DEV Community: m1s1ma The latest articles on DEV Community by m1s1ma (@m1s1ma). https://dev.to/m1s1ma https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4002925%2Faf7d5987-ebbb-4673-a8ba-bdda4c59a2c2.jpg DEV Community: m1s1ma https://dev.to/m1s1ma en Generating and publishing Go gRPC stubs as separate modules via GitLab CI/CD m1s1ma Thu, 25 Jun 2026 19:53:15 +0000 https://dev.to/m1s1ma/generating-and-publishing-go-grpc-stubs-as-separate-modules-via-gitlab-cicd-48b2 https://dev.to/m1s1ma/generating-and-publishing-go-grpc-stubs-as-separate-modules-via-gitlab-cicd-48b2 <h1> Setting up gRPC stub generation for Go and connecting them as a module </h1> <p>Keeping proto contracts in a single repository is convenient, but pulling the entire thing into every service is not. Let's walk through how to automatically generate Go stubs from proto files, version them as standalone Go modules, and publish them via GitLab CI/CD. Bonus: Swagger documentation and GitLab Pages.</p> <p>Everything described here targets private free-tier GitLab. For self-hosted, paid plans, or public repositories the setup is considerably simpler — a number of the limitations simply don't apply.</p> <h2> Notes before you start </h2> <p>The approach requires some dev environment setup: standard SSH access to the repository and a few environment variables on each developer's machine:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">GOPRIVATE</span><span class="o">=</span>gitlab.com/your-group <span class="nv">GOPROXY</span><span class="o">=</span>direct <span class="nv">GONOSUMDB</span><span class="o">=</span>gitlab.com/your-group </code></pre> </div> <p>Services that consume the stubs will need a vendor directory — both for local runs and in pipelines during linting, testing, and builds. This is because Go can't download private modules from GitLab without additional auth configuration bypassing the proxy.</p> <p>In CI environments, access is handled via <code>CI_JOB_TOKEN</code>. A typical <code>before_script</code> for services consuming the stubs looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">default</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">golang:${GO_VERSION}</span> <span class="na">cache</span><span class="pi">:</span> <span class="na">key</span><span class="pi">:</span> <span class="s">go-mod</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">go/pkg/mod</span> <span class="pi">-</span> <span class="s">.cache/go-build</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">go version</span> <span class="pi">-</span> <span class="s">git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/".insteadOf "https://gitlab.com/"</span> <span class="pi">-</span> <span class="s">go env -w GOPRIVATE=gitlab.com/chichilaki</span> <span class="pi">-</span> <span class="s">go env -w GONOSUMDB=gitlab.com/chichilaki</span> <span class="pi">-</span> <span class="s">go mod vendor</span> </code></pre> </div> <h2> Repository structure </h2> <p>Create the following groups and repositories:</p> <ul> <li> <code>group/proto</code> — proto contracts; the only repository you'll edit by hand.</li> <li> <code>group/proto-stubs</code> — a group for generated stubs; create the repositories inside it ahead of time, empty.</li> <li> <code>group/proto-stubs/common</code>, <code>group/proto-stubs/user</code>, <code>group/proto-stubs/admin</code>, etc. — one repository per module.</li> <li> <code>group/service</code> — any service that consumes the stubs.</li> </ul> <h2> Stub repositories </h2> <p>Each stub gets its own Go module repository. In my case there's a contract for shared entities (<code>common</code>) and contracts for services: <code>user</code>, <code>admin</code>, <code>runner</code>.</p> <p><strong>Configuring access for CI_JOB_TOKEN</strong></p> <p>Since every service uses <code>CI_JOB_TOKEN</code> in its pipeline to access stub repositories, you need to explicitly allow that access.</p> <p>For each stub repository, go to <code>Settings -&gt; CI/CD -&gt; Job token permissions</code> and add the proto contracts repository and the group containing services that consume the stubs.</p> <p>One important nuance: if some stubs depend on others — for example, <code>admin</code> imports <code>common</code> — you also need to add the stub repositories group to the access settings of <code>admin.git</code>. Otherwise <code>go get</code> in CI will fail with an authentication error, and the reason won't be obvious at all.</p> <blockquote> <p><strong>Paid and self-hosted GitLab</strong> lets you grant access at the group level — everything is configured in one place.