
Use Google CDN if enabled for CI job artifacts

Stan Hu requested to merge sh-enable-google-cdn into master

What does this MR do and why?

This builds upon !96336 (merged) to provide configuration support and hooks to serve CI artifacts via Google CDN if it is configured in front of a Google Cloud Storage bucket.

This is currently behind the ci_job_artifacts_cdn feature flag.

Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/360462

How to set up and validate locally

As described in https://gitlab.com/gitlab-org/container-registry/-/issues/535#note_792288038:

Setting up Google CDN

  1. Created a GCS test bucket.
  2. Followed https://cloud.google.com/cdn/docs/setting-up-cdn-with-bucket to create an HTTPS load balancer with a static IP. I let Google create the HTTPS certs and assigned the domain stanhu-cdn.example.org.
  3. Registered the load balancer IP with that domain.
  4. Continued https://cloud.google.com/cdn/docs/using-signed-urls with registering a signing key and giving permissions to the bucket.

Testing this merge request

  1. Create a GCS VM and install the latest GitLab nightly build.
  2. Per https://docs.gitlab.com/ee/administration/object_storage.html#google-example-with-adc-consolidated-form, I had to stop the VM and grant it "Allow full access to all Cloud APIs".
  3. Tweaked the default service account permissions by limiting access with Service Account Token Creator and giving it access to read/write storage buckets.
  4. Enabled IAM Service Account Credentials API in https://console.cloud.google.com/apis/library/iamcredentials.googleapis.com. (This wasn't documented; I ran into error messages before I enabled it).
  5. Download the latest nightly build and apply this patch. In my Omnibus config, I have:

```ruby
external_url 'https://gitlab.example.com'
gitlab_rails['object_store']['enabled'] = true
gitlab_rails['object_store']['connection'] = {
    'provider' => 'Google',
    'google_project' => 'stan-redacted',
    'google_application_default' => true
}
gitlab_rails['object_store']['proxy_download'] = false

bucket = 'stanhu-test'
gitlab_rails['object_store']['objects']['artifacts']['bucket'] = "#{bucket}/artifacts"

gitlab_rails['object_store']['objects']['artifacts']['cdn'] = {
  'provider' => 'Google',
  'url' => 'https://stanhu-cdn.example.org',
  'key_name' => 'stanhu-key',
  'key' => '<REDACTED KEY>'
}

gitlab_rails['object_store']['objects']['external_diffs']['bucket'] = "#{bucket}/external_diffs"
gitlab_rails['object_store']['objects']['lfs']['bucket'] = "#{bucket}/lfs"
gitlab_rails['object_store']['objects']['uploads']['bucket'] = "#{bucket}/uploads"
gitlab_rails['object_store']['objects']['packages']['bucket'] = "#{bucket}/packages"
gitlab_rails['object_store']['objects']['dependency_proxy']['bucket'] = "#{bucket}/dependency_proxy"
gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = "#{bucket}/terraform_state"
gitlab_rails['object_store']['objects']['ci_secure_files']['bucket'] = "#{bucket}/ci_secure_files"
```

  6. Enable the feature flag: Feature.enable(:ci_job_artifacts_cdn).

  7. Use the artifacts API (e.g. https://stanhu.example.org/api/v4/projects/2/jobs/4/artifacts) to download the file. Notice the URL has the CDN.

  8. Check that /var/log/gitlab/gitlab-rails/api_json.log has meta.artifact_used_cdn:

```json
  "meta.feature_category": "build_artifacts",
  "meta.user": "root",
  "meta.project": "root/simple-ci",
  "meta.root_namespace": "root",
  "meta.client_id": "user/1",
  "meta.artifact_size": 209,
  "meta.artifact_used_cdn": true,
```

  9. If you use a runner within Google Cloud (or localhost), you'll notice meta.artifact_used_cdn is omitted because a CDN is not needed.
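The two behaviours the validation steps above exercise, a signed CDN URL in front of the bucket and skipping the CDN for a client that is already inside Google Cloud or on localhost, as a stand-alone Ruby example. This is added here and is not code from this MR or from GitLab; it follows Google's documented Cloud CDN signed-URL scheme (HMAC-SHA1 over the URL plus Expires and KeyName, base64url-encoded, with the key itself base64url-decoded first). The key, key name, CDN hostname and the "Google" IP ranges are constructed placeholders, and every helper name is this example's own.

```ruby
require 'base64'
require 'ipaddr'
require 'openssl'
require 'uri'

# Constructed sample values (the MR's real key is redacted and its key name is
# deployment-specific): a 16-byte key, base64url-encoded the way Google's docs
# generate CDN signing keys, plus a placeholder CDN hostname.
SAMPLE_KEY_NAME = 'example-key'
SAMPLE_KEY      = Base64.urlsafe_encode64((0..15).map(&:chr).join.b)
SAMPLE_CDN_URL  = 'https://cdn.example.org'

# Placeholder CIDRs standing in for Google Cloud's published IP ranges; a real
# deployment would load Google's published list instead of hard-coding these.
SAMPLE_GOOGLE_RANGES = %w[203.0.113.0/24 2001:db8:1::/48].map { |c| IPAddr.new(c) }

# Google Cloud CDN signed URL scheme (as documented by Google):
#   url_to_sign = url + ("?" or "&") + "Expires=<unix time>&KeyName=<key name>"
#   signature   = base64url(HMAC-SHA1(base64url_decode(key), url_to_sign))
#   signed_url  = url_to_sign + "&Signature=" + signature
def sign_cdn_url(url, key_name:, key:, expires_at:)
  query = URI.parse(url).query
  separator = query.nil? || query.empty? ? '?' : '&'
  url_to_sign = "#{url}#{separator}Expires=#{expires_at.to_i}&KeyName=#{key_name}"
  "#{url_to_sign}&Signature=#{hmac_b64url(key, url_to_sign)}"
end

def hmac_b64url(key, data)
  Base64.urlsafe_encode64(OpenSSL::HMAC.digest('SHA1', Base64.urlsafe_decode64(key), data))
end

# Constant-time comparison so a verifier does not leak how many leading
# signature bytes matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What the CDN edge checks before serving: the HMAC over everything preceding
# "&Signature=" must match, and Expires must still lie in the future.
def valid_cdn_url?(signed_url, key:, now: Time.now)
  url_to_sign, sep, signature = signed_url.rpartition('&Signature=')
  return false if sep.empty?
  return false unless constant_time_equal?(hmac_b64url(key, url_to_sign), signature)

  params = URI.decode_www_form(URI.parse(url_to_sign).query.to_s).to_h
  params.key?('Expires') && now.to_i < params['Expires'].to_i
end

# The behaviour in step 9: a runner inside Google Cloud (or on localhost)
# reaches the bucket directly, so no CDN URL is issued for it.
def cdn_needed?(client_ip, google_ranges: SAMPLE_GOOGLE_RANGES)
  ip = IPAddr.new(client_ip)
  return false if ip.loopback?

  google_ranges.none? { |range| range.include?(ip) }
end

# Decide per request and return the same marker the MR logs as
# meta.artifact_used_cdn (absent when the CDN was skipped).
def artifact_download(client_ip, bucket_url, cdn_url, key_name:, key:, now: Time.now)
  return { url: bucket_url } unless cdn_needed?(client_ip)

  path = URI.parse(bucket_url).path
  { url: sign_cdn_url("#{cdn_url}#{path}", key_name: key_name, key: key, expires_at: now + 600),
    artifact_used_cdn: true }
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now
  result = artifact_download('198.51.100.9', 'https://storage.example.org/artifacts/4/artifacts.zip',
                             SAMPLE_CDN_URL, key_name: SAMPLE_KEY_NAME, key: SAMPLE_KEY, now: now)
  puts result[:url]
  puts "valid now: #{valid_cdn_url?(result[:url], key: SAMPLE_KEY, now: now)}"
  puts "valid in 11 minutes: #{valid_cdn_url?(result[:url], key: SAMPLE_KEY, now: now + 660)}"
end
```

Run it with ruby and compare the printed URL with the shape the artifacts API returns in step 7: the CDN hostname replaces the bucket hostname, and Expires, KeyName and Signature are appended. Any change to the path, the key name or the expiry after signing makes valid_cdn_url? return false, which is what lets the CDN hand out a short-lived link without the bucket being publicly readable.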

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Stan Hu
