[Misc]Fix static analysis issues

[pallasathena92]

What this PR does

• Fix staticcheck warnings across pkg/: deprecated APIs, redundant code, style violations
• Delete deprecated cipher.NewCFBEncrypter/NewCFBDecrypter with cipher.NewCTR in vault utils
• Replace deprecated io/ioutil with os package equivalents
• Remove redundant nil check before len() in configmap reconciler (S1009)
• Remove redundant return statement in OCI parallel upload (S1023)
• Use strings.EqualFold instead of manual strings.ToLower comparison (SA6005)
• Lowercase error strings per Go conventions (ST1005)
• Replace panic(err) with proper error return in CFBEncrypt

Deprecation ciper.NewCFBEncrypter/NewCFBDecrypter:

• CFB (Cipher Feedback):
  • Stream cipher mode — only provides confidentiality (encryption)
  • No integrity check — an attacker can flip bits in the ciphertext and you won't know
  • Decryption produces garbage silently if the ciphertext is tampered with
• GCM (Galois/Counter Mode):
  • AEAD mode — provides confidentiality + authentication + integrity
  • Includes an authentication tag — if anyone tampers with the ciphertext, gcm.Open() returns an error instead of silently decrypting garbage
  • This is why Go deprecated CFB and recommends AEAD modes

Simple example of the risk:
CFB: Encrypt("transfer $100") → attacker flips bits → Decrypt succeeds → "transfer $900"
GCM: Encrypt("transfer $100") → attacker flips bits → Decrypt fails → error returned

Why we need it

Fixes #556

How to test

Checklist

• Tests added/updated (if applicable)
• Docs updated (if applicable)
• make test passes locally

[gemini-code-assist]

Code Review

This pull request performs various refactors, such as replacing deprecated ioutil functions with os equivalents, optimizing string comparisons using strings.EqualFold, and standardizing error message casing. Feedback highlights a critical breaking change in the vault utility where switching from CFB to CTR encryption mode without renaming functions will break existing data decryption and lead to misleading API names. Additionally, it is recommended to return errors instead of panicking during JSON unmarshaling in the metrics aggregator to improve error handling.

[gemini-code-assist]

The implementation has been switched from CFB to CTR mode, but the function name CFBEncrypt (and CFBDecrypt at line 77) remains unchanged. This is misleading. More importantly, CTR and CFB are incompatible encryption modes; this change will break decryption for any data previously encrypted with the CFB implementation. If a migration to CTR is intended, the functions should be renamed and a transition plan for existing ciphertexts should be established. If compatibility is required, you should continue using CFB despite its deprecation, or use an AEAD mode like GCM with a proper migration.

[pallasathena92]

Go's deprecation message for CFB suggests CTR as a replacement only because CTR is the "least bad" unauthenticated stream mode (faster, parallelizable, FIPS-validated).
In the code, CFB Only called in util.go (definition) and util_test.go (tests). Zero production callers. No code ever encrypts data with CFB, so no encrypted data exists in the wild.
so deprecated it

[gemini-code-assist]

The function newMetricsAggregator returns an error as its second return value, but it currently panics when JSON unmarshaling fails. It is better practice to return the error to the caller instead of panicking, allowing for more graceful error handling.

Suggested change

	panic(fmt.Errorf("unable to unmarshall %v json string due to %w ", MetricsAggregatorConfigMapKeyName, err))
	return nil, fmt.Errorf("unable to unmarshall %v json string due to %w ", MetricsAggregatorConfigMapKeyName, err)