ran prettier

* WIP: mutator added, start working on validator

* first validator iteration

* second validator iteration

* wip: working on integration tests

* re-working mutation and validation, using Connection interface

* fixing some rebase things

* fixing integration tests

* formatting

* fixing unit tests

* k8s codegen

* linting

* moving tests which are available only for enterprise

* addressing comments: using repo config for connections, updating tests

* addressing comments: adding some more info in the app and installation

* fixing app data

* addressing comments: updating connection implementation

* addressing comments

* formatting

* fixing tests

apps/provisioning/pkg/apis/provisioning/v0alpha1/connections.go

@@ -32,7 +32,7 @@ type ConnectionSecure struct {
 
 	// Token is the reference of the token used to act as the Connection.
 	// This value is stored securely and cannot be read back
-	Token common.InlineSecureValue `json:"webhook,omitzero,omitempty"`
+	Token common.InlineSecureValue `json:"token,omitzero,omitempty"`
 }
 
 func (v ConnectionSecure) IsZero() bool {

apps/provisioning/pkg/apis/provisioning/v0alpha1/zz_generated.openapi.go

@@ -320,7 +320,7 @@ func schema_pkg_apis_provisioning_v0alpha1_ConnectionSecure(ref common.Reference
 							Ref:         ref("github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1.InlineSecureValue"),
 						},
 					},
-					"webhook": {
+					"token": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Token is the reference of the token used to act as the Connection. This value is stored securely and cannot be read back",
 							Default:     map[string]interface{}{},

apps/provisioning/pkg/apis/provisioning/v0alpha1/zz_generated.openapi_violation_exceptions.list

@@ -22,7 +22,6 @@ API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioni
 API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,ResourceList,Items
 API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,TestResults,Errors
 API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,WebhookStatus,SubscribedEvents
-API rule violation: names_match,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,ConnectionSecure,Token
 API rule violation: names_match,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,ConnectionSpec,GitHub
 API rule violation: names_match,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,JobSpec,PullRequest
 API rule violation: names_match,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,JobStatus,URLs

apps/provisioning/pkg/connection/connection.go

@@ -0,0 +1,16 @@
+package connection
+
+import (
+	"context"
+)
+
+//go:generate mockery --name Connection --structname MockConnection --inpackage --filename connection_mock.go --with-expecter
+type Connection interface {
+	// Validate ensures the resource _looks_ correct.
+	// It should be called before trying to upsert a resource into the Kubernetes API server.
+	// This is not an indication that the connection information works, just that they are reasonably configured.
+	Validate(ctx context.Context) error
+
+	// Mutate performs in place mutation of the underneath resource.
+	Mutate(context.Context) error
+}

apps/provisioning/pkg/connection/connection_mock.go

@@ -0,0 +1,128 @@
+// Code generated by mockery v2.53.4. DO NOT EDIT.
+
+package connection
+
+import (
+	context "context"
+
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockConnection is an autogenerated mock type for the Connection type
+type MockConnection struct {
+	mock.Mock
+}
+
+type MockConnection_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockConnection) EXPECT() *MockConnection_Expecter {
+	return &MockConnection_Expecter{mock: &_m.Mock}
+}
+
+// Mutate provides a mock function with given fields: _a0
+func (_m *MockConnection) Mutate(_a0 context.Context) error {
+	ret := _m.Called(_a0)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Mutate")
+	}
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(context.Context) error); ok {
+		r0 = rf(_a0)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// MockConnection_Mutate_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Mutate'
+type MockConnection_Mutate_Call struct {
+	*mock.Call
+}
+
+// Mutate is a helper method to define mock.On call
+//   - _a0 context.Context
+func (_e *MockConnection_Expecter) Mutate(_a0 interface{}) *MockConnection_Mutate_Call {
+	return &MockConnection_Mutate_Call{Call: _e.mock.On("Mutate", _a0)}
+}
+
+func (_c *MockConnection_Mutate_Call) Run(run func(_a0 context.Context)) *MockConnection_Mutate_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context))
+	})
+	return _c
+}
+
+func (_c *MockConnection_Mutate_Call) Return(_a0 error) *MockConnection_Mutate_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockConnection_Mutate_Call) RunAndReturn(run func(context.Context) error) *MockConnection_Mutate_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Validate provides a mock function with given fields: ctx
+func (_m *MockConnection) Validate(ctx context.Context) error {
+	ret := _m.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Validate")
+	}
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(context.Context) error); ok {
+		r0 = rf(ctx)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// MockConnection_Validate_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Validate'
+type MockConnection_Validate_Call struct {
+	*mock.Call
+}
+
+// Validate is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *MockConnection_Expecter) Validate(ctx interface{}) *MockConnection_Validate_Call {
+	return &MockConnection_Validate_Call{Call: _e.mock.On("Validate", ctx)}
+}
+
+func (_c *MockConnection_Validate_Call) Run(run func(ctx context.Context)) *MockConnection_Validate_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context))
+	})
+	return _c
+}
+
+func (_c *MockConnection_Validate_Call) Return(_a0 error) *MockConnection_Validate_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockConnection_Validate_Call) RunAndReturn(run func(context.Context) error) *MockConnection_Validate_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockConnection creates a new instance of MockConnection. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockConnection(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockConnection {
+	mock := &MockConnection{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

apps/provisioning/pkg/connection/extra_mock.go

@@ -0,0 +1,141 @@
+// Code generated by mockery v2.53.4. DO NOT EDIT.
+
+package connection
+
+import (
+	context "context"
+
+	v0alpha1 "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockExtra is an autogenerated mock type for the Extra type
+type MockExtra struct {
+	mock.Mock
+}
+
+type MockExtra_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockExtra) EXPECT() *MockExtra_Expecter {
+	return &MockExtra_Expecter{mock: &_m.Mock}
+}
+
+// Build provides a mock function with given fields: ctx, r
+func (_m *MockExtra) Build(ctx context.Context, r *v0alpha1.Connection) (Connection, error) {
+	ret := _m.Called(ctx, r)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Build")
+	}
+
+	var r0 Connection
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, *v0alpha1.Connection) (Connection, error)); ok {
+		return rf(ctx, r)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, *v0alpha1.Connection) Connection); ok {
+		r0 = rf(ctx, r)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(Connection)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, *v0alpha1.Connection) error); ok {
+		r1 = rf(ctx, r)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockExtra_Build_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Build'
+type MockExtra_Build_Call struct {
+	*mock.Call
+}
+
+// Build is a helper method to define mock.On call
+//   - ctx context.Context
+//   - r *v0alpha1.Connection
+func (_e *MockExtra_Expecter) Build(ctx interface{}, r interface{}) *MockExtra_Build_Call {
+	return &MockExtra_Build_Call{Call: _e.mock.On("Build", ctx, r)}
+}
+
+func (_c *MockExtra_Build_Call) Run(run func(ctx context.Context, r *v0alpha1.Connection)) *MockExtra_Build_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(*v0alpha1.Connection))
+	})
+	return _c
+}
+
+func (_c *MockExtra_Build_Call) Return(_a0 Connection, _a1 error) *MockExtra_Build_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockExtra_Build_Call) RunAndReturn(run func(context.Context, *v0alpha1.Connection) (Connection, error)) *MockExtra_Build_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Type provides a mock function with no fields
+func (_m *MockExtra) Type() v0alpha1.ConnectionType {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Type")
+	}
+
+	var r0 v0alpha1.ConnectionType
+	if rf, ok := ret.Get(0).(func() v0alpha1.ConnectionType); ok {
+		r0 = rf()
+	} else {
+		r0 = ret.Get(0).(v0alpha1.ConnectionType)
+	}
+
+	return r0
+}
+
+// MockExtra_Type_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Type'
+type MockExtra_Type_Call struct {
+	*mock.Call
+}
+
+// Type is a helper method to define mock.On call
+func (_e *MockExtra_Expecter) Type() *MockExtra_Type_Call {
+	return &MockExtra_Type_Call{Call: _e.mock.On("Type")}
+}
+
+func (_c *MockExtra_Type_Call) Run(run func()) *MockExtra_Type_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockExtra_Type_Call) Return(_a0 v0alpha1.ConnectionType) *MockExtra_Type_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockExtra_Type_Call) RunAndReturn(run func() v0alpha1.ConnectionType) *MockExtra_Type_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockExtra creates a new instance of MockExtra. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockExtra(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockExtra {
+	mock := &MockExtra{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

apps/provisioning/pkg/connection/factory.go

@@ -0,0 +1,75 @@
+package connection
+
+import (
+	"context"
+	"fmt"
+	"sort"
+
+	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+)
+
+//go:generate mockery --name=Extra --structname=MockExtra --inpackage --filename=extra_mock.go --with-expecter
+type Extra interface {
+	Type() provisioning.ConnectionType
+	Build(ctx context.Context, r *provisioning.Connection) (Connection, error)
+}
+
+//go:generate mockery --name=Factory --structname=MockFactory --inpackage --filename=factory_mock.go --with-expecter
+type Factory interface {
+	Types() []provisioning.ConnectionType
+	Build(ctx context.Context, r *provisioning.Connection) (Connection, error)
+}
+
+type factory struct {
+	extras  map[provisioning.ConnectionType]Extra
+	enabled map[provisioning.ConnectionType]struct{}
+}
+
+func ProvideFactory(enabled map[provisioning.ConnectionType]struct{}, extras []Extra) (Factory, error) {
+	f := &factory{
+		enabled: enabled,
+		extras:  make(map[provisioning.ConnectionType]Extra, len(extras)),
+	}
+
+	for _, e := range extras {
+		if _, exists := f.extras[e.Type()]; exists {
+			return nil, fmt.Errorf("connection type %q is already registered", e.Type())
+		}
+		f.extras[e.Type()] = e
+	}
+
+	return f, nil
+}
+
+func (f *factory) Types() []provisioning.ConnectionType {
+	var types []provisioning.ConnectionType
+	for t := range f.enabled {
+		if _, exists := f.extras[t]; exists {
+			types = append(types, t)
+		}
+	}
+
+	sort.Slice(types, func(i, j int) bool {
+		return string(types[i]) < string(types[j])
+	})
+
+	return types
+}
+
+func (f *factory) Build(ctx context.Context, c *provisioning.Connection) (Connection, error) {
+	for _, e := range f.extras {
+		if e.Type() == c.Spec.Type {
+			if _, enabled := f.enabled[e.Type()]; !enabled {
+				return nil, fmt.Errorf("connection type %q is not enabled", e.Type())
+			}
+
+			return e.Build(ctx, c)
+		}
+	}
+
+	return nil, fmt.Errorf("connection type %q is not supported", c.Spec.Type)
+}
+
+var (
+	_ Factory = (*factory)(nil)
+)

apps/provisioning/pkg/connection/factory_mock.go

@@ -0,0 +1,143 @@
+// Code generated by mockery v2.53.4. DO NOT EDIT.
+
+package connection
+
+import (
+	context "context"
+
+	v0alpha1 "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockFactory is an autogenerated mock type for the Factory type
+type MockFactory struct {
+	mock.Mock
+}
+
+type MockFactory_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockFactory) EXPECT() *MockFactory_Expecter {
+	return &MockFactory_Expecter{mock: &_m.Mock}
+}
+
+// Build provides a mock function with given fields: ctx, r
+func (_m *MockFactory) Build(ctx context.Context, r *v0alpha1.Connection) (Connection, error) {
+	ret := _m.Called(ctx, r)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Build")
+	}
+
+	var r0 Connection
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, *v0alpha1.Connection) (Connection, error)); ok {
+		return rf(ctx, r)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, *v0alpha1.Connection) Connection); ok {
+		r0 = rf(ctx, r)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(Connection)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, *v0alpha1.Connection) error); ok {
+		r1 = rf(ctx, r)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockFactory_Build_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Build'
+type MockFactory_Build_Call struct {
+	*mock.Call
+}
+
+// Build is a helper method to define mock.On call
+//   - ctx context.Context
+//   - r *v0alpha1.Connection
+func (_e *MockFactory_Expecter) Build(ctx interface{}, r interface{}) *MockFactory_Build_Call {
+	return &MockFactory_Build_Call{Call: _e.mock.On("Build", ctx, r)}
+}
+
+func (_c *MockFactory_Build_Call) Run(run func(ctx context.Context, r *v0alpha1.Connection)) *MockFactory_Build_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(*v0alpha1.Connection))
+	})
+	return _c
+}
+
+func (_c *MockFactory_Build_Call) Return(_a0 Connection, _a1 error) *MockFactory_Build_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockFactory_Build_Call) RunAndReturn(run func(context.Context, *v0alpha1.Connection) (Connection, error)) *MockFactory_Build_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Types provides a mock function with no fields
+func (_m *MockFactory) Types() []v0alpha1.ConnectionType {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Types")
+	}
+
+	var r0 []v0alpha1.ConnectionType
+	if rf, ok := ret.Get(0).(func() []v0alpha1.ConnectionType); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]v0alpha1.ConnectionType)
+		}
+	}
+
+	return r0
+}
+
+// MockFactory_Types_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Types'
+type MockFactory_Types_Call struct {
+	*mock.Call
+}
+
+// Types is a helper method to define mock.On call
+func (_e *MockFactory_Expecter) Types() *MockFactory_Types_Call {
+	return &MockFactory_Types_Call{Call: _e.mock.On("Types")}
+}
+
+func (_c *MockFactory_Types_Call) Run(run func()) *MockFactory_Types_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockFactory_Types_Call) Return(_a0 []v0alpha1.ConnectionType) *MockFactory_Types_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockFactory_Types_Call) RunAndReturn(run func() []v0alpha1.ConnectionType) *MockFactory_Types_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockFactory creates a new instance of MockFactory. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockFactory(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockFactory {
+	mock := &MockFactory{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

apps/provisioning/pkg/connection/factory_test.go

@@ -0,0 +1,309 @@
+package connection
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestProvideFactory(t *testing.T) {
+	t.Run("should create factory with valid extras", func(t *testing.T) {
+		extra1 := NewMockExtra(t)
+		extra1.EXPECT().Type().Return(provisioning.GithubConnectionType)
+
+		extra2 := NewMockExtra(t)
+		extra2.EXPECT().Type().Return(provisioning.GitlabConnectionType)
+
+		enabled := map[provisioning.ConnectionType]struct{}{
+			provisioning.GithubConnectionType: {},
+			provisioning.GitlabConnectionType: {},
+		}
+
+		factory, err := ProvideFactory(enabled, []Extra{extra1, extra2})
+		require.NoError(t, err)
+		require.NotNil(t, factory)
+	})
+
+	t.Run("should create factory with empty extras", func(t *testing.T) {
+		enabled := map[provisioning.ConnectionType]struct{}{}
+
+		factory, err := ProvideFactory(enabled, []Extra{})
+		require.NoError(t, err)
+		require.NotNil(t, factory)
+	})
+
+	t.Run("should create factory with nil enabled map", func(t *testing.T) {
+		extra1 := NewMockExtra(t)
+		extra1.EXPECT().Type().Return(provisioning.GithubConnectionType)
+
+		factory, err := ProvideFactory(nil, []Extra{extra1})
+		require.NoError(t, err)
+		require.NotNil(t, factory)
+	})
+
+	t.Run("should return error when duplicate repository types", func(t *testing.T) {
+		extra1 := NewMockExtra(t)
+		extra1.EXPECT().Type().Return(provisioning.GithubConnectionType)
+
+		extra2 := NewMockExtra(t)
+		extra2.EXPECT().Type().Return(provisioning.GithubConnectionType)
+
+		enabled := map[provisioning.ConnectionType]struct{}{
+			provisioning.GithubConnectionType: {},
+		}
+
+		factory, err := ProvideFactory(enabled, []Extra{extra1, extra2})
+		require.Error(t, err)
+		assert.Nil(t, factory)
+		assert.Contains(t, err.Error(), "connection type \"github\" is already registered")
+	})
+}
+
+func TestFactory_Types(t *testing.T) {
+	t.Run("should return only enabled types that have extras", func(t *testing.T) {
+		extra1 := NewMockExtra(t)
+		extra1.EXPECT().Type().Return(provisioning.GithubConnectionType)
+
+		extra2 := NewMockExtra(t)
+		extra2.EXPECT().Type().Return(provisioning.GitlabConnectionType)
+
+		enabled := map[provisioning.ConnectionType]struct{}{
+			provisioning.GithubConnectionType: {},
+			provisioning.GitlabConnectionType: {},
+		}
+
+		factory, err := ProvideFactory(enabled, []Extra{extra1, extra2})
+		require.NoError(t, err)
+
+		types := factory.Types()
+		assert.Len(t, types, 2)
+		assert.Contains(t, types, provisioning.GithubConnectionType)
+		assert.Contains(t, types, provisioning.GitlabConnectionType)
+	})
+
+	t.Run("should return sorted list of types", func(t *testing.T) {
+		extra1 := NewMockExtra(t)
+		extra1.EXPECT().Type().Return(provisioning.GitlabConnectionType)
+
+		extra2 := NewMockExtra(t)
+		extra2.EXPECT().Type().Return(provisioning.GithubConnectionType)
+
+		enabled := map[provisioning.ConnectionType]struct{}{
+			provisioning.GithubConnectionType: {},
+			provisioning.GitlabConnectionType: {},
+		}
+
+		factory, err := ProvideFactory(enabled, []Extra{extra1, extra2})
+		require.NoError(t, err)
+
+		types := factory.Types()
+		assert.Len(t, types, 2)
+		// github should come before gitlab alphabetically
+		assert.Equal(t, provisioning.GithubConnectionType, types[0])
+		assert.Equal(t, provisioning.GitlabConnectionType, types[1])
+	})
+
+	t.Run("should return empty list when no types are enabled", func(t *testing.T) {
+		extra1 := NewMockExtra(t)
+		extra1.EXPECT().Type().Return(provisioning.GithubConnectionType)
+
+		enabled := map[provisioning.ConnectionType]struct{}{}
+
+		factory, err := ProvideFactory(enabled, []Extra{extra1})
+		require.NoError(t, err)
+
+		types := factory.Types()
+		assert.Empty(t, types)
+	})
+
+	t.Run("should not return types that are enabled but have no extras", func(t *testing.T) {
+		extra1 := NewMockExtra(t)
+		extra1.EXPECT().Type().Return(provisioning.GithubConnectionType)
+
+		enabled := map[provisioning.ConnectionType]struct{}{
+			provisioning.GithubConnectionType: {},
+			provisioning.GitlabConnectionType: {},
+		}
+
+		factory, err := ProvideFactory(enabled, []Extra{extra1})
+		require.NoError(t, err)
+
+		types := factory.Types()
+		assert.Len(t, types, 1)
+		assert.Contains(t, types, provisioning.GithubConnectionType)
+		assert.NotContains(t, types, provisioning.GitlabConnectionType)
+	})
+
+	t.Run("should not return types that have extras but are not enabled", func(t *testing.T) {
+		extra1 := NewMockExtra(t)
+		extra1.EXPECT().Type().Return(provisioning.GithubConnectionType)
+
+		extra2 := NewMockExtra(t)
+		extra2.EXPECT().Type().Return(provisioning.GitlabConnectionType)
+
+		enabled := map[provisioning.ConnectionType]struct{}{
+			provisioning.GithubConnectionType: {},
+		}
+
+		factory, err := ProvideFactory(enabled, []Extra{extra1, extra2})
+		require.NoError(t, err)
+
+		types := factory.Types()
+		assert.Len(t, types, 1)
+		assert.Contains(t, types, provisioning.GithubConnectionType)
+		assert.NotContains(t, types, provisioning.GitlabConnectionType)
+	})
+
+	t.Run("should return empty list when no extras are provided", func(t *testing.T) {
+		enabled := map[provisioning.ConnectionType]struct{}{
+			provisioning.GithubConnectionType: {},
+		}
+
+		factory, err := ProvideFactory(enabled, []Extra{})
+		require.NoError(t, err)
+
+		types := factory.Types()
+		assert.Empty(t, types)
+	})
+}
+
+func TestFactory_Build(t *testing.T) {
+	t.Run("should successfully build connection when type is enabled and has extra", func(t *testing.T) {
+		ctx := context.Background()
+		conn := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GithubConnectionType,
+			},
+		}
+
+		mockConnection := NewMockConnection(t)
+		extra := NewMockExtra(t)
+		extra.EXPECT().Type().Return(provisioning.GithubConnectionType)
+		extra.EXPECT().Build(ctx, conn).Return(mockConnection, nil)
+
+		enabled := map[provisioning.ConnectionType]struct{}{
+			provisioning.GithubConnectionType: {},
+		}
+
+		factory, err := ProvideFactory(enabled, []Extra{extra})
+		require.NoError(t, err)
+
+		result, err := factory.Build(ctx, conn)
+		require.NoError(t, err)
+		assert.Equal(t, mockConnection, result)
+	})
+
+	t.Run("should return error when type is not enabled", func(t *testing.T) {
+		ctx := context.Background()
+		conn := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GitlabConnectionType,
+			},
+		}
+
+		extra := NewMockExtra(t)
+		extra.EXPECT().Type().Return(provisioning.GitlabConnectionType)
+
+		enabled := map[provisioning.ConnectionType]struct{}{
+			provisioning.GithubConnectionType: {},
+		}
+
+		factory, err := ProvideFactory(enabled, []Extra{extra})
+		require.NoError(t, err)
+
+		result, err := factory.Build(ctx, conn)
+		require.Error(t, err)
+		assert.Nil(t, result)
+		assert.Contains(t, err.Error(), "connection type \"gitlab\" is not enabled")
+	})
+
+	t.Run("should return error when type is not supported", func(t *testing.T) {
+		ctx := context.Background()
+		conn := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GitlabConnectionType,
+			},
+		}
+
+		extra := NewMockExtra(t)
+		extra.EXPECT().Type().Return(provisioning.GithubConnectionType)
+
+		enabled := map[provisioning.ConnectionType]struct{}{
+			provisioning.GithubConnectionType: {},
+		}
+
+		factory, err := ProvideFactory(enabled, []Extra{extra})
+		require.NoError(t, err)
+
+		result, err := factory.Build(ctx, conn)
+		require.Error(t, err)
+		assert.Nil(t, result)
+		assert.Contains(t, err.Error(), "connection type \"gitlab\" is not supported")
+	})
+
+	t.Run("should pass through errors from extra.Build()", func(t *testing.T) {
+		ctx := context.Background()
+		conn := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GithubConnectionType,
+			},
+		}
+
+		expectedErr := errors.New("build error")
+		extra := NewMockExtra(t)
+		extra.EXPECT().Type().Return(provisioning.GithubConnectionType)
+		extra.EXPECT().Build(ctx, conn).Return(nil, expectedErr)
+
+		enabled := map[provisioning.ConnectionType]struct{}{
+			provisioning.GithubConnectionType: {},
+		}
+
+		factory, err := ProvideFactory(enabled, []Extra{extra})
+		require.NoError(t, err)
+
+		result, err := factory.Build(ctx, conn)
+		require.Error(t, err)
+		assert.Nil(t, result)
+		assert.Equal(t, expectedErr, err)
+	})
+
+	t.Run("should build with multiple extras registered", func(t *testing.T) {
+		ctx := context.Background()
+		conn := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GitlabConnectionType,
+			},
+		}
+
+		mockConnection := NewMockConnection(t)
+
+		extra1 := NewMockExtra(t)
+		extra1.EXPECT().Type().Return(provisioning.GithubConnectionType)
+
+		extra2 := NewMockExtra(t)
+		extra2.EXPECT().Type().Return(provisioning.GitlabConnectionType)
+		extra2.EXPECT().Build(ctx, conn).Return(mockConnection, nil)
+
+		enabled := map[provisioning.ConnectionType]struct{}{
+			provisioning.GithubConnectionType: {},
+			provisioning.GitlabConnectionType: {},
+		}
+
+		factory, err := ProvideFactory(enabled, []Extra{extra1, extra2})
+		require.NoError(t, err)
+
+		result, err := factory.Build(ctx, conn)
+		require.NoError(t, err)
+		assert.Equal(t, mockConnection, result)
+	})
+}

