142 files changed, 650 insertions, 188 deletions

diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION
index 65d7bf8485f..dc6779942cb 100644
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
@@ -1 +1 @@
-a8520a1568f0c0515eef6931c01b3fa8e55e7985
+ff6a28eeb5c58185a178f7bbacc5617ac6b80ef4
diff --git a/app/assets/javascripts/merge_request_tabs.js b/app/assets/javascripts/merge_request_tabs.js
index 1d1c0a23fab..14e5e96d7b0 100644
--- a/app/assets/javascripts/merge_request_tabs.js
+++ b/app/assets/javascripts/merge_request_tabs.js
@@ -82,9 +82,9 @@ export default class MergeRequestTabs {
       this.mergeRequestTabPanes && this.mergeRequestTabPanes.querySelectorAll
         ? this.mergeRequestTabPanes.querySelectorAll('.tab-pane')
         : null;
-    const navbar = document.querySelector('.navbar-gitlab');
-    const peek = document.getElementById('js-peek');
-    const paddingTop = 16;
+    this.navbar = document.querySelector('.navbar-gitlab');
+    this.peek = document.getElementById('js-peek');
+    this.paddingTop = 16;
 
     this.commitsTab = document.querySelector('.tab-content .commits.tab-pane');
 
@@ -99,15 +99,6 @@ export default class MergeRequestTabs {
     this.setCurrentAction = this.setCurrentAction.bind(this);
     this.tabShown = this.tabShown.bind(this);
     this.clickTab = this.clickTab.bind(this);
-    this.stickyTop = navbar ? navbar.offsetHeight - paddingTop : 0;
-
-    if (peek) {
-      this.stickyTop += peek.offsetHeight;
-    }
-
-    if (this.mergeRequestTabs) {
-      this.stickyTop += this.mergeRequestTabs.offsetHeight;
-    }
 
     if (stubLocation) {
       location = stubLocation;
@@ -520,4 +511,18 @@ export default class MergeRequestTabs {
       }
     }, 0);
   }
+
+  get stickyTop() {
+    let stickyTop = this.navbar ? this.navbar.offsetHeight : 0;
+
+    if (this.peek) {
+      stickyTop += this.peek.offsetHeight;
+    }
+
+    if (this.mergeRequestTabs) {
+      stickyTop += this.mergeRequestTabs.offsetHeight;
+    }
+
+    return stickyTop;
+  }
 }
diff --git a/app/assets/stylesheets/framework/diffs.scss b/app/assets/stylesheets/framework/diffs.scss
index f8b1735207c..36bf9a98932 100644
--- a/app/assets/stylesheets/framework/diffs.scss
+++ b/app/assets/stylesheets/framework/diffs.scss
@@ -854,12 +854,12 @@ table.code {
   @include media-breakpoint-up(sm) {
     position: -webkit-sticky;
     position: sticky;
-    top: $header-height;
+    top: $header-height + $mr-tabs-height;
     background-color: $white;
     z-index: 200;
 
     .with-performance-bar & {
-      top: $header-height + $performance-bar-height;
+      top: $header-height + $mr-tabs-height + $performance-bar-height;
     }
 
     &.is-stuck {
diff --git a/app/assets/stylesheets/pages/merge_requests.scss b/app/assets/stylesheets/pages/merge_requests.scss
index 8807ab5e597..071a5be073f 100644
--- a/app/assets/stylesheets/pages/merge_requests.scss
+++ b/app/assets/stylesheets/pages/merge_requests.scss
@@ -1003,10 +1003,10 @@ $tabs-holder-z-index: 250;
 
 .mr-compare {
   .diff-file .file-title-flex-parent {
-    top: $header-height + 51px;
+    top: $header-height + $mr-tabs-height + 36px;
 
     .with-performance-bar & {
-      top: $performance-bar-height + $header-height + 51px;
+      top: $performance-bar-height + $header-height + $mr-tabs-height + 36px;
     }
   }
 }
diff --git a/app/controllers/admin/sessions_controller.rb b/app/controllers/admin/sessions_controller.rb
index 3a4f617b03f..9c378f4c883 100644
--- a/app/controllers/admin/sessions_controller.rb
+++ b/app/controllers/admin/sessions_controller.rb
@@ -71,7 +71,7 @@ class Admin::SessionsController < ApplicationController
       ::Users::ValidateOtpService.new(user).execute(user_params[:otp_attempt])
     valid_otp_attempt = otp_validation_result[:status] == :success
 
-    return valid_otp_attempt if Gitlab::Database.main.read_only?
+    return valid_otp_attempt if Gitlab::Database.read_only?
 
     valid_otp_attempt || user.invalidate_otp_backup_code!(user_params[:otp_attempt])
   end
diff --git a/app/controllers/boards/issues_controller.rb b/app/controllers/boards/issues_controller.rb
index 20c96f45298..f0f074792ed 100644
--- a/app/controllers/boards/issues_controller.rb
+++ b/app/controllers/boards/issues_controller.rb
@@ -27,7 +27,7 @@ module Boards
       list_service = Boards::Issues::ListService.new(board_parent, current_user, filter_params)
       issues = issues_from(list_service)
 
-      if Gitlab::Database.main.read_write? && !board.disabled_for?(current_user)
+      if Gitlab::Database.read_write? && !board.disabled_for?(current_user)
         Issue.move_nulls_to_end(issues)
       end
 
diff --git a/app/controllers/concerns/authenticates_with_two_factor_for_admin_mode.rb b/app/controllers/concerns/authenticates_with_two_factor_for_admin_mode.rb
index f00ac971573..574fc6c0f37 100644
--- a/app/controllers/concerns/authenticates_with_two_factor_for_admin_mode.rb
+++ b/app/controllers/concerns/authenticates_with_two_factor_for_admin_mode.rb
@@ -47,7 +47,7 @@ module AuthenticatesWithTwoFactorForAdminMode
       # Remove any lingering user data from login
       session.delete(:otp_user_id)
 
-      user.save! unless Gitlab::Database.main.read_only?
+      user.save! unless Gitlab::Database.read_only?
 
       # The admin user has successfully passed 2fa, enable admin mode ignoring password
       enable_admin_mode
diff --git a/app/controllers/concerns/issuable_actions.rb b/app/controllers/concerns/issuable_actions.rb
index b5d27de8fa0..2664a7b7151 100644
--- a/app/controllers/concerns/issuable_actions.rb
+++ b/app/controllers/concerns/issuable_actions.rb
@@ -148,7 +148,7 @@ module IssuableActions
       # on GET requests.
       # This is just a fail-safe in case notes_filter is sent via GET request in GitLab Geo.
       # In some cases, we also force the filter to not be persisted with the `persist_filter` param
-      if Gitlab::Database.main.read_only? || params[:persist_filter] == 'false'
+      if Gitlab::Database.read_only? || params[:persist_filter] == 'false'
         notes_filter_param || current_user&.notes_filter_for(issuable)
       else
         notes_filter = current_user&.set_notes_filter(notes_filter_param, issuable) || notes_filter_param
diff --git a/app/controllers/concerns/record_user_last_activity.rb b/app/controllers/concerns/record_user_last_activity.rb
index 0fcfff9b801..29164df4516 100644
--- a/app/controllers/concerns/record_user_last_activity.rb
+++ b/app/controllers/concerns/record_user_last_activity.rb
@@ -17,7 +17,7 @@ module RecordUserLastActivity
 
   def set_user_last_activity
     return unless request.get?
-    return if Gitlab::Database.main.read_only?
+    return if Gitlab::Database.read_only?
 
     if current_user && current_user.last_activity_on != Date.today
       Users::ActivityService.new(current_user).execute
diff --git a/app/controllers/concerns/sorting_preference.rb b/app/controllers/concerns/sorting_preference.rb
index d62ed15e6aa..8d8845e2f41 100644
--- a/app/controllers/concerns/sorting_preference.rb
+++ b/app/controllers/concerns/sorting_preference.rb
@@ -41,7 +41,7 @@ module SortingPreference
     sort_param = params[:sort]
     sort_param ||= user_preference[field]
 
-    return sort_param if Gitlab::Database.main.read_only?
+    return sort_param if Gitlab::Database.read_only?
 
     if user_preference[field] != sort_param
       user_preference.update(field => sort_param)
diff --git a/app/controllers/repositories/git_http_controller.rb b/app/controllers/repositories/git_http_controller.rb
index 8cbb20cad77..e51bfe6a37e 100644
--- a/app/controllers/repositories/git_http_controller.rb
+++ b/app/controllers/repositories/git_http_controller.rb
@@ -77,7 +77,7 @@ module Repositories
 
     def update_fetch_statistics
       return unless project
-      return if Gitlab::Database.main.read_only?
+      return if Gitlab::Database.read_only?
       return unless repo_type.project?
 
       OnboardingProgressService.async(project.namespace_id).execute(action: :git_pull)
diff --git a/app/controllers/repositories/lfs_api_controller.rb b/app/controllers/repositories/lfs_api_controller.rb
index 55c0d2b0ac8..4f2e02c78c3 100644
--- a/app/controllers/repositories/lfs_api_controller.rb
+++ b/app/controllers/repositories/lfs_api_controller.rb
@@ -126,7 +126,7 @@ module Repositories
 
     # Overridden in EE
     def batch_operation_disallowed?
-      upload_request? && Gitlab::Database.main.read_only?
+      upload_request? && Gitlab::Database.read_only?
     end
 
     # Overridden in EE
diff --git a/app/graphql/mutations/base_mutation.rb b/app/graphql/mutations/base_mutation.rb
index cafd4ca7c01..5de042f78d6 100644
--- a/app/graphql/mutations/base_mutation.rb
+++ b/app/graphql/mutations/base_mutation.rb
@@ -29,7 +29,7 @@ module Mutations
     end
 
     def ready?(**args)
-      raise_resource_not_available_error! ERROR_MESSAGE if Gitlab::Database.main.read_only?
+      raise_resource_not_available_error! ERROR_MESSAGE if Gitlab::Database.read_only?
 
       missing_args = self.class.arguments.values
         .reject { |arg| arg.accepts?(args.fetch(arg.keyword, :not_given)) }
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 6ff9f713393..58f933a7fe0 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -344,7 +344,7 @@ module ApplicationHelper
 
   # Overridden in EE
   def read_only_message
-    return unless Gitlab::Database.main.read_only?
+    return unless Gitlab::Database.read_only?
 
     _('You are on a read-only GitLab instance.')
   end
diff --git a/app/helpers/commits_helper.rb b/app/helpers/commits_helper.rb
index d2ac1e8f985..53017beee85 100644
--- a/app/helpers/commits_helper.rb
+++ b/app/helpers/commits_helper.rb
@@ -215,7 +215,7 @@ module CommitsHelper
     path = project_blob_path(project, tree_join(commit_sha, diff_new_path))
     title = replaced ? _('View replaced file @ ') : _('View file @ ')
 
-    link_to(path, class: 'btn gl-button btn-default') do
+    link_to(path, class: 'btn gl-button btn-default gl-ml-3') do
       raw(title) + content_tag(:span, truncate_sha(commit_sha), class: 'commit-sha')
     end
   end
diff --git a/app/models/ci/build.rb b/app/models/ci/build.rb
index b9901c2f729..76a533feebe 100644
--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -554,6 +554,7 @@ module Ci
           .concat(persisted_variables)
           .concat(dependency_proxy_variables)
           .concat(job_jwt_variables)
+          .concat(kubernetes_variables)
           .concat(scoped_variables)
           .concat(job_variables)
           .concat(persisted_environment_variables)
@@ -1172,6 +1173,10 @@ module Ci
       end
     end
 
+    def kubernetes_variables
+      [] # Overridden in EE
+    end
+
     def conditionally_allow_failure!(exit_code)
       return unless exit_code
 
diff --git a/app/models/concerns/deprecated_assignee.rb b/app/models/concerns/deprecated_assignee.rb
index 2454bd0c08c..3f557ee9b48 100644
--- a/app/models/concerns/deprecated_assignee.rb
+++ b/app/models/concerns/deprecated_assignee.rb
@@ -34,7 +34,7 @@ module DeprecatedAssignee
   end
 
   def assignee_ids
-    if Gitlab::Database.main.read_only? && pending_assignees_population?
+    if Gitlab::Database.read_only? && pending_assignees_population?
       return Array(deprecated_assignee_id)
     end
 
@@ -43,7 +43,7 @@ module DeprecatedAssignee
   end
 
   def assignees
-    if Gitlab::Database.main.read_only? && pending_assignees_population?
+    if Gitlab::Database.read_only? && pending_assignees_population?
       return User.where(id: deprecated_assignee_id)
     end
 
@@ -56,7 +56,7 @@ module DeprecatedAssignee
   # This will make the background migration process quicker (#26496) as it'll have less
   # assignee_id rows to look through.
   def nullify_deprecated_assignee
-    return unless persisted? && Gitlab::Database.main.read_only?
+    return unless persisted? && Gitlab::Database.read_only?
 
     update_column(:assignee_id, nil)
   end
diff --git a/app/models/concerns/token_authenticatable_strategies/base.rb b/app/models/concerns/token_authenticatable_strategies/base.rb
index cd0f15cf079..f72a41f06b1 100644
--- a/app/models/concerns/token_authenticatable_strategies/base.rb
+++ b/app/models/concerns/token_authenticatable_strategies/base.rb
@@ -41,7 +41,7 @@ module TokenAuthenticatableStrategies
     # Resets the token, but only saves when the database is in read & write mode
     def reset_token!(instance)
       write_new_token(instance)
-      instance.save! if Gitlab::Database.main.read_write?
+      instance.save! if Gitlab::Database.read_write?
     end
 
     def self.fabricate(model, field, options)
diff --git a/app/models/project.rb b/app/models/project.rb
index f2f47000c41..6d7e9ddbe9a 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -2818,11 +2818,11 @@ class Project < ApplicationRecord
   end
 
   def cache_has_external_wiki
-    update_column(:has_external_wiki, integrations.external_wikis.any?) if Gitlab::Database.main.read_write?
+    update_column(:has_external_wiki, integrations.external_wikis.any?) if Gitlab::Database.read_write?
   end
 
   def cache_has_external_issue_tracker
-    update_column(:has_external_issue_tracker, integrations.external_issue_trackers.any?) if Gitlab::Database.main.read_write?
+    update_column(:has_external_issue_tracker, integrations.external_issue_trackers.any?) if Gitlab::Database.read_write?
   end
 
   def active_runners_with_tags
diff --git a/app/models/project_statistics.rb b/app/models/project_statistics.rb
index 846049180b3..387732cf151 100644
--- a/app/models/project_statistics.rb
+++ b/app/models/project_statistics.rb
@@ -38,7 +38,7 @@ class ProjectStatistics < ApplicationRecord
   end
 
   def refresh!(only: [])
-    return if Gitlab::Database.main.read_only?
+    return if Gitlab::Database.read_only?
 
     COLUMNS_TO_REFRESH.each do |column, generator|
       if only.empty? || only.include?(column)
diff --git a/app/models/snippet_statistics.rb b/app/models/snippet_statistics.rb
index 31d2855b984..6fb6f0ef713 100644
--- a/app/models/snippet_statistics.rb
+++ b/app/models/snippet_statistics.rb
@@ -34,7 +34,7 @@ class SnippetStatistics < ApplicationRecord
   end
 
   def refresh!
-    return if Gitlab::Database.main.read_only?
+    return if Gitlab::Database.read_only?
 
     update_commit_count
     update_repository_size
diff --git a/app/models/user.rb b/app/models/user.rb
index bfb0c29a023..a2e9768eb94 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -80,7 +80,7 @@ class User < ApplicationRecord
   # to limit database writes to at most once every hour
   # rubocop: disable CodeReuse/ServiceClass
   def update_tracked_fields!(request)
-    return if Gitlab::Database.main.read_only?
+    return if Gitlab::Database.read_only?
 
     update_tracked_fields(request)
 
@@ -363,7 +363,7 @@ class User < ApplicationRecord
     end
 
     before_transition do
-      !Gitlab::Database.main.read_only?
+      !Gitlab::Database.read_only?
     end
 
     # rubocop: disable CodeReuse/ServiceClass
@@ -848,11 +848,11 @@ class User < ApplicationRecord
   end
 
   def remember_me!
-    super if ::Gitlab::Database.main.read_write?
+    super if ::Gitlab::Database.read_write?
   end
 
   def forget_me!
-    super if ::Gitlab::Database.main.read_write?
+    super if ::Gitlab::Database.read_write?
   end
 
   def disable_two_factor!
@@ -1751,7 +1751,7 @@ class User < ApplicationRecord
   #
   # rubocop: disable CodeReuse/ServiceClass
   def increment_failed_attempts!
-    return if ::Gitlab::Database.main.read_only?
+    return if ::Gitlab::Database.read_only?
 
     increment_failed_attempts
 
@@ -1995,7 +1995,7 @@ class User < ApplicationRecord
   def consume_otp!
     if self.consumed_timestep != current_otp_timestep
       self.consumed_timestep = current_otp_timestep
-      return Gitlab::Database.main.read_only? ? true : save(validate: false)
+      return Gitlab::Database.read_only? ? true : save(validate: false)
     end
 
     false
diff --git a/app/services/audit_event_service.rb b/app/services/audit_event_service.rb
index 2fc32c1ba85..558798c830d 100644
--- a/app/services/audit_event_service.rb
+++ b/app/services/audit_event_service.rb
@@ -111,7 +111,7 @@ class AuditEventService
   end
 
   def log_security_event_to_database
-    return if Gitlab::Database.main.read_only?
+    return if Gitlab::Database.read_only?
 
     event = AuditEvent.new(base_payload.merge(details: @details))
     save_or_track event
@@ -120,7 +120,7 @@ class AuditEventService
   end
 
   def log_authentication_event_to_database
-    return unless Gitlab::Database.main.read_write? && authentication_event?
+    return unless Gitlab::Database.read_write? && authentication_event?
 
     event = AuthenticationEvent.new(authentication_event_payload)
     save_or_track event
diff --git a/app/services/boards/visits/create_service.rb b/app/services/boards/visits/create_service.rb
index f096ca2597d..4d659596803 100644
--- a/app/services/boards/visits/create_service.rb
+++ b/app/services/boards/visits/create_service.rb
@@ -4,7 +4,7 @@ module Boards
   module Visits
     class CreateService < Boards::BaseService
       def execute(board)
-        return unless current_user && Gitlab::Database.main.read_write?
+        return unless current_user && Gitlab::Database.read_write?
         return unless board
 
         model.visited!(current_user, board)
diff --git a/app/services/keys/last_used_service.rb b/app/services/keys/last_used_service.rb
index e9139346df4..daef544bac0 100644
--- a/app/services/keys/last_used_service.rb
+++ b/app/services/keys/last_used_service.rb
@@ -18,7 +18,7 @@ module Keys
     end
 
     def update?
-      return false if ::Gitlab::Database.main.read_only?
+      return false if ::Gitlab::Database.read_only?
 
       last_used = key.last_used_at
 
diff --git a/app/services/merge_requests/mergeability_check_service.rb b/app/services/merge_requests/mergeability_check_service.rb
index 6c8a2f31d75..3e294aeaa07 100644
--- a/app/services/merge_requests/mergeability_check_service.rb
+++ b/app/services/merge_requests/mergeability_check_service.rb
@@ -166,7 +166,7 @@ module MergeRequests
       strong_memoize(:service_error) do
         if !merge_request
           ServiceResponse.error(message: 'Invalid argument')
-        elsif Gitlab::Database.main.read_only?
+        elsif Gitlab::Database.read_only?
           ServiceResponse.error(message: 'Unsupported operation')
         end
       end
diff --git a/app/services/packages/create_event_service.rb b/app/services/packages/create_event_service.rb
index cb38a2fea8f..8fed6e2def8 100644
--- a/app/services/packages/create_event_service.rb
+++ b/app/services/packages/create_event_service.rb
@@ -11,7 +11,7 @@ module Packages
         ::Gitlab::UsageDataCounters::PackageEventCounter.count(event_name)
       end
 
-      if Feature.enabled?(:collect_package_events) && Gitlab::Database.main.read_write?
+      if Feature.enabled?(:collect_package_events) && Gitlab::Database.read_write?
         ::Packages::Event.create!(
           event_type: event_name,
           originator: current_user&.id,
diff --git a/app/services/personal_access_tokens/last_used_service.rb b/app/services/personal_access_tokens/last_used_service.rb
index ed76236c5c7..9066fd1acdf 100644
--- a/app/services/personal_access_tokens/last_used_service.rb
+++ b/app/services/personal_access_tokens/last_used_service.rb
@@ -18,7 +18,7 @@ module PersonalAccessTokens
     private
 
     def update?
-      return false if ::Gitlab::Database.main.read_only?
+      return false if ::Gitlab::Database.read_only?
 
       last_used = @personal_access_token.last_used_at
 
diff --git a/app/services/repositories/destroy_service.rb b/app/services/repositories/destroy_service.rb
index c73c556d1da..1e34dfbe398 100644
--- a/app/services/repositories/destroy_service.rb
+++ b/app/services/repositories/destroy_service.rb
@@ -19,7 +19,7 @@ class Repositories::DestroyService < Repositories::BaseService
       # never be triggered on a read-only instance.
       #
       # Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/223272
-      if Gitlab::Database.main.read_only?
+      if Gitlab::Database.read_only?
         Repositories::ShellDestroyService.new(current_repository).execute
       else
         container.run_after_commit do
diff --git a/app/services/users/activity_service.rb b/app/services/users/activity_service.rb
index a1ef412d7c8..20594bec28d 100644
--- a/app/services/users/activity_service.rb
+++ b/app/services/users/activity_service.rb
@@ -23,7 +23,7 @@ module Users
     private
 
     def record_activity
-      return if Gitlab::Database.main.read_only?
+      return if Gitlab::Database.read_only?
 
       today = Date.today
 
diff --git a/app/views/projects/diffs/_file.html.haml b/app/views/projects/diffs/_file.html.haml
index 35e2fe1b398..418a65118f5 100644
--- a/app/views/projects/diffs/_file.html.haml
+++ b/app/views/projects/diffs/_file.html.haml
@@ -16,7 +16,7 @@
     - unless diff_file.submodule?
       .file-actions.gl-display-none.gl-sm-display-flex
         - if diff_file.blob&.readable_text?
-          %span.has-tooltip.gl-mr-3{ title: _("Toggle comments for this file") }
+          %span.has-tooltip{ title: _("Toggle comments for this file") }
             = link_to '#', class: 'js-toggle-diff-comments btn gl-button btn-default btn-icon selected', disabled: @diff_notes_disabled do
               = sprite_icon('comment')
           \
diff --git a/app/views/projects/merge_requests/creations/_new_submit.html.haml b/app/views/projects/merge_requests/creations/_new_submit.html.haml
index 7e1ca19d9b6..4aca13ae74a 100644
--- a/app/views/projects/merge_requests/creations/_new_submit.html.haml
+++ b/app/views/projects/merge_requests/creations/_new_submit.html.haml
@@ -40,7 +40,7 @@
     #diff-notes-app.tab-content
       #new.commits.tab-pane.active
         = render "projects/merge_requests/commits"
-      #diffs.diffs.tab-pane
+      #diffs.diffs.tab-pane{ class: "gl-m-0!" }
         -# This tab is always loaded via AJAX
       - if @pipelines.any?
         #pipelines.pipelines.tab-pane
diff --git a/app/workers/all_queues.yml b/app/workers/all_queues.yml
index 4c64ccb259c..583da304048 100644
--- a/app/workers/all_queues.yml
+++ b/app/workers/all_queues.yml
@@ -1077,7 +1077,7 @@
   :feature_category: :incident_management
   :has_external_dependencies:
   :urgency: :low
-  :resource_boundary: :unknown
+  :resource_boundary: :cpu
   :weight: 2
   :idempotent:
   :tags:
@@ -1096,7 +1096,7 @@
   :feature_category: :incident_management
   :has_external_dependencies:
   :urgency: :low
-  :resource_boundary: :unknown
+  :resource_boundary: :cpu
   :weight: 2
   :idempotent: true
   :tags: []
@@ -2141,7 +2141,7 @@
   :feature_category: :metrics
   :has_external_dependencies:
   :urgency: :low
-  :resource_boundary: :unknown
+  :resource_boundary: :cpu
   :weight: 1
   :idempotent: true
   :tags:
diff --git a/app/workers/concerns/git_garbage_collect_methods.rb b/app/workers/concerns/git_garbage_collect_methods.rb
index c8eb8368762..c46deeb716f 100644
--- a/app/workers/concerns/git_garbage_collect_methods.rb
+++ b/app/workers/concerns/git_garbage_collect_methods.rb
@@ -124,7 +124,7 @@ module GitGarbageCollectMethods
   def update_repository_statistics(resource)
     resource.repository.expire_statistics_caches
 
-    return if Gitlab::Database.main.read_only? # GitGarbageCollectWorker may be run on a Geo secondary
+    return if Gitlab::Database.read_only? # GitGarbageCollectWorker may be run on a Geo secondary
 
     update_db_repository_statistics(resource)
   end
diff --git a/app/workers/gitlab_performance_bar_stats_worker.rb b/app/workers/gitlab_performance_bar_stats_worker.rb
index c4720c3400b..4e8bcb9af7b 100644
--- a/app/workers/gitlab_performance_bar_stats_worker.rb
+++ b/app/workers/gitlab_performance_bar_stats_worker.rb
@@ -4,6 +4,7 @@ class GitlabPerformanceBarStatsWorker
   include ApplicationWorker
 
   data_consistency :always
+  worker_resource_boundary :cpu
 
   sidekiq_options retry: 3
 
diff --git a/app/workers/incident_management/add_severity_system_note_worker.rb b/app/workers/incident_management/add_severity_system_note_worker.rb
index a79a942de9c..31da7b0bcfe 100644
--- a/app/workers/incident_management/add_severity_system_note_worker.rb
+++ b/app/workers/incident_management/add_severity_system_note_worker.rb
@@ -5,6 +5,7 @@ module IncidentManagement
     include ApplicationWorker
 
     data_consistency :always
+    worker_resource_boundary :cpu
 
     sidekiq_options retry: 3
 
diff --git a/app/workers/incident_management/process_alert_worker_v2.rb b/app/workers/incident_management/process_alert_worker_v2.rb
index 973d27c4396..f3049560bcd 100644
--- a/app/workers/incident_management/process_alert_worker_v2.rb
+++ b/app/workers/incident_management/process_alert_worker_v2.rb
@@ -5,6 +5,7 @@ module IncidentManagement
     include ApplicationWorker
 
     data_consistency :always
+    worker_resource_boundary :cpu
 
     queue_namespace :incident_management
     feature_category :incident_management
diff --git a/app/workers/pages_domain_verification_cron_worker.rb b/app/workers/pages_domain_verification_cron_worker.rb
index 5bbe890f0ee..56339d50a40 100644
--- a/app/workers/pages_domain_verification_cron_worker.rb
+++ b/app/workers/pages_domain_verification_cron_worker.rb
@@ -11,7 +11,7 @@ class PagesDomainVerificationCronWorker # rubocop:disable Scalability/Idempotent
   worker_resource_boundary :cpu
 
   def perform
-    return if Gitlab::Database.main.read_only?
+    return if Gitlab::Database.read_only?
 
