deckhouse · LopatinDmitr · Apr 20, 2026 · Apr 21, 2026
@@ -102,7 +102,7 @@ func handle(values gjson.Result) error {
 	if validationObj.IsObject() {
 		validationErr := validationObj.Get("error")
 		if validationErr.Exists() {
-			return fmt.Errorf(validationErr.String())
+			return fmt.Errorf("%s", validationErr.String())
 		}
 	}
 	return nil

@@ -65,7 +65,15 @@ var configDiscoveryService = &pkg.HookConfig{
 	Queue: fmt.Sprintf("modules/%s", settings.ModuleName),
 }
 
-func handleDiscoveryService(_ context.Context, input *pkg.HookInput) error {
+func handleDiscoveryService(ctx context.Context, input *pkg.HookInput) error {
+	hasModuleConfig, err := settings.HasModuleConfig(ctx, input)
+	if err != nil {
+		return err
+	}
+	if !hasModuleConfig {
+		return nil
+	}
+
 	clusterIP := getClusterIP(input)
 
 	if clusterIP == "" {

@@ -23,10 +23,14 @@ import (
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"github.com/tidwall/gjson"
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
+
+	"hooks/pkg/settings"
 
 	"github.com/deckhouse/deckhouse/pkg/log"
 	"github.com/deckhouse/module-sdk/pkg"
 	"github.com/deckhouse/module-sdk/testing/mock"
+	mcapi "github.com/deckhouse/virtualization-controller/pkg/controller/moduleconfig/api"
 )
 
 func TestDiscoveryClusterIPServiceForDVCR(t *testing.T) {
@@ -64,6 +68,11 @@ var _ = Describe("DiscoveryClusterIPServiceForDVCR", func() {
 	}
 
 	newInput := func() *pkg.HookInput {
+		dc.GetK8sClientMock.Return(&fakeKubernetesClient{get: func(ctx context.Context, key ctrlclient.ObjectKey, obj ctrlclient.Object) error {
+			mc := obj.(*mcapi.ModuleConfig)
+			*mc = *settings.NewModuleConfigForTest(map[string]any{"dvcr": map[string]any{}, "virtualMachineCIDRs": []any{"10.0.0.0/24"}})
+			return nil
+		}}, nil)
 		return &pkg.HookInput{
 			Snapshots: snapshots,
 			Values:    values,
@@ -90,3 +99,12 @@ var _ = Describe("DiscoveryClusterIPServiceForDVCR", func() {
 		Expect(handleDiscoveryService(context.Background(), newInput())).To(Succeed())
 	})
 })
+
+type fakeKubernetesClient struct {
+	pkg.KubernetesClient
+	get func(ctx context.Context, key ctrlclient.ObjectKey, obj ctrlclient.Object) error
+}
+
+func (f *fakeKubernetesClient) Get(ctx context.Context, key ctrlclient.ObjectKey, obj ctrlclient.Object, _ ...ctrlclient.GetOption) error {
+	return f.get(ctx, key, obj)
+}
@@ -80,7 +80,15 @@ var configDiscoveryService = &pkg.HookConfig{
 	Queue: fmt.Sprintf("modules/%s", settings.ModuleName),
 }
 
-func handleDiscoveryNodes(_ context.Context, input *pkg.HookInput) error {
+func handleDiscoveryNodes(ctx context.Context, input *pkg.HookInput) error {
+	hasModuleConfig, err := settings.HasModuleConfig(ctx, input)
+	if err != nil {
+		return err
+	}
+	if !hasModuleConfig {
+		return nil
+	}
+
 	nodeCount := len(input.Snapshots.Get(discoveryNodesSnapshot))
 	input.Values.Set(virtHandlerNodeCountPath, nodeCount)
 

