Merge remote-tracking branch 'upstream/master' into ce-to-ee-2017-10-05

Gemfile

@@ -23,7 +23,7 @@ gem 'faraday', '~> 0.12'
 # Authentication libraries
 gem 'devise', '~> 4.2'
 gem 'doorkeeper', '~> 4.2.0'
-gem 'doorkeeper-openid_connect', '~> 1.1.0'
+gem 'doorkeeper-openid_connect', '~> 1.2.0'
 gem 'omniauth', '~> 1.4.2'
 gem 'omniauth-auth0', '~> 1.4.1'
 gem 'omniauth-azure-oauth2', '~> 0.0.9'

Gemfile.lock

@@ -88,7 +88,7 @@ GEM
       coderay (>= 1.0.0)
       erubis (>= 2.6.6)
       rack (>= 0.9.0)
-    bindata (2.3.5)
+    bindata (2.4.1)
     binding_of_caller (0.7.2)
       debug_inspector (>= 0.0.1)
     bootstrap-sass (3.3.6)
@@ -174,9 +174,9 @@ GEM
     docile (1.1.5)
     domain_name (0.5.20161021)
       unf (>= 0.0.5, < 1.0.0)
-    doorkeeper (4.2.0)
+    doorkeeper (4.2.6)
       railties (>= 4.2)
-    doorkeeper-openid_connect (1.1.2)
+    doorkeeper-openid_connect (1.2.0)
       doorkeeper (~> 4.0)
       json-jwt (~> 1.6)
     dropzonejs-rails (0.7.2)
@@ -438,7 +438,7 @@ GEM
       railties (>= 4.2.0)
       thor (>= 0.14, < 2.0)
     json (1.8.6)
-    json-jwt (1.7.1)
+    json-jwt (1.7.2)
       activesupport
       bindata
       multi_json (>= 1.3)
@@ -710,7 +710,7 @@ GEM
     rainbow (2.2.2)
       rake
     raindrops (0.18.0)
-    rake (12.0.0)
+    rake (12.1.0)
     rblineprof (0.3.6)
       debugger-ruby_core_source (~> 1.3)
     rbnacl (4.0.2)
@@ -1033,7 +1033,7 @@ DEPENDENCIES
   devise-two-factor (~> 3.0.0)
   diffy (~> 3.1.0)
   doorkeeper (~> 4.2.0)
-  doorkeeper-openid_connect (~> 1.1.0)
+  doorkeeper-openid_connect (~> 1.2.0)
   dropzonejs-rails (~> 0.7.1)
   elasticsearch-api (= 5.0.3)
   elasticsearch-model (~> 0.1.9)

app/assets/javascripts/environments/components/deploy_board_component.vue

@@ -8,7 +8,9 @@
    * - Button Actions.
    * [Mockup](https://gitlab.com/gitlab-org/gitlab-ce/uploads/2f655655c0eadf655d0ae7467b53002a/environments__deploy-graphic.png)
    */
+  import _ from 'underscore';
   import deployBoardSvg from 'empty_states/icons/_deploy_board.svg';
+  import { n__ } from '../../locale';
   import instanceComponent from './deploy_board_instance_component.vue';
   import loadingIcon from '../../vue_shared/components/loading_icon.vue';
 
@@ -26,40 +28,27 @@
         type: Boolean,
         required: true,
       },
-      hasError: {
+      isEmpty: {
         type: Boolean,
         required: true,
       },
     },
-    data() {
-      return {
-        deployBoardSvg,
-      };
-    },
     computed: {
       canRenderDeployBoard() {
-        return !this.isLoading && !this.hasError && this.deployBoardData.valid;
+        return !this.isLoading && !this.isEmpty && !_.isEmpty(this.deployBoardData);
       },
       canRenderEmptyState() {
-        return !this.isLoading && !this.hasError && !this.deployBoardData.valid;
-      },
-      canRenderErrorState() {
-        return !this.isLoading && this.hasError;
+        return !this.isLoading && this.isEmpty;
       },
       instanceTitle() {
-        let title;
-
-        if (this.deployBoardData.instances.length === 1) {
-          title = 'Instance';
-        } else {
-          title = 'Instances';
-        }
-
-        return title;
+        return n__('Instance', 'Instances', this.deployBoardData.instances.length);
       },
       projectName() {
         return '<projectname>';
       },
+      deployBoardSvg() {
+        return deployBoardSvg;
+      },
     },
   };
 </script>
@@ -128,11 +117,5 @@
         </span>
       </section>
     </div>
-
-    <div
-      v-if="canRenderErrorState"
-      class="deploy-board-error-message">
-      We can't fetch the data right now. Please try again later.
-    </div>
   </div>
 </script>

app/assets/javascripts/environments/components/environment.vue

@@ -127,16 +127,10 @@ export default {
 
     /**
      * Toggles the visibility of the deploy boards of the clicked environment.
-     *
      * @param {Object} model
-     * @return {Object}
      */
     toggleDeployBoard(model) {
       this.store.toggleDeployBoard(model.id);
-
-      if (!model.isDeployboardVisible) {
-        this.fetchDeployBoard(model, true);
-      }
     },
 
     toggleFolder(folder) {
@@ -203,11 +197,6 @@ export default {
       if (openFolders.length) {
         openFolders.forEach(folder => this.fetchChildEnvironments(folder));
       }
-
-      const openDeployBoards = this.store.getOpenDeployBoards();
-      if (openDeployBoards.length) {
-        openDeployBoards.forEach(env => this.fetchDeployBoard(env));
-      }
     },
 
     errorCallback() {
@@ -215,23 +204,6 @@ export default {
       // eslint-disable-next-line no-new
       new Flash('An error occurred while fetching the environments.');
     },
-
-    fetchDeployBoard(environment, showLoader = false) {
-      this.store.updateEnvironmentProp(environment, 'isLoadingDeployBoard', showLoader);
-
-      this.service.getDeployBoard(environment.rollout_status_path)
-        .then(resp => resp.json())
-        .then((data) => {
-          this.store.storeDeployBoard(environment.id, data);
-          this.store.updateEnvironmentProp(environment, 'isLoadingDeployBoard', false);
-        })
-        .catch(() => {
-          this.store.updateEnvironmentProp(environment, 'isLoadingDeployBoard', false);
-          this.store.updateEnvironmentProp(environment, 'hasErrorDeployBoard', true);
-          // eslint-disable-next-line no-new
-          new Flash('An error occurred while fetching the deploy board.');
-        });
-    },
   },
 };
 </script>

app/assets/javascripts/environments/components/environments_table.vue

@@ -74,7 +74,7 @@ export default {
           <deploy-board
             :deploy-board-data="model.deployBoardData"
             :is-loading="model.isLoadingDeployBoard"
-            :has-error="model.hasErrorDeployBoard"
+            :is-empty="model.isEmptyDeployBoard"
             />
         </div>
       </div>

app/assets/javascripts/environments/stores/environments_store.js

@@ -30,7 +30,7 @@ export default class EnvironmentsStore {
    * If the `size` is bigger than 1, it means it should be rendered as a folder.
    * In those cases we add `isFolder` key in order to render it properly.
    *
-   * Top level environments - when the size is 1 - with `rollout_status_path`
+   * Top level environments - when the size is 1 - with `rollout_status`
    * can render a deploy board. We add `isDeployBoardVisible` and `deployBoardData`
    * keys to those environments.
    * The first key will let's us know if we should or not render the deploy board.
@@ -65,13 +65,15 @@ export default class EnvironmentsStore {
         filtered = Object.assign(filtered, env);
       }
 
-      if (filtered.size === 1 && filtered.rollout_status_path) {
+      if (filtered.size === 1 && filtered.rollout_status) {
         filtered = Object.assign({}, filtered, {
           hasDeployBoard: true,
-          isDeployBoardVisible: oldEnvironmentState.isDeployBoardVisible || false,
-          deployBoardData: oldEnvironmentState.deployBoardData || {},
-          isLoadingDeployBoard: oldEnvironmentState.isLoadingDeployBoard || false,
-          hasErrorDeployBoard: oldEnvironmentState.hasErrorDeployBoard || false,
+          isDeployBoardVisible: oldEnvironmentState.isDeployBoardVisible === false ?
+            oldEnvironmentState.isDeployBoardVisible :
+            true,
+          deployBoardData: filtered.rollout_status.status === 'found' ? filtered.rollout_status : {},
+          isLoadingDeployBoard: filtered.rollout_status.status === 'loading',
+          isEmptyDeployBoard: filtered.rollout_status.status === 'not_found',
         });
       }
       return filtered;

app/controllers/admin/application_controller.rb

@@ -3,18 +3,23 @@
 # Automatically sets the layout and ensures an administrator is logged in
 class Admin::ApplicationController < ApplicationController
   before_action :authenticate_admin!
-  before_action :display_geo_information
+  before_action :display_read_only_information
   layout 'admin'
 
   def authenticate_admin!
     render_404 unless current_user.admin?
   end
 
-  def display_geo_information
-    return unless Gitlab::Geo.secondary?
-    return unless Gitlab::Geo.primary_node_configured?
+  def display_read_only_information
+    return unless Gitlab::Database.read_only?
 
-    primary_node = view_context.link_to('primary node', Gitlab::Geo.primary_node.url)
-    flash.now[:notice] = "You are on a secondary (read-only) Geo node. If you want to make any changes, you must visit the #{primary_node}.".html_safe
+    flash.now[:notice] = read_only_message
+  end
+
+  private
+
+  # Overridden in EE
+  def read_only_message
+    _('You are on a read-only GitLab instance.')
   end
 end

app/controllers/boards/issues_controller.rb

@@ -12,7 +12,7 @@ module Boards
     def index
       issues = Boards::Issues::ListService.new(board_parent, current_user, filter_params).execute
       issues = issues.page(params[:page]).per(params[:per] || 20)
-      make_sure_position_is_set(issues) unless Gitlab::Geo.secondary?
+      make_sure_position_is_set(issues) if Gitlab::Database.read_write?
       issues = issues.preload(:project,
                               :milestone,
                               :assignees,

app/controllers/projects/environments_controller.rb

 class Projects::EnvironmentsController < Projects::ApplicationController
   layout 'project'
   before_action :authorize_read_environment!
-  before_action :authorize_read_deploy_board!, only: :status
   before_action :authorize_create_environment!, only: [:new, :create]
   before_action :authorize_create_deployment!, only: [:stop]
   before_action :authorize_update_environment!, only: [:edit, :update]
   before_action :authorize_admin_environment!, only: [:terminal, :terminal_websocket_authorize]
-  before_action :environment, only: [:show, :edit, :update, :stop, :terminal, :terminal_websocket_authorize, :metrics, :status]
+  before_action :environment, only: [:show, :edit, :update, :stop, :terminal, :terminal_websocket_authorize, :metrics]
   before_action :verify_api_request!, only: :terminal_websocket_authorize
+  before_action :expire_etag_cache, only: [:index]
 
   def index
     @environments = project.environments
@@ -132,25 +132,6 @@ class Projects::EnvironmentsController < Projects::ApplicationController
     end
   end
 
-  # The rollout status of an enviroment
-  def status
-    unless @environment.deployment_service_ready?
-      render text: 'Not found', status: 404
-      return
-    end
-
-    rollout_status = @environment.rollout_status
-
-    Gitlab::PollingInterval.set_header(response, interval: 3000) unless rollout_status.try(:complete?)
-
-    if rollout_status.nil?
-      render body: nil, status: 204 # no result yet
-    else
-      serializer = RolloutStatusSerializer.new(project: @project, current_user: @current_user)
-      render json: serializer.represent(rollout_status)
-    end
-  end
-
   def additional_metrics
     respond_to do |format|
       format.json do
@@ -167,6 +148,15 @@ class Projects::EnvironmentsController < Projects::ApplicationController
     Gitlab::Workhorse.verify_api_request!(request.headers)
   end
 
+  def expire_etag_cache
+    return if request.format.json?
+
+    # this forces to reload json content
+    Gitlab::EtagCaching::Store.new.tap do |store|
+      store.touch(project_environments_path(project, format: :json))
+    end
+  end
+
   def environment_params
     params.require(:environment).permit(:name, :external_url)
   end

app/controllers/projects/lfs_api_controller.rb

@@ -4,6 +4,8 @@ class Projects::LfsApiController < Projects::GitHttpClientController
   include GitlabRoutingHelper
   include LfsRequest
 
+  prepend ::EE::Projects::LfsApiController
+
   skip_before_action :lfs_check_access!, only: [:deprecated]
   before_action :lfs_check_batch_operation!, only: [:batch]
 
@@ -96,14 +98,19 @@ class Projects::LfsApiController < Projects::GitHttpClientController
   end
 
   def lfs_check_batch_operation!
-    if upload_request? && Gitlab::Geo.secondary?
+    if upload_request? && Gitlab::Database.read_only?
       render(
         json: {
-          message: "You cannot write to a secondary GitLab Geo instance. Please use #{geo_primary_default_url_to_repo(project)} instead."
+          message: lfs_read_only_message
         },
-        content_type: "application/vnd.git-lfs+json",
+        content_type: 'application/vnd.git-lfs+json',
         status: 403
       )
     end
   end
+
+  # Overridden in EE
+  def lfs_read_only_message
+    _('You cannot write to this read-only GitLab instance.')
+  end
 end

app/controllers/projects/merge_requests/application_controller.rb

@@ -15,7 +15,7 @@ class Projects::MergeRequests::ApplicationController < Projects::ApplicationCont
   # Make sure merge requests created before 8.0
   # have head file in refs/merge-requests/
   def ensure_ref_fetched
-    @merge_request.ensure_ref_fetched
+    @merge_request.ensure_ref_fetched if Gitlab::Database.read_write?
   end
 
   def merge_request_params

app/controllers/sessions_controller.rb

@@ -9,9 +9,7 @@ class SessionsController < Devise::SessionsController
   prepend_before_action :check_initial_setup, only: [:new]
   prepend_before_action :authenticate_with_two_factor,
     if: :two_factor_enabled?, only: [:create]
-  prepend_before_action :store_redirect_path, only: [:new]
-  before_action :gitlab_geo_login, only: [:new]
-  before_action :gitlab_geo_logout, only: [:destroy]
+  prepend_before_action :store_redirect_uri, only: [:new]
   before_action :auto_sign_in_with_provider, only: [:new]
   before_action :load_recaptcha
 
@@ -88,7 +86,11 @@ class SessionsController < Devise::SessionsController
     end
   end
 
-  def store_redirect_path
+  def stored_redirect_uri
+    @redirect_to ||= stored_location_for(:redirect)
+  end
+
+  def store_redirect_uri
     redirect_uri =
       if request.referer.present? && (params['redirect_to_referer'] == 'yes')
         URI(request.referer)
@@ -98,40 +100,22 @@ class SessionsController < Devise::SessionsController
 
     # Prevent a 'you are already signed in' message directly after signing:
     # we should never redirect to '/users/sign_in' after signing in successfully.
-    if redirect_uri.path == new_user_session_path
-      return true
-    elsif redirect_uri.host == Gitlab.config.gitlab.host && redirect_uri.port == Gitlab.config.gitlab.port
-      redirect_to = redirect_uri.to_s
-    elsif Gitlab::Geo.geo_node?(host: redirect_uri.host, port: redirect_uri.port)
-      redirect_to = redirect_uri.to_s
-    end
+    return true if redirect_uri.path == new_user_session_path
+
+    redirect_to = redirect_uri.to_s if redirect_allowed_to?(redirect_uri)
 
     @redirect_to = redirect_to
     store_location_for(:redirect, redirect_to)
   end
 
-  def two_factor_enabled?
-    find_user.try(:two_factor_enabled?)
-  end
-
-  def gitlab_geo_login
-    return unless Gitlab::Geo.secondary?
-    return if signed_in?
-
-    oauth = Gitlab::Geo::OauthSession.new
-
-    # share full url with primary node by oauth state
-    user_return_to = URI.join(root_url, session[:user_return_to].to_s).to_s
-    oauth.return_to = @redirect_to || user_return_to
-
-    redirect_to oauth_geo_auth_url(state: oauth.generate_oauth_state)
+  # Overridden in EE
+  def redirect_allowed_to?(uri)
+    uri.host == Gitlab.config.gitlab.host &&
+      uri.port == Gitlab.config.gitlab.port
   end
 
-  def gitlab_geo_logout
-    return unless Gitlab::Geo.secondary?
-
-    oauth = Gitlab::Geo::OauthSession.new(access_token: session[:access_token])
-    @geo_logout_state = oauth.generate_logout_state
+  def two_factor_enabled?
+    find_user&.two_factor_enabled?
   end
 
   def auto_sign_in_with_provider

app/models/concerns/cache_markdown_field.rb

@@ -59,7 +59,7 @@ module CacheMarkdownField
 
   # Update every column in a row if any one is invalidated, as we only store
   # one version per row
-  def refresh_markdown_cache!(do_update: false)
+  def refresh_markdown_cache
     options = { skip_project_check: skip_project_check? }
 
     updates = cached_markdown_fields.markdown_fields.map do |markdown_field|
@@ -71,8 +71,14 @@ module CacheMarkdownField
     updates['cached_markdown_version'] = CacheMarkdownField::CACHE_VERSION
 
     updates.each {|html_field, data| write_attribute(html_field, data) }
+  end
+
+  def refresh_markdown_cache!
+    updates = refresh_markdown_cache
+
+    return unless persisted? && Gitlab::Database.read_write?
 
-    update_columns(updates) if persisted? && do_update
+    update_columns(updates)
   end
 
   def cached_html_up_to_date?(markdown_field)
@@ -124,8 +130,8 @@ module CacheMarkdownField
     end
 
     # Using before_update here conflicts with elasticsearch-model somehow
-    before_create :refresh_markdown_cache!, if: :invalidated_markdown_cache?
-    before_update :refresh_markdown_cache!, if: :invalidated_markdown_cache?
+    before_create :refresh_markdown_cache, if: :invalidated_markdown_cache?
+    before_update :refresh_markdown_cache, if: :invalidated_markdown_cache?
   end
 
   class_methods do

app/models/concerns/reactive_caching.rb

@@ -59,6 +59,9 @@ module ReactiveCaching
       raise NotImplementedError
     end
 
+    def reactive_cache_updated(*args)
+    end
+
     def with_reactive_cache(*args, &blk)
       within_reactive_cache_lifetime(*args) do
         data = Rails.cache.read(full_reactive_cache_key(*args))
@@ -77,8 +80,11 @@ module ReactiveCaching
       locking_reactive_cache(*args) do
         within_reactive_cache_lifetime(*args) do
           enqueuing_update(*args) do
-            value = calculate_reactive_cache(*args)
-            Rails.cache.write(full_reactive_cache_key(*args), value)
+            key = full_reactive_cache_key(*args)
+            new_value = calculate_reactive_cache(*args)
+            old_value = Rails.cache.read(key)
+            Rails.cache.write(key, new_value)
+            reactive_cache_updated(*args) if new_value != old_value
           end
         end
       end

app/models/concerns/routable.rb

@@ -156,7 +156,7 @@ module Routable
   end
 
   def update_route
-    return if Gitlab::Geo.secondary?
+    return if Gitlab::Database.read_only?
 
     prepare_route
     route.save

app/models/concerns/token_authenticatable.rb

@@ -43,15 +43,17 @@ module TokenAuthenticatable
         write_attribute(token_field, token) if token
       end
 
+      # Returns a token, but only saves when the database is in read & write mode
       define_method("ensure_#{token_field}!") do
         send("reset_#{token_field}!") if read_attribute(token_field).blank? # rubocop:disable GitlabSecurity/PublicSend
 
         read_attribute(token_field)
       end
 
+      # Resets the token, but only saves when the database is in read & write mode
       define_method("reset_#{token_field}!") do
         write_new_token(token_field)
-        save!
+        save! if Gitlab::Database.read_write?
       end
     end
   end

app/models/merge_request.rb

@@ -501,7 +501,7 @@ class MergeRequest < ActiveRecord::Base
   end
 
   def check_if_can_be_merged
-    return unless unchecked? && !Gitlab::Geo.secondary?
+    return unless unchecked? && Gitlab::Database.read_write?
 
     can_be_merged =
       !broken? && project.repository.can_be_merged?(diff_head_sha, target_branch)

app/models/project.rb

@@ -812,7 +812,7 @@ class Project < ActiveRecord::Base
   end
 
   def cache_has_external_issue_tracker
-    update_column(:has_external_issue_tracker, services.external_issue_trackers.any?)
+    update_column(:has_external_issue_tracker, services.external_issue_trackers.any?) if Gitlab::Database.read_write?
   end
 
   def has_wiki?
@@ -832,7 +832,7 @@ class Project < ActiveRecord::Base
   end
 
   def cache_has_external_wiki
-    update_column(:has_external_wiki, services.external_wikis.any?)
+    update_column(:has_external_wiki, services.external_wikis.any?) if Gitlab::Database.read_write?
   end
 
   def find_or_initialize_services(exceptions: [])

app/models/project_services/mock_deployment_service.rb

@@ -17,12 +17,14 @@ class MockDeploymentService < DeploymentService
   end
 
   def rollout_status(environment)
-    OpenStruct.new(
-      instances: rollout_status_instances,
-      completion: 80,
-      valid?: true,
-      complete?: true
-    )
+    case environment.name
+    when 'staging'
+      Gitlab::Kubernetes::RolloutStatus.new([], status: :not_found)
+    when 'test'
+      Gitlab::Kubernetes::RolloutStatus.new([], status: :loading)
+    else
+      Gitlab::Kubernetes::RolloutStatus.new(rollout_status_deployments)
+    end
   end
 
   private
@@ -31,4 +33,8 @@ class MockDeploymentService < DeploymentService
     data = File.read(Rails.root.join('spec', 'fixtures', 'rollout_status_instances.json'))
     JSON.parse(data)
   end
+
+  def rollout_status_deployments
+    [OpenStruct.new(instances: rollout_status_instances)]
+  end
 end

app/models/user.rb

@@ -478,6 +478,14 @@ class User < ActiveRecord::Base
     reset_password_sent_at.present? && reset_password_sent_at >= 1.minute.ago
   end
 
+  def remember_me!
+    super if ::Gitlab::Database.read_write?
+  end
+
+  def forget_me!
+    super if ::Gitlab::Database.read_write?
+  end
+
   def disable_two_factor!
     transaction do
       update_attributes(

app/serializers/environment_entity.rb

@@ -9,7 +9,9 @@ class EnvironmentEntity < Grape::Entity
   expose :last_deployment, using: DeploymentEntity
   expose :stop_action?
 
-  expose :metrics_path, if: -> (environment, _) { environment.has_metrics? } do |environment|
+  expose :rollout_status, if: -> (*) { can_read_deploy_board? }, using: RolloutStatusEntity
+
+  expose :metrics_path, if: -> (*) { environment.has_metrics? } do |environment|
     metrics_project_environment_path(environment.project, environment)
   end
 
@@ -21,19 +23,26 @@ class EnvironmentEntity < Grape::Entity
     stop_project_environment_path(environment.project, environment)
   end
 
-  expose :terminal_path, if: ->(environment, _) { environment.deployment_service_ready? } do |environment|
+  expose :terminal_path, if: ->(*) { environment.deployment_service_ready? } do |environment|
     can?(request.current_user, :admin_environment, environment.project) &&
       terminal_project_environment_path(environment.project, environment)
   end
 
-  expose :rollout_status_path, if: ->(environment, _) { environment.deployment_service_ready? } do |environment|
-    can?(request.current_user, :read_deploy_board, environment.project) &&
-      status_project_environment_path(environment.project, environment, format: :json)
-  end
-
   expose :folder_path do |environment|
     folder_project_environments_path(environment.project, environment.folder_name)
   end
 
   expose :created_at, :updated_at
+
+  private
+
+  alias_method :environment, :object
+
+  def current_user
+    request.current_user
+  end
+
+  def can_read_deploy_board?
+    can?(current_user, :read_deploy_board, environment.project)
+  end
 end

app/serializers/rollout_status_entity.rb

 class RolloutStatusEntity < Grape::Entity
   include RequestAwareEntity
 
-  expose :instances
-  expose :completion
-  expose :valid?, as: :valid
+  expose :status, as: :status
 
-  expose :is_completed do |rollout_status|
-    rollout_status.complete?
-  end
+  expose :instances, if: -> (rollout_status, _) { rollout_status.found? }
+  expose :completion, if: -> (rollout_status, _) { rollout_status.found? }
+  expose :complete?, as: :is_completed, if: -> (rollout_status, _) { rollout_status.found? }
 end

app/serializers/rollout_status_serializer.rb

-class RolloutStatusSerializer < BaseSerializer
-  entity RolloutStatusEntity
-end

app/services/keys/last_used_service.rb

 module Keys
   class LastUsedService
-    prepend ::EE::Keys::LastUsedService
-
     TIMEOUT = 1.day.to_i
 
     attr_reader :key
@@ -18,6 +16,8 @@ module Keys
     end
 
     def update?
+      return false if ::Gitlab::Database.read_only?
+
       last_used = key.last_used_at
 
       return false if last_used && (Time.zone.now - last_used) <= TIMEOUT

app/services/users/activity_service.rb

@@ -14,7 +14,7 @@ module Users
     private
 
     def record_activity
-      Gitlab::UserActivities.record(@author.id) unless Gitlab::Geo.secondary?
+      Gitlab::UserActivities.record(@author.id) if Gitlab::Database.read_write?
 