     PagesDomain.needs_verification.with_logging_info.find_each do |domain|
       with_context(project: domain.project) do
diff --git a/app/workers/pages_domain_verification_worker.rb b/app/workers/pages_domain_verification_worker.rb
index ee21282222a..f9504a7c1d2 100644
--- a/app/workers/pages_domain_verification_worker.rb
+++ b/app/workers/pages_domain_verification_worker.rb
@@ -12,7 +12,7 @@ class PagesDomainVerificationWorker # rubocop:disable Scalability/IdempotentWork
 
   # rubocop: disable CodeReuse/ActiveRecord
   def perform(domain_id)
-    return if Gitlab::Database.main.read_only?
+    return if Gitlab::Database.read_only?
 
     domain = PagesDomain.find_by(id: domain_id)
 
diff --git a/app/workers/project_cache_worker.rb b/app/workers/project_cache_worker.rb
index 3618bc78d82..328fdc4717c 100644
--- a/app/workers/project_cache_worker.rb
+++ b/app/workers/project_cache_worker.rb
@@ -44,7 +44,7 @@ class ProjectCacheWorker
   # statistics to become accurate if they were already updated once in the
   # last 15 minutes.
   def update_statistics(project, statistics = [])
-    return if Gitlab::Database.main.read_only?
+    return if Gitlab::Database.read_only?
     return unless try_obtain_lease_for(project.id, statistics)
 
     Projects::UpdateStatisticsService.new(project, nil, statistics: statistics).execute
diff --git a/app/workers/projects/git_garbage_collect_worker.rb b/app/workers/projects/git_garbage_collect_worker.rb
index 97fb66aac1d..0d67a8ac30e 100644
--- a/app/workers/projects/git_garbage_collect_worker.rb
+++ b/app/workers/projects/git_garbage_collect_worker.rb
@@ -23,7 +23,7 @@ module Projects
     end
 
     def cleanup_orphan_lfs_file_references(resource)
-      return if Gitlab::Database.main.read_only? # GitGarbageCollectWorker may be run on a Geo secondary
+      return if Gitlab::Database.read_only? # GitGarbageCollectWorker may be run on a Geo secondary
 
       ::Gitlab::Cleanup::OrphanLfsFileReferences.new(resource, dry_run: false, logger: logger).run!
     rescue StandardError => err
diff --git a/app/workers/schedule_merge_request_cleanup_refs_worker.rb b/app/workers/schedule_merge_request_cleanup_refs_worker.rb
index e00b5efcb66..46a6e0ef01f 100644
--- a/app/workers/schedule_merge_request_cleanup_refs_worker.rb
+++ b/app/workers/schedule_merge_request_cleanup_refs_worker.rb
@@ -12,7 +12,7 @@ class ScheduleMergeRequestCleanupRefsWorker
   idempotent!
 
   def perform
-    return if Gitlab::Database.main.read_only?
+    return if Gitlab::Database.read_only?
     return unless Feature.enabled?(:merge_request_refs_cleanup, default_enabled: false)
 
     MergeRequestCleanupRefsWorker.perform_with_capacity
diff --git a/config/feature_flags/development/agent_kubeconfig_ci_variable.yml b/config/feature_flags/development/agent_kubeconfig_ci_variable.yml
new file mode 100644
index 00000000000..78a10a094c6
--- /dev/null
+++ b/config/feature_flags/development/agent_kubeconfig_ci_variable.yml
@@ -0,0 +1,8 @@
+---
+name: agent_kubeconfig_ci_variable
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/67089
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/337164
+milestone: '14.2'
+type: development
+group: group::configure
+default_enabled: false
diff --git a/config/initializers/fill_shards.rb b/config/initializers/fill_shards.rb
index dbfb1a3c501..e2889f59574 100644
--- a/config/initializers/fill_shards.rb
+++ b/config/initializers/fill_shards.rb
@@ -4,6 +4,6 @@
 # `Shard.connected?` could be cached and return true even though the table doesn't exist
 return unless Shard.connected?
 return unless ActiveRecord::Migrator.current_version >= 20190402150158
-return if Gitlab::Database.main.read_only?
+return if Gitlab::Database.read_only?
 
