Chapter 6: Provider Management

Providers are the core resources in kubectl-mtv that represent source and target virtualization platforms. This chapter covers complete provider lifecycle management including creation, configuration, patching, and deletion.

For detailed information about provider prerequisites and requirements, see the official Forklift provider documentation.

Overview of Providers

Providers define the connection and authentication details for virtualization platforms. Each migration requires:

Source Provider: Your current virtualization platform (vSphere, oVirt, OpenStack, KubeVirt, OVA, or HyperV)
Target Provider: Your destination KubeVirt cluster (typically OpenShift/Kubernetes)

Supported Provider Types

kubectl-mtv supports the following provider types:

Provider Type	Description	Use Case
`openshift`	OpenShift/Kubernetes clusters	Target provider or KubeVirt-to-KubeVirt migrations
`vsphere`	VMware vSphere/vCenter	Source provider for VMware environments
`ovirt`	oVirt/Red Hat Virtualization	Source provider for oVirt/RHV environments
`openstack`	OpenStack platforms	Source provider for OpenStack environments
`ec2`	Amazon EC2	Source provider for AWS environments
`hyperv`	Microsoft Hyper-V	Source provider for Hyper-V environments
`ova`	OVA/OVF files	Source provider for VM image files

Listing, Describing, and Deleting Providers

List Providers

# List all providers in current namespace
kubectl mtv get providers

# List providers in specific namespace
kubectl mtv get providers --namespace forklift-namespace

# List providers across all namespaces
kubectl mtv get providers --all-namespaces

# List with detailed output
kubectl mtv get providers --output yaml
kubectl mtv get providers --output json

# List specific provider
kubectl mtv get provider --name my-vsphere-provider

Describe Providers

Get detailed information about a specific provider:

# Describe a provider
kubectl mtv describe provider --name my-vsphere-provider

# Describe with additional inventory information
kubectl mtv get inventory providers --name my-vsphere-provider

Delete Providers

# Delete a specific provider
kubectl mtv delete provider --name my-vsphere-provider

# Delete multiple providers
kubectl mtv delete providers --name provider1,provider2,provider3

# Delete all providers in namespace (use with caution)
kubectl mtv delete provider --all

# Plural form for single or multiple
kubectl mtv delete providers --name my-vsphere-provider

How-To: Creating Providers

VMware vSphere Provider

Create providers for VMware vCenter or ESXi environments.

Basic vSphere Provider

# Basic vSphere provider with vCenter
kubectl mtv create provider --name vsphere-prod --type vsphere \
  --url https://vcenter.example.com/sdk \
  --username administrator@vsphere.local \
  --password YourSecurePassword

# vSphere provider with ESXi endpoint
kubectl mtv create provider --name esxi-host --type vsphere \
  --url https://esxi-host.example.com/sdk \
  --username root \
  --password YourSecurePassword \
  --sdk-endpoint esxi

vSphere Provider with VDDK Optimization

VDDK is recommended for optimal VMware disk transfer performance. The preferred approach is to set the VDDK image globally so that all vSphere providers use it automatically.

Step 1 — Set the global VDDK image (recommended)

kubectl mtv settings set --setting vddk_image \
  --value quay.io/your-registry/vddk:8.0.1

Once the global image is configured, create a vSphere provider without specifying --vddk-init-image — it will inherit the global setting:

kubectl mtv create provider --name vsphere-prod --type vsphere \
  --url https://vcenter.example.com/sdk \
  --username administrator@vsphere.local \
  --password YourSecurePassword

For advanced VDDK optimization you can still add the tuning flags:

kubectl mtv create provider --name vsphere-prod --type vsphere \
  --url https://vcenter.example.com/sdk \
  --username administrator@vsphere.local \
  --password YourSecurePassword \
  --use-vddk-aio-optimization \
  --vddk-buf-size-in-64k 64 \
  --vddk-buf-count 8