apps/provisioning/pkg/connection/github/client.go

@@ -0,0 +1,93 @@
+package github
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+	"strconv"
+
+	"github.com/google/go-github/v70/github"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+)
+
+// API errors that we need to convey after parsing real GH errors (or faking them).
+var (
+	//lint:ignore ST1005 this is not punctuation
+	ErrServiceUnavailable = apierrors.NewServiceUnavailable("github is unavailable")
+)
+
+//go:generate mockery --name Client --structname MockClient --inpackage --filename client_mock.go --with-expecter
+type Client interface {
+	// Apps and installations
+	GetApp(ctx context.Context) (App, error)
+	GetAppInstallation(ctx context.Context, installationID string) (AppInstallation, error)
+}
+
+// App represents a Github App.
+type App struct {
+	// ID represents the GH app ID.
+	ID int64
+	// Slug represents the GH app slug.
+	Slug string
+	// Owner represents the GH account/org owning the app
+	Owner string
+}
+
+// AppInstallation represents a Github App Installation.
+type AppInstallation struct {
+	// ID represents the GH installation ID.
+	ID int64
+	// Whether the installation is enabled or not.
+	Enabled bool
+}
+
+type githubClient struct {
+	gh *github.Client
+}
+
+func NewClient(client *github.Client) Client {
+	return &githubClient{client}
+}
+
+// GetApp gets the app by using the given token.
+func (r *githubClient) GetApp(ctx context.Context) (App, error) {
+	app, _, err := r.gh.Apps.Get(ctx, "")
+	if err != nil {
+		var ghErr *github.ErrorResponse
+		if errors.As(err, &ghErr) && ghErr.Response.StatusCode == http.StatusServiceUnavailable {
+			return App{}, ErrServiceUnavailable
+		}
+		return App{}, err
+	}
+
+	// TODO(ferruvich): do we need any other info?
+	return App{
+		ID:    app.GetID(),
+		Slug:  app.GetSlug(),
+		Owner: app.GetOwner().GetLogin(),
+	}, nil
+}
+
+// GetAppInstallation gets the installation of the app related to the given token.
+func (r *githubClient) GetAppInstallation(ctx context.Context, installationID string) (AppInstallation, error) {
+	id, err := strconv.Atoi(installationID)
+	if err != nil {
+		return AppInstallation{}, fmt.Errorf("invalid installation ID: %s", installationID)
+	}
+
+	installation, _, err := r.gh.Apps.GetInstallation(ctx, int64(id))
+	if err != nil {
+		var ghErr *github.ErrorResponse
+		if errors.As(err, &ghErr) && ghErr.Response.StatusCode == http.StatusServiceUnavailable {
+			return AppInstallation{}, ErrServiceUnavailable
+		}
+		return AppInstallation{}, err
+	}
+
+	// TODO(ferruvich): do we need any other info?
+	return AppInstallation{
+		ID:      installation.GetID(),
+		Enabled: installation.GetSuspendedAt().IsZero(),
+	}, nil
+}

apps/provisioning/pkg/connection/github/client_mock.go

@@ -0,0 +1,149 @@
+// Code generated by mockery v2.53.4. DO NOT EDIT.
+
+package github
+
+import (
+	context "context"
+
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockClient is an autogenerated mock type for the Client type
+type MockClient struct {
+	mock.Mock
+}
+
+type MockClient_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockClient) EXPECT() *MockClient_Expecter {
+	return &MockClient_Expecter{mock: &_m.Mock}
+}
+
+// GetApp provides a mock function with given fields: ctx
+func (_m *MockClient) GetApp(ctx context.Context) (App, error) {
+	ret := _m.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetApp")
+	}
+
+	var r0 App
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context) (App, error)); ok {
+		return rf(ctx)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context) App); ok {
+		r0 = rf(ctx)
+	} else {
+		r0 = ret.Get(0).(App)
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context) error); ok {
+		r1 = rf(ctx)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockClient_GetApp_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetApp'
+type MockClient_GetApp_Call struct {
+	*mock.Call
+}
+
+// GetApp is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *MockClient_Expecter) GetApp(ctx interface{}) *MockClient_GetApp_Call {
+	return &MockClient_GetApp_Call{Call: _e.mock.On("GetApp", ctx)}
+}
+
+func (_c *MockClient_GetApp_Call) Run(run func(ctx context.Context)) *MockClient_GetApp_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context))
+	})
+	return _c
+}
+
+func (_c *MockClient_GetApp_Call) Return(_a0 App, _a1 error) *MockClient_GetApp_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockClient_GetApp_Call) RunAndReturn(run func(context.Context) (App, error)) *MockClient_GetApp_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetAppInstallation provides a mock function with given fields: ctx, installationID
+func (_m *MockClient) GetAppInstallation(ctx context.Context, installationID string) (AppInstallation, error) {
+	ret := _m.Called(ctx, installationID)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetAppInstallation")
+	}
+
+	var r0 AppInstallation
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, string) (AppInstallation, error)); ok {
+		return rf(ctx, installationID)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, string) AppInstallation); ok {
+		r0 = rf(ctx, installationID)
+	} else {
+		r0 = ret.Get(0).(AppInstallation)
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, string) error); ok {
+		r1 = rf(ctx, installationID)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockClient_GetAppInstallation_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAppInstallation'
+type MockClient_GetAppInstallation_Call struct {
+	*mock.Call
+}
+
+// GetAppInstallation is a helper method to define mock.On call
+//   - ctx context.Context
+//   - installationID string
+func (_e *MockClient_Expecter) GetAppInstallation(ctx interface{}, installationID interface{}) *MockClient_GetAppInstallation_Call {
+	return &MockClient_GetAppInstallation_Call{Call: _e.mock.On("GetAppInstallation", ctx, installationID)}
+}
+
+func (_c *MockClient_GetAppInstallation_Call) Run(run func(ctx context.Context, installationID string)) *MockClient_GetAppInstallation_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(string))
+	})
+	return _c
+}
+
+func (_c *MockClient_GetAppInstallation_Call) Return(_a0 AppInstallation, _a1 error) *MockClient_GetAppInstallation_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockClient_GetAppInstallation_Call) RunAndReturn(run func(context.Context, string) (AppInstallation, error)) *MockClient_GetAppInstallation_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockClient creates a new instance of MockClient. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockClient(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockClient {
+	mock := &MockClient{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

apps/provisioning/pkg/connection/github/client_test.go

@@ -0,0 +1,297 @@
+package github_test
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"testing"
+	"time"
+
+	"github.com/google/go-github/v70/github"
+	conngh "github.com/grafana/grafana/apps/provisioning/pkg/connection/github"
+	mockhub "github.com/migueleliasweb/go-github-mock/src/mock"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGithubClient_GetApp(t *testing.T) {
+	tests := []struct {
+		name        string
+		mockHandler *http.Client
+		token       string
+		wantApp     conngh.App
+		wantErr     error
+	}{
+		{
+			name: "get app successfully",
+			mockHandler: mockhub.NewMockedHTTPClient(
+				mockhub.WithRequestMatchHandler(
+					mockhub.GetApp,
+					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+						app := &github.App{
+							ID:   github.Ptr(int64(12345)),
+							Slug: github.Ptr("my-test-app"),
+							Owner: &github.User{
+								Login: github.Ptr("grafana"),
+							},
+						}
+						w.WriteHeader(http.StatusOK)
+						require.NoError(t, json.NewEncoder(w).Encode(app))
+					}),
+				),
+			),
+			token: "test-token",
+			wantApp: conngh.App{
+				ID:    12345,
+				Slug:  "my-test-app",
+				Owner: "grafana",
+			},
+			wantErr: nil,
+		},
+		{
+			name: "service unavailable",
+			mockHandler: mockhub.NewMockedHTTPClient(
+				mockhub.WithRequestMatchHandler(
+					mockhub.GetApp,
+					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+						w.WriteHeader(http.StatusServiceUnavailable)
+						require.NoError(t, json.NewEncoder(w).Encode(github.ErrorResponse{
+							Response: &http.Response{
+								StatusCode: http.StatusServiceUnavailable,
+							},
+							Message: "Service unavailable",
+						}))
+					}),
+				),
+			),
+			token:   "test-token",
+			wantApp: conngh.App{},
+			wantErr: conngh.ErrServiceUnavailable,
+		},
+		{
+			name: "other error",
+			mockHandler: mockhub.NewMockedHTTPClient(
+				mockhub.WithRequestMatchHandler(
+					mockhub.GetApp,
+					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+						w.WriteHeader(http.StatusInternalServerError)
+						require.NoError(t, json.NewEncoder(w).Encode(github.ErrorResponse{
+							Response: &http.Response{
+								StatusCode: http.StatusInternalServerError,
+							},
+							Message: "Internal server error",
+						}))
+					}),
+				),
+			),
+			token:   "test-token",
+			wantApp: conngh.App{},
+			wantErr: &github.ErrorResponse{
+				Response: &http.Response{
+					StatusCode: http.StatusInternalServerError,
+				},
+				Message: "Internal server error",
+			},
+		},
+		{
+			name: "unauthorized error",
+			mockHandler: mockhub.NewMockedHTTPClient(
+				mockhub.WithRequestMatchHandler(
+					mockhub.GetApp,
+					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+						w.WriteHeader(http.StatusUnauthorized)
+						require.NoError(t, json.NewEncoder(w).Encode(github.ErrorResponse{
+							Response: &http.Response{
+								StatusCode: http.StatusUnauthorized,
+							},
+							Message: "Bad credentials",
+						}))
+					}),
+				),
+			),
+			token:   "invalid-token",
+			wantApp: conngh.App{},
+			wantErr: &github.ErrorResponse{
+				Response: &http.Response{
+					StatusCode: http.StatusUnauthorized,
+				},
+				Message: "Bad credentials",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Create a mock client
+			ghClient := github.NewClient(tt.mockHandler)
+			client := conngh.NewClient(ghClient)
+
+			// Call the method being tested
+			app, err := client.GetApp(context.Background())
+
+			// Check the error
+			if tt.wantErr != nil {
+				assert.Error(t, err)
+				assert.Equal(t, tt.wantApp, app)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, tt.wantApp, app)
+			}
+		})
+	}
+}
+
+func TestGithubClient_GetAppInstallation(t *testing.T) {
+	tests := []struct {
+		name             string
+		mockHandler      *http.Client
+		appToken         string
+		installationID   string
+		wantInstallation conngh.AppInstallation
+		wantErr          bool
+		errContains      string
+	}{
+		{
+			name: "get disabled app installation successfully",
+			mockHandler: mockhub.NewMockedHTTPClient(
+				mockhub.WithRequestMatchHandler(
+					mockhub.GetAppInstallationsByInstallationId,
+					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+						installation := &github.Installation{
+							ID:          github.Ptr(int64(67890)),
+							SuspendedAt: github.Ptr(github.Timestamp{Time: time.Now()}),
+						}
+						w.WriteHeader(http.StatusOK)
+						require.NoError(t, json.NewEncoder(w).Encode(installation))
+					}),
+				),
+			),
+			appToken:       "test-app-token",
+			installationID: "67890",
+			wantInstallation: conngh.AppInstallation{
+				ID:      67890,
+				Enabled: false,
+			},
+			wantErr: false,
+		},
+		{
+			name: "get enabled app installation successfully",
+			mockHandler: mockhub.NewMockedHTTPClient(
+				mockhub.WithRequestMatchHandler(
+					mockhub.GetAppInstallationsByInstallationId,
+					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+						installation := &github.Installation{
+							ID:          github.Ptr(int64(67890)),
+							SuspendedAt: nil,
+						}
+						w.WriteHeader(http.StatusOK)
+						require.NoError(t, json.NewEncoder(w).Encode(installation))
+					}),
+				),
+			),
+			appToken:       "test-app-token",
+			installationID: "67890",
+			wantInstallation: conngh.AppInstallation{
+				ID:      67890,
+				Enabled: true,
+			},
+			wantErr: false,
+		},
+		{
+			name:             "invalid installation ID",
+			mockHandler:      mockhub.NewMockedHTTPClient(),
+			appToken:         "test-app-token",
+			installationID:   "not-a-number",
+			wantInstallation: conngh.AppInstallation{},
+			wantErr:          true,
+			errContains:      "invalid installation ID",
+		},
+		{
+			name: "service unavailable",
+			mockHandler: mockhub.NewMockedHTTPClient(
+				mockhub.WithRequestMatchHandler(
+					mockhub.GetAppInstallationsByInstallationId,
+					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+						w.WriteHeader(http.StatusServiceUnavailable)
+						require.NoError(t, json.NewEncoder(w).Encode(github.ErrorResponse{
+							Response: &http.Response{
+								StatusCode: http.StatusServiceUnavailable,
+							},
+							Message: "Service unavailable",
+						}))
+					}),
+				),
+			),
+			appToken:         "test-app-token",
+			installationID:   "67890",
+			wantInstallation: conngh.AppInstallation{},
+			wantErr:          true,
+		},
+		{
+			name: "installation not found",
+			mockHandler: mockhub.NewMockedHTTPClient(
+				mockhub.WithRequestMatchHandler(
+					mockhub.GetAppInstallationsByInstallationId,
+					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+						w.WriteHeader(http.StatusNotFound)
+						require.NoError(t, json.NewEncoder(w).Encode(github.ErrorResponse{
+							Response: &http.Response{
+								StatusCode: http.StatusNotFound,
+							},
+							Message: "Not Found",
+						}))
+					}),
+				),
+			),
+			appToken:         "test-app-token",
+			installationID:   "99999",
+			wantInstallation: conngh.AppInstallation{},
+			wantErr:          true,
+		},
+		{
+			name: "other error",
+			mockHandler: mockhub.NewMockedHTTPClient(
+				mockhub.WithRequestMatchHandler(
+					mockhub.GetAppInstallationsByInstallationId,
+					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+						w.WriteHeader(http.StatusInternalServerError)
+						require.NoError(t, json.NewEncoder(w).Encode(github.ErrorResponse{
+							Response: &http.Response{
+								StatusCode: http.StatusInternalServerError,
+							},
+							Message: "Internal server error",
+						}))
+					}),
+				),
+			),
+			appToken:         "test-app-token",
+			installationID:   "67890",
+			wantInstallation: conngh.AppInstallation{},
+			wantErr:          true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Create a mock client
+			ghClient := github.NewClient(tt.mockHandler)
+			client := conngh.NewClient(ghClient)
+
+			// Call the method being tested
+			installation, err := client.GetAppInstallation(context.Background(), tt.installationID)
+
+			// Check the error
+			if tt.wantErr {
+				assert.Error(t, err)
+				if tt.errContains != "" {
+					assert.Contains(t, err.Error(), tt.errContains)
+				}
+			} else {
+				assert.NoError(t, err)
+			}
+
+			// Check the result
+			assert.Equal(t, tt.wantInstallation, installation)
+		})
+	}
+}

apps/provisioning/pkg/connection/github/connection.go

@@ -0,0 +1,192 @@
+package github
+
+import (
+	"context"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/golang-jwt/jwt/v4"
+	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	"github.com/grafana/grafana/apps/provisioning/pkg/connection"
+	common "github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+//go:generate mockery --name GithubFactory --structname MockGithubFactory --inpackage --filename factory_mock.go --with-expecter
+type GithubFactory interface {
+	New(ctx context.Context, ghToken common.RawSecureValue) Client
+}
+
+type Connection struct {
+	obj       *provisioning.Connection
+	ghFactory GithubFactory
+}
+
+func NewConnection(
+	obj *provisioning.Connection,
+	factory GithubFactory,
+) Connection {
+	return Connection{
+		obj:       obj,
+		ghFactory: factory,
+	}
+}
+
+const (
+	//TODO(ferruvich): these probably need to be setup in API configuration.
+	githubInstallationURL = "https://github.com/settings/installations"
+	jwtExpirationMinutes  = 10 // GitHub Apps JWT tokens expire in 10 minutes maximum
+)
+
+// Mutate performs in place mutation of the underneath resource.
+func (c *Connection) Mutate(_ context.Context) error {
+	// Do nothing in case spec.Github is nil.
+	// If this field is required, we should fail at validation time.
+	if c.obj.Spec.GitHub == nil {
+		return nil
+	}
+
+	c.obj.Spec.URL = fmt.Sprintf("%s/%s", githubInstallationURL, c.obj.Spec.GitHub.InstallationID)
+
+	// Generate JWT token if private key is being provided.
+	// Same as for the spec.Github, if such a field is required, Validation will take care of that.
+	if !c.obj.Secure.PrivateKey.Create.IsZero() {
+		token, err := generateToken(c.obj.Spec.GitHub.AppID, c.obj.Secure.PrivateKey.Create)
+		if err != nil {
+			return fmt.Errorf("failed to generate JWT token: %w", err)
+		}
+
+		// Store the generated token
+		c.obj.Secure.Token = common.InlineSecureValue{Create: token}
+	}
+
+	return nil
+}
+
+// Token generates and returns the Connection token.
+func generateToken(appID string, privateKey common.RawSecureValue) (common.RawSecureValue, error) {
+	// Decode base64-encoded private key
+	privateKeyPEM, err := base64.StdEncoding.DecodeString(string(privateKey))
+	if err != nil {
+		return "", fmt.Errorf("failed to decode base64 private key: %w", err)
+	}
+
+	// Parse the private key
+	key, err := jwt.ParseRSAPrivateKeyFromPEM(privateKeyPEM)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse private key: %w", err)
+	}
+
+	// Create the JWT token
+	now := time.Now()
+	claims := jwt.RegisteredClaims{
+		IssuedAt:  jwt.NewNumericDate(now),
+		ExpiresAt: jwt.NewNumericDate(now.Add(time.Duration(jwtExpirationMinutes) * time.Minute)),
+		Issuer:    appID,
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+	signedToken, err := token.SignedString(key)
+	if err != nil {
+		return "", fmt.Errorf("failed to sign JWT token: %w", err)
+	}
+
+	return common.RawSecureValue(signedToken), nil
+}
+
+// Validate ensures the resource _looks_ correct.
+func (c *Connection) Validate(ctx context.Context) error {
+	list := field.ErrorList{}
+
+	if c.obj.Spec.Type != provisioning.GithubConnectionType {
+		list = append(list, field.Invalid(field.NewPath("spec", "type"), c.obj.Spec.Type, "invalid connection type"))
+
+		// Doesn't make much sense to continue validating a connection which is not a Github one.
+		return toError(c.obj.GetName(), list)
+	}
+
+	if c.obj.Spec.GitHub == nil {
+		list = append(
+			list, field.Required(field.NewPath("spec", "github"), "github info must be specified for GitHub connection"),
+		)
+
+		// Doesn't make much sense to continue validating a connection with no information.
+		return toError(c.obj.GetName(), list)
+	}
+
+	if c.obj.Secure.PrivateKey.IsZero() {
+		list = append(list, field.Required(field.NewPath("secure", "privateKey"), "privateKey must be specified for GitHub connection"))
+	}
+	if c.obj.Secure.Token.IsZero() {
+		list = append(list, field.Required(field.NewPath("secure", "token"), "token must be specified for GitHub connection"))
+	}
+	if !c.obj.Secure.ClientSecret.IsZero() {
+		list = append(list, field.Forbidden(field.NewPath("secure", "clientSecret"), "clientSecret is forbidden in GitHub connection"))
+	}
+
+	// Validate GitHub configuration fields
+	if c.obj.Spec.GitHub.AppID == "" {
+		list = append(list, field.Required(field.NewPath("spec", "github", "appID"), "appID must be specified for GitHub connection"))
+	}
+	if c.obj.Spec.GitHub.InstallationID == "" {
+		list = append(list, field.Required(field.NewPath("spec", "github", "installationID"), "installationID must be specified for GitHub connection"))
+	}
+
+	// In case we have any error above, we don't go forward with the validation, and return the errors.
+	if len(list) > 0 {
+		return toError(c.obj.GetName(), list)
+	}
+
+	// Validating app content via GH API
+	if err := c.validateAppAndInstallation(ctx); err != nil {
+		list = append(list, err)
+	}
+
+	return toError(c.obj.GetName(), list)
+}
+
+// validateAppAndInstallation validates the appID and installationID against the given github token.
+func (c *Connection) validateAppAndInstallation(ctx context.Context) *field.Error {
+	ghClient := c.ghFactory.New(ctx, c.obj.Secure.Token.Create)
+
+	app, err := ghClient.GetApp(ctx)
+	if err != nil {
+		if errors.Is(err, ErrServiceUnavailable) {
+			return field.InternalError(field.NewPath("spec", "token"), ErrServiceUnavailable)
+		}
+		return field.Invalid(field.NewPath("spec", "token"), "[REDACTED]", "invalid token")
+	}
+
+	if fmt.Sprintf("%d", app.ID) != c.obj.Spec.GitHub.AppID {
+		return field.Invalid(field.NewPath("spec", "appID"), c.obj.Spec.GitHub.AppID, "appID mismatch")
+	}
+
+	_, err = ghClient.GetAppInstallation(ctx, c.obj.Spec.GitHub.InstallationID)
+	if err != nil {
+		if errors.Is(err, ErrServiceUnavailable) {
+			return field.InternalError(field.NewPath("spec", "token"), ErrServiceUnavailable)
+		}
+		return field.Invalid(field.NewPath("spec", "installationID"), c.obj.Spec.GitHub.InstallationID, "invalid installation ID")
+	}
+
+	return nil
+}
+
+// toError converts a field.ErrorList to an error, returning nil if the list is empty
+func toError(name string, list field.ErrorList) error {
+	if len(list) == 0 {
+		return nil
+	}
+	return apierrors.NewInvalid(
+		provisioning.ConnectionResourceInfo.GroupVersionKind().GroupKind(),
+		name,
+		list,
+	)
+}
+
+var (
+	_ connection.Connection = (*Connection)(nil)
+)

