save

mist_infra/scripts/backup_k8s_storage_to_s3.sh

@@ -12,6 +12,7 @@ PG_POD_SELECTOR="app=postgres"
 
 K8S_STORAGE_ROOT="/k8s_storage"
 
+# NEVER touch Postgres raw data
 TAR_EXCLUDES=(
   "$K8S_STORAGE_ROOT/postgres"
 )
@@ -25,7 +26,7 @@ mkdir -p "$BACKUP_DIR"
 echo "=== Backup started at $(date -u) ==="
 
 # -----------------------------
-# Postgres pg_dump
+# Postgres pg_dump (SAFE)
 # -----------------------------
 if [[ "$PG_ENABLED" == "true" ]]; then
   echo "=== Postgres pg_dump enabled ==="
@@ -59,12 +60,15 @@ if [[ "$PG_ENABLED" == "true" ]]; then
 fi
 
 # -----------------------------
-# Normalise permissions (IMPORTANT)
+# Normalise permissions (EXCLUDING POSTGRES)
 # -----------------------------
-echo "=== Normalising permissions on $K8S_STORAGE_ROOT ==="
+echo "=== Normalising permissions (excluding Postgres) ==="
 
-# Ensure backup user can read everything, without breaking apps
+sudo find "$K8S_STORAGE_ROOT" \
-sudo chmod -R a+rX "$K8S_STORAGE_ROOT" || true
+  -mindepth 1 \
+  -maxdepth 1 \
+  ! -name postgres \
+  -exec chmod -R a+rX {} \; || true
 
 # -----------------------------
 # Build tar exclude args
@@ -75,7 +79,7 @@ for path in "${TAR_EXCLUDES[@]}"; do
 done
 
 # -----------------------------
-# Archive k8s storage (safe)
+# Archive k8s storage (SAFE)
 # -----------------------------
 echo "=== Archiving k8s storage ==="