From 591c2a8763b8aac2ca0d9a21b727dfa79bc84575 Mon Sep 17 00:00:00 2001
From: "Jonathan Hess (he/him)" <103529393+hessjcg@users.noreply.github.com>
Date: Wed, 22 May 2024 13:48:01 -0600
Subject: [PATCH] feat: Add refresh strategy proxy configuration. Part of #597.
 (#598)

Adds operator configuration to allow users to set the --lazy-refresh on proxy containers.

Fixes #597
---
 docs/api.md                                | 195 ++++++++++++---------
 internal/api/v1/authproxyworkload_types.go |  17 +-
 internal/workload/podspec_updates.go       |   5 +
 internal/workload/podspec_updates_test.go  |   2 +
 4 files changed, 134 insertions(+), 85 deletions(-)

diff --git a/docs/api.md b/docs/api.md
index 500c4425..d42bf287 100644
--- a/docs/api.md
+++ b/docs/api.md
@@ -19,55 +19,66 @@ the custom resource AuthProxyWorkload version v1.
 
 
 
-AdminServerSpec specifies how to start the proxy's admin server: which port and whether to enable debugging or quitquitquit. It controls to the proxy's --admin-port, --debug, and --quitquitquit CLI flags.
+AdminServerSpec specifies how to start the proxy's admin server:
+which port and whether to enable debugging or quitquitquit. It controls
+to the proxy's --admin-port, --debug, and --quitquitquit CLI flags.
+
+
 
 _Appears in:_
 - [AuthProxyContainerSpec](#authproxycontainerspec)
 
-| Field | Description |
-| --- | --- |
-| `port` _integer_ | Port the port for the proxy's localhost-only admin server. This sets the proxy container's CLI argument `--admin-port` |
-| `enableAPIs` _string array_ | EnableAPIs specifies the list of admin APIs to enable. At least one API must be enabled. Possible values: - "Debug" will enable pprof debugging by setting the `--debug` cli flag. - "QuitQuitQuit" will enable pprof debugging by setting the `--quitquitquit` cli flag. |
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `port` _integer_ | Port the port for the proxy's localhost-only admin server.<br />This sets the proxy container's CLI argument `--admin-port` |  | Minimum: 1 <br /> |
+| `enableAPIs` _string array_ | EnableAPIs specifies the list of admin APIs to enable. At least one<br />API must be enabled. Possible values:<br />- "Debug" will enable pprof debugging by setting the `--debug` cli flag.<br />- "QuitQuitQuit" will enable pprof debugging by setting the `--quitquitquit`<br />  cli flag. |  | MinItems: 1 <br /> |
 
 
 #### AuthProxyContainerSpec
 
 
 
-AuthProxyContainerSpec describes how to configure global proxy configuration and kubernetes-specific container configuration.
+AuthProxyContainerSpec describes how to configure global proxy configuration and
+kubernetes-specific container configuration.
+
+
 
 _Appears in:_
 - [AuthProxyWorkloadSpec](#authproxyworkloadspec)
 
-| Field | Description |
-| --- | --- |
-| `container` _[Container](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core)_ | Container is debugging parameter that when specified will override the proxy container with a completely custom Container spec. |
-| `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#resourcerequirements-v1-core)_ | Resources specifies the resources required for the proxy pod. |
-| `telemetry` _[TelemetrySpec](#telemetryspec)_ | Telemetry specifies how the proxy should expose telemetry. Optional, by default |
-| `adminServer` _[AdminServerSpec](#adminserverspec)_ | AdminServer specifies the config for the proxy's admin service which is available to other containers in the same pod. |
-| `authentication` _[AuthenticationSpec](#authenticationspec)_ | Authentication specifies the config for how the proxy authenticates itself to the Google Cloud API. |
-| `maxConnections` _integer_ | MaxConnections limits the number of connections. Default value is no limit. This sets the proxy container's CLI argument `--max-connections` |
-| `maxSigtermDelay` _integer_ | MaxSigtermDelay is the maximum number of seconds to wait for connections to close after receiving a TERM signal. This sets the proxy container's CLI argument `--max-sigterm-delay` and configures `terminationGracePeriodSeconds` on the workload's PodSpec. |
-| `sqlAdminAPIEndpoint` _string_ | SQLAdminAPIEndpoint is a debugging parameter that when specified will change the Google Cloud api endpoint used by the proxy. |
-| `image` _string_ | Image is the URL to the proxy image. Optional, by default the operator will use the latest Cloud SQL Auth Proxy version as of the release of the operator. <br /><br /> The operator ensures that all workloads configured with the default proxy image are upgraded automatically to use to the latest released proxy image. <br /><br /> When the customer upgrades the operator, the operator upgrades all workloads using the default proxy image to the latest proxy image. The change to the proxy container image is applied in accordance with the RolloutStrategy. |
-| `rolloutStrategy` _string_ | RolloutStrategy indicates the strategy to use when rolling out changes to the workloads affected by the results. When this is set to `Workload`, changes to this resource will be automatically applied to a running Deployment, StatefulSet, DaemonSet, or ReplicaSet in accordance with the Strategy set on that workload. When this is set to `None`, the operator will take no action to roll out changes to affected workloads. `Workload` will be used by default if no value is set. See: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
-| `quiet` _boolean_ | Quiet configures the proxy's --quiet flag to limit the amount of logging generated by the proxy container. |
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `container` _[Container](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core)_ | Container is debugging parameter that when specified will override the<br />proxy container with a completely custom Container spec. |  | Optional: {} <br /> |
+| `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#resourcerequirements-v1-core)_ | Resources specifies the resources required for the proxy pod. |  | Optional: {} <br /> |
+| `telemetry` _[TelemetrySpec](#telemetryspec)_ | Telemetry specifies how the proxy should expose telemetry.<br />Optional, by default |  | Optional: {} <br /> |
+| `adminServer` _[AdminServerSpec](#adminserverspec)_ | AdminServer specifies the config for the proxy's admin service which is<br />available to other containers in the same pod. |  |  |
+| `authentication` _[AuthenticationSpec](#authenticationspec)_ | Authentication specifies the config for how the proxy authenticates itself<br />to the Google Cloud API. |  |  |
+| `maxConnections` _integer_ | MaxConnections limits the number of connections. Default value is no limit.<br />This sets the proxy container's CLI argument `--max-connections` |  | Minimum: 0 <br />Optional: {} <br /> |
+| `maxSigtermDelay` _integer_ | MaxSigtermDelay is the maximum number of seconds to wait for connections to<br />close after receiving a TERM signal. This sets the proxy container's<br />CLI argument `--max-sigterm-delay` and<br />configures `terminationGracePeriodSeconds` on the workload's PodSpec. |  | Minimum: 0 <br />Optional: {} <br /> |
+| `sqlAdminAPIEndpoint` _string_ | SQLAdminAPIEndpoint is a debugging parameter that when specified will<br />change the Google Cloud api endpoint used by the proxy. |  | Optional: {} <br /> |
+| `image` _string_ | Image is the URL to the proxy image. Optional, by default the operator<br />will use the latest Cloud SQL Auth Proxy version as of the release of the<br />operator.<br /><br />The operator ensures that all workloads configured with the default proxy<br />image are upgraded automatically to use to the latest released proxy image.<br /><br />When the customer upgrades the operator, the operator upgrades all<br />workloads using the default proxy image to the latest proxy image. The<br />change to the proxy container image is applied in accordance with<br />the RolloutStrategy. |  | Optional: {} <br /> |
+| `rolloutStrategy` _string_ | RolloutStrategy indicates the strategy to use when rolling out changes to<br />the workloads affected by the results. When this is set to<br />`Workload`, changes to this resource will be automatically applied<br />to a running Deployment, StatefulSet, DaemonSet, or ReplicaSet in<br />accordance with the Strategy set on that workload. When this is set to<br />`None`, the operator will take no action to roll out changes to affected<br />workloads. `Workload` will be used by default if no value is set.<br />See: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | Workload | Enum: [Workload None] <br />Optional: {} <br /> |
+| `refreshStrategy` _string_ | RefreshStrategy indicates which refresh strategy the proxy should use.<br />When this is set to `lazy`, the proxy will use a lazy refresh strategy,<br />and will be configured to run with the --lazy-refresh flag. When this<br />omitted or set to `background`, the proxy will use the default background<br />refresh strategy.<br />See: https://github.com/GoogleCloudPlatform/cloud-sql-proxy/?tab=readme-ov-file#configuring-a-lazy-refresh | background | Enum: [lazy background] <br />Optional: {} <br /> |
+| `quiet` _boolean_ | Quiet configures the proxy's --quiet flag to limit the amount of<br />logging generated by the proxy container. |  |  |
 