apps/provisioning/pkg/connection/github/connection_test.go

@@ -0,0 +1,434 @@
+package github
+
+import (
+	"context"
+	"encoding/base64"
+	"testing"
+
+	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	common "github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+//nolint:gosec // Test RSA private key (generated for testing purposes only)
+const testPrivateKeyPEM = `-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAoInVbLY9io2Q/wHvUIXlEHg2Qyvd8eRzBAVEJ92DS6fx9H10
+06V0VRm78S0MXyo6i+n8ZAbZ0/R+GWpP2Ephxm0Gs2zo+iO2mpB19xQFI4o6ZTOw
+b2WyjSaa2Vr4oyDkqti6AvfjW4VUAu932e08GkgwmmQSHXj7FX2CMWjgUwTTcuaX
+65SHNKLNYLUP0HTumLzoZeqDTdoMMpKNdgH9Avr4/8vkVJ0mD6rqvxnw3JHsseNO
+WdQTxf2aApBNHIIKxWZ2i/ZmjLNey7kltgjEquGiBdJvip3fHhH5XHdkrXcjRtnw
+OJDnDmi5lQwv5yUBOSkbvbXRv/L/m0YLoD/fbwIDAQABAoIBAFfl//hM8/cnuesV
++R1Con/ZAgTXQOdPqPXbmEyniVrkMqMmCdBUOBTcST4s5yg36+RtkeaGpb/ajyyF
+PAB2AYDucwvMpudGpJWOYTiOOp4R8hU1LvZfXVrRd1lo6NgQi4NLtNUpOtACeVQ+
+H4Yv0YemXQ47mnuOoRNMK/u3q5NoIdSahWptXBgUno8KklNpUrH3IYWaUxfBzDN3
+2xsVRTn2SfTSyoDmTDdTgptJONmoK1/sV7UsgWksdFc6XyYhsFAZgOGEJrBABRvF
+546dyQ0cWxuPyVXpM7CN3tqC5ssvLjElg3LicK1V6gnjpdRnnvX88d1Eh3Uc/9IM
+OZInT2ECgYEA6W8sQXTWinyEwl8SDKKMbB2ApIghAcFgdRxprZE4WFxjsYNCNL70
+dnSB7MRuzmxf5W77cV0N7JhH66N8HvY6Xq9olrpQ5dNttR4w8Pyv3wavDe8x7seL
+5L2Xtbu7ihDr8Dk27MjiBSin3IxhBP5CJS910+pR6LrAWtEuU+FzFfECgYEAsA6y
+qxHhCMXlTnauXhsnmPd1g61q7chW8kLQFYtHMLlQlgjHTW7irDZ9cPbPYDNjwRLO
+7KLorcpv2NKe7rqq2ZyCm6hf1b9WnlQjo3dLpNWMu6fhy/smK8MgbRqcWpX+oTKF
+79mK6hbY7o6eBzsQHBl7Z+LBNuwYmp9qOodPa18CgYEArv6ipKdcNhFGzRfMRiCN
+OHederp6VACNuP2F05IsNUF9kxOdTEFirnKE++P+VU01TqA2azOhPp6iO+ohIGzi
+MR06QNSH1OL9OWvasK4dggpWrRGF00VQgDgJRTnpS4WH+lxJ6pRlrAxgWpv6F24s
+VAgSQr1Ejj2B+hMasdMvHWECgYBJ4uE4yhgXBnZlp4kmFV9Y4wF+cZkekaVrpn6N
+jBYkbKFVVfnOlWqru3KJpgsB5I9IyAvvY68iwIKQDFSG+/AXw4dMrC0MF3DSoZ0T
+TU2Br92QI7SvVod+djV1lGVp3ukt3XY4YqPZ+hywgUnw3uiz4j3YK2HLGup4ec6r
+IX5DIQKBgHRLzvT3zqtlR1Oh0vv098clLwt+pGzXOxzJpxioOa5UqK13xIpFXbcg
+iWUVh5YXCcuqaICUv4RLIEac5xQitk9Is/9IhP0NJ/81rHniosvdSpCeFXzxTImS
+B8Uc0WUgheB4+yVKGnYpYaSOgFFI5+1BYUva/wDHLy2pWHz39Usb
+-----END RSA PRIVATE KEY-----`
+
+func TestConnection_Mutate(t *testing.T) {
+	t.Run("should add URL to Github connection", func(t *testing.T) {
+		c := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GithubConnectionType,
+				GitHub: &provisioning.GitHubConnectionConfig{
+					AppID:          "123",
+					InstallationID: "456",
+				},
+			},
+			Secure: provisioning.ConnectionSecure{
+				PrivateKey: common.InlineSecureValue{
+					Name: "test-private-key",
+				},
+			},
+		}
+
+		mockFactory := NewMockGithubFactory(t)
+		conn := NewConnection(c, mockFactory)
+
+		require.NoError(t, conn.Mutate(context.Background()))
+		assert.Equal(t, "https://github.com/settings/installations/456", c.Spec.URL)
+	})
+
+	t.Run("should generate JWT token when private key is provided", func(t *testing.T) {
+		privateKeyBase64 := base64.StdEncoding.EncodeToString([]byte(testPrivateKeyPEM))
+
+		c := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GithubConnectionType,
+				GitHub: &provisioning.GitHubConnectionConfig{
+					AppID:          "123",
+					InstallationID: "456",
+				},
+			},
+			Secure: provisioning.ConnectionSecure{
+				PrivateKey: common.InlineSecureValue{
+					Create: common.NewSecretValue(privateKeyBase64),
+				},
+			},
+		}
+
+		mockFactory := NewMockGithubFactory(t)
+		conn := NewConnection(c, mockFactory)
+
+		require.NoError(t, conn.Mutate(context.Background()))
+		assert.Equal(t, "https://github.com/settings/installations/456", c.Spec.URL)
+		assert.False(t, c.Secure.Token.Create.IsZero(), "JWT token should be generated")
+	})
+
+	t.Run("should do nothing when GitHub config is nil", func(t *testing.T) {
+		c := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GitlabConnectionType,
+				Gitlab: &provisioning.GitlabConnectionConfig{
+					ClientID: "clientID",
+				},
+			},
+		}
+
+		mockFactory := NewMockGithubFactory(t)
+		conn := NewConnection(c, mockFactory)
+
+		require.NoError(t, conn.Mutate(context.Background()))
+	})
+
+	t.Run("should fail when private key is not base64", func(t *testing.T) {
+		c := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GithubConnectionType,
+				GitHub: &provisioning.GitHubConnectionConfig{
+					AppID:          "123",
+					InstallationID: "456",
+				},
+			},
+			Secure: provisioning.ConnectionSecure{
+				PrivateKey: common.InlineSecureValue{
+					Create: common.NewSecretValue("invalid-key"),
+				},
+			},
+		}
+
+		mockFactory := NewMockGithubFactory(t)
+		conn := NewConnection(c, mockFactory)
+
+		err := conn.Mutate(context.Background())
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "failed to generate JWT token")
+		assert.Contains(t, err.Error(), "failed to decode base64 private key")
+	})
+
+	t.Run("should fail when private key is invalid", func(t *testing.T) {
+		c := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GithubConnectionType,
+				GitHub: &provisioning.GitHubConnectionConfig{
+					AppID:          "123",
+					InstallationID: "456",
+				},
+			},
+			Secure: provisioning.ConnectionSecure{
+				PrivateKey: common.InlineSecureValue{
+					Create: common.NewSecretValue(base64.StdEncoding.EncodeToString([]byte("invalid-key"))),
+				},
+			},
+		}
+
+		mockFactory := NewMockGithubFactory(t)
+		conn := NewConnection(c, mockFactory)
+
+		err := conn.Mutate(context.Background())
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "failed to generate JWT token")
+		assert.Contains(t, err.Error(), "failed to parse private key")
+	})
+}
+
+func TestConnection_Validate(t *testing.T) {
+	tests := []struct {
+		name           string
+		connection     *provisioning.Connection
+		setupMock      func(*MockGithubFactory)
+		wantErr        bool
+		errMsgContains []string
+	}{
+		{
+			name: "invalid type returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: "invalid",
+				},
+			},
+			wantErr:        true,
+			errMsgContains: []string{"spec.type"},
+		},
+		{
+			name: "github type without github config returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+				},
+			},
+			wantErr:        true,
+			errMsgContains: []string{"spec.github"},
+		},
+		{
+			name: "github type without private key returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+					GitHub: &provisioning.GitHubConnectionConfig{
+						AppID:          "123",
+						InstallationID: "456",
+					},
+				},
+			},
+			wantErr:        true,
+			errMsgContains: []string{"secure.privateKey"},
+		},
+		{
+			name: "github type without token returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+					GitHub: &provisioning.GitHubConnectionConfig{
+						AppID:          "123",
+						InstallationID: "456",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					PrivateKey: common.InlineSecureValue{
+						Create: common.NewSecretValue("test-private-key"),
+					},
+				},
+			},
+			wantErr:        true,
+			errMsgContains: []string{"secure.token"},
+		},
+		{
+			name: "github type with client secret returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+					GitHub: &provisioning.GitHubConnectionConfig{
+						AppID:          "123",
+						InstallationID: "456",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					ClientSecret: common.InlineSecureValue{
+						Create: common.NewSecretValue("test-client-secret"),
+					},
+				},
+			},
+			wantErr:        true,
+			errMsgContains: []string{"secure.clientSecret"},
+		},
+		{
+			name: "github type without appID returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+					GitHub: &provisioning.GitHubConnectionConfig{
+						InstallationID: "456",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					PrivateKey: common.InlineSecureValue{
+						Create: common.NewSecretValue("test-private-key"),
+					},
+					Token: common.InlineSecureValue{
+						Create: common.NewSecretValue("test-token"),
+					},
+				},
+			},
+			wantErr:        true,
+			errMsgContains: []string{"spec.github.appID"},
+		},
+		{
+			name: "github type without installationID returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+					GitHub: &provisioning.GitHubConnectionConfig{
+						AppID: "123",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					PrivateKey: common.InlineSecureValue{
+						Name: "test-private-key",
+					},
+					Token: common.InlineSecureValue{
+						Name: "test-token",
+					},
+				},
+			},
+			wantErr:        true,
+			errMsgContains: []string{"spec.github.installationID"},
+		},
+		{
+			name: "github type with valid config is valid",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+					GitHub: &provisioning.GitHubConnectionConfig{
+						AppID:          "123",
+						InstallationID: "456",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					PrivateKey: common.InlineSecureValue{
+						Create: common.NewSecretValue("test-private-key"),
+					},
+					Token: common.InlineSecureValue{
+						Create: common.NewSecretValue("test-token"),
+					},
+				},
+			},
+			wantErr: false,
+			setupMock: func(mockFactory *MockGithubFactory) {
+				mockClient := NewMockClient(t)
+
+				mockFactory.EXPECT().New(mock.Anything, common.RawSecureValue("test-token")).Return(mockClient)
+				mockClient.EXPECT().GetApp(mock.Anything).Return(App{ID: 123, Slug: "test-app"}, nil)
+				mockClient.EXPECT().GetAppInstallation(mock.Anything, "456").Return(AppInstallation{ID: 456}, nil)
+			},
+		},
+		{
+			name: "problem getting app returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+					GitHub: &provisioning.GitHubConnectionConfig{
+						AppID:          "123",
+						InstallationID: "456",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					PrivateKey: common.InlineSecureValue{
+						Create: common.NewSecretValue("test-private-key"),
+					},
+					Token: common.InlineSecureValue{
+						Create: common.NewSecretValue("test-token"),
+					},
+				},
+			},
+			wantErr:        true,
+			errMsgContains: []string{"spec.token", "[REDACTED]"},
+			setupMock: func(mockFactory *MockGithubFactory) {
+				mockClient := NewMockClient(t)
+
+				mockFactory.EXPECT().New(mock.Anything, common.RawSecureValue("test-token")).Return(mockClient)
+				mockClient.EXPECT().GetApp(mock.Anything).Return(App{}, assert.AnError)
+			},
+		},
+		{
+			name: "mismatched app ID returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+					GitHub: &provisioning.GitHubConnectionConfig{
+						AppID:          "123",
+						InstallationID: "456",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					PrivateKey: common.InlineSecureValue{
+						Create: common.NewSecretValue("test-private-key"),
+					},
+					Token: common.InlineSecureValue{
+						Create: common.NewSecretValue("test-token"),
+					},
+				},
+			},
+			wantErr:        true,
+			errMsgContains: []string{"spec.appID"},
+			setupMock: func(mockFactory *MockGithubFactory) {
+				mockClient := NewMockClient(t)
+
+				mockFactory.EXPECT().New(mock.Anything, common.RawSecureValue("test-token")).Return(mockClient)
+				mockClient.EXPECT().GetApp(mock.Anything).Return(App{ID: 444, Slug: "test-app"}, nil)
+			},
+		},
+		{
+			name: "problem when getting installation returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+					GitHub: &provisioning.GitHubConnectionConfig{
+						AppID:          "123",
+						InstallationID: "456",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					PrivateKey: common.InlineSecureValue{
+						Create: common.NewSecretValue("test-private-key"),
+					},
+					Token: common.InlineSecureValue{
+						Create: common.NewSecretValue("test-token"),
+					},
+				},
+			},
+			wantErr:        true,
+			errMsgContains: []string{"spec.installationID", "456"},
+			setupMock: func(mockFactory *MockGithubFactory) {
+				mockClient := NewMockClient(t)
+
+				mockFactory.EXPECT().New(mock.Anything, common.RawSecureValue("test-token")).Return(mockClient)
+				mockClient.EXPECT().GetApp(mock.Anything).Return(App{ID: 123, Slug: "test-app"}, nil)
+				mockClient.EXPECT().GetAppInstallation(mock.Anything, "456").Return(AppInstallation{}, assert.AnError)
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			mockFactory := NewMockGithubFactory(t)
+			if tt.setupMock != nil {
+				tt.setupMock(mockFactory)
+			}
+
+			conn := NewConnection(tt.connection, mockFactory)
+			err := conn.Validate(context.Background())
+			if tt.wantErr {
+				assert.Error(t, err)
+				for _, msg := range tt.errMsgContains {
+					assert.Contains(t, err.Error(), msg)
+				}
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}

apps/provisioning/pkg/connection/github/extra.go

@@ -0,0 +1,36 @@
+package github
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/grafana/grafana-app-sdk/logging"
+	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	"github.com/grafana/grafana/apps/provisioning/pkg/connection"
+)
+
+type extra struct {
+	factory GithubFactory
+}
+
+func (e *extra) Type() provisioning.ConnectionType {
+	return provisioning.GithubConnectionType
+}
+
+func (e *extra) Build(ctx context.Context, connection *provisioning.Connection) (connection.Connection, error) {
+	logger := logging.FromContext(ctx)
+	if connection == nil || connection.Spec.GitHub == nil {
+		logger.Error("connection is nil or github info is nil")
+
+		return nil, fmt.Errorf("invalid github connection")
+	}
+
+	c := NewConnection(connection, e.factory)
+	return &c, nil
+}
+
+func Extra(factory GithubFactory) connection.Extra {
+	return &extra{
+		factory: factory,
+	}
+}

apps/provisioning/pkg/connection/github/extra_test.go

@@ -0,0 +1,126 @@
+package github_test
+
+import (
+	"context"
+	"testing"
+
+	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	"github.com/grafana/grafana/apps/provisioning/pkg/connection/github"
+	common "github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestExtra_Type(t *testing.T) {
+	t.Run("should return GithubConnectionType", func(t *testing.T) {
+		mockFactory := github.NewMockGithubFactory(t)
+		e := github.Extra(mockFactory)
+		result := e.Type()
+		assert.Equal(t, provisioning.GithubConnectionType, result)
+	})
+}
+
+func TestExtra_Build(t *testing.T) {
+	t.Run("should successfully build connection", func(t *testing.T) {
+		ctx := context.Background()
+		conn := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GithubConnectionType,
+				GitHub: &provisioning.GitHubConnectionConfig{
+					AppID:          "123",
+					InstallationID: "456",
+				},
+			},
+			Secure: provisioning.ConnectionSecure{
+				PrivateKey: common.InlineSecureValue{
+					Create: common.NewSecretValue("test-private-key"),
+				},
+			},
+		}
+
+		mockFactory := github.NewMockGithubFactory(t)
+
+		e := github.Extra(mockFactory)
+
+		result, err := e.Build(ctx, conn)
+		require.NoError(t, err)
+		require.NotNil(t, result)
+	})
+
+	t.Run("should handle different connection configurations", func(t *testing.T) {
+		ctx := context.Background()
+		conn := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "another-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GithubConnectionType,
+				GitHub: &provisioning.GitHubConnectionConfig{
+					AppID:          "789",
+					InstallationID: "101112",
+				},
+			},
+			Secure: provisioning.ConnectionSecure{
+				PrivateKey: common.InlineSecureValue{
+					Name: "existing-private-key",
+				},
+				Token: common.InlineSecureValue{
+					Name: "existing-token",
+				},
+			},
+		}
+
+		mockFactory := github.NewMockGithubFactory(t)
+
+		e := github.Extra(mockFactory)
+
+		result, err := e.Build(ctx, conn)
+		require.NoError(t, err)
+		require.NotNil(t, result)
+	})
+
+	t.Run("should build connection with background context", func(t *testing.T) {
+		ctx := context.Background()
+		conn := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GithubConnectionType,
+				GitHub: &provisioning.GitHubConnectionConfig{
+					AppID:          "123",
+					InstallationID: "456",
+				},
+			},
+		}
+
+		mockFactory := github.NewMockGithubFactory(t)
+		e := github.Extra(mockFactory)
+		result, err := e.Build(ctx, conn)
+		require.NoError(t, err)
+		require.NotNil(t, result)
+	})
+
+	t.Run("should always pass empty token to factory.New", func(t *testing.T) {
+		ctx := context.Background()
+		conn := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GithubConnectionType,
+				GitHub: &provisioning.GitHubConnectionConfig{
+					AppID:          "123",
+					InstallationID: "456",
+				},
+			},
+			Secure: provisioning.ConnectionSecure{
+				Token: common.InlineSecureValue{
+					Create: common.NewSecretValue("some-token"),
+				},
+			},
+		}
+
+		mockFactory := github.NewMockGithubFactory(t)
+		e := github.Extra(mockFactory)
+		result, err := e.Build(ctx, conn)
+		require.NoError(t, err)
+		require.NotNil(t, result)
+	})
+}

apps/provisioning/pkg/connection/github/factory.go

@@ -0,0 +1,39 @@
+package github
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/google/go-github/v70/github"
+	"golang.org/x/oauth2"
+
+	common "github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1"
+)
+
+// Factory creates new GitHub clients.
+// It exists only for the ability to test the code easily.
+type Factory struct {
+	// Client allows overriding the client to use in the GH client returned. It exists primarily for testing.
+	// FIXME: we should replace in this way. We should add some options pattern for the factory.
+	Client *http.Client
+}
+
+func ProvideFactory() GithubFactory {
+	return &Factory{}
+}
+
+func (r *Factory) New(ctx context.Context, ghToken common.RawSecureValue) Client {
+	if r.Client != nil {
+		return NewClient(github.NewClient(r.Client))
+	}
+
+	if !ghToken.IsZero() {
+		tokenSrc := oauth2.StaticTokenSource(
+			&oauth2.Token{AccessToken: string(ghToken)},
+		)
+		tokenClient := oauth2.NewClient(ctx, tokenSrc)
+		return NewClient(github.NewClient(tokenClient))
+	}
+
+	return NewClient(github.NewClient(&http.Client{}))
+}

apps/provisioning/pkg/connection/github/factory_mock.go

@@ -0,0 +1,86 @@
+// Code generated by mockery v2.53.4. DO NOT EDIT.
+
+package github
+
+import (
+	context "context"
+
+	v0alpha1 "github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockGithubFactory is an autogenerated mock type for the GithubFactory type
+type MockGithubFactory struct {
+	mock.Mock
+}
+
+type MockGithubFactory_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockGithubFactory) EXPECT() *MockGithubFactory_Expecter {
+	return &MockGithubFactory_Expecter{mock: &_m.Mock}
+}
+
+// New provides a mock function with given fields: ctx, ghToken
+func (_m *MockGithubFactory) New(ctx context.Context, ghToken v0alpha1.RawSecureValue) Client {
+	ret := _m.Called(ctx, ghToken)
+
+	if len(ret) == 0 {
+		panic("no return value specified for New")
+	}
+
+	var r0 Client
+	if rf, ok := ret.Get(0).(func(context.Context, v0alpha1.RawSecureValue) Client); ok {
+		r0 = rf(ctx, ghToken)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(Client)
+		}
+	}
+
+	return r0
+}
+
+// MockGithubFactory_New_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'New'
+type MockGithubFactory_New_Call struct {
+	*mock.Call
+}
+
+// New is a helper method to define mock.On call
+//   - ctx context.Context
+//   - ghToken v0alpha1.RawSecureValue
+func (_e *MockGithubFactory_Expecter) New(ctx interface{}, ghToken interface{}) *MockGithubFactory_New_Call {
+	return &MockGithubFactory_New_Call{Call: _e.mock.On("New", ctx, ghToken)}
+}
+
+func (_c *MockGithubFactory_New_Call) Run(run func(ctx context.Context, ghToken v0alpha1.RawSecureValue)) *MockGithubFactory_New_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(v0alpha1.RawSecureValue))
+	})
+	return _c
+}
+
+func (_c *MockGithubFactory_New_Call) Return(_a0 Client) *MockGithubFactory_New_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockGithubFactory_New_Call) RunAndReturn(run func(context.Context, v0alpha1.RawSecureValue) Client) *MockGithubFactory_New_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockGithubFactory creates a new instance of MockGithubFactory. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockGithubFactory(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockGithubFactory {
+	mock := &MockGithubFactory{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

apps/provisioning/pkg/connection/mutator.go

@@ -1,28 +0,0 @@
-package connection
-
-import (
-	"fmt"
-
-	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
-)
-
-const (
-	githubInstallationURL = "https://github.com/settings/installations"
-)
-
-func MutateConnection(connection *provisioning.Connection) error {
-	switch connection.Spec.Type {
-	case provisioning.GithubConnectionType:
-		// Do nothing in case spec.Github is nil.
-		// If this field is required, we should fail at validation time.
-		if connection.Spec.GitHub == nil {
-			return nil
-		}
-
-		connection.Spec.URL = fmt.Sprintf("%s/%s", githubInstallationURL, connection.Spec.GitHub.InstallationID)
-		return nil
-	default:
-		// TODO: we need to setup the URL for bitbucket and gitlab.
-		return nil
-	}
-}

