The `cluster.helm_version.coredns` that sylva-units compute is mistakenly empty; as a result the sylva-capi-cluster generated HelmChart resource specifies no version, and the RKE2 HelmChart controller will try to take the most recent version of the coredns chart. This unpinned version is later superseded by a properly pinned version, installed by Flux helm-controller, but this remains a serious pinning violation, since a released Sylva version would possibly start to stop installing properly after sylva-core builds and pushes a new version of rke2-coredns Helm chart to the sylva-core OCI registry). This was discovered by pure chance while troubleshooting a failed deployment which was relying on a new registry caching mirror based on `zot` where the configuration wasn't letting the registry honor `.../tags/list` queries. logs of `helm-operation-xxx` pod: ``` ... 2026-06-08T17:02:15.183874467Z stderr F + helm install --namespace kube-system rke2-coredns oci://172.20.136.39:5000/proxy_cache_registry.gitlab.com/sylva-projects/sylva-core/rke2-coredns --ca-file /tmp/ca-file.pem --values /config/values-0-000-HelmChart-ValuesContent.yaml 2026-06-08T17:02:15.250955996Z stderr F Error: INSTALLATION FAILED: GET "https://172.20.136.39:5000/v2/proxy_cache_registry.gitlab.com/sylva-projects/sylva-core/rke2-coredns/tags/list": response status code 404: name unknown: repository name not known to registry: map[description:This is returned if the name used during an operation is unknown to the registry. name:proxy_cache_registry.gitlab.com/sylva-projects/sylva-core/rke2-coredns] ``` we notice that no `--version` is passed. Running the equivalent locally, we get: ``` $ helm install --namespace kube-system rke2-coredns oci://172.20.136.39/proxy_cache_registry.gitlab.com/sylva-projects/sylva-core/rke2-coredns --dry-run=client --insecure-skip-tls-verify Pulled: 172.20.136.39/proxy_cache_registry.gitlab.com/sylva-projects/sylva-core/rke2-coredns:1.45.9008_1.45.008 ... ``` (`1.45.9008_1.45.008` is the latest tag we have in sylva-core/rke2-coredns, but isn't the tag that `main` is supposed to use) As a comparison, nothing like this happens for calico: ``` 2026-06-08T16:50:05.218758726Z stderr F + helm install --namespace kube-system --version v3.31.400 rke2-calico oci://172.20.136.39:5000/proxy_cache_registry.gitlab.com/sylva-projects/sylva-core/rke2-calico --ca-file /tmp/ca-file.pem --values /config/values-1-000-HelmChartConfig-ValuesContent.yaml 2026-06-08T16:50:05.675766862Z stderr F Pulled: 172.20.136.39:5000/proxy_cache_registry.gitlab.com/sylva-projects/sylva-core/rke2-calico:v3.31.400 2026-06-08T16:50:05.67581722Z stderr F Digest: sha256:64103477b6d0472f409c4a7b409ca050545708dbcdf2246a6ef2612d172e1dca ``` The reason is simple; in sylva-units/values.yaml, we have: ```yaml cluster: #... helm_versions: # ... coredns: '{{ .Values.units.coredns.helmrelease_spec.chart.spec.version }}' ``` This was ok when this was introduced, but is now empty since this unit now uses `helm_chart_versions`. We need: ```yaml coredns: '{{ tuple . "coredns" .Values.units.coredns | include "get-helm-version" }}' ``` **Note that we also need to have stricter validation in sylva-capi-cluster, to ensure that we fail if those versions are empty.**