fix: surface precise admission errors and clear stale ResourceClaims (#573)

## The bug

Ref: #512

Users occasionally saw

> `Error from server (Forbidden): ... Insufficient quota resources
available. Review your quota usage and reach out to support if you need
additional resources.`

when creating resources such as DNS record sets, even though their
project quota showed only a handful of resources in use (for example
6/500). The message was misleading because the admission plugin returned
it for *every* failure inside the ResourceClaim pipeline, not just
actual denials.

## Root cause

The `ResourceQuotaEnforcementPlugin` has three distinct failure paths,
all of which were collapsed into the same 403 body:

1. **Actual denial** — `AllowanceBucketController` marks `Granted=False`
with reason `QuotaExceeded`.
2. **Watch timeout** — the admission watch manager times out after 30 s
because the bucket controller is still reconciling, or grants are still
propagating.
3. **Stale `ResourceClaim`** — claim names are deterministic, so a
leftover claim from a prior admission timeout blocks every retry with
`AlreadyExists`. `DeniedAutoClaimCleanupController` only reaped `Denied`
claims, not pending/timed-out ones, so these orphans could linger
indefinitely.

Case 3 produced the "insufficient quota" message even when the user had
plenty of quota available, which is exactly what the reporter hit.

## The fix (one PR, three coordinated pieces)

### 1. Typed claim-failure kinds with distinct user-facing messages
`internal/quota/admission/errors.go` (new) introduces `claimFailure`
with four kinds: `Denied`, `Timeout`, `Conflict`, `Internal`.
`createAndWaitForResourceClaim` now returns these and
`processResourceWithPolicy` maps each to a warm, actionable 403 body:

| Kind | Message |
|---|---|
| Denied | _You've reached your quota for this resource type (...).
Delete unused resources to free up capacity, or contact support to
request a higher limit._ |
| Timeout | _Your request took too long to be checked against your
quota. Please try again in a moment — if this keeps happening, contact
support._ |
| Conflict | _We're still cleaning up from a previous attempt to create
this resource (...). Please try again in a few seconds._ |
| Internal | _Something went wrong while checking your quota for this
request. Please try again — if this keeps happening, contact support._ |

### 2. Pre-create handling of existing claims
Before `Create`, `createResourceClaim` now does a `Get` at the
deterministic name and branches:

| Existing claim state | Action |
|---|---|
| `Granted=True` | Short-circuit admission to allow (capacity already
reserved for this resource) |
| `Granted=False` / `QuotaExceeded` | Return `Conflict` so the user gets
a retry message, not "insufficient quota" |
| Pending or no condition | Delete inline, then Create a fresh claim |
| `AlreadyExists` on Create | Also mapped to `Conflict` |

Only auto-created claims (label `quota.miloapis.com/auto-created=true`)
are touched, so hand-authored claims sharing a name are never disturbed.

### 3. Garbage collection for stale pending auto-created claims
`DeniedAutoClaimCleanupController` now also deletes auto-created claims
that remain in a non-final state for longer than
`DefaultStalePendingClaimAge` (5 min, well above the 30 s admission
watch timeout). Fresh pending claims are requeued for the remaining time
rather than deleted, so in-flight admissions are never disturbed.
Denied-claim behavior is unchanged.

### Observability
New counter
`milo_quota_admission_existing_claim_resolution_total{resolution=...}`
tracks how often each pre-create path fires (`granted`, `denied`,
`deleted_pending`, `create_conflict`), so the stale-claim behavior is no
longer invisible.

## Files touched

- `internal/quota/admission/errors.go` (new)
- `internal/quota/admission/plugin.go`
- `internal/quota/admission/plugin_test.go`
- `internal/quota/controllers/lifecycle/cleanup.go`
- `internal/quota/controllers/lifecycle/cleanup_test.go` (new)

## Test plan

- [x] \`go test ./internal/quota/...\` passes locally
- [x] \`TestResolveExistingClaim\` covers granted short-circuit, denied
conflict, pending delete+recreate, and clean-slate create
- [x] \`TestUserFacingClaimError\` asserts each claim-failure kind
produces its expected message
- [x] \`TestClaimWaitScenarios\` extended with a \`timeout\` case (plus
the mock now matches \`watchManager.evaluateClaimStatus\` semantics)
- [x] \`TestDeniedAutoClaimCleanupController\` covers denied-deleted,
stale-pending-deleted, fresh-pending-requeued,
no-condition-pending-deleted, granted-ignored, and manual-ignored
- [x] Manual verification: create a DNS record set, kill the admission
plugin mid-flight to leave a pending claim, then retry and confirm the
retry succeeds rather than returning "insufficient quota"
- [x] Check the new
\`milo_quota_admission_existing_claim_resolution_total\` counter on a
staging cluster

