Well, if your cert-manager distributes its own CA, you'd still need the clients to trust the CA, even in k8s.