Integrate Gcp Api Gateway with GKE Cluster

My architecture is: GCP API Gateway should be the central endpoint (i.e. a mapped domain with HTTPS for the gateway URL). Behind it I have created a GKE cluster, deployed microservices in that cluster and exposed them via GCP Ingress.

Flow: user → API Gateway → GKE Ingress endpoint → microservices.

I have configured everything up to the GKE Ingress: all services are deployed in the GKE cluster and are up and running via the Ingress endpoint.

Now I need to integrate API Gateway with the Ingress endpoint. Here we are using Keycloak as the auth service and the backend is a Java application (Spring Boot).

I need your help with this scenario to integrate GCP API Gateway with the GKE cluster Ingress.

My API Gateway OpenAPI config file:

swagger: "2.0"
info:
  title: "API Gateway"
  description: "Centralized API Gateway for microservices with Keycloak integration"
  version: "1.0.0"
schemes:
  - https
produces:
  - application/json
consumes:
  - application/json

x-google-management:
  metrics:
    - name: "requests_count"
      displayName: "Request Count"
      valueType: INT64
      metricKind: DELTA
  quota:
    limits:
      - name: "requests-per-project"
        metric: "requests_count"      # a limit must name the metric it applies to
        unit: "1/min/{project}"       # per-project, per-minute limit
        values:
          STANDARD: 1000

paths:
  /:
    get:
      operationId: getInspection
      # Two list entries mean EITHER requirement is sufficient (JWT or API key).
      # To require both, put both schemes in a single list entry.
      security:
        - keycloak_jwt: ["openid", "profile"]
        - api_key: []
      x-google-backend:
        address: "https://api.example.com"   # Ingress endpoint
        path_translation: APPEND_PATH_TO_ADDRESS
        deadline: 30.0
        # Audience of the Google-signed ID token the gateway sends to the backend;
        # the caller's original Keycloak token is forwarded in X-Forwarded-Authorization.
        jwt_audience: "client-id"
      responses:
        '200':
          description: "Successful response"
        '401':
          description: "Unauthorized"
        '403':
          description: "Forbidden"
    post:
      operationId: postInspection
      security:
        - keycloak_jwt: ["openid", "profile"]
        - api_key: []
      x-google-backend:
        address: "https://api.example.com"   # Ingress endpoint
        path_translation: APPEND_PATH_TO_ADDRESS
        deadline: 30.0
        jwt_audience: "client-id"
      responses:
        '200':
          description: "Successful response"
        '401':
          description: "Unauthorized"
        '403':
          description: "Forbidden"

securityDefinitions:
  api_key:
    type: apiKey
    in: header
    name: X-API-KEY

  keycloak_jwt:
    type: "oauth2"
    flow: "accessCode"
    authorizationUrl: "https://auth.example.com/client/realms/client/protocol/openid-connect/auth"
    tokenUrl: "https://auth.example.com/client/realms/client/protocol/openid-connect/token"
    # The gateway validates incoming Keycloak tokens against these three fields.
    x-google-issuer: "https://auth.example.com/client/realms/client"
    x-google-jwks_uri: "https://auth.example.com/client/realms/client/protocol/openid-connect/certs"
    x-google-audiences: "client-id"
    scopes:
      openid: "OpenID Connect scope"
      profile: "Profile scope"


Hi @Harisabareesh,

Welcome to Google Cloud Community!

It seems like this kind of setup needs further assistance. For more detailed guidance, please feel free to reach out to the Google support team.

This should really not be the answer. Google, of all companies, should know that writing an answer in a public forum > some private email chat.

You can integrate your GCP API Gateway with your GKE Ingress by configuring the x-google-backend in your OpenAPI spec to point to your GKE Ingress HTTPS endpoint, which you’ve already done. Make sure the Ingress allows traffic from the API Gateway’s IPs or has a public endpoint, and that your backend services accept JWTs issued by Keycloak—the API Gateway will validate these using the x-google-issuer, x-google-jwks_uri, and x-google-audiences fields. Ensure your API Gateway and GKE Ingress both use HTTPS and that CORS, path translation, and headers are properly handled. Essentially, API Gateway acts as a front-door, validating JWTs and passing requests to your GKE Ingress, which then routes them to the microservices. If you need deeper troubleshooting or custom setup, contacting Google Cloud support is recommended.
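The answer above lists the fields that have to line up for the gateway to validate Keycloak JWTs and forward to the Ingress (x-google-issuer, x-google-jwks_uri, x-google-audiences, x-google-backend). Before running `gcloud api-gateway api-configs create`, it is worth linting the spec for the mistakes that bite in practice: an undefined security scheme, a non-HTTPS issuer or backend, a JWKS URI on a different host than the issuer, an operation with no security at all, an unexpanded placeholder in jwt_audience, or a security list where an API key alone bypasses the JWT. The script below is an added example and not part of the thread or any Google tool; the SPEC dict is a constructed copy of the poster's config (placeholder hostnames kept, including the "$client-id" typo in the GET operation) and the check names are this example's own.

```python
"""Consistency checks for an API Gateway OpenAPI (Swagger 2.0) config.

Added example, not from the thread. SPEC is a constructed dict mirroring
the poster's config; the checks are this example's own, not a Google tool.
"""
from urllib.parse import urlparse

# Constructed spec mirroring the thread's config, including its
# "$client-id" typo in the GET operation so the linter has something to find.
SPEC = {
    "swagger": "2.0",
    "schemes": ["https"],
    "paths": {"/": {
        "get": {
            "operationId": "getInspection",
            "security": [{"keycloak_jwt": ["openid", "profile"]}, {"api_key": []}],
            "x-google-backend": {"address": "https://api.example.com",
                                 "path_translation": "APPEND_PATH_TO_ADDRESS",
                                 "deadline": 30.0, "jwt_audience": "$client-id"},
        },
        "post": {
            "operationId": "postInspection",
            "security": [{"keycloak_jwt": ["openid", "profile"]}, {"api_key": []}],
            "x-google-backend": {"address": "https://api.example.com",
                                 "path_translation": "APPEND_PATH_TO_ADDRESS",
                                 "deadline": 30.0, "jwt_audience": "client-id"},
        },
    }},
    "securityDefinitions": {
        "api_key": {"type": "apiKey", "in": "header", "name": "X-API-KEY"},
        "keycloak_jwt": {
            "type": "oauth2", "flow": "accessCode",
            "x-google-issuer": "https://auth.example.com/client/realms/client",
            "x-google-jwks_uri": "https://auth.example.com/client/realms/client/protocol/openid-connect/certs",
            "x-google-audiences": "client-id",
        },
    },
}


def lint_gateway_spec(spec):
    """Return a list of (scope, message) findings; an empty list means clean."""
    findings = []
    defs = spec.get("securityDefinitions", {})
    jwt_defs = {n: d for n, d in defs.items() if "x-google-issuer" in d}

    # The gateway trusts whatever the issuer/JWKS pair points at, so both must
    # be HTTPS and the JWKS should live on the same host as the issuer.
    for name, d in jwt_defs.items():
        iss = urlparse(d["x-google-issuer"])
        jwks = urlparse(d.get("x-google-jwks_uri", ""))
        if iss.scheme != "https":
            findings.append((name, "x-google-issuer is not https"))
        if jwks.netloc != iss.netloc:
            findings.append((name, "x-google-jwks_uri host differs from issuer host"))
        if not d.get("x-google-audiences"):
            findings.append((name, "x-google-audiences is empty"))

    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            op_id = op.get("operationId", f"{method.upper()} {path}")
            reqs = op.get("security", [])
            for req in reqs:
                for scheme in req:
                    if scheme not in defs:
                        findings.append((op_id, f"security scheme '{scheme}' is not defined"))
            if not reqs:
                findings.append((op_id, "no security requirement: endpoint is open"))
            # Multiple list entries are alternatives; one without a JWT scheme
            # means an API key alone is enough to reach the backend.
            if len(reqs) > 1 and any(not (set(r) & set(jwt_defs)) for r in reqs):
                findings.append((op_id, "security alternatives: a non-JWT requirement "
                                        "(e.g. api_key alone) also satisfies this operation"))
            backend = op.get("x-google-backend", {})
            if urlparse(backend.get("address", "")).scheme != "https":
                findings.append((op_id, "backend address is not https"))
            # jwt_audience is the audience of the Google-signed token sent to the
            # backend; an unexpanded "$" placeholder yields tokens it will reject.
            aud = backend.get("jwt_audience")
            if aud is not None and (not aud or "$" in aud):
                findings.append((op_id, f"jwt_audience '{aud}' looks like an unexpanded placeholder"))
    return findings


if __name__ == "__main__":
    for scope, msg in lint_gateway_spec(SPEC):
        print(f"{scope}: {msg}")
```

Run against the constructed spec it reports the "$client-id" placeholder on getInspection and, on both operations, that the two-entry security list lets an API key alone satisfy the route; whether the latter is intended is a design decision, but it should be a conscious one before the gateway fronts the Ingress.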