Fallback — per-provider VDDK image. If you do not have permission to modify ForkliftController settings, you can specify the VDDK image directly on the provider instead:

kubectl mtv create provider --name vsphere-prod --type vsphere \
  --url https://vcenter.example.com/sdk \
  --username administrator@vsphere.local \
  --password YourSecurePassword \
  --vddk-init-image quay.io/your-registry/vddk:8.0.1

See Chapter 25: Settings Management for full details on global settings.

vSphere Provider with Custom CA Certificate

# With CA certificate from file
kubectl mtv create provider --name vsphere-prod --type vsphere \
  --url https://vcenter.example.com/sdk \
  --username administrator@vsphere.local \
  --password YourSecurePassword \
  --cacert @/path/to/ca-certificate.pem

# With inline CA certificate
kubectl mtv create provider --name vsphere-prod --type vsphere \
  --url https://vcenter.example.com/sdk \
  --username administrator@vsphere.local \
  --password YourSecurePassword \
  --cacert "-----BEGIN CERTIFICATE-----
MIIGBzCCA++gAwIBAgIJAKt..."

# Skip TLS verification (not recommended for production)
kubectl mtv create provider --name vsphere-test --type vsphere \
  --url https://vcenter.test.com/sdk \
  --username administrator@vsphere.local \
  --password YourSecurePassword \
  --provider-insecure-skip-tls

vSphere Provider with ESXi Clone Method

Configure the ESXi clone method for direct ESXi disk cloning (vSphere only):

# Use VIB-based ESXi clone method
kubectl mtv create provider --name vsphere-vib --type vsphere \
  --url https://vcenter.example.com/sdk \
  --username administrator@vsphere.local \
  --password YourSecurePassword \
  --esxi-clone-method vib

# Use SSH-based ESXi clone method
kubectl mtv create provider --name vsphere-ssh --type vsphere \
  --url https://vcenter.example.com/sdk \
  --username administrator@vsphere.local \
  --password YourSecurePassword \
  --esxi-clone-method ssh

vSphere Provider with Existing Secret

# Use existing secret for credentials
kubectl mtv create provider --name vsphere-prod --type vsphere \
  --url https://vcenter.example.com/sdk \
  --secret existing-vcenter-secret

oVirt/RHV Provider

Create providers for oVirt and Red Hat Virtualization environments.

# Basic oVirt provider
kubectl mtv create provider --name ovirt-prod --type ovirt \
  --url https://ovirt-engine.example.com/ovirt-engine/api \
  --username admin@internal \
  --password YourSecurePassword

# oVirt provider with CA certificate
kubectl mtv create provider --name ovirt-prod --type ovirt \
  --url https://ovirt-engine.example.com/ovirt-engine/api \
  --username admin@internal \
  --password YourSecurePassword \
  --cacert @/path/to/ovirt-ca.pem

# oVirt provider with existing secret
kubectl mtv create provider --name ovirt-prod --type ovirt \
  --url https://ovirt-engine.example.com/ovirt-engine/api \
  --secret ovirt-credentials-secret

OpenStack Provider

Create providers for OpenStack environments with required project and domain information.

# Basic OpenStack provider
kubectl mtv create provider --name openstack-prod --type openstack \
  --url https://openstack.example.com:5000/v3 \
  --username admin \
  --password YourSecurePassword \
  --provider-domain-name Default \
  --provider-project-name admin

# OpenStack provider with region
kubectl mtv create provider --name openstack-west --type openstack \
  --url https://openstack-west.example.com:5000/v3 \
  --username myuser \
  --password YourSecurePassword \
  --provider-domain-name MyDomain \
  --provider-project-name MyProject \
  --provider-region-name us-west-1

# OpenStack provider with CA certificate
kubectl mtv create provider --name openstack-prod --type openstack \
  --url https://openstack.example.com:5000/v3 \
  --username admin \
  --password YourSecurePassword \
  --provider-domain-name Default \
  --provider-project-name admin \
  --cacert @/path/to/openstack-ca.pem

OpenShift/Kubernetes (Target) Provider

Create target providers for OpenShift or Kubernetes clusters.

