Add low level api cookie passing

What does this MR do and why?

Adds low level cookie passing functionality in API calls that previously ignored the "gitlab_canary" cookie.

How to set up and validate locally

1. Execute an end-to-end test that features an API call with the QA_COOKIES ENV variable set.

   CHROME_HEADLESS=false QA_COOKIES=gitlab_canary=true bundle exec bin/qa Test::Instance::All http://localhost:3000 qa/specs/features/browser_ui/3_create/merge_request/create_merge_request_spec.rb

2. Open Chrome devtools and inspect the Cookie values in the header of the API call(s)
3. Alternatively, you could install a proxy such as mitmproxy to inspect traffic.

    brew install mitmproxy

These methods can be difficult to track and implement due to the speed of the tests. You may need to insert pauses within the test to more easily capture the network calls. Wireshark is another option that would capture even calls missed through devtools. The other alternative is to run the test locally using pry-byebug and inserting breakpoints/stepping through the test and inspecting the values.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

• I have evaluated the MR acceptance checklist for this MR.

Closes #343654 (closed)

qa/qa/support/api.rb

@@ -23,7 +23,7 @@ def post(url, payload, args = {})
             verify_ssl: false
           }
 
-          RestClient::Request.execute(default_args.merge(args))
+          RestClient::Request.execute(default_args.merge(with_canary(args)))
         rescue StandardError => e
           return_response_or_raise(e)
         end
@@ -37,21 +37,22 @@ def get(url, args = {})
             verify_ssl: false
           }
 
-          RestClient::Request.execute(
-            default_args.merge(args)
-          )
+          RestClient::Request.execute(default_args.merge(with_canary(args)))
         rescue StandardError => e
           return_response_or_raise(e)
         end
       end
 
-      def patch(url, payload = nil)
+      def patch(url, payload = nil, args = {})
         with_retry_on_too_many_requests do
-          RestClient::Request.execute(
+          default_args = {
             method: :patch,
             url: url,
             payload: payload,
-            verify_ssl: false)
+            verify_ssl: false
+          }
+
+          RestClient::Request.execute(default_args.merge(with_canary(args)))
         rescue StandardError => e
           return_response_or_raise(e)
         end
@@ -66,7 +67,7 @@ def put(url, payload = nil, args = {})
             verify_ssl: false
           }
 
-          RestClient::Request.execute(default_args.merge(args))
+          RestClient::Request.execute(default_args.merge(with_canary(args)))
         rescue StandardError => e
           return_response_or_raise(e)
         end
@@ -98,6 +99,14 @@ def masked_url(url)
         url.sub(/private_token=[^&]*/, "private_token=[****]")
       end
 
+      # Merges the gitlab_canary cookie into existing cookies for mixed environment testing.
+      #
+      # @param [Hash] args the existing args passed to method
+      # @return [Hash] args or args with merged canary cookie if it exists
+      def with_canary(args)
+        args.deep_merge(cookies: QA::Runtime::Env.canary_cookie)
+      end
+
       def with_retry_on_too_many_requests
         response = nil