openmcp-project · Diaphteiros · Oct 30, 2025 · Oct 24, 2025 · Oct 29, 2025
diff --git a/docs/libraries/clusteraccess.md b/docs/libraries/clusteraccess.md
@@ -88,6 +88,9 @@ func (c *MyController) Reconcile(ctx context.Context, req reconcile.Request) (re
 The ClusterAccess Reconciler's `SkipWorkloadCluster` method can be used during initialization to disable creation of a `ClusterRequest` for a workload cluster.
 If for some reason the `AccessRequest` resources are required, they can be retrieved via `MCPAccessRequest` and `WorkloadAccessRequest`.
 
+The ClusterAccess Reconciler remembers requests that are in deletion and won't create new resources for them. This means that `Reconcile` can safely be called at the beginning of a reconciliation that is going to delete resources and `ReconcileDelete` at the end of it, without the former one recreating resources the latter one has already removed.
+A request is considered to be 'in deletion' when `ReconcileDelete` is called for it and it stops being 'in deletion' when `ReconcileDelete` returns with a `RequeueAfter` value of zero and no error.
+
 ### ClusterAccess Reconciler - Advanced
 
 Instantiate the ClusterAccess Reconciler during controller setup and store the instance in the controller's struct.
@@ -184,6 +187,9 @@ There are four getter methods that can be called after the cluster access has be
 
 Note that not all of these methods will always return something. For example, a registration created via `ExistingCluster(...)` references a `Cluster` directly and can therefore not return a `ClusterRequest`. `Access` and `AccessRequest` will only work if either token-based access or OIDC-based access has been configured during the registration, otherwise there won't be any `AccessRequest`. Any method which cannot return the expected value due to the resource not being configured will simply return `nil` instead, without an error. The error is only returned if something goes wrong during retrieval of the resource.
 
+The ClusterAccess Reconciler remembers requests that are in deletion and won't create new resources for them. This means that `Reconcile` can safely be called at the beginning of a reconciliation that is going to delete resources and `ReconcileDelete` at the end of it, without the former one recreating resources the latter one has already removed.
+A request is considered to be 'in deletion' when `ReconcileDelete` is called for it and it stops being 'in deletion' when `ReconcileDelete` returns with a `RequeueAfter` value of zero and no error.
+
 #### Additional Data
 
 While probably not required for most cases, there might be some situations in which the generation of resources requires more information than just the `reconcile.Request`, for example if the controller fetches some kind of configuration that specifies the required access permissions. The ClusterAccess library enables this by allowing arbitrary arguments to be passed into some methods: `Reconcile`, `ReconcileDelete`, as well as the four getter methods `Access`, `AccessRequest`, `ClusterRequest`, and `Cluster` take any amount of optional arguments. Additional arguments that are passed into any of these methods will be passed to the generator functions (which have been passed into `WithTokenAccessGenerator`, `WithOIDCAccessGenerator`, and `WithNamespaceGenerator` during creation of the `ClusterRegistration`), which can use the additional information for generating the namespace or the spec for `AccessRequest` or `ClusterRequest`.