Summary
The crm-note-contact-lifecycle chainsaw test consistently fails with:
Insufficient quota resources available
The test is currently skipped (via spec.skip: true) pending a proper fix.
Root Cause
Notes created outside a project context (directly in a chainsaw namespace) never receive a populated ConsumerRef on their ResourceClaim, which means quota can never be granted.
Trace through the quota system:
-
internal/quota/admission/plugin.go:694-703 — ConsumerRef on the ResourceClaim is only set when projectID is non-empty in the admission context. If the request comes in without a project context, ConsumerRef is empty.
-
internal/quota/controllers/core/bucket.go:132-135 — AllowanceBucket matches ResourceGrant by exact ConsumerRef.Kind + ConsumerRef.Name. With an empty ConsumerRef, no grant can ever match the bucket.
-
The test creates Note resources directly in the chainsaw namespace — no Organization → Project hierarchy, no project kubeconfig, no project ID in the request context.
Required Fix
Two changes are needed:
1. Add a GrantCreationPolicy for Notes
Add a GrantCreationPolicy in config/services/quota/ (alongside the existing ones for other resource types) that auto-creates a ResourceGrant for notes when a Project is created. This ensures every project gets note quota automatically.
2. Refactor the test to use a full project hierarchy
The crm-note-contact-lifecycle test needs to be rewritten to follow the same pattern as note-multicluster-subject and clusternote-multicluster-subject:
- Create an Organization in the main cluster
- Create a Project in the org control plane
- Create Notes in the project control plane (using a
project cluster kubeconfig)
This ensures the admission plugin can extract a projectID from the request context and populate ConsumerRef on the ResourceClaim.
References
Summary
The
crm-note-contact-lifecyclechainsaw test consistently fails with:The test is currently skipped (via
spec.skip: true) pending a proper fix.Root Cause
Notes created outside a project context (directly in a chainsaw namespace) never receive a populated
ConsumerRefon theirResourceClaim, which means quota can never be granted.Trace through the quota system:
internal/quota/admission/plugin.go:694-703—ConsumerRefon theResourceClaimis only set whenprojectIDis non-empty in the admission context. If the request comes in without a project context,ConsumerRefis empty.internal/quota/controllers/core/bucket.go:132-135—AllowanceBucketmatchesResourceGrantby exactConsumerRef.Kind+ConsumerRef.Name. With an emptyConsumerRef, no grant can ever match the bucket.The test creates
Noteresources directly in the chainsaw namespace — no Organization → Project hierarchy, no project kubeconfig, no project ID in the request context.Required Fix
Two changes are needed:
1. Add a
GrantCreationPolicyfor NotesAdd a
GrantCreationPolicyinconfig/services/quota/(alongside the existing ones for other resource types) that auto-creates aResourceGrantfor notes when aProjectis created. This ensures every project gets note quota automatically.2. Refactor the test to use a full project hierarchy
The
crm-note-contact-lifecycletest needs to be rewritten to follow the same pattern asnote-multicluster-subjectandclusternote-multicluster-subject:projectcluster kubeconfig)This ensures the admission plugin can extract a
projectIDfrom the request context and populateConsumerRefon theResourceClaim.References
internal/quota/admission/plugin.go:694-703internal/quota/controllers/core/bucket.go:132-135test/notes/note-multicluster-subject/