Integrate Azure DevOps into Red Hat Developer Hub workflows

Integrating Azure DevOps with Red Hat Developer Hub brings together two powerful platforms to create a seamless, end-to-end CI/CD experience. Azure DevOps offers robust capabilities for source control, build automation, and deployment. Meanwhile, Red Hat Developer Hub serves as a centralized developer portal for managing tools, services, documentation, and templates. When combined, teams benefit from improved collaboration, faster delivery, and increased visibility across the entire development lifecycle.

Supported Azure DevOps plug-ins

Red Hat Developer Hub includes several Azure DevOps plug-ins:

• Azure Scaffolder plug-in
• Azure DevOps plug-in
• Azure DevOps Backend plug-in

In this guide, we’ll walk through the steps to integrate these plug-ins with Red Hat Developer Hub. We’ll also use Microsoft Entra ID (formerly Azure AD) for authentication, which requires the msgraph plug-in for secure identity management.

All 4 of these plug-ins are in Technology Preview as of the documentation’s creation date, which corresponds to the Red Hat Developer Hub 1.5 release.

Prerequisites

Before we begin, ensure that you have:

• Set up Azure Entra ID.
• Configured Azure DevOps.
• Satisfied the platform requirements. Red Hat Developer Hub can run on any AWS KMS External Key Store (XKS) or Red Hat Enterprise Linux system. For this demo, we’ll use Red Hat OpenShift 4.18.

We will walk through a summary of the steps to set up Azure Entra ID and configure Azure DevOps.

Azure Entra ID setup

Refer to the official documentation for comprehensive details. We’ll summarize the required steps:

1. Register a web application with a client secret (Figure 1).

2. Set the redirect URI to https://<rhdh-host>/api/auth/microsoft/handler/frame, as shown in Figure 2.

3. Set the required API permissions:

   • email
   • offline_access
   • openid
   • profile
   • User.Read

   Figure 3 shows an example.

Azure DevOps configuration

1. Create an Azure DevOps organization, as shown in Figure 4.

2. Add your Entra ID service principal under Org Settings > Users. See Figure 5.

3. Ensure your pipeline agent pool (Azure or self-hosted) is available and running Docker (Figure 6).

4. Set up a service connection under Project > Pipelines > Service Connections to your image registry. In this example, we used quay.io. See Figure 7.

Install Red Hat Developer Hub with Azure plug-ins

For Azure DevOps configuration, refer to the upstream documentation. For Azure SSO configuration, consult the upstream documentation. Then follow these steps:

1. Update the dynamic-plugins section of your configuration to enable Azure-related plug-ins:

dynamic:
  plugins:
    - package: ./dynamic-plugins/dist/backstage-plugin-catalog-backend-module-msgraph-dynamic
      disabled: false
    - package: ./dynamic-plugins/dist/backstage-plugin-scaffolder-backend-module-azure-dynamic
      disabled: false
    - package: ./dynamic-plugins/dist/backstage-community-plugin-azure-devops
      disabled: false
    - package: ./dynamic-plugins/dist/backstage-community-plugin-azure-devops-backend-dynamic
      disabled: false

2. If using Entra ID authentication, add your client ID, secret, and tenant ID to the auth configuration:

auth:
  environment: production
  providers:
    microsoft:
      production:
        clientId: ${CLIENT_ID}
        clientSecret: ${CLIENT_SECRET}
        tenantId: ${TENANT_ID}

3. To import users and groups from Entra ID:

catalog:
  providers:
    microsoftGraphOrg:
      providerId:
        clientId: ${CLIENT_ID}
        clientSecret: ${CLIENT_SECRET}
        tenantId: ${TENANT_ID}
        userGroupMember:
          search: '"displayName:team a" OR "displayName:teamb"'
        schedule:
          frequency: PT1M
          timeout: PT50M

4. Add a sample Azure DevOps template under catalog:

catalog:
  locations:
    - target: ${TEMPLATE_URL}      
      type: url
      rules:
        - allow: [Template]

This template URL should link to a file. Alternatively, the template can be imported via the web UI (Figure 8).