 
 #### AuthProxyWorkload
 
 
 
-AuthProxyWorkload declares how a Cloud SQL Proxy container should be applied to a matching set of workloads, and shows the status of those proxy containers.
+AuthProxyWorkload declares how a Cloud SQL Proxy container should be applied
+to a matching set of workloads, and shows the status of those proxy containers.
 
 
 
-| Field | Description |
-| --- | --- |
-| `apiVersion` _string_ | `cloudsql.cloud.google.com/v1`
-| `kind` _string_ | `AuthProxyWorkload`
-| `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. |
-| `spec` _[AuthProxyWorkloadSpec](#authproxyworkloadspec)_ |  |
+
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `apiVersion` _string_ | `cloudsql.cloud.google.com/v1` | | |
+| `kind` _string_ | `AuthProxyWorkload` | | |
+| `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. |  |  |
+| `spec` _[AuthProxyWorkloadSpec](#authproxyworkloadspec)_ |  |  |  |
 
 
 #### AuthProxyWorkloadSpec
@@ -76,54 +87,80 @@ AuthProxyWorkload declares how a Cloud SQL Proxy container should be applied to
 
 AuthProxyWorkloadSpec describes where and how to configure the proxy.
 
+
+
 _Appears in:_
 - [AuthProxyWorkload](#authproxyworkload)
 
-| Field | Description |
-| --- | --- |
-| `workloadSelector` _[WorkloadSelectorSpec](#workloadselectorspec)_ | Workload selects the workload where the proxy container will be added. |
-| `instances` _[InstanceSpec](#instancespec) array_ | Instances describes the Cloud SQL instances to configure on the proxy container. |
-| `authProxyContainer` _[AuthProxyContainerSpec](#authproxycontainerspec)_ | AuthProxyContainer describes the resources and config for the Auth Proxy container. |
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `workloadSelector` _[WorkloadSelectorSpec](#workloadselectorspec)_ | Workload selects the workload where the proxy container will be added. |  | Required: {} <br /> |
+| `instances` _[InstanceSpec](#instancespec) array_ | Instances describes the Cloud SQL instances to configure on the proxy container. |  | MinItems: 1 <br />Required: {} <br /> |
+| `authProxyContainer` _[AuthProxyContainerSpec](#authproxycontainerspec)_ | AuthProxyContainer describes the resources and config for the Auth Proxy container. |  | Optional: {} <br /> |
 
 
 #### AuthenticationSpec
 
 
 
-AuthenticationSpec specifies how the proxy is authenticated with the Google Cloud SQL Admin API. This configures proxy's --impersonate-service-account flag.
+AuthenticationSpec specifies how the proxy is authenticated with the
+Google Cloud SQL Admin API. This configures proxy's
+--impersonate-service-account flag.
+
+
 
 _Appears in:_
 - [AuthProxyContainerSpec](#authproxycontainerspec)
 
-| Field | Description |
-| --- | --- |
-| `impersonationChain` _string array_ | ImpersonationChain is a list of one or more service accounts. The first entry in the chain is the impersonation target. Any additional service accounts after the target are delegates. The roles/iam.serviceAccountTokenCreator must be configured for each account that will be impersonated. This sets the --impersonate-service-account flag on the proxy. |
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `impersonationChain` _string array_ | ImpersonationChain is a list of one or more service<br />accounts. The first entry in the chain is the impersonation target. Any<br />additional service accounts after the target are delegates. The<br />roles/iam.serviceAccountTokenCreator must be configured for each account<br />that will be impersonated. This sets the --impersonate-service-account<br />flag on the proxy. |  |  |
 
