[mariadb][backup-v2] use granular backup/restore permissions

* remove unneeded privileges from the `backup` user
* add `replace_grants` user option: when `true`, revokes all existing privileges before re-granting
* add missing `serviceAccount` configuration for backup-v2 deployment
* `maria-back-me-up` updated to `10.11-20260401122106`

Author: s10

common/mariadb/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## v0.34.0 - 2026/04/01
+* remove unneeded privileges from the `backup` user
+* add `replace_grants` user option: when `true`, revokes all existing privileges before re-granting
+* add missing `serviceAccount` configuration for backup-v2 deployment
+* `maria-back-me-up` updated to `10.11-20260401122106`
+* chart version bumped
+
 ## v0.33.1 - 2026/03/27
 * updated sidecar image:
   * `mysqld-exporter` image updated to `0.19.0`

common/mariadb/Chart.yaml

@@ -2,7 +2,7 @@
 apiVersion: v2
 description: A Helm chart for Kubernetes
 name: mariadb
-version: 0.33.1
+version: 0.34.0
 # scripts/docker-entyrpoint.sh should be updated when appVersion is updated
 appVersion: 10.11.16
 dependencies:

common/mariadb/templates/backup-v2-deployment.yaml

@@ -54,6 +54,7 @@ spec:
 {{- include "mariadb_node_reinstall_affinity" . }}
 {{- end }}
       priorityClassName: {{ .Values.priority_class | default "critical-infrastructure" | quote }}
+      serviceAccountName: {{ .Values.name }}-db-backup-v2
       containers:
       - name: backup
         image: "{{ required ".Values.global.registryAlternateRegion is missing" .Values.global.registryAlternateRegion }}/{{ .Values.backup_v2.image }}:{{ .Values.backup_v2.image_version }}"

common/mariadb/templates/initdb/_init.sql.tpl

@@ -31,6 +31,9 @@ ALTER USER {{ include "mariadb.resolve_secret_squote" $username }} IDENTIFIED BY
     {{ $k | upper }} {{ $v }}
 {{- end }}
 {{- end }};
+        {{- if $values.replace_grants }}
+REVOKE ALL PRIVILEGES, GRANT OPTION FROM {{ include "mariadb.resolve_secret_squote" $username }}@'%';
+        {{- end }}
         {{- range $values.grants }}
 GRANT {{ . }} TO {{ include "mariadb.resolve_secret_squote" $username }};
         {{- end }}

common/mariadb/values.yaml

@@ -46,16 +46,36 @@ users:
   backup:
     name: backup
     password: null
+    replace_grants: true
     limits:
       max_user_connections: 4
     grants:
-      - ALL PRIVILEGES ON *.*
+      - ALTER ON *.*                    # restore
+      - BINLOG ADMIN ON *.*             # backup; PURGE BINARY LOGS
+      - BINLOG MONITOR ON *.*           # backup; --master-data=1 (SHOW MASTER STATUS)
+      - CREATE ON *.*                   # restore
+      - CREATE VIEW ON *.*              # restore
+      - DROP ON *.*                     # restore
+      - INDEX ON *.*                    # restore
+      - INSERT ON *.*                   # restore
+      - LOCK TABLES ON *.*              # backup & restore
+      - PROCESS ON *.*                  # backup
+      - REFERENCES ON *.*               # restore
+      - RELOAD ON *.*                   # backup
+      - REPLICATION SLAVE ADMIN ON *.*  # restore; CHANGE MASTER TO, RESET SLAVE
+      - REPLICATION SLAVE ON *.*        # backup; BinlogSyncer streams binlogs as a replica
+      - SELECT ON *.*                   # backup & restore
+      - SET USER ON *.*                 # restore; DEFINER= clauses (mysql.user view)
+      - SHOW VIEW ON *.*                # backup & restore
+      - SHUTDOWN ON *.*                 # restore
+      - TRIGGER ON *.*                  # backup & restore
 #  example:
 #    name: example1 # This looks repetitive, but the point is that they key is the name
 #                   # you refer to in your charts, while the field 'name' is the actual name
 #                   # used as credentials. It should be possible to change the latter,
 #                   # without having to change the first.
 #    password: null # Causes users not be be created, and even maybe to get locked
+#    replace_grants: false  # default; set to true to REVOKE ALL before re-granting
 #    grants:
 #    - ALL ON example.*
 
@@ -202,7 +222,7 @@ backup_v2:
   enabled: false
   backup_dir: "./backup"
   image: maria-back-me-up
-  image_version: "20260210150801"
+  image_version: "10.11-20260401122106"
   full_backup_cron_schedule: "0 0 * * *"
   incremental_backup_in_minutes: 5
   purge_binlog_after_minutes: 60