Expire application settings after encrypting tokens

app/models/concerns/token_authenticatable_strategies/encrypted.rb

@@ -25,6 +25,9 @@ module TokenAuthenticatableStrategies
       #
       # In that case we are using insecure strategy, but this should only happen
       # in tests, because otherwise `encrypted_field` is going to exist.
+      #
+      # Another use case is when we are caching resources / columns, like we do
+      # in case of ApplicationSetting.
 
       return super if instance.has_attribute?(encrypted_field)
 

lib/gitlab/background_migration/models/encrypt_columns/settings.rb

@@ -9,10 +9,15 @@ module Gitlab
         #
         class Settings < ActiveRecord::Base
           include ::EachBatch
+          include ::CacheableAttributes
 
           self.table_name = 'application_settings'
           self.inheritance_column = :_type_disabled
 
+          after_commit do
+            ApplicationSetting.expire
+          end
+
           def runners_registration_token=(value)
             self.runners_registration_token_encrypted =
               ::Gitlab::CryptoHelper.aes256_gcm_encrypt(value)