diff --git a/deployment/chainloop/templates/_helpers.tpl b/deployment/chainloop/templates/_helpers.tpl index 65b3eb9a2..b13b34d20 100644 --- a/deployment/chainloop/templates/_helpers.tpl +++ b/deployment/chainloop/templates/_helpers.tpl @@ -173,14 +173,22 @@ Return the Postgresql connection string for Atlas migration Return the Postgresql hostname */}} {{- define "controlplane.database.host" -}} -{{- ternary (include "chainloop.postgresql.fullname" .) .Values.controlplane.externalDatabase.host .Values.postgresql.enabled -}} +{{- if .Values.controlplane.sqlProxy.enabled }} + {{- include "chainloop.sql-proxy.fullname" . -}} +{{- else -}} + {{- ternary (include "chainloop.postgresql.fullname" .) .Values.controlplane.externalDatabase.host .Values.postgresql.enabled -}} +{{- end -}} {{- end -}} {{/* Return the Postgresql port */}} {{- define "controlplane.database.port" -}} -{{- ternary 5432 .Values.controlplane.externalDatabase.port .Values.postgresql.enabled -}} +{{- if .Values.controlplane.sqlProxy.enabled }} + {{- 5432 -}} +{{- else -}} + {{- ternary 5432 .Values.controlplane.externalDatabase.port .Values.postgresql.enabled -}} +{{- end -}} {{- end -}} {{/* 
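Review bot: Both `controlplane.database.host` and `controlplane.database.port` now give `controlplane.sqlProxy.enabled` silent precedence over `postgresql.enabled` and `externalDatabase.*`, but the comments above them still describe a plain hostname/port lookup. Suggest documenting the precedence, e.g. `Return the Postgresql hostname (the sql-proxy Service name when controlplane.sqlProxy.enabled is set; this takes precedence over postgresql.enabled)`, and the equivalent for the port. The new `{{- if .Values.controlplane.sqlProxy.enabled }}` lines lack the trailing `-` that `{{- else -}}` and `{{- end -}}` carry. The following `{{-` absorbs the whitespace, so output should be unaffected, but `{{- if ... -}}` would be consistent.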
@@ -266,6 +274,52 @@ null {{- end -}} {{- end -}} +{{/* +############################################################################## +sql-proxy helpers +############################################################################## +*/}} + +{{/* +Chainloop sql-proxy release name +*/}} +{{- define "chainloop.sql-proxy.fullname" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) "sql-proxy" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Chainloop sql-proxy Chart fullname +*/}} +{{- define "chainloop.sql-proxy.name" -}} +{{- printf "%s-%s" (include "common.names.name" .) "sql-proxy" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "chainloop.sql-proxy.labels" -}} +{{- include "common.labels.standard" . }} +app.kubernetes.io/part-of: chainloop +app.kubernetes.io/component: sql-proxy +{{- end }} + +{{/* +Migration labels +*/}} +{{- define "chainloop.sql-proxy.migration.labels" -}} +{{- include "common.labels.standard" . }} +app.kubernetes.io/part-of: chainloop +app.kubernetes.io/component: sql-proxy-migration +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "chainloop.sql-proxy.selectorLabels" -}} +{{- include "common.labels.matchLabels" .}} +app.kubernetes.io/component: sql-proxy +{{- end }} + {{/* ############################################################################## CAS Helpers diff --git a/deployment/chainloop/templates/controlplane/deployment.yaml b/deployment/chainloop/templates/controlplane/deployment.yaml index 3a5b65504..765e2afe4 100644 --- a/deployment/chainloop/templates/controlplane/deployment.yaml +++ b/deployment/chainloop/templates/controlplane/deployment.yaml 
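Review bot: The comments on the first two helpers do not match what they build. `chainloop.sql-proxy.fullname` wraps `common.names.fullname` but is described as "release name", and `chainloop.sql-proxy.name` wraps `common.names.name` but is described as "Chart fullname". Suggest `Chainloop sql-proxy fully qualified resource name` and `Chainloop sql-proxy chart name`, and making "Common labels" / "Selector labels" say they are the sql-proxy ones. `chainloop.sql-proxy.name` and `chainloop.sql-proxy.migration.labels` are not referenced by any template visible in this diff; if nothing else uses them they could be dropped.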
@@ -29,28 +29,6 @@ spec: securityContext: {{- toYaml .Values.controlplane.podSecurityContext | nindent 8 }} containers: - {{ if .Values.controlplane.sqlProxy.enabled }} - - name: cloud-sql-proxy - # It is recommended to use the latest version of the Cloud SQL proxy - # Make sure to update on a regular schedule! - image: gcr.io/cloudsql-docker/gce-proxy:1.28.0 # make sure the use the latest version - command: - - "/cloud_sql_proxy" - # If connecting from a VPC-native GKE cluster, you can use the - # following flag to have the proxy connect over private IP - # - "-ip_address_types=PRIVATE" - - # By default, the proxy will write all logs to stderr. In some - # environments, anything printed to stderr is consider an error. To - # disable this behavior and write all logs to stdout (except errors - # which will still go to stderr), use: - - "-log_debug_stdout" - - "-instances={{ .Values.controlplane.sqlProxy.connectionName }}=tcp:5432" - securityContext: - runAsNonRoot: true - resources: - {{- toYaml .Values.controlplane.sqlProxy.resources | nindent 12 }} - {{- end }} - name: {{ .Chart.Name }} securityContext: {{- toYaml .Values.controlplane.securityContext | nindent 12 }} diff --git a/deployment/chainloop/templates/controlplane/deployment_sqlproxy.yaml b/deployment/chainloop/templates/controlplane/deployment_sqlproxy.yaml new file mode 100644 index 000000000..0bdfcecca --- /dev/null +++ b/deployment/chainloop/templates/controlplane/deployment_sqlproxy.yaml 
@@ -0,0 +1,56 @@
+{{ if .Values.controlplane.sqlProxy.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "chainloop.sql-proxy.fullname" . }}
+ labels:
+ {{- include "chainloop.sql-proxy.labels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{- include "chainloop.sql-proxy.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ annotations:
+ kubectl.kubernetes.io/default-container: cloud-sql-proxy
+ labels:
+ {{- include "chainloop.sql-proxy.selectorLabels" . | nindent 8 }}
+ spec:
+ affinity:
+ podAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/component: controlplane
+ topologyKey: kubernetes.io/hostname
+ {{- with .Values.controlplane.image.pullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "controlplane.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.controlplane.podSecurityContext | nindent 8 }}
+ containers:
+
+ - name: cloud-sql-proxy
+ # It is recommended to use the latest version of the Cloud SQL proxy
+ # Make sure to update on a regular schedule!
+ image: gcr.io/cloudsql-docker/gce-proxy:1.33.10 # make sure the use the latest version
+ command:
+ - "/cloud_sql_proxy"
+ # If connecting from a VPC-native GKE cluster, you can use the
+ # following flag to have the proxy connect over private IP
+ # - "-ip_address_types=PRIVATE"
+
+ # By default, the proxy will write all logs to stderr. In some
+ # environments, anything printed to stderr is consider an error. To
+ # disable this behavior and write all logs to stdout (except errors
+ # which will still go to stderr), use:
+ - "-log_debug_stdout"
+ - "-instances={{ .Values.controlplane.sqlProxy.connectionName }}=tcp:0.0.0.0:5432"
+ securityContext:
+ runAsNonRoot: true
+ resources:
+ {{- toYaml .Values.controlplane.sqlProxy.resources | nindent 12 }}
+{{- end }}
\ No newline at end of file
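Review bot: Running the proxy as its own Deployment turns a pod-local listener into a cluster-reachable one. The removed sidecar used `tcp:5432`, while the new argument `-instances=...=tcp:0.0.0.0:5432` binds all interfaces and the accompanying ClusterIP Service publishes it. Any workload that can reach that Service therefore gets the proxy's authorised path to the Cloud SQL instance, leaving only the database credentials as a gate, and controlplane-to-proxy traffic now crosses the pod network instead of loopback. Nothing in the visible hunks restricts ingress; a NetworkPolicy selecting `app.kubernetes.io/component: sql-proxy` and admitting only the controlplane and migration pods on port 5432 would restore roughly the previous boundary. The container `securityContext` could also carry `allowPrivilegeEscalation: false` alongside `runAsNonRoot: true`.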
diff --git a/deployment/chainloop/templates/controlplane/migrate-job.yaml b/deployment/chainloop/templates/controlplane/migrate-job.yaml index ebada3e89..35a2b932c 100644 --- a/deployment/chainloop/templates/controlplane/migrate-job.yaml +++ b/deployment/chainloop/templates/controlplane/migrate-job.yaml @@ -22,28 +22,6 @@ spec: securityContext: {{- toYaml .Values.controlplane.podSecurityContext | nindent 8 }} containers: - {{ if .Values.controlplane.sqlProxy.enabled }} - - name: cloud-sql-proxy - # It is recommended to use the latest version of the Cloud SQL proxy - # Make sure to update on a regular schedule! - image: gcr.io/cloudsql-docker/gce-proxy:1.28.0 # make sure the use the latest version - command: - - "/cloud_sql_proxy" - # If connecting from a VPC-native GKE cluster, you can use the - # following flag to have the proxy connect over private IP - # - "-ip_address_types=PRIVATE" - - # By default, the proxy will write all logs to stderr. In some - # environments, anything printed to stderr is consider an error. To - # disable this behavior and write all logs to stdout (except errors - # which will still go to stderr), use: - - "-log_debug_stdout" - - "-instances={{ .Values.controlplane.sqlProxy.connectionName }}=tcp:5432" - securityContext: - runAsNonRoot: true - resources: - {{- toYaml .Values.controlplane.sqlProxy.resources | nindent 12 }} - {{- end }} - name: migrate image: "{{ .Values.controlplane.migration.image.repository }}:{{ .Values.controlplane.migration.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.controlplane.image.pullPolicy }} diff --git a/deployment/chainloop/templates/controlplane/service_sql-proxy.yaml b/deployment/chainloop/templates/controlplane/service_sql-proxy.yaml new file mode 100644 index 000000000..16a7620ec --- /dev/null +++ b/deployment/chainloop/templates/controlplane/service_sql-proxy.yaml 
@@ -0,0 +1,17 @@
+{{ if .Values.controlplane.sqlProxy.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "chainloop.sql-proxy.fullname" . }}
+ labels:
+ {{- include "chainloop.sql-proxy.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: {{ .Values.controlplane.externalDatabase.port }}
+ targetPort: {{ .Values.controlplane.externalDatabase.port }}
+ protocol: TCP
+ name: tpc
+ selector:
+ {{- include "chainloop.sql-proxy.selectorLabels" . | nindent 4 }}
+{{- end }}
\ No newline at end of file
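Review bot: The Service takes both `port` and `targetPort` from `.Values.controlplane.externalDatabase.port`, but the proxy container listens on a fixed 5432 (`tcp:0.0.0.0:5432` in deployment_sqlproxy.yaml) and `controlplane.database.port` returns 5432 whenever sqlProxy is enabled. Any other value, or an unset one, leaves clients dialing a port the Service does not expose and a `targetPort` nothing listens on. Suggest `- port: 5432` with `targetPort: 5432`, or `{{ include "controlplane.database.port" . }}` for both so the three places cannot drift apart. The port name `tpc` looks like a typo for `tcp`.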