</p> </blockquote> <p><strong>Why <code>.git</code> in the module name</strong></p> <p>The module name includes a <code>.git</code> suffix:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gitlab.com/chichilaki/mgs/proto-go-stubs/common.git </code></pre> </div> <p>This is intentional. When resolving a module path from GitLab, Go can't figure out on its own where the repository path ends and the in-repo package path begins. The <code>.git</code> suffix gives it an explicit hint. Without it, <code>go get</code> will try to fetch module metadata from the wrong path and fail.</p> <h2> Proto contracts repository </h2> <p>This is the repository that triggers the stub generation and publishing pipeline.</p> <h3> Versioning </h3> <p>The publish job runs only for branches named <code>vX.X.X</code>. On publish, a matching tag is created in the stub repository. This means the branch name in the proto repo directly becomes the Go module version. Want to release <code>v1.2.3</code> — create a branch called <code>v1.2.3</code> and run the pipeline.</p> <h3> Setting up a Personal Access Token </h3> <blockquote> <p><strong>Note:</strong> GitLab Next recently added the ability to configure <code>CI_JOB_TOKEN</code> access for pushing to repositories — worth checking, this step may soon become unnecessary.</p> </blockquote> <p>In the free tier of GitLab you can't issue an access token scoped to a group of repositories, so we use a Personal Access Token instead.</p> <p>Go to Profile Settings -&gt; Access Tokens and create a token with the following permissions: <code>api</code>, <code>read_api</code>, <code>read_repository</code>, <code>write_repository</code>. The token is shown only once — save it immediately.</p> <p>Then in the proto contracts repository: Settings -&gt; CI/CD -&gt; Variables. Create a variable with:</p> <ul> <li>type: <code>Variable</code> </li> <li>visibility: <code>Masked and hidden</code> </li> <li>flag: <code>Protected</code> </li> </ul> <p>If there are multiple developers on the team — each person creates their own token and their own variable, e.g. <code>CI_PUSH_TOKEN_USERNAME</code>. In the pipeline, the right token is selected via <code>rules</code> with a condition on <code>GITLAB_USER_LOGIN</code> — more on that below.</p> <h3> Setting up Branch Rules </h3> <p>To make protected variables available outside the main branch: Settings -&gt; Repository -&gt; Branch Rules -&gt; Add rule. The mask <code>v*</code> gives any branch starting with <code>v</code> access to protected variables and tokens. Without this step, the pipeline on branch <code>v1.0.0</code> simply won't see the token.</p> <h2> buf configuration </h2> <p><code>buf.yaml</code> describes dependencies and linting rules; <code>buf.gen.yaml</code> covers the generation plugins.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">// buf.yaml</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v2</span> <span class="na">deps</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">buf.build/googleapis/googleapis</span> <span class="pi">-</span> <span class="s">buf.build/grpc-ecosystem/grpc-gateway</span> <span class="na">lint</span><span class="pi">:</span> <span class="na">use</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">STANDARD</span> <span class="na">breaking</span><span class="pi">:</span> <span class="na">use</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">FILE</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">// buf.gen.yaml</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v2</span> <span class="na">plugins</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">local</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">go"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">run"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">google.golang.org/protobuf/cmd/protoc-gen-go@v1.36.11"</span><span class="pi">]</span> <span class="na">out</span><span class="pi">:</span> <span class="s">gen/go</span> <span class="pi">-</span> <span class="na">local</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">go"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">run"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.6.1"</span><span class="pi">]</span> <span class="na">out</span><span class="pi">:</span> <span class="s">gen/go</span> <span class="pi">-</span> <span class="na">local</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">go"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">run"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-grpc-gateway@v2.29.0"</span><span class="pi">]</span> <span class="na">out</span><span class="pi">:</span> <span class="s">gen/go</span> <span class="pi">-</span> <span class="na">local</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">go"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">run"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2@v2.29.0"</span><span class="pi">]</span> <span class="na">out</span><span class="pi">:</span> <span class="s">gen/openapiv2</span> <span class="na">opt</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">output_format=json</span> <span class="pi">-</span> <span class="s">allow_merge=false</span> </code></pre> </div> <p>In <code>buf.gen.yaml</code> we use <code>local</code> with <code>go run</code> instead of a globally installed <code>protoc</code> and plugins — Go will download the required versions on first run. This eliminates version mismatch issues between developer machines and CI.