diff --git a/config/manifest/eksa-components.yaml b/config/manifest/eksa-components.yaml
index eee951c8dd087..3bc14d57cf356 100644
--- a/config/manifest/eksa-components.yaml
+++ b/config/manifest/eksa-components.yaml
@@ -6005,6 +6005,17 @@ rules:
   - delete
   - update
   - create
+- apiGroups:
+  - packages.eks.amazonaws.com
+  resources:
+  - packagebundlecontrollers
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - watch
+  - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
diff --git a/controllers/cluster_controller.go b/controllers/cluster_controller.go
index d115573f65183..53f3b8dbc120d 100644
--- a/controllers/cluster_controller.go
+++ b/controllers/cluster_controller.go
@@ -335,13 +335,16 @@ func (r *ClusterReconciler) enablePackagesForWorkloadCluster(ctx context.Context
 
 	rm := registrymirror.FromCluster(cluster)
 	var options []curatedpackages.PackageControllerClientOpt
-	r.packageControllerClient.EnableCuratedPackagesFullLifecycle(ctx,
+	err = r.packageControllerClient.EnableCuratedPackagesFullLifecycle(ctx,
 		cluster.Name,
 		f.Name(),
 		image,
 		rm,
 		options...,
 	)
+	if err != nil {
+		return fmt.Errorf("package controller client error: %w", err)
+	}
 
 	return nil
 }
diff --git a/controllers/factory.go b/controllers/factory.go
index 80eab97f5e713..cb8ef2d1907ae 100644
--- a/controllers/factory.go
+++ b/controllers/factory.go
@@ -15,6 +15,7 @@ import (
 	"github.com/aws/eks-anywhere/pkg/crypto"
 	"github.com/aws/eks-anywhere/pkg/curatedpackages"
 	"github.com/aws/eks-anywhere/pkg/dependencies"
+	"github.com/aws/eks-anywhere/pkg/executables"
 	ciliumreconciler "github.com/aws/eks-anywhere/pkg/networking/cilium/reconciler"
 	cnireconciler "github.com/aws/eks-anywhere/pkg/networking/reconciler"
 	dockerreconciler "github.com/aws/eks-anywhere/pkg/providers/docker/reconciler"
@@ -393,7 +394,7 @@ func (f *Factory) withAWSIamConfigReconciler() *Factory {
 }
 
 func (f *Factory) withPackageControllerClient() *Factory {
-	f.dependencyFactory.WithHelm().WithKubectl()
+	f.dependencyFactory.WithHelm(executables.WithSkipCRDs()).WithKubectl()
 
 	f.buildSteps = append(f.buildSteps, func(ctx context.Context) error {
 		if f.packageControllerClient != nil {
diff --git a/pkg/curatedpackages/packagecontrollerclient.go b/pkg/curatedpackages/packagecontrollerclient.go
index 9908a72b0bf10..57190316ae069 100644
--- a/pkg/curatedpackages/packagecontrollerclient.go
+++ b/pkg/curatedpackages/packagecontrollerclient.go
@@ -61,7 +61,13 @@ func NewPackageControllerClientFullLifecycle(chartInstaller ChartInstaller, kube
 }
 
 func (pc *PackageControllerClient) EnableCuratedPackagesFullLifecycle(ctx context.Context, clusterName, kubeConfig string, chart *v1alpha1.Image, registryMirror *registrymirror.RegistryMirror, options ...PackageControllerClientOpt) error {
+	writer, err := filewriter.NewWriter(clusterName)
+	if err != nil {
+		return fmt.Errorf("creating new filewriter for helm values file writer: %w", err)
+	}
+	options = append(options, WithValuesFileWriter(writer))
 	newPC := NewPackageControllerClient(pc.chartInstaller, pc.kubectl, clusterName, kubeConfig, chart, registryMirror, options...)
+	pc = newPC // yuck!
 	return newPC.EnableCuratedPackages(ctx)
 }
 
diff --git a/pkg/executables/helm.go b/pkg/executables/helm.go
index 5d51a467dcfc8..d8755695bd415 100644
--- a/pkg/executables/helm.go
+++ b/pkg/executables/helm.go
@@ -21,6 +21,8 @@ type Helm struct {
 	registryMirror *registrymirror.RegistryMirror
 	env            map[string]string
 	insecure       bool
+	// skipCRDs passes the --skip-crds flag to the helm executable.
+	skipCRDs bool
 }
 
 type HelmOpt func(*Helm)
@@ -32,6 +34,16 @@ func WithRegistryMirror(mirror *registrymirror.RegistryMirror) HelmOpt {
 	}
 }
 
+// WithSkipCRDs configures helm to skip the creation of CRDs when installing a
+// chart.
+func WithSkipCRDs() HelmOpt {
+	return func(h *Helm) {
+		h.skipCRDs = true
+	}
+}
+
+// WithInsecure configures helm to skip validating TLS certificates when
+// communicating with the Kubernetes API.
 func WithInsecure() HelmOpt {
 	return func(h *Helm) {
 		h.insecure = true
@@ -127,6 +139,9 @@ func (h *Helm) InstallChartFromName(ctx context.Context, ociURI, kubeConfig, nam
 func (h *Helm) InstallChart(ctx context.Context, chart, ociURI, version, kubeconfigFilePath, namespace, valueFilePath string, values []string) error {
 	valueArgs := GetHelmValueArgs(values)
 	params := []string{"install", chart, ociURI, "--version", version}
+	if h.skipCRDs {
+		params = append(params, "--skip-crds")
+	}
 	params = append(params, valueArgs...)
 	params = append(params, "--kubeconfig", kubeconfigFilePath)
 	if len(namespace) > 0 {