 Shard.populate!
diff --git a/doc/api/members.md b/doc/api/members.md
index b066421cf48..8a6d97343e3 100644
--- a/doc/api/members.md
+++ b/doc/api/members.md
@@ -292,7 +292,8 @@ Example response:
     "web_url": "http://192.168.1.8:3000/root",
     "last_activity_on": "2021-01-27",
     "membership_type": "group_member",
-    "removable": true
+    "removable": true,
+    "created_at": "2021-01-03T12:16:02.000Z"
   },
   {
     "id": 2,
@@ -304,7 +305,8 @@ Example response:
     "email": "john@example.com",
     "last_activity_on": "2021-01-25",
     "membership_type": "group_member",
-    "removable": true
+    "removable": true,
+    "created_at": "2021-01-04T18:46:42.000Z"
   },
   {
     "id": 3,
@@ -315,7 +317,8 @@ Example response:
     "web_url": "http://192.168.1.8:3000/root",
     "last_activity_on": "2021-01-20",
     "membership_type": "group_invite",
-    "removable": false
+    "removable": false,
+    "created_at": "2021-01-09T07:12:31.000Z"
   }
 ]
 ```
diff --git a/doc/ci/img/add_file_template_11_10.png b/doc/ci/img/add_file_template_11_10.png
deleted file mode 100644
index ca04d72615b..00000000000
--- a/doc/ci/img/add_file_template_11_10.png
+++ /dev/null
diff --git a/doc/development/ee_features.md b/doc/development/ee_features.md
index f19c2ad706e..42fb9fd42fc 100644
--- a/doc/development/ee_features.md
+++ b/doc/development/ee_features.md
@@ -445,7 +445,7 @@ module EE
 
         override :perform
         def perform(table_name = EVENT_TABLES.first)
-          return if ::Gitlab::Database.main.read_only?
+          return if ::Gitlab::Database.read_only?
 
           deleted_rows = prune_orphaned_rows(table_name)
           table_name   = next_table(table_name) if deleted_rows.zero?
diff --git a/doc/development/geo.md b/doc/development/geo.md
index 91e3722d1d6..38245e5f4e5 100644
--- a/doc/development/geo.md
+++ b/doc/development/geo.md
@@ -368,12 +368,12 @@ All Geo **secondary** nodes are read-only.
 
 The general principle of a [read-only database](verifying_database_capabilities.md#read-only-database)
 applies to all Geo **secondary** nodes. So the
-`Gitlab::Database.main.read_only?` method will always return `true` on a
+`Gitlab::Database.read_only?` method will always return `true` on a
 **secondary** node.
 
 When some write actions are not allowed because the node is a
-**secondary**, consider adding the `Gitlab::Database.main.read_only?` or
-`Gitlab::Database.main.read_write?` guard, instead of `Gitlab::Geo.secondary?`.
+**secondary**, consider adding the `Gitlab::Database.read_only?` or
+`Gitlab::Database.read_write?` guard, instead of `Gitlab::Geo.secondary?`.
 
 The database itself will already be read-only in a replicated setup,
 so we don't need to take any extra step for that.
diff --git a/doc/development/maintenance_mode.md b/doc/development/maintenance_mode.md
index 4d29e6c6777..e308ab26c27 100644
--- a/doc/development/maintenance_mode.md
+++ b/doc/development/maintenance_mode.md
@@ -11,7 +11,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 GitLab Maintenance Mode **only** blocks writes from HTTP and SSH requests at the application level in a few key places within the rails application.
 [Search the codebase for `maintenance_mode?`.](https://gitlab.com/search?search=maintenance_mode%3F&group_id=9970&project_id=278964&scope=blobs&search_code=false&snippets=false&repository_ref=)
 
-- [the read-only database method](https://gitlab.com/gitlab-org/gitlab/-/blob/2425e9de50c678413ceaad6ee3bf66f42b7e228c/ee/lib/ee/gitlab/database.rb#L13), which toggles special behavior when we are not allowed to write to the database. [Search the codebase for `Gitlab::Database.main.read_only?`.](https://gitlab.com/search?search=Gitlab%3A%3ADatabase.read_only%3F&group_id=9970&project_id=278964&scope=blobs&search_code=false&snippets=false&repository_ref=)
+- [the read-only database method](https://gitlab.com/gitlab-org/gitlab/-/blob/2425e9de50c678413ceaad6ee3bf66f42b7e228c/ee/lib/ee/gitlab/database.rb#L13), which toggles special behavior when we are not allowed to write to the database. [Search the codebase for `Gitlab::Database.read_only?`.](https://gitlab.com/search?search=Gitlab%3A%3ADatabase.read_only%3F&group_id=9970&project_id=278964&scope=blobs&search_code=false&snippets=false&repository_ref=)
 - [the read-only middleware](https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/lib/ee/gitlab/middleware/read_only/controller.rb), where HTTP requests that cause database writes are blocked, unless explicitly allowed.
 - [Git push access via SSH is denied](https://gitlab.com/gitlab-org/gitlab/-/blob/2425e9de50c678413ceaad6ee3bf66f42b7e228c/ee/lib/ee/gitlab/git_access.rb#L13) by returning 401 when `gitlab-shell` POSTs to [`/internal/allowed`](internal_api.md) to [check if access is allowed](internal_api.md#git-authentication).
 - [Container registry authentication service](https://gitlab.com/gitlab-org/gitlab/-/blob/2425e9de50c678413ceaad6ee3bf66f42b7e228c/ee/app/services/ee/auth/container_registry_authentication_service.rb#L12), where updates to the container registry are blocked.
diff --git a/doc/development/verifying_database_capabilities.md b/doc/development/verifying_database_capabilities.md
index a6575dc79f8..c5e854701c2 100644
--- a/doc/development/verifying_database_capabilities.md
+++ b/doc/development/verifying_database_capabilities.md
@@ -30,7 +30,7 @@ end
 The database can be used in read-only mode. In this case we have to
 make sure all GET requests don't attempt any write operations to the
 database. If one of those requests wants to write to the database, it needs
-to be wrapped in a `Gitlab::Database.main.read_only?` or `Gitlab::Database.main.read_write?`
+to be wrapped in a `Gitlab::Database.read_only?` or `Gitlab::Database.read_write?`
 guard, to make sure it doesn't for read-only databases.
 
 We have a Rails Middleware that filters any potentially writing
diff --git a/doc/operations/metrics/img/linked_runbooks_on_charts.png b/doc/operations/metrics/img/linked_runbooks_on_charts.png
deleted file mode 100644
index 335ba5dc172..00000000000
--- a/doc/operations/metrics/img/linked_runbooks_on_charts.png
+++ /dev/null
diff --git a/doc/operations/metrics/img/prometheus_alert.png b/doc/operations/metrics/img/prometheus_alert.png
deleted file mode 100644
index 08680c88b23..00000000000
--- a/doc/operations/metrics/img/prometheus_alert.png
+++ /dev/null
diff --git a/doc/topics/autodevops/img/guide_cluster_apps_v12_3.png b/doc/topics/autodevops/img/guide_cluster_apps_v12_3.png
deleted file mode 100644
index 9be414434c7..00000000000
--- a/doc/topics/autodevops/img/guide_cluster_apps_v12_3.png
+++ /dev/null
diff --git a/doc/topics/autodevops/img/guide_first_pipeline_v12_3.png b/doc/topics/autodevops/img/guide_first_pipeline_v12_3.png
deleted file mode 100644
index 9b51b5cfdd8..00000000000
--- a/doc/topics/autodevops/img/guide_first_pipeline_v12_3.png
+++ /dev/null
diff --git a/doc/topics/autodevops/img/guide_gitlab_gke_details_v12_3.png b/doc/topics/autodevops/img/guide_gitlab_gke_details_v12_3.png
deleted file mode 100644
index 2f3f8259316..00000000000
--- a/doc/topics/autodevops/img/guide_gitlab_gke_details_v12_3.png
+++ /dev/null
diff --git a/doc/topics/autodevops/img/guide_google_auth_v12_3.png b/doc/topics/autodevops/img/guide_google_auth_v12_3.png
deleted file mode 100644
index b97b2be9f15..00000000000
--- a/doc/topics/autodevops/img/guide_google_auth_v12_3.png
+++ /dev/null
diff --git a/doc/topics/autodevops/img/guide_google_signin_v12_3.png b/doc/topics/autodevops/img/guide_google_signin_v12_3.png
deleted file mode 100644
index 58bcc5e67b6..00000000000
--- a/doc/topics/autodevops/img/guide_google_signin_v12_3.png
+++ /dev/null
diff --git a/doc/user/application_security/api_fuzzing/img/api_fuzzing_configuration_snippet_v13.10.png b/doc/user/application_security/api_fuzzing/img/api_fuzzing_configuration_snippet_v13.10.png
deleted file mode 100644
index 80c550a3ae7..00000000000
--- a/doc/user/application_security/api_fuzzing/img/api_fuzzing_configuration_snippet_v13.10.png
+++ /dev/null
diff --git a/doc/user/application_security/img/vulnerability_page_merge_request_button_dropdown_v13_1.png b/doc/user/application_security/img/vulnerability_page_merge_request_button_dropdown_v13_1.png
deleted file mode 100644
index 05ca74c3d5c..00000000000
--- a/doc/user/application_security/img/vulnerability_page_merge_request_button_dropdown_v13_1.png
+++ /dev/null
diff --git a/doc/user/application_security/sast/img/sast_v13_2.png b/doc/user/application_security/sast/img/sast_v13_2.png
deleted file mode 100644
index 5697ed9beb0..00000000000
--- a/doc/user/application_security/sast/img/sast_v13_2.png
+++ /dev/null
diff --git a/doc/user/clusters/img/jupyter-git-extension.gif b/doc/user/clusters/img/jupyter-git-extension.gif
deleted file mode 100644
index 14dc567af2a..00000000000
--- a/doc/user/clusters/img/jupyter-git-extension.gif
+++ /dev/null
diff --git a/doc/user/clusters/img/jupyter-gitclone.png b/doc/user/clusters/img/jupyter-gitclone.png
deleted file mode 100644
index aff194dea43..00000000000
--- a/doc/user/clusters/img/jupyter-gitclone.png
+++ /dev/null
diff --git a/doc/user/clusters/img/threat_monitoring_v12_9.png b/doc/user/clusters/img/threat_monitoring_v12_9.png
deleted file mode 100644
index 9097f9334a8..00000000000
--- a/doc/user/clusters/img/threat_monitoring_v12_9.png
+++ /dev/null
diff --git a/doc/user/discussions/img/only_allow_merge_if_all_threads_are_resolved.png b/doc/user/discussions/img/only_allow_merge_if_all_threads_are_resolved.png
deleted file mode 100644
index bd0aaca79b2..00000000000
--- a/doc/user/discussions/img/only_allow_merge_if_all_threads_are_resolved.png
+++ /dev/null
diff --git a/doc/user/group/saml_sso/img/saml_group_links_v13_6.png b/doc/user/group/saml_sso/img/saml_group_links_v13_6.png
deleted file mode 100644
index c78b77b8fcf..00000000000
--- a/doc/user/group/saml_sso/img/saml_group_links_v13_6.png
+++ /dev/null
diff --git a/doc/user/project/clusters/runbooks/img/ingress-install.png b/doc/user/project/clusters/runbooks/img/ingress-install.png
deleted file mode 100644
index 08256a65138..00000000000
--- a/doc/user/project/clusters/runbooks/img/ingress-install.png
+++ /dev/null
diff --git a/doc/user/project/clusters/runbooks/img/jupyterhub-install.png b/doc/user/project/clusters/runbooks/img/jupyterhub-install.png
deleted file mode 100644
index 784e508ff25..00000000000
--- a/doc/user/project/clusters/runbooks/img/jupyterhub-install.png
+++ /dev/null
diff --git a/doc/user/project/clusters/serverless/img/dns-entry.png b/doc/user/project/clusters/serverless/img/dns-entry.png
deleted file mode 100644
index 7b5d6497f0e..00000000000
--- a/doc/user/project/clusters/serverless/img/dns-entry.png
+++ /dev/null
diff --git a/doc/user/project/clusters/serverless/img/install-knative.png b/doc/user/project/clusters/serverless/img/install-knative.png
deleted file mode 100644
index 1dc830848f2..00000000000
--- a/doc/user/project/clusters/serverless/img/install-knative.png
+++ /dev/null
diff --git a/doc/user/project/img/protected_branches_devs_can_push_v12_3.png b/doc/user/project/img/protected_branches_devs_can_push_v12_3.png
deleted file mode 100644
index adc03a41abb..00000000000
--- a/doc/user/project/img/protected_branches_devs_can_push_v12_3.png
+++ /dev/null
diff --git a/doc/user/project/integrations/img/prometheus_deploy.png b/doc/user/project/integrations/img/prometheus_deploy.png
deleted file mode 100644
index 3f19f23b0cc..00000000000
--- a/doc/user/project/integrations/img/prometheus_deploy.png
+++ /dev/null
diff --git a/doc/user/project/integrations/img/services_templates_redmine_example.png b/doc/user/project/integrations/img/services_templates_redmine_example.png
deleted file mode 100644
index 34594dfdd55..00000000000
--- a/doc/user/project/integrations/img/services_templates_redmine_example.png
+++ /dev/null
diff --git a/doc/user/project/merge_requests/img/checkout_button.png b/doc/user/project/merge_requests/img/checkout_button.png
deleted file mode 100644
index 9850795c9b4..00000000000
--- a/doc/user/project/merge_requests/img/checkout_button.png
+++ /dev/null
diff --git a/doc/user/project/merge_requests/img/code_quality_mr_diff_report_v13_11.png b/doc/user/project/merge_requests/img/code_quality_mr_diff_report_v13_11.png
deleted file mode 100644
index 0fcdc252735..00000000000
--- a/doc/user/project/merge_requests/img/code_quality_mr_diff_report_v13_11.png
+++ /dev/null
diff --git a/doc/user/project/merge_requests/reviews/img/pending_review_comment.png b/doc/user/project/merge_requests/reviews/img/pending_review_comment.png
deleted file mode 100644
index 70a66b3f4f0..00000000000
--- a/doc/user/project/merge_requests/reviews/img/pending_review_comment.png
+++ /dev/null
diff --git a/lib/api/v3/github.rb b/lib/api/v3/github.rb
index be5caa86510..29e4a79110f 100644
--- a/lib/api/v3/github.rb
+++ b/lib/api/v3/github.rb
@@ -42,7 +42,7 @@ module API
         def update_project_feature_usage_for(project)
           # Prevent errors on GitLab Geo not allowing
           # UPDATE statements to happen in GET requests.
-          return if Gitlab::Database.main.read_only?
+          return if Gitlab::Database.read_only?
 
           project.log_jira_dvcs_integration_usage(cloud: jira_cloud?)
         end
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 3967c0df9b3..0877a31e0f9 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -394,7 +394,7 @@ module Gitlab
       end
 
       def user_auth_attempt!(user, success:)
-        return unless user && Gitlab::Database.main.read_write?
+        return unless user && Gitlab::Database.read_write?
         return user.unlock_access! if success
 
         user.increment_failed_attempts!
diff --git a/lib/gitlab/auth/ldap/access.rb b/lib/gitlab/auth/ldap/access.rb
index 13bed3bf179..62a817d7c4d 100644
--- a/lib/gitlab/auth/ldap/access.rb
+++ b/lib/gitlab/auth/ldap/access.rb
@@ -21,7 +21,7 @@ module Gitlab
             # Whether user is allowed, or not, we should update
             # permissions to keep things clean
             if access.allowed?
-              unless Gitlab::Database.main.read_only?
+              unless Gitlab::Database.read_only?
                 access.update_user
                 Users::UpdateService.new(user, user: user, last_credential_check_at: Time.now).execute
               end
diff --git a/lib/gitlab/ci/config.rb b/lib/gitlab/ci/config.rb
index 24d84ac36bf..98f9f25330a 100644
--- a/lib/gitlab/ci/config.rb
+++ b/lib/gitlab/ci/config.rb
@@ -20,7 +20,7 @@ module Gitlab
       attr_reader :root, :context, :ref, :source
 
       def initialize(config, project: nil, sha: nil, user: nil, parent_pipeline: nil, ref: nil, source: nil)
-        @context = build_context(project: project, sha: sha, user: user, parent_pipeline: parent_pipeline)
