feat: add Azure DevOps enterprise integration support

Add support for Azure DevOps as an enterprise identity provider with automatic organization discovery. The integration uses Azure AD app registration for authentication and automatically discovers user organizations via the Azure DevOps Accounts API.

Changes:
- Add azureDevOps configuration to values.yaml with tenant ID and secret support
- Add Azure DevOps environment variables and keycloak configuration
- Add ingress route for Azure DevOps integration endpoint
- Update README with Azure DevOps setup instructions including secret configuration
- Use auto-discovery for organizations instead of manual configuration

Author: Wan

charts/openhands/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 description: OpenHands is an AI-driven autonomous software engineer
 name: openhands
 appVersion: 0.54.2
-version: 0.1.33
+version: 0.1.34
 maintainers:
   - name: rbren
   - name: xingyao

charts/openhands/README.md

@@ -245,6 +245,36 @@ authentication as well.
      enabled: true
    ```
 
+#### Azure DevOps
+
+1. Create an Azure AD App Registration:
+
+   - Go to the Azure Portal > Azure Active Directory > App registrations > New registration
+   - Set the "Redirect URI" to `https://auth.openhands.example.com/realms/allhands/broker/azuredevops/endpoint`
+   - Under "Certificates & secrets", create a new client secret
+   - Under "API permissions", add the following permissions for Azure DevOps (if using delegated permissions): vso.code_write, vso.work_write, vso.identity, vso.profile, vso.project
+   - Note the Application (client) ID, Directory (tenant) ID, and Client Secret
+
+2. Create an Azure DevOps App secret:
+
+   ```bash
+   kubectl create secret generic azuredevops-app -n openhands \
+     --from-literal=client-id=<your-azure-ad-client-id> \
+     --from-literal=client-secret=<your-azure-ad-client-secret>
+   ```
+
+3. Update site-values.yaml file:
+
+   ```yaml
+   azureDevOps:
+     enabled: true
+     # For single-tenant apps, set your Azure AD tenant ID
+     # For multi-tenant apps, leave empty or set to "common"
+     tenantId: "<your-tenant-id-or-empty>"
+     auth:
+       existingSecret: azuredevops-app
+   ```
+
 When the chart is deployed, a job will run to configure the Keycloak realm with the identity provider credentials you provided.
 
 ### Install OpenHands

charts/openhands/templates/_env.yaml

@@ -180,6 +180,20 @@
       name: {{ .Values.bitbucket.auth.existingSecret }}
       key: client-secret
 {{- end }}
+{{- if .Values.azureDevOps.enabled }}
+- name: AZURE_DEVOPS_APP_CLIENT_ID
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.azureDevOps.auth.existingSecret }}
+      key: client-id
+- name: AZURE_DEVOPS_APP_CLIENT_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.azureDevOps.auth.existingSecret }}
+      key: client-secret
+- name: AZURE_DEVOPS_TENANT_ID
+  value: {{ .Values.azureDevOps.tenantId | quote }}
+{{- end }}
 {{- if and .Values.litellm.enabled .Values.litellm.useDependentInstall }}
 - name: LITE_LLM_API_URL
   value: http://{{ .Release.Name }}-litellm

charts/openhands/templates/ingress-integrations.yaml

@@ -43,6 +43,13 @@ spec:
             name: openhands-integrations-service
             port:
               number: 3000
+      - path: /integration/azure-devops/events
+        pathType: Exact
+        backend:
+          service:
+            name: openhands-integrations-service
+            port:
+              number: 3000
       - path: /integration/jira/events
         pathType: Exact
         backend:

charts/openhands/templates/keycloak-config-script.yaml

@@ -90,7 +90,7 @@ data:
     fi
     if [ "$ERROR_MESSAGE" = "Realm not found." ]; then
       echo "Creating allhands realm..."
-      envsubst '$WEB_HOST,$AUTH_WEB_HOST,$KEYCLOAK_REALM_NAME,$KEYCLOAK_PROVIDER_NAME,$KEYCLOAK_CLIENT_ID,$KEYCLOAK_CLIENT_SECRET,$GITHUB_APP_CLIENT_ID,$GITHUB_APP_CLIENT_SECRET,$GITLAB_APP_CLIENT_ID,$GITLAB_APP_CLIENT_SECRET,$BITBUCKET_APP_CLIENT_ID,$BITBUCKET_APP_CLIENT_SECRET,$GITHUB_BASE_URL,$KEYCLOAK_SMTP_PASSWORD'< /app/allhands-realm-github-provider.json.tmpl > /app/allhands-realm-github-provider.json
+      envsubst '$WEB_HOST,$AUTH_WEB_HOST,$KEYCLOAK_REALM_NAME,$KEYCLOAK_PROVIDER_NAME,$KEYCLOAK_CLIENT_ID,$KEYCLOAK_CLIENT_SECRET,$GITHUB_APP_CLIENT_ID,$GITHUB_APP_CLIENT_SECRET,$GITLAB_APP_CLIENT_ID,$GITLAB_APP_CLIENT_SECRET,$BITBUCKET_APP_CLIENT_ID,$BITBUCKET_APP_CLIENT_SECRET,$AZURE_DEVOPS_APP_CLIENT_ID,$AZURE_DEVOPS_APP_CLIENT_SECRET,$GITHUB_BASE_URL,$KEYCLOAK_SMTP_PASSWORD'< /app/allhands-realm-github-provider.json.tmpl > /app/allhands-realm-github-provider.json
       keycloak_api_call "curl -s -X POST \"$KEYCLOAK_SERVER_URL/admin/realms\" -H \"Authorization: Bearer $ACCESS_TOKEN\" -H \"Content-Type: application/json\" --data \"@/app/allhands-realm-github-provider.json\""
       echo "Created allhands realm."
     fi

charts/openhands/values.yaml

@@ -13,6 +13,7 @@ appConfig:
   OPENHANDS_GITHUB_SERVICE_CLS: "integrations.github.github_service.SaaSGitHubService"
   OPENHANDS_GITLAB_SERVICE_CLS: "integrations.gitlab.gitlab_service.SaaSGitLabService"
   OPENHANDS_BITBUCKET_SERVICE_CLS: "integrations.bitbucket.bitbucket_service.SaaSBitBucketService"
+  OPENHANDS_AZURE_DEVOPS_SERVICE_CLS: "integrations.azure_devops.azure_devops_service.SaaSAzureDevOpsService"
   OPENHANDS_MCP_CONFIG_CLS: "server.mcp.mcp_config.SaaSOpenHandsMCPConfig"
   OPENHANDS_EXPERIMENT_MANAGER_CLS: "experiments.experiment_manager.SaaSExperimentManager"
   POSTHOG_CLIENT_KEY: "1234abcd"
@@ -597,6 +598,14 @@ jiraDc:
 linear:
   enabled: false
 
+azureDevOps:
+  enabled: false
+  # Azure AD tenant ID for single-tenant app authentication
+  # Leave empty or set to "common" for multi-tenant apps
+  tenantId: ""
+  auth:
+    existingSecret: azuredevops-app
+
 global:
   security:
     # This allows using the bitnamilegacy image repo.