NO-JIRA: Fix oc builds on Mac OS X Apple Silicon machines

[tchap]

Homebrew uses a different prefix path than is hard-coded in the gssapi library.

This change sets the include path dynamically based on Homebrew, when available.

Fixes #2136

I also cleaned up the Makefile a bit in a separate commit.

[openshift-ci-robot]

@tchap: This pull request explicitly references no jira issue.

Details

In response to this:

Homebrew uses a different prefix path than is hard-coded in the gssapi library.

This change sets the include path dynamically based on Homebrew, when available.

Fixes #2136

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Consolidated Makefile Go build tag variables into a common set and introduced separate flags for normal and cross builds; updated cross-build targets to use the cross flags. Updated go.mod to replace github.com/apcera/gssapi with github.com/tchap/gssapi (new version and comment).

Changes

Cohort / File(s)	Summary
Makefile Build Configuration Makefile	Replaced per-OS GO_BUILD_FLAGS_* with GO_BUILD_TAGS_COMMON; added GO_BUILD_FLAGS (includes gssapi) and GO_BUILD_FLAGS_CROSS (excludes gssapi); updated cross-build-* targets to pass GO_BUILD_FLAGS_CROSS.
Go module replacement go.mod	Replaced github.com/apcera/gssapi replace directive to point to github.com/tchap/gssapi at v0.0.0-20260403121208-047531cb33ea and added an inline branch comment.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Assessment against linked issues

Objective	Addressed	Explanation
Fix make oc build failures on macOS 26.1 by resolving missing gss_const_name_t type in system GSSAPI headers [#2136]	❓	PR updates the gssapi module replacement, but does not modify CGO include flags or add Heimdal include path; unclear if the new module alone resolves the macOS header/type errors.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tchap
Once this PR has been reviewed and has the lgtm label, please assign ingvagabund for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Makefile`:
- Around line 47-50: The Makefile currently overwrites CGO_CFLAGS when setting
the Heimdal include path; update the assignment so it appends the brew-provided
include directory instead of replacing existing flags. Locate the
export/assignment that references CGO_CFLAGS and the Heimdal path (the line
using brew --prefix and opt/heimdal/include) and change it to append the
-I$(shell brew --prefix)/opt/heimdal/include to the existing CGO_CFLAGS value
(preserving any caller/CI-provided flags) and keep the export so CGO_CFLAGS
remains exported.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 2fadb9a2-bc1b-4bde-a702-1726062f5781

📥 Commits

Reviewing files that changed from the base of the PR and between bb4c3de and f6ccb70.

📒 Files selected for processing (1)

• Makefile

[tchap]

/retest

[ardaguclu]

I know that I resisted hard to not touch https://github.com/openshift/gssapi repository and forced you updating here.

But these changes look like either we need to simply update https://github.com/openshift/gssapi/blob/5fb4217df13b8e6878046fe1e5c10e560e1b86dc/name.go#L21 as you mentioned before or leave this issue opened rather than adding a hacky change in oc.

[tchap]

/hold

until openshift/gssapi#4 is merged. I will update the dep after.

[ardaguclu]

We can't merge openshift/gssapi#4 without verifying it works. I'd recommend replace

oc/go.mod

Line 223 in 075cd27

replace github.com/apcera/gssapi => github.com/openshift/gssapi v0.0.0-20161010215902-5fb4217df13b

with your fork&branch and get the signal from CI (to ensure that there is no regression). I'd also run all payload blocking jobs.

Lastly, we should find a way to test this on darwin/arm64. Once everything is great, we can start seeking staff engineer to merge openshift/gssapi#4 :)

[tchap]

Sure, I am gonna update this PR now to match the PR in gssapi.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Around line 223-224: The go.mod replace directive currently pointing at the
personal fork github.com/tchap/gssapi (replace github.com/apcera/gssapi =>
github.com/tchap/gssapi ...) introduces supply-chain risk; update the replace to
point to the official openshift fork (github.com/openshift/gssapi) once
openshift/gssapi#4 is merged, or add a short TODO and create/link an issue to
track migration, and ensure the replace line is removed or updated to the
released tag/commit of github.com/openshift/gssapi in go.mod (reference the
replace directive and the module name github.com/apcera/gssapi to find the
change).
- Around line 223-224: The go.mod replace directive referencing
"github.com/tchap/gssapi" is pointing to a non-public fork and will break public
builds; either confirm the fork is intentionally private and document required
access/authentication, or replace/remove the replace directive so it references
a publicly accessible module. Specifically, update the replace line in go.mod
(the "replace github.com/apcera/gssapi => github.com/tchap/gssapi
v0.0.0-...-047531cb33ea" entry) to the correct public fork/path or revert to the
upstream "github.com/apcera/gssapi", then run "go get" / "go mod tidy" to
refresh go.sum and verify builds succeed; if the private fork is required, add
documentation in the repo explaining how to authenticate and fetch that
dependency.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: d95104ee-2805-4ed3-83f2-9e1abfdcb325

📥 Commits

Reviewing files that changed from the base of the PR and between 6cde768 and bcc1b73.

⛔ Files ignored due to path filters (3)

• go.sum is excluded by !**/*.sum
• vendor/github.com/apcera/gssapi/name.go is excluded by !vendor/**, !**/vendor/**
• vendor/modules.txt is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (2)

• Makefile
• go.mod

🚧 Files skipped from review as they are similar to previous changes (1)

• Makefile

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Personal fork introduces supply chain risk.

Using github.com/tchap/gssapi (a personal fork) instead of an official OpenShift-maintained fork creates a supply chain dependency on an individual's repository. While this may be acceptable as a temporary measure (as noted in PR comments pending merge of openshift/gssapi#4), ensure there's a plan to migrate to an official fork once the upstream changes are merged.

Would you like me to open an issue to track the migration from the personal fork to the official fork after openshift/gssapi#4 is merged?

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 223 - 224, The go.mod replace directive currently
pointing at the personal fork github.com/tchap/gssapi (replace
github.com/apcera/gssapi => github.com/tchap/gssapi ...) introduces supply-chain
risk; update the replace to point to the official openshift fork
(github.com/openshift/gssapi) once openshift/gssapi#4 is merged, or add a short
TODO and create/link an issue to track migration, and ensure the replace line is
removed or updated to the released tag/commit of github.com/openshift/gssapi in
go.mod (reference the replace directive and the module name
github.com/apcera/gssapi to find the change).

---

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify the tchap/gssapi fork exists, contains Apple Silicon fixes, and check for API changes

# Check if the fork exists and has recent commits
echo "=== Checking fork existence and recent commits ==="
gh repo view tchap/gssapi --json name,description,pushedAt,defaultBranchRef

# Check for commits related to Apple Silicon or macOS
echo -e "\n=== Checking for Apple Silicon / macOS related commits ==="
gh api repos/tchap/gssapi/commits?per_page=20 | jq -r '.[] | "\(.commit.committer.date) - \(.commit.message)"' | head -20

# Compare exported Go symbols between old and new fork
echo -e "\n=== Comparing API exports between forks ==="
echo "Note: This requires both repositories to be cloned for deep comparison"
echo "Old fork: github.com/openshift/gssapi (commit from 2016)"
echo "New fork: github.com/tchap/gssapi (commit 047531cb33ea)"

# Check if the specific commit exists in the fork
echo -e "\n=== Verifying commit 047531cb33ea exists ==="
gh api repos/tchap/gssapi/commits/047531cb33ea --jq '{sha: .sha, message: .commit.message, date: .commit.committer.date}'

Repository: openshift/oc

Length of output: 799

---

🌐 Web query:

tchap/gssapi github fork apple silicon

💡 Result:

No GitHub repository named tchap/gssapi or a fork by tchap (tchapgouv organization) of any GSSAPI library was found. Tchapgouv (French government Tchap Matrix client org) has many repos like tchap-desktop, tchap-ios (Apple Silicon compatible as iOS app), tchap-web-v4, but none matching "gssapi". General GSSAPI projects support Apple Silicon: golang-auth/go-gssapi-c works on MacOS Apple Kerberos by default (no special fork needed), MacPorts gss builds on arm64, Apple provides GSS.framework. Older Tchap-related LinkedIn mentions (e.g., developers at TCHAP agency) exist but no repo link. If seeking GSSAPI for Tchap on Apple Silicon, use standard Go or C bindings as they natively support macOS ARM64.

Citations:

• 1: https://github.com/orgs/tchapgouv/repositories
• 2: https://github.com/golang-auth/go-gssapi
• 3: https://github.com/gssapi
• 4: https://github.com/golang-auth/go-gssapi-c
• 5: https://github.com/tchapgouv/tchap-ios
• 6: tchap-desktop app is damaged on Apple Silicon tchapgouv/tchap-desktop#124
• 7: https://ports.macports.org/port/gss/builds/
• 8: https://github.com/tchapgouv/tchap-identite
• 9: https://data.code.gouv.fr/hosts/GitHub/owners/tchapgouv
• 10: https://github.com/tchapgouv/tchap-web-v4

---

🏁 Script executed:

# Check the actual gssapi usage in the codebase
find . -name "negotiator_gssapi.go" -type f | head -5

Repository: openshift/oc

Length of output: 106

---

🏁 Script executed:

# Look at the full context of the replacement in go.mod around lines 223-224
cat go.mod | sed -n '215,230p'

Repository: openshift/oc

Length of output: 650

---

🏁 Script executed:

# Search for all gssapi imports and usage patterns
rg "gssapi\." -A 2 -B 1 | head -100

Repository: openshift/oc

Length of output: 5853

---

🏁 Script executed:

# Search for any references to tchap/gssapi in the codebase to understand context
rg "tchap/gssapi" -n

Repository: openshift/oc

Length of output: 663

---

🏁 Script executed:

# Check git history to see when this was added and any PR context
git log -p --all -S "tchap/gssapi" | head -100

Repository: openshift/oc

Length of output: 38

---

🏁 Script executed:

# Look for any comments or documentation about this fork
rg "extend-include-path-apple-silicon" -B 5 -A 5

Repository: openshift/oc

Length of output: 519

---

🏁 Script executed:

# Search GitHub for any fork with similar name or by searching commits
rg "047531cb33ea" .

Repository: openshift/oc

Length of output: 653

---

🏁 Script executed:

# Check if there's any documentation about where this fork comes from
find . -name "*.md" -o -name "*.txt" | xargs grep -l "tchap" 2>/dev/null | head -5

Repository: openshift/oc

Length of output: 76

---

🏁 Script executed:

# Look at PR/issue context in git branches
git branch -a | grep -i apple
git branch -a | grep -i extend

Repository: openshift/oc

Length of output: 38

---

The referenced fork github.com/tchap/gssapi is not publicly accessible on GitHub and will cause builds to fail.

A web search confirms no public tchap/gssapi repository exists under the Tchapgouv organization or any "tchap" user on GitHub. While go.sum contains hash entries indicating the dependency was resolved previously, this fork cannot be publicly resolved now, which breaks reproducibility and prevents any build from successfully fetching dependencies without private access credentials.

Before merging:

• Confirm the fork exists and is intentionally private (if so, document the requirement and authentication method).
• If the fork was deleted or the path is incorrect, use the correct, publicly accessible fork location.
• If this is experimental/WIP code, consider whether merging to a stable branch is appropriate without public fork availability.

This creates a critical supply chain and reproducibility concern regardless of API compatibility between the forks.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 223 - 224, The go.mod replace directive referencing
"github.com/tchap/gssapi" is pointing to a non-public fork and will break public
builds; either confirm the fork is intentionally private and document required
access/authentication, or replace/remove the replace directive so it references
a publicly accessible module. Specifically, update the replace line in go.mod
(the "replace github.com/apcera/gssapi => github.com/tchap/gssapi
v0.0.0-...-047531cb33ea" entry) to the correct public fork/path or revert to the
upstream "github.com/apcera/gssapi", then run "go get" / "go mod tidy" to
refresh go.sum and verify builds succeed; if the private fork is required, add
documentation in the repo explaining how to authenticate and fetch that
dependency.

[openshift-ci]

@tchap: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-agnostic-ovn-cmd	bcc1b73	link	true	/test e2e-agnostic-ovn-cmd

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.