
How do you expose your services via an ingress when it needs to be behind a NAT (via your home router/gateway)? Thanks!



Hi, my shameless plug (I am the creator of webhookrelay): https://webhookrelay.com/v1/guide/ingress-controller, using it both for services that are running in GKE and on minikube locally. It's cheaper than allocating a LB IP for backing services that don't get much traffic like Grafana and similar things.


One possibility (especially for the "home Kubernetes" case) is not exposing the services to the outside world at all and using ZeroTier to access them: https://www.zerotier.com/. It's an L2 mesh VPN, and I believe you can even use MetalLB with it with some minor trickery. You can, of course, set up WireGuard or OpenVPN for yourself, too, but from my experience zt is the simplest for accessing the boxes behind NAT as you don't even need to set up any servers with real IPs.


DNAT. You map one/more ports from your router exposed on the internet to ip:port of the local app.

However, http/https ports are already used on routers to offer an admin web GUI. It’s technically possible to circumvent this with some ad-hoc firewall rules, but it depends on whether the router admin UI lets you do that.


> However, http/https ports are already used on routers to offer an admin web GUI.

not on the wan side I'd hope


Exactly, they aren’t exposed outside. That’s why you can “potentially” add rules to route requests from the outside to an internal host:port, even 80/143. On the LAN you would still be able to connect to router admin.


Using NodePort and Traefik ingress controller.


thanks!


You don't necessarily need an ingress, NodePort may be sufficient to expose a service.



