Automating issuance with Kubernetes

Why would these hypothetical bad guys need "new" valid certificates, having stolen the private key? The existing certificates for your domain are public documents, and those will work perfectly for them now that they've stolen your private key. Your only option here is to revoke all certificates for that key, throw away the key and regenerate everything.

I think your whole crazy design revolves around a misunderstanding of Public Key encryption and the surrounding infrastructure. I strongly advise you not to try to invent a completely different security mechanism but to instead embrace how the Web PKI is actually supposed to work, which means you should protect your Private Key and stop treating public documents like CSRs (Certificate Signing Requests) and Certificates as if they were secrets.

If you want Let's Encrypt certificate issuance and renewal to be handled by a separate "pod", that pod either needs access to the Private Key, or to a CSR generated using that Private Key together with a complete list of the names to be included on the certificate. The pods that provide a TLS service identified by the certificates need access to the Private Key and to a current valid certificate, but while the Private Key must be protected, the certificate is a public document and doesn't need to be kept in a "Kubernetes Secret" at all.
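The split described in the reply above, worked through as an added example that is not part of the original post or of any Kubernetes tooling: the TLS-serving side generates and keeps the private key, hands the issuance side only a CSR carrying the full SAN list, and the issuance side checks the CSR (self-signature valid, SANs as requested, public key matching the key the service holds) before it would ever talk to the ACME CA. It assumes only the `openssl` command line (1.1.1 or later, for `-addext`); the file paths and the domain names `example.test` / `www.example.test` are made-up inputs.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl >= 1.1.1 on PATH.
set -eu

# Side A (the pods that terminate TLS): the only party that ever touches the key.
# This file is what belongs in a Kubernetes Secret with tight RBAC.
gen_key() {            # $1 = path for the new private key
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
  chmod 600 "$1"
}

# Side A also produces the CSR: signed with the key, but containing no secret.
# $1 = key path, $2 = CSR output path, $3 = comma-separated DNS names.
gen_csr() {
  key=$1; out=$2; names=$3
  cn=${names%%,*}                              # first name doubles as CN
  sans=$(printf '%s' "$names" | sed 's/,/,DNS:/g')
  openssl req -new -key "$key" -subj "/CN=$cn" \
    -addext "subjectAltName=DNS:$sans" -out "$out" 2>/dev/null
}

# Side B (the issuance/renewal pod) receives only the CSR and runs these checks.

# 1. The CSR's self-signature verifies, i.e. whoever made it held the key.
csr_verify() {         # $1 = CSR path; exit status is the verdict
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# 2. The SAN list is exactly the set of names that should be issued.
csr_sans() {           # $1 = CSR path; prints e.g. DNS:a.test,DNS:www.a.test
  openssl req -in "$1" -noout -text 2>/dev/null \
    | awk '/Subject Alternative Name/ { getline; print }' | tr -d ' '
}

# 3. (Run on side A, or by an operator) the CSR's public key matches the
#    private key the service actually holds, by comparing SPKI digests.
csr_matches_key() {    # $1 = CSR path, $2 = key path
  a=$(openssl req -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  b=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  [ "$a" = "$b" ]
}

# Stand-alone demo with constructed inputs.
demo() {
  d=$(mktemp -d)
  gen_key "$d/tls.key"
  gen_csr "$d/tls.key" "$d/tls.csr" "example.test,www.example.test"
  csr_verify "$d/tls.csr"            && echo "CSR self-signature: OK"
  echo "CSR SANs: $(csr_sans "$d/tls.csr")"
  csr_matches_key "$d/tls.csr" "$d/tls.key" && echo "CSR matches tls.key: OK"
  gen_key "$d/other.key"             # a key the CSR was NOT made with
  csr_matches_key "$d/tls.csr" "$d/other.key" || echo "CSR vs other.key: mismatch (expected)"
  rm -rf "$d"
}
demo
```

Only `tls.key` needs Secret-grade protection; `tls.csr`, and later the certificate the CA returns for it, can sit in a ConfigMap or be passed between pods in the clear, which is exactly the point the reply makes.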