apps/provisioning/pkg/connection/mutator_test.go

@@ -1,35 +0,0 @@
-package connection_test
-
-import (
-	"testing"
-
-	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
-	"github.com/grafana/grafana/apps/provisioning/pkg/connection"
-	common "github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-func TestMutateConnection(t *testing.T) {
-	t.Run("should add URL to Github connection", func(t *testing.T) {
-		c := &provisioning.Connection{
-			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-			Spec: provisioning.ConnectionSpec{
-				Type: provisioning.GithubConnectionType,
-				GitHub: &provisioning.GitHubConnectionConfig{
-					AppID:          "123",
-					InstallationID: "456",
-				},
-			},
-			Secure: provisioning.ConnectionSecure{
-				PrivateKey: common.InlineSecureValue{
-					Name: "test-private-key",
-				},
-			},
-		}
-
-		require.NoError(t, connection.MutateConnection(c))
-		assert.Equal(t, "https://github.com/settings/installations/456", c.Spec.URL)
-	})
-}

apps/provisioning/pkg/connection/validator.go

@@ -1,104 +0,0 @@
-package connection
-
-import (
-	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/util/validation/field"
-)
-
-func ValidateConnection(connection *provisioning.Connection) error {
-	list := field.ErrorList{}
-
-	if connection.Spec.Type == "" {
-		list = append(list, field.Required(field.NewPath("spec", "type"), "type must be specified"))
-	}
-
-	switch connection.Spec.Type {
-	case provisioning.GithubConnectionType:
-		list = append(list, validateGithubConnection(connection)...)
-	case provisioning.BitbucketConnectionType:
-		list = append(list, validateBitbucketConnection(connection)...)
-	case provisioning.GitlabConnectionType:
-		list = append(list, validateGitlabConnection(connection)...)
-	default:
-		list = append(
-			list, field.NotSupported(
-				field.NewPath("spec", "type"),
-				connection.Spec.Type,
-				[]provisioning.ConnectionType{
-					provisioning.GithubConnectionType,
-					provisioning.BitbucketConnectionType,
-					provisioning.GitlabConnectionType,
-				}),
-		)
-	}
-
-	return toError(connection.GetName(), list)
-}
-
-func validateGithubConnection(connection *provisioning.Connection) field.ErrorList {
-	list := field.ErrorList{}
-
-	if connection.Spec.GitHub == nil {
-		list = append(
-			list, field.Required(field.NewPath("spec", "github"), "github info must be specified for GitHub connection"),
-		)
-	}
-
-	if connection.Secure.PrivateKey.IsZero() {
-		list = append(list, field.Required(field.NewPath("secure", "privateKey"), "privateKey must be specified for GitHub connection"))
-	}
-	if !connection.Secure.ClientSecret.IsZero() {
-		list = append(list, field.Forbidden(field.NewPath("secure", "clientSecret"), "clientSecret is forbidden in GitHub connection"))
-	}
-
-	return list
-}
-
-func validateBitbucketConnection(connection *provisioning.Connection) field.ErrorList {
-	list := field.ErrorList{}
-
-	if connection.Spec.Bitbucket == nil {
-		list = append(
-			list, field.Required(field.NewPath("spec", "bitbucket"), "bitbucket info must be specified in Bitbucket connection"),
-		)
-	}
-	if connection.Secure.ClientSecret.IsZero() {
-		list = append(list, field.Required(field.NewPath("secure", "clientSecret"), "clientSecret must be specified for Bitbucket connection"))
-	}
-	if !connection.Secure.PrivateKey.IsZero() {
-		list = append(list, field.Forbidden(field.NewPath("secure", "privateKey"), "privateKey is forbidden in Bitbucket connection"))
-	}
-
-	return list
-}
-
-func validateGitlabConnection(connection *provisioning.Connection) field.ErrorList {
-	list := field.ErrorList{}
-
-	if connection.Spec.Gitlab == nil {
-		list = append(
-			list, field.Required(field.NewPath("spec", "gitlab"), "gitlab info must be specified in Gitlab connection"),
-		)
-	}
-	if connection.Secure.ClientSecret.IsZero() {
-		list = append(list, field.Required(field.NewPath("secure", "clientSecret"), "clientSecret must be specified for Gitlab connection"))
-	}
-	if !connection.Secure.PrivateKey.IsZero() {
-		list = append(list, field.Forbidden(field.NewPath("secure", "privateKey"), "privateKey is forbidden in Gitlab connection"))
-	}
-
-	return list
-}
-
-// toError converts a field.ErrorList to an error, returning nil if the list is empty
-func toError(name string, list field.ErrorList) error {
-	if len(list) == 0 {
-		return nil
-	}
-	return apierrors.NewInvalid(
-		provisioning.ConnectionResourceInfo.GroupVersionKind().GroupKind(),
-		name,
-		list,
-	)
-}

apps/provisioning/pkg/connection/validator_test.go

@@ -1,253 +0,0 @@
-package connection_test
-
-import (
-	"testing"
-
-	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
-	"github.com/grafana/grafana/apps/provisioning/pkg/connection"
-	common "github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1"
-	"github.com/stretchr/testify/assert"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-func TestValidateConnection(t *testing.T) {
-	tests := []struct {
-		name       string
-		connection *provisioning.Connection
-		wantErr    bool
-		errMsg     string
-	}{
-		{
-			name: "empty type returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec:       provisioning.ConnectionSpec{},
-			},
-			wantErr: true,
-			errMsg:  "spec.type",
-		},
-		{
-			name: "invalid type returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: "invalid",
-				},
-			},
-			wantErr: true,
-			errMsg:  "spec.type",
-		},
-		{
-			name: "github type without github config returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.GithubConnectionType,
-				},
-			},
-			wantErr: true,
-			errMsg:  "spec.github",
-		},
-		{
-			name: "github type without private key returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.GithubConnectionType,
-					GitHub: &provisioning.GitHubConnectionConfig{
-						AppID:          "123",
-						InstallationID: "456",
-					},
-				},
-			},
-			wantErr: true,
-			errMsg:  "secure.privateKey",
-		},
-		{
-			name: "github type with client secret returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.GithubConnectionType,
-					GitHub: &provisioning.GitHubConnectionConfig{
-						AppID:          "123",
-						InstallationID: "456",
-					},
-				},
-				Secure: provisioning.ConnectionSecure{
-					PrivateKey: common.InlineSecureValue{
-						Name: "test-private-key",
-					},
-					ClientSecret: common.InlineSecureValue{
-						Name: "test-client-secret",
-					},
-				},
-			},
-			wantErr: true,
-			errMsg:  "secure.clientSecret",
-		},
-		{
-			name: "github type with github config is valid",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.GithubConnectionType,
-					GitHub: &provisioning.GitHubConnectionConfig{
-						AppID:          "123",
-						InstallationID: "456",
-					},
-				},
-				Secure: provisioning.ConnectionSecure{
-					PrivateKey: common.InlineSecureValue{
-						Name: "test-private-key",
-					},
-				},
-			},
-			wantErr: false,
-		},
-		{
-			name: "bitbucket type without bitbucket config returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.BitbucketConnectionType,
-				},
-			},
-			wantErr: true,
-			errMsg:  "spec.bitbucket",
-		},
-		{
-			name: "bitbucket type without client secret returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.BitbucketConnectionType,
-					Bitbucket: &provisioning.BitbucketConnectionConfig{
-						ClientID: "client-123",
-					},
-				},
-			},
-			wantErr: true,
-			errMsg:  "secure.clientSecret",
-		},
-		{
-			name: "bitbucket type with private key returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.BitbucketConnectionType,
-					Bitbucket: &provisioning.BitbucketConnectionConfig{
-						ClientID: "client-123",
-					},
-				},
-				Secure: provisioning.ConnectionSecure{
-					PrivateKey: common.InlineSecureValue{
-						Name: "test-private-key",
-					},
-					ClientSecret: common.InlineSecureValue{
-						Name: "test-client-secret",
-					},
-				},
-			},
-			wantErr: true,
-			errMsg:  "secure.privateKey",
-		},
-		{
-			name: "bitbucket type with bitbucket config is valid",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.BitbucketConnectionType,
-					Bitbucket: &provisioning.BitbucketConnectionConfig{
-						ClientID: "client-123",
-					},
-				},
-				Secure: provisioning.ConnectionSecure{
-					ClientSecret: common.InlineSecureValue{
-						Name: "test-client-secret",
-					},
-				},
-			},
-			wantErr: false,
-		},
-		{
-			name: "gitlab type without gitlab config returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.GitlabConnectionType,
-				},
-			},
-			wantErr: true,
-			errMsg:  "spec.gitlab",
-		},
-		{
-			name: "gitlab type without client secret returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.GitlabConnectionType,
-					Gitlab: &provisioning.GitlabConnectionConfig{
-						ClientID: "client-456",
-					},
-				},
-			},
-			wantErr: true,
-			errMsg:  "secure.clientSecret",
-		},
-		{
-			name: "gitlab type with private key returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.GitlabConnectionType,
-					Gitlab: &provisioning.GitlabConnectionConfig{
-						ClientID: "client-456",
-					},
-				},
-				Secure: provisioning.ConnectionSecure{
-					PrivateKey: common.InlineSecureValue{
-						Name: "test-private-key",
-					},
-					ClientSecret: common.InlineSecureValue{
-						Name: "test-client-secret",
-					},
-				},
-			},
-			wantErr: true,
-			errMsg:  "secure.privateKey",
-		},
-		{
-			name: "gitlab type with gitlab config is valid",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.GitlabConnectionType,
-					Gitlab: &provisioning.GitlabConnectionConfig{
-						ClientID: "client-456",
-					},
-				},
-				Secure: provisioning.ConnectionSecure{
-					ClientSecret: common.InlineSecureValue{
-						Name: "test-client-secret",
-					},
-				},
-			},
-			wantErr: false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			err := connection.ValidateConnection(tt.connection)
-			if tt.wantErr {
-				assert.Error(t, err)
-				if tt.errMsg != "" {
-					assert.Contains(t, err.Error(), tt.errMsg)
-				}
-			} else {
-				assert.NoError(t, err)
-			}
-		})
-	}
-}

apps/provisioning/pkg/generated/applyconfiguration/provisioning/v0alpha1/connectionsecure.go

@@ -13,7 +13,7 @@ import (
 type ConnectionSecureApplyConfiguration struct {
 	PrivateKey   *commonv0alpha1.InlineSecureValue `json:"privateKey,omitempty"`
 	ClientSecret *commonv0alpha1.InlineSecureValue `json:"clientSecret,omitempty"`
-	Token        *commonv0alpha1.InlineSecureValue `json:"webhook,omitempty"`
+	Token        *commonv0alpha1.InlineSecureValue `json:"token,omitempty"`
 }
 
 // ConnectionSecureApplyConfiguration constructs a declarative configuration of the ConnectionSecure type for use with

docs/sources/datasources/mssql/troubleshooting/index.md

@@ -322,7 +322,7 @@ If you continue to experience issues after following this troubleshooting guide:
 1. Review the [Grafana GitHub issues](https://github.com/grafana/grafana/issues) for known bugs.
 1. Enable debug logging in Grafana to capture detailed error information.
 1. Check SQL Server logs for additional error details.
-1. Contact Grafana Support if you're an Enterprise or Cloud customer.
+1. Contact [Grafana Support](https://grafana.com/contact/) if you're an Enterprise or Cloud customer.
 
 When reporting issues, include:
 

docs/sources/datasources/mysql/_index.md

@@ -17,52 +17,145 @@ menuTitle: MySQL
 title: MySQL data source
 weight: 1000
 refs:
-  annotate-visualizations:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/build-dashboards/annotate-visualizations/
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana-cloud/visualizations/dashboards/build-dashboards/annotate-visualizations/
   configure-mysql-data-source:
     - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/configuration/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/configure/
     - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/configuration/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/configure/
   mysql-query-editor:
     - pattern: /docs/grafana/
       destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/query-editor/
     - pattern: /docs/grafana-cloud/
       destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/query-editor/
-  alerting:
+  troubleshoot-mysql:
     - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/troubleshooting/
     - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana-cloud/alerting-and-irm/alerting/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/troubleshooting/
+  mysql-template-variables:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/template-variables/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/template-variables/
+  mysql-alerting:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/alerting/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/alerting/
+  mysql-annotations:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/annotations/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/annotations/
   transformations:
     - pattern: /docs/grafana/
       destination: /docs/grafana/<GRAFANA_VERSION>/panels-visualizations/query-transform-data/transform-data/
     - pattern: /docs/grafana-cloud/
       destination: /docs/grafana-cloud/visualizations/panels-visualizations/query-transform-data/transform-data/
+  visualizations:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/panels-visualizations/visualizations/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana-cloud/visualizations/panels-visualizations/visualizations/
+  variables:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/variables/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana-cloud/visualizations/dashboards/variables/
+  query-caching:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/administration/data-source-management/#query-and-resource-caching
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/administration/data-source-management/#query-and-resource-caching
+  postgres:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/postgres/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/postgres/
+  mssql:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mssql/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mssql/
 ---
 
 # MySQL data source
 
-Grafana ships with a built-in MySQL data source plugin that allows you to query and visualize data from a MySQL-compatible database like [MariaDB](https://mariadb.org/) or [Percona Server](https://www.percona.com/). You don't need to install a plugin in order to add the MySQL data source to your Grafana instance.
+Grafana ships with built-in support for MySQL.
+You can query and visualize data from MySQL-compatible databases like [MariaDB](https://mariadb.org/) or [Percona Server](https://www.percona.com/).
 
-Grafana offers several configuration options for this data source as well as a visual and code-based query editor.
+Use this data source to create dashboards, explore SQL data, and monitor MySQL-based workloads in real time.
 
-## Get started with the MySQL data source
+{{< docs/play title="MySQL Overview" url="https://play.grafana.org/d/edyh1ib7db6rkb/mysql-overview" >}}
 
-The following documents will help you get started with the MySQL data source in Grafana:
+## Supported databases
+
+This data source supports the following MySQL-compatible databases:
+
+- MySQL 5.7 and newer
+- MySQL 8.0 and newer
+- MariaDB 10.2 and newer
+- Percona Server 5.7 and newer
+- Amazon Aurora MySQL
+- Azure Database for MySQL
+- Google Cloud SQL for MySQL
+
+Grafana recommends using the latest available version for your database for optimal compatibility.
+
+## Key capabilities
+
+The MySQL data source supports:
+
+- **Time series queries:** Visualize metrics over time using built-in time grouping macros.
+- **Table queries:** Display query results in table format for any valid SQL query.
+- **Template variables:** Create dynamic dashboards with variable-driven queries.
+- **Annotations:** Overlay events from MySQL on your dashboard graphs.
+- **Alerting:** Create alerts based on MySQL query results.
+- **Macros:** Simplify queries with built-in macros for time filtering and grouping.
+
+## Get started
+
+The following documentation helps you get started with the MySQL data source:
 
 - [Configure the MySQL data source](ref:configure-mysql-data-source)
 - [MySQL query editor](ref:mysql-query-editor)
+- [MySQL template variables](ref:mysql-template-variables)
+- [MySQL annotations](ref:mysql-annotations)
+- [MySQL alerting](ref:mysql-alerting)
+- [Troubleshoot MySQL data source issues](ref:troubleshoot-mysql)
 
-Once you have configured the data source you can:
+## Additional resources
 
-- Add [annotations](ref:annotate-visualizations)
-- Set up [alerting](ref:alerting)
-- Add [transformations](ref:transformations)
+After configuring the MySQL data source, you can also:
 
-View a MySQL overview on Grafana Play:
+- Create a wide variety of [visualizations](ref:visualizations).
+- Configure and use [templates and variables](ref:variables).
+- Add [transformations](ref:transformations).
+- Optimize performance with [query caching](ref:query-caching).
 
-{{< docs/play title="MySQL Overview" url="https://play.grafana.org/d/edyh1ib7db6rkb/mysql-overview" >}}
+## Pre-configured dashboards
+
+If you want to monitor your MySQL server's performance metrics (connections, queries, replication, and more), Grafana provides pre-configured dashboards through the MySQL integration:
+
+- **MySQL Overview** - Key performance metrics for your MySQL server.
+- **MySQL Logs** - Log analysis for troubleshooting.
+
+The MySQL integration uses the Prometheus MySQL Exporter to collect server metrics and includes 15 pre-configured alert rules.
+
+To use these dashboards:
+
+1. In Grafana Cloud, navigate to **Connections** > **Add new connection**.
+1. Search for **MySQL** and select the MySQL integration.
+1. Follow the setup instructions to install the MySQL Exporter.
+1. Import the pre-configured dashboards from the integration page.
+
+For more MySQL dashboards, browse the [Grafana dashboard catalog](https://grafana.com/grafana/dashboards/?search=mysql).
+
+{{< admonition type="note" >}}
+The MySQL integration monitors your MySQL _server_ using Prometheus metrics. The MySQL _data source_ documented here queries data stored _in_ MySQL tables. These are complementary features for different use cases.
+{{< /admonition >}}
+
+## Related data sources
+
+- [PostgreSQL](ref:postgres) - For PostgreSQL databases.
+- [Microsoft SQL Server](ref:mssql) - For Microsoft SQL Server and Azure SQL databases.

docs/sources/datasources/mysql/alerting/index.md

@@ -0,0 +1,188 @@
+---
+description: Using Grafana Alerting with the MySQL data source
+keywords:
+  - grafana
+  - mysql
+  - alerting
+  - alerts
+labels:
+  products:
+    - cloud
+    - enterprise
+    - oss
+menuTitle: Alerting
+title: MySQL alerting
+weight: 350
+refs:
+  alerting:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana-cloud/alerting-and-irm/alerting/
+  create-alert-rule:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/alerting-rules/create-grafana-managed-rule/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana-cloud/alerting-and-irm/alerting/alerting-rules/create-grafana-managed-rule/
+  mysql-query-editor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/query-editor/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/query-editor/
+---
+
+# MySQL alerting
+
+You can use Grafana Alerting with MySQL to create alerts based on your MySQL data. This allows you to monitor metrics, detect anomalies, and receive notifications when specific conditions are met.
+
+For general information about Grafana Alerting, refer to [Grafana Alerting](ref:alerting).
+
+## Before you begin
+
+Before creating alerts with MySQL, ensure you have:
+
+- A MySQL data source configured in Grafana.
+- Appropriate permissions to create alert rules.
+- Understanding of the metrics you want to monitor.
+
+## Supported query types
+
+MySQL alerting works with **time series queries** that return numeric data over time. Table formatted queries are not supported in alert rule conditions.
+
+To create a valid alert query:
+
+- Include a `time` column that returns a SQL datetime or UNIX epoch timestamp
+- Return numeric values for the metrics you want to alert on
+- Sort results by the time column
+
+For more information on writing time series queries, refer to [MySQL query editor](ref:mysql-query-editor).
+
+### Query format requirements
+
+| Query format | Alerting support | Notes                                    |
+| ------------ | ---------------- | ---------------------------------------- |
+| Time series  | Yes              | Required for alerting                    |
+| Table        | No               | Convert to time series format for alerts |
+
+## Create an alert rule
+
+To create an alert rule using MySQL:
+
+1. Navigate to **Alerting** > **Alert rules**.
+1. Click **New alert rule**.
+1. Enter a name for the alert rule.
+1. Select your **MySQL** data source.
+1. Build your query using the query editor:
+   - Set the **Format** to **Time series**
+   - Include a time column using the `$__time()` or `$__timeGroup()` macro
+   - Add numeric columns for the values to monitor
+   - Use `$__timeFilter()` to filter data by the dashboard time range
+1. Configure the alert condition (for example, when the average is above a threshold).
+1. Set the evaluation interval and pending period.
+1. Configure notifications and labels.
+1. Click **Save rule**.
+
+For detailed instructions, refer to [Create a Grafana-managed alert rule](ref:create-alert-rule).
+
+## Example alert queries
+
+The following examples show common alerting scenarios with MySQL.
+
+### Alert on high error count
+
+Monitor the number of errors over time:
+
+```sql
+SELECT
+  $__timeGroup(created_at, '1m') AS time,
+  COUNT(*) AS error_count
+FROM error_logs
+WHERE $__timeFilter(created_at)
+  AND level = 'error'
+GROUP BY time
+ORDER BY time
+```
+
+**Condition:** When error_count is above 100.
+
+### Alert on average response time
+
+Monitor API response times:
+
+```sql
+SELECT
+  $__timeGroup(request_time, '5m') AS time,
+  AVG(response_time_ms) AS avg_response_time
+FROM api_requests
+WHERE $__timeFilter(request_time)
+GROUP BY time
+ORDER BY time
+```
+
+**Condition:** When avg_response_time is above 500 (milliseconds).
+
+### Alert on low order volume
+
+Detect drops in order activity:
+
+```sql
+SELECT
+  $__timeGroup(order_date, '1h') AS time,
+  COUNT(*) AS order_count
+FROM orders
+WHERE $__timeFilter(order_date)
+GROUP BY time
+ORDER BY time
+```
+
+**Condition:** When order_count is below 10.
+
+### Alert on disk usage percentage
+
+Monitor database storage metrics:
+
+```sql
+SELECT
+  $__timeGroup(recorded_at, '5m') AS time,
+  AVG(disk_used_percent) AS disk_usage
+FROM system_metrics
+WHERE $__timeFilter(recorded_at)
+  AND metric_type = 'disk'
+GROUP BY time
+ORDER BY time
+```
+
+**Condition:** When disk_usage is above 85.
+
+## Limitations
+
+When using MySQL with Grafana Alerting, be aware of the following limitations:
+
+### Template variables not supported
+
+Alert queries cannot contain template variables. Grafana evaluates alert rules on the backend without dashboard context, so variables like `$hostname` or `$environment` won't be resolved.
+
+If your dashboard query uses template variables, create a separate query for alerting with hard coded values.
+
+### Table format not supported
+
+Queries using the **Table** format cannot be used for alerting. Set the query format to **Time series** and ensure your query returns a time column.
+
+### Query timeout
+
+Complex queries with large datasets may timeout during alert evaluation. Optimize queries for alerting by:
+
+- Adding appropriate `WHERE` clauses to limit data
+- Using indexes on time and filter columns
+- Reducing the time range evaluated
+
+## Best practices
+
+Follow these best practices when creating MySQL alerts:
+
+- **Use time series format:** Always set the query format to Time series for alert queries.
+- **Include time filters:** Use the `$__timeFilter()` macro to limit data to the evaluation window.
+- **Optimize queries:** Add indexes on columns used in `WHERE` clauses and `GROUP BY`.
+- **Test queries first:** Verify your query returns expected results in Explore before creating an alert.
+- **Set realistic thresholds:** Base alert thresholds on historical data patterns.
+- **Use meaningful names:** Give alert rules descriptive names that indicate what they monitor.

docs/sources/datasources/mysql/annotations/index.md

@@ -0,0 +1,163 @@
+---
+description: Using annotations with MySQL in Grafana
+keywords:
+  - grafana
+  - mysql
+  - annotations
+  - events
+labels:
+  products:
+    - cloud
+    - enterprise
+    - oss
+menuTitle: Annotations
+title: MySQL annotations
+weight: 340
+refs:
+  annotate-visualizations:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/build-dashboards/annotate-visualizations/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/build-dashboards/annotate-visualizations/
+---
+
+# MySQL annotations
+
+Annotations overlay event data on your dashboard graphs, helping you correlate events with metrics.
+You can use MySQL as a data source for annotations to display events such as deployments, alerts, or other significant occurrences on your visualizations.
+
+For general information about annotations, refer to [Annotate visualizations](ref:annotate-visualizations).
+
+## Before you begin
+
+Before creating MySQL annotations, ensure you have:
+
+- A MySQL data source configured in Grafana.
+- Tables containing event data with timestamp fields.
+- Read access to the tables containing your events.
+
+## Create an annotation query
+
+To add a MySQL annotation to your dashboard:
+
+1. Navigate to your dashboard and click **Dashboard settings** (gear icon).
+1. Select **Annotations** in the left menu.
+1. Click **Add annotation query**.
+1. Enter a **Name** for the annotation.
+1. Select your **MySQL** data source from the **Data source** drop-down.
+1. Write a SQL query that returns the required columns.
+1. Click **Save dashboard**.
+
+## Query columns
+
+Your annotation query must return a `time` column and can optionally include `timeend`, `text`, and `tags` columns.
+
+| Column    | Required | Description                                                                                   |
+| --------- | -------- | --------------------------------------------------------------------------------------------- |
+| `time`    | Yes      | The timestamp for the annotation. Can be a SQL datetime or UNIX epoch value.                  |
+| `timeend` | No       | The end timestamp for range annotations. Creates a shaded region instead of a vertical line.  |
+| `text`    | No       | The annotation description displayed when you hover over the annotation.                      |
+| `tags`    | No       | Tags for the annotation as a comma-separated string. Helps categorize and filter annotations. |
+
+## Example queries
+
+The following examples show common annotation query patterns.
+
+### Basic annotation with epoch time
+
+Display events using UNIX epoch timestamps:
+
+```sql
+SELECT
+  epoch_time as time,
+  description as text,
+  CONCAT(tag1, ',', tag2) as tags
+FROM events
+WHERE $__unixEpochFilter(epoch_time)
+```
+
+### Annotation with a single tag
+
+Display events with a single tag value:
+
+```sql
+SELECT
+  epoch_time as time,
+  message as text,
+  category as tags
+FROM event_log
+WHERE $__unixEpochFilter(epoch_time)
+```
+
+### Range annotation with start and end time
+
+Display events with duration as shaded regions:
+
+```sql
+SELECT
+  start_time as time,
+  end_time as timeend,
+  description as text,
+  CONCAT(type, ',', severity) as tags
+FROM incidents
+WHERE $__unixEpochFilter(start_time)
+```
+
+### Annotation with native SQL datetime
+
+Display events using native MySQL datetime columns:
+
+```sql
+SELECT
+  event_date as time,
+  message as text,
+  CONCAT(category, ',', priority) as tags
+FROM system_events
+WHERE $__timeFilter(event_date)
+```
+
+### Deployment annotations
+
+Display deployment events:
+
+```sql
+SELECT
+  deployed_at as time,
+  CONCAT('Deployed ', version, ' to ', environment) as text,
+  environment as tags
+FROM deployments
+WHERE $__timeFilter(deployed_at)
+```
+
+### Maintenance window annotations
+
+Display maintenance windows as range annotations:
+
+```sql
+SELECT
+  start_time as time,
+  end_time as timeend,
+  CONCAT('Maintenance: ', description) as text,
+  'maintenance' as tags
+FROM maintenance_windows
+WHERE $__timeFilter(start_time)
+```
+
+## Macros
+
+Use these macros in your annotation queries to filter by the dashboard time range:
+
+| Macro                        | Description                                                      |
+| ---------------------------- | ---------------------------------------------------------------- |
+| `$__timeFilter(column)`      | Filters by time range using a native SQL datetime column.        |
+| `$__unixEpochFilter(column)` | Filters by time range using a column with UNIX epoch timestamps. |
+
+## Best practices
+
+Follow these best practices when creating MySQL annotations:
+
+- **Use time filters:** Always include `$__timeFilter()` or `$__unixEpochFilter()` to limit results to the dashboard time range.
+- **Keep queries efficient:** Add indexes on time columns and filter columns to improve query performance.
+- **Use meaningful text:** Include descriptive information in the `text` column to make annotations useful.
+- **Organize with tags:** Use consistent tag values to categorize annotations and enable filtering.
+- **Test queries first:** Verify your query returns expected results in Explore before adding it as an annotation.

docs/sources/datasources/mysql/configure/_index.md

@@ -1,4 +1,6 @@
 ---
+aliases:
+  - ../configuration/
 description: This document provides instructions for configuring the MySQL data source and explains available configuration options.
 keywords:
   - grafana
@@ -10,7 +12,7 @@ labels:
     - cloud
     - enterprise
     - oss
-menuTitle: Configure the MySQL data source
+menuTitle: Configure
 title: Configure the MySQL data source
 weight: 10
 refs:
@@ -34,6 +36,41 @@ refs:
       destination: /docs/grafana/<GRAFANA_VERSION>/administration/data-source-management/
     - pattern: /docs/grafana-cloud/
       destination: /docs/grafana/<GRAFANA_VERSION>/administration/data-source-management/
+  mysql-query-editor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/query-editor/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/query-editor/
+  annotate-visualizations:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/build-dashboards/annotate-visualizations/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana-cloud/visualizations/dashboards/build-dashboards/annotate-visualizations/
+  alerting:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana-cloud/alerting-and-irm/alerting/
+  mysql-alerting:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/alerting/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/alerting/
+  mysql-annotations:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/annotations/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/annotations/
+  mysql-troubleshoot:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/troubleshooting/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/troubleshooting/
+  mysql-template-variables:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/template-variables/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/template-variables/
 ---
 
 # Configure the MySQL data source
@@ -42,24 +79,35 @@ This document provides instructions for configuring the MySQL data source and ex
 
 ## Before you begin
 
-You must have the `Organization administrator` role in order to configure the MySQL data source.
-Administrators can also [configure the data source via YAML](#provision-the-data-source) with Grafana's provisioning system.
+Before configuring the MySQL data source, ensure you have the following:
+
+- **Grafana permissions:** You must have the `Organization administrator` role to configure data sources. Organization administrators can also [configure the data source via YAML](#provision-the-data-source) with the Grafana provisioning system.
+
+- **A running MySQL instance:** MySQL 5.7 or newer, MariaDB 10.2 or newer, or a compatible MySQL-based database such as Percona Server.
+
+- **Network access:** Grafana must be able to reach your MySQL server. The default port is `3306`.
+
+- **Authentication credentials:** A MySQL user with at least `SELECT` permissions on the databases and tables you want to query.
+
+- **Security certificates:** If using encrypted connections, gather any necessary TLS/SSL certificates.
 
 {{< admonition type="note" >}}
-Grafana ships with the MySQL data source by default, so no additional installation is required.
+Grafana ships with a built-in MySQL data source plugin. No additional installation is required.
 {{< /admonition >}}
 
-{{< admonition type="caution" >}}
-When adding a data source, ensure the database user you specify has only `SELECT` permissions on the relevant database and tables. Grafana does not validate the safety of queries, which means they can include potentially harmful SQL statements, such as `USE otherdb;` or `DROP TABLE user;`, which could get executed.
-
-To minimize this risk, Grafana strongly recommends creating a dedicated MySQL user with restricted permissions.
+{{< admonition type="tip" >}}
+**Grafana Cloud users:** If your MySQL server is in a private network, you can configure [Private data source connect](https://grafana.com/docs/grafana-cloud/connect-externally-hosted/private-data-source-connect/) to establish connectivity.
 {{< /admonition >}}
 
-Example:
+### Database user permissions
+
+When adding a data source, ensure the database user you specify has only `SELECT` permissions on the relevant database and tables. Grafana doesn't validate the safety of queries, which means they can include potentially harmful SQL statements, such as `USE otherdb;` or `DROP TABLE user;`, which could get executed.
+
+To minimize this risk, Grafana strongly recommends creating a dedicated MySQL user with restricted permissions:
 
 ```sql
- CREATE USER 'grafanaReader' IDENTIFIED BY 'password';
- GRANT SELECT ON mydatabase.mytable TO 'grafanaReader';
+CREATE USER 'grafanaReader' IDENTIFIED BY 'password';
+GRANT SELECT ON mydatabase.mytable TO 'grafanaReader';
 ```
 
 Use wildcards (`*`) in place of a database or table if you want to grant access to more databases and tables.
@@ -213,3 +261,46 @@ datasources:
       tlsClientCert: ${GRAFANA_TLS_CLIENT_CERT}
       tlsCACert: ${GRAFANA_TLS_CA_CERT}
 ```
+
+## Configure with Terraform
+
+You can configure the MySQL data source using [Terraform](https://www.terraform.io/) with the [Grafana Terraform provider](https://registry.terraform.io/providers/grafana/grafana/latest/docs).
+
+For more information about provisioning resources with Terraform, refer to the [Grafana as code using Terraform](https://grafana.com/docs/grafana-cloud/developer-resources/infrastructure-as-code/terraform/) documentation.
+
+### Terraform example
+
+The following example creates a basic MySQL data source:
+
+```hcl
+resource "grafana_data_source" "mysql" {
+  name = "MySQL"
+  type = "mysql"
+  url  = "localhost:3306"
+  user = "grafana"
+
+  json_data_encoded = jsonencode({
+    database         = "grafana"
+    maxOpenConns     = 100
+    maxIdleConns     = 100
+    maxIdleConnsAuto = true
+    connMaxLifetime  = 14400
+  })
+
+  secure_json_data_encoded = jsonencode({
+    password = "password"
+  })
+}
+```
+
+For all available configuration options, refer to the [Grafana provider data source resource documentation](https://registry.terraform.io/providers/grafana/grafana/latest/docs/resources/data_source).
+
+## Next steps
+
+After configuring your MySQL data source, you can:
+
+- [Write queries](ref:mysql-query-editor) using the query editor to explore and visualize your data.
+- [Use template variables](ref:mysql-template-variables) to create dynamic, reusable dashboards.
+- [Add annotations](ref:mysql-annotations) to overlay MySQL events on your graphs.
+- [Set up alerting](ref:mysql-alerting) to create alert rules based on your MySQL data.
+- [Troubleshoot issues](ref:mysql-troubleshoot) if you encounter problems with your data source.

docs/sources/datasources/mysql/query-editor/_index.md

@@ -9,7 +9,7 @@ labels:
     - cloud
     - enterprise
     - oss
-menuTitle: MySQL query editor
+menuTitle: Query editor
 title: MySQL query editor
 weight: 30
 refs:
@@ -61,6 +61,21 @@ refs:
   configure-standard-options:
     - pattern: /docs/grafana/
     - destination: /docs/grafana/<GRAFANA_VERSION>/panels-visualizations/configure-standard-options/
+  mysql-template-variables:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/template-variables/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/template-variables/
+  mysql-alerting:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/alerting/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/alerting/
+  mysql-annotations:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/annotations/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/annotations/
 ---
 
 # MySQL query editor
@@ -305,171 +320,20 @@ Table panel result:
 
 The query returns multiple columns representing minimum and maximum values within the defined range.
 
-## Templating
+## Template variables
 
-Instead of hardcoding values like server, application, or sensor names in your metric queries, you can use variables. Variables appear as drop-down select boxes at the top of the dashboard. These drop-downs make it easy to change the data being displayed in your dashboard.
+Instead of hard-coding values like server, application, or sensor names in your metric queries, you can use variables. Variables appear as drop-down select boxes at the top of the dashboard, making it easy to change the data displayed in your dashboard.
 
-Refer to [Templates](ref:variables) for an introduction to creating template variables as well as the different types.
-
-### Query variable
-
-If you add a `Query` template variable you can write a MySQL query to retrieve items such as measurement names, key names, or key values, which will be displayed in the drop-down menu.
-
-For example, you can use a variable to retrieve all the values from the `hostname` column in a table by creating the following query in the templating variable _Query_ setting.
-
-```sql
-SELECT hostname FROM my_host
-```
-
-A query can return multiple columns, and Grafana will automatically generate a list based on the query results. For example, the following query returns a list with values from `hostname` and `hostname2`.
-
-```sql
-SELECT my_host.hostname, my_other_host.hostname2 FROM my_host JOIN my_other_host ON my_host.city = my_other_host.city
-```
-
-To use time range dependent macros like `$__timeFilter(column)` in your query,you must set the template variable's refresh mode to _On Time Range Change_.
-
-```sql
-SELECT event_name FROM event_log WHERE $__timeFilter(time_column)
-```
-
-Another option is a query that can create a key/value variable. The query should return two columns that are named `__text` and `__value`. The `__text` column must contain unique values (if not, only the first value is used). This allows the drop-down options to display a text-friendly name as the text while using an ID as the value. For example, a query could use `hostname` as the text and `id` as the value:
-
-```sql
-SELECT hostname AS __text, id AS __value FROM my_host
-```
-
-You can also create nested variables. For example, if you have a variable named `region`, you can configure the `hosts` variable to display only the hosts within the currently selected region as shown in the following example. If `region` is a multi-value variable, use the `IN` operator instead of `=` to match multiple values.
-
-```sql
-SELECT hostname FROM my_host  WHERE region IN($region)
-```
-
-#### Use `__searchFilter` to filter results in a query variable
-
-Using `__searchFilter` in the query field allows the query results to be filtered based on the user’s input in the drop-down selection box. If you do not enter anything, the default value for `__searchFilter` is %
-
-Note that you must enclose the `__searchFilter` expression in quotes as Grafana does not add them automatically.
-
-The following example demonstrates how to use `__searchFilter` in the query field to enable real-time searching for `hostname` as the user type in the drop-down selection box.
-
-```sql
-SELECT hostname FROM my_host  WHERE hostname LIKE '$__searchFilter'
-```
-
-### Using variables in queries
-
-Template variable values are only quoted when the template variable is a `multi-value`.
-
-If the variable is a multi-value variable, use the `IN` comparison operator instead of `=` to match against multiple values.
-
-You can use two different syntaxes:
-
-`$<varname>` Example with a template variable named `hostname`:
-
-```sql
-SELECT
-  UNIX_TIMESTAMP(atimestamp) as time,
-  aint as value,
-  avarchar as metric
-FROM my_table
-WHERE $__timeFilter(atimestamp) and hostname in($hostname)
-ORDER BY atimestamp ASC
-```
-
-`[[varname]]` Example with a template variable named `hostname`:
-
-```sql
-SELECT
-  UNIX_TIMESTAMP(atimestamp) as time,
-  aint as value,
-  avarchar as metric
-FROM my_table
-WHERE $__timeFilter(atimestamp) and hostname in([[hostname]])
-ORDER BY atimestamp ASC
-```
-
-#### Disabling quoting for multi-value variables
-
-Grafana automatically creates a quoted, comma-separated string for multi-value variables. For example: if `server01` and `server02` are selected then it will be formatted as: `'server01', 'server02'`. To disable quoting, use the csv formatting option for variables:
-
-Grafana automatically formats multi-value variables as a quoted, comma-separated string. For example, if `server01` and `server02` are selected, they are formatted as `'server01'`, `'server02'`. To remove the quotes, enable the CSV formatting option for the variables.
-
-`${servers:csv}`
-
-Read more about variable formatting options in the [Variables](ref:variable-syntax-advanced-variable-format-options) documentation.
+For detailed information on using template variables with MySQL, refer to [MySQL template variables](ref:mysql-template-variables).
 
 ## Annotations
 
-[Annotations](ref:annotate-visualizations) allow you to overlay rich event information on top of graphs. You add annotation queries via the **Dashboard settings > Annotations view**.
+Annotations allow you to overlay event information on your graphs, helping you correlate events with metrics. You can write SQL queries that return event data to display as annotations on your dashboards.
 
-**Example query using a`time` column with epoch values:**
-
-```sql
-SELECT
-  epoch_time as time,
-  metric1 as text,
-  CONCAT(tag1, ',', tag2) as tags
-FROM
-  public.test_data
-WHERE
-  $__unixEpochFilter(epoch_time)
-```
-
-You may use one or more tags to show them as annotations in a common-separate string.
-
-**Example query using a `time` column with epoch values for a single tag:**
-
-```sql
-SELECT
-  epoch_time as time,
-  metric1 as text,
-  tag1 as tag
-FROM
-  my_data
-WHERE
-  $__unixEpochFilter(epoch_time)
-```
-
-**Example region query using `time` and `timeend` columns with epoch values:**
-
-```sql
-SELECT
-  epoch_time as time,
-  epoch_timeend as timeend,
-  metric1 as text,
-  CONCAT(tag1, ',', tag2) as tags
-FROM
-  public.test_data
-WHERE
-  $__unixEpochFilter(epoch_time)
-```
-
-**Example query using a `time` column with a native SQL date/time data type:**
-
-```sql
-SELECT
-  native_date_time as time,
-  metric1 as text,
-  CONCAT(tag1, ',', tag2) as tags
-FROM
-  public.test_data
-WHERE
-  $__timeFilter(native_date_time)
-```
-
-| Name      | Description                                                                                                           |
-| --------- | --------------------------------------------------------------------------------------------------------------------- |
-| `time`    | The name of the date/time field, which can be a column with a native SQL date/time data type or epoch value.          |
-| `timeend` | Optional name of the end date/time field, which can be a column with a native SQL date/time data type or epoch value. |
-| `text`    | Event description field.                                                                                              |
-| `tags`    | Optional field name to use for event tags as a comma separated string.                                                |
+For detailed information on creating annotations with MySQL, refer to [MySQL annotations](ref:mysql-annotations).
 
 ## Alerting
 
-Use time series queries to create alerts. Table formatted queries aren't yet supported in alert rule conditions.
+You can use time series queries to create Grafana-managed alert rules. Table formatted queries are not supported in alert rule conditions.
 
-For more information regarding alerting refer to the following:
-
-- [Alert rules](ref:alert-rules)
-- [Template annotations and labels](ref:template-annotations-and-labels)
+For detailed information on creating alerts with MySQL, refer to [MySQL alerting](ref:mysql-alerting).

docs/sources/datasources/mysql/template-variables/index.md

@@ -0,0 +1,146 @@
+---
+description: Using template variables with MySQL in Grafana
+keywords:
+  - grafana
+  - mysql
+  - templates
+  - variables
+  - queries
+labels:
+  products:
+    - cloud
+    - enterprise
+    - oss
+menuTitle: Template variables
+title: MySQL template variables
+weight: 300
+refs:
+  variables:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/variables/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/variables/
+  variable-syntax-advanced-variable-format-options:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/variables/variable-syntax/#advanced-variable-format-options
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/variables/variable-syntax/#advanced-variable-format-options
+  add-template-variables:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/variables/add-template-variables/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/variables/add-template-variables/
+---
+
+# MySQL template variables
+
+Instead of hard-coding details such as server, application, and sensor names in metric queries, you can use variables.
+Grafana displays these variables in drop-down select boxes at the top of the dashboard to help you change the data displayed in your dashboard.
+Grafana refers to such variables as **template variables**.
+
+For an introduction to templating and template variables, refer to [Templating](ref:variables) and [Add and manage variables](ref:add-template-variables).
+
+## Query variable
+
+A query variable in Grafana dynamically retrieves values from your data source using a query. With a query variable, you can write a SQL query that returns values such as measurement names, key names, or key values that are shown in a drop-down select box.
+
+For example, the following query returns all values from the `hostname` column:
+
+```sql
+SELECT hostname FROM my_host
+```
+
+A query can return multiple columns, and Grafana automatically generates a list using the values from those columns. For example, the following query returns values from both the `hostname` and `hostname2` columns, which are included in the variable's drop-down list.
+
+```sql
+SELECT my_host.hostname, my_other_host.hostname2 FROM my_host JOIN my_other_host ON my_host.city = my_other_host.city
+```
+
+To use time range dependent macros like `$__timeFilter(column)` in your query, you must set the template variable's refresh mode to **On Time Range Change**.
+
+```sql
+SELECT event_name FROM event_log WHERE $__timeFilter(time_column)
+```
+
+### Key/value variables
+
+You can create a key/value variable using a query that returns two columns named `__text` and `__value`.
+
+- The `__text` column defines the label shown in the drop-down.
+- The `__value` column defines the value passed to panel queries.
+
+This is useful when you want to display a user-friendly label (like a hostname) but use a different underlying value (like an ID).
+
+Note that the values in the `__text` column should be unique. If there are duplicates, Grafana uses only the first matching entry.
+
+```sql
+SELECT hostname AS __text, id AS __value FROM my_host
+```
+
+### Nested variables
+
+You can create nested variables, where one variable depends on the value of another. For example, if you have a variable named `region`, you can configure a `hosts` variable to only show hosts from the selected region. If `region` is a multi-value variable, use the `IN` operator instead of `=` to match against multiple selected values.
+
+```sql
+SELECT hostname FROM my_host WHERE region IN($region)
+```
+
+### Filter results with `__searchFilter`
+
+Using `__searchFilter` in the query field allows the query results to be filtered based on the user's input in the drop-down selection box. If you don't enter anything, the default value for `__searchFilter` is `%`.
+
+Note that you must enclose the `__searchFilter` expression in quotes as Grafana doesn't add them automatically.
+
+The following example demonstrates how to use `__searchFilter` in the query field to enable real-time searching for `hostname` as the user types in the drop-down selection box.
+
+```sql
+SELECT hostname FROM my_host WHERE hostname LIKE '$__searchFilter'
+```
+
+## Use variables in queries
+
+Grafana automatically quotes template variable values only when the template variable is a `multi-value`.
+
+When using a multi-value variable, use the `IN` comparison operator instead of `=` to match against multiple values.
+
+Grafana supports two syntaxes for using variables in queries:
+
+- **`$<varname>` syntax**
+
+Example with a template variable named `hostname`:
+
+```sql
+SELECT
+  UNIX_TIMESTAMP(atimestamp) as time,
+  aint as value,
+  avarchar as metric
+FROM my_table
+WHERE $__timeFilter(atimestamp) and hostname in($hostname)
+ORDER BY atimestamp ASC
+```
+
+- **`[[varname]]` syntax**
+
+Example with a template variable named `hostname`:
+
+```sql
+SELECT
+  UNIX_TIMESTAMP(atimestamp) as time,
+  aint as value,
+  avarchar as metric
+FROM my_table
+WHERE $__timeFilter(atimestamp) and hostname in([[hostname]])
+ORDER BY atimestamp ASC
+```
+
+### Disable quoting for multi-value variables
+
+By default, Grafana formats multi-value variables as a quoted, comma-separated string. For example, if `server01` and `server02` are selected, the result will be `'server01'`, `'server02'`. To disable quoting, use the `csv` formatting option for variables:
+
+```text
+${servers:csv}
+```
+
+This outputs the values as an unquoted comma-separated list.
+
+Refer to [Advanced variable format options](ref:variable-syntax-advanced-variable-format-options) for additional information.

docs/sources/datasources/mysql/troubleshoot/index.md

@@ -1,80 +0,0 @@
----
-description: Learn how to troubleshoot common problems with the Grafana MySQL data source plugin
-keywords:
-  - grafana
-  - mysql
-  - query
-labels:
-  products:
-    - cloud
-    - enterprise
-    - oss
-menuTitle: Troubleshoot
-title: Troubleshoot common problems with the Grafana MySQL data source plugin
-weight: 40
-refs:
-  variables:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/variables/
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana-cloud/visualizations/dashboards/variables/
-  variable-syntax-advanced-variable-format-options:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/variables/variable-syntax/#advanced-variable-format-options
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana-cloud/visualizations/dashboards/variables/variable-syntax/#advanced-variable-format-options
-  annotate-visualizations:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/build-dashboards/annotate-visualizations/
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana-cloud/visualizations/dashboards/build-dashboards/annotate-visualizations/
-  explore:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/explore/
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana/<GRAFANA_VERSION>/explore/
-  query-transform-data:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/panels-visualizations/query-transform-data/
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana-cloud/visualizations/panels-visualizations/query-transform-data/
-  panel-inspector:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/panels-visualizations/panel-inspector/
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana-cloud/visualizations/panels-visualizations/panel-inspector/
-  query-editor:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/panels-visualizations/query-transform-data/#query-editors
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana-cloud/visualizations/panels-visualizations/query-transform-data/#query-editors
-  alert-rules:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/fundamentals/alert-rules/
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana-cloud/alerting-and-irm/alerting/alerting-rules/
-  template-annotations-and-labels:
-    - pattern: /docs/grafana/
-      destination: /docs/grafana/<GRAFANA_VERSION>/alerting/alerting-rules/templates/
-    - pattern: /docs/grafana-cloud/
-      destination: /docs/grafana-cloud/alerting-and-irm/alerting/alerting-rules/templates/
-  configure-standard-options:
-    - pattern: /docs/grafana/
-    - destination: /docs/grafana/<GRAFANA_VERSION>/panels-visualizations/configure-standard-options/
----
-
-# Troubleshoot common problems with the Grafana MySQL data source plugin
-
-This page lists common issues you might experience when setting up the Grafana MySQL data source plugin.
-
-### My data source connection fails when using the Grafana MySQL data source plugin
-
-- Check if the MySQL server is up and running.
-- Make sure that your firewall is open for MySQL server (default port is `3306`).
-- Ensure that you have the correct permissions to access the MySQL server and also have permission to access the database.
-- If the error persists, create a new user for the Grafana MySQL data source plugin with correct permissions and try to connect with it.
-
-### What should I do if I see "An unexpected error happened" or "Could not connect to MySQL" after trying all of the above?
-
-- Check the Grafana logs for more details about the error.
-- For Grafana Cloud customers, contact support.

docs/sources/datasources/mysql/troubleshooting/index.md

@@ -0,0 +1,370 @@
+---
+aliases:
+  - ../troubleshoot/
+description: Troubleshoot common problems with the MySQL data source in Grafana
+keywords:
+  - grafana
+  - mysql
+  - troubleshooting
+  - errors
+labels:
+  products:
+    - cloud
+    - enterprise
+    - oss
+menuTitle: Troubleshooting
+title: Troubleshoot MySQL data source issues
+weight: 400
+refs:
+  configure-mysql-data-source:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/configure/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/configure/
+  mysql-query-editor:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/query-editor/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana/<GRAFANA_VERSION>/datasources/mysql/query-editor/
+  private-data-source-connect:
+    - pattern: /docs/grafana/
+      destination: /docs/grafana-cloud/connect-externally-hosted/private-data-source-connect/
+    - pattern: /docs/grafana-cloud/
+      destination: /docs/grafana-cloud/connect-externally-hosted/private-data-source-connect/
+---
+
+# Troubleshoot MySQL data source issues
+
+This document provides solutions to common issues you may encounter when configuring or using the MySQL data source in Grafana.
+
+## Connection errors
+
+These errors occur when Grafana cannot establish or maintain a connection to the MySQL server.
+
+### Unable to connect to the server
+
+**Error message:** "dial tcp: connection refused" or "Could not connect to MySQL"
+
+**Cause:** Grafana cannot establish a network connection to the MySQL server.
+
+**Solution:**
+
+1. Verify that the MySQL server is running and accessible.
+1. Check that the host and port are correct in the data source configuration. The default MySQL port is `3306`.
+1. Ensure there are no firewall rules blocking the connection between Grafana and MySQL.
+1. Verify that MySQL is configured to allow remote connections by checking the `bind-address` setting in your MySQL configuration.
+1. For Grafana Cloud, ensure you have configured [Private data source connect](ref:private-data-source-connect) if your MySQL instance isn't publicly accessible.
+
+### Connection timeout
+
+**Error message:** "Connection timed out" or "I/O timeout"
+
+**Cause:** The connection to MySQL timed out before receiving a response.
+
+**Solution:**
+
+1. Check the network latency between Grafana and MySQL.
+1. Verify that MySQL isn't overloaded or experiencing performance issues.
+1. Check if any network devices (load balancers, proxies) are timing out the connection.
+1. Increase the `wait_timeout` setting in MySQL if connections are timing out during idle periods.
+
+### TLS/SSL connection failures
+
+**Error message:** "TLS handshake failed" or "x509: certificate verify failed"
+
+**Cause:** There is a mismatch between the TLS settings in Grafana and what the MySQL server supports or requires.
+
+**Solution:**
+
+1. Verify that the MySQL server has a valid SSL certificate if encryption is enabled.
+1. Check that the certificate is trusted by the Grafana server.
+1. If using a self-signed certificate, enable **With CA Cert** and provide the root certificate under **TLS/SSL Root Certificate**.
+1. To bypass certificate validation (not recommended for production), enable **Skip TLS Verification** in the data source configuration.
+1. Ensure the SSL certificate hasn't expired.
+
+### Connection reset by peer
+
+**Error message:** "Connection reset by peer" or "EOF"
+
+**Cause:** The MySQL server closed the connection unexpectedly.
+
+**Solution:**
+
+1. Check the `max_connections` setting on the MySQL server to ensure it isn't being exceeded.
+1. Verify the `wait_timeout` and `interactive_timeout` settings in MySQL aren't set too low.
+1. Increase the **Max lifetime** setting in Grafana's data source configuration to be lower than MySQL's `wait_timeout`.
+1. Check MySQL server logs for any errors or connection-related messages.
+
+## Authentication errors
+
+These errors occur when there are issues with authentication credentials or permissions.
+
+### Access denied for user
+
+**Error message:** "Access denied for user 'username'@'host'" or "Authentication failed"
+
+**Cause:** The authentication credentials are invalid or the user doesn't have permission to connect from the Grafana server's host.
+
+**Solution:**
+
+1. Verify that the username and password are correct.
+1. Check that the user exists in MySQL and is enabled.
+1. Ensure the user has permission to connect from the Grafana server's IP address. MySQL restricts access based on the connecting host:
+
+   ```sql
+   SELECT user, host FROM mysql.user WHERE user = 'your_user';
+   ```
+
+1. If necessary, create a user that can connect from the Grafana server:
+
+   ```sql
+   CREATE USER 'grafana'@'grafana_server_ip' IDENTIFIED BY 'password';
+   ```
+
+1. If using the `mysql_native_password` authentication plugin, ensure it's enabled on the server.
+
+### Cannot access database
+
+**Error message:** "Access denied for user 'username'@'host' to database 'dbname'"
+
+**Cause:** The authenticated user doesn't have permission to access the specified database.
+
+**Solution:**
+
+1. Verify that the database name is correct in the data source configuration.
+1. Ensure the user has the required permissions on the database:
+
+   ```sql
+   GRANT SELECT ON your_database.* TO 'grafana'@'grafana_server_ip';
+   FLUSH PRIVILEGES;
+   ```
+
+1. For production environments, grant permissions only on specific tables:
+
+   ```sql
+   GRANT SELECT ON your_database.your_table TO 'grafana'@'grafana_server_ip';
+   ```
+
+### PAM authentication issues
+
+**Error message:** "Authentication plugin 'auth_pam' cannot be loaded" or cleartext password errors
+
+**Cause:** PAM (Pluggable Authentication Modules) authentication requires cleartext password transmission.
+
+**Solution:**
+
+1. Enable **Allow Cleartext Passwords** in the data source configuration if using PAM authentication.
+1. Ensure TLS is enabled to protect password transmission when using cleartext passwords.
+1. Verify that the PAM plugin is correctly installed and configured on the MySQL server.
+
+## Query errors
+
+These errors occur when there are issues with query syntax or configuration.
+
+### Time column not found or invalid
+
+**Error message:** "Could not find time column" or time series visualization shows no data
