Containerize baton-cloudflare-zero-trust connector #18

Draft
laurenleach wants to merge 3 commits into main from containerize-cloudflare-zero-trust

@laurenleach laurenleach commented Jan 29, 2026

Containerizes the connector following baton-databricks#35 and baton-contentful#48.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Summary by CodeRabbit

  • New Features

    • Added Cloudflare Zero Trust configuration: Account ID, API Key, API Token, and Email fields with validation and inter-field relationships; type-safe accessors for those config values.
  • Bug Fixes

    • Fixed credential selection so API Key and API Token are handled exclusively to avoid unintended overrides.
  • Chores

    • Upgraded Go toolchain and refreshed numerous dependencies for compatibility and maintenance.

- Update baton-sdk to v0.7.10
- Create pkg/config package with generated configuration
- Update main.go to use config.RunConnector API
- Update connector to use V2 interface
- Update Makefile for config generation and lambda support
- Update GitHub workflows

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@laurenleach laurenleach requested a review from a team January 29, 2026 23:16

coderabbitai bot commented Jan 29, 2026

Warning

Rate limit exceeded

@laurenleach has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 1 minutes and 15 seconds before requesting another review.

Walkthrough

Upgrades Go toolchain and dependencies (notably Baton SDK), adds a Cloudflare Zero Trust configuration module with typed accessors and field relationships, and refactors credential-selection logic to an if/else flow preventing client override.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Go Module Dependencies: `go.mod` | Bumped Go version to 1.25.2. Upgraded github.com/conductorone/baton-sdk v0.3.35→v0.7.10 and numerous indirects (e.g., gopsutil→v4, otter→v2, semver/v3, purego); adjusted transitive dependency versions. |
| Configuration Schema & Generated Accessors: `pkg/config/config.go`, `pkg/config/conf.gen.go` | Added Cloudflare Zero Trust config: fields (account-id, api-key, api-token, email), schema relationships (mutual exclusion, dependency, at-least-one), and generated type-safe accessors (GetString, GetStringSlice, GetInt, GetBool, GetStringMap) with reflection-based lookup. Review generated code and relationship rules for correctness. |
| Connector Credential Logic: `pkg/connector/connector.go` | Changed credential selection from two independent if blocks to an if/else chain so apiToken is only used when apiKey path is not taken, preventing client override; small formatting adjustments. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through go.mod with a grin so wide,
New fields sprouted where configs abide,
Tokens and keys now politely decide,
SDKs updated — I nibbled bugs aside,
Hooray! Cloudflare’s garden grows with pride 🌱

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ⚠️ Warning | The PR title 'Containerize baton-cloudflare-zero-trust connector' does not match the actual changes, which are primarily dependency updates (Go 1.25.2, baton-sdk v0.7.10) and configuration scaffolding additions. | Revise the title to reflect the actual changes, such as 'Update Go toolchain and baton-sdk, add Cloudflare Zero Trust config' or 'Upgrade dependencies and add configuration framework for Cloudflare Zero Trust'. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
pkg/connector/connector.go (1)

47-60: Guard against missing/partial credentials to avoid a nil client.

Lines 52-56 only initialize the client for valid credential paths; otherwise client stays nil and err is nil, so New returns a connector that will crash later. Consider returning a clear error when credentials are missing or incomplete.

🔧 Proposed fix
 import (
 	"context"
+	"errors"

 	"github.com/cloudflare/cloudflare-go"
 	v2 "github.com/conductorone/baton-sdk/pb/c1/connector/v2"
 	"github.com/conductorone/baton-sdk/pkg/annotations"
 	"github.com/conductorone/baton-sdk/pkg/connectorbuilder"
 )
@@
-	if apiKey != "" && email != "" {
-		client, err = cloudflare.New(apiKey, email)
-	} else if apiToken != "" {
-		client, err = cloudflare.NewWithAPIToken(apiToken)
-	}
+	if apiKey != "" || email != "" {
+		if apiKey == "" || email == "" {
+			return nil, errors.New("api-key and email must be provided together")
+		}
+		client, err = cloudflare.New(apiKey, email)
+	} else if apiToken != "" {
+		client, err = cloudflare.NewWithAPIToken(apiToken)
+	} else {
+		return nil, errors.New("missing credentials: provide api-token or api-key+email")
+	}
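Review bot: the new first branch, `if apiKey != "" || email != ""`, is entered whenever email is set, so a configuration that carries a valid api-token plus a leftover email is rejected with "api-key and email must be provided together" and the `else if apiToken != ""` path is never reached. Key the pair check on apiKey alone, or handle the email-plus-token case explicitly. The branch order also silently prefers the key pair when api-key, email and api-token are all present; if the key and the token are meant to be mutually exclusive, return an error for that combination instead of ignoring the token.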
🤖 Fix all issues with AI agents
In `@pkg/config/conf.gen.go`:
- Around line 13-15: In findFieldByTag, add a nil check for the receiver c
before calling reflect.ValueOf(c).Elem(): if c == nil return nil,false to avoid
a panic when the generated accessor is called with a nil receiver; update the
generated method (CloudflareZeroTrust.findFieldByTag) to guard early and return
a safe zero value and false when c is nil.

Comment on lines +13 to +15
func (c *CloudflareZeroTrust) findFieldByTag(tagValue string) (any, bool) {
v := reflect.ValueOf(c).Elem() // Dereference pointer to struct
t := v.Type()

⚠️ Potential issue | 🟡 Minor

Add a nil receiver guard to avoid panics in reflection.

Line 14 will panic if c is nil. Even if callers are expected to pass non-nil, a defensive guard makes generated accessors safer.

🛡️ Proposed fix (apply in generator)
 func (c *CloudflareZeroTrust) findFieldByTag(tagValue string) (any, bool) {
+	if c == nil {
+		return nil, false
+	}
 	v := reflect.ValueOf(c).Elem() // Dereference pointer to struct
 	t := v.Type()
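Review bot: the added guard answers a nil receiver with `return nil, false`, so through the `(any, bool)` result a caller cannot tell an uninitialised config pointer from a lookup that simply did not succeed, and the accessors built on this lookup would carry on with zero values. Document that contract in the generator's doc comment for findFieldByTag, and consider rejecting a nil config where it is constructed or loaded so an empty credential never reaches the client setup unnoticed.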
📝 Committable suggestion

Suggested change
func (c *CloudflareZeroTrust) findFieldByTag(tagValue string) (any, bool) {
v := reflect.ValueOf(c).Elem() // Dereference pointer to struct
t := v.Type()
func (c *CloudflareZeroTrust) findFieldByTag(tagValue string) (any, bool) {
if c == nil {
return nil, false
}
v := reflect.ValueOf(c).Elem() // Dereference pointer to struct
t := v.Type()
🤖 Prompt for AI Agents
In `@pkg/config/conf.gen.go` around lines 13 - 15, In findFieldByTag, add a nil
check for the receiver c before calling reflect.ValueOf(c).Elem(): if c == nil
return nil,false to avoid a panic when the generated accessor is called with a
nil receiver; update the generated method (CloudflareZeroTrust.findFieldByTag)
to guard early and return a safe zero value and false when c is nil.
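
The three relationship rules named in the walkthrough (mutual exclusion, dependency, at-least-one), combined with the nil-client guard raised in this review, as an added Go example that is not code from this PR or from baton-sdk. `SelectAuth`, `AuthMode` and the sentinel errors are hypothetical names, and the rule directions (api-key requires email; a stray email does not block the token path) are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// AuthMode names the credential set a configuration resolves to.
type AuthMode string

const (
	AuthAPIKey   AuthMode = "api-key+email"
	AuthAPIToken AuthMode = "api-token"
)

// Hypothetical sentinel errors, one per rule. Messages never echo secret values.
var (
	ErrConflicting    = errors.New("api-key and api-token are mutually exclusive")
	ErrIncompletePair = errors.New("api-key and email must be provided together")
	ErrNoCredentials  = errors.New("missing credentials: provide api-token or api-key+email")
)

// SelectAuth (hypothetical) decides the auth mode before any client is built,
// so a bad configuration fails at startup instead of yielding a nil client.
func SelectAuth(apiKey, email, apiToken string) (AuthMode, error) {
	switch {
	case apiKey != "" && apiToken != "": // mutual exclusion
		return "", ErrConflicting
	case apiKey != "" && email == "": // dependency (assumed: api-key requires email)
		return "", ErrIncompletePair
	case apiKey != "":
		return AuthAPIKey, nil
	case apiToken != "": // a stray email is ignored on the token path (assumption)
		return AuthAPIToken, nil
	default: // at-least-one
		return "", ErrNoCredentials
	}
}

func main() {
	// Constructed sample inputs; none are real credentials.
	cases := [][3]string{{"k", "ops@example.com", ""}, {"", "ops@example.com", "t"},
		{"k", "", ""}, {"k", "ops@example.com", "t"}, {"", "", ""}}
	for _, c := range cases {
		mode, err := SelectAuth(c[0], c[1], c[2])
		fmt.Printf("key=%t email=%t token=%t -> %q %v\n", c[0] != "", c[1] != "", c[2] != "", mode, err)
	}
}
```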

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@go.mod`:
- Line 3: The CI test job is hardcoded to Go 1.23.x causing a mismatch with
go.mod (go 1.25.2); edit the test job's Install Go step (the "test" job and its
"Install Go" step in ci.yaml) and replace the go-version: 1.23.x setting with
go-version-file: 'go.mod' so the action reads the Go version from go.mod and
aligns the pipeline versions.

module github.com/conductorone/baton-cloudflare-zero-trust

go 1.23.4
go 1.25.2

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Search for Go version references in configs
rg -n -C 2 'go 1\.25\.2|GOLANG_VERSION|golang:1\.25|1\.25\.2|go 1\.|Go version' --type=toml --type=yaml --type=dockerfile --type=sh .

Repository: ConductorOne/baton-cloudflare-zero-trust

Length of output: 118


🏁 Script executed:

#!/bin/bash
# Also look for CI workflow files
fd -e yaml -e yml . .github/workflows 2>/dev/null | head -20

Repository: ConductorOne/baton-cloudflare-zero-trust

Length of output: 187


🏁 Script executed:

#!/bin/bash
# Check for Dockerfiles
fd -i dockerfile . | head -20

Repository: ConductorOne/baton-cloudflare-zero-trust

Length of output: 193


🏁 Script executed:

#!/bin/bash
# Check for any build/CI related files
find . -maxdepth 3 -type f \( -name ".gitlab-ci.yml" -o -name "*.mk" -o -name "Makefile" -o -name "tox.ini" -o -name ".travis.yml" \) 2>/dev/null

Repository: ConductorOne/baton-cloudflare-zero-trust

Length of output: 94


🏁 Script executed:

cat .github/workflows/ci.yaml

Repository: ConductorOne/baton-cloudflare-zero-trust

Length of output: 2312


🏁 Script executed:

cat .github/workflows/release.yaml

Repository: ConductorOne/baton-cloudflare-zero-trust

Length of output: 720


🏁 Script executed:

cat .github/workflows/capabilities_and_config.yaml

Repository: ConductorOne/baton-cloudflare-zero-trust

Length of output: 1129


🏁 Script executed:

cat Makefile

Repository: ConductorOne/baton-cloudflare-zero-trust

Length of output: 963


🏁 Script executed:

# Check if there's any docker-compose or other container config
fd -i docker-compose . --maxdepth 2

Repository: ConductorOne/baton-cloudflare-zero-trust

Length of output: 66


Update test job in ci.yaml to use Go 1.25.2 from go.mod.

The test job hardcodes go-version: 1.23.x while other CI jobs and go.mod specify 1.25.2. This version mismatch can cause build inconsistencies. Update it to go-version-file: 'go.mod' to align with the rest of the pipeline.

ci.yaml test job (line ~39)
test:
  runs-on: ubuntu-latest
  steps:
    - name: Install Go
      uses: actions/setup-go@v5
      with:
        go-version: 1.23.x  # Change to: go-version-file: 'go.mod'
🤖 Prompt for AI Agents
In `@go.mod` at line 3, The CI test job is hardcoded to Go 1.23.x causing a
mismatch with go.mod (go 1.25.2); edit the test job's Install Go step (the
"test" job and its "Install Go" step in ci.yaml) and replace the go-version:
1.23.x setting with go-version-file: 'go.mod' so the action reads the Go version
from go.mod and aligns the pipeline versions.

@jugonzalez12 jugonzalez12 left a comment

CI workflow go versions seem to be in a weird state, but this otherwise looks good

- Updated main.go to use config.RunConnector instead of DefineConfiguration
- Updated connector.New signature to accept config and opts parameters
- Updated all resource syncers (users, groups, roles, members) to use V2 interface with SyncOpAttrs and SyncOpResults
- Ran go mod tidy and go mod vendor to update dependencies

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@laurenleach laurenleach marked this pull request as draft February 3, 2026 20:08