From 54d371fbe26ef6b53a7f9501ed2b5610ab9ac896 Mon Sep 17 00:00:00 2001
From: Will Kline <will.kline@darkwolfsolutions.com>
Date: Thu, 31 Jul 2025 11:10:26 -0400
Subject: [PATCH] Use the port 8080 health check instead of enabling anonymous
 access

For more information on TCP health checks, see the GCP documentation https://cloud.google.com/load-balancing/docs/health-check-concepts#method
---
 config/recipes/gclb/01-elastic-stack.yaml |  5 -----
 config/recipes/gclb/02-ingress.yaml       | 15 +++++++++++++++
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/config/recipes/gclb/01-elastic-stack.yaml b/config/recipes/gclb/01-elastic-stack.yaml
index 7c5363ce9f..b753509198 100644
--- a/config/recipes/gclb/01-elastic-stack.yaml
+++ b/config/recipes/gclb/01-elastic-stack.yaml
@@ -23,11 +23,6 @@ spec:
     count: 3
     config:
       node.store.allow_mmap: false
-      # Enable anonymous access to allow GCLB health probes to succeed
-      xpack.security.authc:
-        anonymous:
-          username: anon
-          roles: monitoring_user
     podTemplate:
       spec:
         containers:
diff --git a/config/recipes/gclb/02-ingress.yaml b/config/recipes/gclb/02-ingress.yaml
index bd2e2dcff1..112c2918a4 100644
--- a/config/recipes/gclb/02-ingress.yaml
+++ b/config/recipes/gclb/02-ingress.yaml
@@ -37,3 +37,18 @@ spec:
                 name: hulk-kb-http
                 port:
                   name: https
+---
+apiVersion: networking.gke.io/v1
+kind: HealthCheckPolicy
+metadata:
+  name: es-lb-healthcheck
+spec:
+  default:
+    config:
+      tcpHealthCheck:
+        port: 8080
+      type: TCP
+  targetRef:
+    group: ''
+    kind: Service
+    name: hulk-es-http