With Kubernetes, I understand that I need to use the service name from Kubernetes, something like "rest" (to make transparent the service itself), but that name would only be visible from the docker container serving the static resources.

Your understanding is correct. As long as you have a kube-dns add-on running in your cluster, your service name as Domain name is resolvable with in the same kubernetes cluster and namespace. In other words, as you said, "rest" will work only with in the kubernetes cluster.

My question: do I need to forward traffic from NGINX to the REST Api? Does Kubernetes expose a public service name usable from Javascript, for example?

This is one way to achieve this.

Advantage of this approach is, you will avoid all the Same Origin Policy/CORS headaches, your microservice (express) authentication details will be abstracted out from user's browser. (This is not necessarily an advantage).

Disadvantage of this approach is, your backend microservice (express) will have a tight coupling with front end (or vice-versa depending on how you look at it), This will make the scaling of backend dependent on front end. Your Backend is not exposed. So, if you have another consumer (let's just say an android app) it will not be able to access your service.

Another Solution

Create an ingress (and use an ingress controller in your cluster) and expose your Microservice(Express).