diff --git a/operator/zitadel/kinds/iam/zitadel/configuration/desired.go b/operator/zitadel/kinds/iam/zitadel/configuration/desired.go
index 41d4f3ac46..96fbd1a122 100644
--- a/operator/zitadel/kinds/iam/zitadel/configuration/desired.go
+++ b/operator/zitadel/kinds/iam/zitadel/configuration/desired.go
@@ -19,6 +19,7 @@ type Configuration struct {
 DNS *DNS `yaml:"dns"`
 ClusterDNS string `yaml:"clusterdns"`
 AssetStorage *AssetStorage `yaml:"assetStorage,omitempty"`
+ Proxy *Proxy `yaml:"proxy,omitempty"`
 }
 func (c *Configuration) Validate() (err error) {
@@ -142,3 +143,11 @@ type Cache struct {
 ShortMaxAge string `yaml:"shortMaxAge,omitempty"`
 ShortSharedMaxAge string `yaml:"shortSharedMaxAge,omitempty"`
 }
+
+type Proxy struct {
+ NoProxy []string `yaml:"noProxy,omitempty"`
+ HTTP *secret.Secret `yaml:"http,omitempty"`
+ HTTPS *secret.Secret `yaml:"https,omitempty"`
+ ExistingHTTP *secret.Existing `yaml:"existingHTTP,omitempty"`
+ ExistingHTTPS *secret.Existing `yaml:"existingHTTPS,omitempty"`
+}
diff --git a/operator/zitadel/kinds/iam/zitadel/configuration/literals.go b/operator/zitadel/kinds/iam/zitadel/configuration/literals.go
index b830348156..c2bc720197 100644
--- a/operator/zitadel/kinds/iam/zitadel/configuration/literals.go
+++ b/operator/zitadel/kinds/iam/zitadel/configuration/literals.go
@@ -111,6 +111,9 @@ func literalsConfigMap(
 literalsConfigMap["ZITADEL_ASSET_STORAGE_BUCKET_PREFIX"] = desired.AssetStorage.BucketPrefix
 literalsConfigMap["ZITADEL_ASSET_STORAGE_MULTI_DELETE"] = strconv.FormatBool(desired.AssetStorage.MultiDelete)
 }
+ if desired.Proxy != nil {
+ literalsConfigMap["NO_PROXY"] = strings.Join(desired.Proxy.NoProxy, ",")
+ }
 }
 sentryEnv, _, doIngest := mntr.Environment()
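Review bot: The exported `Proxy` type added in the desired.go hunk has no doc comment, and Configuration.Validate() (whose signature is visible in the first hunk, body outside it) gains no check for it, so a NoProxy entry containing a comma or surrounding whitespace is joined verbatim into `NO_PROXY` by the literals.go hunk (`strings.Join(desired.Proxy.NoProxy, ",")`) and silently changes the meaning of the list. I would document the type as `// Proxy configures outbound HTTP(S) proxying: HTTP/HTTPS hold the proxy URLs as secrets because they may embed credentials; NoProxy lists hosts and CIDRs that are written to NO_PROXY.` and reject NoProxy entries containing "," or whitespace in Validate, assuming Validate already walks the nested structs (I cannot see its body). The literals.go hunk also emits `NO_PROXY=""` for any non-nil Proxy with an empty list, which the updated tests pin; a one-line comment saying that is intended would save the next reader a question.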
@@ -197,6 +200,22 @@ func literalsSecretVars(k8sClient kubernetes.ClientInt, desired *Configuration)
 literalsSecretVars["ZITADEL_ASSET_STORAGE_SECRET_ACCESS_KEY"] = value
 }
 }
+ if desired.Proxy != nil {
+ if desired.Proxy.HTTP != nil || desired.Proxy.ExistingHTTP != nil {
+ value, err := read.GetSecretValue(k8sClient, desired.Proxy.HTTP, desired.Proxy.ExistingHTTP)
+ if err != nil {
+ return nil, err
+ }
+ literalsSecretVars["HTTP_PROXY"] = value
+ }
+ if desired.Proxy.HTTPS != nil || desired.Proxy.ExistingHTTPS != nil {
+ value, err := read.GetSecretValue(k8sClient, desired.Proxy.HTTPS, desired.Proxy.ExistingHTTPS)
+ if err != nil {
+ return nil, err
+ }
+ literalsSecretVars["HTTPS_PROXY"] = value
+ }
+ }
 _, dsns, doIngest := mntr.Environment()
 zitadelDsn := ""
diff --git a/operator/zitadel/kinds/iam/zitadel/configuration/literals_test.go b/operator/zitadel/kinds/iam/zitadel/configuration/literals_test.go
index a473b54565..ba87cd2ed6 100644
--- a/operator/zitadel/kinds/iam/zitadel/configuration/literals_test.go
+++ b/operator/zitadel/kinds/iam/zitadel/configuration/literals_test.go
@@ -80,6 +80,11 @@ var (
 Location: "",
 BucketPrefix: "",
 },
+ Proxy: &Proxy{
+ NoProxy: nil,
+ HTTP: &secret.Secret{Value: ""},
+ HTTPS: &secret.Secret{Value: ""},
+ },
 ClusterDNS: "",
 }
@@ -148,6 +153,14 @@ var (
 Location: "location",
 BucketPrefix: "bucketprefix",
 },
+ Proxy: &Proxy{
+ NoProxy: []string{
+ "test.com",
+ "10.0.0.0/16",
+ },
+ HTTP: &secret.Secret{Value: "http://username:passwor@proxy:80"},
+ HTTPS: &secret.Secret{Value: "https://username:passwor@proxy:443"},
+ },
 }
 desiredFullExisting = &Configuration{
 Tracing: &Tracing{
@@ -214,6 +227,14 @@ var (
 Location: "location",
 BucketPrefix: "bucketprefix",
 },
+ Proxy: &Proxy{
+ NoProxy: []string{
+ "test.com",
+ "10.0.0.0/16",
+ },
+ ExistingHTTP: &secret.Existing{"httpproxy", "httpproxy", "httpproxy"},
+ ExistingHTTPS: &secret.Existing{"httpsproxy", "httpsproxy", "httpsproxy"},
+ },
 }
 )
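Review bot: The resolved proxy value in the literals.go hunk is written to `HTTP_PROXY`/`HTTPS_PROXY` with no shape check, so a malformed secret only surfaces later inside the workload; a `url.Parse(value)` after each `read.GetSecretValue` call would reject it at reconcile time. Because these URLs carry credentials (the test fixtures embed `username:passwor@`), the error must not echo the value — `*url.Error` includes the URL in its message — so return a fixed text such as `errors.New("proxy.http is not a valid url")` instead of wrapping the parse error, importing `net/url` and `errors` if the file does not already. The two branches are identical apart from the key and the field pair; a small table iterated in a loop would remove the duplication. The enclosing function starts and ends outside the hunk.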
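Review bot: `secret.Existing{"httpproxy", "httpproxy", "httpproxy"}` in the desiredFullExisting hunk of literals_test.go is an unkeyed composite literal of a struct from another package, which `go vet`'s composites check reports and which hides what each of the three positions means (the type is defined outside this diff, so I am inferring only that they are distinct fields). Keyed fields would make the fixture readable and vet-clean; if the other Existing fixtures in this file already use the unkeyed form, a file-wide cleanup is better done as a separate change.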
@@ -295,6 +316,7 @@ func TestConfiguration_LiteralsConfigMap(t *testing.T) {
 "ZITADEL_ASSET_STORAGE_LOCATION": "",
 "ZITADEL_ASSET_STORAGE_BUCKET_PREFIX": "",
 "ZITADEL_ASSET_STORAGE_MULTI_DELETE": "false",
+ "NO_PROXY": "",
 "SENTRY_ENVIRONMENT": "",
 "SENTRY_USAGE": "false",
 }
@@ -382,6 +404,7 @@ func TestConfiguration_LiteralsConfigMapFull(t *testing.T) {
 "ZITADEL_ASSET_STORAGE_LOCATION": "location",
 "ZITADEL_ASSET_STORAGE_BUCKET_PREFIX": "bucketprefix",
 "ZITADEL_ASSET_STORAGE_MULTI_DELETE": "false",
+ "NO_PROXY": "test.com,10.0.0.0/16",
 "SENTRY_ENVIRONMENT": "",
 "SENTRY_USAGE": "false",
 }
@@ -463,6 +486,8 @@ func TestConfiguration_LiteralsSecretVars(t *testing.T) {
 "ZITADEL_TWILIO_SID": "",
 "ZITADEL_ASSET_STORAGE_ACCESS_KEY_ID": "",
 "ZITADEL_ASSET_STORAGE_SECRET_ACCESS_KEY": "",
+ "HTTPS_PROXY": "",
+ "HTTP_PROXY": "",
 "SENTRY_DSN": "",
 }
 literals, err := literalsSecretVars(client, desiredEmpty)
@@ -480,6 +505,8 @@ func TestConfiguration_LiteralsSecretVarsFull(t *testing.T) {
 "ZITADEL_TWILIO_SID": "sid",
 "ZITADEL_ASSET_STORAGE_ACCESS_KEY_ID": "accesskeyid",
 "ZITADEL_ASSET_STORAGE_SECRET_ACCESS_KEY": "secretaccesskey",
+ "HTTP_PROXY": "http://username:passwor@proxy:80",
+ "HTTPS_PROXY": "https://username:passwor@proxy:443",
 "SENTRY_DSN": "",
 }
 literals, err := literalsSecretVars(client, desiredFull)
@@ -497,6 +524,8 @@ func TestConfiguration_LiteralsSecretVarsExisting(t *testing.T) {
 sid := "sid"
 akid := "accesskeyid"
 sak := "secretaccesskey"
+ httpProxy := "http://username:passwor@proxy:80"
+ httpsProxy := "https://username:passwor@proxy:443"
 /* TODO: incomment!!!
 client.EXPECT().GetSecret(namespace, desiredFullExisting.Notifications.Email.ExistingAppKey.Name).Return(&corev1.Secret{
 StringData: map[string]string{
@@ -538,6 +567,8 @@ func TestConfiguration_LiteralsSecretVarsExisting(t *testing.T) {
 "ZITADEL_TWILIO_SID": sid,
 "ZITADEL_ASSET_STORAGE_ACCESS_KEY_ID": akid,
 "ZITADEL_ASSET_STORAGE_SECRET_ACCESS_KEY": sak,
+ "HTTP_PROXY": httpProxy,
+ "HTTPS_PROXY": httpsProxy,
 "SENTRY_DSN": "",
 }
 literals, err := literalsSecretVars(client, desiredFull)
diff --git a/operator/zitadel/kinds/iam/zitadel/secrets.go b/operator/zitadel/kinds/iam/zitadel/secrets.go
index 0f5b979642..5c551f4d9a 100644
--- a/operator/zitadel/kinds/iam/zitadel/secrets.go
+++ b/operator/zitadel/kinds/iam/zitadel/secrets.go
@@ -125,5 +125,28 @@ func getSecretsMap(desiredKind *DesiredV0) (
 secrets[secretKey] = conf.AssetStorage.SecretAccessKey
 existing[secretKey] = conf.AssetStorage.ExistingSecretAccessKey
+ if conf.Proxy == nil {
+ conf.Proxy = &configuration.Proxy{}
+ }
+ if conf.Proxy.HTTP == nil {
+ conf.Proxy.HTTP = &secret.Secret{}
+ }
+ if conf.Proxy.ExistingHTTP == nil {
+ conf.Proxy.ExistingHTTP = &secret.Existing{}
+ }
+ if conf.Proxy.HTTPS == nil {
+ conf.Proxy.HTTPS = &secret.Secret{}
+ }
+ if conf.Proxy.ExistingHTTPS == nil {
+ conf.Proxy.ExistingHTTPS = &secret.Existing{}
+ }
+ httpProxy := "httpproxy"
+ secrets[httpProxy] = conf.Proxy.HTTP
+ existing[httpProxy] = conf.Proxy.ExistingHTTP
+ httpsProxy := "httpsproxy"
+ secrets[httpsProxy] = conf.Proxy.HTTPS
+ existing[httpsProxy] = conf.Proxy.ExistingHTTPS
+
 return secrets, existing
 }
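Review bot: The new expectations `"HTTP_PROXY": httpProxy` and `"HTTPS_PROXY": httpsProxy` in TestConfiguration_LiteralsSecretVarsExisting are checked against `literalsSecretVars(client, desiredFull)` — the unchanged call on the hunk's last line — rather than `desiredFullExisting`, and the `client.EXPECT().GetSecret(...)` setup above sits inside a `/* TODO: incomment!!!` block, so the `ExistingHTTP`/`ExistingHTTPS` branch added to literalsSecretVars (presumably the path that reads an existing Kubernetes secret) gets no coverage from this change. The locals declared in the earlier hunk at line 497 therefore only duplicate the desiredFull fixture values. Switching the call to `desiredFullExisting` and adding GetSecret expectations for the `httpproxy`/`httpsproxy` secrets would actually exercise the new code; the test body continues outside both hunks.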
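Review bot: getSecretsMap now mutates the desired configuration in place — a nil `conf.Proxy` becomes an empty `configuration.Proxy{}` and all four secret pointers are filled with empty values — before registering them under the fixed keys `"httpproxy"`/`"httpsproxy"`. That mirrors how AssetStorage is dereferenced without a nil check just above, but if the same Configuration is later handed to literalsSecretVars, the `desired.Proxy.HTTP != nil || desired.Proxy.ExistingHTTP != nil` guards added there become always true and `read.GetSecretValue` runs with an empty Secret and an empty Existing on every reconcile; I cannot tell from this hunk whether the struct is shared. A comment on the nil-filling, along the lines of `// fill empty placeholders so every known secret key is present in both maps`, would make the intent explicit, and the two key literals should be shared with whatever reads these secrets elsewhere rather than retyped. The function starts outside the hunk.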