I created a k8s deployment which spins up nginx in a job to update TLS secrets with dehydrated because I couldn’t get an admin to install cert-manager. It works great, especially because I had scheduled rebuilds of the base container off of latest images. I left the job 3 years ago, and it’s still running fine and staying ahead of the vuln scanners.

I had also used a pre-shared private key, which I put on a F5 BigIp, and just scheduled a job on the F5 to pull the updated certs daily.