chore: dns quotas (#132)

zachsmith1 · web-flow · commit 473e47f0ccdc · 2025-12-10T11:05:53.000-08:00
This pull request introduces quota management for DNS resources in the
`dns.networking.miloapis.com` service. It adds resource registrations,
claim and grant policies, and organizes them using kustomize components
to ensure correct application order. The changes enable automatic quota
enforcement for DNS zones and record sets at the project and
organization level, with special handling for personal organizations.

Key changes:

**Quota System Structure and Organization**
- Added the `dns.networking.miloapis.com` service as a component to the
main `kustomization.yaml` to integrate DNS quota management into the
broader system.
- Introduced a new `quota` component for the DNS service, further split
into `registrations`, `grant-policies`, and `claim-policies`
subcomponents, each with their own kustomization files for resource
ordering.

**Resource Registration**
- Defined `ResourceRegistration` objects for `dnszones` and
`dnsrecordsets`, specifying how quota is counted and which resources can
claim against these quotas.

**Quota Policies**
- Added `ClaimCreationPolicy` resources for both `DNSZone` and
`DNSRecordSet`, enforcing that these resources must be labeled with
project and organization identifiers, and automatically generating quota
claims upon creation.
- Created a `GrantCreationPolicy` for allocating default DNS quotas to
projects in personal organizations, with specific limits for DNS zones
and record sets.
diff --git a/config/services/dns.networking.miloapis.com/kustomization.yaml b/config/services/dns.networking.miloapis.com/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+# Use explicit sorting options so we can guarantee order in which resources are
+# applied.
+sortOptions:
+  order: fifo
+
+components:
+  - quota/
+
+
diff --git a/config/services/dns.networking.miloapis.com/quota/claim-policies/dnsrecordset-claim-policy.yaml b/config/services/dns.networking.miloapis.com/quota/claim-policies/dnsrecordset-claim-policy.yaml
@@ -0,0 +1,28 @@
+apiVersion: quota.miloapis.com/v1alpha1
+kind: ClaimCreationPolicy
+metadata:
+  name: project-dnsrecordset-claim-policy
+  labels:
+    app.kubernetes.io/name: datum
+    app.kubernetes.io/component: quota-system
+spec:
+  trigger:
+    resource:
+      apiVersion: dns.networking.miloapis.com/v1alpha1
+      kind: DNSRecordSet
+  target:
+    resourceClaimTemplate:
+      metadata:
+        name: "dnsrecordset-{{ trigger.metadata.name }}"
+        namespace: "{{requestInfo.namespace}}"
+        labels:
+          app.kubernetes.io/name: datum
+          app.kubernetes.io/component: quota-system
+        annotations:
+          kubernetes.io/description: "Automatic quota claim for DNSRecordSet creation"
+      spec:
+        requests:
+          - resourceType: dns.networking.miloapis.com/dnsrecordsets
+            amount: 1
+
+
diff --git a/config/services/dns.networking.miloapis.com/quota/claim-policies/dnszone-claim-policy.yaml b/config/services/dns.networking.miloapis.com/quota/claim-policies/dnszone-claim-policy.yaml
@@ -0,0 +1,28 @@
+apiVersion: quota.miloapis.com/v1alpha1
+kind: ClaimCreationPolicy
+metadata:
+  name: project-dnszone-claim-policy
+  labels:
+    app.kubernetes.io/name: datum
+    app.kubernetes.io/component: quota-system
+spec:
+  trigger:
+    resource:
+      apiVersion: dns.networking.miloapis.com/v1alpha1
+      kind: DNSZone
+  target:
+    resourceClaimTemplate:
+      metadata:
+        name: "dnszone-{{ trigger.metadata.name }}"
+        namespace: "{{requestInfo.namespace}}"
+        labels:
+          app.kubernetes.io/name: datum
+          app.kubernetes.io/component: quota-system
+        annotations:
+          kubernetes.io/description: "Automatic quota claim for DNSZone creation"
+      spec:
+        requests:
+          - resourceType: dns.networking.miloapis.com/dnszones
+            amount: 1
+
+
diff --git a/config/services/dns.networking.miloapis.com/quota/claim-policies/kustomization.yaml b/config/services/dns.networking.miloapis.com/quota/claim-policies/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+# Use explicit sorting options so we can guarantee order in which resources are
+# applied.
+sortOptions:
+  order: fifo
+
+resources:
+  - dnszone-claim-policy.yaml
+  - dnsrecordset-claim-policy.yaml
+
+
diff --git a/config/services/dns.networking.miloapis.com/quota/grant-policies/kustomization.yaml b/config/services/dns.networking.miloapis.com/quota/grant-policies/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+# Use explicit sorting options so we can guarantee order in which resources are
+# applied.
+sortOptions:
+  order: fifo
+
+resources:
+  - personal-org-grant-policy.yaml
+
+
diff --git a/config/services/dns.networking.miloapis.com/quota/grant-policies/personal-org-grant-policy.yaml b/config/services/dns.networking.miloapis.com/quota/grant-policies/personal-org-grant-policy.yaml
@@ -0,0 +1,37 @@
+apiVersion: quota.miloapis.com/v1alpha1
+kind: GrantCreationPolicy
+metadata:
+  name: personal-organization-dns-quota-policy
+  labels:
+    app.kubernetes.io/name: datum
+    app.kubernetes.io/component: quota-system
+spec:
+  trigger:
+    resource:
+      apiVersion: resourcemanager.miloapis.com/v1alpha1
+      kind: Project
+  target:
+    parentContext:
+      apiGroup: "resourcemanager.miloapis.com"
+      kind: "Project"
+      nameExpression: "trigger.metadata.name"
+    resourceGrantTemplate:
+      metadata:
+        name: "default-dns-quota-{{ trigger.metadata.name }}"
+        namespace: milo-system
+        annotations:
+          kubernetes.io/description: "DNS quota allocation for Personal org project"
+      spec:
+        consumerRef:
+          apiGroup: resourcemanager.miloapis.com
+          kind: Project
+          name: "{{ trigger.metadata.name }}"
+        allowances:
+          - resourceType: dns.networking.miloapis.com/dnszones
+            buckets:
+              - amount: 25
+          - resourceType: dns.networking.miloapis.com/dnsrecordsets
+            buckets:
+              - amount: 500
+
+
diff --git a/config/services/dns.networking.miloapis.com/quota/kustomization.yaml b/config/services/dns.networking.miloapis.com/quota/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+# Use explicit sorting options so we can guarantee that resource registrations
+# are applied before grant / claim creation policies that reference the
+# resources being created.
+sortOptions:
+  order: fifo
+
+components:
+  - registrations/
+  - grant-policies/
+  - claim-policies/
+
+
diff --git a/config/services/dns.networking.miloapis.com/quota/registrations/dnsrecordset-registration.yaml b/config/services/dns.networking.miloapis.com/quota/registrations/dnsrecordset-registration.yaml
@@ -0,0 +1,32 @@
+apiVersion: quota.miloapis.com/v1alpha1
+kind: ResourceRegistration
+metadata:
+  name: dnsrecordsets-per-project
+  labels:
+    app.kubernetes.io/name: datum
+    app.kubernetes.io/component: quota-system
+spec:
+  # Project is the consumer of DNS record set quota
+  consumerType:
+    apiGroup: resourcemanager.miloapis.com
+    kind: Project
+
+  # Count-based quota for DNS record sets
+  type: Entity
+
+  # The resource type being managed
+  resourceType: dns.networking.miloapis.com/dnsrecordsets
+
+  description: "Maximum number of DNS record sets that can be created within a project"
+
+  # Simple counting units
+  baseUnit: recordset
+  displayUnit: recordsets
+  unitConversionFactor: 1
+
+  # DNSRecordSet resources can claim quota against this registration
+  claimingResources:
+    - apiGroup: dns.networking.miloapis.com
+      kind: DNSRecordSet
+
+
diff --git a/config/services/dns.networking.miloapis.com/quota/registrations/dnszone-registration.yaml b/config/services/dns.networking.miloapis.com/quota/registrations/dnszone-registration.yaml
@@ -0,0 +1,32 @@
+apiVersion: quota.miloapis.com/v1alpha1
+kind: ResourceRegistration
+metadata:
+  name: dnszones-per-project
+  labels:
+    app.kubernetes.io/name: datum
+    app.kubernetes.io/component: quota-system
+spec:
+  # Project is the consumer of DNS zone quota
+  consumerType:
+    apiGroup: resourcemanager.miloapis.com
+    kind: Project
+
+  # Count-based quota for DNS zones
+  type: Entity
+
+  # The resource type being managed
+  resourceType: dns.networking.miloapis.com/dnszones
+
+  description: "Maximum number of DNS zones that can be created within a project"
+
+  # Simple counting units
+  baseUnit: zone
+  displayUnit: zones
+  unitConversionFactor: 1
+
+  # DNSZone resources can claim quota against this registration
+  claimingResources:
+    - apiGroup: dns.networking.miloapis.com
+      kind: DNSZone
+
+
diff --git a/config/services/dns.networking.miloapis.com/quota/registrations/kustomization.yaml b/config/services/dns.networking.miloapis.com/quota/registrations/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+# Use explicit sorting options so we can guarantee order in which resources are
+# applied.
+sortOptions:
+  order: fifo
+
+resources:
+  - dnszone-registration.yaml
+  - dnsrecordset-registration.yaml
+
+
diff --git a/config/services/kustomization.yaml b/config/services/kustomization.yaml
@@ -10,4 +10,5 @@ sortOptions:
 
 components:
   - resourcemanager.miloapis.com/
-  - iam.miloapis.com/
+  - iam.miloapis.com/
+  - dns.networking.miloapis.com/
