diff --git a/charts/cryostat/templates/_reports_authproxy.tpl b/charts/cryostat/templates/_reports_authproxy.tpl
index 4184077..90292e7 100644
--- a/charts/cryostat/templates/_reports_authproxy.tpl
+++ b/charts/cryostat/templates/_reports_authproxy.tpl
@@ -45,6 +45,62 @@
 readOnly: true
 terminationMessagePath: /dev/termination-log
 terminationMessagePolicy: File
+{{- else if .Values.oauth2Proxy.tls.selfSigned.enabled }}
+- name: {{ printf "%s-reports-%s" .Chart.Name "authproxy" }}
+ securityContext:
+ {{- toYaml (.Values.oauth2Proxy).securityContext | nindent 4 }}
+ image: "{{ (.Values.oauth2Proxy).image.repository }}:{{ (.Values.oauth2Proxy).image.tag }}"
+ imagePullPolicy: {{ (.Values.oauth2Proxy).image.pullPolicy }}
+ env:
+ - name: OAUTH2_PROXY_CLIENT_ID
+ value: dummy
+ - name: OAUTH2_PROXY_CLIENT_SECRET
+ value: none
+ - name: OAUTH2_PROXY_HTTP_ADDRESS
+ value: 0.0.0.0:4180
+ - name: OAUTH2_PROXY_HTTPS_ADDRESS
+ value: :8443
+ - name: OAUTH2_PROXY_TLS_CERT_FILE
+ value: /etc/tls/private/cert
+ - name: OAUTH2_PROXY_TLS_KEY_FILE
+ value: /etc/tls/private/key
+ - name: OAUTH2_PROXY_UPSTREAMS
+ value: http://localhost:10001/
+ - name: OAUTH2_PROXY_REDIRECT_URL
+ value: "http://localhost:4180/oauth2/callback"
+ - name: OAUTH2_PROXY_COOKIE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: {{ default (printf "%s-cookie-secret" .Release.Name) .Values.authentication.cookieSecretName }}
+ key: COOKIE_SECRET
+ optional: false
+ - name: OAUTH2_PROXY_EMAIL_DOMAINS
+ value: "*"
+ - name: OAUTH2_PROXY_HTPASSWD_USER_GROUP
+ value: write
+ - name: OAUTH2_PROXY_HTPASSWD_FILE
+ value: /etc/oauth2_proxy/basicauth/htpasswd
+ - name: OAUTH2_PROXY_SKIP_AUTH_ROUTES
+ value: "^/health$"
+ - name: OAUTH2_PROXY_PROXY_WEBSOCKETS
+ value: "false"
+ ports:
+ - containerPort: 4180
+ name: http
+ protocol: TCP
+ - containerPort: 8443
+ name: https
+ protocol: TCP
+ resources:
+ {{- toYaml .Values.oauth2Proxy.resources | nindent 4 }}
+ volumeMounts:
+ - name: {{ .Release.Name }}-reports-secret
+ mountPath: /etc/oauth2_proxy/basicauth
+ readOnly: true
+ {{- if .Values.oauth2Proxy.tls.selfSigned.enabled }}
+ - name: {{ .Release.Name }}-oauth2proxy-reports-tls
+ mountPath: /etc/tls/private
+ {{- end }}
 {{- else }}
 - name: {{ printf "%s-reports-%s" .Chart.Name "authproxy" }}
 securityContext:
diff --git a/charts/cryostat/templates/cryostat_deployment.yaml b/charts/cryostat/templates/cryostat_deployment.yaml
index c759628..76db1b5 100644
--- a/charts/cryostat/templates/cryostat_deployment.yaml
+++ b/charts/cryostat/templates/cryostat_deployment.yaml
@@ -75,7 +75,7 @@ spec:
 - name: QUARKUS_REST_CLIENT_EXTENSIONS_API_VERIFY_HOST
 value: "false"
 - name: QUARKUS_REST_CLIENT_REPORTS_URL
- value: {{ printf "%s://cryostat:$(REPORTS_PASS_SECRET_KEY)@%s-reports.%s.svc:%d" (ternary "https" "http" (.Values.authentication.openshift).enabled) $fullName $.Release.Namespace (int .Values.reports.service.httpPort) }}
+ value: {{ printf "%s://cryostat:$(REPORTS_PASS_SECRET_KEY)@%s-reports.%s.svc:%d" (ternary "https" "http" (or (.Values.authentication.openshift).enabled .Values.oauth2Proxy.tls.selfSigned.enabled)) $fullName $.Release.Namespace (int .Values.reports.service.httpPort) }}
 {{- end }}
 - name: QUARKUS_DATASOURCE_USERNAME
 value: cryostat
diff --git a/charts/cryostat/templates/reports_deployment.yaml b/charts/cryostat/templates/reports_deployment.yaml
index 05c846d..1ad5aca 100644
--- a/charts/cryostat/templates/reports_deployment.yaml
+++ b/charts/cryostat/templates/reports_deployment.yaml
@@ -83,5 +83,9 @@ spec:
 - name: {{ .Release.Name }}-proxy-tls
 secret:
 secretName: {{ .Release.Name }}-proxy-tls
+ {{- else if .Values.oauth2Proxy.tls.selfSigned.enabled }}
+ - name: {{ .Release.Name }}-oauth2proxy-reports-tls
+ secret:
+ secretName: {{ .Release.Name }}-oauth2proxy-reports-tls
 {{- end }}
 {{- end -}}
diff --git a/charts/cryostat/templates/reports_service.yaml b/charts/cryostat/templates/reports_service.yaml
index 5ebb9be..6ab4aad 100644
--- a/charts/cryostat/templates/reports_service.yaml
+++ b/charts/cryostat/templates/reports_service.yaml
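Review bot: The `{{- if .Values.oauth2Proxy.tls.selfSigned.enabled }}` guard around the `-oauth2proxy-reports-tls` volume mount is redundant: this whole container block is already under `{{- else if .Values.oauth2Proxy.tls.selfSigned.enabled }}`, and `OAUTH2_PROXY_TLS_CERT_FILE`/`OAUTH2_PROXY_TLS_KEY_FILE` above it depend on that mount unconditionally, so the inner `if`/`end` pair should go. Separately, the proxy still binds its plaintext listener on `0.0.0.0:4180` and publishes it as the `http` container port even though the TLS listener on `8443` is the one the Service targets in this mode; if the plaintext port is kept only for the localhost redirect URL and health checks, binding it to `127.0.0.1:4180`, or a comment stating why it must stay pod-wide, would make the intent explicit. The `if`/`else if` chain this block belongs to starts before the hunk.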
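Review bot: The reports client URL switches to `https` when `oauth2Proxy.tls.selfSigned.enabled` is set, but nothing in this hunk configures the reports REST client to trust the self-signed certificate, so unless a trust store or verification setting is wired up elsewhere the connection will fail TLS verification; the neighbouring `QUARKUS_REST_CLIENT_EXTENSIONS_API_VERIFY_HOST` only covers the extensions client. The `ternary "https" "http" (or (.Values.authentication.openshift).enabled .Values.oauth2Proxy.tls.selfSigned.enabled)` expression is duplicated verbatim in the `reports_service.yaml` hunk; a named helper template (e.g. `cryostat.reportsScheme`) would keep the URL scheme and the Service `targetPort` from drifting apart. The `{{- if }}` closed by the `{{- end }}` context line begins before the hunk.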
@@ -11,7 +11,7 @@ spec:
 type: {{ .Values.reports.service.type }}
 ports:
 - port: {{ .Values.reports.service.httpPort }}
- targetPort: {{ ternary "https" "http" (.Values.authentication.openshift).enabled }}
+ targetPort: {{ ternary "https" "http" (or (.Values.authentication.openshift).enabled .Values.oauth2Proxy.tls.selfSigned.enabled) }}
 selector:
 {{- include "cryostat.selectorLabels" $ | nindent 4 }}
 app.kubernetes.io/component: reports
diff --git a/charts/cryostat/templates/reports_tls_secret.yaml b/charts/cryostat/templates/reports_tls_secret.yaml
new file mode 100644
index 0000000..4828808
--- /dev/null
+++ b/charts/cryostat/templates/reports_tls_secret.yaml
@@ -0,0 +1,15 @@
+{{- if (and (not (.Values.authentication.openshift).enabled) (.Values.oauth2Proxy.tls.selfSigned.enabled)) }}
+{{- $fullName := include "cryostat.fullname" . }}
+{{- $cert := genSelfSignedCert (printf "%s-reports" $fullName) nil nil 365 }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-oauth2proxy-reports-tls
+ labels:
+ {{- include "cryostat.labels" $ | nindent 4 }}
+type: Opaque
+immutable: true
+data:
+ cert: {{ $cert.Cert | b64enc }}
+ key: {{ $cert.Key | b64enc }}
+{{- end -}}
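Review bot: `genSelfSignedCert (printf "%s-reports" $fullName) nil nil 365` yields a certificate whose only identity is the CN `<fullname>-reports`, with no DNS SANs, while the client in `cryostat_deployment.yaml` connects to `<fullname>-reports.<namespace>.svc`; TLS stacks that require a SAN match will reject that hostname. Pass the service names as the alternate-DNS argument: `{{- $cert := genSelfSignedCert (printf "%s-reports" $fullName) nil (list (printf "%s-reports" $fullName) (printf "%s-reports.%s.svc" $fullName .Release.Namespace)) 365 }}`. The certificate is also regenerated on every render, so each `helm upgrade` produces a new key pair while `immutable: true` makes the Secret reject data updates; either drop `immutable` or reuse the existing Secret via `lookup` before generating. Finally, the Secret is named from `.Release.Name` while the certificate subject uses `$fullName`; a comment stating which identifier is canonical for the reports TLS material would help the next maintainer.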