 
 #### InstanceSpec
 
 
 
-InstanceSpec describes the configuration for how the proxy should expose a Cloud SQL database instance to a workload. 
- In the minimum recommended configuration, the operator will choose a non-conflicting TCP port and set environment variables MY_DB_SERVER_PORT MY_DB_SERVER_HOST with the value of the TCP port and hostname. The application can read these values to connect to the database through the proxy. For example: 
- `{ "connectionString":"my-project:us-central1:my-db-server", "portEnvName":"MY_DB_SERVER_PORT" "hostEnvName":"MY_DB_SERVER_HOST" }` 
- If you want to assign a specific port number for a database, set the `port` field. For example: 
- `{ "connectionString":"my-project:us-central1:my-db-server", "port":5000 }`
+InstanceSpec describes the configuration for how the proxy should expose
+a Cloud SQL database instance to a workload.
+
+
+In the minimum recommended configuration, the operator will choose
+a non-conflicting TCP port and set environment
+variables MY_DB_SERVER_PORT MY_DB_SERVER_HOST with the value of the TCP port
+and hostname. The application can read these values to connect to the database
+through the proxy. For example:
+
+
+	`{
+			   "connectionString":"my-project:us-central1:my-db-server",
+			   "portEnvName":"MY_DB_SERVER_PORT"
+			   "hostEnvName":"MY_DB_SERVER_HOST"
+	}`
+
+
+If you want to assign a specific port number for a database, set the `port`
+field. For example:
+
+
+	`{ "connectionString":"my-project:us-central1:my-db-server", "port":5000 }`
+
+
 
 _Appears in:_
 - [AuthProxyWorkloadSpec](#authproxyworkloadspec)
 
-| Field | Description |
-| --- | --- |
-| `connectionString` _string_ | ConnectionString is the connection string for the Cloud SQL Instance in the format `project_id:region:instance_name` |
-| `port` _integer_ | Port (optional) sets the tcp port for this instance. If not set, a value will be automatically assigned by the operator and set as an environment variable on all containers in the workload named according to PortEnvName. The operator will choose a port so that it does not conflict with other ports on the workload. |
-| `autoIAMAuthN` _boolean_ | AutoIAMAuthN (optional) Enables IAM Authentication for this instance. Default value is false. |
-| `privateIP` _boolean_ | PrivateIP (optional) Enable connection to the Cloud SQL instance's private ip for this instance. Default value is false. |
-| `psc` _boolean_ | PSC (optional) Enable connection to the Cloud SQL instance's private service connect endpoint. May not be used with PrivateIP. Default value is false. |
-| `portEnvName` _string_ | PortEnvName is name of the environment variable containing this instance's tcp port. Optional, when set this environment variable will be added to all containers in the workload. |
-| `hostEnvName` _string_ | HostEnvName The name of the environment variable containing this instances tcp hostname Optional, when set this environment variable will be added to all containers in the workload. |
-| `unixSocketPath` _string_ | UnixSocketPath is the path to the unix socket where the proxy will listen for connnections. This will be mounted to all containers in the pod. |
-| `unixSocketPathEnvName` _string_ | UnixSocketPathEnvName is the environment variable containing the value of UnixSocketPath. |
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `connectionString` _string_ | ConnectionString is the connection string for the Cloud SQL Instance<br />in the format `project_id:region:instance_name` |  | Pattern: `^([^:]+(:[^:]+)?):([^:]+):([^:]+)$` <br />Required: {} <br /> |
+| `port` _integer_ | Port (optional) sets the tcp port for this instance. If not set, a value will<br />be automatically assigned by the operator and set as an environment variable<br />on all containers in the workload named according to PortEnvName. The operator will choose<br />a port so that it does not conflict with other ports on the workload. |  | Minimum: 1 <br />Optional: {} <br /> |
+| `autoIAMAuthN` _boolean_ | AutoIAMAuthN (optional) Enables IAM Authentication for this instance.<br />Default value is false. |  | Optional: {} <br /> |
+| `privateIP` _boolean_ | PrivateIP (optional) Enable connection to the Cloud SQL instance's private ip for this instance.<br />Default value is false. |  | Optional: {} <br /> |
+| `psc` _boolean_ | PSC (optional) Enable connection to the Cloud SQL instance's private<br />service connect endpoint. May not be used with PrivateIP.<br />Default value is false. |  | Optional: {} <br /> |
+| `portEnvName` _string_ | PortEnvName is name of the environment variable containing this instance's tcp port.<br />Optional, when set this environment variable will be added to all containers in the workload. |  | Optional: {} <br /> |
+| `hostEnvName` _string_ | HostEnvName The name of the environment variable containing this instances tcp hostname<br />Optional, when set this environment variable will be added to all containers in the workload. |  | Optional: {} <br /> |
+| `unixSocketPath` _string_ | UnixSocketPath is the path to the unix socket where the proxy will listen<br />for connnections. This will be mounted to all containers in the pod. |  | Optional: {} <br /> |
+| `unixSocketPathEnvName` _string_ | UnixSocketPathEnvName is the environment variable containing the value of<br />UnixSocketPath. |  | Optional: {} <br /> |
 
