fix(calendar): remove hardcoded api key and inject via env var

[TineoC]

This PR addresses the security issue of having a hardcoded Google Calendar API key in the source code and improves the robustness of the implementation.

Changes

• Removed Hardcoded Key: The API key has been removed from static/js/calendar.js.
• Flexible Key Injection: The key is now injected into the calendar script with the following priority:
  1. HUGO_GOOGLE_CALENDAR_API_KEY environment variable.
  2. google_calendar_api_key site parameter in hugo.yaml.
• Fixed Template Bug: Replaced the Hugo js filter with jsonify | safeJS to correctly handle empty strings (previously it rendered an empty object {}, which was truthy in JS and caused 400 errors).
• Improved Debugging: Added masked logging (AIza...) in the browser console to verify which key is being used without exposing it entirely.
• Graceful Degradation: The renderCalendar function now properly detects missing keys and displays a Bootstrap alert instead of attempting a failed API call.
• Production Build Enforcement: For production builds, the build will fail if no API key is set, ensuring that we don't accidentally deploy a broken calendar.

Setup Instructions

1. Google Cloud Console (Obtain API Key)

1. Log in to the Google Cloud Console.
2. Select your project.
3. Navigate to APIs & Services > Credentials.
4. Click + CREATE CREDENTIALS and select API key.
5. Copy the generated key (should start with AIza).
6. (Recommended) Click Edit API key to add restrictions:
   • API restrictions: Select "Google Calendar API".
   • Website restrictions: Add kubernetes.dev and your Netlify preview domains.

2. Netlify Dashboard

1. Log in to your Netlify dashboard.
2. Select the kubernetes-contributor-site site.
3. Navigate to Site configuration > Environment variables.
4. Click Add a variable.
5. Key: HUGO_GOOGLE_CALENDAR_API_KEY
6. Value: Enter the valid Google API key (AIza...).
7. Click Create variable.
8. Trigger a new deploy for the changes to take effect.

Local Development

For local development, the calendar will show a placeholder message by default. To test functionality locally:

1. Obtain a valid API key.
2. Run the server with the environment variable:

   export HUGO_GOOGLE_CALENDAR_API_KEY="AIza..."
   hugo server

   Alternatively, use netlify dev if you have the CLI linked.

Closes #45

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: TineoC
Once this PR has been reviewed and has the lgtm label, please assign stmcginnis for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[TineoC]

Before merging this changes. Please follow the steps mentioned in "Production Setup Instructions (Netlify)"

[lmktfy]

Partial feedback

[lmktfy]

Why this addition?

[TineoC]

for allowing devs add their Google Calendar keys for local development. but is simpler to just use them in prod. I agree with you

[lmktfy]

Can we make the requirement conditional on whether it is a production build?

[lmktfy]

Avoid embedding CSS here

[lmktfy]

Here's how I'd do it

• Always try to fetch the value
• If not production, it doesn't matter
• If it's missing *in production", call errorf to outright fail the build

[lmktfy]

A trick: we can set eg data-isproduction on the root <html> element. But we only do that for production builds, and then client side we know if a calendar / API key is expected.

[TineoC]

like this?

<html {{ if hugo.IsProduction }}data-isproduction="true"{{ end }}>

[TineoC]

@mrbobbytables @mfahlandt @stmcginnis Who would be the best person to reach out to for providing and setting the GOOGLE_CALENDAR_API_KEY in the production environment (Netlify) of the webpage?

[jberkus]

@mrbobbytables @mfahlandt @stmcginnis Who would be the best person to reach out to for providing and setting the GOOGLE_CALENDAR_API_KEY in the production environment (Netlify) of the webpage?

@ameukam ?

[ameukam]

@mrbobbytables @mfahlandt @stmcginnis Who would be the best person to reach out to for providing and setting the GOOGLE_CALENDAR_API_KEY in the production environment (Netlify) of the webpage?

@ameukam ?

That will be @kubernetes/steering-committee which is the current admin group of the Google Workspace org we use: https://github.com/kubernetes/steering#google-workspace

[BenTheElder]

Specifically: https://github.com/kubernetes/steering#top-level-accounts

[BenTheElder]

Though steering doesn't have access to the Netlify side, just the Google Workspace.

[TineoC]

@katcosgrove @aojea @soltysh Hi! we need to set up a Google API Key for our Calendar to remove this public key for being stored in the source code.

What needs to be done?

• Create a Google Calendar key behind the K8s Google Workspace
• Store it securely in Netflify. (from our SIG the only person I know has access to it is @reylejano there could be more).

[soltysh]

This is being handled in this slack thread.

[lmktfy]

/uncc

Happy to approve this change once it's ready for that. I recommend adding a hold before asking for approval, because the unhold is easier to secure than approval.

[TineoC]

/hold

[reylejano]

The Netlify steps are done. The GOOGLE_CALENDAR_API_KEY env var is added and a deploy is triggered

[TineoC]

@reylejano could you double check the preview in netlify?

Is getting 400 error:

{
  "error": {
    "code": 400,
    "message": "API key not valid. Please pass a valid API key.",
    "errors": [
      {
        "message": "API key not valid. Please pass a valid API key.",
        "domain": "global",
        "reason": "badRequest"
      }
    ],
    "status": "INVALID_ARGUMENT",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "API_KEY_INVALID",
        "domain": "googleapis.com",
        "metadata": {
          "service": "calendar-json.googleapis.com"
        }
      },
      {
        "@type": "type.googleapis.com/google.rpc.LocalizedMessage",
        "locale": "en-US",
        "message": "API key not valid. Please pass a valid API key."
      }
    ]
  }
}

[TineoC]

#623 (comment) @reylejano my bad! the description was incorrect. The right key is: HUGO_GOOGLE_CALENDAR_API_KEY

[reylejano]

#623 (comment) @reylejano my bad! the description was incorrect. The right key is: HUGO_GOOGLE_CALENDAR_API_KEY

I changed it to the right key