diff --git a/apis/reaper/v1alpha1/reaper_types.go b/apis/reaper/v1alpha1/reaper_types.go
index 5641d9a7c..c96d2b015 100644
--- a/apis/reaper/v1alpha1/reaper_types.go
+++ b/apis/reaper/v1alpha1/reaper_types.go
@@ -56,7 +56,7 @@ type ReaperTemplate struct {
 
 	// Defines the secret which contains the username and password for the Reaper UI and REST API authentication.
 	// +optional
-	UiUserSecretRef corev1.LocalObjectReference `json:"uiUserSecretRef,omitempty"`
+	UiUserSecretRef *corev1.LocalObjectReference `json:"uiUserSecretRef,omitempty"`
 
 	// SecretsProvider defines whether the secrets used for credentials and certs will be backed
 	// by an external secret backend. This moves the responsibility of generating and storing
diff --git a/apis/reaper/v1alpha1/zz_generated.deepcopy.go b/apis/reaper/v1alpha1/zz_generated.deepcopy.go
index a94a532c5..736ad7260 100644
--- a/apis/reaper/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/reaper/v1alpha1/zz_generated.deepcopy.go
@@ -233,7 +233,11 @@ func (in *ReaperTemplate) DeepCopyInto(out *ReaperTemplate) {
 	*out = *in
 	out.CassandraUserSecretRef = in.CassandraUserSecretRef
 	out.JmxUserSecretRef = in.JmxUserSecretRef
-	out.UiUserSecretRef = in.UiUserSecretRef
+	if in.UiUserSecretRef != nil {
+		in, out := &in.UiUserSecretRef, &out.UiUserSecretRef
+		*out = new(v1.LocalObjectReference)
+		**out = **in
+	}
 	if in.ContainerImage != nil {
 		in, out := &in.ContainerImage, &out.ContainerImage
 		*out = new(images.Image)
diff --git a/controllers/k8ssandra/secrets.go b/controllers/k8ssandra/secrets.go
index c12766257..e418afb3b 100644
--- a/controllers/k8ssandra/secrets.go
+++ b/controllers/k8ssandra/secrets.go
@@ -66,12 +66,14 @@ func (r *K8ssandraClusterReconciler) reconcileReaperSecrets(ctx context.Context,
 			var uiUserSecretRef corev1.LocalObjectReference
 			if kc.Spec.Reaper != nil {
 				cassandraUserSecretRef = kc.Spec.Reaper.CassandraUserSecretRef
-				uiUserSecretRef = kc.Spec.Reaper.UiUserSecretRef
+				if kc.Spec.Reaper.UiUserSecretRef != nil {
+					uiUserSecretRef = *kc.Spec.Reaper.UiUserSecretRef
+				}
 			}
 			if cassandraUserSecretRef.Name == "" {
 				cassandraUserSecretRef.Name = reaper.DefaultUserSecretName(kc.SanitizedName())
 			}
-			if uiUserSecretRef.Name == "" {
+			if kc.Spec.Reaper.UiUserSecretRef == nil {
 				uiUserSecretRef.Name = reaper.DefaultUiSecretName(kc.SanitizedName())
 			}
 			kcKey := utils.GetKey(kc)
@@ -79,9 +81,11 @@ func (r *K8ssandraClusterReconciler) reconcileReaperSecrets(ctx context.Context,
 				logger.Error(err, "Failed to reconcile Reaper CQL user secret", "ReaperCassandraUserSecretRef", cassandraUserSecretRef)
 				return result.Error(err)
 			}
-			if err := secret.ReconcileSecret(ctx, r.Client, uiUserSecretRef.Name, kcKey); err != nil {
-				logger.Error(err, "Failed to reconcile Reaper UI secret", "ReaperUiUserSecretRef", uiUserSecretRef)
-				return result.Error(err)
+			if kc.Spec.Reaper.UiUserSecretRef != nil {
+				if err := secret.ReconcileSecret(ctx, r.Client, uiUserSecretRef.Name, kcKey); err != nil {
+					logger.Error(err, "Failed to reconcile Reaper UI secret", "ReaperUiUserSecretRef", uiUserSecretRef)
+					return result.Error(err)
+				}
 			}
 			logger.Info("Reaper user secrets successfully reconciled")
 
