feat: add networking quota grant policies (#192)

## Summary

- Add GrantCreationPolicy for all 13 NSO user-facing resources
- Triggered on Project creation, allocates default quota amounts
- Single default tier (personal-level) — standard org overrides deferred
until org-type label propagation exists
- Companion to
datum-cloud/network-services-operator#129 which
defines the registrations and claim policies in the NSO repo

### Default quotas per project

| Resource | apiGroup | Amount |
|----------|----------|--------|
| Domain | `networking.datumapis.com` | 25 |
| HTTPProxy | `networking.datumapis.com` | 10 |
| TrafficProtectionPolicy | `networking.datumapis.com` | 0 (disabled) |
| Connector | `networking.datumapis.com` | 5 |
| ConnectorAdvertisement | `networking.datumapis.com` | 10 |
| Gateway | `gateway.networking.k8s.io` | 10 |
| HTTPRoute | `gateway.networking.k8s.io` | 25 |
| BackendTLSPolicy | `gateway.networking.k8s.io` | 10 |
| Backend | `gateway.envoyproxy.io` | 10 |
| BackendTrafficPolicy | `gateway.envoyproxy.io` | 10 |
| SecurityPolicy | `gateway.envoyproxy.io` | 10 |
| HTTPRouteFilter | `gateway.envoyproxy.io` | 10 |
| EndpointSlice | `discovery.k8s.io` | 25 |

Note: Domains aligned with existing DNS zone quota (25). HTTPProxies and
Gateways are 1-to-1 with each other (10).

## Test plan

- [ ] Verify kustomize build succeeds
- [ ] Deploy alongside NSO registrations/claim policies and verify grant
creation on project creation

Ref: datum-cloud/enhancements#664

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Author: zachsmith1

config/services/kustomization.yaml

@@ -12,4 +12,5 @@ components:
   - resourcemanager.miloapis.com/
   - iam.miloapis.com/
   - dns.networking.miloapis.com/
+  - networking.datumapis.com/
   - search.miloapis.com/

config/services/networking.datumapis.com/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+sortOptions:
+  order: fifo
+
+components:
+  - quota/

config/services/networking.datumapis.com/quota/grant-policies/default-project-grant-policy.yaml

@@ -0,0 +1,68 @@
+apiVersion: quota.miloapis.com/v1alpha1
+kind: GrantCreationPolicy
+metadata:
+  name: default-networking-quota-policy
+  labels:
+    app.kubernetes.io/name: datum
+    app.kubernetes.io/component: quota-system
+spec:
+  trigger:
+    resource:
+      apiVersion: resourcemanager.miloapis.com/v1alpha1
+      kind: Project
+  target:
+    parentContext:
+      apiGroup: "resourcemanager.miloapis.com"
+      kind: "Project"
+      nameExpression: "trigger.metadata.name"
+    resourceGrantTemplate:
+      metadata:
+        name: "default-networking-quota-{{ trigger.metadata.name }}"
+        namespace: milo-system
+        annotations:
+          kubernetes.io/description: "Networking quota allocation for project"
+      spec:
+        consumerRef:
+          apiGroup: resourcemanager.miloapis.com
+          kind: Project
+          name: "{{ trigger.metadata.name }}"
+        allowances:
+          - resourceType: networking.datumapis.com/domains
+            buckets:
+              - amount: 25
+          - resourceType: networking.datumapis.com/httpproxies
+            buckets:
+              - amount: 10
+          - resourceType: networking.datumapis.com/trafficprotectionpolicies
+            buckets:
+              - amount: 0
+          - resourceType: networking.datumapis.com/connectors
+            buckets:
+              - amount: 5
+          - resourceType: networking.datumapis.com/connectoradvertisements
+            buckets:
+              - amount: 10
+          - resourceType: gateway.networking.k8s.io/gateways
+            buckets:
+              - amount: 10
+          - resourceType: gateway.networking.k8s.io/httproutes
+            buckets:
+              - amount: 25
+          - resourceType: gateway.networking.k8s.io/backendtlspolicies
+            buckets:
+              - amount: 10
+          - resourceType: gateway.envoyproxy.io/backends
+            buckets:
+              - amount: 10
+          - resourceType: gateway.envoyproxy.io/backendtrafficpolicies
+            buckets:
+              - amount: 10
+          - resourceType: gateway.envoyproxy.io/securitypolicies
+            buckets:
+              - amount: 10
+          - resourceType: gateway.envoyproxy.io/httproutefilters
+            buckets:
+              - amount: 10
+          - resourceType: discovery.k8s.io/endpointslices
+            buckets:
+              - amount: 25

config/services/networking.datumapis.com/quota/grant-policies/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+sortOptions:
+  order: fifo
+
+resources:
+  - default-project-grant-policy.yaml

config/services/networking.datumapis.com/quota/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+# Use explicit sorting options so we can guarantee that grant creation
+# policies are applied correctly.
+sortOptions:
+  order: fifo
+
+components:
+  - grant-policies/