</p> <p>Both files are included in full in the appendix.</p> <h3> Proto file examples </h3> <p>The <code>go_package</code> option must include the <code>.git</code> suffix — that's how Go will resolve the module import:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight protobuf"><code><span class="c1">// common.proto</span> <span class="na">syntax</span> <span class="o">=</span> <span class="s">"proto3"</span><span class="p">;</span> <span class="kn">package</span> <span class="nn">common</span><span class="o">.</span><span class="n">v1</span><span class="p">;</span> <span class="k">option</span> <span class="na">go_package</span> <span class="o">=</span> <span class="s">"gitlab.com/chichilaki/mgs/proto-go-stubs/common.git/v1"</span><span class="p">;</span> </code></pre> </div> <p>For service contracts with grpc-gateway HTTP annotations and Swagger options, the structure looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight protobuf"><code><span class="c1">// admin.proto</span> <span class="na">syntax</span> <span class="o">=</span> <span class="s">"proto3"</span><span class="p">;</span> <span class="kn">package</span> <span class="nn">admin</span><span class="o">.</span><span class="n">v1</span><span class="p">;</span> <span class="k">option</span> <span class="na">go_package</span> <span class="o">=</span> <span class="s">"gitlab.com/chichilaki/mgs/proto-go-stubs/admin.git/v1"</span><span class="p">;</span> <span class="k">import</span> <span class="s">"common/v1/common.proto"</span><span class="p">;</span> <span class="k">import</span> <span class="s">"google/api/annotations.proto"</span><span class="p">;</span> <span class="k">import</span> <span class="s">"protoc-gen-openapiv2/options/annotations.proto"</span><span class="p">;</span> <span class="k">option</span> <span class="p">(</span><span class="n">grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger</span><span class="p">)</span> <span class="o">=</span> <span class="p">{</span> <span class="n">info</span><span class="o">:</span> <span class="p">{</span> <span class="n">title</span><span class="o">:</span> <span class="s">"Control Plane ADMIN API"</span><span class="p">;</span> <span class="n">version</span><span class="o">:</span> <span class="s">"1.0"</span><span class="p">;</span> <span class="p">};</span> <span class="n">security_definitions</span><span class="o">:</span> <span class="p">{</span> <span class="n">security</span><span class="o">:</span> <span class="p">{</span> <span class="n">key</span><span class="o">:</span> <span class="s">"Bearer"</span><span class="p">;</span> <span class="n">value</span><span class="o">:</span> <span class="p">{</span> <span class="n">type</span><span class="o">:</span> <span class="n">TYPE_API_KEY</span><span class="p">;</span> <span class="n">in</span><span class="o">:</span> <span class="n">IN_HEADER</span><span class="p">;</span> <span class="n">name</span><span class="o">:</span> <span class="s">"Authorization"</span><span class="p">;</span> <span class="n">description</span><span class="o">:</span> <span class="s">"Admin Bearer token"</span><span class="p">;</span> <span class="p">};</span> <span class="p">};</span> <span class="p">};</span> <span class="n">security</span><span class="o">:</span> <span class="p">{</span> <span class="n">security_requirement</span><span class="o">:</span> <span class="p">{</span> <span class="n">key</span><span class="o">:</span> <span class="s">"Bearer"</span><span class="p">;</span> <span class="p">}</span> <span class="p">};</span> <span class="p">};</span> <span class="kd">service</span> <span class="n">AdminService</span> <span class="p">{</span> <span class="k">rpc</span> <span class="n">ListRunners</span><span class="p">(</span><span class="n">ListRunnersRequest</span><span class="p">)</span> <span class="k">returns</span> <span class="p">(</span><span class="n">ListRunnersResponse</span><span class="p">)</span> <span class="p">{</span> <span class="k">option</span> <span class="p">(</span><span class="n">google.api.http</span><span class="p">)</span> <span class="o">=</span> <span class="p">{</span> <span class="n">get</span><span class="o">:</span> <span class="s">"/v1/runners"</span> <span class="p">};</span> <span class="p">}</span> <span class="k">rpc</span> <span class="n">GetRunnerStatus</span><span class="p">(</span><span class="n">GetRunnerStatusRequest</span><span class="p">)</span> <span class="k">returns</span> <span class="p">(</span><span class="n">GetRunnerStatusResponse</span><span class="p">)</span> <span class="p">{</span> <span class="k">option</span> <span class="p">(</span><span class="n">google.api.http</span><span class="p">)</span> <span class="o">=</span> <span class="p">{</span> <span class="n">get</span><span class="o">:</span> <span class="s">"/v1/runners/{runner_id.runner_id}/status"</span> <span class="p">};</span> <span class="p">}</span> <span class="c1">// ...