Handle Operator API secret Updates

[BlairCurrey]

Currently we do not handle operator secret updates correctly. The operator is identified by the api secret from the config (coming from environment variable). As a result:

• If we update the operators api secret use it for subsequent api requests, we get a 401 instead of success.
• If we updated the operators api secret and use the original secret on subsequent requests, it works instead of 401ing.

We concluded that we do not want to support updates at run time due to the coordination required with the integration server operator to update on their end as well, and the infrequency of the need to rotate.

TODO:

• Disallow operator secret updates via admin api.
• Allow updating secret via environment variable by updating operator's secret database field to the config value on application start
• Document this behavior and note that it requires coordination with the integration sever operator, who needs to update the secret as well