diff --git a/pkg/registry/client.go b/pkg/registry/client.go
index 0dfa6926fb4..0dc6390a201 100644
--- a/pkg/registry/client.go
+++ b/pkg/registry/client.go
@@ -105,12 +105,7 @@ func NewClient(options ...ClientOption) (*Client, error) {
 			if err != nil {
 				return nil, errors.New("unable to retrieve credentials")
 			}
-			// A blank returned username and password value is a bearer token
-			if username == "" && password != "" {
-				headers.Set("Authorization", fmt.Sprintf("Bearer %s", password))
-			} else {
-				headers.Set("Authorization", fmt.Sprintf("Basic %s", basicAuth(username, password)))
-			}
+			authHeader(username, password, &headers)
 		}
 
 		opts := []auth.ResolverOption{auth.WithResolverHeaders(headers)}
diff --git a/pkg/registry/util.go b/pkg/registry/util.go
index ca93297e60b..6fb1d0cdacf 100644
--- a/pkg/registry/util.go
+++ b/pkg/registry/util.go
@@ -256,3 +256,22 @@ func basicAuth(username, password string) string {
 	auth := username + ":" + password
 	return base64.StdEncoding.EncodeToString([]byte(auth))
 }
+
+// authHeader generates an HTTP authorization header based on the provided
+// username and password and sets it in the provided HTTP headers pointer.
+//
+// If both username and password are empty, no header is set.
+// If only the password is provided, a "Bearer" token is created and set in
+// the Authorization header.
+// If both username and password are provided, a "Basic" authentication token
+// is created using the basicAuth function, and set in the Authorization header.
+func authHeader(username, password string, headers *http.Header) {
+	if username == "" && password == "" {
+		return
+	}
+	if username == "" {
+		headers.Set("Authorization", fmt.Sprintf("Bearer %s", password))
+		return
+	}
+	headers.Set("Authorization", fmt.Sprintf("Basic %s", basicAuth(username, password)))
+}
diff --git a/pkg/registry/util_test.go b/pkg/registry/util_test.go
index f08c1fef15c..f641801fe26 100644
--- a/pkg/registry/util_test.go
+++ b/pkg/registry/util_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package registry // import "helm.sh/helm/v3/pkg/registry"
 
 import (
+	"net/http"
 	"reflect"
 	"testing"
 	"time"
@@ -266,3 +267,49 @@ func Test_basicAuth(t *testing.T) {
 		})
 	}
 }
+
+func Test_authHeader(t *testing.T) {
+	tests := []struct {
+		name           string
+		username       string
+		password       string
+		expectedHeader http.Header
+	}{
+		{
+			name:     "basic login header with username and password",
+			username: "admin",
+			password: "passw0rd",
+			expectedHeader: func() http.Header {
+				header := http.Header{}
+				header.Set("Authorization", "Basic YWRtaW46cGFzc3cwcmQ=")
+				return header
+			}(),
+		},
+		{
+			name:     "bearer login header with no username and password",
+			username: "",
+			password: "hunter2",
+			expectedHeader: func() http.Header {
+				header := http.Header{}
+				header.Set("Authorization", "Bearer hunter2")
+				return header
+			}(),
+		},
+		{
+			name:           "no change in header with neither username nor password",
+			username:       "",
+			password:       "",
+			expectedHeader: http.Header{},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := &http.Header{}
+			authHeader(tt.username, tt.password, got)
+			if !reflect.DeepEqual(*got, tt.expectedHeader) {
+				t.Errorf("authHeader got %#v wanted %#v", *got, tt.expectedHeader)
+			}
+		})
+	}
+}