 
 #### TelemetrySpec
@@ -132,53 +169,43 @@ _Appears in:_
 
 TelemetrySpec specifies how the proxy container will expose telemetry.
 
+
+
 _Appears in:_
 - [AuthProxyContainerSpec](#authproxycontainerspec)
 
-| Field | Description |
-| --- | --- |
-| `quotaProject` _string_ | QuotaProject Specifies the project to use for Cloud SQL Admin API quota tracking. The IAM principal must have the "serviceusage.services.use" permission for the given project. See https://cloud.google.com/service-usage/docs/overview and https://cloud.google.com/storage/docs/requester-pays This sets the proxy container's CLI argument `--quota-project` |
-| `prometheus` _boolean_ | Prometheus Enables Prometheus HTTP endpoint /metrics on localhost This sets the proxy container's CLI argument `--prometheus` |
-| `prometheusNamespace` _string_ | PrometheusNamespace is used the provided Prometheus namespace for metrics This sets the proxy container's CLI argument `--prometheus-namespace` |
-| `telemetryProject` _string_ | TelemetryProject enables Cloud Monitoring and Cloud Trace with the provided project ID. This sets the proxy container's CLI argument `--telemetry-project` |
-| `telemetryPrefix` _string_ | TelemetryPrefix is the prefix for Cloud Monitoring metrics. This sets the proxy container's CLI argument `--telemetry-prefix` |
-| `telemetrySampleRate` _[int](#int)_ | TelemetrySampleRate is the Cloud Trace sample rate. A smaller number means more traces. This sets the proxy container's CLI argument `--telemetry-sample-rate` |
-| `httpPort` _integer_ | HTTPPort the port for Prometheus and health check server. This sets the proxy container's CLI argument `--http-port` |
-| `disableTraces` _boolean_ | DisableTraces disables Cloud Trace testintegration (used with telemetryProject) This sets the proxy container's CLI argument `--disable-traces` |
-| `disableMetrics` _boolean_ | DisableMetrics disables Cloud Monitoring testintegration (used with telemetryProject) This sets the proxy container's CLI argument `--disable-metrics` |
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `quotaProject` _string_ | QuotaProject Specifies the project to use for Cloud SQL Admin API quota tracking.<br />The IAM principal must have the "serviceusage.services.use" permission<br />for the given project. See https://cloud.google.com/service-usage/docs/overview and<br />https://cloud.google.com/storage/docs/requester-pays<br />This sets the proxy container's CLI argument `--quota-project` |  | Optional: {} <br /> |
+| `prometheus` _boolean_ | Prometheus Enables Prometheus HTTP endpoint /metrics on localhost<br />This sets the proxy container's CLI argument `--prometheus` |  | Optional: {} <br /> |
+| `prometheusNamespace` _string_ | PrometheusNamespace is used the provided Prometheus namespace for metrics<br />This sets the proxy container's CLI argument `--prometheus-namespace` |  | Optional: {} <br /> |
+| `telemetryProject` _string_ | TelemetryProject enables Cloud Monitoring and Cloud Trace with the provided project ID.<br />This sets the proxy container's CLI argument `--telemetry-project` |  | Optional: {} <br /> |
+| `telemetryPrefix` _string_ | TelemetryPrefix is the prefix for Cloud Monitoring metrics.<br />This sets the proxy container's CLI argument `--telemetry-prefix` |  | Optional: {} <br /> |
+| `telemetrySampleRate` _integer_ | TelemetrySampleRate is the Cloud Trace sample rate. A smaller number means more traces.<br />This sets the proxy container's CLI argument `--telemetry-sample-rate` |  | Optional: {} <br /> |
+| `httpPort` _integer_ | HTTPPort the port for Prometheus and health check server.<br />This sets the proxy container's CLI argument `--http-port` |  | Optional: {} <br /> |
+| `disableTraces` _boolean_ | DisableTraces disables Cloud Trace testintegration (used with telemetryProject)<br />This sets the proxy container's CLI argument `--disable-traces` |  | Optional: {} <br /> |
+| `disableMetrics` _boolean_ | DisableMetrics disables Cloud Monitoring testintegration (used with telemetryProject)<br />This sets the proxy container's CLI argument `--disable-metrics` |  | Optional: {} <br /> |
 
