Add vanity URL support to GitLab's built-in Go proxy

Background

Go uses a source-based dependency management system, whereas most other dependency management systems are artifact-based. This is to say, Go dependencies are ultimately fetched directly from their source VCS repository, but dependencies in other systems are artifacts that have been uploaded to a package repository. Another unique feature of the Go ecosystem is the name of a package (excluding stdlib) must be a valid URL, sans the scheme (e.g. golang.org/x/text). Thus, Go modules are defined by the source repository and have unique names.

The Go tool chain's dependency resolution mechanisms allow a package's repository to live at a different URL than the package's name indicates. For example, the repository of rsc.io/quote is https://github.com/rsc/quote. go get rsc.io/quote executes GET https://rsc.io/quote?go-get=1, which responds with a meta tag that points to https://github.com/rsc/quote.

Problem to solve

GitLab's Go module support (!27746 (merged), #27376 (closed)) recognizes that gitlab.com/my/project has Go modules if and only if the module name is or starts with gitlab.com/my/project (e.g. gitlab.com/my/project/xyz) and if the repository contains a go.mod file at the appropriate location (e.g. /go.mod, /xyz/go.mod, etc) and if that file contains a correct moduledirective (e.g.module gitlab.com/my/project`, etc).

This should be expanded to support vanity URLs, such that GitLab will recognize projects that define modules using vanity URLs. This should involve a check to verify that the vanity URL actually points to the project in question, in a similar manner to validating a custom domain for Pages. The simplest way to implement this would be to require a user action, which would then run GET my.com/project?go-get=1 and verify that the response includes a go-import meta tag that points to the GitLab repository.

Intended users

• Delaney (Development Team Lead)
• Sasha (Software Developer)

Further details

TODO

Proposal

Essentially, I propose some mechanism that allows the user to assert that GitLab should recognize modules in a project when those modules use a vanity URL instead of gitlab.com/my/project. And that mechanism should verify that GET https://example.com/my/project?go-get=1 includes <meta name="go-import" content="example.com/my/project git https://gitlab.com/my/project.git">. And a second action to revert.

The first step could be an API endpoint that stores a list of valid vanity URLs in the database, which would be used by the Go module finder (currently Packages::GoModule and Packages::GoModuleVersion) to allow those URLs.

The check should probably be periodically repeated. I think Pages does this for custom domains?

Permissions and Security

Maybe reuse the package create/delete permissions?

Documentation

• user/packages/go_proxy/index.md
• development/packages.md
• api/packages.md

Availability & Testing

TODO

What does success look like, and how can we measure that?

Modules that use vanity URLs:

1. Can be fetched from the Go module proxy of the project they are defined by, pending !27746 (merged)
2. Are included in responses from the Package API and in the Package UI, pending #213770 (closed)

What is the type of buyer?

This is mostly a branding thing. I'm not sure if there's a particular level of buyer who would care most about this.

Is this a cross-stage feature?

Not sure.

Links / references

#210141, !27746 (merged), #27376 (closed)