@will-darkwolf will-darkwolf commented Jul 31, 2025

For more information on TCP health checks, see the GCP documentation https://cloud.google.com/load-balancing/docs/health-check-concepts#method

prodsecmachine commented Jul 31, 2025

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found. (View Details)

license/snyk check is complete. No issues have been found. (View Details)

@botelastic botelastic bot added the triage label Jul 31, 2025
@barkbay barkbay requested review from barkbay and removed request for barkbay August 27, 2025 14:23
@naemono naemono self-assigned this Oct 10, 2025
    - host: "elasticsearch.hulk"
      http:
        paths:
          - path: "/*"

In testing this, I think these values need to be updated as well:

  Warning  Translate          11m (x16 over 16m)      loadbalancer-controller    Translation failed: invalid ingress spec: failed to validate exact path /* due to invalid wildcard; failed to validate exact path /* due to invalid wildcard
diff --git a/config/recipes/gclb/02-ingress.yaml b/config/recipes/gclb/02-ingress.yaml
index bd2e2dcff..8072a7532 100644
--- a/config/recipes/gclb/02-ingress.yaml
+++ b/config/recipes/gclb/02-ingress.yaml
@@ -20,8 +20,8 @@ spec:
     - host: "elasticsearch.hulk"
       http:
         paths:
-          - path: "/*"
-            pathType: Exact
+          - path: "/"
+            pathType: Prefix
             backend:
               service:
                 name: hulk-es-http
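Review bot: `pathType: Prefix` with `path: "/"` on the `elasticsearch.hulk` rule matches every request path for that host, so all of `hulk-es-http` is routed through this Ingress, and nothing in the hunk documents why the pair was changed. Add a YAML comment above the path entry stating that `/*` with `pathType: Exact` is rejected by the loadbalancer-controller ("invalid wildcard") and that `/` with `Prefix` is the intended catch-all, so a later edit does not revert or narrow it without knowing the reason.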
@@ -30,10 +30,25 @@ spec:
     - host: "kibana.hulk"
       http:
         paths:
-          - path: "/*"
-            pathType: Exact
+          - path: "/"
+            pathType: Prefix
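Review bot: the header `@@ -30,10 +30,25 @@` declares 25 lines on the new side against 10 on the old, but only the `kibana.hulk` path and pathType swap is visible, so the remaining additions cannot be reviewed from this comment. Either include the full hunk or trim the suggestion to the two changed lines; for the visible lines, `Prefix` on `/` routes every path on `kibana.hulk` to the backend, which deserves a one-line YAML comment explaining that it replaces the rejected `/*` with `Exact`.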

name: https
---
apiVersion: networking.gke.io/v1
kind: HealthCheckPolicy

Also, it should be noted here that the gateway api must be enabled in GKE for this to function, or otherwise you get:

no matches for kind "HealthCheckPolicy" in version "networking.gke.io/v1"
ensure CRDs are installed first

Also, these healthcheckpolicy objects are intended to be used with gcp gateways: https://cloud.google.com/kubernetes-engine/docs/how-to/configure-gateway-resources#configure_health_check

Note the error message after applying this resource.

Status:
  Conditions:
    Last Transition Time:  2025-10-10T18:46:57Z
    Message:               No GKE gateway is found for the target Service resource, namespace: elastic, name: hulk-es-http
    Reason:                GatewayNotFound

I'm going to close this pull request now, as this doesn't work as intended, but I will open another PR that notes the 2x things I found that need adjusting since testing this:

  1. cert-manager.io/common-name: domain.com <== the domain name requirement
  2. The ingress type/path adjustments needed.
