fix(calendar): remove hardcoded api key and inject via env var #623
TineoC wants to merge 6 commits into kubernetes:master from
[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: TineoC

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
71e96f0 to eefacc4
Before merging these changes, please follow the steps mentioned in "Production Setup Instructions (Netlify)".
- Removes the hardcoded Google Calendar API key from JS.
- Injects the key via 'GOOGLE_CALENDAR_API_KEY' environment variable.
- Adds a fallback to 'site.Params.google_calendar_api_key' in hugo.yaml.
- Sets a default 'PLACEHOLDER_VALUE' in hugo.yaml.
- Implements graceful degradation: if the key is missing or is the placeholder, the calendar displays a 'not available' message instead of crashing.
b315ccc to 6b4e71d
hugo.yaml
Outdated
|
|
||
| # Everything below this are Site Params | ||
| params: | ||
| google_calendar_api_key: 'PLACEHOLDER_VALUE' |
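Review bot: `google_calendar_api_key: 'PLACEHOLDER_VALUE'` under `params:` commits a sentinel string that every consumer then has to recognise by exact comparison, and it gives contributors a slot in a tracked file where a real key can end up pasted and committed. Suggest dropping the param (or leaving it empty) and documenting the environment variable instead, so a missing key is just an empty value and nothing key-shaped lives in `hugo.yaml`.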
For allowing devs to add their Google Calendar keys for local development, but it is simpler to just use them in prod. I agree with you.
layouts/calendar/baseof.html
Outdated
| <script src='{{ .Site.BaseURL }}/js/calendar.js'></script> | ||
| <script> | ||
| renderCalendar(); | ||
| {{ $apiKey := getenv "HUGO_GOOGLE_CALENDAR_API_KEY" | default .Site.Params.google_calendar_api_key | default "" }} |
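Review bot: the `getenv "HUGO_GOOGLE_CALENDAR_API_KEY"` call reads a different name from the `GOOGLE_CALENDAR_API_KEY` given in the commit message and the setup instructions. Hugo's default security policy only lets `getenv` read variables matching `^HUGO_` (plus `CI`), so the prefixed name is the right one for the template; the documentation should be changed to match, otherwise a variable set under the documented name is never seen and the value falls through to `.Site.Params.google_calendar_api_key`. Since the value is emitted inside this `<script>`, it is still public in the built page, so the description should also ask for an HTTP referrer and API restriction on the key itself.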
Can we make the requirement conditional on whether it is a production build?
static/js/calendar.js
Outdated
|
|
||
| if (!apiKey || apiKey === 'PLACEHOLDER_VALUE') { | ||
| console.warn('Google Calendar API key is missing. Calendar will not render.'); | ||
| calendarEl.innerHTML = '<div style="padding: 20px; border: 1px solid #ccc; background: #f9f9f9; text-align: center;">Community Calendar is not available in this environment (missing API Key).</div>'; |
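Review bot: the `calendarEl.innerHTML = '<div style=...'` assignment is safe only because the string is a constant. Building the node with `createElement` and `textContent`, and moving the styling to a CSS class, removes an HTML sink that a later edit could start interpolating into and keeps the page compatible with a Content-Security-Policy that disallows inline styles. The `'PLACEHOLDER_VALUE'` literal in the condition also duplicates the value in `hugo.yaml`, so the two can drift apart.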
- Removed the placeholder value for the Google Calendar API key from hugo.yaml.
- Modified the JavaScript in baseof.html to conditionally render the calendar based on the production environment, ensuring that the API key is only used in production and defaults to an empty string otherwise.
- Removed the check for the placeholder value in the Google Calendar API key validation.
layouts/calendar/baseof.html
Outdated
| <script> | ||
| renderCalendar(); | ||
| {{ if hugo.IsProduction }} | ||
| {{ $apiKey := getenv "HUGO_GOOGLE_CALENDAR_API_KEY" | default "" }} |
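Review bot: `$apiKey` is declared with `:=` inside the `{{ if hugo.IsProduction }}` block, so it goes out of scope at the matching `{{ end }}` and cannot be referenced by anything after it. Declare it once before the `if` and use the block only to validate it. The `| default ""` is also a no-op here, since `getenv` already returns an empty string for an unset variable.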
Here's how I'd do it
- Always try to fetch the value
- If not production, it doesn't matter
- If it's missing *in production*, call `errorf` to outright fail the build
| document.addEventListener('DOMContentLoaded', function() { | ||
| var calendarEl = document.getElementById('calendar'); | ||
|
|
||
| if (!calendarEl) { |
A trick: we can set eg data-isproduction on the root <html> element. But we only do that for production builds, and then client side we know if a calendar / API key is expected.
like this?
`<html {{ if hugo.IsProduction }}data-isproduction="true"{{ end }}>`

- Added a check for the presence of the Google Calendar API key in production environments, ensuring that an error is logged if it is missing.
- Updated the JavaScript to differentiate between production and non-production warnings for the missing API key.
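The client-side behaviour this thread settles on (a `data-isproduction` marker on `<html>`, an error in production and a warning elsewhere when the key is missing), as an added example that is not the PR's code. `initCalendar`, `calendarKeyStatus`, the `calendar-unavailable` class and passing the key in as an argument are assumptions made for illustration.

```javascript
// Added example, not the PR's code. Assumes production builds set
// data-isproduction="true" on <html> and the template passes the key in.
const MISSING_KEY_TEXT =
  'Community Calendar is not available in this environment (missing API Key).';

// Pure decision: should we render, and how loudly do we report a missing key?
function calendarKeyStatus(isProduction, apiKey) {
  const key = typeof apiKey === 'string' ? apiKey.trim() : '';
  if (key) return { render: true, level: null, message: null };
  return isProduction
    ? { render: false, level: 'error',
        message: 'Google Calendar API key missing in a production build.' }
    : { render: false, level: 'warn',
        message: 'Google Calendar API key not set; calendar disabled locally.' };
}

// doc is a Document (or a stub with the same members); log defaults to console.
function initCalendar(doc, apiKey, log = console) {
  const calendarEl = doc.getElementById('calendar');
  if (!calendarEl) return 'no-element';

  // The attribute exists only on production builds, so absence means "dev".
  const isProduction = doc.documentElement.dataset.isproduction === 'true';
  const status = calendarKeyStatus(isProduction, apiKey);

  if (!status.render) {
    log[status.level](status.message);        // the key itself is never logged
    const note = doc.createElement('div');
    note.className = 'calendar-unavailable';  // styled from CSS, not inline
    note.textContent = MISSING_KEY_TEXT;      // text node, no HTML parsing
    calendarEl.replaceChildren(note);
    return status.level;
  }
  return 'render'; // caller goes on to build the calendar with apiKey
}
```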
@mrbobbytables @mfahlandt @stmcginnis Who would be the best person to reach out to for providing and setting the
@ameukam ?
That will be @kubernetes/steering-committee which is the current admin group of the Google Workspace org we use: https://github.com/kubernetes/steering#google-workspace
Though steering doesn't have access to the Netlify side, just the Google Workspace.
This PR addresses the security issue of having a hardcoded Google Calendar API key in the source code.
Changes
- `static/js/calendar.js`.
- `GOOGLE_CALENDAR_API_KEY` environment variable in `layouts/calendar/baseof.html`.
- `renderCalendar` function now checks if the key is valid. If it's missing or set to the default `PLACEHOLDER_VALUE`, it displays a user-friendly "Community Calendar is not available" message instead of crashing or showing a console error.
- `google_calendar_api_key: 'PLACEHOLDER_VALUE'` to `hugo.yaml` to serve as a default and documentation.

Production Setup Instructions (Netlify)
To ensure the calendar works in the production environment, follow these steps:
- `GOOGLE_CALENDAR_API_KEY`

Local Development
For local development, the calendar will show a placeholder message by default. To test the calendar functionality locally:
Closes #45