I think its maybe “worse” than just presenting self signed certificates. Kubernetes Ingress Controller Fake Certificate
is the default Kubernetes certificate when you initially start configuring TLS (and potentially provide incorrect configuration).
Ive seen this happen in the past when the secrets for a certificate are in a different/wrong namespace than the certificate resource