# Local OpenShift cluster (current context)
kubectl mtv create provider --name local-openshift --type openshift

# Remote OpenShift cluster with token
kubectl mtv create provider --name remote-openshift --type openshift \
  --url https://api.remote-cluster.example.com:6443 \
  --provider-token your-service-account-token

# Remote OpenShift cluster with CA certificate
kubectl mtv create provider --name remote-openshift --type openshift \
  --url https://api.remote-cluster.example.com:6443 \
  --provider-token your-service-account-token \
  --cacert @/path/to/cluster-ca.pem

# Skip TLS verification for testing
kubectl mtv create provider --name test-openshift --type openshift \
  --url https://api.test-cluster.example.com:6443 \
  --provider-token your-service-account-token \
  --provider-insecure-skip-tls

EC2 Provider

Create providers for Amazon EC2 environments. The --url flag is optional; if omitted, it will be auto-generated from the region.

# Basic EC2 provider (URL auto-generated from region)
kubectl mtv create provider --name ec2-prod --type ec2 \
  --ec2-region us-east-1 \
  --username AKIAIOSFODNN7EXAMPLE \
  --password wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

# EC2 provider with target region/AZ for migrations
kubectl mtv create provider --name ec2-prod --type ec2 \
  --ec2-region us-east-1 \
  --target-region us-west-2 \
  --target-az us-west-2b \
  --username AKIAIOSFODNN7EXAMPLE \
  --password wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

EC2 Migration Settings:

--target-region: Target region for migrations (defaults to provider region)
--target-az: Target availability zone (defaults to target-region + a)

Note: Migration host creation and VDDK settings are not applicable to EC2 providers.

OVA Provider

Create providers for OVA/OVF file imports from NFS shares.

Note: OVA providers only support NFS URLs in the format nfs_server:nfs_path where OVA files are stored on an NFS share.

# OVA provider from NFS share
kubectl mtv create provider --name my-ova --type ova \
  --url nfs.example.com:/path/to/ova-files

# OVA provider with IP address
kubectl mtv create provider --name datacenter-ova --type ova \
  --url 192.168.1.100:/exports/vm-images

HyperV Provider

Create providers for Microsoft Hyper-V environments. HyperV providers require an SMB share URL for VM disk access.

# Basic HyperV provider
kubectl mtv create provider --name my-hyperv --type hyperv \
  --url https://192.168.1.100 \
  --username Administrator \
  --password YourSecurePassword \
  --smb-url '//192.168.1.100/VMShare'

# HyperV provider with separate SMB credentials
kubectl mtv create provider --name my-hyperv --type hyperv \
  --url https://192.168.1.100 \
  --username Administrator \
  --password YourSecurePassword \
  --smb-url '//192.168.1.100/VMShare' \
  --smb-user smbuser \
  --smb-password SmbPassword123

# HyperV provider with TLS verification disabled
kubectl mtv create provider --name my-hyperv --type hyperv \
  --url https://192.168.1.100 \
  --username Administrator \
  --password YourSecurePassword \
  --smb-url '//192.168.1.100/VMShare' \
  --provider-insecure-skip-tls

# HyperV provider with CA certificate
kubectl mtv create provider --name my-hyperv --type hyperv \
  --url https://192.168.1.100 \
  --username Administrator \
  --password YourSecurePassword \
  --smb-url '//192.168.1.100/VMShare' \
  --cacert @/path/to/ca-certificate.pem

# HyperV provider with inline CA certificate
kubectl mtv create provider --name my-hyperv --type hyperv \
  --url https://192.168.1.100 \
  --username Administrator \
  --password YourSecurePassword \
  --smb-url '//192.168.1.100/VMShare' \
  --cacert "-----BEGIN CERTIFICATE-----
MIIGBzCCA++gAwIBAgIJAKt...
-----END CERTIFICATE-----"

HyperV Provider Settings:

--url: HyperV host IP or URL (e.g., https://192.168.1.100)
--smb-url: Required SMB share path for VM disk access (e.g., //server/share)
--smb-user: Optional separate SMB username (defaults to HyperV username)
--smb-password: Optional separate SMB password (defaults to HyperV password)

Using Environment Variables

You can use the MTV_VDDK_INIT_IMAGE environment variable to set a default VDDK image:

# Set default VDDK image
export MTV_VDDK_INIT_IMAGE=quay.io/your-registry/vddk:8.0.1

# Create vSphere provider (will use the environment variable)
kubectl mtv create provider --name vsphere-prod --type vsphere \
  --url https://vcenter.example.com/sdk \
  --username administrator@vsphere.local \
  --password YourSecurePassword

How-To: Patching Providers

Provider patching allows you to update settings of existing providers without recreating them. This is particularly useful for updating credentials, URLs, or VDDK settings.

Understanding Secret Ownership and Protection

kubectl-mtv implements secret ownership protection to prevent accidental modification of shared secrets:

Owned Secrets: Created automatically by kubectl-mtv and owned by the provider
Shared Secrets: Created independently and potentially used by multiple providers

Owned vs. Shared Secrets

# When you create a provider with credentials, kubectl-mtv creates an owned secret
kubectl mtv create provider --name vsphere-prod --type vsphere \
  --url https://vcenter.example.com/sdk \
  --username admin \
  --password secret123
# Creates: owned secret that can be patched

# When you create a provider with existing secret, it becomes shared
kubectl create secret generic shared-creds --from-literal=user=admin --from-literal=password=secret123
kubectl mtv create provider --name vsphere-prod --type vsphere \
  --url https://vcenter.example.com/sdk \
  --secret shared-creds
# Uses: shared secret that cannot be patched through provider commands

Updating Provider Settings

Update URL and Connection Settings

# Update provider URL
kubectl mtv patch provider --name vsphere-prod \
  --url https://new-vcenter.example.com/sdk

# Update URL and disable TLS verification
kubectl mtv patch provider --name vsphere-test \
  --url https://test-vcenter.internal/sdk \
  --provider-insecure-skip-tls

# Update token for OpenShift provider
kubectl mtv patch provider --name remote-openshift \
  --provider-token new-service-account-token

Update Credentials (Owned Secrets Only)

# Update username and password
kubectl mtv patch provider --name vsphere-prod \
  --username new-admin@vsphere.local \
  --password NewSecurePassword

# Update only password
kubectl mtv patch provider --name vsphere-prod \
  --password UpdatedPassword

# Update OpenStack domain and project
kubectl mtv patch provider --name openstack-prod \
  --provider-domain-name NewDomain \
  --provider-project-name NewProject

# Update EC2 region
kubectl mtv patch provider --name ec2-prod \
  --ec2-region us-west-2

# Update EC2 target region and AZ
kubectl mtv patch provider --name ec2-prod \
  --target-region us-west-2 \
  --target-az us-west-2c

# Update EC2 credentials and region
kubectl mtv patch provider --name ec2-prod \
  --username NEW_ACCESS_KEY_ID \
  --password NEW_SECRET_ACCESS_KEY \
  --ec2-region eu-west-1

# Update HyperV credentials
kubectl mtv patch provider --name my-hyperv \
  --username NewAdmin \
  --password NewPassword

# Update HyperV SMB share URL and credentials
kubectl mtv patch provider --name my-hyperv \
  --smb-url '//new-server/share' \
  --smb-user new-smb-user \
  --smb-password NewSmbPassword

Note: Use --region as a convenient alias for --provider-region-name (OpenStack). For EC2 providers, use --ec2-region instead.

Update CA Certificates

# Update CA certificate from file
kubectl mtv patch provider --name vsphere-prod \
  --cacert @/path/to/new-ca-certificate.pem

# Remove CA certificate (empty string)
kubectl mtv patch provider --name vsphere-prod \
  --cacert ""

# Add CA certificate where none existed
kubectl mtv patch provider --name vsphere-prod \
  --cacert @/path/to/ca-certificate.pem

Update VDDK Settings

# Update VDDK init image
kubectl mtv patch provider --name vsphere-prod \
  --vddk-init-image quay.io/your-registry/vddk:8.0.2

# Enable VDDK AIO optimization
kubectl mtv patch provider --name vsphere-prod \
  --use-vddk-aio-optimization

# Update VDDK buffer settings
kubectl mtv patch provider --name vsphere-prod \
  --vddk-buf-size-in-64k 128 \
  --vddk-buf-count 16

# Disable VDDK AIO optimization
kubectl mtv patch provider --name vsphere-prod \
  --use-vddk-aio-optimization=false

Update ESXi Clone Method (vSphere Only)

# Set ESXi clone method to VIB
kubectl mtv patch provider --name vsphere-prod \
  --esxi-clone-method vib

# Set ESXi clone method to SSH
kubectl mtv patch provider --name vsphere-prod \
  --esxi-clone-method ssh

Handling Shared Secrets

When you encounter a shared secret error:

# Error message example:
# Error: cannot patch credentials for provider 'vsphere-prod': secret 'shared-creds' is not owned by this provider.
# This usually means the secret was created independently and is shared by multiple providers.
# To update credentials, either:
# 1. Update the secret directly: kubectl patch secret shared-creds -p '{...}'
# 2. Create a new secret and update the provider to use it: kubectl patch provider vsphere-prod --secret new-secret-name

Solution 1: Update the Secret Directly

# Update shared secret directly
kubectl patch secret shared-creds -p '{"data":{"user":"'$(echo -n "new-username" | base64)'","password":"'$(echo -n "new-password" | base64)'"}}'

# Or using kubectl create secret with --dry-run and --save-config
kubectl create secret generic shared-creds \
  --from-literal=user=new-username \
  --from-literal=password=new-password \
  --dry-run=client -o yaml | kubectl apply -f -

Solution 2: Recreate Provider with New Secret

# Create new secret
kubectl create secret generic new-vsphere-creds \
  --from-literal=user=new-username \
  --from-literal=password=new-password

# Delete the old provider and recreate it pointing to the new secret
kubectl mtv delete provider --name vsphere-prod

kubectl mtv create provider --name vsphere-prod --type vsphere \
  --url https://vcenter.example.com/sdk \
  --secret new-vsphere-creds

Verification and Monitoring

# Verify provider status after patching
kubectl mtv get provider --name vsphere-prod

# Check provider details
kubectl mtv describe provider --name vsphere-prod

# Test provider connectivity (through inventory)
kubectl mtv get inventory providers --name vsphere-prod

Provider Configuration Examples

Complete vSphere Production Setup

# 1. Create optimized vSphere provider
kubectl mtv create provider --name vsphere-production --type vsphere \
  --url https://vcenter.prod.company.com/sdk \
  --username svc-migration@vsphere.local \
  --password $(cat /secure/vsphere-password) \
  --cacert @/etc/ssl/certs/vcenter-ca.pem \
  --vddk-init-image quay.io/company/vddk:8.0.1 \
  --use-vddk-aio-optimization \
  --vddk-buf-size-in-64k 64 \
  --vddk-buf-count 8

# 2. Create target OpenShift provider
kubectl mtv create provider --name openshift-target --type openshift

# 3. Verify providers
kubectl mtv get providers
kubectl mtv describe provider --name vsphere-production

Multi-Region OpenStack Setup

# West region provider
kubectl mtv create provider --name openstack-west --type openstack \
  --url https://west.openstack.company.com:5000/v3 \
  --username migration-user \
  --password SecurePassword123 \
  --provider-domain-name Production \
  --provider-project-name Migration \
  --provider-region-name us-west-2

# East region provider  
kubectl mtv create provider --name openstack-east --type openstack \
  --url https://east.openstack.company.com:5000/v3 \
  --username migration-user \
  --password SecurePassword123 \
  --provider-domain-name Production \
  --provider-project-name Migration \
  --provider-region-name us-east-1

Development/Testing Setup

# Test vSphere provider with TLS disabled
kubectl mtv create provider --name vsphere-dev --type vsphere \
  --url https://vcenter-dev.internal/sdk \
  --username administrator@vsphere.local \
  --password DevPassword123 \
  --provider-insecure-skip-tls