       Rails.logger.debug("Recorded activity: #{@activity} for User ID: #{@author.id} (username: #{@author.username})")
     end

app/views/admin/geo_nodes/index.html.haml

@@ -84,7 +84,7 @@
                 %p
                   .js-health
 
-          - unless Gitlab::Geo.secondary?
+          - if Gitlab::Database.read_write?
             .node-actions
               - if Gitlab::Geo.license_allows?
                 - if node.missing_oauth_application?

app/workers/concerns/project_start_import.rb

+module ProjectStartImport
+  def start(project)
+    if project.import_started? && project.import_jid == self.jid
+      return true
+    end
+
+    project.import_start
+  end
+end

app/workers/repository_fork_worker.rb

@@ -4,6 +4,7 @@ class RepositoryForkWorker
   include Sidekiq::Worker
   include Gitlab::ShellAdapter
   include DedicatedSidekiqQueue
+  include ProjectStartImport
 
   sidekiq_options status_expiration: StuckImportJobsWorker::IMPORT_JOBS_EXPIRATION
 
@@ -37,7 +38,7 @@ class RepositoryForkWorker
   private
 
   def start_fork(project)
-    return true if project.import_start
+    return true if start(project)
 
     Rails.logger.info("Project #{project.full_path} was in inconsistent state (#{project.import_status}) while forking.")
     false

app/workers/repository_import_worker.rb

@@ -4,6 +4,7 @@ class RepositoryImportWorker
   include Sidekiq::Worker
   include DedicatedSidekiqQueue
   include ExceptionBacktrace
+  include ProjectStartImport
 
   sidekiq_options status_expiration: StuckImportJobsWorker::IMPORT_JOBS_EXPIRATION
 
@@ -38,7 +39,7 @@ class RepositoryImportWorker
   private
 
   def start_import(project)
-    return true if project.import_start
+    return true if start(project)
 
     Rails.logger.info("Project #{project.full_path} was in inconsistent state (#{project.import_status}) while importing.")
     false

app/workers/repository_update_mirror_worker.rb

@@ -4,6 +4,7 @@ class RepositoryUpdateMirrorWorker
   include Sidekiq::Worker
   include Gitlab::ShellAdapter
   include DedicatedSidekiqQueue
+  include ProjectStartImport
 
   LEASE_KEY = 'repository_update_mirror_worker_start_scheduler'.freeze
   LEASE_TIMEOUT = 2.seconds
@@ -45,7 +46,7 @@ class RepositoryUpdateMirrorWorker
   end
 
   def start_mirror(project)
-    if project.import_start
+    if start(project)
       Rails.logger.info("Mirror update for #{project.full_path} started. Waiting duration: #{project.mirror_waiting_duration}")
       Gitlab::Metrics.add_event_with_values(
         :mirrors_running,

changelogs/unreleased-ee/3230-reduce-sync-delay.yml

+---
+title: Schedule repository synchronization when processing events on a Geo secondary
+  node
+merge_request: 2838
+author:
+type: changed

changelogs/unreleased-ee/3328-one-request-deploy-boards.yml

+---
+title: Improves visibility of deploy boards
+merge_request:
+author:
+type: changed

changelogs/unreleased-ee/tc-geo-read-only-to-ce.yml

+---
+title: Create idea of read-only database and add method to check for it
+merge_request: 2954
+author:
+type: changed

changelogs/unreleased/fix-update-doorkeeper-openid-connect.yml

+---
+title: Upgrade doorkeeper-openid_connect
+merge_request: 14372
+author: Markus Koller
+type: other

config/application.rb

@@ -175,8 +175,8 @@ module Gitlab
     ENV['GITLAB_PATH_OUTSIDE_HOOK'] = ENV['PATH']
     ENV['GIT_TERMINAL_PROMPT'] = '0'
 
-    # Gitlab Geo Middleware support
-    config.middleware.insert_after ActionDispatch::Flash, 'Gitlab::Middleware::ReadonlyGeo'
+    # Gitlab Read-only middleware support
+    config.middleware.insert_after ActionDispatch::Flash, 'Gitlab::Middleware::ReadOnly'
 
     config.generators do |g|
       g.factory_girl false

config/initializers/doorkeeper_openid_connect.rb

 Doorkeeper::OpenidConnect.configure do
   issuer Gitlab.config.gitlab.url
 
-  jws_private_key Rails.application.secrets.jws_private_key
+  signing_key Rails.application.secrets.openid_connect_signing_key
 
   resource_owner_from_access_token do |access_token|
     User.active.find_by(id: access_token.resource_owner_id)

config/initializers/secret_token.rb

@@ -25,7 +25,7 @@ def create_tokens
     secret_key_base: file_secret_key || generate_new_secure_token,
     otp_key_base: env_secret_key || file_secret_key || generate_new_secure_token,
     db_key_base: generate_new_secure_token,
-    jws_private_key: generate_new_rsa_private_key
+    openid_connect_signing_key: generate_new_rsa_private_key
   }
 
   missing_secrets = set_missing_keys(defaults)

config/routes/project.rb

@@ -224,7 +224,6 @@ constraints(ProjectUrlConstrainer.new) do
           get :terminal
           get :metrics
           get :additional_metrics
-          get :status, constraints: { format: :json }
           get '/terminal.ws/authorize', to: 'environments#terminal_websocket_authorize', constraints: { format: nil }
         end
 

doc/administration/auth/ldap.md

@@ -395,13 +395,12 @@ your installation compares before proceeding.
 
 There are two encryption methods, `simple_tls` and `start_tls`.
 
-For either encryption method, if setting `validate_certificates: false`, TLS
+For either encryption method, if setting `verify_certificates: false`, TLS
 encryption is established with the LDAP server before any LDAP-protocol data is
 exchanged but no validation of the LDAP server's SSL certificate is performed.
 
->**Note**: Before GitLab 9.5, `validate_certificates: false` is the default if
+>**Note**: Before GitLab 9.5, `verify_certificates: false` is the default if
 unspecified.
->>>>>>> upstream/master
 
 ## Limitations
 

doc/development/geo.md

@@ -78,19 +78,20 @@ to see if there are changes since the last time the log was checked
 and will handle repository updates, deletes, changes & renames.
 
 
-## Readonly
+## Read-only
 
 All **Secondary** nodes are read-only.
 
-We have a Rails Middleware that filters any potentially writing operations
-and prevent user from trying to update the database and getting a 500 error
-(see `Gitlab::Middleware::ReadonlyGeo`).
+The general principle of a [read-only database](verifying_database_capabilities.md#read-only-database)
+applies to all Geo secondary nodes. So `Gitlab::Database.read_only?`
+will always return `true` on a secondary node.
 
-Database will already be read-only in a replicated setup, so we don't need to
-take any extra step for that.
+When some write actions are not allowed, because the node is a
+secondary, consider the `Gitlab::Database.read_only?` or `Gitlab::Database.read_write?`
+guard, instead of `Gitlab::Geo.secondary?`.
 
-We do use our feature toggle `.secondary?` to coordinate Git operations and do
-the correct authorization (denying writing on any secondary node).
+Database itself will already be read-only in a replicated setup, so we
+don't need to take any extra step for that.
 