</span> <span class="p">}</span> </code></pre> </div> <h2> CI/CD pipeline </h2> <p>The proto repository pipeline has three stages: <code>lint</code>, <code>generate</code>, <code>commit</code>. The full version is in the appendix.</p> <h3> The generate job </h3> <p>Runs <code>buf generate</code>, then creates a <code>go.mod</code> with the correct module name (including <code>.git</code>) for each module. Artifacts are passed to the next job via <code>artifacts.paths</code>.</p> <p>Key detail: <code>go mod init</code> is only called if <code>go.mod</code> doesn't already exist, to avoid overwriting the file on re-runs. Otherwise the module would be re-initialized on every run and lose its dependencies.</p> <h3> The commit-generated job </h3> <p>Clones each target repository, replaces its contents with the generated files, copies <code>swagger.json</code>, updates dependencies via <code>go mod tidy</code>, commits, and creates a version tag.</p> <p>Token selection per user is handled via <code>rules</code> with a condition on <code>GITLAB_USER_LOGIN</code> — this lets each developer use their own Personal Access Token without sharing it with teammates:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH =~ /^v\d+\.\d+\.\d+$/</span> <span class="na">variables</span><span class="pi">:</span> <span class="na">PROTO_VERSION</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH</span> <span class="na">when</span><span class="pi">:</span> <span class="s">never</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$GITLAB_USER_LOGIN == "End1essRage"</span> <span class="na">variables</span><span class="pi">:</span> <span class="na">PUSH_TOKEN</span><span class="pi">:</span> <span class="s">$CI_PUSH_TOKEN</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$GITLAB_USER_LOGIN == "stivvhuys"</span> <span class="na">variables</span><span class="pi">:</span> <span class="na">PUSH_TOKEN</span><span class="pi">:</span> <span class="s">$CI_PUSH_TOKEN_GENGAVSOV</span> <span class="pi">-</span> <span class="na">when</span><span class="pi">:</span> <span class="s">never</span> </code></pre> </div> <p>If <code>PUSH_TOKEN</code> ends up empty — the job fails in <code>before_script</code> with an explicit error rather than a cryptic <code>403</code> somewhere mid-script. This is an intentional check.</p> <p>For modules that depend on <code>common</code>, the script explicitly adds a <code>require</code> with the correct version:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$module</span><span class="s2">"</span> <span class="o">!=</span> <span class="s2">"common"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span>go get gitlab.com/chichilaki/mgs/proto-go-stubs/common.git@<span class="nv">$PROTO_VERSION</span> <span class="k">fi</span> </code></pre> </div> <p>This matters: without an explicit <code>go get</code> with the tag, <code>go mod tidy</code> will pull in <code>latest</code> instead of the version we just published.</p> <h2> The service consuming stubs </h2> <p>Let's look at the consumer side — a service that wants to host its own Swagger documentation, serve it over HTTP, and interact with the API through Swagger UI.</p> <h3> Embedding swagger.json via go:embed </h3> <p>A <code>docs</code> package is created at the project root:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">docs</span> <span class="k">import</span> <span class="n">_</span> <span class="s">"embed"</span> <span class="c">//go:embed control-plane-admin.swagger.json</span> <span class="k">var</span> <span class="n">AdminSwaggerJSON</span> <span class="p">[]</span><span class="kt">byte</span> <span class="c">//go:embed control-plane-user.swagger.json</span> <span class="k">var</span> <span class="n">UserSwaggerJSON</span> <span class="p">[]</span><span class="kt">byte</span> </code></pre> </div> <p>Imported in <code>main.go</code> as a side-effect:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">import</span> <span class="n">_</span> <span class="s">"gitlab.com/chichilaki/mgs/control-plane/docs"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">mux</span><span class="o">.</span><span class="n">HandleFunc</span><span class="p">(</span><span class="s">"/swagger/admin/doc.json"</span><span class="p">,</span> <span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">w</span><span class="o">.