On k8s, there's cert-manager but also you need k8s...
Most browsers support trust on first use for leaf certs
I guess I mean treat it as a clear first class feature. Right now most browsers treat it as an arcane error. I’m thinking more “This is the first time you’re connecting to this site. Do you trust it?”
And later if something changes, then they can do the whole DOING SOMETHING NASTY! thing, which is effectively the experience today
Firefox now started that you can't even go on the page on some occasions.
Using a browser in an air gapped environment is so much more pain than it should be.
Well, if your cert-manager distributes its own CA, you'd still need the clients to trust the CA, even in k8s.