From e6b5f0b7f1fee753a36d543de24fe0392231d07a Mon Sep 17 00:00:00 2001
From: Kai Kummerer <kai.kummerer@stackit.cloud>
Date: Tue, 11 Nov 2025 11:13:40 +0100
Subject: [PATCH] fix(ske/login): add profile email to cacheKey

This solves an issue where the user doesn't directly see that their
current credentials are unable to access the cluster, when they have a
cached and still valid kubeconfig that was retrieved with
different/working credentials earlier.
---
 internal/cmd/ske/kubeconfig/login/login.go | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/internal/cmd/ske/kubeconfig/login/login.go b/internal/cmd/ske/kubeconfig/login/login.go
index e51f69c63..2aa6f8d60 100644
--- a/internal/cmd/ske/kubeconfig/login/login.go
+++ b/internal/cmd/ske/kubeconfig/login/login.go
@@ -18,6 +18,8 @@ import (
 	"k8s.io/client-go/rest"
 
 	"github.com/stackitcloud/stackit-cli/internal/pkg/args"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/auth"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/config"
 	"github.com/stackitcloud/stackit-cli/internal/pkg/examples"
 	"github.com/stackitcloud/stackit-cli/internal/pkg/print"
 	"github.com/stackitcloud/stackit-cli/internal/pkg/services/ske/client"
@@ -149,20 +151,25 @@ func parseClusterConfig(p *print.Printer, cmd *cobra.Command) (*clusterConfig, e
 	if execCredential == nil || execCredential.Spec.Cluster == nil {
 		return nil, fmt.Errorf("ExecCredential contains not all needed fields")
 	}
-	config := &clusterConfig{}
-	err = json.Unmarshal(execCredential.Spec.Cluster.Config.Raw, config)
+	clusterConfig := &clusterConfig{}
+	err = json.Unmarshal(execCredential.Spec.Cluster.Config.Raw, clusterConfig)
 	if err != nil {
 		return nil, fmt.Errorf("unmarshal: %w", err)
 	}
 
-	config.cacheKey = fmt.Sprintf("ske-login-%x", sha256.Sum256([]byte(execCredential.Spec.Cluster.Server)))
+	profile, err := config.GetProfile()
+	if err != nil {
+		return nil, fmt.Errorf("error getting profile: %w", err)
+	}
+
+	clusterConfig.cacheKey = fmt.Sprintf("ske-login-%x", sha256.Sum256([]byte(execCredential.Spec.Cluster.Server+auth.GetProfileEmail(profile))))
 
 	// NOTE: Fallback if region is not set in the kubeconfig (this was the case in the past)
-	if config.Region == "" {
-		config.Region = globalflags.Parse(p, cmd).Region
+	if clusterConfig.Region == "" {
+		clusterConfig.Region = globalflags.Parse(p, cmd).Region
 	}
 
-	return config, nil
+	return clusterConfig, nil
 }
 
 func getCachedKubeConfig(key string) *rest.Config {