.rb
-   ```
+     ```shell
+       sudo editor /etc/gitlab/gitlab.rb
+     ```
 
-   **Source:**
+   - Self-compiled installations:
 
-   ```shell
-     cd /home/git/gitlab
+     ```shell
+       cd /home/git/gitlab
 
-     sudo -u git -H editor config/gitlab.yml
-   ```
+       sudo -u git -H editor config/gitlab.yml
+     ```
 
 1. Configure the [common settings](../../integration/omniauth.md#configure-common-settings)
    to add `crowd` as a single sign-on provider. This enables Just-In-Time
@@ -46,39 +46,39 @@ this provider also allows Crowd authentication for Git-over-https requests.
 
 1. Add the provider configuration:
 
-   **Omnibus:**
-
-   ```ruby
-     gitlab_rails['omniauth_providers'] = [
-       {
-         name: "crowd",
-         # label: "Provider name", # optional label for login button, defaults to "Crowd"
-         args: {
-           crowd_server_url: "CROWD_SERVER_URL",
-           application_name: "YOUR_APP_NAME",
-           application_password: "YOUR_APP_PASSWORD"
+   - Linux package installations:
+
+     ```ruby
+       gitlab_rails['omniauth_providers'] = [
+         {
+           name: "crowd",
+           # label: "Provider name", # optional label for login button, defaults to "Crowd"
+           args: {
+             crowd_server_url: "CROWD_SERVER_URL",
+             application_name: "YOUR_APP_NAME",
+             application_password: "YOUR_APP_PASSWORD"
+           }
          }
-       }
-     ]
-   ```
+       ]
+     ```
 
-   **Source:**
+   - Self-compiled installations:
 
