From 8538ca6e0b48caf0367cc81cc91d0d5c71e15845 Mon Sep 17 00:00:00 2001
From: shenlan <manbuzhe2009@qq.com>
Date: Sun, 14 Sep 2025 18:03:22 +0800
Subject: [PATCH] fix: ensure arm64 offline package uses arm images

---
 .../offline-package-k3s-installer.yaml        | 17 ++++++++
 scripts/make_k3s_offline_package.sh           | 43 +++++++++----------
 2 files changed, 38 insertions(+), 22 deletions(-)

diff --git a/.github/workflows/offline-package-k3s-installer.yaml b/.github/workflows/offline-package-k3s-installer.yaml
index e1f5227..45a2cbe 100644
--- a/.github/workflows/offline-package-k3s-installer.yaml
+++ b/.github/workflows/offline-package-k3s-installer.yaml
@@ -57,6 +57,23 @@ jobs:
             chmod +x scripts/make_k3s_offline_package.sh
             ./scripts/make_k3s_offline_package.sh
 
+      - name: Validate airgap image tar
+        run: |
+          set -euo pipefail
+          TAR="k3s-offline-package/images/k3s-airgap-images-${{ matrix.arch }}.tar"
+          tmp=$(mktemp -d)
+          tar -xf "$TAR" -C "$tmp" manifest.json
+          configs=$(jq -r '.[].Config' "$tmp/manifest.json")
+          for cfg in $configs; do
+            tar -xf "$TAR" -C "$tmp" "$cfg"
+            arch=$(jq -r '.architecture' "$tmp/$cfg")
+            if [ "$arch" != "${{ matrix.arch }}" ]; then
+              echo "unexpected arch $arch in $cfg" >&2
+              exit 1
+            fi
+          done
+          rm -rf "$tmp"
+
       - name: Pack final installer
         run: |
           set -euo pipefail
diff --git a/scripts/make_k3s_offline_package.sh b/scripts/make_k3s_offline_package.sh
index abd33a6..530feb5 100644
--- a/scripts/make_k3s_offline_package.sh
+++ b/scripts/make_k3s_offline_package.sh
@@ -59,7 +59,13 @@ pull_and_save_images() {
   log "拉取核心镜像（runtime=$rt）…"
   case "$rt" in
     docker)
-      for i in "${imgs[@]}"; do docker pull --platform=linux/${ARCH} "$i"; done
+      for i in "${imgs[@]}"; do
+        docker rmi -f "$i" >/dev/null 2>&1 || true
+        docker pull --platform=linux/${ARCH} "$i"
+        local arch
+        arch=$(docker image inspect "$i" --format '{{.Architecture}}')
+        [[ "$arch" == "$ARCH" ]] || err "镜像 $i 架构不匹配：$arch"
+      done
       log "保存镜像 → $out_tar"
       docker save -o "$out_tar" "${imgs[@]}"
       ;;
@@ -70,6 +76,20 @@ pull_and_save_images() {
       ;;
   esac
   [[ -s "$out_tar" ]] || err "未生成镜像包：$out_tar"
+
+  if command -v jq >/dev/null 2>&1; then
+    local tmp cfg arch_in_tar
+    tmp=$(mktemp -d)
+    tar -xf "$out_tar" -C "$tmp" manifest.json
+    for cfg in $(jq -r '.[].Config' "$tmp/manifest.json"); do
+      tar -xf "$out_tar" -C "$tmp" "$cfg"
+      arch_in_tar=$(jq -r '.architecture' "$tmp/$cfg")
+      [[ "$arch_in_tar" == "$ARCH" ]] || err "镜像包架构不匹配：$arch_in_tar"
+    done
+    rm -rf "$tmp"
+  else
+    log "jq 未安装，跳过镜像包架构校验"
+  fi
 }
 
 write_node_exporter_yaml() {
@@ -211,27 +231,6 @@ check_images(){
   fi
 }
 
-check_images(){
-  echo "[INFO] 验证已加载镜像架构"
-  local out
-  out=$(sudo nerdctl --namespace k8s.io --address /run/k3s/containerd/containerd.sock images -a --format '{{.Repository}}:{{.Tag}} {{.ID}} {{.Platform}}')
-  echo "$out"
-  if echo "$out" | awk '{print $3}' | grep -v "linux/${ARCH}" >/dev/null; then
-    echo "[ERROR] 发现非 ${ARCH} 架构镜像" >&2
-    exit 1
-  fi
-}
-check_images(){
-  echo "[INFO] 验证已加载镜像架构"
-  local out
-  out=$(sudo nerdctl --namespace k8s.io --address /run/k3s/containerd/containerd.sock images -a --format '{{.Repository}}:{{.Tag}} {{.ID}} {{.Platform}}')
-  echo "$out"
-  if echo "$out" | awk '{print $3}' | grep -v "linux/${ARCH}" >/dev/null; then
-    echo "[ERROR] 发现非 ${ARCH} 架构镜像" >&2
-    exit 1
-  fi
-}
-
 echo "[INFO] 安装 CLI → /usr/local/bin"
 install_bin "${BIN_DIR}/k3s-${ARCH}" /usr/local/bin/k3s
 install_bin "${BIN_DIR}/helm-${ARCH}" /usr/local/bin/helm