The private baking key should never leave the Ledger. But on a test network, it is fine to store it online as a Kubernetes secret instead.

You may replace the “signer forwarder” with just a Tezos signer. You still end up with a complete baking infrastructure, but with an exposed key, which is fine for a test network.