-   ```yaml
-      - { name: 'crowd',
-          # label: 'Provider name', # optional label for login button, defaults to "Crowd"
-          args: {
-            crowd_server_url: 'CROWD_SERVER_URL',
-            application_name: 'YOUR_APP_NAME',
-            application_password: 'YOUR_APP_PASSWORD' } }
-   ```
+     ```yaml
+        - { name: 'crowd',
+            # label: 'Provider name', # optional label for login button, defaults to "Crowd"
+            args: {
+              crowd_server_url: 'CROWD_SERVER_URL',
+              application_name: 'YOUR_APP_NAME',
+              application_password: 'YOUR_APP_PASSWORD' } }
+     ```
 
 1. Change `CROWD_SERVER_URL` to the [base URL of your Crowd server](https://confluence.atlassian.com/crowdkb/how-to-change-the-crowd-base-url-245827278.html).
 1. Change `YOUR_APP_NAME` to the application name from Crowd applications page.
 1. Change `YOUR_APP_PASSWORD` to the application password you've set.
 1. Save the configuration file.
-1. [Reconfigure](../restart_gitlab.md#omnibus-gitlab-reconfigure) (Omnibus GitLab) or [restart](../restart_gitlab.md#installations-from-source) (source installations) for
-   the changes to take effect.
+1. [Reconfigure](../restart_gitlab.md#omnibus-gitlab-reconfigure) (Linux package installations) or
+   [restart](../restart_gitlab.md#installations-from-source) (self-compiled installations) for the changes to take effect.
 
 On the sign in page there should now be a Crowd tab in the sign in form.
 
diff --git a/doc/administration/auth/jwt.md b/doc/administration/auth/jwt.md
index bdcd6fc89cc..0f2036bea04 100644
--- a/doc/administration/auth/jwt.md
+++ b/doc/administration/auth/jwt.md
@@ -12,13 +12,13 @@ JWT provides you with a secret key for you to use.
 
 1. On your GitLab server, open the configuration file.
 
-   For Omnibus GitLab:
+   For Linux package installations:
 
    ```shell
    sudo editor /etc/gitlab/gitlab.rb
    ```
 
-   For installations from source:
+   For self-compiled installations:
 
    ```shell
    cd /home/git/gitlab
@@ -30,7 +30,7 @@ JWT provides you with a secret key for you to use.
    account provisioning for users who do not have an existing GitLab account.
 1. Add the provider configuration.
 
-   For Omnibus GitLab:
+   For Linux package installations:
 
    ```ruby
    gitlab_rails['omniauth_providers'] = [
@@ -49,7 +49,7 @@ JWT provides you with a secret key for you to use.
    ]
    ```
 
-   For installation from source:
+   For self-compiled installations:
 
    ```yaml
    - { name: 'jwt',
@@ -75,9 +75,9 @@ JWT provides you with a secret key for you to use.
 
 1. Change `YOUR_APP_SECRET` to the client secret and set `auth_url` to your redirect URL.
 1. Save the configuration file.
-1. For the changes to take effect:
-   - If you installed via Omnibus, [reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure).
-   - If you installed from source, [restart GitLab](../restart_gitlab.md#installations-from-source).
+1. For changes to take effect, if you:
+   - Used the Linux package to install GitLab, [reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure).
+   - Self-compiled your GitLab installation, [restart GitLab](../restart_gitlab.md#installations-from-source).
 
 On the sign in page there should now be a JWT icon below the regular sign in form.
 Select the icon to begin the authentication process. JWT asks the user to
diff --git a/doc/administration/auth/ldap/google_secure_ldap.md b/doc/administration/auth/ldap/google_secure_ldap.md
index 042a65be500..8084633c3ba 100644
--- a/doc/administration/auth/ldap/google_secure_ldap.md
+++ b/doc/administration/auth/ldap/google_secure_ldap.md
@@ -72,7 +72,7 @@ values obtained during the LDAP client configuration earlier:
 - `cert`: The `.crt` file text from the downloaded certificate bundle
 - `key`: The `.key` file text from the downloaded certificate bundle
 
-**For Omnibus installations**
+For Linux package installations:
 
 1. Edit `/etc/gitlab/gitlab.rb`:
 
@@ -142,9 +142,7 @@ values obtained during the LDAP client configuration earlier:
 
 1. Save the file and [reconfigure](../../restart_gitlab.md#omnibus-gitlab-reconfigure) GitLab for the changes to take effect.
 
----
-
-**For installations from source**
+For self-compiled installations:
 
 1. Edit `config/gitlab.yml`:
 
diff --git a/doc/administration/auth/ldap/index.md b/doc/administration/auth/ldap/index.md
index efed9d76746..a4484da5940 100644
--- a/doc/administration/auth/ldap/index.md
+++ b/doc/administration/auth/ldap/index.md
@@ -1037,8 +1037,8 @@ For more information on synchronizing users and groups between LDAP and GitLab,
 ## Move from LDAP to SAML
 
 1. [Configure SAML](../../../integration/saml.md). Add `auto_link_ldap_user` to:
-   - [`gitlab.rb` for Omnibus](../../../integration/saml.html?tab=Linux+package+%28Omnibus%29).
-   - [`values.yml` for Kubernetes](../../../integration/saml.html?tab=Helm+chart+%28Kubernetes%29).
+   - [`gitlab.rb` for Linux package installations](../../../integration/saml.html?tab=Linux+package+%28Omnibus%29).
+   - [`values.yml` for Helm chart installations](../../../integration/saml.html?tab=Helm+chart+%28Kubernetes%29).
    For more information, see the [initial settings for all providers](../../../integration/omniauth.md#configure-initial-settings).
 
 1. Optional. [Disable the LDAP auth from the sign-in page](#disable-ldap-web-sign-in).
diff --git a/doc/administration/auth/oidc.md b/doc/administration/auth/oidc.md
index 106cc6c23eb..88c9a669441 100644
--- a/doc/administration/auth/oidc.md
+++ b/doc/administration/auth/oidc.md
@@ -16,7 +16,7 @@ The OpenID Connect provides you with a client's details and secret for you to us
 
 1. On your GitLab server, open the configuration file.
 
-   For Omnibus GitLab:
+   For Linux package installations:
 
    ```shell
    sudo editor /etc/gitlab/gitlab.rb
@@ -35,7 +35,7 @@ The OpenID Connect provides you with a client's details and secret for you to us
 
 1. Add the provider configuration.
 
-   For Omnibus GitLab:
+   For Linux package installations:
 
    ```ruby
    gitlab_rails['omniauth_providers'] = [
@@ -63,7 +63,7 @@ The OpenID Connect provides you with a client's details and secret for you to us
    ]
    ```
 
-   For Omnibus GitLab with multiple identity providers:
+   For Linux package installations with multiple identity providers:
 
    ```ruby
    { 'name' => 'openid_connect',
@@ -108,7 +108,7 @@ The OpenID Connect provides you with a client's details and secret for you to us
    NOTE:
    For more information on using multiple identity providers with OIDC, see [issue 5992](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/5992).
 
-   For installation from source:
+   For self-compiled installations:
 
    ```yaml
      - { name: 'openid_connect', # do not change this parameter
@@ -184,10 +184,10 @@ The OpenID Connect provides you with a client's details and secret for you to us
        - `jwks_uri` is the URL to the endpoint where the Token signer publishes its keys.
 
 1. Save the configuration file.
-1. For changes to take effect, if you installed GitLab:
+1. For changes to take effect, if you:
 
-   - With Omnibus, [reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure).
-   - From source, [restart GitLab](../restart_gitlab.md#installations-from-source).
+   - Used the Linux package to install GitLab, [reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure).
+   - Self-compiled your GitLab installation, [restart GitLab](../restart_gitlab.md#installations-from-source).
 
 On the sign in page, you have an OpenID Connect option below the regular sign in form.
 Select this option to begin the authentication process. The OpenID Connect provider
@@ -197,7 +197,7 @@ by the client. You are redirected to GitLab and signed in.
 ## Example configurations
 
 The following configurations illustrate how to set up OpenID with
-different providers with Omnibus GitLab.
+different providers when using the GitLab Linux package installation.
 
 ### Configure Google
 
@@ -240,7 +240,7 @@ you need the following information:
   [Microsoft Quickstart Register an Application](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) documentation
   to obtain the tenant ID, client ID, and client secret for your app.
 
-Example Omnibus configuration block:
+Example configuration block for Linux package installations:
 
 ```ruby
 gitlab_rails['omniauth_providers'] = [
@@ -372,7 +372,7 @@ but `LocalAccounts` authenticates against local Active Directory accounts. Befor
    ```
 
 1. Configure the issuer URL with the custom policy used for `signup_signin`. For example, this is
-   the Omnibus configuration with a custom policy for `b2c_1a_signup_signin`:
+   the configuration with a custom policy for `b2c_1a_signup_signin` for Linux package installations:
 
    ```ruby
    gitlab_rails['omniauth_providers'] = [
@@ -432,7 +432,7 @@ HS256 or HS358) to sign tokens. Public key encryption algorithms are:
 1. Select **Realm Settings > Tokens > Default Signature Algorithm**.
 1. Configure the signature algorithm.
 
-Example Omnibus configuration block:
+Example configuration block for Linux package installations:
 
 ```ruby
 gitlab_rails['omniauth_providers'] = [
@@ -556,7 +556,7 @@ For your app, complete the following steps on Casdoor:
 
 See the [Casdoor documentation](https://casdoor.org/docs/integration/ruby/gitlab) for more details.
 
-Example Omnibus GitLab configuration (file path: `/etc/gitlab/gitlab.rb`):
+Example configuration for Linux package installations (file path: `/etc/gitlab/gitlab.rb`):
 
 ```ruby
 gitlab_rails['omniauth_providers'] = [
@@ -617,7 +617,7 @@ This is not compatible with [configuring users based on OIDC group membership](#
 
 The following example configurations show how to offer different levels of authentication, one option with 2FA and one without 2FA.
 