 ## File Transfers
 

doc/development/verifying_database_capabilities.md

@@ -24,3 +24,15 @@ else
   run_query
 end
 ```
+
+# Read-only database
+
+The database can be used in read-only mode. In this case we have to
+make sure all GET requests don't attempt any write operations to the
+database. If one of those requests wants to write to the database, it needs
+to be wrapped in a `Gitlab::Database.read_only?` or `Gitlab::Database.read_write?`
+guard, to make sure it doesn't for read-only databases.
+
+We have a Rails Middleware that filters any potentially writing
+operations (the CUD operations of CRUD) and prevent the user from trying
+to update the database and getting a 500 error (see `Gitlab::Middleware::ReadOnly`).

doc/gitlab-geo/updating_the_geo_nodes.md

@@ -48,6 +48,13 @@ chown git:git /var/opt/gitlab/gitlab-rails/working
 
 You may delete `/var/opt/gitlab/gitlab-rails/working.old` any time.
 
+Once this is done, we advise restarting GitLab on the secondary nodes for the
+new working directory to be used:
+
+```
+sudo gitlab-ctl restart
+```
+
 ## Upgrading from GitLab 9.3 or older
 
 If you started running Geo on GitLab 9.3 or older, we recommend that you

ee/app/controllers/ee/admin/application_controller.rb

+module EE
+  module Admin
+    module ApplicationController
+      def read_only_message
+        raise NotImplementedError unless defined?(super)
+
+        return super unless Gitlab::Geo.secondary_with_primary?
+
+        link_to_primary_node = view_context.link_to('primary node', Gitlab::Geo.primary_node.url)
+        (_('You are on a read-only GitLab instance. If you want to make any changes, you must visit the %{link_to_primary_node}.') % { link_to_primary_node: link_to_primary_node }).html_safe
+      end
+    end
+  end
+end

ee/app/controllers/ee/projects/lfs_api_controller.rb

+module EE
+  module Projects
+    module LfsApiController
+      def lfs_read_only_message
+        raise NotImplementedError unless defined?(super)
+
+        return super unless ::Gitlab::Geo.secondary_with_primary?
+
+        (_('You cannot write to a read-only secondary GitLab Geo instance. Please use %{link_to_primary_node} instead.') % { link_to_primary_node: geo_primary_default_url_to_repo(project) }).html_safe
+      end
+    end
+  end
+end

ee/app/controllers/ee/sessions_controller.rb

@@ -2,13 +2,45 @@ module EE
   module SessionsController
     extend ActiveSupport::Concern
 
+    prepended do
+      before_action :gitlab_geo_login, only: [:new]
+      before_action :gitlab_geo_logout, only: [:destroy]
+    end
+
     private
 
+    def gitlab_geo_login
+      return unless ::Gitlab::Geo.secondary?
+      return if signed_in?
+
+      oauth = ::Gitlab::Geo::OauthSession.new
+
+      # share full url with primary node by oauth state
+      user_return_to = URI.join(root_url, session[:user_return_to].to_s).to_s
+      oauth.return_to = stored_redirect_uri || user_return_to
+
+      redirect_to oauth_geo_auth_url(state: oauth.generate_oauth_state)
+    end
+
+    def gitlab_geo_logout
+      return unless ::Gitlab::Geo.secondary?
+
+      oauth = ::Gitlab::Geo::OauthSession.new(access_token: session[:access_token])
+      @geo_logout_state = oauth.generate_logout_state
+    end
+
     def log_failed_login
       ::AuditEventService.new(request.filtered_parameters['user']['login'], nil, ip_address: request.remote_ip)
           .for_failed_login.unauth_security_event
 
       super
     end
+
+    def redirect_allowed_to?(uri)
+      raise NotImplementedError unless defined?(super)
+
+      # Redirect is not only allowed to current host, but also to other Geo nodes
+      super || ::Gitlab::Geo.geo_node?(host: uri.host, port: uri.port)
+    end
   end
 end

ee/app/models/concerns/ee/kubernetes_service.rb

 module EE
   module KubernetesService
     def rollout_status(environment)
-      with_reactive_cache do |data|
+      result = with_reactive_cache do |data|
         specs = filter_by_label(data[:deployments], app: environment.slug)
 
         ::Gitlab::Kubernetes::RolloutStatus.from_specs(*specs)
       end
+      result || ::Gitlab::Kubernetes::RolloutStatus.loading
     end
 
     def calculate_reactive_cache
@@ -15,6 +16,15 @@ module EE
       result
     end
 
+    def reactive_cache_updated
+      super
+
+      ::Gitlab::EtagCaching::Store.new.tap do |store|
+        store.touch(
+          ::Gitlab::Routing.url_helpers.project_environments_path(project, format: :json))
+      end
+    end
+
     def read_deployments
       kubeclient = build_kubeclient!(api_path: 'apis/extensions', api_version: 'v1beta1')
 

ee/app/models/ee/project.rb

@@ -273,14 +273,6 @@ module EE
         .order(order % quoted_values) # `order` cannot escape for us!
     end
 
-    def cache_has_external_issue_tracker
-      super unless ::Gitlab::Geo.secondary?
-    end
-
-    def cache_has_external_wiki
-      super unless ::Gitlab::Geo.secondary?
-    end
-
     def execute_hooks(data, hooks_scope = :push_hooks)
       super
 

ee/app/models/ee/user.rb

@@ -84,16 +84,6 @@ module EE
       super || auditor?
     end
 
-    def remember_me!
-      return if ::Gitlab::Geo.secondary?
-      super
-    end
-
-    def forget_me!
-      return if ::Gitlab::Geo.secondary?
-      super
-    end
-
     def email_opted_in_source
       email_opted_in_source_id == EMAIL_OPT_IN_SOURCE_ID_GITLAB_COM ? 'GitLab.com' : ''
     end

ee/app/services/ee/keys/last_used_service.rb → ee/lib/ee/gitlab/database.rb

 module EE
-  module Keys
-    module LastUsedService
-      def update?
+  module Gitlab
+    module Database
+      def self.read_only?
         raise NotImplementedError unless defined?(super)
 
-        !::Gitlab::Geo.secondary? && super
+        Gitlab::Geo.secondary? || super
       end
     end
   end

lib/banzai/renderer.rb

@@ -40,7 +40,7 @@ module Banzai
         return cacheless_render_field(object, field)
       end
 
-      object.refresh_markdown_cache!(do_update: update_object?(object)) unless object.cached_html_up_to_date?(field)
+      object.refresh_markdown_cache! unless object.cached_html_up_to_date?(field)
 
       object.cached_html_for(field)
     end
@@ -162,10 +162,5 @@ module Banzai
       return unless cache_key
       Rails.cache.__send__(:expanded_key, full_cache_key(cache_key, pipeline_name)) # rubocop:disable GitlabSecurity/PublicSend
     end
-
-    # GitLab EE needs to disable updates on GET requests in Geo
-    def self.update_object?(object)
-      !Gitlab::Geo.secondary?
-    end
   end
 end

lib/gitlab/database.rb

 module Gitlab
   module Database
+    extend ::EE::Gitlab::Database
+
     # The max value of INTEGER type is the same between MySQL and PostgreSQL:
     # https://www.postgresql.org/docs/9.2/static/datatype-numeric.html
     # http://dev.mysql.com/doc/refman/5.7/en/integer-types.html
@@ -29,6 +31,15 @@ module Gitlab
       adapter_name.casecmp('postgresql').zero?
     end
 
+    # Overridden in EE
+    def self.read_only?
+      false
+    end
+
+    def self.read_write?
+      !self.read_only?
+    end
+
     def self.version
       database_version.match(/\A(?:PostgreSQL |)([^\s]+).*\z/)[1]
     end

lib/gitlab/geo.rb

@@ -54,6 +54,10 @@ module Gitlab
       Gitlab::Geo.primary_node.present?
     end
 
+    def self.secondary_with_primary?
+      self.secondary? && self.primary_node_configured?
+    end
+
     def self.license_allows?
       ::License.feature_available?(:geo)
     end

lib/gitlab/geo/log_cursor/daemon.rb

@@ -65,15 +65,15 @@ module Gitlab
             next unless can_replay?(event_log)
 
             if event_log.repository_updated_event
-              handle_repository_update(event_log)
+              handle_repository_updated(event_log)
             elsif event_log.repository_created_event
               handle_repository_created(event_log)
             elsif event_log.repository_deleted_event
-              handle_repository_delete(event_log)
+              handle_repository_deleted(event_log)
             elsif event_log.repositories_changed_event
               handle_repositories_changed(event_log.repositories_changed_event)
             elsif event_log.repository_renamed_event
-              handle_repository_rename(event_log)
+              handle_repository_renamed(event_log)
             end
           end
         end
@@ -107,95 +107,98 @@ module Gitlab
         end
 
         def handle_repository_created(event_log)
-          created_event = event_log.repository_created_event
-          registry = ::Geo::ProjectRegistry.find_or_initialize_by(project_id: created_event.project_id)
-          registry.resync_repository = true
-          registry.resync_wiki = created_event.wiki_path.present?
+          event = event_log.repository_created_event
+          registry = find_or_initialize_registry(event.project_id, resync_repository: true, resync_wiki: event.wiki_path.present?)
 
           log_event_info(
             event_log.created_at,
             message: 'Repository created',
-            project_id: created_event.project_id,
-            repo_path: created_event.repo_path,
-            wiki_path: created_event.wiki_path,
+            project_id: event.project_id,
+            repo_path: event.repo_path,
+            wiki_path: event.wiki_path,
             resync_repository: registry.resync_repository,
             resync_wiki: registry.resync_wiki)
 
           registry.save!
-        end
-
-        def handle_repository_update(event)
-          updated_event = event.repository_updated_event
-          registry = ::Geo::ProjectRegistry.find_or_initialize_by(project_id: updated_event.project_id)
 
-          case updated_event.source
-          when 'repository'
-            registry.resync_repository = true
-          when 'wiki'
-            registry.resync_wiki = true
+          ::Geo::ProjectSyncWorker.perform_async(event.project_id, Time.now)
         end
 
+        def handle_repository_updated(event_log)
+          event = event_log.repository_updated_event
+          registry = find_or_initialize_registry(event.project_id, "resync_#{event.source}" => true)
+
           log_event_info(
-            event.created_at,
-            message: "Repository update",
-            project_id: updated_event.project_id,
-            source: updated_event.source,
+            event_log.created_at,
+            message: 'Repository update',
+            project_id: event.project_id,
+            source: event.source,
             resync_repository: registry.resync_repository,
             resync_wiki: registry.resync_wiki)
 
           registry.save!
+
+          ::Geo::ProjectSyncWorker.perform_async(event.project_id, Time.now)
         end
 
-        def handle_repository_delete(event)
-          deleted_event = event.repository_deleted_event
-          full_path = File.join(deleted_event.repository_storage_path,
-                                deleted_event.deleted_path)
+        def handle_repository_deleted(event_log)
+          event = event_log.repository_deleted_event
+
+          disk_path = File.join(event.repository_storage_path, event.deleted_path)
+
           job_id = ::Geo::RepositoryDestroyService
-                     .new(deleted_event.project_id,
-                          deleted_event.deleted_project_name,
-                          full_path,
-                          deleted_event.repository_storage_name)
+                     .new(event.project_id, event.deleted_project_name, disk_path, event.repository_storage_name)
                      .async_execute
-          log_event_info(event.created_at,
-                         message: "Deleted project",
-                         project_id: deleted_event.project_id,
-                         full_path: full_path,
+
+          log_event_info(
+            event_log.created_at,
+            message: 'Deleted project',
+            project_id: event.project_id,
+            disk_path: disk_path,
             job_id: job_id)
+
           # No need to create a project entry if it doesn't exist
-          ::Geo::ProjectRegistry.where(project_id: deleted_event.project_id).delete_all
+          ::Geo::ProjectRegistry.where(project_id: event.project_id).delete_all
         end
 
-        def handle_repositories_changed(changed_event)
-          return unless Gitlab::Geo.current_node.id == changed_event.geo_node_id
+        def handle_repositories_changed(event)
+          return unless Gitlab::Geo.current_node.id == event.geo_node_id
 
-          job_id = ::Geo::RepositoriesCleanUpWorker.perform_in(1.hour, changed_event.geo_node_id)
+          job_id = ::Geo::RepositoriesCleanUpWorker.perform_in(1.hour, event.geo_node_id)
 
           if job_id
-            log_info('Scheduled repositories clean up for Geo node', geo_node_id: changed_event.geo_node_id, job_id: job_id)
+            log_info('Scheduled repositories clean up for Geo node', geo_node_id: event.geo_node_id, job_id: job_id)
           else
-            log_error('Could not schedule repositories clean up for Geo node', geo_node_id: changed_event.geo_node_id)
+            log_error('Could not schedule repositories clean up for Geo node', geo_node_id: event.geo_node_id)
           end
         end
 
-        def handle_repository_rename(event)
-          renamed_event = event.repository_renamed_event
-          return unless renamed_event.project_id
+        def handle_repository_renamed(event_log)
+          event = event_log.repository_renamed_event
+          return unless event.project_id
 
-          old_path = renamed_event.old_path_with_namespace
-          new_path = renamed_event.new_path_with_namespace
+          old_path = event.old_path_with_namespace
+          new_path = event.new_path_with_namespace
 
           job_id = ::Geo::MoveRepositoryService
-                     .new(renamed_event.project_id, "", old_path, new_path)
+                     .new(event.project_id, '', old_path, new_path)
                      .async_execute
 
-          log_event_info(event.created_at,
-                         message: "Renaming project",
-                         project_id: renamed_event.project_id,
+          log_event_info(
+            event_log.created_at,
+            message: 'Renaming project',
+            project_id: event.project_id,
             old_path: old_path,
             new_path: new_path,
             job_id: job_id)
         end
 
+        def find_or_initialize_registry(project_id, attrs)
+          registry = ::Geo::ProjectRegistry.find_or_initialize_by(project_id: project_id)
+          registry.assign_attributes(attrs)
+          registry
+        end
+
         def cursor_delay(created_at)
           (Time.now - created_at).to_f.round(3)
         end

lib/gitlab/geo/oauth_session.rb

@@ -58,7 +58,7 @@ module Gitlab
         return false unless access_token
 
         api = OAuth2::AccessToken.from_hash(oauth_client, access_token: access_token)
-        api.get('/api/v3/user').parsed
+        api.get('/api/v4/user').parsed
       end
 
       private

lib/gitlab/git_access.rb

@@ -19,8 +19,8 @@ module Gitlab
       command_not_allowed: "The command you're trying to execute is not allowed.",
       upload_pack_disabled_over_http: 'Pulling over HTTP is not allowed.',
       receive_pack_disabled_over_http: 'Pushing over HTTP is not allowed.',
-      readonly: 'The repository is temporarily read-only. Please try again later.',
-      cannot_push_to_secondary_geo: "You can't push code to a secondary GitLab Geo node."
+      read_only: 'The repository is temporarily read-only. Please try again later.',
+      cannot_push_to_read_only: "You can't push code to a read-only GitLab instance."
     }.freeze
 
     DOWNLOAD_COMMANDS = %w{ git-upload-pack git-upload-archive }.freeze
@@ -173,11 +173,11 @@ module Gitlab
     # TODO: please clean this up
     def check_push_access!(changes)
       if project.repository_read_only?
-        raise UnauthorizedError, ERROR_MESSAGES[:readonly]
+        raise UnauthorizedError, ERROR_MESSAGES[:read_only]
       end
 
-      if Gitlab::Geo.secondary?
-        raise UnauthorizedError, ERROR_MESSAGES[:cannot_push_to_secondary_geo]
+      if Gitlab::Database.read_only?
+        raise UnauthorizedError, ERROR_MESSAGES[:cannot_push_to_read_only]
       end
 
       if deploy_key

lib/gitlab/git_access_wiki.rb

 module Gitlab
   class GitAccessWiki < GitAccess
     ERROR_MESSAGES = {
-      geo:           "You can't push code to a secondary GitLab Geo node.",
+      read_only:     "You can't push code to a read-only GitLab instance.",
       write_to_wiki: "You are not allowed to write to this project's wiki."
     }.freeze
 
@@ -18,8 +18,8 @@ module Gitlab
         raise UnauthorizedError, ERROR_MESSAGES[:write_to_wiki]
       end
 
-      if Gitlab::Geo.enabled? && Gitlab::Geo.secondary?
-        raise UnauthorizedError, ERROR_MESSAGES[:geo]
+      if Gitlab::Database.read_only?
+        raise UnauthorizedError, ERROR_MESSAGES[:read_only]
       end
 
       true

lib/gitlab/kubernetes/rollout_status.rb

@@ -6,26 +6,38 @@ module Gitlab
     # other resources, unified by an `app=` label. The rollout status sums the
     # Kubernetes deployments together.
     class RolloutStatus
-      attr_reader :deployments, :instances, :completion
+      attr_reader :deployments, :instances, :completion, :status
 
       def complete?
         completion == 100
       end
 
-      def valid?
-        @valid
+      def loading?
+        @status == :loading
+      end
+
+      def not_found?
+        @status == :not_found
+      end
+
+      def found?
+        @status == :found
       end
 
       def self.from_specs(*specs)
-        return new([], valid: false) if specs.empty?
+        return new([], status: :not_found) if specs.empty?
 
         deployments = specs.map { |spec| ::Gitlab::Kubernetes::Deployment.new(spec) }
         deployments.sort_by!(&:order)
         new(deployments)
       end
 
-      def initialize(deployments, valid: true)
-        @valid        = valid
+      def self.loading
+        new([], status: :loading)
+      end
+
+      def initialize(deployments, status: :found)
+        @status       = status
         @deployments  = deployments
         @instances    = deployments.flat_map(&:instances)
 

lib/gitlab/middleware/readonly_geo.rb → lib/gitlab/middleware/read_only.rb

 module Gitlab
   module Middleware
-    class ReadonlyGeo
+    class ReadOnly
       DISALLOWED_METHODS = %w(POST PATCH PUT DELETE).freeze
       APPLICATION_JSON = 'application/json'.freeze
       API_VERSIONS = (3..4)
@@ -13,9 +13,9 @@ module Gitlab
       def call(env)
         @env = env
 
-        if disallowed_request? && Gitlab::Geo.secondary?
-          Rails.logger.debug('GitLab Geo: preventing possible non readonly operation')
-          error_message = 'You cannot do writing operations on a secondary GitLab Geo instance'
+        if disallowed_request? && Gitlab::Database.read_only?
+          Rails.logger.debug('GitLab ReadOnly: preventing possible non read-only operation')
+          error_message = 'You cannot do writing operations on a read-only GitLab instance'
 
           if json_request?
             return [403, { 'Content-Type' => 'application/json' }, [{ 'message' => error_message }.to_json]]

lib/tasks/migrate/setup_postgresql.rake

+require Rails.root.join('ee/lib/ee/gitlab/database')
 require Rails.root.join('lib/gitlab/database')
 require Rails.root.join('lib/gitlab/database/migration_helpers')
 require Rails.root.join('db/migrate/20151007120511_namespaces_projects_path_lower_indexes')

spec/controllers/projects/environments_controller_spec.rb

 require 'spec_helper'
 
 describe Projects::EnvironmentsController do
+  include KubernetesHelpers
+
   set(:user) { create(:user) }
   set(:project) { create(:project) }
 
@@ -21,11 +23,19 @@ describe Projects::EnvironmentsController do
 
         expect(response).to have_http_status(:ok)
       end
+
+      it 'expires etag cache to force reload environments list' do
+        expect_any_instance_of(Gitlab::EtagCaching::Store)
+          .to receive(:touch).with(project_environments_path(project, format: :json))
+
+        get :index, environment_params
+      end
     end
 
     context 'when requesting JSON response for folders' do
       before do
         allow_any_instance_of(Environment).to receive(:deployment_service_ready?).and_return(true)
+        allow_any_instance_of(Environment).to receive(:rollout_status).and_return(kube_deployment_rollout_status)
 
         create(:environment, project: project,
                              name: 'staging/review-1',
@@ -49,14 +59,18 @@ describe Projects::EnvironmentsController do
           get :index, environment_params(format: :json, scope: :available)
         end
 
+        it 'responds with matching schema' do
+          expect(response).to match_response_schema('environments')
+        end
+
         it 'responds with a payload describing available environments' do
           expect(environments.count).to eq 2
           expect(environments.first['name']).to eq 'production'
-          expect(environments.first['latest']['rollout_status_path']).to be_present
+          expect(environments.first['latest']['rollout_status']).to be_present
           expect(environments.second['name']).to eq 'staging'
           expect(environments.second['size']).to eq 2
           expect(environments.second['latest']['name']).to eq 'staging/review-2'
-          expect(environments.second['latest']['rollout_status_path']).to be_present
+          expect(environments.second['latest']['rollout_status']).to be_present
         end
 
         it 'contains values describing environment scopes sizes' do
@@ -96,8 +110,8 @@ describe Projects::EnvironmentsController do
         end
 
         it 'does not return the rollout_status_path attribute' do
-          expect(environments.first['latest']['rollout_status_path']).to be_blank
-          expect(environments.second['latest']['rollout_status_path']).to be_blank
+          expect(environments.first['latest']['rollout_status']).not_to be_present
+          expect(environments.second['latest']['rollout_status']).not_to be_present
         end
       end
     end
@@ -289,59 +303,6 @@ describe Projects::EnvironmentsController do
     end
   end
 
-  describe 'GET #status' do
-    context 'without deployment service' do
-      it 'returns 404' do
-        get :status, environment_params
-
-        expect(response.status).to eq(404)
-      end
-    end
-
-    context 'with deployment service' do
-      let(:project) { create(:kubernetes_project) }
-      let(:environment) { create(:environment, name: 'production', project: project) }
-
-      before do
-        stub_licensed_features(deploy_board: true)
-        allow_any_instance_of(Environment).to receive(:deployment_service_ready?).and_return(true)
-      end
-
-      it 'returns 204 until the rollout status is present' do
-        expect_any_instance_of(Environment)
-          .to receive(:rollout_status)
-          .and_return(nil)
-
-        get :status, environment_params
-
-        expect(response.status).to eq(204)
-        expect(response.headers['Poll-Interval']).to eq("3000")
-      end
-
-      it 'returns the rollout status when present' do
-        expect_any_instance_of(Environment)
-          .to receive(:rollout_status)
-          .and_return(::Gitlab::Kubernetes::RolloutStatus.new([]))
-
-        get :status, environment_params
-
-        expect(response.status).to eq(200)
-      end
-    end
-
-    context 'when license does not has the GitLab_DeployBoard add-on' do
-      before do
-        stub_licensed_features(deploy_board: false)
-      end
-
-      it 'does not return any data' do
-        get :status, environment_params
-
-        expect(response).to have_http_status(:not_found)
-      end
-    end
-  end
-
   describe 'GET #metrics' do
     before do
       allow(controller).to receive(:environment).and_return(environment)

spec/ee/spec/models/ee/user_spec.rb

@@ -83,8 +83,8 @@ describe EE::User do
       expect(subject.reload.remember_created_at).to be_nil
     end
 
-    it 'does not clear remember_created_at when in a Geo secondary node' do
-      allow(Gitlab::Geo).to receive(:secondary?) { true }
+    it 'does not clear remember_created_at when in a GitLab read-only instance' do
+      allow(Gitlab::Database).to receive(:read_only?) { true }
 
       expect { subject.forget_me! }.not_to change(subject, :remember_created_at)
     end
@@ -99,8 +99,8 @@ describe EE::User do
       expect(subject.reload.remember_created_at).not_to be_nil
     end
 
-    it 'does not update remember_created_at when in a Geo secondary node' do
-      allow(Gitlab::Geo).to receive(:secondary?) { true }
+    it 'does not update remember_created_at when in a Geo read-only instance' do
+      allow(Gitlab::Database).to receive(:read_only?) { true }
 
       expect { subject.remember_me! }.not_to change(subject, :remember_created_at)
     end

spec/ee/spec/models/project_services/kubernetes_service_spec.rb

@@ -9,6 +9,7 @@ describe KubernetesService, models: true, use_clean_rails_memory_store_caching:
 
   describe '#rollout_status' do
     let(:environment) { build(:environment, project: project, name: "env", slug: "env-000000") }
+
     subject(:rollout_status) { service.rollout_status(environment) }
 
     context 'with valid deployments' do
@@ -24,5 +25,30 @@ describe KubernetesService, models: true, use_clean_rails_memory_store_caching:
         expect(rollout_status.deployments.map(&:labels)).to eq([{ 'app' => 'env-000000' }])
       end
     end
+
+    context 'with empty list of deployments' do
+      before do
+        stub_reactive_cache(
+          service,
+          deployments: []
+        )
+      end
+
+      it 'creates a matching RolloutStatus' do
+        expect(rollout_status).to be_kind_of(::Gitlab::Kubernetes::RolloutStatus)
+        expect(rollout_status).to be_not_found
+      end
+    end
+
+    context 'not yet loaded deployments' do
+      before do
+        stub_reactive_cache
+      end
+
+      it 'creates a matching RolloutStatus' do
+        expect(rollout_status).to be_kind_of(::Gitlab::Kubernetes::RolloutStatus)
+        expect(rollout_status).to be_loading
+      end
+    end
   end
 end

spec/ee/spec/services/ee/keys/last_used_service_spec.rb

 require 'spec_helper'
 
 describe Keys::LastUsedService do
-  it 'does not run on Geo secondaries', :clean_gitlab_redis_shared_state do
+  it 'does not run on read-only GitLab instances', :clean_gitlab_redis_shared_state do
     key = create(:key, last_used_at: 1.year.ago)
     original_time = key.last_used_at
 
-    allow(::Gitlab::Geo).to receive(:secondary?).and_return(true)
+    allow(::Gitlab::Database).to receive(:read_only?).and_return(true)
     described_class.new(key).execute
 
     expect(key.reload.last_used_at).to be_like_time(original_time)

spec/factories/projects.rb

@@ -174,7 +174,7 @@ FactoryGirl.define do
       end
     end
 
-    trait :readonly do
+    trait :read_only do
       repository_read_only true
     end
 

spec/fixtures/api/schemas/deployment.json

+{
+    "additionalProperties": false,
+    "properties": {
+        "created_at": {
+            "type": "string"
+        },
+        "id": {
+            "type": "integer"
+        },
+        "iid": {
+            "type": "integer"
+        },
+        "last?": {