+
+**Cause:** The query doesn't return a properly formatted `time` column for time series visualization.
+
+**Solution:**
+
+1. Ensure your query includes a column named `time` when using the **Time series** format.
+1. Use the `$__time()` macro to convert your date column: `$__time(your_date_column)`.
+1. Verify the time column is of a valid MySQL date/time type (`DATETIME`, `TIMESTAMP`, `DATE`) or contains Unix epoch values.
+1. Ensure the result set is sorted by the time column using `ORDER BY`.
+
+### Macro expansion errors
+
+**Error message:** "Error parsing query" or macros appear unexpanded in the query
+
+**Cause:** Grafana macros are being used incorrectly.
+
+**Solution:**
+
+1. Verify macro syntax: use `$__timeFilter(column)` not `$_timeFilter(column)`.
+1. Check that the column name passed to macros exists in your table.
+1. View the expanded query by clicking **Generated SQL** after running the query to debug macro expansion.
+1. Ensure backticks are used for reserved words or special characters in column names: `$__timeFilter(\`time-column\`)`.
+
+### Timezone and time shift issues
+
+**Cause:** Time series data appears shifted or doesn't align with expected times.
+
+**Solution:**
+
+1. Store timestamps in UTC in your database to avoid timezone issues.
+1. Time macros (`$__time`, `$__timeFilter`, etc.) always expand to UTC values.
+1. Set the **Session Timezone** in the data source configuration to match your data's timezone, or use `+00:00` for UTC.
+1. If your timestamps are stored in local time, convert them to UTC in your query:
+
+   ```sql
+   SELECT
+     CONVERT_TZ(your_datetime_column, 'Your/Timezone', 'UTC') AS time,
+     value
+   FROM your_table
+   ```
+
+### Query returns too many rows
+
+**Error message:** "Result set too large" or browser becomes unresponsive
+
+**Cause:** The query returns more data than can be efficiently processed.
+
+**Solution:**
+
+1. Add time filters using `$__timeFilter(column)` to limit data to the dashboard time range.
+1. Use aggregations (`AVG`, `SUM`, `COUNT`) with `GROUP BY` instead of returning raw rows.
+1. Add a `LIMIT` clause to restrict results: `SELECT ... LIMIT 1000`.
+1. Use the `$__timeGroup()` macro to aggregate data into time intervals.
+
+### Syntax error in SQL statement
+
+**Error message:** "You have an error in your SQL syntax" followed by specific error details
+
+**Cause:** The SQL query contains invalid syntax.
+
+**Solution:**
+
+1. Check for missing or extra commas, parentheses, or quotes.
+1. Ensure reserved words used as identifiers are enclosed in backticks: `` `table` ``, `` `select` ``.
+1. Verify that template variable syntax is correct: `$variable` or `${variable}`.
+1. Test the query directly in a MySQL client to isolate Grafana-specific issues.
+
+### Unknown column in field list
+
+**Error message:** "Unknown column 'column_name' in 'field list'"
+
+**Cause:** The specified column doesn't exist in the table or is misspelled.
+
+**Solution:**
+
+1. Verify the column name is spelled correctly.
+1. Check that the column exists in the specified table.
+1. If the column name contains special characters or spaces, enclose it in backticks: `` `column-name` ``.
+1. Ensure the correct database is selected if you're referencing columns without the full table path.
+
+## Performance issues
+
+These issues relate to slow queries or high resource usage.
+
+### Slow query execution
+
+**Cause:** Queries take a long time to execute.
+
+**Solution:**
+
+1. Reduce the dashboard time range to limit data volume.
+1. Add indexes to columns used in `WHERE` clauses and time filters:
+
+   ```sql
+   CREATE INDEX idx_time ON your_table(time_column);
+   ```
+
+1. Use aggregations instead of returning individual rows.
+1. Increase the **Min time interval** setting to reduce the number of data points.
+1. Review the query execution plan using `EXPLAIN` to identify bottlenecks:
+
+   ```sql
+   EXPLAIN SELECT * FROM your_table WHERE time_column > NOW() - INTERVAL 1 HOUR;
+   ```
+
+### Connection pool exhaustion
+
+**Error message:** "Too many connections" or "Connection pool exhausted"
+
+**Cause:** Too many concurrent connections to the database.
+
+**Solution:**
+
+1. Increase the **Max open** connection limit in the data source configuration.
+1. Enable **Auto (max idle)** to automatically manage idle connections.
+1. Reduce the number of panels querying the same data source simultaneously.
+1. Check for long-running queries that might be holding connections.
+1. Increase the `max_connections` setting in MySQL if necessary:
+
+   ```sql
+   SHOW VARIABLES LIKE 'max_connections';
+   SET GLOBAL max_connections = 200;
+   ```
+
+### Query timeout
+
+**Error message:** "Query execution was interrupted" or "Lock wait timeout exceeded"
+
+**Cause:** The query takes too long and exceeds the configured timeout.
+
+**Solution:**
+
+1. Optimize the query by adding appropriate indexes.
+1. Reduce the amount of data being queried by narrowing the time range.
+1. Use aggregations to reduce the result set size.
+1. Check for table locks that might be blocking the query.
+
+## Other common issues
+
+The following issues don't produce specific error messages but are commonly encountered.
+
+### Template variable queries fail
+
+**Cause:** Variable queries return unexpected results or errors.
+
+**Solution:**
+
+1. Verify the variable query syntax is valid SQL that returns a single column.
+1. Check that the data source connection is working.
+1. Ensure the user has permission to access the tables referenced in the variable query.
+1. Test the query in the query editor before using it as a variable query.
+
+### Data appears incorrect or misaligned
+
+**Cause:** Data formatting or type conversion issues.
+
+**Solution:**
+
+1. Use explicit column aliases to ensure consistent naming: `SELECT value AS metric`.
+1. Verify numeric columns are actually numeric types, not strings.
+1. Check for `NULL` values that might affect aggregations.
+1. Use the `FILL` option in `$__timeGroup()` macro to handle missing data points.
+
+### Special characters in database or table names
+
+**Cause:** Queries fail when tables or databases contain reserved words or special characters.
+
+**Solution:**
+
+1. Enclose identifiers with special characters in backticks: `` `my-database`.`my-table` ``.
+1. The query editor automatically handles this for selections, but manual queries require backticks.
+1. Avoid using reserved words as identifiers when possible.
+
+### An unexpected error happened
+
+**Error message:** "An unexpected error happened"
+
+**Cause:** A general error occurred that doesn't have a specific error message.
+
+**Solution:**
+
+1. Check the Grafana server logs for more details about the error.
+1. Verify all data source configuration settings are correct.
+1. Test the connection using the **Save & test** button.
+1. Ensure the MySQL server is accessible and responding to queries.
+1. For Grafana Cloud customers, contact support for assistance.
+
+## Get additional help
+
+If you continue to experience issues after following this troubleshooting guide:
+
+1. Check the [Grafana community forums](https://community.grafana.com/) for similar issues.
+1. Review the [Grafana GitHub issues](https://github.com/grafana/grafana/issues) for known bugs.
+1. Enable debug logging in Grafana to capture detailed error information.
+1. Check MySQL error logs for additional details.
+1. Contact Grafana Support if you're an Enterprise or Cloud customer.
+
+When reporting issues, include:
+
+- Grafana version
+- MySQL version
+- Error messages (redact sensitive information)
+- Steps to reproduce
+- Relevant query examples (redact sensitive data)

packages/grafana-api-clients/src/clients/rtkq/provisioning/v0alpha1/endpoints.gen.ts

@@ -1452,7 +1452,7 @@ export type ConnectionSecure = {
   /** PrivateKey is the reference to the private key used for GitHub App authentication. This value is stored securely and cannot be read back */
   privateKey?: InlineSecureValue;
   /** Token is the reference of the token used to act as the Connection. This value is stored securely and cannot be read back */
-  webhook?: InlineSecureValue;
+  token?: InlineSecureValue;
 };
 export type BitbucketConnectionConfig = {
   /** App client ID */

pkg/registry/apis/provisioning/extras/register.go

@@ -2,6 +2,8 @@ package extras
 
 import (
 	apisprovisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	"github.com/grafana/grafana/apps/provisioning/pkg/connection"
+	ghconnection "github.com/grafana/grafana/apps/provisioning/pkg/connection/github"
 	"github.com/grafana/grafana/apps/provisioning/pkg/repository"
 	"github.com/grafana/grafana/apps/provisioning/pkg/repository/git"
 	"github.com/grafana/grafana/apps/provisioning/pkg/repository/github"
@@ -42,6 +44,15 @@ func ProvideProvisioningOSSRepositoryExtras(
 	}
 }
 
+func ProvideProvisioningOSSConnectionExtras(
+	_ *setting.Cfg,
+	ghFactory ghconnection.GithubFactory,
+) []connection.Extra {
+	return []connection.Extra{
+		ghconnection.Extra(ghFactory),
+	}
+}
+
 func ProvideExtraWorkers(pullRequestWorker *pullrequest.PullRequestWorker) []jobs.Worker {
 	return []jobs.Worker{pullRequestWorker}
 }
@@ -54,3 +65,12 @@ func ProvideFactoryFromConfig(cfg *setting.Cfg, extras []repository.Extra) (repo
 
 	return repository.ProvideFactory(enabledTypes, extras)
 }
+
+func ProvideConnectionFactoryFromConfig(cfg *setting.Cfg, extras []connection.Extra) (connection.Factory, error) {
+	enabledTypes := make(map[apisprovisioning.ConnectionType]struct{}, len(cfg.ProvisioningRepositoryTypes))
+	for _, e := range cfg.ProvisioningRepositoryTypes {
+		enabledTypes[apisprovisioning.ConnectionType(e)] = struct{}{}
+	}
+
+	return connection.ProvideFactory(enabledTypes, extras)
+}

pkg/registry/apis/provisioning/register.go

@@ -30,7 +30,7 @@ import (
 
 	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
 	"github.com/grafana/grafana/apps/provisioning/pkg/auth"
-	connectionvalidation "github.com/grafana/grafana/apps/provisioning/pkg/connection"
+	"github.com/grafana/grafana/apps/provisioning/pkg/connection"
 	appcontroller "github.com/grafana/grafana/apps/provisioning/pkg/controller"
 	clientset "github.com/grafana/grafana/apps/provisioning/pkg/generated/clientset/versioned"
 	client "github.com/grafana/grafana/apps/provisioning/pkg/generated/clientset/versioned/typed/provisioning/v0alpha1"
@@ -105,20 +105,21 @@ type APIBuilder struct {
 		jobs.Queue
 		jobs.Store
 	}
-	jobHistoryConfig *JobHistoryConfig
-	jobHistoryLoki   *jobs.LokiJobHistory
-	resourceLister   resources.ResourceLister
-	dashboardAccess  legacy.MigrationDashboardAccessor
-	unified          resource.ResourceClient
-	repoFactory      repository.Factory
-	client           client.ProvisioningV0alpha1Interface
-	access           auth.AccessChecker
-	accessWithAdmin  auth.AccessChecker
-	accessWithEditor auth.AccessChecker
-	accessWithViewer auth.AccessChecker
-	statusPatcher    *appcontroller.RepositoryStatusPatcher
-	healthChecker    *controller.HealthChecker
-	validator        repository.RepositoryValidator
+	jobHistoryConfig  *JobHistoryConfig
+	jobHistoryLoki    *jobs.LokiJobHistory
+	resourceLister    resources.ResourceLister
+	dashboardAccess   legacy.MigrationDashboardAccessor
+	unified           resource.ResourceClient
+	repoFactory       repository.Factory
+	connectionFactory connection.Factory
+	client            client.ProvisioningV0alpha1Interface
+	access            auth.AccessChecker
+	accessWithAdmin   auth.AccessChecker
+	accessWithEditor  auth.AccessChecker
+	accessWithViewer  auth.AccessChecker
+	statusPatcher     *appcontroller.RepositoryStatusPatcher
+	healthChecker     *controller.HealthChecker
+	repoValidator     repository.RepositoryValidator
 	// Extras provides additional functionality to the API.
 	extras       []Extra
 	extraWorkers []jobs.Worker
@@ -133,6 +134,7 @@ type APIBuilder struct {
 func NewAPIBuilder(
 	onlyApiServer bool,
 	repoFactory repository.Factory,
+	connectionFactory connection.Factory,
 	features featuremgmt.FeatureToggles,
 	unified resource.ResourceClient,
 	configProvider apiserver.RestConfigProvider,
@@ -176,6 +178,7 @@ func NewAPIBuilder(
 		usageStats:                          usageStats,
 		features:                            features,
 		repoFactory:                         repoFactory,
+		connectionFactory:                   connectionFactory,
 		clients:                             clients,
 		parsers:                             parsers,
 		repositoryResources:                 resources.NewRepositoryResourcesFactory(parsers, clients, resourceLister),
@@ -192,7 +195,7 @@ func NewAPIBuilder(
 		allowedTargets:                      allowedTargets,
 		allowImageRendering:                 allowImageRendering,
 		registry:                            registry,
-		validator:                           repository.NewValidator(minSyncInterval, allowedTargets, allowImageRendering),
+		repoValidator:                       repository.NewValidator(minSyncInterval, allowedTargets, allowImageRendering),
 		useExclusivelyAccessCheckerForAuthz: useExclusivelyAccessCheckerForAuthz,
 	}
 
@@ -253,6 +256,7 @@ func RegisterAPIService(
 	extraBuilders []ExtraBuilder,
 	extraWorkers []jobs.Worker,
 	repoFactory repository.Factory,
+	connectionFactory connection.Factory,
 ) (*APIBuilder, error) {
 	//nolint:staticcheck // not yet migrated to OpenFeature
 	if !features.IsEnabledGlobally(featuremgmt.FlagProvisioning) {
@@ -271,6 +275,7 @@ func RegisterAPIService(
 	builder := NewAPIBuilder(
 		cfg.DisableControllers,
 		repoFactory,
+		connectionFactory,
 		features,
 		client,
 		configProvider,
@@ -641,7 +646,7 @@ func (b *APIBuilder) UpdateAPIGroupInfo(apiGroupInfo *genericapiserver.APIGroupI
 	storage[provisioning.ConnectionResourceInfo.StoragePath("repositories")] = NewConnectionRepositoriesConnector()
 
 	// TODO: Add some logic so that the connectors can registered themselves and we don't have logic all over the place
-	storage[provisioning.RepositoryResourceInfo.StoragePath("test")] = NewTestConnector(b, repository.NewRepositoryTesterWithExistingChecker(repository.NewSimpleRepositoryTester(b.validator), b.VerifyAgainstExistingRepositories))
+	storage[provisioning.RepositoryResourceInfo.StoragePath("test")] = NewTestConnector(b, repository.NewRepositoryTesterWithExistingChecker(repository.NewSimpleRepositoryTester(b.repoValidator), b.VerifyAgainstExistingRepositories))
 	storage[provisioning.RepositoryResourceInfo.StoragePath("files")] = NewFilesConnector(b, b.parsers, b.clients, b.accessWithAdmin)
 	storage[provisioning.RepositoryResourceInfo.StoragePath("refs")] = NewRefsConnector(b)
 	storage[provisioning.RepositoryResourceInfo.StoragePath("resources")] = &listConnector{
@@ -682,10 +687,15 @@ func (b *APIBuilder) Mutate(ctx context.Context, a admission.Attributes, o admis
 	if ok {
 		return nil
 	}
-	// TODO: complete this as part of https://github.com/grafana/git-ui-sync-project/issues/700
+
 	c, ok := obj.(*provisioning.Connection)
 	if ok {
-		return connectionvalidation.MutateConnection(c)
+		conn, err := b.asConnection(ctx, c, nil)
+		if err != nil {
+			return err
+		}
+
+		return conn.Mutate(ctx)
 	}
 
 	r, ok := obj.(*provisioning.Repository)
@@ -736,9 +746,15 @@ func (b *APIBuilder) Validate(ctx context.Context, a admission.Attributes, o adm
 		return nil
 	}
 
-	connection, ok := obj.(*provisioning.Connection)
+	// Validate connections
+	c, ok := obj.(*provisioning.Connection)
 	if ok {
-		return connectionvalidation.ValidateConnection(connection)
+		conn, err := b.asConnection(ctx, c, a.GetOldObject())
+		if err != nil {
+			return err
+		}
+
+		return conn.Validate(ctx)
 	}
 
 	// Validate Jobs
@@ -758,7 +774,7 @@ func (b *APIBuilder) Validate(ctx context.Context, a admission.Attributes, o adm
 	// the only time to add configuration checks here is if you need to compare
 	// the incoming change to the current configuration
 	isCreate := a.GetOperation() == admission.Create
-	list := b.validator.ValidateRepository(repo, isCreate)
+	list := b.repoValidator.ValidateRepository(repo, isCreate)
 	cfg := repo.Config()
 
 	if a.GetOperation() == admission.Update {
@@ -831,7 +847,7 @@ func (b *APIBuilder) GetPostStartHooks() (map[string]genericapiserver.PostStartH
 			}
 
 			b.statusPatcher = appcontroller.NewRepositoryStatusPatcher(b.GetClient())
-			b.healthChecker = controller.NewHealthChecker(b.statusPatcher, b.registry, repository.NewSimpleRepositoryTester(b.validator))
+			b.healthChecker = controller.NewHealthChecker(b.statusPatcher, b.registry, repository.NewSimpleRepositoryTester(b.repoValidator))
 
 			// if running solely CRUD, skip the rest of the setup
 			if b.onlyApiServer {
@@ -1449,6 +1465,35 @@ func (b *APIBuilder) asRepository(ctx context.Context, obj runtime.Object, old r
 	return b.repoFactory.Build(ctx, r)
 }
 
+func (b *APIBuilder) asConnection(ctx context.Context, obj runtime.Object, old runtime.Object) (connection.Connection, error) {
+	if obj == nil {
+		return nil, fmt.Errorf("missing connection object")
+	}
+
+	c, ok := obj.(*provisioning.Connection)
+	if !ok {
+		return nil, fmt.Errorf("expected connection object")
+	}
+
+	// Copy previous values if they exist
+	if old != nil {
+		o, ok := old.(*provisioning.Connection)
+		if ok && !o.Secure.IsZero() {
+			if c.Secure.PrivateKey.IsZero() {
+				c.Secure.PrivateKey = o.Secure.PrivateKey
+			}
+			if c.Secure.Token.IsZero() {
+				c.Secure.Token = o.Secure.Token
+			}
+			if c.Secure.ClientSecret.IsZero() {
+				c.Secure.ClientSecret = o.Secure.ClientSecret
+			}
+		}
+	}
+
+	return b.connectionFactory.Build(ctx, c)
+}
+
 func getJSONResponse(ref string) *spec3.Responses {
 	return &spec3.Responses{
 		ResponsesProps: spec3.ResponsesProps{

pkg/registry/apis/provisioning/register_validate_test.go

@@ -28,7 +28,7 @@ func TestAPIBuilderValidate(t *testing.T) {
 		repoFactory:         factory,
 		allowedTargets:      []v0alpha1.SyncTargetType{v0alpha1.SyncTargetTypeFolder},
 		allowImageRendering: false,
-		validator:           validator,
+		repoValidator:       validator,
 	}
 
 	t.Run("min sync interval is less than 10 seconds", func(t *testing.T) {

pkg/registry/apis/wireset.go

@@ -44,6 +44,7 @@ var provisioningExtras = wire.NewSet(
 	pullrequest.ProvidePullRequestWorker,
 	webhooks.ProvideWebhooksWithImages,
 	extras.ProvideFactoryFromConfig,
+	extras.ProvideConnectionFactoryFromConfig,
 	extras.ProvideProvisioningExtraAPIs,
 	extras.ProvideExtraWorkers,
 )

pkg/server/test_env.go

@@ -3,6 +3,7 @@ package server
 import (
 	"github.com/stretchr/testify/mock"
 
+	githubconnection "github.com/grafana/grafana/apps/provisioning/pkg/connection/github"
 	"github.com/grafana/grafana/apps/provisioning/pkg/repository/github"
 	"github.com/grafana/grafana/apps/secret/pkg/decrypt"
 	"github.com/grafana/grafana/pkg/infra/db"
@@ -34,24 +35,26 @@ func ProvideTestEnv(
 	featureMgmt featuremgmt.FeatureToggles,
 	resourceClient resource.ResourceClient,
 	idService auth.IDService,
-	githubFactory *github.Factory,
+	githubRepoFactory *github.Factory,
+	githubConnectionFactory githubconnection.GithubFactory,
 	decryptService decrypt.DecryptService,
 ) (*TestEnv, error) {
 	return &TestEnv{
-		TestingT:            testingT,
-		Server:              server,
-		SQLStore:            db,
-		Cfg:                 cfg,
-		NotificationService: ns,
-		GRPCServer:          grpcServer,
-		PluginRegistry:      pluginRegistry,
-		HTTPClientProvider:  httpClientProvider,
-		OAuthTokenService:   oAuthTokenService,
-		FeatureToggles:      featureMgmt,
-		ResourceClient:      resourceClient,
-		IDService:           idService,
-		GitHubFactory:       githubFactory,
-		DecryptService:      decryptService,
+		TestingT:                testingT,
+		Server:                  server,
+		SQLStore:                db,
+		Cfg:                     cfg,
+		NotificationService:     ns,
+		GRPCServer:              grpcServer,
+		PluginRegistry:          pluginRegistry,
+		HTTPClientProvider:      httpClientProvider,
+		OAuthTokenService:       oAuthTokenService,
+		FeatureToggles:          featureMgmt,
+		ResourceClient:          resourceClient,
+		IDService:               idService,
+		GithubRepoFactory:       githubRepoFactory,
+		GithubConnectionFactory: githubConnectionFactory,
+		DecryptService:          decryptService,
 	}, nil
 }
 
@@ -60,18 +63,19 @@ type TestEnv struct {
 		mock.TestingT
 		Cleanup(func())
 	}
-	Server              *Server
-	SQLStore            db.DB
-	Cfg                 *setting.Cfg
-	NotificationService *notifications.NotificationServiceMock
-	GRPCServer          grpcserver.Provider
-	PluginRegistry      registry.Service
-	HTTPClientProvider  httpclient.Provider
-	OAuthTokenService   *oauthtokentest.Service
-	RequestMiddleware   web.Middleware
-	FeatureToggles      featuremgmt.FeatureToggles
-	ResourceClient      resource.ResourceClient
-	IDService           auth.IDService
-	GitHubFactory       *github.Factory
-	DecryptService      decrypt.DecryptService
+	Server                  *Server
+	SQLStore                db.DB
+	Cfg                     *setting.Cfg
+	NotificationService     *notifications.NotificationServiceMock
+	GRPCServer              grpcserver.Provider
+	PluginRegistry          registry.Service
+	HTTPClientProvider      httpclient.Provider
+	OAuthTokenService       *oauthtokentest.Service
+	RequestMiddleware       web.Middleware
+	FeatureToggles          featuremgmt.FeatureToggles
+	ResourceClient          resource.ResourceClient
+	IDService               auth.IDService
+	GithubRepoFactory       *github.Factory
+	GithubConnectionFactory githubconnection.GithubFactory
+	DecryptService          decrypt.DecryptService
 }

pkg/server/wire.go

@@ -15,6 +15,7 @@ import (
 	"go.opentelemetry.io/otel/trace"
 
 	sdkhttpclient "github.com/grafana/grafana-plugin-sdk-go/backend/httpclient"
+	ghconnection "github.com/grafana/grafana/apps/provisioning/pkg/connection/github"
 	"github.com/grafana/grafana/apps/provisioning/pkg/repository/github"
 	"github.com/grafana/grafana/pkg/api"
 	"github.com/grafana/grafana/pkg/api/avatar"
@@ -297,6 +298,7 @@ var wireBasicSet = wire.NewSet(
 	notifications.ProvideService,
 	notifications.ProvideSmtpService,
 	github.ProvideFactory,
+	ghconnection.ProvideFactory,
 	tracing.ProvideService,
 	tracing.ProvideTracingConfig,
 	wire.Bind(new(tracing.Tracer), new(*tracing.TracingService)),

pkg/server/wireexts_oss.go

@@ -72,6 +72,7 @@ import (
 
 var provisioningExtras = wire.NewSet(
 	extras.ProvideProvisioningOSSRepositoryExtras,
+	extras.ProvideProvisioningOSSConnectionExtras,
 )
 
 var configProviderExtras = wire.NewSet(

pkg/tests/apis/helper.go

@@ -14,6 +14,7 @@ import (
 	"testing"
 	"time"
 
+	githubConnection "github.com/grafana/grafana/apps/provisioning/pkg/connection/github"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -207,6 +208,10 @@ func (c *K8sTestHelper) GetEnv() server.TestEnv {
 	return c.env
 }
 
+func (c *K8sTestHelper) SetGithubConnectionFactory(f githubConnection.GithubFactory) {
+	c.env.GithubConnectionFactory = f
+}
+
 func (c *K8sTestHelper) GetListenerAddress() string {
 	return c.listenerAddress
 }

pkg/tests/apis/openapi_snapshots/provisioning.grafana.app-v0alpha1.json

@@ -4559,7 +4559,7 @@
               }
             ]
           },
-          "webhook": {
+          "token": {
             "description": "Token is the reference of the token used to act as the Connection. This value is stored securely and cannot be read back",
             "default": {},
             "allOf": [

pkg/tests/apis/provisioning/connection_repositories_test.go

@@ -2,13 +2,13 @@ package provisioning
 
 import (
 	"context"
+	"encoding/base64"
 	"encoding/json"
 	"net/http"
 	"testing"
 
 	"github.com/stretchr/testify/require"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 
 	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
@@ -20,7 +20,7 @@ func TestIntegrationProvisioning_ConnectionRepositories(t *testing.T) {
 
 	helper := runGrafana(t)
 	ctx := context.Background()
-	createOptions := metav1.CreateOptions{FieldValidation: "Strict"}
+	privateKeyBase64 := base64.StdEncoding.EncodeToString([]byte(testPrivateKeyPEM))
 
 	// Create a connection for testing
 	connection := &unstructured.Unstructured{Object: map[string]any{
@@ -39,13 +39,12 @@ func TestIntegrationProvisioning_ConnectionRepositories(t *testing.T) {
 		},
 		"secure": map[string]any{
 			"privateKey": map[string]any{
-				"create": "someSecret",
+				"create": privateKeyBase64,
 			},
 		},
 	}}
-
-	_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
-	require.NoError(t, err, "failed to create connection")
+	_, err := helper.CreateGithubConnection(t, ctx, connection)
+	require.NoError(t, err)
 
 	t.Run("endpoint returns not implemented", func(t *testing.T) {
 		var statusCode int
@@ -129,14 +128,14 @@ func TestIntegrationProvisioning_ConnectionRepositoriesResponseType(t *testing.T
 
 	helper := runGrafana(t)
 	ctx := context.Background()
-	createOptions := metav1.CreateOptions{FieldValidation: "Strict"}
+	privateKeyBase64 := base64.StdEncoding.EncodeToString([]byte(testPrivateKeyPEM))
 
 	// Create a connection for testing
 	connection := &unstructured.Unstructured{Object: map[string]any{
 		"apiVersion": "provisioning.grafana.app/v0alpha1",
 		"kind":       "Connection",
 		"metadata": map[string]any{
-			"name":      "connection-repositories-type-test",
+			"name":      "connection-repositories-test",
 			"namespace": "default",
 		},
 		"spec": map[string]any{
@@ -148,13 +147,12 @@ func TestIntegrationProvisioning_ConnectionRepositoriesResponseType(t *testing.T
 		},
 		"secure": map[string]any{
 			"privateKey": map[string]any{
-				"create": "someSecret",
+				"create": privateKeyBase64,
 			},
 		},
 	}}
-
-	_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
-	require.NoError(t, err, "failed to create connection")
+	_, err := helper.CreateGithubConnection(t, ctx, connection)
+	require.NoError(t, err)
 
 	t.Run("verify ExternalRepositoryList type exists in API", func(t *testing.T) {
 		// Verify the type is registered and can be instantiated

pkg/tests/apis/provisioning/connection_status_auth_test.go

@@ -2,12 +2,12 @@ package provisioning
 
 import (
 	"context"
+	"encoding/base64"
 	"net/http"
 	"testing"
 
 	"github.com/stretchr/testify/require"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 
 	"github.com/grafana/grafana/pkg/util/testutil"
@@ -18,7 +18,7 @@ func TestIntegrationProvisioning_ConnectionStatusAuthorization(t *testing.T) {
 