-For Omnibus GitLab:
+For Linux package installations:
 
 ```ruby
 gitlab_rails['omniauth_providers'] = [
@@ -668,7 +668,7 @@ gitlab_rails['omniauth_providers'] = [
 ]
 ```
 
-For installation from source:
+For self-compiled installations:
 
 ```yaml
   - { name: 'openid_connect',
@@ -774,7 +774,7 @@ response to require users to be members of a certain group, configure GitLab to
 
 If you do not set `required_groups` or leave the setting empty, any user authenticated by the IdP through OIDC can use GitLab.
 
-For Omnibus GitLab:
+For Linux package installations:
 
 1. Edit `/etc/gitlab/gitlab.rb`:
 
@@ -808,7 +808,7 @@ For Omnibus GitLab:
 1. Save the file and [reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure)
    for the changes to take effect.
 
-For installation from source:
+For self-compiled installations:
 
 1. Edit `/home/git/gitlab/config/gitlab.yml`:
 
@@ -853,7 +853,7 @@ based on group membership, configure GitLab to identify:
   [external user](../../user/admin_area/external_users.md), using the
  `external_groups` setting.
 
-For Omnibus GitLab:
+For Linux package installations:
 
 1. Edit `/etc/gitlab/gitlab.rb`:
 
@@ -887,7 +887,7 @@ For Omnibus GitLab:
 1. Save the file and [reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure)
    for the changes to take effect.
 
-For installation from source:
+For self-compiled installations:
 
 1. Edit `/home/git/gitlab/config/gitlab.yml`:
 
@@ -930,7 +930,7 @@ response to assign users as administrator based on group membership, configure G
 - Which group memberships grant the user administrator access, using the
  `admin_groups` setting.
 
-For Omnibus GitLab:
+For Linux package installations:
 
 1. Edit `/etc/gitlab/gitlab.rb`:
 
@@ -964,7 +964,7 @@ For Omnibus GitLab:
 1. Save the file and [reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure)
    for the changes to take effect.
 
-For installation from source:
+For self-compiled installations:
 
 1. Edit `/home/git/gitlab/config/gitlab.yml`:
 
diff --git a/doc/administration/auth/smartcard.md b/doc/administration/auth/smartcard.md
index 5b6d299f171..0fa585bace5 100644
--- a/doc/administration/auth/smartcard.md
+++ b/doc/administration/auth/smartcard.md
@@ -115,7 +115,7 @@ more information, see [the relevant issue](https://gitlab.com/gitlab-org/gitlab/
 
 ## Configure GitLab for smartcard authentication
 
-**For Omnibus installations**
+For Linux package installations:
 
 1. Edit `/etc/gitlab/gitlab.rb`:
 
@@ -140,9 +140,7 @@ more information, see [the relevant issue](https://gitlab.com/gitlab-org/gitlab/
 1. Save the file and [reconfigure](../restart_gitlab.md#omnibus-gitlab-reconfigure)
    GitLab for the changes to take effect.
 
----
-
-**For installations from source**
+For self-compiled installations:
 
 1. Configure NGINX to request a client side certificate
 
@@ -237,7 +235,7 @@ more information, see [the relevant issue](https://gitlab.com/gitlab-org/gitlab/
 
 ### Additional steps when using SAN extensions
 
-**For Omnibus installations**
+For Linux package installations:
 
 1. Add to `/etc/gitlab/gitlab.rb`:
 
@@ -248,7 +246,7 @@ more information, see [the relevant issue](https://gitlab.com/gitlab-org/gitlab/
 1. Save the file and [reconfigure](../restart_gitlab.md#omnibus-gitlab-reconfigure)
    GitLab for the changes to take effect.
 
-**For installations from source**
+For self-compiled installations:
 
 1. Add the `san_extensions` line to `config/gitlab.yml` within the smartcard section:
 
@@ -267,7 +265,7 @@ more information, see [the relevant issue](https://gitlab.com/gitlab-org/gitlab/
 
 ### Additional steps when authenticating against an LDAP server
 
-**For Omnibus installations**
+For Linux package installations:
 
 1. Edit `/etc/gitlab/gitlab.rb`:
 
@@ -284,7 +282,7 @@ more information, see [the relevant issue](https://gitlab.com/gitlab-org/gitlab/
 1. Save the file and [reconfigure](../restart_gitlab.md#omnibus-gitlab-reconfigure)
    GitLab for the changes to take effect.
 
-**For installations from source**
+For self-compiled installations:
 
 1. Edit `config/gitlab.yml`:
 
@@ -304,7 +302,7 @@ more information, see [the relevant issue](https://gitlab.com/gitlab-org/gitlab/
 
 ### Require browser session with smartcard sign-in for Git access
 
-**For Omnibus installations**
+For Linux package installations:
 
 1. Edit `/etc/gitlab/gitlab.rb`:
 
@@ -315,7 +313,7 @@ more information, see [the relevant issue](https://gitlab.com/gitlab-org/gitlab/
 1. Save the file and [reconfigure](../restart_gitlab.md#omnibus-gitlab-reconfigure)
    GitLab for the changes to take effect.
 
-**For installations from source**
+For self-compiled installations:
 
 1. Edit `config/gitlab.yml`:
 
diff --git a/doc/administration/clusters/kas.md b/doc/administration/clusters/kas.md
index 6d6e8e5513c..cbd32dea95c 100644
--- a/doc/administration/clusters/kas.md
+++ b/doc/administration/clusters/kas.md
@@ -21,12 +21,12 @@ If you use self-managed GitLab, you must install an agent server or specify an e
 
 As a GitLab administrator, you can install the agent server:
 
-- For [Omnibus installations](#for-omnibus).
-- For [GitLab Helm Chart installations](#for-gitlab-helm-chart).
+- For [Linux package installations](#for-linux-package-installations).
+- For [GitLab Helm chart installations](#for-gitlab-helm-chart).
 
-### For Omnibus
+### For Linux package installations
 
-You can enable the agent server for [Omnibus](https://docs.gitlab.com/omnibus/) package installations on a single node, or on multiple nodes at once.
+You can enable the agent server for Linux package installations on a single node, or on multiple nodes at once.
 
 #### Enable on a single node
 
@@ -167,7 +167,7 @@ service logs by running the following command:
 kubectl logs -f -l=app=kas -n <YOUR-GITLAB-NAMESPACE>
 ```
 
