diff --git a/deployment/chainloop/templates/controlplane/migrate-job.yaml b/deployment/chainloop/templates/controlplane/migrate-job.yaml
index 35a2b932c..ebada3e89 100644
--- a/deployment/chainloop/templates/controlplane/migrate-job.yaml
+++ b/deployment/chainloop/templates/controlplane/migrate-job.yaml
@@ -22,6 +22,28 @@ spec:
       securityContext:
         {{- toYaml .Values.controlplane.podSecurityContext | nindent 8 }}
       containers:
+        {{ if .Values.controlplane.sqlProxy.enabled }}
+        - name: cloud-sql-proxy
+          # It is recommended to use the latest version of the Cloud SQL proxy
+          # Make sure to update on a regular schedule!
+          image: gcr.io/cloudsql-docker/gce-proxy:1.28.0 # make sure the use the latest version
+          command:
+            - "/cloud_sql_proxy"
+            # If connecting from a VPC-native GKE cluster, you can use the
+            # following flag to have the proxy connect over private IP
+            # - "-ip_address_types=PRIVATE"
+
+            # By default, the proxy will write all logs to stderr. In some
+            # environments, anything printed to stderr is consider an error. To
+            # disable this behavior and write all logs to stdout (except errors
+            # which will still go to stderr), use:
+            - "-log_debug_stdout"
+            - "-instances={{ .Values.controlplane.sqlProxy.connectionName }}=tcp:5432"
+          securityContext:
+            runAsNonRoot: true
+          resources:
+            {{- toYaml .Values.controlplane.sqlProxy.resources | nindent 12 }}
+        {{- end }}
         - name: migrate
           image: "{{ .Values.controlplane.migration.image.repository }}:{{ .Values.controlplane.migration.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.controlplane.image.pullPolicy }}