bd71d665de
* Provisioning: add public_app_url instance setting for external URLs Introduces the [provisioning] public_app_url setting to expose a publicly-reachable URL for instances whose [server] root_url points at an internal/cluster host. Both webhook callbacks registered with the Git provider and screenshot images embedded in PR comments fall back through this setting when set, so a single instance-level knob fixes both the unreachable-webhook and broken-PR-image-render cases without overloading the per-repository spec.webhook.baseUrl contract. Resolution chains: - Webhook URL: spec.webhook.baseUrl -> public_app_url -> AppURL - Screenshot URL: public_app_url -> AppURL Screenshots intentionally do not consult spec.webhook.baseUrl — per-repo webhook overrides remain a webhook-only concern, keeping the two contracts independent at the consumer layer. Alternative to #123004. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * Provisioning: rename public_app_url to public_root_url The setting shadows [server] root_url as a fallback, so naming it public_root_url makes the relationship obvious — operators searching docs for "root_url" will land on the correct setting. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * Provisioning: keep clickable links on AppURL even when public_root_url is set The previous revision flipped the entire urlProvider closure to public_root_url, which also moved the GrafanaURL and PreviewURL clickable links in PR comments onto the public URL. That's wrong for the common reviewer scenario: clicks travel from a human's browser on the corp network, and the public URL is often firewalled to the Git provider's CIDRs only — internal reviewers would 403 on their own preview links. Split into two closures: internalURLProvider (returns AppURL, fed to the evaluator's urlProvider for clickable links) and publicURLProvider (returns public_root_url || AppURL, fed to the webhook builder and as screenshotBaseURL for image embeds). Webhooks and screenshots stay public-reachable; clickable links stay corp-network-friendly. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * Provisioning: fall back to public_root_url for operator webhook registration The operator runs as a separate process and previously needed [operator] provisioning_server_public_url to be set explicitly to register webhooks. With public_root_url now defined at the instance level, fall back to it when the operator-specific knob is unset, so a single config drives both the in-process and operator deployments. If neither is set, behavior is unchanged (no webhook registered). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * Provisioning: scope public_root_url to on-prem only The operator deployment path runs in a different topology and is not the target audience for the on-prem dual-network use case that motivates public_root_url. Reverting the operator-side wiring so the setting stays purely an on-prem concern; can revisit if/when operator deployments grow the same need. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * Provisioning: trim operator jobs.go to minimal NewEvaluator signature change Operator path doesn't consume public_root_url; only the new screenshotBaseURL argument is wired (passing AppURL, unused at runtime due to NoOp renderer). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * Provisioning: replace evaluator's split URL args with URLProvider struct NewEvaluator previously took urlProvider and screenshotBaseURL as separate arguments, which forced the operator path to invent a screenshotBaseURL value (cfg.AppURL) it didn't actually need. Wrap both into a URLProvider struct with Internal and Public fields — each caller fills in what it knows: - In-process Grafana: Internal=AppURL, Public=public_root_url||AppURL. - Operator (NoOp renderer, no public/internal split): Internal=Public= the existing per-tenant urlProvider from controllerCfg. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
5.4 KiB
| description | keywords | labels | title | weight | canonical | aliases | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Instructions for extending Git Sync for real-time notification and image rendering. |
|
|
Instantaneous pulling and dashboard previews | 300 | https://grafana.com/docs/grafana/latest/as-code/observability-as-code/git-sync/git-sync-setup/set-up-extend/ |
Set up instantaneous pulling and dashboard previews in Pull Requests
{{< admonition type="note" >}}
Git Sync is now GA for Grafana Cloud, OSS and Enterprise. Refer to Usage and performance limitations to understand usage limits for the different tiers.
Contact Grafana for support or to report any issues you encounter and help us improve this feature.
{{< /admonition >}}
After setup, you can optionally extend Git Sync by enabling pull request notifications and image previews of dashboard changes.
| Capability | Benefit | Requires |
|---|---|---|
| A table summarizing changes to your pull request | A convenient way to save changes back to GitHub | Webhooks configured |
| A dashboard preview image to a PR | A snapshot of dashboard changes to a pull request outside Grafana | Image renderer and webhooks configured |
Set up webhooks for real-time notification and pull request integration
Real-time notifications (or automatic pulling) is enabled and configured by default in Grafana Cloud.
In Grafana OSS/Enterprise, Git Sync uses webhooks to enable real-time updates from GitHub public repositories, or to enable pull request integrations. Without webhooks the polling interval is set during configuration, and is 60 seconds by default. You can set up webhooks with whichever service or tooling you prefer: Cloudflare Tunnels with a Cloudflare-managed domain, port-forwarding and DNS options, or a tool such as ngrok.
To set up webhooks:
- Expose your Grafana instance to the public Internet.
- Use port forwarding and DNS, a tool such as
ngrok, or any other method you prefer. - The permissions set in your GitHub access token provide the authorization for this communication.
- After you have the public URL, add it to your Grafana configuration file:
[server]
root_url = https://<PUBLIC_DOMAIN>
- Replace
<PUBLIC_DOMAIN>with your public domain.
To check the configured webhooks, go to Administration > General > Provisioning and click the View link for your GitHub repository.
{{< admonition type="note" >}}
If your [server] root_url must point at an internal address (for example, when Grafana runs behind a private ingress in a Kubernetes cluster), set the publicly-reachable URL with [provisioning] public_root_url instead. This URL is used both to register webhook callbacks with the Git provider and as the base for screenshot images embedded in pull-request comments, which the Git provider's servers fetch from the public internet.
[server]
root_url = http://internal.cluster.local
[provisioning]
public_root_url = https://<PUBLIC_DOMAIN>
The per-repository spec.webhook.baseUrl field still overrides public_root_url for webhook registration; screenshot URLs always use public_root_url (or root_url when unset).
{{< /admonition >}}
Expose necessary paths only
If your security setup doesn't permit publicly exposing the Grafana instance, you can either choose to allowlist the GitHub IP addresses, or expose only the necessary paths.
The necessary paths required to be exposed are, in RegExp:
/apis/provisioning\.grafana\.app/v0(alpha1)?/namespaces/[^/]+/repositories/[^/]+/(webhook|render/.*)$
Set up image rendering for dashboard previews
{{< admonition type="caution" >}}
Only available in Grafana OSS and Grafana Enterprise.
{{< /admonition >}}
Set up image rendering to add visual previews of dashboard updates directly in pull requests. Image rendering also requires webhooks.
To enable this capability, install the Grafana Image Renderer in your Grafana instance. For more information and installation instructions, refer to the Image Renderer service.
Next steps
To learn more about using Git Sync refer to the following documents: