From adf255e574e90a68218a304a43b43884b896ad37 Mon Sep 17 00:00:00 2001
From: Jun-te Kim <junte.kim@mealcraft.com>
Date: Sun, 14 Dec 2025 01:45:23 +0000
Subject: [PATCH] save

---
 mist_infra/scripts/backup_k8s_storage_to_s3.sh | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/mist_infra/scripts/backup_k8s_storage_to_s3.sh b/mist_infra/scripts/backup_k8s_storage_to_s3.sh
index afa59d7..4fb95a7 100644
--- a/mist_infra/scripts/backup_k8s_storage_to_s3.sh
+++ b/mist_infra/scripts/backup_k8s_storage_to_s3.sh
@@ -12,6 +12,7 @@ PG_POD_SELECTOR="app=postgres"
 
 K8S_STORAGE_ROOT="/k8s_storage"
 
+# NEVER touch Postgres raw data
 TAR_EXCLUDES=(
   "$K8S_STORAGE_ROOT/postgres"
 )
@@ -25,7 +26,7 @@ mkdir -p "$BACKUP_DIR"
 echo "=== Backup started at $(date -u) ==="
 
 # -----------------------------
-# Postgres pg_dump
+# Postgres pg_dump (SAFE)
 # -----------------------------
 if [[ "$PG_ENABLED" == "true" ]]; then
   echo "=== Postgres pg_dump enabled ==="
@@ -59,12 +60,15 @@ if [[ "$PG_ENABLED" == "true" ]]; then
 fi
 
 # -----------------------------
-# Normalise permissions (IMPORTANT)
+# Normalise permissions (EXCLUDING POSTGRES)
 # -----------------------------
-echo "=== Normalising permissions on $K8S_STORAGE_ROOT ==="
+echo "=== Normalising permissions (excluding Postgres) ==="
 
-# Ensure backup user can read everything, without breaking apps
-sudo chmod -R a+rX "$K8S_STORAGE_ROOT" || true
+sudo find "$K8S_STORAGE_ROOT" \
+  -mindepth 1 \
+  -maxdepth 1 \
+  ! -name postgres \
+  -exec chmod -R a+rX {} \; || true
 
 # -----------------------------
 # Build tar exclude args
@@ -75,7 +79,7 @@ for path in "${TAR_EXCLUDES[@]}"; do
 done
 
 # -----------------------------
-# Archive k8s storage (safe)
+# Archive k8s storage (SAFE)
 # -----------------------------
 echo "=== Archiving k8s storage ==="