feat: restore topic selection and per-CR job service account (0.2.8)

[sionsmith]

Summary

Two additive CRD features, released together as 0.2.8:

KafkaRestore.spec.topics — restore specific topics (#26)

The kafka-backup CLI has always honoured target.topics include/exclude filtering on restore, but the operator never exposed it — every restore pulled all topics from the backup. KafkaRestore now accepts the same TopicSelection the KafkaBackup CRD uses:

spec:
  topics:
    include:
      - "orders-*"          # glob, or "~orders-\d+" for regex
    exclude:
      - "*-internal"

Patterns match source topic names in the backup manifest, before topicMapping renames. Omitted = restore everything (unchanged default). Verified the pinned default image (kafka-backup:v0.15.6) supports this on both restore paths.

spec.template.pod.serviceAccountName on both CRDs (#27)

Backup/restore Jobs run in the CR's namespace but always referenced the operator-wide service account (BACKUP_JOB_SERVICE_ACCOUNT). Service accounts are namespace-scoped, so any CR outside the operator's namespace produced Jobs whose pods could never be created:

Error creating: pods "..." is forbidden: error looking up service account
kafka/strimzi-backup-operator: serviceaccount "strimzi-backup-operator" not found

Both CRDs now accept a per-resource override that takes precedence over the operator-wide default, applied uniformly to backup Jobs, restore Jobs, and scheduled CronJobs:

spec:
  template:
    pod:
      serviceAccountName: kafka-backup-jobs   # must exist in the CR's namespace

Compatibility

• Both fields are optional; omitting them produces byte-identical configs and job specs to 0.2.7.
• helm template output is unchanged for existing values (default and custom backupJobs.serviceAccountName).
• The chart-bundled CRDs (deploy/helm/.../crds/) are synced with the regenerated deploy/crds/. As usual, Helm only installs CRDs on first install — existing deployments should kubectl apply -f deploy/crds/ when upgrading.

Verification

• 46 cargo tests pass, including new builder- and config-level tests: topic selection emitted / omitted by default; SA override on Job, CronJob, and restore Job; fallback to the operator SA. cargo fmt --check, clippy (zero warnings), helm lint, and scripts/release-gate.sh all pass.
• End-to-end in a kind cluster with this branch's image helm-installed into backup-system:
  • KafkaBackup/KafkaRestore in a different namespace (kafka) with the SA override: Jobs created with the per-CR SA, pods scheduled (SuccessfulCreate) — previously a hard FailedCreate.
  • A CR in the operator's own namespace without the override still uses the operator SA — no regression for single-namespace installs.
  • Generated restore ConfigMap contains target.topics with the include/exclude lists; a spec.topics manifest that the API server previously rejected with unknown field now validates.

Follow-up (not in this PR)

A missing service account currently leaves the CR reporting the job as running while the Job controller retries pod creation forever. Worth a separate issue: surface FailedCreate Job events as a Ready=False condition.

Fixes #26. Fixes #27.

🤖 Generated with Claude Code