diff --git a/charts/lunarfront/templates/ingress.yaml b/charts/lunarfront/templates/ingress.yaml
index 93edc68..ab130f5 100644
--- a/charts/lunarfront/templates/ingress.yaml
+++ b/charts/lunarfront/templates/ingress.yaml
@@ -4,13 +4,14 @@ metadata:
   name: lunarfront
   namespace: {{ .Values.customer.name }}
   annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
+    # Cloudflare proxies TLS to the browser — origin cert handles CF → cluster
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
 spec:
   ingressClassName: nginx
   tls:
     - hosts:
         - {{ .Values.customer.domain }}
-      secretName: lunarfront-tls
+      secretName: {{ .Values.cloudflare.originCertSecret }}
   rules:
     - host: {{ .Values.customer.domain }}
       http:
diff --git a/charts/lunarfront/values.yaml b/charts/lunarfront/values.yaml
index 3459ba6..44f4876 100644
--- a/charts/lunarfront/values.yaml
+++ b/charts/lunarfront/values.yaml
@@ -37,6 +37,11 @@ auth:
 storage:
   secretName: lunarfront-storage-secret
+# Cloudflare origin cert — installed once as a cluster-wide secret
+# See: https://developers.cloudflare.com/ssl/origin-configuration/origin-ca
+cloudflare:
+  originCertSecret: cloudflare-origin-cert
+
 replicaCount: 1
 resources:
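Review bot: The Ingress is rendered into namespace `{{ .Values.customer.name }}`, yet the new `secretName: {{ .Values.cloudflare.originCertSecret }}` points at a secret the values.yaml comment describes as "installed once as a cluster-wide secret"; Kubernetes Secrets are namespaced and an Ingress TLS reference is resolved in the Ingress's own namespace, so unless the origin certificate is copied into every customer namespace (or configured as the controller's default certificate) ingress-nginx will, as far as I can tell, serve its self-signed placeholder certificate instead. In Cloudflare's Full (strict) mode that shows up as a 526, but in plain Full mode the placeholder is accepted silently and the origin authentication this change relies on is gone, so I would add above `tls:` a comment such as `# TLS secret must exist in the release namespace ({{ .Values.customer.name }}); the origin cert is NOT cluster-scoped` and correct the values.yaml comment to match. With the `cert-manager.io/cluster-issuer` annotation removed the certificate is trusted only by Cloudflare's edge, so the hunk's new comment should also record the assumptions it now depends on: the host is proxied through Cloudflare, the zone's SSL mode is Full (strict), direct-to-origin traffic is restricted (Cloudflare IP allow-list or Authenticated Origin Pulls), and renewal is now manual rather than handled by cert-manager. The Ingress definition begins and ends outside this hunk.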