</span><span class="n">Header</span><span class="p">()</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"Content-Type"</span><span class="p">,</span> <span class="s">"application/json"</span><span class="p">)</span> <span class="n">_</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="n">w</span><span class="o">.</span><span class="n">Write</span><span class="p">(</span><span class="n">docs</span><span class="o">.</span><span class="n">AdminSwaggerJSON</span><span class="p">)</span> <span class="p">})</span> <span class="n">mux</span><span class="o">.</span><span class="n">HandleFunc</span><span class="p">(</span><span class="s">"/swagger/user/doc.json"</span><span class="p">,</span> <span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">w</span><span class="o">.</span><span class="n">Header</span><span class="p">()</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"Content-Type"</span><span class="p">,</span> <span class="s">"application/json"</span><span class="p">)</span> <span class="n">_</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="n">w</span><span class="o">.</span><span class="n">Write</span><span class="p">(</span><span class="n">docs</span><span class="o">.</span><span class="n">UserSwaggerJSON</span><span class="p">)</span> <span class="p">})</span> </code></pre> </div> <p><code>go:embed</code> compiles the files directly into the binary — no separate static file serving needed, and no risk of the documentation going out of sync with the code.</p> <h3> Syncing swagger.json </h3> <p>Documentation is synced in three places: a pre-commit hook, a Taskfile, and the service CI pipeline. The logic is the same in all three: clone the stub repository into a temp directory, grab <code>v1/&lt;service&gt;.swagger.json</code>, and put it in <code>docs/</code>.</p> <p>Locally we use SSH; in CI — <code>CI_JOB_TOKEN</code>. The corresponding Taskfile and CI configs are in the appendix.</p> <h3> Local stack: Traefik + Swagger UI </h3> <p>Brought up via Compose. Note: the <code>BASE_URL</code> in the Swagger UI config and the <code>PathPrefix</code> in the Traefik rule must match — otherwise the UI will load but won't be able to resolve its own assets.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">swagger-ui</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">swaggerapi/swagger-ui:v5.9.0</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">BASE_URL</span><span class="pi">:</span> <span class="s">/swagger</span> <span class="na">URLS</span><span class="pi">:</span> <span class="pi">&gt;</span> <span class="s">[</span> <span class="s">{ "url": "/cp-swagger/swagger/admin/doc.json", "name": "ADMIN control-plane" },</span> <span class="s">{ "url": "/cp-swagger/swagger/user/doc.json", "name": "USER control-plane" }</span> <span class="s">]</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.swagger.rule=Host(`localhost`)</span><span class="nv"> </span><span class="s">&amp;&amp;</span><span class="nv"> </span><span class="s">PathPrefix(`/swagger`)"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.swagger.entrypoints=web"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.services.swagger.loadbalancer.server.port=8080"</span> </code></pre> </div> <p>Service route with <code>/cp</code> prefix stripping:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">control-plane</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="c1"># ===== API =====</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.cp-api.rule=Host(`localhost`)</span><span class="nv"> </span><span class="s">&amp;&amp;</span><span class="nv"> </span><span class="s">PathPrefix(`/cp`)"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.cp-api.entrypoints=web"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.cp-api.service=cp"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.middlewares.cp-strip.stripprefix.prefixes=/cp"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.cp-api.middlewares=cp-strip"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.services.cp.loadbalancer.server.port=9100"</span> <span class="c1"># Enable health check for the load balancer</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.services.cp.loadbalancer.healthcheck.path=/health"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.services.cp.loadbalancer.healthcheck.interval=10s"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.services.cp.loadbalancer.healthcheck.timeout=3s"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.services.cp.loadbalancer.healthcheck.scheme=http"</span> <span class="c1"># Swagger proxy via Traefik</span> <span class="c1"># ===== SWAGGER =====</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.cp-swagger.rule=Host(`localhost`)</span><span class="nv"> </span><span class="s">&amp;&amp;</span><span class="nv"> </span><span