Home  /  Self-Managed Deployments  /  Installation

Install on GCP

Materialize provides a set of modular Terraform modules that can be used to deploy all services required for Materialize to run on Google Cloud. The module is intended to provide a simple set of examples on how to deploy Materialize. It can be used as is or modules can be taken from the example and integrated with existing DevOps tooling.

Self-managed Materialize requires: a Kubernetes (v1.31+) cluster; PostgreSQL as a metadata database; blob storage; and a license key. The example on this page deploys a complete Materialize environment on GCP using the modular Terraform setup from this repository.

WARNING!

The Terraform modules used in this tutorial are intended for evaluation/demonstration purposes and for serving as a template when building your own production deployment. The modules should not be directly relied upon for production deployments: future releases of the modules will contain breaking changes. Instead, to use as a starting point for your own production deployment, either:

  • Fork the repo and pin to a specific version; or

  • Use the code as a reference when developing your own deployment.

What Gets Created

This example provisions the following infrastructure:

Networking

Resource Description
VPC Network Custom VPC with auto-create subnets disabled
Subnet 192.168.0.0/20 primary range with private Google access enabled
Secondary Ranges Pods: 192.168.64.0/18, Services: 192.168.128.0/20
Cloud Router For NAT and routing configuration
Cloud NAT For outbound internet access from private nodes
VPC Peering Service networking connection for Cloud SQL private access

Compute

Resource Description
GKE Cluster Regional cluster with Workload Identity enabled
Generic Node Pool e2-standard-8 machines, autoscaling 2-5 nodes, 50GB disk, for general workloads
Materialize Node Pool n2-highmem-8 machines, autoscaling 2-5 nodes, 100GB disk, 1 local SSD, swap enabled, dedicated taints for Materialize workloads
Service Account GKE service account with workload identity binding

Database

Resource Description
Cloud SQL PostgreSQL Private IP only (no public IP)
Tier db-custom-2-4096 (2 vCPUs, 4GB memory)
Database materialize database with UTF8 charset
User materialize user with auto-generated password
Network Connected via VPC peering for private access

Storage

Resource Description
Cloud Storage Bucket Regional bucket for Materialize persistence
Access HMAC keys for S3-compatible access (Workload Identity service account with storage permissions is configured but not currently used by Materialize for GCS access, in future we will remove HMAC keys and support access to GCS either via Workload Identity Federation or via Kubernetes ServiceAccounts that impersonate IAM service accounts)
Versioning Disabled (for testing; enable in production)

Kubernetes Add-ons

Resource Description
cert-manager Certificate management controller for Kubernetes that automates TLS certificate provisioning and renewal
Self-signed ClusterIssuer Provides self-signed TLS certificates for Materialize instance internal communication (balancerd, console). Used by the Materialize instance for secure inter-component communication.

Materialize

Resource Description
Operator Materialize Kubernetes operator in the materialize namespace
Instance Single Materialize instance in the materialize-environment namespace
Load Balancers GCP Load Balancers for Materialize access
Port Description
6875 For SQL connections to the database
6876 For HTTP(S) connections to the database
8080 For HTTP(S) connections to Materialize Console

Prerequisites

GCP Account Requirements

A Google account with permission to:

  • Enable Google Cloud APIs/services on for your project.
  • Create:
    • GKE clusters
    • Cloud SQL instances
    • Cloud Storage buckets
    • VPC networks and networking resources
    • Service accounts and IAM bindings

Required Tools

License Key

License key type Deployment type Action
Community New deployments

To get a license key:
Community Existing deployments Contact Materialize support.
Enterprise New deployments Visit https://materialize.com/self-managed/enterprise-license/ to purchase an Enterprise license.
Enterprise Existing deployments Contact Materialize support.

Getting started: Simple example

WARNING!

The Terraform modules used in this tutorial are intended for evaluation/demonstration purposes and for serving as a template when building your own production deployment. The modules should not be directly relied upon for production deployments: future releases of the modules will contain breaking changes. Instead, to use as a starting point for your own production deployment, either:

  • Fork the repo and pin to a specific version; or

  • Use the code as a reference when developing your own deployment.

Step 1: Set Up the Environment

  1. Open a terminal window.

  2. Clone the Materialize Terraform repository and go to the gcp/examples/simple directory.

    git clone https://github.com/MaterializeInc/materialize-terraform-self-managed.git
cd materialize-terraform-self-managed/gcp/examples/simple