+            "type": "boolean"
+        },
+        "ref": {
+            "additionalProperties": false,
+            "properties": {
+                "name": {
+                    "type": "string"
+                }
+            },
+            "required": [
+                "name"
+            ],
+            "type": "object"
+        },
+        "sha": {
+            "type": "string"
+        },
+        "tag": {
+            "type": "boolean"
+        }
+    },
+    "required": [
+        "sha",
+        "created_at",
+        "iid",
+        "tag",
+        "last?",
+        "ref",
+        "id"
+    ],
+    "type": "object"
+}

spec/fixtures/api/schemas/deployments.json

@@ -3,49 +3,7 @@
   "properties": {
     "deployments": {
       "items": {
-        "additionalProperties": false,
-        "properties": {
-          "created_at": {
-            "type": "string"
-          },
-          "id": {
-            "type": "integer"
-          },
-          "iid": {
-            "type": "integer"
-          },
-          "last?": {
-            "type": "boolean"
-          },
-          "ref": {
-            "additionalProperties": false,
-            "properties": {
-              "name": {
-                "type": "string"
-              }
-            },
-            "required": [
-              "name"
-            ],
-            "type": "object"
-          },
-          "sha": {
-            "type": "string"
-          },
-          "tag": {
-            "type": "boolean"
-          }
-        },
-        "required": [
-          "sha",
-          "created_at",
-          "iid",
-          "tag",
-          "last?",
-          "ref",
-          "id"
-        ],
-        "type": "object"
+        "$ref": "deployment.json"
       },
       "minItems": 1,
       "type": "array"

spec/fixtures/api/schemas/environment.json

+{
+    "type": "object",
+    "additionalProperties": false,
+    "required": [
+        "id",
+        "name",
+        "state",
+        "last_deployment",
+        "environment_path",
+        "created_at",
+        "updated_at"
+    ],
+    "properties": {
+        "id": {
+            "type": "integer"
+        },
+        "name": {
+            "type": "string"
+        },
+        "state": {
+            "type": "string"
+        },
+        "external_url": {
+            "type": "string"
+        },
+        "environment_type": {
+            "type": [
+                "string",
+                "null"
+            ]
+        },
+        "last_deployment": {
+            "oneOf": [
+                {
+                    "$ref": "deployment.json"
+                },
+                {
+                    "type": ["null"]
+                }
+            ]
+        },
+        "stop_action?": {
+            "type": "boolean"
+        },
+        "rollout_status": {
+            "$ref": "rollout_status.json"
+        },
+        "environment_path": {
+            "type": "string"
+        },
+        "stop_path": {
+            "type": "string"
+        },
+        "terminal_path": {
+            "type": "string"
+        },
+        "folder_path": {
+            "type": "string"
+        },
+        "created_at": {
+            "type": "date"
+        },
+        "updated_at": {
+            "type": "date"
+        }
+    }
+}

spec/fixtures/api/schemas/environments.json

+{
+    "additionalProperties": false,
+    "properties": {
+        "environments": {
+            "items": {
+                "$ref": "environments_group.json"
+            },
+            "minItems": 1,
+            "type": "array"
+        },
+        "available_count": {
+            "type": "integer"
+        },
+        "stopped_count": {
+            "type": "integer"
+        }
+    },
+    "required": [
+        "environments",
+        "available_count",
+        "stopped_count"
+    ],
+    "type": "object"
+}

spec/fixtures/api/schemas/environments_group.json

+{
+    "type": "object",
+    "required": [
+        "name",
+        "size",
+        "latest"
+    ],
+    "additionalProperties": false,
+    "properties": {
+        "name": {
+            "type": "string"
+        },
+        "size": {
+            "type": "integer"
+        },
+        "latest": {
+            "$ref": "environment.json"
+        }
+    }
+}

spec/fixtures/api/schemas/rollout_status.json

+{
+    "type": "object",
+    "additionalProperties": false,
+    "required": [
+        "status"
+    ],
+    "properties": {
+        "status": {
+            "type": "string"
+        },
+        "completion": {
+            "type": "integer"
+        },
+        "is_completed": {
+            "type": "boolean"
+        },
+        "instances": {
+            "type": "array",
+            "items": {
+                "additionalProperties": false,
+                "type": "object",
+                "required": [
+                    "status",
+                    "tooltip",
+                    "track",
+                    "stable"
+                ],
+                "properties": {
+                    "status": {
+                        "type": "string"
+                    },
+                    "tooltip": {
+                        "type": "string"
+                    },
+                    "track": {
+                        "type": "string"
+                    },
+                    "stable": {
+                        "type": "boolean"
+                    }
+                }
+            }
+        }
+    }
+}

spec/initializers/secret_token_spec.rb

@@ -36,10 +36,10 @@ describe 'create_tokens' do
         expect(keys).to all(match(HEX_KEY))
       end
 
-      it 'generates an RSA key for jws_private_key' do
+      it 'generates an RSA key for openid_connect_signing_key' do
         create_tokens
 
-        keys = secrets.values_at(:jws_private_key)
+        keys = secrets.values_at(:openid_connect_signing_key)
 
         expect(keys.uniq).to eq(keys)
         expect(keys).to all(match(RSA_KEY))
@@ -49,7 +49,7 @@ describe 'create_tokens' do
         expect(self).to receive(:warn_missing_secret).with('secret_key_base')
         expect(self).to receive(:warn_missing_secret).with('otp_key_base')
         expect(self).to receive(:warn_missing_secret).with('db_key_base')
-        expect(self).to receive(:warn_missing_secret).with('jws_private_key')
+        expect(self).to receive(:warn_missing_secret).with('openid_connect_signing_key')
 
         create_tokens
       end
@@ -61,7 +61,7 @@ describe 'create_tokens' do
           expect(new_secrets['secret_key_base']).to eq(secrets.secret_key_base)
           expect(new_secrets['otp_key_base']).to eq(secrets.otp_key_base)
           expect(new_secrets['db_key_base']).to eq(secrets.db_key_base)
-          expect(new_secrets['jws_private_key']).to eq(secrets.jws_private_key)
+          expect(new_secrets['openid_connect_signing_key']).to eq(secrets.openid_connect_signing_key)
         end
 
         create_tokens
@@ -77,7 +77,7 @@ describe 'create_tokens' do
     context 'when the other secrets all exist' do
       before do
         secrets.db_key_base = 'db_key_base'
-        secrets.jws_private_key = 'jws_private_key'
+        secrets.openid_connect_signing_key = 'openid_connect_signing_key'
 
         allow(File).to receive(:exist?).with('.secret').and_return(true)
         allow(File).to receive(:read).with('.secret').and_return('file_key')
@@ -88,7 +88,7 @@ describe 'create_tokens' do
           stub_env('SECRET_KEY_BASE', 'env_key')
           secrets.secret_key_base = 'secret_key_base'
           secrets.otp_key_base = 'otp_key_base'
-          secrets.jws_private_key = 'jws_private_key'
+          secrets.openid_connect_signing_key = 'openid_connect_signing_key'
         end
 
         it 'does not issue a warning' do
@@ -114,7 +114,7 @@ describe 'create_tokens' do
         before do
           secrets.secret_key_base = 'secret_key_base'
           secrets.otp_key_base = 'otp_key_base'
-          secrets.jws_private_key = 'jws_private_key'
+          secrets.openid_connect_signing_key = 'openid_connect_signing_key'
         end
 
         it 'does not write any files' do
@@ -129,7 +129,7 @@ describe 'create_tokens' do
           expect(secrets.secret_key_base).to eq('secret_key_base')
           expect(secrets.otp_key_base).to eq('otp_key_base')
           expect(secrets.db_key_base).to eq('db_key_base')
-          expect(secrets.jws_private_key).to eq('jws_private_key')
+          expect(secrets.openid_connect_signing_key).to eq('openid_connect_signing_key')
         end
 
         it 'deletes the .secret file' do
@@ -153,7 +153,7 @@ describe 'create_tokens' do
             expect(new_secrets['secret_key_base']).to eq('file_key')
             expect(new_secrets['otp_key_base']).to eq('file_key')
             expect(new_secrets['db_key_base']).to eq('db_key_base')
-            expect(new_secrets['jws_private_key']).to eq('jws_private_key')
+            expect(new_secrets['openid_connect_signing_key']).to eq('openid_connect_signing_key')
           end
 
           create_tokens

spec/javascripts/environments/deploy_board_component_spec.js

 import Vue from 'vue';
 import DeployBoard from '~/environments/components/deploy_board_component.vue';
-import { deployBoardMockData, invalidDeployBoardMockData } from './mock_data';
+import { deployBoardMockData } from './mock_data';
 
 describe('Deploy Board', () => {
   let DeployBoardComponent;
@@ -17,7 +17,7 @@ describe('Deploy Board', () => {
         propsData: {
           deployBoardData: deployBoardMockData,
           isLoading: false,
-          hasError: false,
+          isEmpty: false,
         },
       }).$mount();
     });
@@ -46,15 +46,15 @@ describe('Deploy Board', () => {
     });
   });
 
-  describe('without valid data', () => {
+  describe('with empty state', () => {
     let component;
 
     beforeEach(() => {
       component = new DeployBoardComponent({
         propsData: {
-          deployBoardData: invalidDeployBoardMockData,
+          deployBoardData: {},
           isLoading: false,
-          hasError: false,
+          isEmpty: true,
         },
       }).$mount();
     });
@@ -65,21 +65,21 @@ describe('Deploy Board', () => {
     });
   });
 
-  describe('with error', () => {
+  describe('with loading state', () => {
     let component;
 
     beforeEach(() => {
       component = new DeployBoardComponent({
         propsData: {
           deployBoardData: {},
-          isLoading: false,
-          hasError: true,
+          isLoading: true,
+          isEmpty: false,
         },
       }).$mount();
     });
 
-    it('should render empty state', () => {
-      expect(component.$el.children.length).toEqual(1);
+    it('should render loading spinner', () => {
+      expect(component.$el.querySelector('.fa-spin')).toBeDefined();
     });
   });
 });

spec/javascripts/environments/environment_table_spec.js

@@ -37,12 +37,11 @@ describe('Environment item', () => {
       size: 1,
       environment_path: 'url',
       id: 1,
-      rollout_status_path: 'url',
       hasDeployBoard: true,
       deployBoardData: deployBoardMockData,
       isDeployBoardVisible: true,
       isLoadingDeployBoard: false,
-      hasErrorDeployBoard: false,
+      isEmptyDeployBoard: false,
     };
 
     const component = new EnvironmentTable({
@@ -66,7 +65,6 @@ describe('Environment item', () => {
       size: 1,
       environment_path: 'url',
       id: 1,
-      rollout_status_path: 'url',
       hasDeployBoard: true,
       deployBoardData: {
         instances: [

spec/javascripts/environments/environments_store_spec.js

@@ -29,12 +29,12 @@ describe('Store', () => {
       stop_path: '/root/review-app/environments/7/stop',
       created_at: '2017-01-31T10:53:46.894Z',
       updated_at: '2017-01-31T10:53:46.894Z',
-      rollout_status_path: '/path',
+      rollout_status: {},
       hasDeployBoard: true,
-      isDeployBoardVisible: false,
+      isDeployBoardVisible: true,
       deployBoardData: {},
       isLoadingDeployBoard: false,
-      hasErrorDeployBoard: false,
+      isEmptyDeployBoard: false,
     };
 
     store.storeEnvironments(serverData);
@@ -58,20 +58,20 @@ describe('Store', () => {
       expect(store.state.environments.length).toEqual(serverData.length);
     });
 
-    it('should store a non folder environment with deploy board if rollout_status_path key is provided', () => {
+    it('should store a non folder environment with deploy board if rollout_status key is provided', () => {
       const environment = {
         name: 'foo',
         size: 1,
         latest: {
           id: 1,
-          rollout_status_path: 'url',
+          rollout_status: deployBoardMockData,
         },
       };
 
       store.storeEnvironments([environment]);
       expect(store.state.environments[0].hasDeployBoard).toEqual(true);
-      expect(store.state.environments[0].isDeployBoardVisible).toEqual(false);
-      expect(store.state.environments[0].deployBoardData).toEqual({});
+      expect(store.state.environments[0].isDeployBoardVisible).toEqual(true);
+      expect(store.state.environments[0].deployBoardData).toEqual(deployBoardMockData);
     });
 
     it('should add folder keys when environment is a folder', () => {
@@ -192,7 +192,7 @@ describe('Store', () => {
         latest: {
           id: 1,
         },
-        rollout_status_path: 'path',
+        rollout_status: deployBoardMockData,
       };
 
       store.storeEnvironments([environment]);
@@ -201,16 +201,10 @@ describe('Store', () => {
     it('should toggle deploy board property for given environment id', () => {
       store.toggleDeployBoard(1);
 