+        @context = build_context(project: project, sha: sha, user: user, parent_pipeline: parent_pipeline, ref: ref)
         @context.set_deadline(TIMEOUT_SECONDS)
 
         @ref = ref
@@ -108,13 +108,13 @@ module Gitlab
         end
       end
 
-      def build_context(project:, sha:, user:, parent_pipeline:)
+      def build_context(project:, sha:, user:, parent_pipeline:, ref:)
         Config::External::Context.new(
           project: project,
           sha: sha || find_sha(project),
           user: user,
           parent_pipeline: parent_pipeline,
-          variables: build_variables(project: project, ref: sha))
+          variables: build_variables(project: project, ref: ref))
       end
 
       def build_variables(project:, ref:)
diff --git a/lib/gitlab/database.rb b/lib/gitlab/database.rb
index 160a261c1df..8ae68e2a8a0 100644
--- a/lib/gitlab/database.rb
+++ b/lib/gitlab/database.rb
@@ -173,6 +173,14 @@ module Gitlab
       ActiveRecord::Base.prepend(ActiveRecordBaseTransactionMetrics)
     end
 
+    def self.read_only?
+      false
+    end
+
+    def self.read_write?
+      !read_only?
+    end
+
     # MonkeyPatch for ActiveRecord::Base for adding observability
     module ActiveRecordBaseTransactionMetrics
       extend ActiveSupport::Concern
@@ -189,3 +197,5 @@ module Gitlab
     end
   end
 end
+
+Gitlab::Database.prepend_mod_with('Gitlab::Database')
diff --git a/lib/gitlab/database/connection.rb b/lib/gitlab/database/connection.rb
index 521512f5644..1b9d49fe376 100644
--- a/lib/gitlab/database/connection.rb
+++ b/lib/gitlab/database/connection.rb
@@ -80,14 +80,6 @@ module Gitlab
         scope.establish_connection(config.merge(prepared_statements: false))
       end
 
-      def read_only?
-        false
-      end
-
-      def read_write?
-        !read_only?
-      end
-
       # Check whether the underlying database is in read-only mode
       def db_read_only?
         pg_is_in_recovery =
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index 6d8f630d999..759c6b93d9a 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -257,7 +257,7 @@ module Gitlab
     def check_db_accessibility!
       return unless receive_pack?
 
-      if Gitlab::Database.main.read_only?
+      if Gitlab::Database.read_only?
         raise ForbiddenError, push_to_read_only_message
       end
     end
diff --git a/lib/gitlab/gpg/commit.rb b/lib/gitlab/gpg/commit.rb
index d6c720f5ee2..1abbd6dc45b 100644
--- a/lib/gitlab/gpg/commit.rb
+++ b/lib/gitlab/gpg/commit.rb
@@ -71,7 +71,7 @@ module Gitlab
       def create_cached_signature!
         using_keychain do |gpg_key|
           attributes = attributes(gpg_key)
-          break GpgSignature.new(attributes) if Gitlab::Database.main.read_only?
+          break GpgSignature.new(attributes) if Gitlab::Database.read_only?
 
           GpgSignature.safe_create!(attributes)
         end
diff --git a/lib/gitlab/kas.rb b/lib/gitlab/kas.rb
index 86c0aa2b48d..06ab0e78d9b 100644
--- a/lib/gitlab/kas.rb
+++ b/lib/gitlab/kas.rb
@@ -5,6 +5,7 @@ module Gitlab
     INTERNAL_API_REQUEST_HEADER = 'Gitlab-Kas-Api-Request'
     VERSION_FILE = 'GITLAB_KAS_VERSION'
     JWT_ISSUER = 'gitlab-kas'
+    K8S_PROXY_PATH = 'k8s-proxy'
 
     include JwtAuthenticatable
 
@@ -39,6 +40,10 @@ module Gitlab
         Gitlab.config.gitlab_kas.external_url
       end
 
+      def tunnel_url
+        URI.join(external_url, K8S_PROXY_PATH).to_s
+      end
+
       # Return GitLab KAS internal_url
       #
       # @return [String] internal_url
diff --git a/lib/gitlab/kubernetes/kubeconfig/entry/cluster.rb b/lib/gitlab/kubernetes/kubeconfig/entry/cluster.rb
new file mode 100644
index 00000000000..836517d4e1f
--- /dev/null
+++ b/lib/gitlab/kubernetes/kubeconfig/entry/cluster.rb
@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module Kubernetes
+    module Kubeconfig
+      module Entry
+        class Cluster
+          attr_reader :name
+
+          def initialize(name:, url:, ca_pem: nil)
+            @name = name
+            @url = url
+            @ca_pem = ca_pem
+          end
+
+          def to_h
+            {
+              name: name,
+              cluster: cluster
+            }
+          end
+
+          private
+
+          attr_reader :url, :ca_pem
+
+          def cluster
+            {
+              server: url,
+              'certificate-authority-data': certificate_authority_data
+            }.compact
+          end
+
+          def certificate_authority_data
+            return unless ca_pem.present?
+
+            Base64.strict_encode64(ca_pem)
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/kubernetes/kubeconfig/entry/context.rb b/lib/gitlab/kubernetes/kubeconfig/entry/context.rb
new file mode 100644
index 00000000000..8ff17ab9cff
--- /dev/null
+++ b/lib/gitlab/kubernetes/kubeconfig/entry/context.rb
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module Kubernetes
+    module Kubeconfig
+      module Entry
+        class Context
+          attr_reader :name
+
+          def initialize(name:, cluster:, user:, namespace: nil)
+            @name = name
+            @cluster = cluster
+            @user = user
+            @namespace = namespace
+          end
+
+          def to_h
+            {
+              name: name,
+              context: context
+            }
+          end
+
+          private
+
+          attr_reader :cluster, :user, :namespace
+
+          def context
+            {
+              cluster: cluster,
+              namespace: namespace,
+              user: user
+            }.compact
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/kubernetes/kubeconfig/entry/user.rb b/lib/gitlab/kubernetes/kubeconfig/entry/user.rb
new file mode 100644
index 00000000000..784f6d67802
--- /dev/null
+++ b/lib/gitlab/kubernetes/kubeconfig/entry/user.rb
@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module Kubernetes
+    module Kubeconfig
+      module Entry
+        class User
+          attr_reader :name
+
+          def initialize(name:, token:)
+            @name = name
+            @token = token
+          end
+
+          def to_h
+            {
+              name: name,
+              user: { token: token }
+            }
+          end
+
+          private
+
+          attr_reader :token
+        end
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/kubernetes/kubeconfig/template.rb b/lib/gitlab/kubernetes/kubeconfig/template.rb
new file mode 100644
index 00000000000..da0861ee86a
--- /dev/null
+++ b/lib/gitlab/kubernetes/kubeconfig/template.rb
@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module Kubernetes
+    module Kubeconfig
+      class Template
+        ENTRIES = {
+          cluster: Gitlab::Kubernetes::Kubeconfig::Entry::Cluster,
+          user: Gitlab::Kubernetes::Kubeconfig::Entry::User,
+          context: Gitlab::Kubernetes::Kubeconfig::Entry::Context
+        }.freeze
+
+        def initialize
+          @clusters = []
+          @users = []
+          @contexts = []
+        end
+
+        def valid?
+          contexts.present?
+        end
+
+        def add_cluster(**args)
+          clusters << new_entry(:cluster, **args)
+        end
+
+        def add_user(**args)
+          users << new_entry(:user, **args)
+        end
+
+        def add_context(**args)
+          contexts << new_entry(:context, **args)
+        end
+
+        def to_h
+          {
+            apiVersion: 'v1',
+            kind: 'Config',
+            clusters: clusters.map(&:to_h),
+            users: users.map(&:to_h),
+            contexts: contexts.map(&:to_h)
+          }
+        end
+
+        def to_yaml
+          YAML.dump(to_h.deep_stringify_keys)
+        end
+
+        private
+
+        attr_reader :clusters, :users, :contexts
+
+        def new_entry(entry, **args)
+          ENTRIES.fetch(entry).new(**args)
+        end
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/lets_encrypt/client.rb b/lib/gitlab/lets_encrypt/client.rb
index aabf819e4a8..ad2921ed555 100644
--- a/lib/gitlab/lets_encrypt/client.rb
+++ b/lib/gitlab/lets_encrypt/client.rb
@@ -71,7 +71,7 @@ module Gitlab
       end
 
       def generate_private_key
-        return if Gitlab::Database.main.read_only?
+        return if Gitlab::Database.read_only?
 
         application_settings = Gitlab::CurrentSettings.current_application_settings
         application_settings.with_lock do
diff --git a/lib/gitlab/markdown_cache/active_record/extension.rb b/lib/gitlab/markdown_cache/active_record/extension.rb
index c2962d8d129..af94884f1a7 100644
--- a/lib/gitlab/markdown_cache/active_record/extension.rb
+++ b/lib/gitlab/markdown_cache/active_record/extension.rb
@@ -38,7 +38,7 @@ module Gitlab
         end
 
         def save_markdown(updates)
-          return unless persisted? && Gitlab::Database.main.read_write?
+          return unless persisted? && Gitlab::Database.read_write?
 
           update_columns(updates)
         end
diff --git a/lib/gitlab/middleware/read_only/controller.rb b/lib/gitlab/middleware/read_only/controller.rb
index fd95b59d8d8..65c08664a2b 100644
--- a/lib/gitlab/middleware/read_only/controller.rb
+++ b/lib/gitlab/middleware/read_only/controller.rb
@@ -59,7 +59,7 @@ module Gitlab
 
         # Overridden in EE module
         def read_only?
-          Gitlab::Database.main.read_only?
+          Gitlab::Database.read_only?
         end
 
         def json_request?
diff --git a/lib/gitlab/x509/commit.rb b/lib/gitlab/x509/commit.rb
index 5932170748a..91951a3e505 100644
--- a/lib/gitlab/x509/commit.rb
+++ b/lib/gitlab/x509/commit.rb
@@ -49,7 +49,7 @@ module Gitlab
       def create_cached_signature!
         return if attributes.nil?
 
-        return X509CommitSignature.new(attributes) if Gitlab::Database.main.read_only?
+        return X509CommitSignature.new(attributes) if Gitlab::Database.read_only?
 
         X509CommitSignature.safe_create!(attributes)
       end
diff --git a/lib/tasks/gitlab/storage.rake b/lib/tasks/gitlab/storage.rake
index e79d78f655a..fb9f9b9fe67 100644
--- a/lib/tasks/gitlab/storage.rake
+++ b/lib/tasks/gitlab/storage.rake
@@ -4,7 +4,7 @@ namespace :gitlab do
   namespace :storage do
     desc 'GitLab | Storage | Migrate existing projects to Hashed Storage'
     task migrate_to_hashed: :environment do
-      if Gitlab::Database.main.read_only?
+      if Gitlab::Database.read_only?
         abort 'This task requires database write access. Exiting.'
       end
 
@@ -50,7 +50,7 @@ namespace :gitlab do
 
     desc 'GitLab | Storage | Rollback existing projects to Legacy Storage'
     task rollback_to_legacy: :environment do
-      if Gitlab::Database.main.read_only?
+      if Gitlab::Database.read_only?
         abort 'This task requires database write access. Exiting.'
       end
 
diff --git a/spec/controllers/admin/sessions_controller_spec.rb b/spec/controllers/admin/sessions_controller_spec.rb
index dc1bed63850..5fa7a7f278d 100644
--- a/spec/controllers/admin/sessions_controller_spec.rb
+++ b/spec/controllers/admin/sessions_controller_spec.rb
@@ -179,7 +179,7 @@ RSpec.describe Admin::SessionsController, :do_not_mock_admin_mode do
 
         context 'on a read-only instance' do
           before do
-            allow(Gitlab::Database.main).to receive(:read_only?).and_return(true)
+            allow(Gitlab::Database).to receive(:read_only?).and_return(true)
           end
 
           it 'does not attempt to write to the database with valid otp' do
diff --git a/spec/controllers/repositories/git_http_controller_spec.rb b/spec/controllers/repositories/git_http_controller_spec.rb
index f80f5956c43..04d5008cb34 100644
--- a/spec/controllers/repositories/git_http_controller_spec.rb
+++ b/spec/controllers/repositories/git_http_controller_spec.rb
@@ -24,7 +24,7 @@ RSpec.describe Repositories::GitHttpController do
 
         context 'on a read-only instance' do
           before do
-            allow(Gitlab::Database.main).to receive(:read_only?).and_return(true)
+            allow(Gitlab::Database).to receive(:read_only?).and_return(true)
           end
 
           it 'does not update project statistics' do
diff --git a/spec/features/admin/admin_mode/logout_spec.rb b/spec/features/admin/admin_mode/logout_spec.rb
index 5e0c43cdee2..58bea5c4b5f 100644
--- a/spec/features/admin/admin_mode/logout_spec.rb
+++ b/spec/features/admin/admin_mode/logout_spec.rb
@@ -37,7 +37,7 @@ RSpec.describe 'Admin Mode Logout', :js do
 
   context 'on a read-only instance' do
     before do
-      allow(Gitlab::Database.main).to receive(:read_only?).and_return(true)
+      allow(Gitlab::Database).to receive(:read_only?).and_return(true)
     end
 
     it 'disable removes admin mode and redirects to root page' do
diff --git a/spec/features/admin/admin_mode_spec.rb b/spec/features/admin/admin_mode_spec.rb
index e2653e6b3a8..24a10d3677d 100644
--- a/spec/features/admin/admin_mode_spec.rb
+++ b/spec/features/admin/admin_mode_spec.rb
@@ -57,7 +57,7 @@ RSpec.describe 'Admin mode', :js do
 
       context 'on a read-only instance' do
         before do
-          allow(Gitlab::Database.main).to receive(:read_only?).and_return(true)
+          allow(Gitlab::Database).to receive(:read_only?).and_return(true)
         end
 
         it 'can enter admin mode' do
@@ -117,7 +117,7 @@ RSpec.describe 'Admin mode', :js do
 
       context 'on a read-only instance' do
         before do
-          allow(Gitlab::Database.main).to receive(:read_only?).and_return(true)
+          allow(Gitlab::Database).to receive(:read_only?).and_return(true)
         end
 
         it 'can leave admin mode' do
diff --git a/spec/features/projects/branches_spec.rb b/spec/features/projects/branches_spec.rb
index 37d76a0a8ed..0a79719f14a 100644
--- a/spec/features/projects/branches_spec.rb
+++ b/spec/features/projects/branches_spec.rb
@@ -315,7 +315,7 @@ RSpec.describe 'Branches' do
 
     context 'on a read-only instance' do
       before do
-        allow(Gitlab::Database.main).to receive(:read_only?).and_return(true)
+        allow(Gitlab::Database).to receive(:read_only?).and_return(true)
       end
 
       it_behaves_like 'compares branches'
diff --git a/spec/features/projects/compare_spec.rb b/spec/features/projects/compare_spec.rb
index 0c93f6284bb..bc3ef2af9b0 100644
--- a/spec/features/projects/compare_spec.rb
+++ b/spec/features/projects/compare_spec.rb
@@ -40,7 +40,7 @@ RSpec.describe "Compare", :js do
 
     context 'on a read-only instance' do
       before do
-        allow(Gitlab::Database.main).to receive(:read_only?).and_return(true)
+        allow(Gitlab::Database).to receive(:read_only?).and_return(true)
       end
 
       it_behaves_like 'compares branches'
diff --git a/spec/features/projects/settings/registry_settings_spec.rb b/spec/features/projects/settings/registry_settings_spec.rb
index 3f9f2dae453..509729d526d 100644