# Local test OpenShift
kubectl mtv create provider --name openshift-dev --type openshift

Best Practices for Provider Management

Security Best Practices

Use Strong Credentials:

# Generate secure passwords
openssl rand -base64 32
   
# Use service accounts with minimal required permissions
kubectl mtv create provider --name vsphere-prod --type vsphere \
  --username svc-migration@vsphere.local

Certificate Validation:

# Always use CA certificates in production
kubectl mtv create provider --name vsphere-prod --type vsphere \
  --cacert @/path/to/ca-cert.pem
   
# Only skip TLS for development
kubectl mtv create provider --name vsphere-dev --type vsphere \
  --provider-insecure-skip-tls

Secret Management:

# Use external secret management when possible
kubectl create secret generic vsphere-creds \
  --from-file=user=<(echo -n "username") \
  --from-file=password=<(echo -n "password")

Performance Optimization

VDDK Configuration:

# Use VDDK for VMware (significant performance improvement)
kubectl mtv create provider --name vsphere-prod --type vsphere \
  --vddk-init-image quay.io/your-registry/vddk:latest \
  --use-vddk-aio-optimization \
  --vddk-buf-size-in-64k 64 \
  --vddk-buf-count 8

Endpoint Selection:

# Use ESXi direct connection for better performance
kubectl mtv create provider --name esxi-direct --type vsphere \
  --sdk-endpoint esxi \
  --url https://esxi-host.example.com/sdk

Naming and Organization

Consistent Naming:

# Environment-specific naming
kubectl mtv create provider --name vsphere-prod --type vsphere
kubectl mtv create provider --name vsphere-dev --type vsphere
kubectl mtv create provider --name vsphere-test --type vsphere
   
# Location-specific naming  
kubectl mtv create provider --name openstack-west --type openstack
kubectl mtv create provider --name openstack-east --type openstack

Namespace Organization:

# Separate namespaces for different environments
kubectl create namespace migration-prod
kubectl create namespace migration-dev
   
# Create providers in appropriate namespaces
kubectl mtv create provider --name vsphere-prod --type vsphere --namespace migration-prod
kubectl mtv create provider --name vsphere-dev --type vsphere --namespace migration-dev

Troubleshooting Provider Issues

Common Provider Problems

Connection Issues

# Test provider connectivity
kubectl mtv get inventory providers --name vsphere-prod

# Check provider status
kubectl mtv describe provider --name vsphere-prod

# Enable debug logging
kubectl mtv get inventory providers --name vsphere-prod -v=2

Authentication Problems

# Verify secret contents
kubectl get secret -o yaml provider-secret-name

# Check provider credentials
kubectl mtv describe provider --name vsphere-prod | grep -i secret

# Test with updated credentials
kubectl mtv patch provider --name vsphere-prod \
  --username updated-user \
  --password updated-password

Certificate Issues

# Check certificate format
openssl x509 -in ca-cert.pem -text -noout

# Update certificate
kubectl mtv patch provider --name vsphere-prod \
  --cacert @/path/to/correct-ca.pem

# Temporarily disable TLS for testing
kubectl mtv patch provider --name vsphere-test \
  --provider-insecure-skip-tls

Provider Status and Health

# Check all provider statuses
kubectl mtv get providers --output yaml | grep -A5 -B5 "conditions:"

# Monitor provider health
kubectl mtv get inventory providers --name vsphere-prod --watch

# Get detailed provider information
kubectl get provider vsphere-prod -o yaml

Next Steps

After mastering provider management:

Explore Inventory: Learn to discover and query VMs in Chapter 9: Inventory Management
Create Migration Hosts: Set up direct ESXi connections in Chapter 7: Migration Host Management
Configure VDDK: Optimize VMware transfers in Chapter 8: VDDK Image Creation and Configuration
Plan Migrations: Create migration plans in Chapter 13: Migration Plan Creation

Previous: Chapter 5: Conversion Migration
Next: Chapter 7: Migration Host Management