From 9c73f9c7994a5f94ef85d2fe00445ec0393355af Mon Sep 17 00:00:00 2001 From: Kai Kummerer Date: Tue, 11 Nov 2025 11:13:40 +0100 Subject: [PATCH 1/2] fix(ske/login): add profile email to cacheKey This solves an issue where the user doesn't directly see that their current credentials are unable to access the cluster, when they have a cached and still valid kubeconfig that was retrieved with different/working credentials earlier. --- internal/cmd/ske/kubeconfig/login/login.go | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/internal/cmd/ske/kubeconfig/login/login.go b/internal/cmd/ske/kubeconfig/login/login.go index 68775aed3..409088fe3 100644 --- a/internal/cmd/ske/kubeconfig/login/login.go +++ b/internal/cmd/ske/kubeconfig/login/login.go @@ -19,6 +19,8 @@ import ( "k8s.io/client-go/rest" "github.com/stackitcloud/stackit-cli/internal/pkg/args" + "github.com/stackitcloud/stackit-cli/internal/pkg/auth" + "github.com/stackitcloud/stackit-cli/internal/pkg/config" "github.com/stackitcloud/stackit-cli/internal/pkg/examples" "github.com/stackitcloud/stackit-cli/internal/pkg/print" "github.com/stackitcloud/stackit-cli/internal/pkg/services/ske/client" @@ -150,20 +152,25 @@ func parseClusterConfig(p *print.Printer, cmd *cobra.Command) (*clusterConfig, e if execCredential == nil || execCredential.Spec.Cluster == nil { return nil, fmt.Errorf("ExecCredential contains not all needed fields") } - config := &clusterConfig{} - err = json.Unmarshal(execCredential.Spec.Cluster.Config.Raw, config) + clusterConfig := &clusterConfig{} + err = json.Unmarshal(execCredential.Spec.Cluster.Config.Raw, clusterConfig) if err != nil { return nil, fmt.Errorf("unmarshal: %w", err) } - config.cacheKey = fmt.Sprintf("ske-login-%x", sha256.Sum256([]byte(execCredential.Spec.Cluster.Server))) + profile, err := config.GetProfile() + if err != nil { + return nil, fmt.Errorf("error getting profile: %w", err) + } + + clusterConfig.cacheKey = fmt.Sprintf("ske-login-%x", sha256.Sum256([]byte(execCredential.Spec.Cluster.Server+auth.GetProfileEmail(profile)))) // NOTE: Fallback if region is not set in the kubeconfig (this was the case in the past) - if config.Region == "" { - config.Region = globalflags.Parse(p, cmd).Region + if clusterConfig.Region == "" { + clusterConfig.Region = globalflags.Parse(p, cmd).Region } - return config, nil + return clusterConfig, nil } func getCachedKubeConfig(key string) *rest.Config { From 865ddd7e95d8e567c49dd46fdfed7c205f7b7cea Mon Sep 17 00:00:00 2001 From: Kai Kummerer Date: Mon, 12 Jan 2026 12:50:17 +0100 Subject: [PATCH 2/2] some changes for review comments --- internal/cmd/ske/kubeconfig/login/login.go | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/internal/cmd/ske/kubeconfig/login/login.go b/internal/cmd/ske/kubeconfig/login/login.go index 409088fe3..711ad56bd 100644 --- a/internal/cmd/ske/kubeconfig/login/login.go +++ b/internal/cmd/ske/kubeconfig/login/login.go @@ -20,7 +20,6 @@ import ( "github.com/stackitcloud/stackit-cli/internal/pkg/args" "github.com/stackitcloud/stackit-cli/internal/pkg/auth" - "github.com/stackitcloud/stackit-cli/internal/pkg/config" "github.com/stackitcloud/stackit-cli/internal/pkg/examples" "github.com/stackitcloud/stackit-cli/internal/pkg/print" "github.com/stackitcloud/stackit-cli/internal/pkg/services/ske/client" @@ -158,12 +157,12 @@ func parseClusterConfig(p *print.Printer, cmd *cobra.Command) (*clusterConfig, e return nil, fmt.Errorf("unmarshal: %w", err) } - profile, err := config.GetProfile() + authEmail, err := auth.GetAuthEmail() if err != nil { - return nil, fmt.Errorf("error getting profile: %w", err) + return nil, fmt.Errorf("error getting auth email: %w", err) } - clusterConfig.cacheKey = fmt.Sprintf("ske-login-%x", sha256.Sum256([]byte(execCredential.Spec.Cluster.Server+auth.GetProfileEmail(profile)))) + clusterConfig.cacheKey = fmt.Sprintf("ske-login-%x", sha256.Sum256([]byte(execCredential.Spec.Cluster.Server+"\x00"+authEmail))) // NOTE: Fallback if region is not set in the kubeconfig (this was the case in the past) if clusterConfig.Region == "" {