diff --git a/Makefile b/Makefile
index 8c373cf84..be6b9278a 100644
--- a/Makefile
+++ b/Makefile
@@ -397,25 +397,42 @@ SAMPLE_APP_FLAGS += -n $(SAMPLE_APP_NAMESPACE)
 endif
 
 .PHONY: sample_app
-sample_app: ## Deploy sample app.
+sample_app: undeploy_sample_app ## Deploy sample app.
 	$(CLUSTER_CLIENT) apply $(SAMPLE_APP_FLAGS) -f config/samples/sample-app.yaml
 
 .PHONY: undeploy_sample_app
 undeploy_sample_app: ## Undeploy sample app.
-	$(CLUSTER_CLIENT) delete $(SAMPLE_APP_FLAGS) --ignore-not-found=$(ignore-not-found) -f config/samples/sample-app.yaml
+	- $(CLUSTER_CLIENT) delete $(SAMPLE_APP_FLAGS) --ignore-not-found=$(ignore-not-found) -f config/samples/sample-app.yaml
 
 .PHONY: sample_app_agent
 sample_app_agent: undeploy_sample_app_agent ## Deploy sample app with Cryostat Agent.
 	@if [ -z "${AUTH_TOKEN}" ]; then \
 		if [ "${CLUSTER_CLIENT}" = "oc" ]; then\
-			AUTH_TOKEN=`oc whoami -t | base64`; \
+			AUTH_TOKEN=`oc whoami -t`; \
 		else \
 			echo "'AUTH_TOKEN' must be specified."; \
 			exit 1; \
 		fi; \
 	fi; \
 	$(CLUSTER_CLIENT) apply $(SAMPLE_APP_FLAGS) -f config/samples/sample-app-agent.yaml; \
-	$(CLUSTER_CLIENT) set env $(SAMPLE_APP_FLAGS) deployment/quarkus-test-agent CRYOSTAT_AGENT_AUTHORIZATION="Bearer $(AUTH_TOKEN)"
+	$(CLUSTER_CLIENT) set env $(SAMPLE_APP_FLAGS) deployment/quarkus-cryostat-agent CRYOSTAT_AGENT_AUTHORIZATION="Bearer $(AUTH_TOKEN)"
+
+.PHONY: undeploy_sample_app_agent_proxy
+undeploy_sample_app_agent_proxy: ## Undeploy sample app with Cryostat Agent configured for TLS client auth on nginx proxy.
+	- $(CLUSTER_CLIENT) delete $(SAMPLE_APP_FLAGS) --ignore-not-found=$(ignore-not-found) -f config/samples/sample-app-agent-tls-proxy.yaml
+
+.PHONY: sample_app_agent_proxy
+sample_app_agent_proxy: undeploy_sample_app_agent_proxy ## Deploy sample app with Cryostat Agent configured for TLS client auth on nginx proxy.
+	@if [ -z "${SECRET_HASH}" ]; then \
+		if [ -z "$${SAMPLE_APP_NAMESPACE}" ]; then \
+			SAMPLE_APP_NAMESPACE=`$(CLUSTER_CLIENT) config view --minify -o 'jsonpath={.contexts[0].context.namespace}'`; \
+		fi ;\
+		if [ -z "$${CRYOSTAT_CR_NAME}" ]; then \
+			CRYOSTAT_CR_NAME="cryostat-sample"; \
+		fi ;\
+		SECRET_HASH=`echo -n ${DEPLOY_NAMESPACE}/$${CRYOSTAT_CR_NAME}/$${SAMPLE_APP_NAMESPACE} | sha256sum | cut -d' ' -f 1`; \
+	fi; \
+	sed "s/REPLACEHASH/$${SECRET_HASH}/" < config/samples/sample-app-agent-tls-proxy.yaml | oc apply -f -
 
 .PHONY: undeploy_sample_app_agent
 undeploy_sample_app_agent: ## Undeploy sample app with Cryostat Agent.
diff --git a/README.md b/README.md
index 02ff975d6..9ef48c147 100644
--- a/README.md
+++ b/README.md
@@ -148,8 +148,8 @@ install/remove cert-manager from your cluster.
 
 ### User Authentication
 
-Users can use `oc whoami --show-token | base64` to retrieve their encoded OpenShift OAuth token
-for the currently logged in user account. This encoded token can be used when directly
+Users can use `oc whoami --show-token` to retrieve their OpenShift OAuth token
+for the currently logged in user account. This token can be used when directly
 interacting with the deployed Cryostat instance(s).
 