@@ -0,0 +1,107 @@
+/*
+Copyright 2026 Flant JSC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package discovery_workload_nodes
+
+import (
+	"context"
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
+
+	"hooks/pkg/settings"
+
+	"github.com/deckhouse/deckhouse/pkg/log"
+	"github.com/deckhouse/module-sdk/pkg"
+	"github.com/deckhouse/module-sdk/testing/mock"
+	mcapi "github.com/deckhouse/virtualization-controller/pkg/controller/moduleconfig/api"
+)
+
+func TestDiscoveryWorkloadNodes(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "DiscoveryWorkloadNodes Suite")
+}
+
+type fakeKubernetesClient struct {
+	pkg.KubernetesClient
+	get func(ctx context.Context, key ctrlclient.ObjectKey, obj ctrlclient.Object) error
+}
+
+func (f *fakeKubernetesClient) Get(ctx context.Context, key ctrlclient.ObjectKey, obj ctrlclient.Object, _ ...ctrlclient.GetOption) error {
+	return f.get(ctx, key, obj)
+}
+
+var _ = Describe("DiscoveryWorkloadNodes", func() {
+	var (
+		dc        *mock.DependencyContainerMock
+		snapshots *mock.SnapshotsMock
+		values    *mock.OutputPatchableValuesCollectorMock
+	)
+
+	newInput := func(withModuleConfig bool) *pkg.HookInput {
+		dc.GetK8sClientMock.Return(&fakeKubernetesClient{get: func(ctx context.Context, key ctrlclient.ObjectKey, obj ctrlclient.Object) error {
+			mc := obj.(*mcapi.ModuleConfig)
+			if withModuleConfig {
+				*mc = *settings.NewModuleConfigForTest(map[string]any{"dvcr": map[string]any{}, "virtualMachineCIDRs": []any{"10.0.0.0/24"}})
+			} else {
+				*mc = *settings.NewModuleConfigForTest(nil)
+			}
+			return nil
+		}}, nil)
+		return &pkg.HookInput{
+			DC:        dc,
+			Snapshots: snapshots,
+			Values:    values,
+			Logger:    log.NewNop(),
+		}
+	}
+
+	BeforeEach(func() {
+		dc = mock.NewDependencyContainerMock(GinkgoT())
+		snapshots = mock.NewSnapshotsMock(GinkgoT())
+		values = mock.NewPatchableValuesCollectorMock(GinkgoT())
+	})
+
+	AfterEach(func() {
+		dc = nil
+		snapshots = nil
+		values = nil
+	})
+
+	It("should do nothing when module config is incomplete", func() {
+		Expect(handleDiscoveryNodes(context.Background(), newInput(false))).To(Succeed())
+	})
+
+	It("should set node count when module config exists", func() {
+		snapshots.GetMock.When(discoveryNodesSnapshot).Then([]pkg.Snapshot{
+			mock.NewSnapshotMock(GinkgoT()),
+			mock.NewSnapshotMock(GinkgoT()),
+		})
+		snapshots.GetMock.When(kubevirtConfigSnapshot).Then([]pkg.Snapshot{})
+
+		setCalls := 0
+		values.SetMock.Set(func(path string, v any) {
+			setCalls++
+			Expect(path).To(Equal(virtHandlerNodeCountPath))
+			Expect(v).To(Equal(2))
+		})
+
+		Expect(handleDiscoveryNodes(context.Background(), newInput(true))).To(Succeed())
+		Expect(setCalls).To(Equal(1))
+	})
+})
@@ -74,7 +74,15 @@ var configDVCRSecrets = &pkg.HookConfig{
 	Queue: fmt.Sprintf("modules/%s", settings.ModuleName),
 }
 
-func handlerDVCRSecrets(_ context.Context, input *pkg.HookInput) error {
+func handlerDVCRSecrets(ctx context.Context, input *pkg.HookInput) error {
+	hasModuleConfig, err := settings.HasModuleConfig(ctx, input)
+	if err != nil {
+		return err
+	}
+	if !hasModuleConfig {
+		return nil
+	}
+
 	dataFromSecret, err := getDVCRSecretsFromSecrets(input)
 	if err != nil {
 		return err

@@ -24,10 +24,14 @@ import (
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"github.com/tidwall/gjson"
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
+
+	"hooks/pkg/settings"
 
 	"github.com/deckhouse/deckhouse/pkg/log"
 	"github.com/deckhouse/module-sdk/pkg"
 	"github.com/deckhouse/module-sdk/testing/mock"
+	mcapi "github.com/deckhouse/virtualization-controller/pkg/controller/moduleconfig/api"
 )
 
 func TestSetDVCRSecrets(t *testing.T) {
@@ -70,6 +74,11 @@ var _ = Describe("DVCR Secrets", func() {
 	}
 
 	newInput := func() *pkg.HookInput {
+		dc.GetK8sClientMock.Return(&fakeKubernetesClient{get: func(ctx context.Context, key ctrlclient.ObjectKey, obj ctrlclient.Object) error {
+			mc := obj.(*mcapi.ModuleConfig)
+			*mc = *settings.NewModuleConfigForTest(map[string]any{"dvcr": map[string]any{}, "virtualMachineCIDRs": []any{"10.0.0.0/24"}})
+			return nil
+		}}, nil)
 		return &pkg.HookInput{
 			Snapshots: snapshots,
 			Values:    values,
@@ -227,3 +236,12 @@ var _ = Describe("Generate secrets", func() {
 		Expect(validateHtpasswd(password, htpasswd)).To(BeTrue())
 	})
 })
+
+type fakeKubernetesClient struct {
+	pkg.KubernetesClient
+	get func(ctx context.Context, key ctrlclient.ObjectKey, obj ctrlclient.Object) error
+}
+
+func (f *fakeKubernetesClient) Get(ctx context.Context, key ctrlclient.ObjectKey, obj ctrlclient.Object, _ ...ctrlclient.GetOption) error {
+	return f.get(ctx, key, obj)
+}
@@ -14,6 +14,7 @@ limitations under the License.
 package tls_certificates_api_proxy
 
 import (
+	"context"
 	"fmt"
 
