feat: add Azure DevOps enterprise integration support

charts/openhands/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 description: OpenHands is an AI-driven autonomous software engineer
 name: openhands
 appVersion: 0.62.0
-version: 0.1.34
+version: 0.1.35
 maintainers:
   - name: rbren
   - name: xingyao

charts/openhands/README.md

@@ -245,6 +245,36 @@ authentication as well.
      enabled: true
    ```
 
+#### Azure DevOps
+
+1. Create an Azure AD App Registration:
+
+   - Go to the Azure Portal > Azure Active Directory > App registrations > New registration
+   - Set the "Redirect URI" to `https://auth.openhands.example.com/realms/allhands/broker/azuredevops/endpoint`
+   - Under "Certificates & secrets", create a new client secret
+   - Under "API permissions", add the following permissions for Azure DevOps (if using delegated permissions): vso.code_write, vso.work_write, vso.identity, vso.profile, vso.project
+   - Note the Application (client) ID, Directory (tenant) ID, and Client Secret
+
+2. Create an Azure DevOps App secret:
+
+   ```bash
+   kubectl create secret generic azuredevops-app -n openhands \
+     --from-literal=client-id=<your-azure-ad-client-id> \
+     --from-literal=client-secret=<your-azure-ad-client-secret>
+   ```
+
+3. Update site-values.yaml file:
+
+   ```yaml
+   azureDevOps:
+     enabled: true
+     # For single-tenant apps, set your Azure AD tenant ID
+     # For multi-tenant apps, leave empty or set to "common"
+     tenantId: "<your-tenant-id-or-empty>"
+     auth:
+       existingSecret: azuredevops-app
+   ```
+
 When the chart is deployed, a job will run to configure the Keycloak realm with the identity provider credentials you provided.
 
 ### Install OpenHands

charts/openhands/templates/_env.yaml

@@ -180,6 +180,20 @@
       name: {{ .Values.bitbucket.auth.existingSecret }}
       key: client-secret
 {{- end }}
+{{- if .Values.azureDevOps.enabled }}
+- name: AZURE_DEVOPS_APP_CLIENT_ID
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.azureDevOps.auth.existingSecret }}
+      key: client-id
+- name: AZURE_DEVOPS_APP_CLIENT_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.azureDevOps.auth.existingSecret }}
+      key: client-secret
+- name: AZURE_DEVOPS_TENANT_ID
+  value: {{ .Values.azureDevOps.tenantId | quote }}
+{{- end }}
 {{- if and .Values.litellm.enabled .Values.litellm.useDependentInstall }}
 - name: LITE_LLM_API_URL
   value: http://{{ .Release.Name }}-litellm

charts/openhands/templates/ingress-integrations.yaml

@@ -43,6 +43,13 @@ spec:
             name: openhands-integrations-service
             port:
               number: 3000
+      - path: /integration/azure-devops/events
+        pathType: Exact
+        backend:
+          service:
+            name: openhands-integrations-service
+            port:
+              number: 3000
       - path: /integration/jira/events
         pathType: Exact
         backend:

charts/openhands/templates/keycloak-config-script.yaml

@@ -90,7 +90,7 @@ data:
     fi
     if [ "$ERROR_MESSAGE" = "Realm not found." ]; then
       echo "Creating allhands realm..."
-      envsubst '$WEB_HOST,$AUTH_WEB_HOST,$KEYCLOAK_REALM_NAME,$KEYCLOAK_PROVIDER_NAME,$KEYCLOAK_CLIENT_ID,$KEYCLOAK_CLIENT_SECRET,$GITHUB_APP_CLIENT_ID,$GITHUB_APP_CLIENT_SECRET,$GITLAB_APP_CLIENT_ID,$GITLAB_APP_CLIENT_SECRET,$BITBUCKET_APP_CLIENT_ID,$BITBUCKET_APP_CLIENT_SECRET,$GITHUB_BASE_URL,$KEYCLOAK_SMTP_PASSWORD'< /app/allhands-realm-github-provider.json.tmpl > /app/allhands-realm-github-provider.json
+      envsubst '$WEB_HOST,$AUTH_WEB_HOST,$KEYCLOAK_REALM_NAME,$KEYCLOAK_PROVIDER_NAME,$KEYCLOAK_CLIENT_ID,$KEYCLOAK_CLIENT_SECRET,$GITHUB_APP_CLIENT_ID,$GITHUB_APP_CLIENT_SECRET,$GITLAB_APP_CLIENT_ID,$GITLAB_APP_CLIENT_SECRET,$BITBUCKET_APP_CLIENT_ID,$BITBUCKET_APP_CLIENT_SECRET,$AZURE_DEVOPS_APP_CLIENT_ID,$AZURE_DEVOPS_APP_CLIENT_SECRET,$GITHUB_BASE_URL,$KEYCLOAK_SMTP_PASSWORD'< /app/allhands-realm-github-provider.json.tmpl > /app/allhands-realm-github-provider.json
       keycloak_api_call "curl -s -X POST \"$KEYCLOAK_SERVER_URL/admin/realms\" -H \"Authorization: Bearer $ACCESS_TOKEN\" -H \"Content-Type: application/json\" --data \"@/app/allhands-realm-github-provider.json\""
       echo "Created allhands realm."
     fi

charts/openhands/values.yaml

@@ -13,6 +13,7 @@ appConfig:
   OPENHANDS_GITHUB_SERVICE_CLS: "integrations.github.github_service.SaaSGitHubService"
   OPENHANDS_GITLAB_SERVICE_CLS: "integrations.gitlab.gitlab_service.SaaSGitLabService"
   OPENHANDS_BITBUCKET_SERVICE_CLS: "integrations.bitbucket.bitbucket_service.SaaSBitBucketService"
+  OPENHANDS_AZURE_DEVOPS_SERVICE_CLS: "integrations.azure_devops.azure_devops_service.SaaSAzureDevOpsService"
   OPENHANDS_MCP_CONFIG_CLS: "server.mcp.mcp_config.SaaSOpenHandsMCPConfig"
   OPENHANDS_EXPERIMENT_MANAGER_CLS: "experiments.experiment_manager.SaaSExperimentManager"
   POSTHOG_CLIENT_KEY: "1234abcd"
@@ -597,6 +598,14 @@ jiraDc:
 linear:
   enabled: false
 
+azureDevOps:
+  enabled: false
+  # Azure AD tenant ID for single-tenant app authentication
+  # Leave empty or set to "common" for multi-tenant apps
+  tenantId: ""
+  auth:
+    existingSecret: azuredevops-app
+
 global:
   security:
     # This allows using the bitnamilegacy image repo.