fix(module): avoid queue blocking on invalid module config

images/hooks/pkg/hooks/discovery-clusterip-service-for-dvcr/hook.go

@@ -64,7 +64,15 @@ var configDiscoveryService = &pkg.HookConfig{
 	Queue: fmt.Sprintf("modules/%s", settings.ModuleName),
 }
 
-func handleDiscoveryService(_ context.Context, input *pkg.HookInput) error {
+func handleDiscoveryService(ctx context.Context, input *pkg.HookInput) error {
+	canRun, err := settings.CanRunWithModuleConfig(ctx, input)
+	if err != nil {
+		return err
+	}
+	if !canRun {
+		return nil
+	}
+
 	clusterIP := getClusterIP(input)
 
 	if clusterIP == "" {

images/hooks/pkg/hooks/discovery-clusterip-service-for-dvcr/hook_test.go

@@ -23,10 +23,13 @@ import (
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"github.com/tidwall/gjson"
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/deckhouse/deckhouse/pkg/log"
 	"github.com/deckhouse/module-sdk/pkg"
 	"github.com/deckhouse/module-sdk/testing/mock"
+	mcapi "github.com/deckhouse/virtualization-controller/pkg/controller/moduleconfig/api"
+	"github.com/deckhouse/virtualization/hooks/pkg/settings"
 )
 
 func TestDiscoveryClusterIPServiceForDVCR(t *testing.T) {
@@ -45,6 +48,7 @@ var _ = Describe("DiscoveryClusterIPServiceForDVCR", func() {
 		dc = mock.NewDependencyContainerMock(GinkgoT())
 		snapshots = mock.NewSnapshotsMock(GinkgoT())
 		values = mock.NewPatchableValuesCollectorMock(GinkgoT())
+		values.GetMock.When(settings.InternalValuesConfigCopyPath).Then(gjson.Result{})
 	})
 
 	AfterEach(func() {
@@ -64,6 +68,11 @@ var _ = Describe("DiscoveryClusterIPServiceForDVCR", func() {
 	}
 
 	newInput := func() *pkg.HookInput {
+		dc.GetK8sClientMock.Return(&fakeKubernetesClient{get: func(ctx context.Context, key ctrlclient.ObjectKey, obj ctrlclient.Object) error {
+			mc := obj.(*mcapi.ModuleConfig)
+			*mc = *settings.NewModuleConfigForTest(map[string]any{"dvcr": map[string]any{}, "virtualMachineCIDRs": []any{"10.0.0.0/24"}})
+			return nil
+		}}, nil)
 		return &pkg.HookInput{
 			Snapshots: snapshots,
 			Values:    values,
@@ -90,3 +99,12 @@ var _ = Describe("DiscoveryClusterIPServiceForDVCR", func() {
 		Expect(handleDiscoveryService(context.Background(), newInput())).To(Succeed())
 	})
 })
+
+type fakeKubernetesClient struct {
+	pkg.KubernetesClient
+	get func(ctx context.Context, key ctrlclient.ObjectKey, obj ctrlclient.Object) error
+}
+
+func (f *fakeKubernetesClient) Get(ctx context.Context, key ctrlclient.ObjectKey, obj ctrlclient.Object, _ ...ctrlclient.GetOption) error {
+	return f.get(ctx, key, obj)
+}

images/hooks/pkg/hooks/discovery-workload-nodes/hook.go

@@ -78,7 +78,15 @@ var configDiscoveryService = &pkg.HookConfig{
 	Queue: fmt.Sprintf("modules/%s", settings.ModuleName),
 }
 