-      expect(store.state.environments[0].isDeployBoardVisible).toEqual(true);
-    });
-
-    it('should store deploy board data for given environment id', () => {
-      store.storeDeployBoard(1, deployBoardMockData);
-      expect(store.state.environments[0].deployBoardData).toEqual(deployBoardMockData);
+      expect(store.state.environments[0].isDeployBoardVisible).toEqual(false);
     });
 
     it('should keep deploy board data when updating environments', () => {
-      store.storeDeployBoard(1, deployBoardMockData);
       expect(store.state.environments[0].deployBoardData).toEqual(deployBoardMockData);
 
       const environment = {
@@ -219,7 +213,7 @@ describe('Store', () => {
         latest: {
           id: 1,
         },
-        rollout_status_path: 'path',
+        rollout_status: deployBoardMockData,
       };
       store.storeEnvironments([environment]);
       expect(store.state.environments[0].deployBoardData).toEqual(deployBoardMockData);
@@ -243,12 +237,12 @@ describe('Store', () => {
         latest: {
           id: 1,
         },
-        rollout_status_path: 'path',
+        rollout_status: deployBoardMockData,
       };
 
       store.storeEnvironments([environment]);
 
-      expect(store.getOpenDeployBoards().length).toEqual(0);
+      expect(store.getOpenDeployBoards().length).toEqual(1);
     });
   });
 });

spec/javascripts/environments/mock_data.js

@@ -12,7 +12,7 @@ export const environmentsList = [
     stop_path: '/root/review-app/environments/7/stop',
     created_at: '2017-01-31T10:53:46.894Z',
     updated_at: '2017-01-31T10:53:46.894Z',
-    rollout_status_path: '/path',
+    rollout_status: {},
   },
   {
     folderName: 'build',
@@ -28,7 +28,7 @@ export const environmentsList = [
     stop_path: '/root/review-app/environments/12/stop',
     created_at: '2017-02-01T19:42:18.400Z',
     updated_at: '2017-02-01T19:42:18.400Z',
-    rollout_status_path: '/path',
+    rollout_status: {},
   },
 ];
 
@@ -48,7 +48,7 @@ export const serverData = [
       stop_path: '/root/review-app/environments/7/stop',
       created_at: '2017-01-31T10:53:46.894Z',
       updated_at: '2017-01-31T10:53:46.894Z',
-      rollout_status_path: '/path',
+      rollout_status: {},
     },
   },
   {
@@ -100,7 +100,7 @@ export const environment = {
   stop_path: '/root/review-app/environments/7/stop',
   created_at: '2017-01-31T10:53:46.894Z',
   updated_at: '2017-01-31T10:53:46.894Z',
-  rollout_status_path: '/path',
+  rollout_status: {},
 };
 
 export const deployBoardMockData = {
@@ -136,15 +136,7 @@ export const deployBoardMockData = {
   abort_url: 'url',
   rollback_url: 'url',
   completion: 100,
-  valid: true,
-};
-
-export const invalidDeployBoardMockData = {
-  instances: [],
-  abort_url: 'url',
-  rollback_url: 'url',
-  completion: 100,
-  valid: false,
+  status: 'found',
 };
 
 export const folder = {

spec/lib/banzai/renderer_spec.rb

@@ -31,14 +31,14 @@ describe Banzai::Renderer do
         let(:object) { fake_object(fresh: false) }
 
         it 'caches and returns the result' do
-          expect(object).to receive(:refresh_markdown_cache!).with(do_update: true)
+          expect(object).to receive(:refresh_markdown_cache!)
 
           is_expected.to eq('field_html')
         end
 
-        it "skips database caching on a Geo secondary" do
-          allow(Gitlab::Geo).to receive(:secondary?).and_return(true)
-          expect(object).to receive(:refresh_markdown_cache!).with(do_update: false)
+        it "skips database caching on a GitLab read-only instance" do
+          allow(Gitlab::Database).to receive(:read_only?).and_return(true)
+          expect(object).to receive(:refresh_markdown_cache!)
 
           is_expected.to eq('field_html')
         end

spec/lib/gitlab/geo/database_tasks_spec.rb

@@ -65,7 +65,9 @@ describe Gitlab::Geo::DatabaseTasks do
   describe described_class::Migrate do
     describe '.up' do
       it 'requires ENV["VERSION"] to be set' do
-        expect { subject.up }.to raise_error(String)
+        stub_env('VERSION', nil)
+
+        expect { subject.up }.to raise_error(/VERSION is required/)
       end
 
       it 'calls ActiveRecord::Migrator.run' do
@@ -78,7 +80,9 @@ describe Gitlab::Geo::DatabaseTasks do
 
     describe '.down' do
       it 'requires ENV["VERSION"] to be set' do
-        expect { subject.down }.to raise_error(String)
+        stub_env('VERSION', nil)
+
+        expect { subject.down }.to raise_error(/VERSION is required/)
       end
 
       it 'calls ActiveRecord::Migrator.run' do

spec/lib/gitlab/geo/log_cursor/daemon_spec.rb

@@ -4,7 +4,7 @@ describe Gitlab::Geo::LogCursor::Daemon, :postgresql do
   include ::EE::GeoHelpers
 
   describe '#run!' do
-    set(:geo_node) { create(:geo_node) }
+    set(:geo_node) { create(:geo_node, :primary) }
 
     before do
       stub_current_geo_node(geo_node)
@@ -30,7 +30,8 @@ describe Gitlab::Geo::LogCursor::Daemon, :postgresql do
     end
 
     context 'when replaying a repository created event' do
-      let(:repository_created_event) { create(:geo_repository_created_event) }
+      let(:project) { create(:project) }
+      let(:repository_created_event) { create(:geo_repository_created_event, project: project) }
       let(:event_log) { create(:geo_event_log, repository_created_event: repository_created_event) }
       let!(:event_log_state) { create(:geo_event_log_state, event_id: event_log.id - 1) }
 
@@ -47,7 +48,7 @@ describe Gitlab::Geo::LogCursor::Daemon, :postgresql do
 
         registry = Geo::ProjectRegistry.last
 
-        expect(registry).to have_attributes(resync_repository: true, resync_wiki: true)
+        expect(registry).to have_attributes(project_id: project.id, resync_repository: true, resync_wiki: true)
       end
 
       it 'sets resync_wiki to false if wiki_path is nil' do
@@ -57,14 +58,22 @@ describe Gitlab::Geo::LogCursor::Daemon, :postgresql do
 
         registry = Geo::ProjectRegistry.last
 
-        expect(registry).to have_attributes(resync_repository: true, resync_wiki: false)
+        expect(registry).to have_attributes(project_id: project.id, resync_repository: true, resync_wiki: false)
+      end
+
+      it 'performs Geo::ProjectSyncWorker' do
+        expect(Geo::ProjectSyncWorker).to receive(:perform_async)
+          .with(project.id, anything).once
+
+        subject.run!
       end
     end
 
     context 'when replaying a repository updated event' do
-      let(:event_log) { create(:geo_event_log, :updated_event) }
+      let(:project) { create(:project) }
+      let(:repository_updated_event) { create(:geo_repository_updated_event, project: project) }
+      let(:event_log) { create(:geo_event_log, repository_updated_event: repository_updated_event) }
       let!(:event_log_state) { create(:geo_event_log_state, event_id: event_log.id - 1) }
-      let(:repository_updated_event) { event_log.repository_updated_event }
 
       before do
         allow(subject).to receive(:exit?).and_return(false, true)
@@ -91,6 +100,13 @@ describe Gitlab::Geo::LogCursor::Daemon, :postgresql do
 
         expect(registry.reload.resync_wiki).to be true
       end
+
+      it 'performs Geo::ProjectSyncWorker' do
+        expect(Geo::ProjectSyncWorker).to receive(:perform_async)
+          .with(project.id, anything).once
+
+        subject.run!
+      end
     end
 
     context 'when replaying a repository deleted event' do
@@ -155,6 +171,7 @@ describe Gitlab::Geo::LogCursor::Daemon, :postgresql do
 
       before do
         allow(subject).to receive(:exit?).and_return(false, true)
+        allow(Geo::ProjectSyncWorker).to receive(:perform_async)
       end
 
       it 'replays events for projects that belong to selected namespaces to replicate' do

spec/lib/gitlab/geo_spec.rb

@@ -110,7 +110,7 @@ describe Gitlab::Geo do
     end
   end
 
-  describe 'readonly?' do
+  describe 'secondary?' do
     context 'when current node is secondary' do
       it 'returns true' do
         stub_current_geo_node(secondary_node)

spec/lib/gitlab/git_access_spec.rb

@@ -744,11 +744,10 @@ describe Gitlab::GitAccess do
       run_permission_checks(admin: matrix)
     end
 
-    context "when in a secondary gitlab geo node" do
+    context "when in a read-only GitLab instance" do
       before do
         create(:protected_branch, name: 'feature', project: project)
-        allow(Gitlab::Geo).to receive(:enabled?) { true }
-        allow(Gitlab::Geo).to receive(:secondary?) { true }
+        allow(Gitlab::Database).to receive(:read_only?) { true }
       end
 
       # Only check admin; if an admin can't do it, other roles can't either
@@ -944,7 +943,7 @@ describe Gitlab::GitAccess do
   end
 
   context 'when the repository is read only' do
-    let(:project) { create(:project, :repository, :readonly) }
+    let(:project) { create(:project, :repository, :read_only) }
 
     it 'denies push access' do
       project.add_master(user)

spec/lib/gitlab/git_access_wiki_spec.rb

@@ -25,15 +25,13 @@ describe Gitlab::GitAccessWiki do
 
       it { expect { subject }.not_to raise_error }
 
-      context 'when in a secondary gitlab geo node' do
+      context 'when in a read-only GitLab instance' do
         before do
-          allow(Gitlab::Geo).to receive(:enabled?) { true }
-          allow(Gitlab::Geo).to receive(:secondary?) { true }
-          allow(Gitlab::Geo).to receive(:license_allows?) { true }
+          allow(Gitlab::Database).to receive(:read_only?) { true }
         end
 
         it 'does not give access to upload wiki code' do
-          expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, "You can't push code to a secondary GitLab Geo node.")
+          expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, "You can't push code to a read-only GitLab instance.")
         end
       end
     end

spec/lib/gitlab/kubernetes/rollout_status_spec.rb

@@ -94,15 +94,33 @@ describe Gitlab::Kubernetes::RolloutStatus do
     end
   end
 
-  describe '#valid?' do
+  describe '#not_found?' do
     context 'when the specs are passed' do
-      it { is_expected.to be_valid }
+      it { is_expected.not_to be_not_found }
     end
 
-    context 'when no specs are passed' do
+    context 'when list of specs is empty' do
       let(:specs) { specs_none }
 
-      it { is_expected.not_to be_valid }
+      it { is_expected.to be_not_found }
     end
   end
+
+  describe '#found?' do
+    context 'when the specs are passed' do
+      it { is_expected.to be_found }
+    end
+
+    context 'when list of specs is empty' do
+      let(:specs) { specs_none }
+
+      it { is_expected.not_to be_found }
+    end
+  end
+
+  describe '.loading' do
+    subject { described_class.loading }
+
+    it { is_expected.to be_loading }
+  end
 end

spec/lib/gitlab/middleware/readonly_geo_spec.rb → spec/lib/gitlab/middleware/read_only_spec.rb

 require 'spec_helper'
 
-describe Gitlab::Middleware::ReadonlyGeo do
+describe Gitlab::Middleware::ReadOnly do
   include Rack::Test::Methods
 
   RSpec::Matchers.define :be_a_redirect do
@@ -38,11 +38,11 @@ describe Gitlab::Middleware::ReadonlyGeo do
 
   let(:request) { Rack::MockRequest.new(rack_stack) }
 
-  context 'normal requests to a secondary Gitlab Geo' do
+  context 'normal requests to a read-only Gitlab instance' do
     let(:fake_app) { lambda { |env| [200, { 'Content-Type' => 'text/plain' }, ['OK']] } }
 
     before do
-      allow(Gitlab::Geo).to receive(:secondary?) { true }
+      allow(Gitlab::Database).to receive(:read_only?) { true }
     end
 
     it 'expects PATCH requests to be disallowed' do
@@ -98,13 +98,6 @@ describe Gitlab::Middleware::ReadonlyGeo do
         expect(subject).not_to disallow_request
       end
 
-      it 'expects a GET status request to be allowed' do
-        response = request.get("/api/#{API::API.version}/geo/status")
-
-        expect(response).not_to be_a_redirect
-        expect(subject).not_to disallow_request
-      end
-
       it 'expects a POST LFS request to batch URL to be allowed' do
         response = request.post('/root/rouge.git/info/lfs/objects/batch')
 
@@ -114,12 +107,12 @@ describe Gitlab::Middleware::ReadonlyGeo do
     end
   end
 
-  context 'json requests to a secondary Geo node' do
+  context 'json requests to a read-only GitLab instance' do
     let(:fake_app) { lambda { |env| [200, { 'Content-Type' => 'application/json' }, ['OK']] } }
     let(:content_json) { { 'CONTENT_TYPE' => 'application/json' } }
 
     before do
-      allow(Gitlab::Geo).to receive(:secondary?) { true }
+      allow(Gitlab::Database).to receive(:read_only?) { true }
     end
 
     it 'expects PATCH requests to be disallowed' do

spec/lib/rspec_flaky/listener_spec.rb

@@ -45,6 +45,7 @@ describe RspecFlaky::Listener, :aggregate_failures do
     # Stub these env variables otherwise specs don't behave the same on the CI
     stub_env('CI_PROJECT_URL', nil)
     stub_env('CI_JOB_ID', nil)
+    stub_env('SUITE_FLAKY_RSPEC_REPORT_PATH', nil)
   end
 
   describe '#initialize' do

spec/models/concerns/cache_markdown_field_spec.rb

@@ -178,14 +178,13 @@ describe CacheMarkdownField do
     end
   end
 
-  describe '#refresh_markdown_cache!' do
+  describe '#refresh_markdown_cache' do
     before do
       thing.foo = updated_markdown
     end
 
-    context 'do_update: false' do
     it 'fills all html fields' do
-        thing.refresh_markdown_cache!
+      thing.refresh_markdown_cache
 
       expect(thing.foo_html).to eq(updated_html)
       expect(thing.foo_html_changed?).to be_truthy
@@ -195,20 +194,24 @@ describe CacheMarkdownField do
     it 'does not save the result' do
       expect(thing).not_to receive(:update_columns)
 
-        thing.refresh_markdown_cache!
+      thing.refresh_markdown_cache