 When using the web-client, users can login with their username and password associated with their OpenShift account. User credentials will be remembered for the duration of the session.
diff --git a/config/samples/sample-app-agent-tls-proxy.yaml b/config/samples/sample-app-agent-tls-proxy.yaml
new file mode 100644
index 000000000..0efd33295
--- /dev/null
+++ b/config/samples/sample-app-agent-tls-proxy.yaml
@@ -0,0 +1,94 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: quarkus-cryostat-agent-tls-proxy
+  name: quarkus-cryostat-agent-tls-proxy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: quarkus-cryostat-agent-tls-proxy
+  template:
+    metadata:
+      labels:
+        app: quarkus-cryostat-agent-tls-proxy
+    spec:
+      containers:
+      - env:
+        - name: CRYOSTAT_AGENT_APP_NAME
+          value: agent-test
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+        - name: CRYOSTAT_AGENT_API_WRITES_ENABLED
+          value: "true"
+        - name: CRYOSTAT_AGENT_BASEURI
+          value: https://cryostat-sample-agent.$(NAMESPACE).svc:8282
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: status.podIP
+        - name: CRYOSTAT_AGENT_CALLBACK
+          value: http://$(POD_IP):9977
+        - name: JAVA_OPTS_APPEND
+          value: |-
+            -Dquarkus.http.host=0.0.0.0
+            -Djava.util.logging.manager=org.jboss.logmanager.LogManager
+            -javaagent:/deployments/app/cryostat-agent.jar
+            -Dcryostat.agent.webclient.tls.client-auth.cert.path=/var/run/secrets/io.cryostat/cryostat-agent/tls.crt
+            -Dcryostat.agent.webclient.tls.client-auth.key.path=/var/run/secrets/io.cryostat/cryostat-agent/tls.key
+            -Dcryostat.agent.webclient.tls.truststore.cert[0].path=/var/run/secrets/io.cryostat/cryostat-agent/ca.crt
+            -Dcryostat.agent.webclient.tls.truststore.cert[0].type=X.509
+            -Dcryostat.agent.webclient.tls.truststore.cert[0].alias=cryostat
+        image: quay.io/redhat-java-monitoring/quarkus-cryostat-agent:latest
+        imagePullPolicy: Always
+        name: quarkus-cryostat-agent-tls-proxy
+        ports:
+        - containerPort: 10010
+          protocol: TCP
+        - containerPort: 9097
+          protocol: TCP
+        resources:
+          limits:
+            cpu: 500m
+            memory: 256Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+        volumeMounts:
+        - mountPath: /var/run/secrets/io.cryostat/cryostat-agent
+          name: agent-tls
+      restartPolicy: Always
+      securityContext:
+        runAsNonRoot: true
+      volumes:
+      - name: agent-tls
+        secret:
+          secretName: cryostat-agent-REPLACEHASH
+          defaultMode: 420
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: quarkus-cryostat-agent-tls-proxy
+  name: quarkus-cryostat-agent-tls-proxy
+spec:
+  selector:
+    app: quarkus-cryostat-agent-tls-proxy
+  ports:
+  - name: agent-http
+    port: 9977
+    protocol: TCP
+    targetPort: 9977
+  - name: app-http
+    port: 10010
+    protocol: TCP
+    targetPort: 10010
diff --git a/config/samples/sample-app-agent.yaml b/config/samples/sample-app-agent.yaml
index 4ca177ae7..ece50f2e2 100644
--- a/config/samples/sample-app-agent.yaml
+++ b/config/samples/sample-app-agent.yaml
@@ -3,17 +3,17 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    app: quarkus-test-agent
-  name: quarkus-test-agent
+    app: quarkus-cryostat-agent
+  name: quarkus-cryostat-agent
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: quarkus-test-agent
+      app: quarkus-cryostat-agent
   template:
     metadata:
       labels:
-        app: quarkus-test-agent
+        app: quarkus-cryostat-agent
     spec:
       containers:
       - env:
@@ -37,11 +37,6 @@ spec:
           value: http://$(POD_IP):9977
         - name: CRYOSTAT_AGENT_AUTHORIZATION
           value: Bearer abcd1234
-        - name: KEYSTORE_PASS
-          valueFrom:
-            secretKeyRef:
-              key: KEYSTORE_PASS
-              name: cryostat-sample-keystore
         - name: JAVA_OPTS_APPEND
           value: |-
             -Dquarkus.http.host=0.0.0.0
@@ -50,11 +45,12 @@ spec:
             -Dcom.sun.management.jmxremote.ssl=false
             -Dcom.sun.management.jmxremote.authenticate=false
             -javaagent:/deployments/app/cryostat-agent.jar
-            -Djavax.net.ssl.trustStore=/var/run/secrets/myapp/truststore.p12
-            -Djavax.net.ssl.trustStorePassword=$(KEYSTORE_PASS)
-        image: quay.io/andrewazores/quarkus-test:latest
+            -Dcryostat.agent.webclient.tls.truststore.cert[0].path=/var/run/secrets/myapp/ca.crt
+            -Dcryostat.agent.webclient.tls.truststore.cert[0].type=X.509
+            -Dcryostat.agent.webclient.tls.truststore.cert[0].alias=cryostat-sample
+        image: quay.io/redhat-java-monitoring/quarkus-cryostat-agent:latest
         imagePullPolicy: Always
-        name: quarkus-test-agent
+        name: quarkus-cryostat-agent
         ports:
         - containerPort: 10010
           protocol: TCP
@@ -73,9 +69,9 @@ spec:
             drop:
             - ALL
         volumeMounts:
-        - mountPath: /var/run/secrets/myapp/truststore.p12
+        - mountPath: /var/run/secrets/myapp/ca.crt
           name: truststore
-          subPath: truststore.p12
+          subPath: ca.crt
       restartPolicy: Always
       securityContext:
         runAsNonRoot: true
@@ -88,11 +84,11 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    app: quarkus-test-agent
-  name: quarkus-test-agent
+    app: quarkus-cryostat-agent
+  name: quarkus-cryostat-agent
 spec:
   selector:
-    app: quarkus-test-agent
+    app: quarkus-cryostat-agent
   ports:
   - name: jfr-jmx
     port: 9097
diff --git a/config/samples/sample-app.yaml b/config/samples/sample-app.yaml
index b9ba8434c..9dc3225c5 100644
--- a/config/samples/sample-app.yaml
+++ b/config/samples/sample-app.yaml
@@ -16,7 +16,7 @@ spec:
         app: quarkus-test
     spec:
       containers:
-        - image: quay.io/andrewazores/quarkus-test:latest
+        - image: quay.io/redhat-java-monitoring/quarkus-cryostat-agent:latest
           imagePullPolicy: Always
           name: quarkus-test
           ports: