diff --git a/config/manifest/eksa-components.yaml b/config/manifest/eksa-components.yaml
index f7fe0c2459f4..6b287f2203f2 100644
--- a/config/manifest/eksa-components.yaml
+++ b/config/manifest/eksa-components.yaml
@@ -7140,6 +7140,7 @@ rules:
   - delete
   - get
   - list
+  - patch
   - update
   - watch
 - apiGroups:
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index f5b81ea51e36..c678596cc00b 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -54,6 +54,7 @@ rules:
   - delete
   - get
   - list
+  - patch
   - update
   - watch
 - apiGroups:
diff --git a/controllers/cluster_controller.go b/controllers/cluster_controller.go
index 11af51efe2fd..0a3612e0b074 100644
--- a/controllers/cluster_controller.go
+++ b/controllers/cluster_controller.go
@@ -170,7 +170,7 @@ func (r *ClusterReconciler) SetupWithManager(mgr ctrl.Manager, log logr.Logger)
 }
 
 // +kubebuilder:rbac:groups="",resources=events,verbs=create;patch;update
-// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;delete;update
+// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;delete;update;patch
 // +kubebuilder:rbac:groups="",namespace=eksa-system,resources=secrets,verbs=patch;update
 // +kubebuilder:rbac:groups="",resources=namespaces,verbs=create;delete
 // +kubebuilder:rbac:groups="",resources=nodes,verbs=list
diff --git a/pkg/curatedpackages/packagecontrollerclient.go b/pkg/curatedpackages/packagecontrollerclient.go
index b2deb0813e44..6d8e886ce7b6 100644
--- a/pkg/curatedpackages/packagecontrollerclient.go
+++ b/pkg/curatedpackages/packagecontrollerclient.go
@@ -310,9 +310,11 @@ func (pc *PackageControllerClient) generateHelmOverrideValues() ([]byte, error)
 	endpoint, username, password, caCertContent, insecureSkipVerify := "", defaultRegistryMirrorUsername, defaultRegistryMirrorPassword, "", "false"
 	if pc.registryMirror != nil {
 		endpoint = pc.registryMirror.BaseRegistry
-		username, password, err = config.ReadCredentials()
-		if err != nil {
-			return []byte{}, err
+		if pc.registryMirror.Auth {
+			username, password, err = config.ReadCredentials()
+			if err != nil {
+				return []byte{}, err
+			}
 		}
 		caCertContent = pc.registryMirror.CACertContent
 		if pc.registryMirror.InsecureSkipVerify {