class="s">PathPrefix(`/cp-swagger`)"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.cp-swagger.entrypoints=web"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.cp-swagger.service=cp-swagger"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.middlewares.cp-swagger-strip.stripprefix.prefixes=/cp-swagger"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.cp-swagger.middlewares=cp-swagger-strip"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.services.cp-swagger.loadbalancer.server.port=9100"</span> </code></pre> </div> <h2> Bonus: GitLab Pages with Swagger UI </h2> <p>It's handy to have documentation available not just locally but at a permanent URL. GitLab Pages solves this without any separate hosting — just put the artifacts in a <code>public</code> folder.</p> <p>The <code>pages</code> job creates the <code>public</code> folder, places the swagger files there, and generates an <code>index.html</code> with a CDN-hosted Swagger UI. It runs on <code>master</code> and <code>dev</code> branches. The full job is in the appendix.</p> <p>CI: fetch-swagger + pages<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">fetch-swagger</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">prepare</span> <span class="na">image</span><span class="pi">:</span> <span class="s">alpine:latest</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apk add --no-cache git</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">mkdir -p docs</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">for REPO in admin user; do</span> <span class="s">git clone --depth 1 \</span> <span class="s">"https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/chichilaki/mgs/proto-go-stubs/${REPO}.git" \</span> <span class="s">"/tmp/${REPO}"</span> <span class="s">cp "/tmp/${REPO}/v1/${REPO}.swagger.json" "docs/control-plane-${REPO}.swagger.json"</span> <span class="s">rm -rf "/tmp/${REPO}"</span> <span class="s">done</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docs/*.swagger.json</span> <span class="na">pages</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">pages</span> <span class="na">image</span><span class="pi">:</span> <span class="s">alpine:latest</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">mkdir -p public/docs</span> <span class="pi">-</span> <span class="s">cp docs/*.swagger.json public/docs/ || echo "No swagger files"</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">cat &gt; public/index.html &lt;&lt; 'EOF'</span> <span class="s">&lt;!DOCTYPE html&gt;</span> <span class="s">&lt;html&gt;</span> <span class="s">&lt;head&gt;</span> <span class="s">&lt;title&gt;API Documentation&lt;/title&gt;</span> <span class="s">&lt;meta charset="UTF-8"&gt;</span> <span class="s">&lt;link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/swagger-ui-dist@5/swagger-ui.css"&gt;</span> <span class="s">&lt;/head&gt;</span> <span class="s">&lt;body&gt;</span> <span class="s">&lt;div id="swagger-ui"&gt;&lt;/div&gt;</span> <span class="s">&lt;script src="https://cdn.jsdelivr.net/npm/swagger-ui-dist@5/swagger-ui-bundle.js"&gt;&lt;/script&gt;</span> <span class="s">&lt;script src="https://cdn.jsdelivr.net/npm/swagger-ui-dist@5/swagger-ui-standalone-preset.js"&gt;&lt;/script&gt;</span> <span class="s">&lt;script&gt;</span> <span class="s">window.onload = function() {</span> <span class="s">window.ui = SwaggerUIBundle({</span> <span class="s">urls: [</span> <span class="s">{ url: "./docs/control-plane-admin.swagger.json", name: "Admin API" },</span> <span class="s">{ url: "./docs/control-plane-user.swagger.json", name: "User API" }</span> <span class="s">],</span> <span class="s">dom_id: '#swagger-ui',</span> <span class="s">deepLinking: true,</span> <span class="s">presets: [SwaggerUIBundle.presets.apis, SwaggerUIStandalonePreset],</span> <span class="s">layout: "StandaloneLayout"</span> <span class="s">});</span> <span class="s">}</span> <span class="s">&lt;/script&gt;</span> <span class="s">&lt;/body&gt;</span> <span class="s">&lt;/html&gt;</span> <span class="s">EOF</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">public</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == "master"</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">$CI_COMMIT_BRANCH == "dev"</span> </code></pre> </div> <h2> Conclusion </h2> <p>Here's what we end up with: proto contracts in a single repository, automatic stub generation and publishing triggered by creating a branch like <code>v1.0.0</code>, separate Go modules per service, Swagger documentation as part of the same pipeline, and Pages with a UI for browsing it.</p> <p>The main challenge with free-tier GitLab is token management. On a paid plan or self-hosted, most of that overhead disappears: you can grant access at the group level and use a single token. But even as described, everything works reliably.</p> go devops cicd grpc