Made with [Cursor](https://cursor.com)

Author: mattdjenkinson

internal/quota/admission/errors.go

@@ -0,0 +1,102 @@
+package admission
+
+import (
+	"errors"
+	"fmt"
+)
+
+// errAlreadyGranted is a sentinel returned by createResourceClaim when an
+// existing ResourceClaim with the predetermined name already has a Granted
+// condition set to True. Its capacity was reserved on a prior admission pass
+// and still applies to this resource, so admission can allow the request
+// without registering a watch waiter or issuing a new Create. Callers
+// compare against this value with == (the sentinel is never wrapped).
+var errAlreadyGranted = errors.New("ResourceClaim already granted")
+
+// claimFailureKind classifies why a ResourceClaim could not be resolved to a
+// Granted outcome during admission. It lets the admission plugin produce a
+// distinct, actionable user-facing message for each root cause rather than
+// collapsing every failure into "Insufficient quota".
+type claimFailureKind int
+
+const (
+	// claimFailureDenied indicates the AllowanceBucketController rejected the
+	// claim because there was not enough available capacity. This is the only
+	// case where "Insufficient quota" is accurate.
+	claimFailureDenied claimFailureKind = iota
+
+	// claimFailureTimeout indicates the claim was created but did not reach a
+	// final Granted condition within the admission plugin's watch timeout.
+	// Typical causes: bucket controller still reconciling, grants still
+	// propagating, or a slow control plane.
+	claimFailureTimeout
+
+	// claimFailureConflict indicates a ResourceClaim with the deterministic
+	// name already exists in a non-usable state (e.g., a previously denied
+	// claim that has not yet been garbage collected). The caller should retry
+	// after the GC controller deletes the stale claim.
+	claimFailureConflict
+
+	// claimFailureInternal covers template render failures, watch manager
+	// startup failures, dynamic client errors, and anything else that is not
+	// attributable to quota capacity.
+	claimFailureInternal
+)
+
+// claimFailure is the structured error returned from the claim creation/wait
+// pipeline. It carries a classification so the admission plugin can surface a
+// tailored message to the caller while still preserving the underlying error
+// for logs and traces.
+type claimFailure struct {
+	kind    claimFailureKind
+	reason  string // machine-readable reason (e.g. condition reason)
+	message string // user-facing message fragment (e.g. denial message)
+	cause   error  // wrapped error for logging/tracing
+}
+
+func (e *claimFailure) Error() string {
+	switch {
+	case e.message != "" && e.cause != nil:
+		return fmt.Sprintf("%s: %v", e.message, e.cause)
+	case e.message != "":
+		return e.message
+	case e.cause != nil:
+		return e.cause.Error()
+	default:
+		return fmt.Sprintf("claim failure (kind=%d)", e.kind)
+	}
+}
+
+func (e *claimFailure) Unwrap() error { return e.cause }
+
+// asClaimFailure unwraps a claimFailure from err if present. It returns the
+// claimFailure and true, or (nil, false) if err does not carry one.
+func asClaimFailure(err error) (*claimFailure, bool) {
+	var f *claimFailure
+	if errors.As(err, &f) {
+		return f, true
+	}
+	return nil, false
+}
+
+// newDeniedFailure constructs a claimFailure for an actual quota denial.
+func newDeniedFailure(reason, message string) *claimFailure {
+	return &claimFailure{kind: claimFailureDenied, reason: reason, message: message}
+}
+
+// newTimeoutFailure constructs a claimFailure for an admission watch timeout.
+func newTimeoutFailure(cause error) *claimFailure {
+	return &claimFailure{kind: claimFailureTimeout, cause: cause}
+}
+
+// newConflictFailure constructs a claimFailure for a pre-existing claim that
+// blocks retry (typically a denied claim awaiting GC).
+func newConflictFailure(message string, cause error) *claimFailure {
+	return &claimFailure{kind: claimFailureConflict, message: message, cause: cause}
+}
+
+// newInternalFailure constructs a claimFailure for infrastructure errors
+// (template render, watch manager, dynamic client, etc).
+func newInternalFailure(cause error) *claimFailure {
+	return &claimFailure{kind: claimFailureInternal, cause: cause}
+}