 
 #### WorkloadSelectorSpec
 
 
 
-WorkloadSelectorSpec describes which workloads should be configured with this proxy configuration. To be valid, WorkloadSelectorSpec must specify `kind` and either `name` or `selector`.
-
-_Appears in:_
-- [AuthProxyWorkloadSpec](#authproxyworkloadspec)
-
-| Field | Description |
-| --- | --- |
-| `selector` _[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta)_ | Selector (optional) selects resources using labels. See "Label selectors" in the kubernetes docs https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors |
-| `kind` _string_ | Kind specifies what kind of workload Supported kinds: Deployment, StatefulSet, Pod, ReplicaSet,DaemonSet, Job, CronJob Example: "Deployment" "Deployment.v1" or "Deployment.v1.apps". |
-| `name` _string_ | Name specifies the name of the resource to select. |
+WorkloadSelectorSpec describes which workloads should be configured with this
+proxy configuration. To be valid, WorkloadSelectorSpec must specify `kind`
+and either `name` or `selector`.
 
 
-#### WorkloadStatus
 
+_Appears in:_
+- [AuthProxyWorkloadSpec](#authproxyworkloadspec)
 
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `selector` _[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta)_ | Selector (optional) selects resources using labels. See "Label selectors" in the kubernetes docs<br />https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors |  | Optional: {} <br /> |
+| `kind` _string_ | Kind specifies what kind of workload<br />Supported kinds: Deployment, StatefulSet, Pod, ReplicaSet,DaemonSet, Job, CronJob<br />Example: "Deployment" "Deployment.v1" or "Deployment.v1.apps". |  | Pattern: `\w+(\.\w+)*` <br />Required: {} <br /> |
+| `name` _string_ | Name specifies the name of the resource to select. |  | Optional: {} <br /> |
 
-WorkloadStatus presents the status for how this AuthProxyWorkload resource was applied to a specific workload.
 
-_Appears in:_
-- [AuthProxyWorkloadStatus](#authproxyworkloadstatus)
-
-| Field | Description |
-| --- | --- |
-| `kind` _string_ | Kind Version Namespace Name identify the specific workload. |
-| `version` _string_ |  |
-| `namespace` _string_ |  |
-| `name` _string_ |  |
-| `conditions` _[Condition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#condition-v1-meta) array_ | Conditions show the status of the AuthProxyWorkload resource on this matching workload. <br /><br /> The "UpToDate" condition indicates that the proxy was successfully applied to all matching workloads. See ConditionUpToDate. |
 
 
diff --git a/internal/api/v1/authproxyworkload_types.go b/internal/api/v1/authproxyworkload_types.go
index 7a7f975f..b288fec9 100644
--- a/internal/api/v1/authproxyworkload_types.go
+++ b/internal/api/v1/authproxyworkload_types.go
@@ -70,10 +70,14 @@ const (
 	// See: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
 	WorkloadStrategy = "Workload"
 
