Automating is a big topic here, it should have some documentation (wiki style).
My issue is that automating makes it either tedious or less secure than 1 year certificates when using Kubernetes; or am I missing something?
For Kubernetes, people traditionally create a Kubernetes Secret with the TLS certificate and then use it. Manually re-generating a certificate and updating that secret every year isn’t a lot of work. This means that if someone somehow gets your private key they cannot generate new valid certificates for your domain.
To be automated, one would need to have an external server running a cronjob with access to your Kubernetes cluster and your CSR certificate, so that means a really secure server and actually an additional server (you’re not supposed to have a Kubernetes Pod with access to the cluster on which it’s running).
Another hacky option may be to put the CSR in a Kubernetes Secret and have each Pod (i.e. each service using your TLS certificate) use it to get the TLS certificate at startup time. This delays start-up time, but the real difficulty is ensuring that Pods restart somehow periodically. One hacky way to do that may be to force a re-deploy of a new version every 60 days. Also it means that if someone gets access to your server, it’s possible to get an unlimited TLS cert generator for your domain.
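A shell helper for the manual rotation of the TLS Secret described in the post, as an added example that is not part of the original post: it checks whether the certificate in use expires within a chosen window and, if so, emits the replacement `kubernetes.io/tls` Secret manifest. It assumes `openssl` is on the PATH and that the certificate and key PEM files have already been issued; the Secret name `web-tls`, the namespace and the self-signed demo pair are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for rotating a
# kubernetes.io/tls Secret by hand. Assumes openssl on PATH.
set -eu

# needs_rotation CERT_PEM DAYS
# Returns 0 (true) when the certificate expires within DAYS days,
# 1 when it stays valid beyond that window.
needs_rotation() {
  cert="$1"; days="$2"
  if openssl x509 -noout -in "$cert" -checkend $((days * 86400)) >/dev/null; then
    return 1   # still valid past the window
  fi
  return 0     # expires inside the window: re-issue and update the Secret
}

# tls_secret_manifest NAME NAMESPACE CERT_PEM KEY_PEM
# Prints the kubernetes.io/tls Secret that replaces the old one
# (pipe to: kubectl apply -f -). Same shape as 'kubectl create secret tls'.
tls_secret_manifest() {
  name="$1"; ns="$2"; cert="$3"; key="$4"
  crt_b64=$(base64 < "$cert" | tr -d '\n')
  key_b64=$(base64 < "$key" | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
type: kubernetes.io/tls
data:
  tls.crt: ${crt_b64}
  tls.key: ${key_b64}
EOF
}

# Demo with constructed input: a throwaway self-signed pair valid for 30 days,
# which a 60-day rotation window must flag (a real cert comes from the CA).
work=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=example.test \
  -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null
if needs_rotation "$work/cert.pem" 60; then
  tls_secret_manifest web-tls default "$work/cert.pem" "$work/key.pem"
fi
```

The printed manifest carries the private key in base64, so treat the output like the key file itself and keep it out of shell history and CI logs.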