Geo secondary proxying with unified URLs on Staging

Background

As decided in #325732 (comment 712711610), we're going forward with Geo secondary proxying for unified URLs by default, when configured, and separate URLs under a feature flag.

In &6418 (closed), we're also discussing asking teams to smoke test their features on the Staging Geo site.

Thus, we want to enable unified URLs for the Staging Geo setup, meaning both primary and secondary sites in Geo will have the external_url https://staging.gitlab.com, and traffic can be directed to either one.

Proposals

To enable this, there are a few approaches we could take, to make gstg-geo use unified URLs:

1. Implement a mechanism similar to canary that would route only specific requests to the Geo site instead of the primary (which we could potentially reuse at a later point to implement a transparent Geo site for prod as @fzimmer suggested a while ago), based on something like username, cookie etc
2. Use something like an IP allowlist and direct traffic based on this at the Cloudflare (not sure if possible, as it's "just DNS"), or load-balancer level.
3. Take the plunge and direct all staging traffic through the Geo site (potentially disruptive to QA tests, scaling problems since gstg-geo is 1 single node)

Short term potential solutions

1. Ask people to manually rewrite staging.gitlab.com to the IP of geo.staging.gitlab.com in /etc/hosts when testing and then we change the external_url.

/cc @mkozono @nhxnguyen