diff --git a/docs/dictionary/en-custom.txt b/docs/dictionary/en-custom.txt
index 38d65a19fd..ffc84cdd77 100644
--- a/docs/dictionary/en-custom.txt
+++ b/docs/dictionary/en-custom.txt
@@ -25,6 +25,7 @@ az
 azs
 backend
 backends
+barbican
 baremetal
 baremetalhost
 basedir
@@ -45,6 +46,7 @@ bootmacaddress
 bootmode
 buildah
 buildpkgs
+cacert
 cacheable
 cci
 ccitredhat
@@ -203,6 +205,8 @@ hostnames
 hostvars
 hotfix
 href
+hsm
+hsms
 https
 ic
 icjbuue
@@ -300,6 +304,7 @@ mellanox
 metallb
 metalsmith
 mgmt
+minclient
 mins
 minsizegigabytes
 mlnx
@@ -392,6 +397,7 @@ params
 passwd
 passwordless
 pastebin
+pem
 pkgs
 pki
 png
diff --git a/hooks/playbooks/barbican-enable-luna.yml b/hooks/playbooks/barbican-enable-luna.yml
new file mode 100644
index 0000000000..de9f864c93
--- /dev/null
+++ b/hooks/playbooks/barbican-enable-luna.yml
@@ -0,0 +1,78 @@
+---
+- name: Create modified barbican image and get secrets
+ hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+ tasks:
+ - name: Check out the role git repo
+ ansible.builtin.git:
+ dest: "./rhoso_luna_hsm"
+ repo: "https://github.com/openstack-k8s-operators/ansible-role-rhoso-luna-hsm.git"
+ version: main
+
+ - name: Create and upload the new barbican images
+ ansible.builtin.include_role:
+ name: rhoso_luna_hsm
+ tasks_from: create_image.yml
+ vars:
+ barbican_src_image_registry: "{{ content_provider_registry_ip }}:5001"
+ barbican_src_image_namespace: "{{ cifmw_set_openstack_containers_namespace }}"
+ barbican_src_image_tag: "{{ cifmw_update_extras['cifmw_set_openstack_containers_tag'] }}"
+ barbican_dest_image_registry: "{{ content_provider_registry_ip }}:5001"
+ barbican_dest_image_namespace: "{{ cifmw_set_openstack_containers_namespace }}"
+ barbican_dest_image_tag: "{{ cifmw_update_extras['cifmw_set_openstack_containers_tag'] }}{{ cifmw_update_barbican_custom_tag }}"
+ luna_minclient_src: "{{ cifmw_hsm_luna_minclient_src }}"
+ hsm_luna_binaries_src: "{{ cifmw_hsm_luna_binaries_src }}"
+
+ - name: Create secrets with the HSM certs and hsm-login credentials
+ ansible.builtin.include_role:
+ name: rhoso_luna_hsm
+ tasks_from: create_secrets.yml
+ vars:
+ client_ip: "{{ cifmw_hsm_client_ip }}"
+ luna_server_cert_src: "{{ cifmw_hsm_luna_server_cert_src }}"
+ luna_client_cert_src: "{{ cifmw_hsm_luna_client_cert_src }}"
+ partition_password: "{{ cifmw_hsm_partition_password }}"
+ kubeconfig_path: "{{ cifmw_openshift_kubeconfig }}"
+ oc_path: "{{ cifmw_path }}"
+ luna_cert_secret: "{{ cifmw_hsm_luna_cert_secret | default('barbican-luna-certs', true) }}"
+ login_secret: "{{ cifmw_hsm_login_secret | default('hsm-login', true) }}"
+
+- name: Create kustomization to use update barbican to use luna
+ hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+ tasks:
+ - name: Create file to customize barbican resource deployed in the 
control plane
+ vars:
+ certs_secret: "{{ cifmw_hsm_luna_cert_secret | default('barbican-luna-certs', true) }}"
+ login_secret: "{{ cifmw_hsm_login_secret | default('hsm-login', true) }}"
+ ansible.builtin.copy:
+ dest: "{{ cifmw_basedir }}/artifacts/manifests/kustomizations/controlplane/93-barbican-luna.yaml"
+ content: |-
+ apiVersion: kustomize.config.k8s.io/v1beta1
+ kind: Kustomization
+ resources:
+ namespace: {{ namespace }}
+ patches:
+ - target:
+ kind: OpenStackControlPlane
+ name: .*
+ patch: |-
+ - op: add
+ path: /spec/barbican/template/globalDefaultSecretStore
+ value: pkcs11
+ - op: add
+ path: /spec/barbican/template/enabledSecretStores
+ value:
+ - pkcs11
+ - op: add
+ path: /spec/barbican/template/pkcs11
+ value:
+ type: luna
+ libraryPath: /usr/local/luna/libs/64/libCryptoki2.so
+ tokenLabels: "{{ cifmw_hsm_luna_partition }}"
+ MKEKLabel: "{{ cifm_hsm_mkek_label }}"
+ HMACLabel: "{{ cifm_hsm_hmac_label }}"
+ serverAddress: "{{ cifmw_hsm_server_ip }}"
+ clientAddress: "{{ cifmw_hsm_client_ip }}"
+ loginSecret: "{{ login_secret }}"
+ certificatesSecret: "{{ certs_secret }}"
+ certificatesMountPoint: /usr/local/luna/config/certs
+ keyWrapMechanism: "{{ cifmw_hsm_key_wrap_mechanism }}"
diff --git a/roles/update_containers/defaults/main.yml b/roles/update_containers/defaults/main.yml
index 95142c4136..1aff329406 100644
--- a/roles/update_containers/defaults/main.yml
+++ b/roles/update_containers/defaults/main.yml
@@ -47,3 +47,4 @@ cifmw_update_containers_manilashares:
 # cifmw_update_containers_edpm_image_url:
 # cifmw_update_containers_ipa_image_url:
 # cifmw_update_containers_edpmnodeexporterimage:
+cifmw_update_barbican_custom_tag: ""
diff --git a/roles/update_containers/templates/update_containers.j2 b/roles/update_containers/templates/update_containers.j2
index 04ccbed301..587078444b 100644
--- a/roles/update_containers/templates/update_containers.j2
+++ b/roles/update_containers/templates/update_containers.j2
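Review bot: The two labels in the copied kustomization reference `cifm_hsm_mkek_label` and `cifm_hsm_hmac_label`, while every other input in this playbook uses the `cifmw_hsm_` prefix, so these look like typos that would leave the MKEK/HMAC labels undefined when the copy task renders the content; presumably they should read `MKEKLabel: "{{ cifmw_hsm_mkek_label }}"` and `HMACLabel: "{{ cifmw_hsm_hmac_label }}"`. The create_secrets include passes `partition_password: "{{ cifmw_hsm_partition_password }}"` as a task var, so the HSM partition credential can end up in verbose task output and callback logs; unless the role's own tasks already guard it, add `apply: { no_log: true }` to that `ansible.builtin.include_role` task so the tasks that consume it are not logged. The role is checked out with `version: main` from a remote repository and then executed on the hook host, which means each run executes whatever that branch contains at that moment; pinning `version:` to a tag or commit SHA (constructed example: `version: "{{ cifmw_hsm_luna_role_version | default('<pinned-sha>') }}"`) keeps the run reproducible and auditable. The `dest: "./rhoso_luna_hsm"` checkout path is relative to the working directory, so whether `include_role` can resolve `rhoso_luna_hsm` depends on where the hook is invoked from; an absolute path under `cifmw_basedir` would make that explicit.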
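Review bot: The new default `cifmw_update_barbican_custom_tag: ""` carries no comment saying what it is appended to or who is expected to set it, unlike the documented options around it; a line such as `# Optional suffix appended to the barbican API and worker image tags; read by hooks/playbooks/barbican-enable-luna.yml when building the Luna-enabled images` would make the contract visible. In roles/update_containers/templates/update_containers.j2 the suffix is applied to `barbicanAPIImage` and `barbicanWorkerImage` but not to `barbicanKeystoneListenerImage`; if that asymmetry is intentional (only the API and worker images are rebuilt), the comment should say so, otherwise the listener line needs the same `{{ cifmw_update_barbican_custom_tag }}` suffix.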
@@ -10,9 +10,9 @@ spec:
 aodhEvaluatorImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-aodh-evaluator:{{ cifmw_update_containers_tag }}
 aodhListenerImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-aodh-listener:{{ cifmw_update_containers_tag }}
 aodhNotifierImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-aodh-notifier:{{ cifmw_update_containers_tag }}
- barbicanAPIImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-barbican-api:{{ cifmw_update_containers_tag }}
+ barbicanAPIImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-barbican-api:{{ cifmw_update_containers_tag }}{{ cifmw_update_barbican_custom_tag }}
 barbicanKeystoneListenerImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-barbican-keystone-listener:{{ cifmw_update_containers_tag }}
- barbicanWorkerImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-barbican-worker:{{ cifmw_update_containers_tag }}
+ barbicanWorkerImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-barbican-worker:{{ cifmw_update_containers_tag }}{{ cifmw_update_barbican_custom_tag }}
 ceilometerCentralImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-ceilometer-central:{{ cifmw_update_containers_tag }}
 ceilometerComputeImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-ceilometer-compute:{{ cifmw_update_containers_tag }}
 ceilometerIpmiImage: {{ cifmw_update_containers_registry }}/{{ cifmw_update_containers_org }}/openstack-ceilometer-ipmi:{{ cifmw_update_containers_tag }}