diff --git a/controllers/reaper/reaper_controller.go b/controllers/reaper/reaper_controller.go
index f419355fe..cd3df5fa8 100644
--- a/controllers/reaper/reaper_controller.go
+++ b/controllers/reaper/reaper_controller.go
@@ -328,7 +328,8 @@ func (r *ReaperReconciler) configureReaper(ctx context.Context, actualReaper *re
 }
 
 func (r *ReaperReconciler) getReaperUICredentials(ctx context.Context, actualReaper *reaperapi.Reaper, logger logr.Logger) (string, string, error) {
-	if actualReaper.Spec.UiUserSecretRef.Name == "" {
+
+	if actualReaper.Spec.UiUserSecretRef == nil || actualReaper.Spec.UiUserSecretRef.Name == "" {
 		// The UI user secret doesn't exist, meaning auth is disabled
 		return "", "", nil
 	}
@@ -383,11 +384,11 @@ func (r *ReaperReconciler) collectAuthVarsForType(ctx context.Context, actualRea
 		secretRef = &actualReaper.Spec.CassandraUserSecretRef
 		envVars = []*corev1.EnvVar{}
 	case "ui":
-		secretRef = &actualReaper.Spec.UiUserSecretRef
+		secretRef = actualReaper.Spec.UiUserSecretRef
 		envVars = []*corev1.EnvVar{reaper.EnableAuthVar}
 	}
 
-	if len(secretRef.Name) > 0 && !actualReaper.Spec.UseExternalSecrets() {
+	if secretRef != nil && len(secretRef.Name) > 0 && !actualReaper.Spec.UseExternalSecrets() {
 		secretKey := types.NamespacedName{Namespace: actualReaper.Namespace, Name: secretRef.Name}
 		if secret, err := r.getSecret(ctx, secretKey); err != nil {
 			logger.Error(err, "Failed to get Cassandra authentication secret", authType, secretKey)
diff --git a/controllers/reaper/reaper_controller_test.go b/controllers/reaper/reaper_controller_test.go
index 49c85939b..8a7b8cc0e 100644
--- a/controllers/reaper/reaper_controller_test.go
+++ b/controllers/reaper/reaper_controller_test.go
@@ -380,7 +380,7 @@ func testCreateReaperWithAuthEnabled(t *testing.T, ctx context.Context, k8sClien
 	t.Log("create the Reaper object and modify it")
 	rpr := newReaper(testNamespace)
 	rpr.Spec.CassandraUserSecretRef.Name = "top-secret-cass"
-	rpr.Spec.UiUserSecretRef.Name = "top-secret-ui"
+	rpr.Spec.UiUserSecretRef = &corev1.LocalObjectReference{Name: "top-secret-ui"}
 	err = k8sClient.Create(ctx, rpr)
 	require.NoError(t, err)
 
@@ -477,7 +477,7 @@ func testCreateReaperWithAuthEnabledExternalSecret(t *testing.T, ctx context.Con
 	//lint:ignore SA1019 Verify deprecated method is ineffective
 	rpr.Spec.JmxUserSecretRef.Name = "top-secret-jmx" //nolint:staticcheck
 
-	rpr.Spec.UiUserSecretRef.Name = "top-secret-ui"
+	rpr.Spec.UiUserSecretRef = &corev1.LocalObjectReference{Name: "top-secret-ui"}
 	err = k8sClient.Create(ctx, rpr)
 	require.NoError(t, err)
 
diff --git a/pkg/reaper/resource.go b/pkg/reaper/resource.go
index afddfd69b..84fcff3db 100644
--- a/pkg/reaper/resource.go
+++ b/pkg/reaper/resource.go
@@ -67,8 +67,8 @@ func NewReaper(
 			desiredReaper.Spec.CassandraUserSecretRef.Name = DefaultUserSecretName(kc.SanitizedName())
 		}
 		// Note: deliberately skip JmxUserSecretRef, which is deprecated.
-		if desiredReaper.Spec.UiUserSecretRef.Name == "" {
-			desiredReaper.Spec.UiUserSecretRef.Name = DefaultUiSecretName(kc.SanitizedName())
+		if desiredReaper.Spec.UiUserSecretRef == nil {
+			desiredReaper.Spec.UiUserSecretRef = &corev1.LocalObjectReference{Name: DefaultUiSecretName(kc.SanitizedName())}
 		}
 
 		if desiredReaper.Spec.ResourceMeta == nil {