Sample CI/CD pipeline
A key principle of policy DevOps is that authorization policy changes go through the same automated quality gates as application code. When a developer modifies a policy, attribute, or attribute connector, the CI/CD pipeline should verify the change with tests. If the image-based deployment model is used, the pipeline should also build and publish a new ADS container image.
The pipeline below reflects this flow: tests run first to validate the authorization domain, then APD stages the build context, and finally the pipeline builds and pushes the image to a container registry. APD handles compilation and packaging; your pipeline handles the container build and registry interaction.
The examples below assume the image-based deployment model, where the authorization domain is baked into the ADS container image. If you are using Authorization Hub instead, replace the stageDeployment and container build steps with the relevant AllPushTo{environment} tasks.
Pipeline steps
The essential steps in any pipeline are:
# 1. Run unit and integration tests against the authorization domain
./gradlew test
# 2. Stage the ADS deployment build context
./gradlew stageDeployment
# 3. Build the container image
docker build -t <registry>/<image>:<tag> build/install/deployment/ads/
# 4. Push the image to your registry
docker push <registry>/<image>:<tag>
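The four steps above as one fail-fast script, added here as an example and not part of the APD documentation. It assumes the same ./gradlew tasks and the build/install/deployment/ads/ build context; the GRADLE, DOCKER and ADS_CONTEXT variables and the image_ref/check_context helpers are this example's own, so the script can be exercised without Gradle or Docker installed.

```shell
#!/usr/bin/env sh
# Added example, not APD's own tooling: runs the four essential pipeline steps
# and stops at the first failure so a broken authorization domain is never
# built into, or pushed as, an ADS image.
set -eu

GRADLE="${GRADLE:-./gradlew}"                                # assumed override hook
DOCKER="${DOCKER:-docker}"                                   # assumed override hook
ADS_CONTEXT="${ADS_CONTEXT:-build/install/deployment/ads}"   # stageDeployment output

# Compose the image reference registry/image:tag. Every part must be non-empty and
# the tag must be immutable (build number or commit SHA, as in the pipelines on this
# page), so a misconfigured job fails before anything is pushed.
image_ref() {
  registry="$1"; image="$2"; tag="$3"
  [ -n "$registry" ] && [ -n "$image" ] && [ -n "$tag" ] || return 1
  case "$tag" in latest) return 1 ;; esac
  printf '%s/%s:%s\n' "$registry" "$image" "$tag"
}

# Confirm that stageDeployment really produced a build context with a Dockerfile;
# building from an empty or stale directory would otherwise fail late or silently.
check_context() {
  [ -d "$1" ] && [ -f "$1/Dockerfile" ]
}

# pipeline REGISTRY IMAGE TAG: returns non-zero as soon as any gate fails.
pipeline() {
  ref="$(image_ref "$1" "$2" "$3")" || { echo "invalid image reference" >&2; return 1; }
  # 1. unit and integration tests validate the authorization domain first
  "$GRADLE" test || return 1
  # 2. stage the ADS deployment build context
  "$GRADLE" stageDeployment || return 1
  check_context "$ADS_CONTEXT" || { echo "no Dockerfile in $ADS_CONTEXT" >&2; return 1; }
  # 3. and 4. build and push under the immutable reference
  "$DOCKER" build -t "$ref" "$ADS_CONTEXT/" || return 1
  "$DOCKER" push "$ref"
}
```

Run as `REGISTRY=... IMAGE=... sh pipeline.sh` after adding `pipeline "$REGISTRY" "$IMAGE" "$(git rev-parse HEAD)"` at the end, or source it and call `pipeline` from an existing job.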
Jenkins
pipeline {
    agent any
    stages {
        stage('Test') {
            steps {
                sh './gradlew test'
            }
        }
        stage('Stage deployment') {
            steps {
                sh './gradlew stageDeployment'
            }
        }
        stage('Build and push image') {
            steps {
                sh '''
                    docker build -t ${REGISTRY}/${IMAGE}:${BUILD_NUMBER} build/install/deployment/ads/
                    docker push ${REGISTRY}/${IMAGE}:${BUILD_NUMBER}
                '''
            }
        }
    }
}
Azure DevOps
steps:
  - task: Gradle@3
    displayName: Test
    inputs:
      tasks: test
  - task: Gradle@3
    displayName: Stage deployment
    inputs:
      tasks: stageDeployment
  - task: Docker@2
    displayName: Build and push image
    inputs:
      command: buildAndPush
      repository: $(imageRepository)
      dockerfile: build/install/deployment/ads/Dockerfile
      buildContext: build/install/deployment/ads/
      tags: $(Build.BuildId)
GitHub Actions
- name: Test
  run: ./gradlew test
- name: Stage deployment
  run: ./gradlew stageDeployment
- name: Build and push image
  uses: docker/build-push-action@v5
  with:
    context: build/install/deployment/ads/
    push: true
    tags: ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ github.sha }}
The build/install/deployment/ads/ directory is standard Gradle build output and can be cached between pipeline runs, which speeds up builds when none of the policies, attributes, or connectors have changed.