fix: add gcs compatibility flag to fix s3proxy GCS SigV4 signature mismatch

The AWS SDK v2 includes Accept-Encoding in SigV4 signed headers
which causes GCS to return a SignatureDoesNotMatch error because
GCS rewrites that header internally before verifying the signature.

Add a --gcs-compatibility / VGW_S3_GCS_COMPATIBILITY option for the s3proxy
backend that injects two Smithy finalize-layer middlewares: one removes
Accept-Encoding from the request immediately before the Signing step, and
a second restores it after signing so the header is still sent on the wire.

see: https://github.com/aws/aws-sdk-go-v2/issues/1816

This can be removed once GCS fixes this incompatibility.
Ben McClelland
2026-04-14 10:53:26 -07:00
parent 393477aafd
commit 9816c2fdb3
4 changed files with 86 additions and 2 deletions


@@ -33,6 +33,7 @@ var (
s3proxySslSkipVerify bool
s3proxyUsePathStyle bool
s3proxyDebug bool
s3proxyGCSCompatibility bool
)
func s3Command() *cli.Command {
@@ -121,13 +122,20 @@ to an s3 storage backend service.`,
EnvVars: []string{"VGW_S3_DEBUG"},
Destination: &s3proxyDebug,
},
&cli.BoolFlag{
Name: "gcs-compatibility",
Usage: "enable GCS S3 compatibility mode",
Value: false,
EnvVars: []string{"VGW_S3_GCS_COMPATIBILITY"},
Destination: &s3proxyGCSCompatibility,
},
},
}
}
func runS3(ctx *cli.Context) error {
be, err := s3proxy.New(ctx.Context, s3proxyAccess, s3proxySecret, s3proxyEndpoint, s3proxyRegion,
s3proxyMetaBucket, s3proxyAnonymousCredentials, s3proxyDisableChecksum, s3proxyDisableDataIntegrityCheck, s3proxySslSkipVerify, s3proxyUsePathStyle, s3proxyDebug)
s3proxyMetaBucket, s3proxyAnonymousCredentials, s3proxyDisableChecksum, s3proxyDisableDataIntegrityCheck, s3proxySslSkipVerify, s3proxyUsePathStyle, s3proxyDebug, s3proxyGCSCompatibility)
if err != nil {
return fmt.Errorf("init s3 backend: %w", err)
}
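Review bot: The `Usage` text of the new `gcs-compatibility` flag, "enable GCS S3 compatibility mode", does not tell an operator that the flag changes what SigV4 signs. Going by the commit description, the header is removed before signing and restored afterwards, so it goes out on the wire unsigned; the help text could say so, for example `Usage: "GCS compatibility: leave Accept-Encoding out of the SigV4 signed headers (the header is still sent)",`. Separately, the `s3proxy.New` call in `runS3` now ends in a long run of positional flags, at least four of them declared `bool` in the var block above, with `s3proxySslSkipVerify` in the middle. A transposed argument would still compile and could silently flip TLS verification, so an options struct with named fields would be a safer follow-up. `runS3` continues past the end of this hunk, and the `s3proxy.New` signature is not visible here.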