diff --git a/templates/ingressroute.yaml b/templates/ingressroute.yaml
index e50313c..7e42738 100644
--- a/templates/ingressroute.yaml
+++ b/templates/ingressroute.yaml
@@ -7,7 +7,7 @@ TLS source resolution:
 - Otherwise (multi-domain tenants deploying on a domain outside their wildcard zone, e.g. `app.havari.me` when wildcard is `*.tenants.4th.online`), cert-manager issues a per-host
- Let's Encrypt cert via HTTP-01. The IngressRoute references that
+ Let's Encrypt cert via DNS-01. The IngressRoute references that
 cert's Secret instead. This logic lives at template render time so a single chart serves both
@@ -41,6 +41,42 @@ spec:
 - {{ .Values.instance.domain }}
 {{- end }}
 ---
+# HTTP → HTTPS redirect. Browsers default a bare hostname to http://,
+# but the only entrypoint serving Odoo is `websecure` — without this
+# route plain-http requests fall through to Traefik's default backend
+# and the user sees Traefik's "404 page not found" even though the
+# instance is fully up. The Middleware lives in this same chart so a
+# legacy cluster without a global redirect-to-https middleware works
+# the same as a fresh one.
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ include "instance.fullname" . }}-redirect-https
+ labels:
+ {{- include "instance.labels" . | nindent 4 }}
+spec:
+ redirectScheme:
+ scheme: https
+ permanent: true
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: {{ include "instance.fullname" . }}-http
+ labels:
+ {{- include "instance.labels" . | nindent 4 }}
+spec:
+ entryPoints:
+ - web
+ routes:
+ - match: Host(`{{ .Values.instance.domain }}`)
+ kind: Rule
+ middlewares:
+ - name: {{ include "instance.fullname" . }}-redirect-https
+ services:
+ - name: {{ include "instance.fullname" . }}-odoo
+ port: 8069
+---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
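Review bot: The new `-http` IngressRoute on the `web` entrypoint names `{{ include "instance.fullname" . }}-odoo` port 8069 as its service, so the only thing keeping cleartext requests from being proxied to Odoo is the redirect middleware staying attached to the route. Pointing the route at Traefik's built-in no-op service instead, `- name: noop@internal` with `kind: TraefikService`, would make it redirect-only by construction; confirm the deployed Traefik version accepts that reference from an IngressRoute. Separately, the 301 is only returned after the browser has already sent one plain-http request, so if the `websecure` route (its spec lies outside this hunk) does not already send a `Strict-Transport-Security` header, adding one there would cover returning clients.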