feat(update-security-json): Update security.json when secret is updated

[mcarroll1]

This feature is targeting this issue

• Added Ovewrite flag (defaults to false). If flag is true, setup-zk initContainer will check applied security.json against version in the secret and apply if there is a diff
• Updated descriptions about maxPodsUnavailable, as negative numbers don't appear to be work
• Was running into issues with GINGKO_PARAMS when running integration tests, so added a default

The integration test is a bit blunt, but I wasn't sure how to demonstrate auth being applied. I tried creating a curl pod to curl solr, but was facing issues connecting to the two. I ended up changing the auth that the operator connects to solr with as a means of demonstrating.

The test takes a couple minutes to run. Please give any feedback on what I could do differently there. You can see the curl attempt in 1a7bb57. Also I'm unsure if I updated the CRD correctly, as it's generating some unexpected diffs.

This feature is important to the CI for my team, hence me adding two features around security.json in short order.

[gerlowskija]

Hey @mcarroll1 - sorry this sat for awhile before I was able to give it a look 😬

The code here looks pretty good IMO 👍. Aside from the few comments I left, the biggest thing that jumps out to me are "docs" - we've got a number of places that discuss our security.json support, and those will definitely need updated. Let me kick the tires a bit and think through the functionality before you tackle any of that though; I still need to think a bit deeper about the overall approach for my review to be worth much haha.

Hoping to chime back in here sometime next week with more thorough thoughts.

[gerlowskija]

[-0] If I'm reading this right, the YAML path for this property would be .solrSecurity.bootstrapSecurityJson.bootstrapSecurityJson?

Would have to think a bit about how to fix it, but the redundancy there feels like it'd be confusing to users IMO.

[mcarroll1]

Agreed, this is a bit ugly. I'll wait for resolution on the naming change before changing this

[gerlowskija]

[0] I'm a bit torn on the CRD/interface for this functionality. Continuing to have "bootstrap" in the name feels a little misleading if this becomes something that isn't just about initial creation.

But is it worth the hassle of deprecating this section and creating a nearly identical one with a clearer name, idk.

Ignore my musing here, just thinking aloud.

[gerlowskija]

[Q] I guess the unmatched ] is a bash syntax error that pre-exists your PR? I wonder how we didn't notice it sooner: presumably it would've caused errors for the initContainer or elsewhere?

Anyways, great catch!

[gerlowskija]

[Q] Am I reading this correctly, that the first two blocks both upload the JSON and only differ in the message they echo out? There might be a better way to structure that to avoid the duplication...

[mcarroll1]

Agreed that this bit of bash could probably be optimized. I don't immediately see a way of re-arranging the conditions. Maybe I can just create function that takes "message" as an input?

[gerlowskija]

[0] I've run into the "RAW_GINKGO unset" error before but was never sure whether it was a bad/unnecessary assumption made by the script, or whether it indicated an actual environmental issue on my part.

I don't understand the GINKGO stuff in general well enough to chime in. Curious if you had any thoughts @HoustonPutman ?