-In Omnibus GitLab, find the logs in `/var/log/gitlab/gitlab-kas/`.
+In Linux package installations, find the logs in `/var/log/gitlab/gitlab-kas/`.
 
 You can also [troubleshoot issues with individual agents](../../user/clusters/agent/troubleshooting.md).
 
@@ -212,7 +212,7 @@ When the agent server tries to connect to the GitLab API, the following error mi
 {"level":"error","time":"2021-08-16T14:56:47.289Z","msg":"GetAgentInfo()","correlation_id":"01FD7QE35RXXXX8R47WZFBAXTN","grpc_service":"gitlab.agent.reverse_tunnel.rpc.ReverseTunnel","grpc_method":"Connect","error":"Get \"https://gitlab.example.com/api/v4/internal/kubernetes/agent_info\": dial tcp 172.17.0.4:443: connect: connection refused"}
 ```
 
-To fix this issue for [Omnibus](https://docs.gitlab.com/omnibus/) package installations,
+To fix this issue for Linux package installations,
 set the following parameter in `/etc/gitlab/gitlab.rb`. Replace `gitlab.example.com` with your GitLab instance's hostname:
 
 ```ruby
diff --git a/doc/administration/operations/puma.md b/doc/administration/operations/puma.md
index efc55a5fbc3..63f3c66622d 100644
--- a/doc/administration/operations/puma.md
+++ b/doc/administration/operations/puma.md
@@ -211,6 +211,71 @@ make Prometheus scrape them over HTTPS, and support for it is being discussed
 Hence, it is not technically possible to turn off this HTTP listener without
 losing Prometheus metrics.
 