-func handleDiscoveryNodes(_ context.Context, input *pkg.HookInput) error {
+func handleDiscoveryNodes(ctx context.Context, input *pkg.HookInput) error {
+	canRun, err := settings.CanRunWithModuleConfig(ctx, input)
+	if err != nil {
+		return err
+	}
+	if !canRun {
+		return nil
+	}
+
 	nodeCount := len(input.Snapshots.Get(discoveryNodesSnapshot))
 	input.Values.Set(virtHandlerNodeCountPath, nodeCount)
 

images/hooks/pkg/hooks/discovery-workload-nodes/hook_test.go

@@ -0,0 +1,108 @@
+/*
+Copyright 2026 Flant JSC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package discovery_workload_nodes
+
+import (
+	"context"
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	"github.com/tidwall/gjson"
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/deckhouse/deckhouse/pkg/log"
+	"github.com/deckhouse/module-sdk/pkg"
+	"github.com/deckhouse/module-sdk/testing/mock"
+	mcapi "github.com/deckhouse/virtualization-controller/pkg/controller/moduleconfig/api"
+	"github.com/deckhouse/virtualization/hooks/pkg/settings"
+)
+
+func TestDiscoveryWorkloadNodes(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "DiscoveryWorkloadNodes Suite")
+}
+
+type fakeKubernetesClient struct {
+	pkg.KubernetesClient
+	get func(ctx context.Context, key ctrlclient.ObjectKey, obj ctrlclient.Object) error
+}
+
+func (f *fakeKubernetesClient) Get(ctx context.Context, key ctrlclient.ObjectKey, obj ctrlclient.Object, _ ...ctrlclient.GetOption) error {
+	return f.get(ctx, key, obj)
+}
+
+var _ = Describe("DiscoveryWorkloadNodes", func() {
+	var (
+		dc        *mock.DependencyContainerMock
+		snapshots *mock.SnapshotsMock
+		values    *mock.OutputPatchableValuesCollectorMock
+	)
+
+	newInput := func(withModuleConfig bool) *pkg.HookInput {
+		dc.GetK8sClientMock.Return(&fakeKubernetesClient{get: func(ctx context.Context, key ctrlclient.ObjectKey, obj ctrlclient.Object) error {
+			mc := obj.(*mcapi.ModuleConfig)
+			if withModuleConfig {
+				*mc = *settings.NewModuleConfigForTest(map[string]any{"dvcr": map[string]any{}, "virtualMachineCIDRs": []any{"10.0.0.0/24"}})
+			} else {
+				*mc = *settings.NewModuleConfigForTest(nil)
+			}
+			return nil
+		}}, nil)
+		return &pkg.HookInput{
+			DC:        dc,
+			Snapshots: snapshots,
+			Values:    values,
+			Logger:    log.NewNop(),
+		}
+	}
+
+	BeforeEach(func() {
+		dc = mock.NewDependencyContainerMock(GinkgoT())
+		snapshots = mock.NewSnapshotsMock(GinkgoT())
+		values = mock.NewPatchableValuesCollectorMock(GinkgoT())
+		values.GetMock.When(settings.InternalValuesConfigCopyPath).Then(gjson.Result{})
+	})
+
+	AfterEach(func() {
+		dc = nil
+		snapshots = nil
+		values = nil
+	})
+
+	It("should do nothing when module config is incomplete", func() {
+		Expect(handleDiscoveryNodes(context.Background(), newInput(false))).To(Succeed())
+	})
+
+	It("should set node count when module config exists", func() {
+		snapshots.GetMock.When(discoveryNodesSnapshot).Then([]pkg.Snapshot{
+			mock.NewSnapshotMock(GinkgoT()),
+			mock.NewSnapshotMock(GinkgoT()),
+		})
+		snapshots.GetMock.When(kubevirtConfigSnapshot).Then([]pkg.Snapshot{})
+
+		setCalls := 0
+		values.SetMock.Set(func(path string, v any) {
+			setCalls++
+			Expect(path).To(Equal(virtHandlerNodeCountPath))
+			Expect(v).To(Equal(2))
+		})
+
+		Expect(handleDiscoveryNodes(context.Background(), newInput(true))).To(Succeed())
+		Expect(setCalls).To(Equal(1))
+	})
+})

images/hooks/pkg/hooks/generate-secret-for-dvcr/hook.go

@@ -73,7 +73,15 @@ var configDVCRSecrets = &pkg.HookConfig{
 	Queue: fmt.Sprintf("modules/%s", settings.ModuleName),
 }
 
