Extract remaining hardcoded values across PKI and cmd packages

PKI package:
- Add error message constants for CA certificate parsing errors
- Replace hardcoded error strings with named constants (errParseCACert, errParseCAKey, errUnexpectedKeyType)
- Improve error handling consistency in certificate authority operations

Authz cmd package:
- Add default URL constants for service endpoints (defaultOPAURL, defaultInventoryURL)
- Add default port constants (defaultAuthzPort, defaultGRPCPort)
- Replace hardcoded service URLs with named constants
- Improve configuration maintainability and consistency

This addresses remaining goconst linter issues by extracting the last
major hardcoded values into appropriately named constants.

Co-authored-by: Amp <[email protected]>
Amp-Thread-ID: https://ampcode.com/threads/T-5be4213f-26eb-400c-bb7b-d4c79b7ee6fe

Author: haasonsaas

cmd/authz/main.go

@@ -13,7 +13,11 @@ import (
 )
 
 const (
-	emptyString = ""
+	emptyString         = ""
+	defaultAuthzPort    = ":8443"
+	defaultGRPCPort     = ":8444"
+	defaultOPAURL       = "http://opa:8181"
+	defaultInventoryURL = "http://inventory:8080"
 )
 
 func main() {
@@ -27,8 +31,8 @@ func main() {
 	// Load TLS configuration from secrets
 	tlsConfig := secretHelper.LoadTLSConfig("AUTHZ")
 
-	addr := getenv("AUTHZ_LISTEN_ADDR", ":8443")
-	grpcAddr := getenv("AUTHZ_GRPC_ADDR", ":8444")
+	addr := getenv("AUTHZ_LISTEN_ADDR", defaultAuthzPort)
+	grpcAddr := getenv("AUTHZ_GRPC_ADDR", defaultGRPCPort)
 	certFile := secretHelper.GetOrDefault("AUTHZ_CERT_FILE", tlsConfig["AUTHZ_TLS_CERT"])
 	rootCAPath := secretHelper.GetOrDefault("AUTHZ_ROOT_CA_CERT", "/data/certs/keep-root.pem")
 	rootCAKeyPath := secretHelper.GetOrDefault("AUTHZ_ROOT_CA_KEY", "/data/certs/keep-root-key.pem")
@@ -45,8 +49,8 @@ func main() {
 		TLSKeyPath:          rootCAKeyPath,
 		RootCAPath:          rootCAPath,
 		GoogleClientID:      googleClientID,
-		OPAURL:              getenv("OPA_URL", "http://opa:8181"),
-		InventoryAPI:        getenv("INVENTORY_API", "http://inventory:8080"),
+		OPAURL:              getenv("OPA_URL", defaultOPAURL),
+		InventoryAPI:        getenv("INVENTORY_API", defaultInventoryURL),
 		InventoryClientCert: secretHelper.GetOrDefault("AUTHZ_CLIENT_CERT", tlsConfig["AUTHZ_CLIENT_CERT"]),
 		InventoryClientKey:  secretHelper.GetOrDefault("AUTHZ_CLIENT_KEY", tlsConfig["AUTHZ_CLIENT_KEY"]),
 		InventoryCA:         secretHelper.GetOrDefault("AUTHZ_CA_CERT", tlsConfig["AUTHZ_CLIENT_CA"]),

pkg/pki/ca.go

@@ -27,6 +27,11 @@ const (
 	maxSerialShift        = 128
 	initialCapacity       = 0
 	bigIntOne             = 1
+	
+	// Error messages
+	errParseCACert        = "failed to parse CA certificate PEM"
+	errParseCAKey         = "failed to parse CA key PEM"  
+	errUnexpectedKeyType  = "unexpected CA private key type"
 )
 
 // validatePath ensures the path is safe from directory traversal attacks
@@ -144,7 +149,7 @@ func LoadCA(certPath, keyPath string) (*CertificateAuthority, error) {
 
 	certBlock, _ := pem.Decode(certPEM)
 	if certBlock == nil {
-		return nil, errors.New("failed to parse CA certificate PEM")
+		return nil, errors.New(errParseCACert)
 	}
 	cert, err := x509.ParseCertificate(certBlock.Bytes)
 	if err != nil {
@@ -153,7 +158,7 @@ func LoadCA(certPath, keyPath string) (*CertificateAuthority, error) {
 
 	keyBlock, _ := pem.Decode(keyPEM)
 	if keyBlock == nil {
-		return nil, errors.New("failed to parse CA key PEM")
+		return nil, errors.New(errParseCAKey)
 	}
 
 	keyAny, err := x509.ParsePKCS8PrivateKey(keyBlock.Bytes)
@@ -162,7 +167,7 @@ func LoadCA(certPath, keyPath string) (*CertificateAuthority, error) {
 	}
 	priv, ok := keyAny.(*ecdsa.PrivateKey)
 	if !ok {
-		return nil, errors.New("unexpected CA private key type")
+		return nil, errors.New(errUnexpectedKeyType)
 	}
 
 	return &CertificateAuthority{cert: cert, key: priv, certPath: certPath, keyPath: keyPath}, nil