+### Using an encrypted SSL key
+
+> [Introduced](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/7799) in GitLab 16.1.
+
+Puma supports the use of an encrypted private SSL key, which can be
+decrypted at runtime. The following instructions illustrate how to
+configure this:
+
+1. Encrypt the key with a password if it is not already:
+
+   ```shell
+   openssl rsa -aes256 -in /path/to/ssl-key.pem -out /path/to/encrypted-ssl-key.pem
+   ```
+
+   Enter in a password twice to write the encrypted file. In this
+   example, we use `some-password-here`.
+
+1. Create a script or executable that prints the password. For
+   example, create a basic script in
+   `/var/opt/gitlab/gitlab-rails/etc/puma-ssl-key-password` that echoes
+   the password:
+
+   ```shell
+   #!/bin/sh
+   echo some-password-here
+   ```
+
+   Note that in production, you should avoid storing the password on
+   disk and use a secure mechanism for retrieving a password, such as
+   Vault. For example, the script might look like:
+
+   ```shell
+   #!/bin/sh
+   export VAULT_ADDR=http://vault-password-distribution-point:8200
+   export VAULT_TOKEN=<some token>
+
+   echo "$(vault kv get -mount=secret puma-ssl-password)"
+   ```
+
+1. Ensure the Puma process has sufficient permissions to execute the
+   script and to read the encrypted key:
+
+   ```shell
+   chown git:git /var/opt/gitlab/gitlab-rails/etc/puma-ssl-key-password
+   chmod 770 /var/opt/gitlab/gitlab-rails/etc/puma-ssl-key-password
+   chmod 660 /path/to/encrypted-ssl-key.pem
+   ```
+
+1. Edit `/etc/gitlab/gitlab.rb`, and replace `puma['ssl_certificate_key']` with the encrypted key and specify
+   `puma['ssl_key_password_command]`:
+
+   ```ruby
+   puma['ssl_certificate_key'] = '/path/to/encrypted-ssl-key.pem'
+   puma['ssl_key_password_command'] = '/var/opt/gitlab/gitlab-rails/etc/puma-ssl-key-password'
+   ```
+
+1. Reconfigure GitLab:
+
+   ```shell
+   sudo gitlab-ctl reconfigure
+   ```
+
+1. If GitLab comes up successfully, you should be able to remove the
+   unencrypted SSL key that was stored on the GitLab instance.
+
 ## Switch from Unicorn to Puma
 
 NOTE:
diff --git a/doc/administration/package_information/postgresql_versions.md b/doc/administration/package_information/postgresql_versions.md
index c1e9f7320ea..44032883eb4 100644
--- a/doc/administration/package_information/postgresql_versions.md
+++ b/doc/administration/package_information/postgresql_versions.md
@@ -30,6 +30,7 @@ Read more about update policies and warnings in the PostgreSQL
 
 | GitLab version | PostgreSQL versions | Default version for fresh installs | Default version for upgrades | Notes |
 | -------------- | --------------------- | ---------------------------------- | ---------------------------- | ----- |
+| 16.0 | 13.11 | 13.11 | 13.11 | |
 | 15.6 | 12.12, 13.8 | 13.8 | 12.12 | For upgrades, users can manually upgrade to 13.8 following the [upgrade documentation](https://docs.gitlab.com/omnibus/settings/database.html#gitlab-150-and-later). |
 | 15.0 | 12.10, 13.6 | 13.6 | 12.10 | For upgrades, users can manually upgrade to 13.6 following the [upgrade documentation](https://docs.gitlab.com/omnibus/settings/database.html#gitlab-150-and-later). |
 | 14.1 | 12.7, 13.3 | 12.7 | 12.7 | PostgreSQL 13 available for fresh installations if not using [Geo](../geo/index.md#requirements-for-running-geo) or [Patroni](../postgresql/index.md#postgresql-replication-and-failover-with-omnibus-gitlab).