-func handlerDVCRSecrets(_ context.Context, input *pkg.HookInput) error {
+func handlerDVCRSecrets(ctx context.Context, input *pkg.HookInput) error {
+	canRun, err := settings.CanRunWithModuleConfig(ctx, input)
+	if err != nil {
+		return err
+	}
+	if !canRun {
+		return nil
+	}
+
 	dataFromSecret, err := getDVCRSecretsFromSecrets(input)
 	if err != nil {
 		return err

images/hooks/pkg/hooks/generate-secret-for-dvcr/hook_test.go

@@ -24,10 +24,13 @@ import (
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"github.com/tidwall/gjson"
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/deckhouse/deckhouse/pkg/log"
 	"github.com/deckhouse/module-sdk/pkg"
 	"github.com/deckhouse/module-sdk/testing/mock"
+	mcapi "github.com/deckhouse/virtualization-controller/pkg/controller/moduleconfig/api"
+	"github.com/deckhouse/virtualization/hooks/pkg/settings"
 )
 
 func TestSetDVCRSecrets(t *testing.T) {
@@ -70,6 +73,11 @@ var _ = Describe("DVCR Secrets", func() {
 	}
 
 	newInput := func() *pkg.HookInput {
+		dc.GetK8sClientMock.Return(&fakeKubernetesClient{get: func(ctx context.Context, key ctrlclient.ObjectKey, obj ctrlclient.Object) error {
+			mc := obj.(*mcapi.ModuleConfig)
+			*mc = *settings.NewModuleConfigForTest(map[string]any{"dvcr": map[string]any{}, "virtualMachineCIDRs": []any{"10.0.0.0/24"}})
+			return nil
+		}}, nil)
 		return &pkg.HookInput{
 			Snapshots: snapshots,
 			Values:    values,
@@ -82,6 +90,7 @@ var _ = Describe("DVCR Secrets", func() {
 		dc = mock.NewDependencyContainerMock(GinkgoT())
 		snapshots = mock.NewSnapshotsMock(GinkgoT())
 		values = mock.NewPatchableValuesCollectorMock(GinkgoT())
+		values.GetMock.When(settings.InternalValuesConfigCopyPath).Then(gjson.Result{})
 	})
 
 	AfterEach(func() {
@@ -227,3 +236,12 @@ var _ = Describe("Generate secrets", func() {
 		Expect(validateHtpasswd(password, htpasswd)).To(BeTrue())
 	})
 })
+
+type fakeKubernetesClient struct {
+	pkg.KubernetesClient
+	get func(ctx context.Context, key ctrlclient.ObjectKey, obj ctrlclient.Object) error
+}
+
+func (f *fakeKubernetesClient) Get(ctx context.Context, key ctrlclient.ObjectKey, obj ctrlclient.Object, _ ...ctrlclient.GetOption) error {
+	return f.get(ctx, key, obj)
+}

images/hooks/pkg/hooks/tls-certificates-api-proxy/main.go

@@ -17,6 +17,7 @@ limitations under the License.
 package tls_certificates_api_proxy
 
 import (
+	"context"
 	"fmt"
 
 	v1 "k8s.io/api/certificates/v1"
@@ -26,12 +27,22 @@ import (
 	"github.com/deckhouse/virtualization/hooks/pkg/settings"
 )
 
-var _ = tlscertificate.RegisterInternalTLSHookEM(tlscertificate.GenSelfSignedTLSHookConf{
+var conf = tlscertificate.GenSelfSignedTLSHookConf{
 	CN:                   settings.APIProxyCertCN,
 	TLSSecretName:        "virtualization-api-proxy-tls",
 	Namespace:            settings.ModuleNamespace,
 	SANs:                 func(input *pkg.HookInput) []string { return []string{} },
 	FullValuesPathPrefix: fmt.Sprintf("%s.internal.apiserver.proxyCert", settings.ModuleName),
 	CommonCAValuesPath:   fmt.Sprintf("%s.internal.rootCA", settings.ModuleName),
 	Usages:               []v1.KeyUsage{v1.UsageClientAuth},
-})
+	BeforeHookCheck: func(input *pkg.HookInput) bool {
+		canRun, err := settings.CanRunWithModuleConfig(context.Background(), input)
+		if err != nil {
+			input.Logger.Error("Check module config before API proxy TLS hook", "error", err)
+			return false
+		}
+		return canRun
+	},
+}
+
+var _ = tlscertificate.RegisterInternalTLSHookEM(conf)