  3. Authenticate to GCP with your user account.

    gcloud auth login

  4. Find the list of GCP projects:

    gcloud projects list

  5. Set your active GCP project, substitute with your <PROJECT_ID>.

    gcloud config set project <PROJECT_ID>

  6. Enable the following APIs for your project:

    gcloud services enable container.googleapis.com               # For creating Kubernetes clusters
gcloud services enable compute.googleapis.com                 # For creating GKE nodes and other compute resources
gcloud services enable sqladmin.googleapis.com                # For creating databases
gcloud services enable cloudresourcemanager.googleapis.com    # For managing GCP resources
gcloud services enable servicenetworking.googleapis.com       # For private network connections
gcloud services enable iamcredentials.googleapis.com          # For security and authentication
gcloud services enable iam.googleapis.com                     # For managing IAM service accounts and policies
gcloud services enable storage.googleapis.com                 # For Cloud Storage buckets

  7. Authenticate application default credentials for Terraform

    gcloud auth application-default login

Step 2: Configure Terraform Variables

  1. Create a terraform.tfvars file and specify the following variables:

    Variable Description
    project_id Set to your GCP project ID.
    name_prefix Set a prefix for all resource names (e.g., simple-demo) as well as your release name for the Operator
    region Set the GCP region for the deployment (e.g., us-central1).
    license_key Set to your Materialize license key.
    labels Set to the labels to apply to resources. 
    project_id  = "my-gcp-project"
name_prefix = "simple-demo"
region      = "us-central1"
license_key = "your-materialize-license-key"
labels = {
  environment = "demo"
  created_by  = "terraform"
}

Step 3: Apply the Terraform

  1. Initialize the Terraform directory to download the required providers and modules:

    terraform init

  2. Apply the Terraform configuration to create the infrastructure.

    • To deploy with the default internal NLB for Materialize access:
    terraform apply
    • To deploy with public NLB for Materialize access:
    terraform apply -var="internal=false"

    If you are satisfied with the planned changes, type yes when prompted to proceed.

  3. From the output, you will need the following field(s) to connect:

    • console_load_balancer_ip for the Materialize Console
    • balancerd_load_balancer_ip to connect PostgreSQL-compatible clients/drivers.
    terraform output -raw <field_name>
    💡 Tip: Your shell may show an ending marker (such as %) because the output did not end with a newline. Do not include the marker when using the value.

  4. Configure kubectl to connect to your GKE cluster, replacing:

    • <your-gke-cluster-name> with your cluster name; i.e., the gke_cluster_name in the Terraform output. For the sample example, your cluster name has the form <name_prefix>-gke; e.g., simple-demo-gke

    • <your-region> with your cluster location; i.e., the gke_cluster_location in the Terraform output. Your region can also be found in your terraform.tfvars file.

    • <your-project-id> with your GCP project ID.

    # gcloud container clusters get-credentials <your-gke-cluster-name> --region <your-region> --project <your-project-id>
gcloud container clusters get-credentials $(terraform output -raw gke_cluster_name) \
 --region $(terraform output -raw gke_cluster_location) \
 --project <your-project-id>

Step 4. Optional. Verify the status of your deployment

  1. Check the status of your deployment:

      To check the status of the Materialize operator, which runs in the materialize namespace:

      kubectl -n materialize get all

      To check the status of the Materialize instance, which runs in the materialize-environment namespace:

      kubectl -n materialize-environment get all

      If you run into an error during deployment, refer to the Troubleshooting.

    Step 5: Connect to Materialize

    NOTE: If using an internal Network Load Balancer (NLB) for your Materialize access, you can connect from inside the same VPC or from networks that are privately connected to it.

    Connect using the Materialize Console

    Using the console_load_balancer_ip from the Terraform output, you can connect to Materialize via the Materialize Console.

    To connect to the Materialize Console, open a browser to https://<console_load_balancer_ip>:8080, substituting your <console_load_balancer_ip>.

    From the terminal, you can type:

    open "https://$(terraform output -raw console_load_balancer_ip):8080/materialize"
    💡 Tip: The example uses a self-signed ClusterIssuer. As such, you may encounter a warning with regards to the certificate. In production, run with certificates from an official Certificate Authority (CA) rather than self-signed certificates.

    Connect using the psql

    Using the balancerd_load_balancer_ip value from the Terraform output, you can connect to Materialize via PostgreSQL-compatible clients/drivers, such as psql:

    psql "postgres://$(terraform output -raw balancerd_load_balancer_ip):6875/materialize"

    Customizing Your Deployment

    💡 Tip: To reduce cost in your demo environment, you can tweak machine types and database tiers in main.tf.

    You can customize each module independently.

    NOTE: GCP Storage Authentication Limitation: Materialize currently only supports HMAC key authentication for GCS access (S3-compatible API). Current State: The modules configure both HMAC keys and Workload Identity, but Materialize uses HMAC keys for actual storage access. Future: Native GCS access via Workload Identity Federation or Kubernetes service account impersonation will be supported in a future release, eliminating the need for static credentials.

    See also:

    Cleanup

    To delete the whole sample infrastructure and deployment (including the Materialize operator and Materialize instances and data), run from the Terraform directory:

    terraform destroy

    When prompted to proceed, type yes to confirm the deletion.

    See Also

    Back to top ↑