     end
 
     it 'updates the markdown cache version' do
       thing.cached_markdown_version = nil
-        thing.refresh_markdown_cache!
+      thing.refresh_markdown_cache
 
       expect(thing.cached_markdown_version).to eq(CacheMarkdownField::CACHE_VERSION)
     end
   end
 
-    context 'do_update: true' do
+  describe '#refresh_markdown_cache!' do
+    before do
+      thing.foo = updated_markdown
+    end
+
     it 'fills all html fields' do
-        thing.refresh_markdown_cache!(do_update: true)
+      thing.refresh_markdown_cache!
 
       expect(thing.foo_html).to eq(updated_html)
       expect(thing.foo_html_changed?).to be_truthy
@@ -219,7 +222,7 @@ describe CacheMarkdownField do
       expect(thing).to receive(:persisted?).and_return(false)
       expect(thing).not_to receive(:update_columns)
 
-        thing.refresh_markdown_cache!(do_update: true)
+      thing.refresh_markdown_cache!
     end
 
     it 'saves the changes using #update_columns' do
@@ -227,8 +230,7 @@ describe CacheMarkdownField do
       expect(thing).to receive(:update_columns)
         .with("foo_html" => updated_html, "baz_html" => "", "cached_markdown_version" => CacheMarkdownField::CACHE_VERSION)
 
-        thing.refresh_markdown_cache!(do_update: true)
-      end
+      thing.refresh_markdown_cache!
     end
   end
 

spec/models/concerns/reactive_caching_spec.rb

@@ -115,6 +115,13 @@ describe ReactiveCaching, :use_clean_rails_memory_store_caching do
         go!
       end
 
+      it "calls a reactive_cache_updated only once if content did not change on subsequent update" do
+        expect(instance).to receive(:calculate_reactive_cache).twice
+        expect(instance).to receive(:reactive_cache_updated).once
+
+        2.times { instance.exclusively_update_reactive_cache! }
+      end
+
       context 'and #calculate_reactive_cache raises an exception' do
         before do
           stub_reactive_cache(instance, "preexisting")

spec/models/concerns/routable_spec.rb

@@ -12,10 +12,10 @@ describe Group, 'Routable' do
     it { is_expected.to have_many(:redirect_routes).dependent(:destroy) }
   end
 
-  describe 'Geo secondary' do
+  describe 'GitLab read-only instance' do
     it 'does not save route if route is not present' do
       group.route.path = ''
-      allow(Gitlab::Geo).to receive(:secondary?).and_return(true)
+      allow(Gitlab::Database).to receive(:read_only?).and_return(true)
       expect(group).to receive(:update_route).and_call_original
 
       expect { group.full_path }.to change { Route.count }.by(0)

spec/models/environment_spec.rb

@@ -385,6 +385,7 @@ describe Environment do
 
   describe '#rollout_status' do
     let(:project) { create(:kubernetes_project) }
+
     subject { environment.rollout_status }
 
     context 'when the environment has rollout status' do

spec/models/project_spec.rb

@@ -824,8 +824,8 @@ describe Project do
       end.to change { project.has_external_issue_tracker}.to(false)
     end
 
-    it 'does not cache data when in a secondary gitlab geo node' do
-      allow(Gitlab::Geo).to receive(:secondary?) { true }
+    it 'does not cache data when in a read-only GitLab instance' do
+      allow(Gitlab::Database).to receive(:read_only?) { true }
 
       expect do
         project.cache_has_external_issue_tracker
@@ -854,8 +854,8 @@ describe Project do
       end.to change { project.has_external_wiki}.to(false)
     end
 
-    it 'does not cache data when in a secondary gitlab geo node' do
-      allow(Gitlab::Geo).to receive(:secondary?) { true }
+    it 'does not cache data when in a read-only GitLab instance' do
+      allow(Gitlab::Database).to receive(:read_only?) { true }
 
       expect do
         project.cache_has_external_wiki
@@ -2930,7 +2930,7 @@ describe Project do
         expect(project.migrate_to_hashed_storage!).to be_truthy
       end
 
-      it 'flags as readonly' do
+      it 'flags as read-only' do
         expect { project.migrate_to_hashed_storage! }.to change { project.repository_read_only }.to(true)
       end
 
@@ -3057,7 +3057,7 @@ describe Project do
         expect(project.migrate_to_hashed_storage!).to be_nil
       end
 
-      it 'does not flag as readonly' do
+      it 'does not flag as read-only' do
         expect { project.migrate_to_hashed_storage! }.not_to change { project.repository_read_only }
       end
     end

spec/requests/lfs_http_spec.rb

@@ -877,8 +877,7 @@ describe 'Git LFS API and storage' do
     end
   end
 
-  describe 'when handling lfs batch request on a secondary Geo node' do
-    let!(:primary) { create(:geo_node, :primary) }
+  describe 'when handling lfs batch request on a read-only GitLab instance' do
     let(:authorization) { authorize_user }
     let(:project) { create(:project) }
     let(:path) { "#{project.http_url_to_repo}/info/lfs/objects/batch" }
@@ -887,7 +886,7 @@ describe 'Git LFS API and storage' do
     end
 
     before do
-      allow(Gitlab::Geo).to receive(:secondary?) { true }
+      allow(Gitlab::Database).to receive(:read_only?) { true }
       project.team << [user, :master]
       enable_lfs
     end
@@ -902,7 +901,7 @@ describe 'Git LFS API and storage' do
       post_lfs_json path, body.merge('operation' => 'upload'), headers
 
       expect(response).to have_gitlab_http_status(403)
-      expect(json_response).to include('message' => "You cannot write to a secondary GitLab Geo instance. Please use #{project.http_url_to_repo} instead.")
+      expect(json_response).to include('message' => 'You cannot write to this read-only GitLab instance.')
     end
   end
 

spec/serializers/environment_entity_spec.rb

 require 'spec_helper'
 
 describe EnvironmentEntity do
+  include KubernetesHelpers
+
   let(:user) { create(:user) }
   let(:environment) { create(:environment) }
 
@@ -50,12 +52,11 @@ describe EnvironmentEntity do
     before do
       stub_licensed_features(deploy_board: true)
       allow(environment).to receive(:deployment_service_ready?).and_return(true)
+      allow(environment).to receive(:rollout_status).and_return(kube_deployment_rollout_status)
     end
 
-    it 'exposes rollout_status_path' do
-      expected = '/' + [environment.project.full_path, 'environments', environment.id, 'status.json'].join('/')
-
-      expect(subject[:rollout_status_path]).to eq(expected)
+    it 'exposes rollout_status' do
+      expect(subject).to include(:rollout_status)
     end
   end
 
@@ -65,7 +66,7 @@ describe EnvironmentEntity do
       allow(environment).to receive(:deployment_service_ready?).and_return(true)
     end
 
-    it 'does not expose rollout_status_path' do
+    it 'does not expose rollout_status' do
       expect(subject[:rollout_status_path]).to be_blank
     end
   end

spec/serializers/environment_serializer_spec.rb

@@ -54,7 +54,7 @@ describe EnvironmentSerializer do
 
   context 'when representing environments within folders' do
     let(:serializer) do
-      described_class.new(project: project).within_folders
+      described_class.new(current_user: user, project: project).within_folders
     end
 
     let(:resource) { Environment.all }
@@ -123,7 +123,7 @@ describe EnvironmentSerializer do
     let(:pagination) { { page: 1, per_page: 2 } }
 
     let(:serializer) do
-      described_class.new(project: project)
+      described_class.new(current_user: user, project: project)
         .with_pagination(request, response)
     end
 
@@ -169,7 +169,7 @@ describe EnvironmentSerializer do
 
       context 'when grouping environments within folders' do
         let(:serializer) do
-          described_class.new(project: project)
+          described_class.new(current_user: user, project: project)
             .with_pagination(request, response)
             .within_folders
         end

spec/serializers/rollout_status_entity_spec.rb

@@ -7,11 +7,29 @@ describe RolloutStatusEntity do
     described_class.new(rollout_status, request: double)
   end
 
-  let(:rollout_status) { ::Gitlab::Kubernetes::RolloutStatus.from_specs(kube_deployment) }
   subject { entity.as_json }
 
-  it { is_expected.to have_key(:instances) }
-  it { is_expected.to have_key(:completion) }
-  it { is_expected.to have_key(:is_completed) }
-  it { is_expected.to have_key(:valid) }
+  context 'when kube deployment is valid' do
+    let(:rollout_status) { kube_deployment_rollout_status }
+
+    it "exposes status" do
+      is_expected.to include(:status)
+    end
+
+    it "exposes deployment data" do
+      is_expected.to include(:instances, :completion, :is_completed)
+    end
+  end
+
+  context 'when kube deployment is empty' do
+    let(:rollout_status) { empty_deployment_rollout_status }
+
+    it "exposes status" do
+      is_expected.to include(:status)
+    end
+
+    it "does not expose deployment data" do
+      is_expected.not_to include(:instances, :completion, :is_completed)
+    end
+  end
 end

spec/services/projects/hashed_storage_migration_service_spec.rb

@@ -20,7 +20,7 @@ describe Projects::HashedStorageMigrationService do
         expect(gitlab_shell.exists?(project.repository_storage_path, "#{hashed_storage.disk_path}.wiki.git")).to be_truthy
       end
 
-      it 'updates project to be hashed and not readonly' do
+      it 'updates project to be hashed and not read-only' do
         service.execute
 
         expect(project.hashed_storage?).to be_truthy

spec/services/users/activity_service_spec.rb

@@ -39,9 +39,9 @@ describe Users::ActivityService do
       end
     end
 
-    context 'when in Geo secondary node' do
+    context 'when in GitLab read-only instance' do
       before do
-        allow(Gitlab::Geo).to receive(:secondary?).and_return(true)
+        allow(Gitlab::Database).to receive(:read_only?).and_return(true)
       end
 
       it 'does not update last_activity_at' do

spec/support/kubernetes_helpers.rb

@@ -122,4 +122,12 @@ module KubernetesHelpers
       terminal
     end
   end
+
+  def kube_deployment_rollout_status
+    ::Gitlab::Kubernetes::RolloutStatus.from_specs(kube_deployment)
+  end
+
+  def empty_deployment_rollout_status
+    ::Gitlab::Kubernetes::RolloutStatus.from_specs()
+  end
 end

spec/workers/repository_fork_worker_spec.rb

@@ -12,6 +12,28 @@ describe RepositoryForkWorker do
   end
 
   describe "#perform" do
+    describe 'when a worker was reset without cleanup' do
+      let(:jid) { '12345678' }
+      let(:started_project) { create(:project, :repository, :import_started) }
+
+      it 'creates a new repository from a fork' do
+        allow(subject).to receive(:jid).and_return(jid)
+
+        expect(shell).to receive(:fork_repository).with(
+          '/test/path',
+          project.full_path,
+          project.repository_storage_path,
+          fork_project.namespace.full_path
+        ).and_return(true)
+
+        subject.perform(
+          project.id,
+          '/test/path',
+          project.full_path,
+          fork_project.namespace.full_path)
+      end
+    end
+
     it "creates a new repository from a fork" do
       expect(shell).to receive(:fork_repository).with(
         '/test/path',

spec/workers/repository_import_worker_spec.rb

@@ -6,6 +6,23 @@ describe RepositoryImportWorker do
   subject { described_class.new }
 
   describe '#perform' do
+    context 'when worker was reset without cleanup' do
+      let(:jid) { '12345678' }
+      let(:started_project) { create(:project, :import_started, import_jid: jid) }
+
+      it 'imports the project successfully' do
+        allow(subject).to receive(:jid).and_return(jid)
+
+        expect_any_instance_of(Projects::ImportService).to receive(:execute)
+          .and_return({ status: :ok })
+
+        expect_any_instance_of(Repository).to receive(:expire_emptiness_caches)
+        expect_any_instance_of(Project).to receive(:import_finish)
+
+        subject.perform(project.id)
+      end
+    end
+
     context 'when the import was successful' do
       it 'imports a project' do
         expect_any_instance_of(Projects::ImportService).to receive(:execute)

spec/workers/repository_update_mirror_worker_spec.rb

@@ -2,10 +2,12 @@ require 'rails_helper'
 
 describe RepositoryUpdateMirrorWorker do
   describe '#perform' do
+    let(:jid) { '12345678' }
     let!(:project) { create(:project, :mirror, :import_scheduled) }
 
     before do
       allow_any_instance_of(Gitlab::ExclusiveLease).to receive(:try_obtain).and_return(true)
+      allow(subject).to receive(:jid).and_return(jid)
     end
 
     it 'sets status as finished when update mirror service executes successfully' do
@@ -36,16 +38,22 @@ describe RepositoryUpdateMirrorWorker do
       expect(project.reload.import_status).to eq('failed')
     end
 
+    context 'when worker was reset without cleanup' do
+      let(:started_project) { create(:project, :mirror, :import_started, import_jid: jid) }
+
+      it 'sets status as finished when update mirror service executes successfully' do
+        expect_any_instance_of(Projects::UpdateMirrorService).to receive(:execute).and_return(status: :success)
+
+        expect { subject.perform(started_project.id) }.to change { started_project.reload.import_status }.to('finished')
+      end
+    end
+
     context 'reschedule mirrors' do
       before do
         allow_any_instance_of(Projects::UpdateMirrorService).to receive(:execute).and_return(status: :success)
       end
 
       context 'when we obtain the lease' do
-        before do
-          allow_any_instance_of(Gitlab::ExclusiveLease).to receive(:try_obtain).and_return(true)
-        end
-
         it 'performs UpdateAllMirrorsWorker when reschedule_immediately? returns true' do
           allow(Gitlab::Mirror).to receive(:reschedule_immediately?).and_return(true)