5. Configure the Azure DevOps back-end provider with the organization, project, and repository used for Azure DevOps:

catalog:
  providers:
    azureDevOps:
      yourProviderId:
        organization: ${AZURE_DEVOPS_ORG}
        project: '*'
        repository: '*'
        path: /catalog-info.yaml
        schedule:
          frequency: { minutes: 30 }
          timeout: { minutes: 3 }

6. Specify Azure DevOps credentials:

integrations:
  azure:
    - host: dev.azure.com
      credentials:
        - clientId: ${CLIENT_ID}
          clientSecret: ${CLIENT_SECRET}
          tenantId: ${TENANT_ID}

This is what the overall configuration looks like:

app:
  baseUrl: ${RHDH_HOST}
backend:
  auth:
    externalAccess:
    - options:
        secret: ${BACKEND_SECRET}
        subject: legacy-default-config
      type: legacy
  baseUrl: ${RHDH_HOST}
  cors:
    origin: ${RHDH_HOST}
auth:
  environment: production
  providers:
    microsoft:
      production:
        clientId: ${CLIENT_ID}
        clientSecret: ${CLIENT_SECRET}
        tenantId: ${TENANT_ID}
signInPage: microsoft
catalog:
  rules:
  - allow: [Component, System, API, Resource, Location, Template, Group, User]
  locations:
  - target: 
https://github.com/suchugh/red-hat-developer-hub-software-templates/blob/main/templates/azure/dotnet-frontend/template.yaml
    type: url
    rules:
      - allow: [Template]   
  providers:      
    microsoftGraphOrg:
      providerId:
        clientId: ${CLIENT_ID}
        clientSecret: ${CLIENT_SECRET}
        tenantId: ${TENANT_ID}
        userGroupMember:
          search: '"displayName:team a" OR "displayName:teamb"'
        schedule:
          frequency: PT1M
          timeout: PT50M
    azureDevOps:
      yourProviderId: # identifies your dataset / provider independent of config changes
        organization: ${AZURE_DEVOPS_ORG}
        project: '*'
        repository: '*' # this will match all repos 
        path: /catalog-info.yaml
        schedule: # optional; same options as in TaskScheduleDefinition
          # supports cron, ISO duration, "human duration" as used in code
          frequency: { minutes: 30 }
          # supports ISO duration, "human duration" as used in code
          timeout: { minutes: 3 }      
integrations:
  azure:
    - host: dev.azure.com
      credentials:
        - clientId: ${CLIENT_ID}
          clientSecret: ${CLIENT_SECRET}
          tenantId: ${TENANT_ID}
          # organizations:
          #   - \$AZURE_DEVOPS_ORG
permission:
  enabled: false
enabled:
  azure: true
  azureDevOps: true
  microsoftGraphOrg: true
  microsoft: true
  permission: false

In the following video, you can see the template is imported into Developer Hub.

Launching the template

Launch the template by initiating it with parameters. The following video shows the .NET template execution after it’s successfully imported into Red Hat Developer Hub.

After you launch the application template via Developer Hub, import azure-pipelines.yml from the Azure Git repository created by the template. Then, run the Azure pipeline from your application repository. Note the imageRepository where the image will be published:

trigger:
  - main
resources:
  - repo: self
variables:
  tag: "azure-devops-demo-$(Build.BuildId),azure-devops-demo-latest"
  imageRepository: "suchugh/azureado"
  dockerRegistryServiceConnection: "quay.io"
stages:
  - stage: Build
    displayName: Build image
    jobs:
      - job: Build
        pool:
          name: Default
        steps:
          - task: DockerInstaller@0
            inputs:
              dockerVersion: '28.0.4'
          - task: Docker@2
            displayName: Build and push image
            inputs:
              command: buildAndPush
              repository: $(imageRepository)
              containerRegistry: $(dockerRegistryServiceConnection)
              dockerfile: "$(Build.SourcesDirectory)/Dockerfile"
              tags: |
                $(tag)

The following video depicts creating a pipeline for the sample .NET application in Azure Pipelines using a locally running agent. This will be reflected in Developer Hub after the application is imported into the catalog.

Logging into the Developer Hub console, you can see the pipeline in action. After a successful execution of Azure Pipelines for the sample application, you can view the details of the applications from within the Developer Hub catalog, as depicted in the following video.

Final thoughts

With this setup (Figure 9), you can:

• Scaffold new projects using Developer Hub templates.
• Authenticate users with Entra ID.
• Automate builds and deployments using Azure DevOps.

This integration showcases how Red Hat Developer Hub and Azure DevOps together enhance developer productivity, enabling fast, consistent, and scalable CI/CD workflows.

Have questions or want to see this in action? Feel free to reach out!

The post Integrate Azure DevOps into Red Hat Developer Hub workflows appeared first on Red Hat Developer.