--- a/spec/features/projects/settings/registry_settings_spec.rb
+++ b/spec/features/projects/settings/registry_settings_spec.rb
@@ -9,12 +9,12 @@ RSpec.describe 'Project > Settings > CI/CD > Container registry tag expiration p
   let_it_be(:project, reload: true) { create(:project, namespace: user.namespace) }
 
   let(:container_registry_enabled) { true }
-  let(:container_registry_enabled_on_project) { true }
+  let(:container_registry_enabled_on_project) { ProjectFeature::ENABLED }
 
   subject { visit project_settings_packages_and_registries_path(project) }
 
   before do
-    project.update!(container_registry_enabled: container_registry_enabled_on_project)
+    project.project_feature.update!(container_registry_access_level: container_registry_enabled_on_project)
     project.container_expiration_policy.update!(enabled: true)
 
     sign_in(user)
@@ -104,7 +104,7 @@ RSpec.describe 'Project > Settings > CI/CD > Container registry tag expiration p
   end
 
   context 'when container registry is disabled on project' do
-    let(:container_registry_enabled_on_project) { false }
+    let(:container_registry_enabled_on_project) { ProjectFeature::DISABLED }
 
     it 'does not exists' do
       subject
diff --git a/spec/features/read_only_spec.rb b/spec/features/read_only_spec.rb
index 95b8e14c07f..11686552062 100644
--- a/spec/features/read_only_spec.rb
+++ b/spec/features/read_only_spec.rb
@@ -11,7 +11,7 @@ RSpec.describe 'read-only message' do
 
   context 'when database is read-only' do
     before do
-      allow(Gitlab::Database.main).to receive(:read_only?).and_return(true)
+      allow(Gitlab::Database).to receive(:read_only?).and_return(true)
     end
 
     it_behaves_like 'Read-only instance', /You are on a read\-only GitLab instance./
@@ -19,7 +19,7 @@ RSpec.describe 'read-only message' do
 
   context 'when database is in read-write mode' do
     before do
-      allow(Gitlab::Database.main).to receive(:read_only?).and_return(false)
+      allow(Gitlab::Database).to receive(:read_only?).and_return(false)
     end
 
     it_behaves_like 'Read-write instance', /You are on a read\-only GitLab instance./
diff --git a/spec/features/users/logout_spec.rb b/spec/features/users/logout_spec.rb
index b23eeb9b30e..ffb8785b277 100644
--- a/spec/features/users/logout_spec.rb
+++ b/spec/features/users/logout_spec.rb
@@ -24,7 +24,7 @@ RSpec.describe 'Logout/Sign out', :js do
 
   context 'on a read-only instance' do
     before do
-      allow(Gitlab::Database.main).to receive(:read_only?).and_return(true)
+      allow(Gitlab::Database).to receive(:read_only?).and_return(true)
     end
 
     it 'sign out redirects to sign in page' do
diff --git a/spec/lib/banzai/renderer_spec.rb b/spec/lib/banzai/renderer_spec.rb
index 316f3248b8f..52bf3087875 100644
--- a/spec/lib/banzai/renderer_spec.rb
+++ b/spec/lib/banzai/renderer_spec.rb
@@ -65,7 +65,7 @@ RSpec.describe Banzai::Renderer do
         end
 
         it "skips database caching on a GitLab read-only instance" do
-          allow(Gitlab::Database.main).to receive(:read_only?).and_return(true)
+          allow(Gitlab::Database).to receive(:read_only?).and_return(true)
           expect(object).to receive(:refresh_markdown_cache!)
 
           is_expected.to eq('field_html')
diff --git a/spec/lib/gitlab/auth/ldap/access_spec.rb b/spec/lib/gitlab/auth/ldap/access_spec.rb
index 9d3c6855e9f..9e269f84b7e 100644
--- a/spec/lib/gitlab/auth/ldap/access_spec.rb
+++ b/spec/lib/gitlab/auth/ldap/access_spec.rb
@@ -22,7 +22,7 @@ RSpec.describe Gitlab::Auth::Ldap::Access do
     end
 
     it "does not update user's `last_credential_check_at` when in a read-only GitLab instance" do
-      allow(Gitlab::Database.main).to receive(:read_only?).and_return(true)
+      allow(Gitlab::Database).to receive(:read_only?).and_return(true)
 
       expect { described_class.allowed?(user) }
         .not_to change { user.last_credential_check_at }
diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb
index 94f3710b8d2..2e3dce3f418 100644
--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -844,7 +844,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
 
       context 'when the database is read-only' do
         before do
-          allow(Gitlab::Database.main).to receive(:read_only?).and_return(true)
+          allow(Gitlab::Database).to receive(:read_only?).and_return(true)
         end
 
         it 'does not increment failed_attempts when true and password is incorrect' do
diff --git a/spec/lib/gitlab/ci/pipeline/chain/populate_spec.rb b/spec/lib/gitlab/ci/pipeline/chain/populate_spec.rb
index e8c127f0444..62de4d2e96d 100644
--- a/spec/lib/gitlab/ci/pipeline/chain/populate_spec.rb
+++ b/spec/lib/gitlab/ci/pipeline/chain/populate_spec.rb
@@ -107,7 +107,6 @@ RSpec.describe Gitlab::Ci::Pipeline::Chain::Populate do
     context 'when ref is protected' do
       before do
         allow(project).to receive(:protected_for?).with('master').and_return(true)
-        allow(project).to receive(:protected_for?).with('b83d6e391c22777fca1ed3012fce84f633d7fed0').and_return(true)
         allow(project).to receive(:protected_for?).with('refs/heads/master').and_return(true)
 
         dependencies.map(&:perform!)
diff --git a/spec/lib/gitlab/database/connection_spec.rb b/spec/lib/gitlab/database/connection_spec.rb
index 4cbc94660c3..517d40deb1c 100644
--- a/spec/lib/gitlab/database/connection_spec.rb
+++ b/spec/lib/gitlab/database/connection_spec.rb
@@ -162,18 +162,6 @@ RSpec.describe Gitlab::Database::Connection do
     end
   end
 
-  describe '#read_only?' do
-    it 'returns false' do
-      expect(connection.read_only?).to eq(false)
-    end
-  end
-
-  describe '#read_write' do
-    it 'returns true' do
-      expect(connection.read_write?).to eq(true)
-    end
-  end
-
   describe '#db_read_only?' do
     it 'detects a read-only database' do
       allow(connection.scope.connection)
diff --git a/spec/lib/gitlab/database_spec.rb b/spec/lib/gitlab/database_spec.rb
index 7487fa0f022..c67b5af5e3c 100644
--- a/spec/lib/gitlab/database_spec.rb
+++ b/spec/lib/gitlab/database_spec.rb
@@ -190,6 +190,18 @@ RSpec.describe Gitlab::Database do
     end
   end
 
+  describe '.read_only?' do
+    it 'returns false' do
+      expect(described_class.read_only?).to eq(false)
+    end
+  end
+
+  describe '.read_write' do
+    it 'returns true' do
+      expect(described_class.read_write?).to eq(true)
+    end
+  end
+
   describe 'ActiveRecordBaseTransactionMetrics' do
     def subscribe_events
       events = []
diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb
index a562865cd16..bf682e4e4c6 100644
--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -392,7 +392,7 @@ RSpec.describe Gitlab::GitAccess do
     context 'when in a read-only GitLab instance' do
       before do
         create(:protected_branch, name: 'feature', project: project)
-        allow(Gitlab::Database.main).to receive(:read_only?) { true }
+        allow(Gitlab::Database).to receive(:read_only?) { true }
       end
 
       it { expect { push_access_check }.to raise_forbidden(described_class::ERROR_MESSAGES[:cannot_push_to_read_only]) }
diff --git a/spec/lib/gitlab/git_access_wiki_spec.rb b/spec/lib/gitlab/git_access_wiki_spec.rb
index c6e15e4f0cc..5ada8a6ef40 100644
--- a/spec/lib/gitlab/git_access_wiki_spec.rb
+++ b/spec/lib/gitlab/git_access_wiki_spec.rb
@@ -31,7 +31,7 @@ RSpec.describe Gitlab::GitAccessWiki do
         let(:message) { "You can't push code to a read-only GitLab instance." }
 
         before do
-          allow(Gitlab::Database.main).to receive(:read_only?) { true }
+          allow(Gitlab::Database).to receive(:read_only?) { true }
         end
 
         it_behaves_like 'forbidden git access'
diff --git a/spec/lib/gitlab/gpg/commit_spec.rb b/spec/lib/gitlab/gpg/commit_spec.rb
index 917cd5b5a83..55102554508 100644
--- a/spec/lib/gitlab/gpg/commit_spec.rb
+++ b/spec/lib/gitlab/gpg/commit_spec.rb
@@ -91,7 +91,7 @@ RSpec.describe Gitlab::Gpg::Commit do
 
           context 'read-only mode' do
             before do
-              allow(Gitlab::Database.main).to receive(:read_only?).and_return(true)
+              allow(Gitlab::Database).to receive(:read_only?).and_return(true)
             end
 
             it 'does not create a cached signature' do
diff --git a/spec/lib/gitlab/kas_spec.rb b/spec/lib/gitlab/kas_spec.rb
index 24d2b03fe2a..bf70b83fb73 100644
--- a/spec/lib/gitlab/kas_spec.rb
+++ b/spec/lib/gitlab/kas_spec.rb
@@ -65,6 +65,12 @@ RSpec.describe Gitlab::Kas do
     end
   end
 
+  describe '.tunnel_url' do
+    it 'returns gitlab_kas external_url with proxy path appended' do
+      expect(described_class.tunnel_url).to eq(Gitlab.config.gitlab_kas.external_url + '/k8s-proxy')
+    end
+  end
+
   describe '.internal_url' do
     it 'returns gitlab_kas internal_url config' do
       expect(described_class.internal_url).to eq(Gitlab.config.gitlab_kas.internal_url)
diff --git a/spec/lib/gitlab/kubernetes/kubeconfig/entry/cluster_spec.rb b/spec/lib/gitlab/kubernetes/kubeconfig/entry/cluster_spec.rb
new file mode 100644
index 00000000000..508808be1be
--- /dev/null
+++ b/spec/lib/gitlab/kubernetes/kubeconfig/entry/cluster_spec.rb
@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Kubernetes::Kubeconfig::Entry::Cluster do
+  describe '#to_h' do
+    let(:name) { 'name' }
+    let(:url) { 'url' }
+
+    subject { described_class.new(name: name, url: url).to_h }
+
+    it { is_expected.to eq({ name: name, cluster: { server: url } }) }
+
+    context 'with a certificate' do
+      let(:cert) { 'certificate' }
+      let(:cert_encoded) { Base64.strict_encode64(cert) }
+
+      subject { described_class.new(name: name, url: url, ca_pem: cert).to_h }
+
+      it { is_expected.to eq({ name: name, cluster: { server: url, 'certificate-authority-data': cert_encoded } }) }
+    end
+  end
+end
diff --git a/spec/lib/gitlab/kubernetes/kubeconfig/entry/context_spec.rb b/spec/lib/gitlab/kubernetes/kubeconfig/entry/context_spec.rb
new file mode 100644
index 00000000000..43d4c46fda1
--- /dev/null
+++ b/spec/lib/gitlab/kubernetes/kubeconfig/entry/context_spec.rb
@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Kubernetes::Kubeconfig::Entry::Context do
+  describe '#to_h' do
+    let(:name) { 'name' }
+    let(:user) { 'user' }
+    let(:cluster) { 'cluster' }
+
+    subject { described_class.new(name: name, user: user, cluster: cluster).to_h }
+
+    it { is_expected.to eq({ name: name, context: { cluster: cluster, user: user } }) }
+
+    context 'with a namespace' do
+      let(:namespace) { 'namespace' }
+
+      subject { described_class.new(name: name, user: user, cluster: cluster, namespace: namespace).to_h }
+
+      it { is_expected.to eq({ name: name, context: { cluster: cluster, user: user, namespace: namespace } }) }
+    end
+  end
+end
diff --git a/spec/lib/gitlab/kubernetes/kubeconfig/entry/user_spec.rb b/spec/lib/gitlab/kubernetes/kubeconfig/entry/user_spec.rb
new file mode 100644
index 00000000000..3d6acc80823
--- /dev/null
+++ b/spec/lib/gitlab/kubernetes/kubeconfig/entry/user_spec.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Kubernetes::Kubeconfig::Entry::User do
+  describe '#to_h' do
+    let(:name) { 'name' }
+    let(:token) { 'token' }
+
+    subject { described_class.new(name: name, token: token).to_h }
+
+    it { is_expected.to eq({ name: name, user: { token: token } }) }
+  end
+end
diff --git a/spec/lib/gitlab/kubernetes/kubeconfig/template_spec.rb b/spec/lib/gitlab/kubernetes/kubeconfig/template_spec.rb
new file mode 100644
index 00000000000..057c4373329
--- /dev/null
+++ b/spec/lib/gitlab/kubernetes/kubeconfig/template_spec.rb
@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Kubernetes::Kubeconfig::Template do
+  let(:template) { described_class.new }
+
+  describe '#valid?' do
+    subject { template.valid? }
+
+    it { is_expected.to be_falsey }
+
+    context 'with configuration added' do
+      before do
+        template.add_context(name: 'name', cluster: 'cluster', user: 'user')
+      end
+
+      it { is_expected.to be_truthy }
+    end
+  end
+
+  describe '#to_h' do
+    subject { described_class.new.to_h }
+
+    it do
+      is_expected.to eq(
+        apiVersion: 'v1',
+        kind: 'Config',
+        clusters: [],
+        users: [],
+        contexts: []
+      )
+    end
+  end
+
+  describe '#to_yaml' do
+    subject { template.to_yaml }
+
+    it { is_expected.to eq(YAML.dump(template.to_h.deep_stringify_keys)) }
+  end
+
+  describe 'adding entries' do
+    let(:entry) { instance_double(entry_class, to_h: attributes) }
+    let(:attributes) do
+      { name: 'name', other: 'other' }
+    end
+
+    subject { template.to_h }
+
+    before do
+      expect(entry_class).to receive(:new).with(attributes).and_return(entry)
+    end
+
+    describe '#add_cluster' do
+      let(:entry_class) { Gitlab::Kubernetes::Kubeconfig::Entry::Cluster }
+
+      before do
+        template.add_cluster(**attributes)
+      end
+
+      it { is_expected.to include(clusters: [attributes]) }
+    end
+
+    describe '#add_user' do
+      let(:entry_class) { Gitlab::Kubernetes::Kubeconfig::Entry::User }
+
+      before do
+        template.add_user(**attributes)
+      end
+
+      it { is_expected.to include(users: [attributes]) }
+    end
+
+    describe '#add_context' do
+      let(:entry_class) { Gitlab::Kubernetes::Kubeconfig::Entry::Context }
+
+      before do
+        template.add_context(**attributes)
+      end
+
+      it { is_expected.to include(contexts: [attributes]) }
+    end
+  end
+end
diff --git a/spec/lib/gitlab/middleware/read_only_spec.rb b/spec/lib/gitlab/middleware/read_only_spec.rb
index 00c2cee1ef0..642b47fe087 100644
--- a/spec/lib/gitlab/middleware/read_only_spec.rb
+++ b/spec/lib/gitlab/middleware/read_only_spec.rb
@@ -5,7 +5,7 @@ require 'spec_helper'
 RSpec.describe Gitlab::Middleware::ReadOnly do
   context 'when database is read-only' do
     before do
-      allow(Gitlab::Database.main).to receive(:read_only?) { true }
+      allow(Gitlab::Database).to receive(:read_only?) { true }
     end
 
     it_behaves_like 'write access for a read-only GitLab instance'
diff --git a/spec/models/ci/build_spec.rb b/spec/models/ci/build_spec.rb
index dca4a4ed0d7..33a88f7c16e 100644
--- a/spec/models/ci/build_spec.rb
+++ b/spec/models/ci/build_spec.rb
@@ -3151,6 +3151,17 @@ RSpec.describe Ci::Build do
     end
 
     context 'when container registry is enabled' do
+      let_it_be_with_reload(:project) { create(:project, :public, :repository, group: group) }
+
+      let_it_be_with_reload(:pipeline) do
+        create(:ci_pipeline, project: project,
+                             sha: project.commit.id,
+                             ref: project.default_branch,