images/hooks/pkg/hooks/tls-certificates-api-proxy/main_test.go

@@ -0,0 +1,55 @@
+/*
+Copyright 2026 Flant JSC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tls_certificates_api_proxy
+
+import (
+	"context"
+	"testing"
+
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/deckhouse/module-sdk/pkg"
+	"github.com/deckhouse/module-sdk/testing/mock"
+	mcapi "github.com/deckhouse/virtualization-controller/pkg/controller/moduleconfig/api"
+	"github.com/deckhouse/virtualization/hooks/pkg/settings"
+)
+
+type fakeKubernetesClient struct {
+	pkg.KubernetesClient
+	get func(ctx context.Context, key ctrlclient.ObjectKey, obj ctrlclient.Object) error
+}
+
+func (f *fakeKubernetesClient) Get(ctx context.Context, key ctrlclient.ObjectKey, obj ctrlclient.Object, _ ...ctrlclient.GetOption) error {
+	return f.get(ctx, key, obj)
+}
+
+func TestBeforeHookCheckSkipsWithoutModuleConfig(t *testing.T) {
+	dc := mock.NewDependencyContainerMock(t)
+	dc.GetK8sClientMock.Return(&fakeKubernetesClient{get: func(ctx context.Context, key ctrlclient.ObjectKey, obj ctrlclient.Object) error {
+		mc := obj.(*mcapi.ModuleConfig)
+		*mc = *settings.NewModuleConfigForTest(nil)
+		return nil
+	}}, nil)
+
+	if conf.BeforeHookCheck == nil {
+		t.Fatal("expected BeforeHookCheck to be configured")
+	}
+
+	if ok := conf.BeforeHookCheck(&pkg.HookInput{DC: dc}); ok {
+		t.Fatalf("expected BeforeHookCheck to return false")
+	}
+}

images/hooks/pkg/hooks/tls-certificates-api/main.go

@@ -17,13 +17,15 @@ limitations under the License.
 package tls_certificates_api
 
 import (
+	"context"
 	"fmt"
 
 	tlscertificate "github.com/deckhouse/module-sdk/common-hooks/tls-certificate"
+	"github.com/deckhouse/module-sdk/pkg"
 	"github.com/deckhouse/virtualization/hooks/pkg/settings"
 )
 
-var _ = tlscertificate.RegisterInternalTLSHookEM(tlscertificate.GenSelfSignedTLSHookConf{
+var conf = tlscertificate.GenSelfSignedTLSHookConf{
 	CN:            settings.APICertCN,
 	TLSSecretName: "virtualization-api-tls",
 	Namespace:     settings.ModuleNamespace,
@@ -40,4 +42,14 @@ var _ = tlscertificate.RegisterInternalTLSHookEM(tlscertificate.GenSelfSignedTLS
 
 	FullValuesPathPrefix: fmt.Sprintf("%s.internal.apiserver.cert", settings.ModuleName),
 	CommonCAValuesPath:   fmt.Sprintf("%s.internal.rootCA", settings.ModuleName),
-})
+	BeforeHookCheck: func(input *pkg.HookInput) bool {
+		canRun, err := settings.CanRunWithModuleConfig(context.Background(), input)
+		if err != nil {
+			input.Logger.Error("Check module config before API TLS hook", "error", err)
+			return false
+		}
+		return canRun
+	},
+}
+
+var _ = tlscertificate.RegisterInternalTLSHookEM(conf)