 	"hooks/pkg/settings"
@@ -22,14 +23,31 @@ import (
 
 	tlscertificate "github.com/deckhouse/module-sdk/common-hooks/tls-certificate"
 	"github.com/deckhouse/module-sdk/pkg"
+	"github.com/deckhouse/module-sdk/pkg/registry"
 )
 
-var _ = tlscertificate.RegisterInternalTLSHookEM(tlscertificate.GenSelfSignedTLSHookConf{
+var conf = tlscertificate.GenSelfSignedTLSHookConf{
 	CN:                   settings.APIProxyCertCN,
 	TLSSecretName:        "virtualization-api-proxy-tls",
 	Namespace:            settings.ModuleNamespace,
 	SANs:                 func(input *pkg.HookInput) []string { return []string{} },
 	FullValuesPathPrefix: fmt.Sprintf("%s.internal.apiserver.proxyCert", settings.ModuleName),
 	CommonCAValuesPath:   fmt.Sprintf("%s.internal.rootCA", settings.ModuleName),
 	Usages:               []v1.KeyUsage{v1.UsageClientAuth},
-})
+}
+
+var reconcile = func(conf tlscertificate.GenSelfSignedTLSHookConf) pkg.ReconcileFunc {
+	return func(ctx context.Context, input *pkg.HookInput) error {
+		hasModuleConfig, err := settings.HasModuleConfig(ctx, input)
+		if err != nil {
+			return err
+		}
+		if !hasModuleConfig {
+			return nil
+		}
+
+		return tlscertificate.GenSelfSignedTLS(conf)(ctx, input)
+	}
+}
+
+var _ = registry.RegisterFunc(tlscertificate.GenSelfSignedTLSConfig(conf), reconcile(conf))
@@ -0,0 +1,52 @@
+/*
+Copyright 2026 Flant JSC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tls_certificates_api_proxy
+
+import (
+	"context"
+	"testing"
+
+	"hooks/pkg/settings"
+
+	"github.com/deckhouse/module-sdk/pkg"
+	"github.com/deckhouse/module-sdk/testing/mock"
+	mcapi "github.com/deckhouse/virtualization-controller/pkg/controller/moduleconfig/api"
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+type fakeKubernetesClient struct {
+	pkg.KubernetesClient
+	get func(ctx context.Context, key ctrlclient.ObjectKey, obj ctrlclient.Object) error
+}
+
+func (f *fakeKubernetesClient) Get(ctx context.Context, key ctrlclient.ObjectKey, obj ctrlclient.Object, _ ...ctrlclient.GetOption) error {
+	return f.get(ctx, key, obj)
+}
+
+func TestReconcileSkipsWithoutModuleConfig(t *testing.T) {
+	dc := mock.NewDependencyContainerMock(t)
+	dc.GetK8sClientMock.Return(&fakeKubernetesClient{get: func(ctx context.Context, key ctrlclient.ObjectKey, obj ctrlclient.Object) error {
+		mc := obj.(*mcapi.ModuleConfig)
+		*mc = *settings.NewModuleConfigForTest(nil)
+		return nil
+	}}, nil)
+
+	input := &pkg.HookInput{DC: dc}
+	if err := reconcile(conf)(context.Background(), input); err != nil {
+		t.Fatalf("expected nil error, got %v", err)
+	}
+}
@@ -16,14 +16,17 @@ limitations under the License.
 package tls_certificates_api
 
 import (
+	"context"
 	"fmt"
 
 	"hooks/pkg/settings"
 
 	tlscertificate "github.com/deckhouse/module-sdk/common-hooks/tls-certificate"
+	"github.com/deckhouse/module-sdk/pkg"
+	"github.com/deckhouse/module-sdk/pkg/registry"
 )
 
-var _ = tlscertificate.RegisterInternalTLSHookEM(tlscertificate.GenSelfSignedTLSHookConf{
+var conf = tlscertificate.GenSelfSignedTLSHookConf{
 	CN:            settings.APICertCN,
 	TLSSecretName: "virtualization-api-tls",
 	Namespace:     settings.ModuleNamespace,
@@ -40,4 +43,20 @@ var _ = tlscertificate.RegisterInternalTLSHookEM(tlscertificate.GenSelfSignedTLS
 
 	FullValuesPathPrefix: fmt.Sprintf("%s.internal.apiserver.cert", settings.ModuleName),
 	CommonCAValuesPath:   fmt.Sprintf("%s.internal.rootCA", settings.ModuleName),
-})
+}
+
+var reconcile = func(conf tlscertificate.GenSelfSignedTLSHookConf) pkg.ReconcileFunc {
+	return func(ctx context.Context, input *pkg.HookInput) error {
+		hasModuleConfig, err := settings.HasModuleConfig(ctx, input)
+		if err != nil {
+			return err
+		}
+		if !hasModuleConfig {
+			return nil
+		}
+
+		return tlscertificate.GenSelfSignedTLS(conf)(ctx, input)
+	}
+}
+
+var _ = registry.RegisterFunc(tlscertificate.GenSelfSignedTLSConfig(conf), reconcile(conf))