+                             status: 'success')
+      end
+
+      let_it_be_with_refind(:build) { create(:ci_build, pipeline: pipeline) }
+
       let(:container_registry_enabled) { true }
       let(:ci_registry) do
         { key: 'CI_REGISTRY', value: 'registry.example.com', public: true, masked: false }
@@ -3162,7 +3173,7 @@ RSpec.describe Ci::Build do
 
       context 'and is disabled for project' do
         before do
-          project.update!(container_registry_enabled: false)
+          project.project_feature.update_column(:container_registry_access_level, ProjectFeature::DISABLED)
         end
 
         it { is_expected.to include(ci_registry) }
@@ -3171,7 +3182,16 @@ RSpec.describe Ci::Build do
 
       context 'and is enabled for project' do
         before do
-          project.update!(container_registry_enabled: true)
+          project.project_feature.update_column(:container_registry_access_level, ProjectFeature::ENABLED)
+        end
+
+        it { is_expected.to include(ci_registry) }
+        it { is_expected.to include(ci_registry_image) }
+      end
+
+      context 'and is private for project' do
+        before do
+          project.project_feature.update_column(:container_registry_access_level, ProjectFeature::PRIVATE)
         end
 
         it { is_expected.to include(ci_registry) }
diff --git a/spec/models/concerns/deprecated_assignee_spec.rb b/spec/models/concerns/deprecated_assignee_spec.rb
index 5ca741cdfdf..630d9ea601f 100644
--- a/spec/models/concerns/deprecated_assignee_spec.rb
+++ b/spec/models/concerns/deprecated_assignee_spec.rb
@@ -99,7 +99,7 @@ RSpec.describe DeprecatedAssignee do
 
     context 'when DB is read-only' do
       before do
-        allow(Gitlab::Database.main).to receive(:read_only?) { true }
+        allow(Gitlab::Database).to receive(:read_only?) { true }
       end
 
       it 'returns a users relation' do
@@ -139,7 +139,7 @@ RSpec.describe DeprecatedAssignee do
 
     context 'when DB is read-only' do
       before do
-        allow(Gitlab::Database.main).to receive(:read_only?) { true }
+        allow(Gitlab::Database).to receive(:read_only?) { true }
       end
 
       it 'returns a list of user IDs' do
diff --git a/spec/models/project_statistics_spec.rb b/spec/models/project_statistics_spec.rb
index 48097bb3c94..cb1baa02e96 100644
--- a/spec/models/project_statistics_spec.rb
+++ b/spec/models/project_statistics_spec.rb
@@ -214,7 +214,7 @@ RSpec.describe ProjectStatistics do
 
     context 'when the database is read-only' do
       it 'does nothing' do
-        allow(Gitlab::Database.main).to receive(:read_only?) { true }
+        allow(Gitlab::Database).to receive(:read_only?) { true }
 
         expect(statistics).not_to receive(:update_commit_count)
         expect(statistics).not_to receive(:update_repository_size)
diff --git a/spec/models/snippet_statistics_spec.rb b/spec/models/snippet_statistics_spec.rb
index e703de453f1..1fb4ed47169 100644
--- a/spec/models/snippet_statistics_spec.rb
+++ b/spec/models/snippet_statistics_spec.rb
@@ -86,7 +86,7 @@ RSpec.describe SnippetStatistics do
 
     context 'when the database is read-only' do
       it 'does nothing' do
-        allow(Gitlab::Database.main).to receive(:read_only?) { true }
+        allow(Gitlab::Database).to receive(:read_only?) { true }
 
         expect(statistics).not_to receive(:update_commit_count)
         expect(statistics).not_to receive(:update_file_count)
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 8361b523a13..87b3aea178c 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -1466,7 +1466,7 @@ RSpec.describe User do
     end
 
     it 'does not write if the DB is in read-only mode' do
-      expect(Gitlab::Database.main).to receive(:read_only?).and_return(true)
+      expect(Gitlab::Database).to receive(:read_only?).and_return(true)
 
       expect do
         user.update_tracked_fields!(request)
@@ -2864,7 +2864,7 @@ RSpec.describe User do
 
       context 'on a read-only instance' do
         before do
-          allow(Gitlab::Database.main).to receive(:read_only?).and_return(true)
+          allow(Gitlab::Database).to receive(:read_only?).and_return(true)
         end
 
         it 'does not block user' do
@@ -4968,7 +4968,7 @@ RSpec.describe User do
     end
 
     it 'does not log failed sign-in attempts when in a GitLab read-only instance' do
-      allow(Gitlab::Database.main).to receive(:read_only?) { true }
+      allow(Gitlab::Database).to receive(:read_only?) { true }
 
       expect { user.increment_failed_attempts! }.not_to change(user, :failed_attempts)
     end
diff --git a/spec/requests/api/graphql/project/merge_requests_spec.rb b/spec/requests/api/graphql/project/merge_requests_spec.rb
index 2b5e7b8128d..7fc1ef05fa7 100644
--- a/spec/requests/api/graphql/project/merge_requests_spec.rb
+++ b/spec/requests/api/graphql/project/merge_requests_spec.rb
@@ -331,7 +331,7 @@ RSpec.describe 'getting merge request listings nested in a project' do
 
     before do
       # Confounding factor: makes DB calls in EE
-      allow(Gitlab::Database.main).to receive(:read_only?).and_return(false)
+      allow(Gitlab::Database).to receive(:read_only?).and_return(false)
     end
 
     def query_context
diff --git a/spec/requests/api/graphql/read_only_spec.rb b/spec/requests/api/graphql/read_only_spec.rb
index 6dddc16d137..d2a45603886 100644
--- a/spec/requests/api/graphql/read_only_spec.rb
+++ b/spec/requests/api/graphql/read_only_spec.rb
@@ -5,7 +5,7 @@ require 'spec_helper'
 RSpec.describe 'Requests on a read-only node' do
   context 'when db is read-only' do
     before do
-      allow(Gitlab::Database.main).to receive(:read_only?) { true }
+      allow(Gitlab::Database).to receive(:read_only?) { true }
     end
 
     it_behaves_like 'graphql on a read-only GitLab instance'
diff --git a/spec/requests/lfs_http_spec.rb b/spec/requests/lfs_http_spec.rb
index c4d1841ffda..02eb4262690 100644
--- a/spec/requests/lfs_http_spec.rb
+++ b/spec/requests/lfs_http_spec.rb
@@ -625,7 +625,7 @@ RSpec.describe 'Git LFS API and storage' do
         subject { post_lfs_json(batch_url(project), body, headers) }
 
         before do
-          allow(Gitlab::Database.main).to receive(:read_only?) { true }
+          allow(Gitlab::Database).to receive(:read_only?) { true }
 
           project.add_maintainer(user)
 
diff --git a/spec/services/ci/create_pipeline_service_spec.rb b/spec/services/ci/create_pipeline_service_spec.rb
index 74e3b7cbca1..aec51751868 100644
--- a/spec/services/ci/create_pipeline_service_spec.rb
+++ b/spec/services/ci/create_pipeline_service_spec.rb
@@ -1328,7 +1328,7 @@ RSpec.describe Ci::CreatePipelineService do
             end
 
             context 'when ref is tag' do
-              let(:ref_name) { 'refs/tags/v1.1.0' }
+              let(:ref_name) { 'refs/tags/v1.0.0' }
 
               it 'does not create an extrnal pull request pipeline', :aggregate_failures do
                 expect(response).to be_error
@@ -1516,7 +1516,7 @@ RSpec.describe Ci::CreatePipelineService do
             end
 
             context 'when ref is tag' do
-              let(:ref_name) { 'refs/tags/v1.1.0' }
+              let(:ref_name) { 'refs/tags/v1.0.0' }
 
               it 'does not create a merge request pipeline', :aggregate_failures do
                 expect(response).to be_error
diff --git a/spec/services/merge_requests/mergeability_check_service_spec.rb b/spec/services/merge_requests/mergeability_check_service_spec.rb
index 8300d0383c1..65599b7e046 100644
--- a/spec/services/merge_requests/mergeability_check_service_spec.rb
+++ b/spec/services/merge_requests/mergeability_check_service_spec.rb
@@ -89,7 +89,7 @@ RSpec.describe MergeRequests::MergeabilityCheckService, :clean_gitlab_redis_shar
 
     context 'when read-only DB' do
       before do
-        allow(Gitlab::Database.main).to receive(:read_only?) { true }
+        allow(Gitlab::Database).to receive(:read_only?) { true }
       end
 
       it_behaves_like 'no job is enqueued'
@@ -260,7 +260,7 @@ RSpec.describe MergeRequests::MergeabilityCheckService, :clean_gitlab_redis_shar
 
     context 'when read-only DB' do
       it 'returns ServiceResponse.error' do
-        allow(Gitlab::Database.main).to receive(:read_only?) { true }
+        allow(Gitlab::Database).to receive(:read_only?) { true }
 
         result = subject
 
diff --git a/spec/services/packages/create_event_service_spec.rb b/spec/services/packages/create_event_service_spec.rb
index 6978cf3ec32..122f1e88ad0 100644
--- a/spec/services/packages/create_event_service_spec.rb
+++ b/spec/services/packages/create_event_service_spec.rb
@@ -46,7 +46,7 @@ RSpec.describe Packages::CreateEventService do
 
         context 'on a read-only instance' do
           before do
-            allow(Gitlab::Database.main).to receive(:read_only?).and_return(true)
+            allow(Gitlab::Database).to receive(:read_only?).and_return(true)
           end
 
           it 'does not create an event' do
diff --git a/spec/services/personal_access_tokens/last_used_service_spec.rb b/spec/services/personal_access_tokens/last_used_service_spec.rb
index 729b631b816..6fc74e27dd9 100644
--- a/spec/services/personal_access_tokens/last_used_service_spec.rb
+++ b/spec/services/personal_access_tokens/last_used_service_spec.rb
@@ -14,7 +14,7 @@ RSpec.describe PersonalAccessTokens::LastUsedService do
       end
 
       it 'does not run on read-only GitLab instances' do
-        allow(::Gitlab::Database.main).to receive(:read_only?).and_return(true)
+        allow(::Gitlab::Database).to receive(:read_only?).and_return(true)
 
         expect { subject }.not_to change { personal_access_token.last_used_at }
       end
diff --git a/spec/services/repositories/destroy_service_spec.rb b/spec/services/repositories/destroy_service_spec.rb
index cba1a5f54c3..240f837e973 100644
--- a/spec/services/repositories/destroy_service_spec.rb
+++ b/spec/services/repositories/destroy_service_spec.rb
@@ -37,7 +37,7 @@ RSpec.describe Repositories::DestroyService do
 
   context 'on a read-only instance' do
     before do
-      allow(Gitlab::Database.main).to receive(:read_only?).and_return(true)
+      allow(Gitlab::Database).to receive(:read_only?).and_return(true)
     end
 
     it 'schedules the repository deletion' do
diff --git a/spec/services/users/activity_service_spec.rb b/spec/services/users/activity_service_spec.rb
index 9af710e3e4f..cfafa9eff45 100644
--- a/spec/services/users/activity_service_spec.rb
+++ b/spec/services/users/activity_service_spec.rb
@@ -66,7 +66,7 @@ RSpec.describe Users::ActivityService do
       let(:last_activity_on) { nil }
 
       before do
-        allow(Gitlab::Database.main).to receive(:read_only?).and_return(true)
+        allow(Gitlab::Database).to receive(:read_only?).and_return(true)
       end
 
       it 'does not update last_activity_on' do
diff --git a/spec/support/shared_examples/controllers/issuable_notes_filter_shared_examples.rb b/spec/support/shared_examples/controllers/issuable_notes_filter_shared_examples.rb
index c377fa992d8..a4eb6a839c0 100644
--- a/spec/support/shared_examples/controllers/issuable_notes_filter_shared_examples.rb
+++ b/spec/support/shared_examples/controllers/issuable_notes_filter_shared_examples.rb
@@ -36,7 +36,7 @@ RSpec.shared_examples 'issuable notes filter' do
   end
 
   it 'does not set notes filter when database is in read-only mode' do
-    allow(Gitlab::Database.main).to receive(:read_only?).and_return(true)
+    allow(Gitlab::Database).to receive(:read_only?).and_return(true)
     notes_filter = UserPreference::NOTES_FILTERS[:only_comments]
 
     get :discussions, params: params.merge(notes_filter: notes_filter)
diff --git a/spec/support/shared_examples/controllers/set_sort_order_from_user_preference_shared_examples.rb b/spec/support/shared_examples/controllers/set_sort_order_from_user_preference_shared_examples.rb
index 421886d8da8..9b5f957d489 100644
--- a/spec/support/shared_examples/controllers/set_sort_order_from_user_preference_shared_examples.rb
+++ b/spec/support/shared_examples/controllers/set_sort_order_from_user_preference_shared_examples.rb
@@ -7,7 +7,7 @@ RSpec.shared_examples 'set sort order from user preference' do
 
     context 'when database is in read-only mode' do
       it 'does not update user preference' do
-        allow(Gitlab::Database.main).to receive(:read_only?).and_return(true)
+        allow(Gitlab::Database).to receive(:read_only?).and_return(true)
 
         expect_any_instance_of(UserPreference).not_to receive(:update).with({ controller.send(:sorting_field) => sorting_param })
 
@@ -17,7 +17,7 @@ RSpec.shared_examples 'set sort order from user preference' do
 
     context 'when database is not in read-only mode' do
       it 'updates user preference' do
-        allow(Gitlab::Database.main).to receive(:read_only?).and_return(false)
+        allow(Gitlab::Database).to receive(:read_only?).and_return(false)
 
         expect_any_instance_of(UserPreference).to receive(:update).with({ controller.send(:sorting_field) => sorting_param })
 
diff --git a/spec/support/shared_examples/lib/gitlab/middleware/read_only_gitlab_instance_shared_examples.rb b/spec/support/shared_examples/lib/gitlab/middleware/read_only_gitlab_instance_shared_examples.rb
index f27f907a240..0a07a56d417 100644
--- a/spec/support/shared_examples/lib/gitlab/middleware/read_only_gitlab_instance_shared_examples.rb
+++ b/spec/support/shared_examples/lib/gitlab/middleware/read_only_gitlab_instance_shared_examples.rb
@@ -212,7 +212,7 @@ RSpec.shared_examples 'write access for a read-only GitLab instance' do
     let(:content_json) { { 'CONTENT_TYPE' => 'application/json' } }
 
     before do
-      allow(Gitlab::Database.main).to receive(:read_only?) { true }
+      allow(Gitlab::Database).to receive(:read_only?) { true }
     end
 
     it 'expects PATCH requests to be disallowed' do
diff --git a/spec/support/shared_examples/services/boards/create_service_shared_examples.rb b/spec/support/shared_examples/services/boards/create_service_shared_examples.rb
index d899236d19a..63b5e3a5a84 100644
--- a/spec/support/shared_examples/services/boards/create_service_shared_examples.rb
+++ b/spec/support/shared_examples/services/boards/create_service_shared_examples.rb
@@ -12,7 +12,7 @@ RSpec.shared_examples 'boards recent visit create service' do
   end
 
   it 'returns nil when database is read only' do
-    allow(Gitlab::Database.main).to receive(:read_only?) { true }
+    allow(Gitlab::Database).to receive(:read_only?) { true }
 
     expect(service.execute(board)).to be_nil
   end
diff --git a/spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb b/spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb
index e514afee04f..04596319f38 100644
--- a/spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb
+++ b/spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb
@@ -203,9 +203,7 @@ RSpec.shared_examples 'a container registry auth service' do
       end
     end
 
-    context 'for private project' do
-      let_it_be(:project) { create(:project) }
-
+    shared_examples 'private project' do
       context 'allow to use scope-less authentication' do
         it_behaves_like 'a valid token'
       end
@@ -345,8 +343,20 @@ RSpec.shared_examples 'a container registry auth service' do
       end
     end
 
-    context 'for public project' do
-      let_it_be(:project) { create(:project, :public) }
+    context 'for private project' do
+      let_it_be_with_reload(:project) { create(:project) }
+
+      it_behaves_like 'private project'
+    end
+
+    context 'for public project with private container registry' do
+      let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) }
+
+      it_behaves_like 'private project'
+    end
+
+    context 'for public project with container_registry `enabled`' do
+      let_it_be(:project) { create(:project, :public, :container_registry_enabled) }
 
       context 'allow anyone to pull images' do
         let(:current_params) do
@@ -394,8 +404,8 @@ RSpec.shared_examples 'a container registry auth service' do
       end
     end
 
-    context 'for internal project' do
-      let_it_be(:project) { create(:project, :internal) }
+    context 'for internal project with container_registry `enabled`' do
+      let_it_be(:project) { create(:project, :internal, :container_registry_enabled) }
 
       context 'for internal user' do
         context 'allow anyone to pull images' do
@@ -470,6 +480,12 @@ RSpec.shared_examples 'a container registry auth service' do
         end
       end
     end
+
+    context 'for internal project with private container registry' do
+      let_it_be_with_reload(:project) { create(:project, :internal, :container_registry_private) }
+
+      it_behaves_like 'private project'
+    end
   end
 
   context 'delete authorized as maintainer' do
@@ -630,12 +646,8 @@ RSpec.shared_examples 'a container registry auth service' do
           end
         end
 
-        context 'for project with private container registry' do
-          let_it_be(:project, reload: true) { create(:project, :public) }
-
-          before do
-            project.project_feature.update!(container_registry_access_level: ProjectFeature::PRIVATE)
-          end
+        context 'for public project with private container registry' do
+          let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) }
 
           it_behaves_like 'pullable for being team member'
 
@@ -675,11 +687,7 @@ RSpec.shared_examples 'a container registry auth service' do
     end
 
     context 'for project without container registry' do
-      let_it_be(:project) { create(:project, :public, container_registry_enabled: false) }
-
-      before do
-        project.update!(container_registry_enabled: false)
-      end
+      let_it_be_with_reload(:project) { create(:project, :public, :container_registry_disabled) }
 
       context 'disallow when pulling' do
         let(:current_params) do
@@ -719,12 +727,16 @@ RSpec.shared_examples 'a container registry auth service' do
   context 'support for multiple scopes' do
     let_it_be(:internal_project) { create(:project, :internal) }
     let_it_be(:private_project) { create(:project, :private) }
+    let_it_be(:public_project) { create(:project, :public) }
+    let_it_be(:public_project_private_container_registry) { create(:project, :public, :container_registry_private) }
 
     let(:current_params) do
       {
         scopes: [
           "repository:#{internal_project.full_path}:pull",
-          "repository:#{private_project.full_path}:pull"
+          "repository:#{private_project.full_path}:pull",
+          "repository:#{public_project.full_path}:pull",
+          "repository:#{public_project_private_container_registry.full_path}:pull"
         ]
       }
     end
@@ -744,13 +756,19 @@ RSpec.shared_examples 'a container registry auth service' do
               'actions' => ['pull'] },
             { 'type' => 'repository',
               'name' => private_project.full_path,
+              'actions' => ['pull'] },
+            { 'type' => 'repository',
+              'name' => public_project.full_path,
+              'actions' => ['pull'] },
+            { 'type' => 'repository',
+              'name' => public_project_private_container_registry.full_path,
               'actions' => ['pull'] }
           ]
         end
       end
     end
 
-    context 'user only has access to internal project' do
+    context 'user only has access to internal and public projects' do
       let_it_be(:current_user) { create(:user) }
 
       it_behaves_like 'a browsable' do
@@ -758,16 +776,35 @@ RSpec.shared_examples 'a container registry auth service' do
           [
             { 'type' => 'repository',
               'name' => internal_project.full_path,
+              'actions' => ['pull'] },
+            { 'type' => 'repository',
+              'name' => public_project.full_path,
               'actions' => ['pull'] }
           ]
         end
       end
     end
 
-    context 'anonymous access is rejected' do
+    context 'anonymous user has access only to public project' do
       let(:current_user) { nil }
 
-      it_behaves_like 'a forbidden'
+      it_behaves_like 'a browsable' do
+        let(:access) do
+          [
+            { 'type' => 'repository',
+              'name' => public_project.full_path,
+              'actions' => ['pull'] }
+          ]
+        end
+      end
+
+      context 'with no public container registry' do
+        before do
+          public_project.project_feature.update_column(:container_registry_access_level, ProjectFeature::PRIVATE)
+        end
+
+        it_behaves_like 'a forbidden'
+      end
     end
   end
 
@@ -796,8 +833,8 @@ RSpec.shared_examples 'a container registry auth service' do
       it_behaves_like 'a forbidden'
     end
 
-    context 'for public project' do
-      let_it_be(:project) { create(:project, :public) }
+    context 'for public project with container registry `enabled`' do
+      let_it_be_with_reload(:project) { create(:project, :public, :container_registry_enabled) }
 
       context 'when pulling and pushing' do
         let(:current_params) do
@@ -818,6 +855,19 @@ RSpec.shared_examples 'a container registry auth service' do
       end
     end
 
+    context 'for public project with container registry `private`' do
+      let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) }
+
+      context 'when pulling and pushing' do
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:pull,push"] }
+        end
+
+        it_behaves_like 'a forbidden'
+        it_behaves_like 'not a container repository factory'
+      end
+    end
+
     context 'for registry catalog' do
       let(:current_params) do
         { scopes: ["registry:catalog:*"] }
@@ -898,6 +948,24 @@ RSpec.shared_examples 'a container registry auth service' do
 
         it_behaves_like 'able to login'
       end
+
+      context 'for public project with private container registry' do
+        let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) }
+
+        context 'when pulling' do
+          it_behaves_like 'a pullable'
+        end
+
+        context 'when pushing' do
+          let(:current_params) do
+            { scopes: ["repository:#{project.full_path}:push"], deploy_token: deploy_token }
+          end
+
+          it_behaves_like 'a pushable'
+        end
+
+        it_behaves_like 'able to login'
+      end
     end
 
     context 'when deploy token does not have read_registry scope' do
@@ -919,8 +987,8 @@ RSpec.shared_examples 'a container registry auth service' do
         end
       end
 
-      context 'for public project' do
-        let_it_be(:project) { create(:project, :public) }
+      context 'for public project with container registry `enabled`' do
+        let_it_be_with_reload(:project) { create(:project, :public, :container_registry_enabled) }
 
         context 'when pulling' do
           it_behaves_like 'a pullable'
@@ -929,6 +997,16 @@ RSpec.shared_examples 'a container registry auth service' do
         it_behaves_like 'unable to login'
       end
 
+      context 'for public project with container registry `private`' do
+        let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) }
+
+        context 'when pulling' do
+          it_behaves_like 'an inaccessible'
+        end
+
+        it_behaves_like 'unable to login'
+      end
+
       context 'for internal project' do
         let_it_be(:project) { create(:project, :internal) }
 
@@ -960,14 +1038,22 @@ RSpec.shared_examples 'a container registry auth service' do
     context 'when deploy token is not related to the project' do
       let_it_be(:deploy_token) { create(:deploy_token, read_registry: false) }
 
-      context 'for public project' do
-        let_it_be(:project) { create(:project, :public) }
+      context 'for public project with container registry `enabled`' do
+        let_it_be_with_reload(:project) { create(:project, :public, :container_registry_enabled) }
 
         context 'when pulling' do
           it_behaves_like 'a pullable'
         end
       end
 
+      context 'for public project with container registry `private`' do
+        let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) }
+
+        context 'when pulling' do
+          it_behaves_like 'an inaccessible'
+        end
+      end
+
       context 'for internal project' do
         let_it_be(:project) { create(:project, :internal) }
 
@@ -988,12 +1074,18 @@ RSpec.shared_examples 'a container registry auth service' do
     context 'when deploy token has been revoked' do
       let(:deploy_token) { create(:deploy_token, :revoked, projects: [project]) }
 
-      context 'for public project' do
-        let_it_be(:project) { create(:project, :public) }
+      context 'for public project with container registry `enabled`' do
+        let_it_be(:project) { create(:project, :public, :container_registry_enabled) }
 
         it_behaves_like 'a pullable'
       end
 
+      context 'for public project with container registry `private`' do
+        let_it_be(:project) { create(:project, :public, :container_registry_private) }
+
+        it_behaves_like 'an inaccessible'
+      end
+
       context 'for internal project' do
         let_it_be(:project) { create(:project, :internal) }
 
diff --git a/spec/support/shared_examples/workers/concerns/git_garbage_collect_methods_shared_examples.rb b/spec/support/shared_examples/workers/concerns/git_garbage_collect_methods_shared_examples.rb
index 27ee1f799a4..f2314793cb4 100644
--- a/spec/support/shared_examples/workers/concerns/git_garbage_collect_methods_shared_examples.rb
+++ b/spec/support/shared_examples/workers/concerns/git_garbage_collect_methods_shared_examples.rb
@@ -39,7 +39,7 @@ RSpec.shared_examples 'can collect git garbage' do |update_statistics: true|
     end
 
     it 'does nothing if the database is read-only' do
-      allow(Gitlab::Database.main).to receive(:read_only?) { true }
+      allow(Gitlab::Database).to receive(:read_only?) { true }
 
       expect(statistics_service_klass).not_to receive(:new)
 
diff --git a/spec/tasks/gitlab/storage_rake_spec.rb b/spec/tasks/gitlab/storage_rake_spec.rb
index 0fd9071aa6b..570f67c8bb7 100644
--- a/spec/tasks/gitlab/storage_rake_spec.rb
+++ b/spec/tasks/gitlab/storage_rake_spec.rb
@@ -48,7 +48,7 @@ RSpec.describe 'rake gitlab:storage:*', :silence_stdout do
   shared_examples "make sure database is writable" do
     context 'read-only database' do
       it 'does nothing' do
-        expect(Gitlab::Database.main).to receive(:read_only?).and_return(true)
+        expect(Gitlab::Database).to receive(:read_only?).and_return(true)
 
         expect(Project).not_to receive(:with_unmigrated_storage)
 
diff --git a/spec/workers/pages_domain_verification_cron_worker_spec.rb b/spec/workers/pages_domain_verification_cron_worker_spec.rb
index a7e5d02a743..01eaf984c90 100644
--- a/spec/workers/pages_domain_verification_cron_worker_spec.rb
+++ b/spec/workers/pages_domain_verification_cron_worker_spec.rb
@@ -11,7 +11,7 @@ RSpec.describe PagesDomainVerificationCronWorker do
     let!(:disabled) { create(:pages_domain, :disabled) }
 
     it 'does nothing if the database is read-only' do
-      allow(Gitlab::Database.main).to receive(:read_only?).and_return(true)
+      allow(Gitlab::Database).to receive(:read_only?).and_return(true)
       expect(PagesDomainVerificationWorker).not_to receive(:perform_async).with(reverify.id)
 
       worker.perform
diff --git a/spec/workers/pages_domain_verification_worker_spec.rb b/spec/workers/pages_domain_verification_worker_spec.rb
index c9a4b7a97b4..6d2f9ee2f8d 100644
--- a/spec/workers/pages_domain_verification_worker_spec.rb
+++ b/spec/workers/pages_domain_verification_worker_spec.rb
@@ -9,7 +9,7 @@ RSpec.describe PagesDomainVerificationWorker do
 
   describe '#perform' do
     it 'does nothing if the database is read-only' do
-      allow(Gitlab::Database.main).to receive(:read_only?).and_return(true)
+      allow(Gitlab::Database).to receive(:read_only?).and_return(true)
       expect(PagesDomain).not_to receive(:find_by).with(id: domain.id)
 
       worker.perform(domain.id)
diff --git a/spec/workers/projects/git_garbage_collect_worker_spec.rb b/spec/workers/projects/git_garbage_collect_worker_spec.rb
index 10525cf217b..7b54d7df4b2 100644
--- a/spec/workers/projects/git_garbage_collect_worker_spec.rb
+++ b/spec/workers/projects/git_garbage_collect_worker_spec.rb
@@ -67,7 +67,7 @@ RSpec.describe Projects::GitGarbageCollectWorker do
       end
 
       it 'does nothing if the database is read-only' do
-        allow(Gitlab::Database.main).to receive(:read_only?) { true }
+        allow(Gitlab::Database).to receive(:read_only?) { true }
         expect(Gitlab::Cleanup::OrphanLfsFileReferences).not_to receive(:new)
 
         subject.perform(*params)
diff --git a/spec/workers/schedule_merge_request_cleanup_refs_worker_spec.rb b/spec/workers/schedule_merge_request_cleanup_refs_worker_spec.rb
index 345b3f31353..ef515e43474 100644
--- a/spec/workers/schedule_merge_request_cleanup_refs_worker_spec.rb
+++ b/spec/workers/schedule_merge_request_cleanup_refs_worker_spec.rb
@@ -7,7 +7,7 @@ RSpec.describe ScheduleMergeRequestCleanupRefsWorker do
 
   describe '#perform' do
     it 'does nothing if the database is read-only' do
-      allow(Gitlab::Database.main).to receive(:read_only?).and_return(true)
+      allow(Gitlab::Database).to receive(:read_only?).and_return(true)
       expect(MergeRequestCleanupRefsWorker).not_to receive(:perform_with_capacity)
 
       worker.perform