diff --git a/templates/ingressroute.yaml b/templates/ingressroute.yaml
index 567ac78..a6504fd 100644
--- a/templates/ingressroute.yaml
+++ b/templates/ingressroute.yaml
@@ -63,8 +63,18 @@ spec:
 # bounded retry budget so transient Pod-not-ready windows
 # during an Odoo restart don't surface as Traefik's default
 # 404 to the customer. TLS-related fields below are unchanged.
+ #
+ # Gated on `.Values.ingress.useTenantsDefaults` so a cluster
+ # running with `traefik.enabled=false` in cluster-platform-v3
+ # (the Middleware would never be created) doesn't break every
+ # instance sync with "Middleware tenants-default-retry not
+ # found". Default true matches the standard platform shape;
+ # operators flip it to false only when running an externally-
+ # managed Traefik that doesn't carry our tenants-default-* set.
+ {{- if .Values.ingress.useTenantsDefaults | default true }}
 middlewares:
 - name: tenants-default-retry
+ {{- end }}
 services:
 - name: {{ include "instance.fullname" . }}-odoo
 port: 8069
diff --git a/values.yaml b/values.yaml
index 03c8973..52eaf36 100644
--- a/values.yaml
+++ b/values.yaml
@@ -153,3 +153,12 @@ ingress:
 # See infrastructure/cluster/wildcard-cert.yaml for the
 # provisioning manifest.
 tlsSecret: tenants-wildcard-tls
+ # useTenantsDefaults — when true, the IngressRoute references the
+ # cluster-level `tenants-default-retry` Middleware (rendered by the
+ # cluster-platform-v3 chart in the same `tenants` namespace).
+ # Default true matches the standard platform shape; flip to false
+ # only when running on a cluster whose Traefik install isn't
+ # paired with the platform's defaults Middleware set (e.g. an
+ # externally-managed Traefik, or cluster-platform-v3's
+ # `traefik.enabled` is false). Audit B.11.
+ useTenantsDefaults: true
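Review bot: The gate `{{- if .Values.ingress.useTenantsDefaults | default true }}` in templates/ingressroute.yaml can never evaluate to false, because Sprig's `default` treats a boolean `false` as empty and substitutes `true`. Setting `useTenantsDefaults: false` therefore still renders the `middlewares:` reference, and the "Middleware tenants-default-retry not found" sync failure the comment describes would remain. Since values.yaml in this same commit already sets the key to `true`, the simplest fix is `{{- if .Values.ingress.useTenantsDefaults }}`. If releases upgraded with `--reuse-values` (where the new key may be absent) must keep the middleware, a nil-safe form such as `{{- if ne (toString .Values.ingress.useTenantsDefaults) "false" }}` preserves the default-on behaviour. The enclosing route entry starts above the hunk, so the rendered output should be checked with `helm template` for both values of the flag.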