This patch introduces a new component that can be used to restrict all
ingress resources to a predefined set of whitelisted IP addresses. This
reduces the duplication in ingress objects for the same rule sets over
and over again.

This patch adjusts the component for oauth2-proxy to also include a
patching mechism for all kustomize-defined Ingress objects to be
restricted.

The first patch that "adds" `{}` to `/metadata/labels` would replace any
existing labels resulting in unexpected behaviour. Instead we rely on
the preexistence of the labels field in the namespace.

This patch moves from labelSelectors to matchExpressions since they are
immune to kustomize commonLabels, which prevents them from being
overwritten by accident.

References:
https://github.com/kubernetes-sigs/kustomize/issues/157
https://github.com/kubernetes-sigs/kustomize/issues/1009

This patch should help to make sure, that nothing uses plaintext
signatures.

The usage of the trusted-ip config resulted in a security incident that
allowed access to any oauth2-proxy protected endpoint without requiring
authentication.

Thankfully all significant endpoints had been protected by additional
measures such as network restrictions and are therefore not affected.
Only the prometheus and alertmanager endpoints have been exposed to the
public internet, but are not exposing sensitive data beyond metrics.

A check of the relevant logs didn't provide any indication of
compromise.

This patch adjusts the central oauth2-proxy resource to use
`topologySpreadConstraints` instead of using `podAntiAffinity`. This
helps with reducing the risk of Pending Pods e.g. during updates when
also a pod config is adjusted.