-	// NoneStrategy is the RolloutStrategy value that indicates that the.
+	// NoneStrategy is the RolloutStrategy value that indicates that
 	// when the AuthProxyWorkload is updated or deleted, no action should be taken
 	// by the operator to update the affected workloads.
 	NoneStrategy = "None"
+
+	// RefreshStrategyLazy is the RefreshStrategy value indicating that the
+	// proxy should be configured with the --lazy-refresh flag.
+	RefreshStrategyLazy = "lazy"
 )
 
 // AuthProxyWorkload declares how a Cloud SQL Proxy container should be applied
@@ -210,6 +214,17 @@ type AuthProxyContainerSpec struct {
 	//+kubebuilder:default=Workload
 	RolloutStrategy string `json:"rolloutStrategy,omitempty"`
 
+	// RefreshStrategy indicates which refresh strategy the proxy should use.
+	// When this is set to `lazy`, the proxy will use a lazy refresh strategy,
+	// and will be configured to run with the --lazy-refresh flag. When this
+	// omitted or set to `background`, the proxy will use the default background
+	// refresh strategy.
+	// See: https://github.com/GoogleCloudPlatform/cloud-sql-proxy/?tab=readme-ov-file#configuring-a-lazy-refresh
+	//+kubebuilder:validation:Optional
+	//+kubebuilder:validation:Enum=lazy;background
+	//+kubebuilder:default=background
+	RefreshStrategy string `json:"refreshStrategy,omitempty"`
+
 	// Quiet configures the proxy's --quiet flag to limit the amount of
 	// logging generated by the proxy container.
 	Quiet bool `json:"quiet,omitempty"`
diff --git a/internal/workload/podspec_updates.go b/internal/workload/podspec_updates.go
index 99c52ca8..ac8acdb6 100644
--- a/internal/workload/podspec_updates.go
+++ b/internal/workload/podspec_updates.go
@@ -604,6 +604,11 @@ func (s *updateState) updateContainer(p *cloudsqlapi.AuthProxyWorkload, c *corev
 		s.addProxyContainerEnvVar(p, "CSQL_PROXY_QUIET", "true")
 	}
 
+	// configure lazy refresh
+	if p.Spec.AuthProxyContainer != nil && p.Spec.AuthProxyContainer.RefreshStrategy == cloudsqlapi.RefreshStrategyLazy {
+		s.addProxyContainerEnvVar(p, "CSQL_PROXY_LAZY_REFRESH", "true")
+	}
+
 	c.Name = ContainerName(p)
 	c.ImagePullPolicy = "IfNotPresent"
 
diff --git a/internal/workload/podspec_updates_test.go b/internal/workload/podspec_updates_test.go
index 64a02ba3..495b4684 100644
--- a/internal/workload/podspec_updates_test.go
+++ b/internal/workload/podspec_updates_test.go
@@ -670,6 +670,7 @@ func TestProxyCLIArgs(t *testing.T) {
 					MaxConnections:  ptr(int64(10)),
 					MaxSigtermDelay: ptr(int64(20)),
 					Quiet:           true,
+					RefreshStrategy: "lazy",
 				},
 				Instances: []cloudsqlapi.InstanceSpec{{
 					ConnectionString: "hello:world:one",
@@ -699,6 +700,7 @@ func TestProxyCLIArgs(t *testing.T) {
 				"CSQL_PROXY_IMPERSONATE_SERVICE_ACCOUNT": "sv1@developer.gserviceaccount.com,sv2@developer.gserviceaccount.com",
 				"CSQL_PROXY_QUIET":                       "true",
 				"CSQL_PROXY_STRUCTURED_LOGS":             "true",
+				"CSQL_PROXY_LAZY_REFRESH":                "true",
 			},
 		},
 		{