From 53ffb5a04135579148f45dc75915c7149a437861 Mon Sep 17 00:00:00 2001
From: OdooSky v3 <m@havari.me>
Date: Tue, 5 May 2026 12:01:16 +0200
Subject: [PATCH] =?UTF-8?q?fix(ingress):=20add=20HTTP=E2=86=92HTTPS=20redi?=
 =?UTF-8?q?rect=20IngressRoute=20so=20bare-hostname=20http://=20stops=2040?=
 =?UTF-8?q?4ing?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 templates/ingressroute.yaml | 38 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

diff --git a/templates/ingressroute.yaml b/templates/ingressroute.yaml
index e50313c..7e42738 100644
--- a/templates/ingressroute.yaml
+++ b/templates/ingressroute.yaml
@@ -7,7 +7,7 @@ TLS source resolution:
   - Otherwise (multi-domain tenants deploying on a domain outside their
     wildcard zone, e.g. `app.havari.me` when wildcard is
     `*.tenants.4th.online`), cert-manager issues a per-host
-    Let's Encrypt cert via HTTP-01. The IngressRoute references that
+    Let's Encrypt cert via DNS-01. The IngressRoute references that
     cert's Secret instead.
 
 This logic lives at template render time so a single chart serves both
@@ -41,6 +41,42 @@ spec:
     - {{ .Values.instance.domain }}
 {{- end }}
 ---
+# HTTP → HTTPS redirect. Browsers default a bare hostname to http://,
+# but the only entrypoint serving Odoo is `websecure` — without this
+# route plain-http requests fall through to Traefik's default backend
+# and the user sees Traefik's "404 page not found" even though the
+# instance is fully up. The Middleware lives in this same chart so a
+# legacy cluster without a global redirect-to-https middleware works
+# the same as a fresh one.
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: {{ include "instance.fullname" . }}-redirect-https
+  labels:
+    {{- include "instance.labels" . | nindent 4 }}
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: {{ include "instance.fullname" . }}-http
+  labels:
+    {{- include "instance.labels" . | nindent 4 }}
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`{{ .Values.instance.domain }}`)
+      kind: Rule
+      middlewares:
+        - name: {{ include "instance.fullname" . }}-redirect-https
+      services:
+        - name: {{ include "instance.fullname" . }}-odoo
+          port: 8069
+---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata: