diff --git a/pkg/curatedpackages/packagecontrollerclient.go b/pkg/curatedpackages/packagecontrollerclient.go
index 1b3381976b6b..d885becbec48 100644
--- a/pkg/curatedpackages/packagecontrollerclient.go
+++ b/pkg/curatedpackages/packagecontrollerclient.go
@@ -250,11 +250,17 @@ func (pc *PackageControllerClient) Enable(ctx context.Context) error {
 
 // UpdateSecrets is used to update the registry-mirror-cred secret used by the packages controller.
 func (pc *PackageControllerClient) UpdateSecrets(ctx context.Context, client client.Client, cluster *anywherev1.Cluster) error {
+	secretName := "registry-mirror-cred"
 	secretKey := types.NamespacedName{
 		Namespace: constants.EksaPackagesName,
-		Name:      "registry-mirror-cred",
+		Name:      secretName,
+	}
+	secret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      secretName,
+			Namespace: constants.EksaPackagesName,
+		},
 	}
-	secret := &corev1.Secret{}
 	credErr := client.Get(ctx, secretKey, secret)
 	err := fillRegistrySecret(cluster.Name, cluster.Spec.RegistryMirrorConfiguration, secret)
 	if err != nil {
@@ -272,13 +278,20 @@ func (pc *PackageControllerClient) UpdateSecrets(ctx context.Context, client cli
 func fillRegistrySecret(clusterName string, registry *anywherev1.RegistryMirrorConfiguration, secret *corev1.Secret) error {
 	caDataName := clusterName + "_ca.crt"
 	insecureDataName := clusterName + "_insecure"
+	configName := "config.json"
+	if secret.Data == nil {
+		secret.Data = make(map[string][]byte)
+	}
 	secret.Data[caDataName] = []byte(registry.CACertContent)
 	secret.Data[insecureDataName] = []byte(strconv.FormatBool(registry.InsecureSkipVerify))
 
 	dconfig := &dockerConfig{Auths: make(map[string]*dockerAuth)}
-	err := json.Unmarshal(secret.Data["config.json"], dconfig)
-	if err != nil {
-		return err
+	configData, ok := secret.Data[configName]
+	if ok {
+		err := json.Unmarshal(configData, dconfig)
+		if err != nil {
+			return err
+		}
 	}
 	username, password, err := config.ReadCredentials()
 	if err != nil {
@@ -295,7 +308,7 @@ func fillRegistrySecret(clusterName string, registry *anywherev1.RegistryMirrorC
 	if err != nil {
 		return err
 	}
-	secret.Data["config.json"] = configJSON
+	secret.Data[configName] = configJSON
 	return nil
 }
 
diff --git a/pkg/curatedpackages/packagecontrollerclient_test.go b/pkg/curatedpackages/packagecontrollerclient_test.go
index 1cde163e9651..4b3186eee650 100644
--- a/pkg/curatedpackages/packagecontrollerclient_test.go
+++ b/pkg/curatedpackages/packagecontrollerclient_test.go
@@ -873,6 +873,74 @@ func TestCreateHelmOverrideValuesYamlFail(t *testing.T) {
 	}
 }
 
+func TestUpdateSecrets(t *testing.T) {
+	tests := []struct {
+		name     string
+		unsetEnv bool
+		secret   *corev1.Secret
+		error    bool
+	}{
+		{
+			name:   "secret_not_found",
+			secret: nil,
+		},
+		{
+			name:   "secret_found",
+			secret: &corev1.Secret{},
+		},
+		{
+			name: "unmarshal_error",
+			secret: &corev1.Secret{
+				Data: map[string][]byte{
+					"config.json": nil,
+				},
+			},
+			error: true,
+		},
+		{
+			name:     "no_cred_env",
+			unsetEnv: true,
+			error:    true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+			ctx := context.Background()
+			ctrl := gomock.NewController(t)
+			k := mocks.NewMockKubectlRunner(ctrl)
+			cm := mocks.NewMockChartManager(ctrl)
+			kubeConfig := "kubeconfig.kubeconfig"
+			cluster := newReconcileTestCluster()
+			cluster.Spec.RegistryMirrorConfiguration = test.RegistryMirrorInsecureSkipVerifyEnabledAndCACert()
+			objs := []runtime.Object{cluster}
+			if tt.secret != nil {
+				tt.secret.Name = "registry-mirror-cred"
+				tt.secret.Namespace = constants.EksaPackagesName
+				objs = append(objs, tt.secret)
+			}
+			client := fake.NewClientBuilder().WithRuntimeObjects(objs...).Build()
+			pcc := curatedpackages.NewPackageControllerClient(cm, k, "test", kubeConfig, nil, nil)
+
+			os.Setenv(constants.RegistryUsername, "test")
+			os.Setenv(constants.RegistryPassword, "test")
+
+			if tt.unsetEnv {
+				os.Unsetenv(constants.RegistryUsername)
+				os.Unsetenv(constants.RegistryPassword)
+			}
+
+			err := pcc.UpdateSecrets(ctx, client, cluster)
+			if !tt.error {
+				g.Expect(err).To(BeNil())
+			} else {
+				g.Expect(err).ToNot(BeNil())
+			}
+		})
+	}
+}
+
 func TestCreateHelmOverrideValuesYamlFailWithNoWriter(t *testing.T) {
 	for _, tt := range newPackageControllerTests(t) {
 		tt.command = curatedpackages.NewPackageControllerClient(