Hand-written StatefulSet YAML teaches how IBM MQ fits Kubernetes, but production teams on OpenShift and enterprise Kubernetes rarely stop there—they install the IBM MQ Operator so queue managers become declarative custom resources checked into Git, reviewed in pull requests, and reconciled automatically when someone changes storage size or TLS certificates. The operator is a controller process in the cluster that watches QueueManager objects, compares spec to reality, and creates or updates pods, persistent volume claims, services, and certificate resources until status conditions report Ready or surface a clear error. Beginners expect the operator to eliminate MQ expertise; in practice it eliminates boilerplate assembly while you still define channels, queues, authority, and application connectivity. This tutorial covers operator installation sources, the QueueManager CR fields and what each controls, reconciliation and status conditions, storage and version upgrades, integration with cert-manager, differences from raw Helm-only installs, day-two operations like log collection and scaling Native HA roles, and troubleshooting when the CR says Ready but clients still get 2059.
| Topic | MQ Operator | Manual StatefulSet |
|---|---|---|
| Upgrade orchestration | Built-in roll patterns | You script pod order |
| TLS certificates | Integrates cert-manager patterns | You mount secrets |
| IBM tested combinations | Supported matrix | You validate yourself |
| Learning curve | CRD + Kubernetes | Kubernetes only |
On OpenShift, install from OperatorHub into a namespace with appropriate permissions; OLM manages subscription channels and CSV upgrades. On Kubernetes, IBM documents Helm-based operator installs or bundled manifests. Pin operator version to MQ queue manager version compatibility table—installing the newest operator against an unsupported QM version fails reconciliation with conditions you must read in kubectl describe queuemanager. Cluster admins need cluster-scoped RBAC to install CRDs; application teams receive namespace-scoped rights to create QueueManager instances.
The spec section names the queue manager, chooses MQ version image, requests CPU and memory, defines storage size and storage class, and enables features such as TLS or metrics per your operator version. status.conditions show Ready, Error, or progressing states. status.version reports running fix pack. Editing spec triggers reconciliation— increasing storage may expand PVC if storage class allows volume expansion. Decreasing storage is usually blocked. Renaming queue manager in spec on existing PVC is destructive—treat name as immutable.
12345678910111213141516171819202122apiVersion: mq.ibm.com/v1beta1 kind: QueueManager metadata: name: finance-qm spec: version: 9.4.0.0-r1 license: accept: true queueManager: name: FINANCE storage: queueManager: type: persistent-claim size: 100Gi class: fast-ssd resources: requests: cpu: "1" memory: 1Gi limits: cpu: "2" memory: 2Gi
When you kubectl apply a QueueManager, the operator observes the change, calculates required child resources, and applies them. If a pod is deleted manually, the operator recreates it to match spec—do not fight the controller without pausing reconciliation. Finalizers may block deletion until queues drain—understand operator deletion policies before kubectl delete in production. Events on the CR and operator pod logs explain most failures.
The operator is a robot that reads a recipe card (the CR) and builds the MQ box (pod plus disk plus wires) exactly as written. If a part falls off, the robot puts it back. You still decide what messages go in which queues—the robot does not write your application logic.
Single-instance QueueManager CR maps to one primary queue manager PVC. Native HA configurations use multiple CRs or HA-specific spec sections per IBM documentation for your operator release—never share one RWO PVC across two active writers. Read IBM architecture for active and replica roles before enabling HA in production.
Operators often integrate cert-manager to issue listener and channel certificates with automatic renewal. Define Issuer or ClusterIssuer cluster-wide; QueueManager spec references certificate secrets mounted into the pod. When certs rotate, channels using SSL must tolerate handshakes during rollover—plan maintenance windows if clients cache trust incorrectly.
The MQ Operator is a helper robot that builds and fixes your MQ toy set whenever you change the instruction card, so you do not have to screw every piece by hand each time.
Install operator in lab; create QueueManager; verify Ready and connect with sample client.
Describe which child resources exist after CR create (StatefulSet, Service, PVC).
Simulate cert expiry scenario and document renewal steps for your operator version.
1. The operator watches:
2. Reconciliation means:
3. Before upgrade backup:
4. Operator creates typically: