Increase nginx-ingress + oauth2_proxy to replicas=2

nginx-ingress and oauth2_proxy are expected to be in the serving path,
and so should be redundant to single-machine failure (as per the BKPR
default HA target).

Accordingly:
- increase replicas for each to 2
- add (weak) host/zone/region anti-affinity
- configure a `PodDisruptionBudget` that ensures at least 1 replica of
  each is healthy before draining a node.

Fixes #373

manifests/components/nginx-ingress.jsonnet

@@ -18,6 +18,7 @@
  */
 
 local kube = import "../lib/kube.libsonnet";
+local utils = import "../lib/utils.libsonnet";
 
 local NGNIX_INGRESS_IMAGE = (import "images.json")["nginx-ingress-controller"];
 
@@ -141,11 +142,23 @@ local NGNIX_INGRESS_IMAGE = (import "images.json")["nginx-ingress-controller"];
 
   hpa: kube.HorizontalPodAutoscaler($.p + "nginx-ingress-controller") + $.metadata {
     target: $.controller,
-    spec+: {maxReplicas: 10},
+    spec+: {
+      // Put a cap on growth due to (eg) DoS attacks.
+      // Large sites will want to increase this to cover legitimate demand.
+      maxReplicas: 10,
+    },
+  },
+
+  pdb: kube.PodDisruptionBudget($.p + "nginx-ingress-controller") + $.metadata {
+    target_pod: $.controller.spec.template,
+    spec+: {minAvailable: $.controller.spec.replicas - 1},
   },
 
   controller: kube.Deployment($.p + "nginx-ingress-controller") + $.metadata {
+    local this = self,
     spec+: {
+      // Ensure at least n+1.  NB: HPA will increase replicas dynamically.
+      replicas: 2,
       template+: {
         metadata+: {
           annotations+: {
@@ -158,6 +171,7 @@ local NGNIX_INGRESS_IMAGE = (import "images.json")["nginx-ingress-controller"];
           serviceAccountName: $.serviceAccount.metadata.name,
           //hostNetwork: true, // access real source IPs, IPv6, etc
           terminationGracePeriodSeconds: 60,
+          affinity+: utils.weakNodeDiversity(this.spec.selector),
           containers_+: {
             default: kube.Container("nginx") {
               image: NGNIX_INGRESS_IMAGE,

manifests/components/oauth2-proxy.jsonnet

@@ -18,6 +18,7 @@
  */
 
 local kube = import "../lib/kube.libsonnet";
+local utils = import "../lib/utils.libsonnet";
 
 local OAUTH2_PROXY_IMAGE = (import "images.json")["oauth2_proxy"];
 
@@ -44,13 +45,26 @@ local OAUTH2_PROXY_IMAGE = (import "images.json")["oauth2_proxy"];
 
   hpa: kube.HorizontalPodAutoscaler($.p + "oauth2-proxy") + $.metadata {
     target: $.deploy,
-    spec+: {maxReplicas: 10},
+    spec+: {
+      // Put a cap on growth due to (eg) DoS attacks.
+      // Large sites will want to increase this to cover legitimate demand.
+      maxReplicas: 10,
+    },
+  },
+
+  pdb: kube.PodDisruptionBudget($.p + "oauth2-proxy") + $.metadata {
+    target_pod: $.deploy.spec.template,
+    spec+: {minAvailable: $.deploy.spec.replicas - 1},
   },
 
   deploy: kube.Deployment($.p + "oauth2-proxy") + $.metadata {
+    local this = self,
     spec+: {
+      // Ensure at least n+1.  NB: HPA will increase replicas dynamically.
+      replicas: 2,
       template+: {
         spec+: {
+          affinity+: utils.weakNodeDiversity(this.spec.selector),
           containers_+: {
             proxy: kube.Container("oauth2-proxy") {
               image: OAUTH2_PROXY_IMAGE,

manifests/lib/utils.libsonnet

@@ -45,6 +45,24 @@ local kube = import "kube.libsonnet";
     std.join(".", tail)
   ),
 
+  // affinity=weakNodeDiversity to Try to spread across separate
+  // nodes/zones (for fault-tolerance)
+  weakNodeDiversity(selector):: {
+    podAntiAffinity+: {
+      preferredDuringSchedulingIgnoredDuringExecution+: [{
+        weight: 70,
+        podAffinityTerm: {
+          labelSelector: selector,
+          topologyKey: k,
+        },
+      } for k in [
+        "kubernetes.io/hostname",
+        "failure-domain.beta.kubernetes.io/zone",
+        "failure-domain.beta.kubernetes.io/region",
+      ]],
+    },
+  },
+
   TlsIngress(name):: kube.Ingress(name) {
     local this = self,
     metadata+: {