 	helper := runGrafana(t)
 	ctx := context.Background()
-	createOptions := metav1.CreateOptions{FieldValidation: "Strict"}
+	privateKeyBase64 := base64.StdEncoding.EncodeToString([]byte(testPrivateKeyPEM))
 
 	// Create a connection for testing
 	connection := &unstructured.Unstructured{Object: map[string]any{
@@ -37,13 +37,12 @@ func TestIntegrationProvisioning_ConnectionStatusAuthorization(t *testing.T) {
 		},
 		"secure": map[string]any{
 			"privateKey": map[string]any{
-				"create": "someSecret",
+				"create": privateKeyBase64,
 			},
 		},
 	}}
-
-	_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
-	require.NoError(t, err, "failed to create connection")
+	_, err := helper.CreateGithubConnection(t, ctx, connection)
+	require.NoError(t, err)
 
 	t.Run("admin can GET connection status", func(t *testing.T) {
 		var statusCode int

pkg/tests/apis/provisioning/connection_test.go

@@ -2,11 +2,20 @@ package provisioning
 
 import (
 	"context"
+	"encoding/base64"
+	"encoding/json"
 	"errors"
+	"fmt"
+	"net/http"
 	"testing"
 	"time"
 
+	"github.com/golang-jwt/jwt/v4"
+	"github.com/google/go-github/v70/github"
+	githubConnection "github.com/grafana/grafana/apps/provisioning/pkg/connection/github"
+	"github.com/grafana/grafana/pkg/extensions"
 	"github.com/grafana/grafana/pkg/util/testutil"
+	ghmock "github.com/migueleliasweb/go-github-mock/src/mock"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
@@ -17,12 +26,55 @@ import (
 	clientset "github.com/grafana/grafana/apps/provisioning/pkg/generated/clientset/versioned"
 )
 
+//nolint:gosec // Test RSA private key (generated for testing purposes only)
+const testPrivateKeyPEM = `-----BEGIN RSA PRIVATE KEY-----
+MIIEoQIBAAKCAQBn1MuM5hIfH6d3TNStI1ofWv/gcjQ4joi9cFijEwVLuPYkF1nD
+KkSbaMGFUWiOTaB/H9fxmd/V2u04NlBY3av6m5T/sHfVSiEWAEUblh3cA34HVCmD
+cqyyVty5HLGJJlSs2C7W2x7yUc9ImzyDBsyjpKOXuojJ9wN9a17D2cYU5WkXjoDC
+4BHid61jn9WBTtPZXSgOdirwahNzxZQSIP7DA9T8yiZwIWPp5YesgsAPyQLCFPgM
+s77xz/CEUnEYQ35zI/k/mQrwKdQ/ZP8xLwQohUID0BIxE7G5quL069RuuCZWZkoF
+oPiZbp7HSryz1+19jD3rFT7eHGUYvAyCnXmXAgMBAAECggEADSs4Bc7ITZo+Kytb
+bfol3AQ2n8jcRrANN7mgBE7NRSVYUouDnvUlbnCC2t3QXPwLdxQa11GkygLSQ2bg
+GeVDgq1o4GUJTcvxFlFCcpU/hEANI/DQsxNAQ/4wUGoLOlHaO3HPvwBblHA70gGe
+Ux/xpG+lMAFAiB0EHEwZ4M0mClBEOQv3NzaFTWuBHtIMS8eid7M1q5qz9+rCgZSL
+KBBHo0OvUbajG4CWl8SM6LUYapASGg+U17E+4xA3npwpIdsk+CbtX+vvX324n4kn
+0EkrJqCjv8M1KiCKAP+UxwP00ywxOg4PN+x+dHI/I7xBvEKe/x6BltVSdGA+PlUK
+02wagQKBgQDF7gdQLFIagPH7X7dBP6qEGxj/Ck9Qdz3S1gotPkVeq+1/UtQijYZ1
+j44up/0yB2B9P4kW091n+iWcyfoU5UwBua9dHvCZP3QH05LR1ZscUHxLGjDPBASt
+l2xSq0hqqNWBspb1M0eCY0Yxi65iDkj3xsI2iN35BEb1FlWdR5KGvwKBgQCGS0ce
+wASWbZIPU2UoKGOQkIJU6QmLy0KZbfYkpyfE8IxGttYVEQ8puNvDDNZWHNf+LP85
+c8iV6SfnWiLmu1XkG2YmJFBCCAWgJ8Mq2XQD8E+a/xcaW3NqlcC5+I2czX367j3r
+69wZSxRbzR+DCfOiIkrekJImwN183ZYy2cBbKQKBgFj86IrSMmO6H5Ft+j06u5ZD
+fJyF7Rz3T3NwSgkHWzbyQ4ggHEIgsRg/36P4YSzSBj6phyAdRwkNfUWdxXMJmH+a
+FU7frzqnPaqbJAJ1cBRt10QI1XLtkpDdaJVObvONTtjOC3LYiEkGCzQRYeiyFXpZ
+AU51gJ8JnkFotjtNR4KPAoGAehVREDlLcl0lnN0ZZspgyPk2Im6/iOA9KTH3xBZZ
+ZwWu4FIyiHA7spgk4Ep5R0ttZ9oMI3SIcw/EgONGOy8uw/HMiPwWIhEc3B2JpRiO
+CU6bb7JalFFyuQBudiHoyxVcY5PVovWF31CLr3DoJr4TR9+Y5H/U/XnzYCIo+w1N
+exECgYBFAGKYTIeGAvhIvD5TphLpbCyeVLBIq5hRyrdRY+6Iwqdr5PGvLPKwin5+
++4CDhWPW4spq8MYPCRiMrvRSctKt/7FhVGL2vE/0VY3TcLk14qLC+2+0lnPVgnYn
+u5/wOyuHp1cIBnjeN41/pluOWFBHI9xLW3ExLtmYMiecJ8VdRA==
+-----END RSA PRIVATE KEY-----`
+
+//nolint:gosec // Test RSA public key (generated for testing purposes only)
+const testPublicKeyPem = `-----BEGIN PUBLIC KEY-----
+MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQBn1MuM5hIfH6d3TNStI1of
+Wv/gcjQ4joi9cFijEwVLuPYkF1nDKkSbaMGFUWiOTaB/H9fxmd/V2u04NlBY3av6
+m5T/sHfVSiEWAEUblh3cA34HVCmDcqyyVty5HLGJJlSs2C7W2x7yUc9ImzyDBsyj
+pKOXuojJ9wN9a17D2cYU5WkXjoDC4BHid61jn9WBTtPZXSgOdirwahNzxZQSIP7D
+A9T8yiZwIWPp5YesgsAPyQLCFPgMs77xz/CEUnEYQ35zI/k/mQrwKdQ/ZP8xLwQo
+hUID0BIxE7G5quL069RuuCZWZkoFoPiZbp7HSryz1+19jD3rFT7eHGUYvAyCnXmX
+AgMBAAE=
+-----END PUBLIC KEY-----`
+
 func TestIntegrationProvisioning_ConnectionCRUDL(t *testing.T) {
 	testutil.SkipIntegrationTestInShortMode(t)
 
 	helper := runGrafana(t)
-	createOptions := metav1.CreateOptions{FieldValidation: "Strict"}
 	ctx := context.Background()
+	privateKeyBase64 := base64.StdEncoding.EncodeToString([]byte(testPrivateKeyPEM))
+
+	decryptService := helper.GetEnv().DecryptService
+	require.NotNil(t, decryptService, "decrypt service not wired properly")
 
 	t.Run("should perform CRUDL requests on connection", func(t *testing.T) {
 		connection := &unstructured.Unstructured{Object: map[string]any{
@@ -41,12 +93,12 @@ func TestIntegrationProvisioning_ConnectionCRUDL(t *testing.T) {
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": "someSecret",
+					"create": privateKeyBase64,
 				},
 			},
 		}}
 		// CREATE
-		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
+		_, err := helper.CreateGithubConnection(t, ctx, connection)
 		require.NoError(t, err, "failed to create resource")
 
 		// READ
@@ -64,6 +116,22 @@ func TestIntegrationProvisioning_ConnectionCRUDL(t *testing.T) {
 		require.Contains(t, output.Object, "secure", "object should contain secure")
 		assert.Contains(t, output.Object["secure"], "privateKey", "secure should contain PrivateKey")
 
+		// Verifying token
+		assert.Contains(t, output.Object["secure"], "token", "token should be created")
+		secretName, found, err := unstructured.NestedString(output.Object, "secure", "token", "name")
+		require.NoError(t, err, "error getting secret name")
+		require.True(t, found, "secret name should exist: %v", output.Object)
+		decrypted, err := decryptService.Decrypt(ctx, "provisioning.grafana.app", output.GetNamespace(), secretName)
+		require.NoError(t, err, "decryption error")
+		require.Len(t, decrypted, 1)
+
+		val := decrypted[secretName].Value()
+		require.NotNil(t, val)
+		k := val.DangerouslyExposeAndConsumeValue()
+		valid, err := verifyToken(t, "123456", testPublicKeyPem, k)
+		require.NoError(t, err, "error verifying token: %s", k)
+		require.True(t, valid, "token should be valid: %s", k)
+
 		// LIST
 		list, err := helper.Connections.Resource.List(ctx, metav1.ListOptions{})
 		require.NoError(t, err, "failed to list resource")
@@ -81,22 +149,22 @@ func TestIntegrationProvisioning_ConnectionCRUDL(t *testing.T) {
 			"spec": map[string]any{
 				"type": "github",
 				"github": map[string]any{
-					"appID":          "456789",
-					"installationID": "454545",
+					"appID":          "123456",
+					"installationID": "454546",
 				},
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": "someSecret",
+					"create": privateKeyBase64,
 				},
 			},
 		}}
-		res, err := helper.Connections.Resource.Update(ctx, updatedConnection, metav1.UpdateOptions{})
+		res, err := helper.UpdateGithubConnection(t, ctx, updatedConnection)
 		require.NoError(t, err, "failed to update resource")
 		spec = res.Object["spec"].(map[string]any)
 		require.Contains(t, spec, "github")
 		githubInfo = spec["github"].(map[string]any)
-		assert.Equal(t, "456789", githubInfo["appID"], "appID should be updated")
+		assert.Equal(t, "454546", githubInfo["installationID"], "installationID should be updated")
 
 		// DELETE
 		require.NoError(t, helper.Connections.Resource.Delete(ctx, "connection", metav1.DeleteOptions{}), "failed to delete resource")
@@ -122,7 +190,7 @@ func TestIntegrationProvisioning_ConnectionCRUDL(t *testing.T) {
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": "someSecret",
+					"create": privateKeyBase64,
 				},
 			},
 		}}
@@ -155,9 +223,12 @@ func TestIntegrationProvisioning_ConnectionCRUDL(t *testing.T) {
 }
 
 func TestIntegrationProvisioning_ConnectionValidation(t *testing.T) {
+	testutil.SkipIntegrationTestInShortMode(t)
+
 	helper := runGrafana(t)
 	createOptions := metav1.CreateOptions{FieldValidation: "Strict"}
 	ctx := context.Background()
+	privateKeyBase64 := base64.StdEncoding.EncodeToString([]byte(testPrivateKeyPEM))
 
 	t.Run("should fail when type is empty", func(t *testing.T) {
 		connection := &unstructured.Unstructured{Object: map[string]any{
@@ -172,13 +243,13 @@ func TestIntegrationProvisioning_ConnectionValidation(t *testing.T) {
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": "someSecret",
+					"create": privateKeyBase64,
 				},
 			},
 		}}
 		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
 		require.Error(t, err, "failed to create resource")
-		assert.Contains(t, err.Error(), "type must be specified")
+		assert.Contains(t, err.Error(), "connection type \"\" is not supported")
 	})
 
 	t.Run("should fail when type is invalid", func(t *testing.T) {
@@ -194,13 +265,57 @@ func TestIntegrationProvisioning_ConnectionValidation(t *testing.T) {
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": "someSecret",
+					"create": privateKeyBase64,
 				},
 			},
 		}}
 		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
 		require.Error(t, err, "failed to create resource")
-		assert.Contains(t, err.Error(), "spec.type: Unsupported value: \"some-invalid-type\"")
+		assert.Contains(t, err.Error(), "connection type \"some-invalid-type\" is not supported")
+	})
+
+	t.Run("should fail when type is 'git'", func(t *testing.T) {
+		connection := &unstructured.Unstructured{Object: map[string]any{
+			"apiVersion": "provisioning.grafana.app/v0alpha1",
+			"kind":       "Connection",
+			"metadata": map[string]any{
+				"name":      "connection",
+				"namespace": "default",
+			},
+			"spec": map[string]any{
+				"type": "git",
+			},
+			"secure": map[string]any{
+				"privateKey": map[string]any{
+					"create": privateKeyBase64,
+				},
+			},
+		}}
+		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
+		require.Error(t, err, "failed to create resource")
+		assert.Contains(t, err.Error(), "connection type \"git\" is not supported")
+	})
+
+	t.Run("should fail when type is 'local'", func(t *testing.T) {
+		connection := &unstructured.Unstructured{Object: map[string]any{
+			"apiVersion": "provisioning.grafana.app/v0alpha1",
+			"kind":       "Connection",
+			"metadata": map[string]any{
+				"name":      "connection",
+				"namespace": "default",
+			},
+			"spec": map[string]any{
+				"type": "local",
+			},
+			"secure": map[string]any{
+				"privateKey": map[string]any{
+					"create": privateKeyBase64,
+				},
+			},
+		}}
+		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
+		require.Error(t, err, "failed to create resource")
+		assert.Contains(t, err.Error(), "connection type \"local\" is not supported")
 	})
 
 	t.Run("should fail when type is github but 'github' field is not there", func(t *testing.T) {
@@ -216,13 +331,13 @@ func TestIntegrationProvisioning_ConnectionValidation(t *testing.T) {
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": "someSecret",
+					"create": privateKeyBase64,
 				},
 			},
 		}}
 		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
 		require.Error(t, err, "failed to create resource")
-		assert.Contains(t, err.Error(), "github info must be specified for GitHub connection")
+		assert.Contains(t, err.Error(), "invalid github connection")
 	})
 
 	t.Run("should fail when type is github but private key is not there", func(t *testing.T) {
@@ -246,7 +361,7 @@ func TestIntegrationProvisioning_ConnectionValidation(t *testing.T) {
 		assert.Contains(t, err.Error(), "privateKey must be specified for GitHub connection")
 	})
 
-	t.Run("should fail when type is github but a client Secret is specified", func(t *testing.T) {
+	t.Run("should fail when type is github but a client Secret is also specified", func(t *testing.T) {
 		connection := &unstructured.Unstructured{Object: map[string]any{
 			"apiVersion": "provisioning.grafana.app/v0alpha1",
 			"kind":       "Connection",
@@ -263,7 +378,7 @@ func TestIntegrationProvisioning_ConnectionValidation(t *testing.T) {
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": "someSecret",
+					"create": privateKeyBase64,
 				},
 				"clientSecret": map[string]any{
 					"create": "someSecret",
@@ -275,6 +390,100 @@ func TestIntegrationProvisioning_ConnectionValidation(t *testing.T) {
 		assert.Contains(t, err.Error(), "clientSecret is forbidden in GitHub connection")
 	})
 
+	t.Run("should fail when type is github and github API is unavailable", func(t *testing.T) {
+		connectionFactory := helper.GetEnv().GithubConnectionFactory.(*githubConnection.Factory)
+		connectionFactory.Client = ghmock.NewMockedHTTPClient(
+			ghmock.WithRequestMatchHandler(
+				ghmock.GetApp,
+				http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+					w.WriteHeader(http.StatusServiceUnavailable)
+					require.NoError(t, json.NewEncoder(w).Encode(github.ErrorResponse{
+						Response: &http.Response{
+							StatusCode: http.StatusServiceUnavailable,
+						},
+						Message: "Service unavailable",
+					}))
+				}),
+			),
+		)
+		helper.SetGithubConnectionFactory(connectionFactory)
+
+		connection := &unstructured.Unstructured{Object: map[string]any{
+			"apiVersion": "provisioning.grafana.app/v0alpha1",
+			"kind":       "Connection",
+			"metadata": map[string]any{
+				"name":      "connection",
+				"namespace": "default",
+			},
+			"spec": map[string]any{
+				"type": "github",
+				"github": map[string]any{
+					"appID":          "123456",
+					"installationID": "454545",
+				},
+			},
+			"secure": map[string]any{
+				"privateKey": map[string]any{
+					"create": privateKeyBase64,
+				},
+			},
+		}}
+		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
+		require.Error(t, err, "failed to create resource")
+		assert.Contains(t, err.Error(), "spec.token: Internal error: github is unavailable")
+	})
+
+	t.Run("should fail when type is github and returned app ID doesn't match given one", func(t *testing.T) {
+		var appID int64 = 123455
+		appSlug := "appSlug"
+		connectionFactory := helper.GetEnv().GithubConnectionFactory.(*githubConnection.Factory)
+		connectionFactory.Client = ghmock.NewMockedHTTPClient(
+			ghmock.WithRequestMatch(
+				ghmock.GetApp, github.App{
+					ID:   &appID,
+					Slug: &appSlug,
+				},
+			),
+		)
+		helper.SetGithubConnectionFactory(connectionFactory)
+
+		connection := &unstructured.Unstructured{Object: map[string]any{
+			"apiVersion": "provisioning.grafana.app/v0alpha1",
+			"kind":       "Connection",
+			"metadata": map[string]any{
+				"name":      "connection",
+				"namespace": "default",
+			},
+			"spec": map[string]any{
+				"type": "github",
+				"github": map[string]any{
+					"appID":          "123456",
+					"installationID": "454545",
+				},
+			},
+			"secure": map[string]any{
+				"privateKey": map[string]any{
+					"create": privateKeyBase64,
+				},
+			},
+		}}
+		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
+		require.Error(t, err, "failed to create resource")
+		assert.Contains(t, err.Error(), "spec.appID: Invalid value: \"123456\": appID mismatch")
+	})
+}
+
+func TestIntegrationProvisioning_ConnectionEnterpriseValidation(t *testing.T) {
+	testutil.SkipIntegrationTestInShortMode(t)
+
+	if !extensions.IsEnterprise {
+		t.Skip("Skipping integration test when not enterprise")
+	}
+
+	helper := runGrafana(t)
+	createOptions := metav1.CreateOptions{FieldValidation: "Strict"}
+	ctx := context.Background()
+
 	t.Run("should fail when type is bitbucket but 'bitbucket' field is not there", func(t *testing.T) {
 		connection := &unstructured.Unstructured{Object: map[string]any{
 			"apiVersion": "provisioning.grafana.app/v0alpha1",
@@ -294,7 +503,7 @@ func TestIntegrationProvisioning_ConnectionValidation(t *testing.T) {
 		}}
 		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
 		require.Error(t, err, "failed to create resource")
-		assert.Contains(t, err.Error(), "bitbucket info must be specified in Bitbucket connection")
+		assert.Contains(t, err.Error(), "invalid bitbucket connection")
 	})
 
 	t.Run("should fail when type is bitbucket but client secret is not there", func(t *testing.T) {
@@ -364,7 +573,7 @@ func TestIntegrationProvisioning_ConnectionValidation(t *testing.T) {
 		}}
 		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
 		require.Error(t, err, "failed to create resource")
-		assert.Contains(t, err.Error(), "gitlab info must be specified in Gitlab connection")
+		assert.Contains(t, err.Error(), "invalid gitlab connection")
 	})
 
 	t.Run("should fail when type is gitlab but client secret is not there", func(t *testing.T) {
@@ -428,6 +637,7 @@ func TestIntegrationConnectionController_HealthCheckUpdates(t *testing.T) {
 	provisioningClient, err := clientset.NewForConfig(restConfig)
 	require.NoError(t, err)
 	connClient := provisioningClient.ProvisioningV0alpha1().Connections(namespace)
+	privateKeyBase64 := base64.StdEncoding.EncodeToString([]byte(testPrivateKeyPEM))
 
 	t.Run("health check gets updated after initial creation", func(t *testing.T) {
 		// Create a connection using unstructured (like other connection tests)
@@ -447,12 +657,12 @@ func TestIntegrationConnectionController_HealthCheckUpdates(t *testing.T) {
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": "test-private-key",
+					"create": privateKeyBase64,
 				},
 			},
 		}}
 
-		createdUnstructured, err := helper.Connections.Resource.Create(ctx, connUnstructured, metav1.CreateOptions{})
+		createdUnstructured, err := helper.CreateGithubConnection(t, ctx, connUnstructured)
 		require.NoError(t, err)
 		require.NotNil(t, createdUnstructured)
 
@@ -501,12 +711,12 @@ func TestIntegrationConnectionController_HealthCheckUpdates(t *testing.T) {
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": "test-private-key-2",
+					"create": privateKeyBase64,
 				},
 			},
 		}}
 
-		createdUnstructured, err := helper.Connections.Resource.Create(ctx, connUnstructured, metav1.CreateOptions{})
+		createdUnstructured, err := helper.CreateGithubConnection(t, ctx, connUnstructured)
 		require.NoError(t, err)
 		require.NotNil(t, createdUnstructured)
 
@@ -538,7 +748,7 @@ func TestIntegrationConnectionController_HealthCheckUpdates(t *testing.T) {
 		updatedUnstructured := latestUnstructured.DeepCopy()
 		githubSpec := updatedUnstructured.Object["spec"].(map[string]any)["github"].(map[string]any)
 		githubSpec["appID"] = "99999"
-		_, err = helper.Connections.Resource.Update(ctx, updatedUnstructured, metav1.UpdateOptions{})
+		_, err = helper.UpdateGithubConnection(t, ctx, updatedUnstructured)
 		require.NoError(t, err)
 
 		// Wait for reconciliation after spec change
@@ -566,6 +776,7 @@ func TestIntegrationProvisioning_RepositoryFieldSelectorByConnection(t *testing.
 	helper := runGrafana(t)
 	ctx := context.Background()
 	createOptions := metav1.CreateOptions{FieldValidation: "Strict"}
+	privateKeyBase64 := base64.StdEncoding.EncodeToString([]byte(testPrivateKeyPEM))
 
 	// Create a connection first
 	connection := &unstructured.Unstructured{Object: map[string]any{
@@ -584,12 +795,12 @@ func TestIntegrationProvisioning_RepositoryFieldSelectorByConnection(t *testing.
 		},
 		"secure": map[string]any{
 			"privateKey": map[string]any{
-				"create": "test-private-key",
+				"create": privateKeyBase64,
 			},
 		},
 	}}
 
-	_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
+	_, err := helper.CreateGithubConnection(t, ctx, connection)
 	require.NoError(t, err, "failed to create connection")
 
 	t.Cleanup(func() {
@@ -731,3 +942,27 @@ func TestIntegrationProvisioning_RepositoryFieldSelectorByConnection(t *testing.
 		assert.Contains(t, names, "repo-with-different-connection")
 	})
 }
+
+func verifyToken(t *testing.T, appID, publicKey, token string) (bool, error) {
+	t.Helper()
+
+	// Parse the private key
+	key, err := jwt.ParseRSAPublicKeyFromPEM([]byte(publicKey))
+	if err != nil {
+		return false, err
+	}
+
+	parsedToken, err := jwt.Parse(token, func(token *jwt.Token) (any, error) {
+		return key, nil
+	}, jwt.WithValidMethods([]string{jwt.SigningMethodRS256.Alg()}))
+	if err != nil {
+		return false, err
+	}
+
+	claims, ok := parsedToken.Claims.(jwt.MapClaims)
+	if !ok || !parsedToken.Valid {
+		return false, fmt.Errorf("invalid token")
+	}
+
+	return claims.VerifyIssuer(appID, true), nil
+}

pkg/tests/apis/provisioning/helper_test.go

@@ -10,11 +10,14 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"testing"
 	"text/template"
 	"time"
 
+	"github.com/google/go-github/v70/github"
+	"github.com/grafana/grafana/pkg/extensions"
 	ghmock "github.com/migueleliasweb/go-github-mock/src/mock"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -30,6 +33,7 @@ import (
 	dashboardsV2beta1 "github.com/grafana/grafana/apps/dashboard/pkg/apis/dashboard/v2beta1"
 	folder "github.com/grafana/grafana/apps/folder/pkg/apis/folder/v1beta1"
 	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	githubConnection "github.com/grafana/grafana/apps/provisioning/pkg/connection/github"
 	grafanarest "github.com/grafana/grafana/pkg/apiserver/rest"
 	"github.com/grafana/grafana/pkg/registry/apis/provisioning/jobs"
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
@@ -699,13 +703,18 @@ func runGrafana(t *testing.T, options ...grafanaOption) *provisioningTestHelper
 		// (instance is needed for export jobs, folder for most operations)
 		ProvisioningAllowedTargets: []string{"folder", "instance"},
 	}
+
+	if extensions.IsEnterprise {
+		opts.ProvisioningRepositoryTypes = []string{"local", "github", "gitlab", "bitbucket"}
+	}
+
 	for _, o := range options {
 		o(&opts)
 	}
 	helper := apis.NewK8sTestHelper(t, opts)
 
-	// FIXME: keeping this line here to keep the dependency around until we have tests which use this again.
-	helper.GetEnv().GitHubFactory.Client = ghmock.NewMockedHTTPClient()
+	// FIXME: keeping these lines here to keep the dependency around until we have tests which use this again.
+	helper.GetEnv().GithubRepoFactory.Client = ghmock.NewMockedHTTPClient()
 
 	repositories := helper.GetResourceClient(apis.ResourceClientArgs{
 		User:      helper.Org1.Admin,
@@ -973,6 +982,79 @@ func (h *provisioningTestHelper) CleanupAllRepos(t *testing.T) {
 	}, waitTimeoutDefault, waitIntervalDefault, "repositories should be cleaned up between subtests")
 }
 
+func (h *provisioningTestHelper) CreateGithubConnection(
+	t *testing.T,
+	ctx context.Context,
+	connection *unstructured.Unstructured,
+) (*unstructured.Unstructured, error) {
+	t.Helper()
+
+	err := h.setGithubClient(t, connection)
+	if err != nil {
+		return nil, err
+	}
+
+	return h.Connections.Resource.Create(ctx, connection, metav1.CreateOptions{FieldValidation: "Strict"})
+}
+
+func (h *provisioningTestHelper) UpdateGithubConnection(
+	t *testing.T,
+	ctx context.Context,
+	connection *unstructured.Unstructured,
+) (*unstructured.Unstructured, error) {
+	t.Helper()
+
+	err := h.setGithubClient(t, connection)
+	if err != nil {
+		return nil, err
+	}
+
+	return h.Connections.Resource.Update(ctx, connection, metav1.UpdateOptions{FieldValidation: "Strict"})
+}
+
+func (h *provisioningTestHelper) setGithubClient(t *testing.T, connection *unstructured.Unstructured) error {
+	t.Helper()
+
+	objectSpec := connection.Object["spec"].(map[string]interface{})
+	githubObj := objectSpec["github"].(map[string]interface{})
+	appID := githubObj["appID"].(string)
+	id, err := strconv.ParseInt(appID, 10, 64)
+	if err != nil {
+		return err
+	}
+
+	appSlug := "someSlug"
+	connectionFactory := h.GetEnv().GithubConnectionFactory.(*githubConnection.Factory)
+	connectionFactory.Client = ghmock.NewMockedHTTPClient(
+		ghmock.WithRequestMatchHandler(
+			ghmock.GetApp,
+			http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+				w.WriteHeader(http.StatusOK)
+				app := github.App{
+					ID:   &id,
+					Slug: &appSlug,
+				}
+				_, _ = w.Write(ghmock.MustMarshal(app))
+			}),
+		),
+		ghmock.WithRequestMatchHandler(
+			ghmock.GetAppInstallationsByInstallationId,
+			http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				id := r.URL.Query().Get("installation_id")
+				idInt, _ := strconv.ParseInt(id, 10, 64)
+				w.WriteHeader(http.StatusOK)
+				installation := github.Installation{
+					ID: &idInt,
+				}
+				_, _ = w.Write(ghmock.MustMarshal(installation))
+			}),
+		),
+	)
+	h.SetGithubConnectionFactory(connectionFactory)
+
+	return nil
+}
+
 func postHelper(t *testing.T, helper apis.K8sTestHelper, path string, body interface{}, user apis.User) (map[string]interface{}, int, error) {
 	return requestHelper(t, helper, http.MethodPost, path, body, user)
 }

pkg/tests/apis/provisioning/repository_test.go

@@ -10,6 +10,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/grafana/grafana/pkg/extensions"
 	provisioningAPIServer "github.com/grafana/grafana/pkg/registry/apis/provisioning"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -149,10 +150,19 @@ func TestIntegrationProvisioning_CreatingAndGetting(t *testing.T) {
 				}
 			}
 
-			assert.ElementsMatch(collect, []provisioning.RepositoryType{
-				provisioning.LocalRepositoryType,
-				provisioning.GitHubRepositoryType,
-			}, settings.AvailableRepositoryTypes)
+			if extensions.IsEnterprise {
+				assert.ElementsMatch(collect, []provisioning.RepositoryType{
+					provisioning.LocalRepositoryType,
+					provisioning.GitHubRepositoryType,
+					provisioning.BitbucketRepositoryType,
+					provisioning.GitLabRepositoryType,
+				}, settings.AvailableRepositoryTypes)
+			} else {
+				assert.ElementsMatch(collect, []provisioning.RepositoryType{
+					provisioning.LocalRepositoryType,
+					provisioning.GitHubRepositoryType,
+				}, settings.AvailableRepositoryTypes)
+			}
 		}, time.Second*10, time.Millisecond*100, "Expected settings to match")
 	})
 

pkg/tests/testinfra/testinfra.go

@@ -622,6 +622,12 @@ func CreateGrafDir(t *testing.T, opts GrafanaOpts) (string, string) {
 		_, err = provisioningSect.NewKey("allowed_targets", strings.Join(opts.ProvisioningAllowedTargets, "|"))
 		require.NoError(t, err)
 	}
+	if len(opts.ProvisioningRepositoryTypes) > 0 {
+		provisioningSect, err := getOrCreateSection("provisioning")
+		require.NoError(t, err)
+		_, err = provisioningSect.NewKey("repository_types", strings.Join(opts.ProvisioningRepositoryTypes, "|"))
+		require.NoError(t, err)
+	}
 	if opts.EnableSCIM {
 		scimSection, err := getOrCreateSection("auth.scim")
 		require.NoError(t, err)
@@ -731,6 +737,7 @@ type GrafanaOpts struct {
 	UnifiedStorageMaxPageSizeBytes        int
 	PermittedProvisioningPaths            string
 	ProvisioningAllowedTargets            []string
+	ProvisioningRepositoryTypes           []string
 	GrafanaComSSOAPIToken                 string
 	LicensePath                           string
 	EnableRecordingRules                  bool