Use the new Devstack external plugin method

This makes usage of barbican in devstack significantly more straight
forward. No more pre-cloning and moving files around.

Change-Id: I0ec63819b3aae21a6ffaed5cf8285e26dce6ae94

devstack/README.md

@@ -0,0 +1,21 @@
+This directory contains the Barbican DevStack plugin.
+
+To configure Barbican with DevStack, you will need to enable this plugin and
+the Barbican service by adding one line to the [[local|localrc]] section of
+your local.conf file.
+
+To enable the plugin, add a line of the form:
+
+    enable_plugin barbican <GITURL> [GITREF]
+
+where
+
+    <GITURL> is the URL of a Barbican repository
+    [GITREF] is an optional git ref (branch/ref/tag).  The default is master.
+
+For example
+
+    enable_plugin barbican https://git.openstack.org/openstack/barbican stable/liberty
+
+For more information, see the "Externally Hosted Plugins" section of
+http://docs.openstack.org/developer/devstack/plugins.html

devstack/gate_hook.sh

@@ -12,11 +12,9 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-# This script is executed inside pre_test_hook function in devstack gate.
+set -ex
 
 # Install barbican devstack integration
-BARBICAN_BASE=/opt/stack/new/barbican/contrib/devstack
+export DEVSTACK_LOCAL_CONFIG="enable_plugin barbican https://review.openstack.org/openstack/barbican refs/changes/85/167885/25"
-DEVSTACK_BASE=/opt/stack/new/devstack
 
-cp $BARBICAN_BASE/lib/* $DEVSTACK_BASE/lib
+$BASE/new/devstack-gate/devstack-vm-gate.sh
-cp $BARBICAN_BASE/extras.d/* $DEVSTACK_BASE/extras.d

devstack/lib/barbican

@@ -0,0 +1,494 @@
+#!/usr/bin/env bash
+
+# Install and start **Barbican** service
+
+# To enable a minimal set of Barbican features, add the following to localrc:
+#   enable_service barbican-svc barbican-retry
+#
+# Dependencies:
+# - functions
+# - OS_AUTH_URL for auth in api
+# - DEST set to the destination directory
+# - SERVICE_PASSWORD, SERVICE_TENANT_NAME for auth in api
+# - STACK_USER service user
+
+# stack.sh
+# ---------
+# install_barbican
+# configure_barbican
+# init_barbican
+# start_barbican
+# stop_barbican
+# cleanup_barbican
+
+# Save trace setting
+XTRACE=$(set +o | grep xtrace)
+set +o xtrace
+
+
+# Functions
+# ---------
+
+# TODO(john-wood-w) These 'magic' functions are called by devstack to enable
+# a given service (so the name between 'is_' and '_enabled'). Currently the
+# Zuul infra gate configuration (at https://github.com/openstack-infra/project-config/blob/master/jenkins/jobs/barbican.yaml)
+# only enables the 'barbican' service. So the two functions below, for the two
+# services we wish to run, have to key off of that lone 'barbican' selection.
+# Once the Zuul config is updated to add these two services properly, then
+# these functions should be replaced by the single method below.
+# !!!! Special thanks to rm_work for figuring this out !!!!
+function is_barbican-retry_enabled {
+    [[ ,${ENABLED_SERVICES} =~ ,"barbican" ]] && return 0
+}
+
+function is_barbican-svc_enabled {
+    [[ ,${ENABLED_SERVICES} =~ ,"barbican" ]] && return 0
+}
+
+# TODO(john-wood-w) Replace the above two functions with the one below once
+# Zuul is update per above.
+## Test if any Barbican services are enabled
+## is_barbican_enabled
+#function is_barbican_enabled {
+#    [[ ,${ENABLED_SERVICES} =~ ,"barbican-" ]] && return 0
+#    return 1
+#}
+
+# cleanup_barbican - Remove residual data files, anything left over from previous
+# runs that a clean run would need to clean up
+function cleanup_barbican {
+    :
+}
+
+# configure_barbicanclient - Set config files, create data dirs, etc
+function configure_barbicanclient {
+    setup_develop $BARBICANCLIENT_DIR
+}
+
+# configure_dogtag_plugin - Change config to use dogtag plugin
+function configure_dogtag_plugin {
+    sudo openssl pkcs12 -in /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -passin pass:PASSWORD -out $BARBICAN_CONF_DIR/kra_admin_cert.pem -nodes
+    sudo chown $USER $BARBICAN_CONF_DIR/kra_admin_cert.pem
+    iniset $BARBICAN_CONF dogtag_plugin dogtag_port 8373
+    iniset $BARBICAN_CONF secretstore enabled_secretstore_plugins dogtag_crypto
+    iniset $BARBICAN_CONF certificate enabled_certificate_plugins dogtag
+}
+
+# configure_barbican - Set config files, create data dirs, etc
+function configure_barbican {
+    setup_develop $BARBICAN_DIR
+
+    [ ! -d $BARBICAN_CONF_DIR ] && sudo mkdir -m 755 -p $BARBICAN_CONF_DIR
+    sudo chown $USER $BARBICAN_CONF_DIR
+
+    [ ! -d $BARBICAN_API_LOG_DIR ] &&  sudo mkdir -m 755 -p $BARBICAN_API_LOG_DIR
+    sudo chown $USER $BARBICAN_API_LOG_DIR
+
+    [ ! -d $BARBICAN_CONF_DIR ] && sudo mkdir -m 755 -p $BARBICAN_CONF_DIR
+    sudo chown $USER $BARBICAN_CONF_DIR
+
+    # Copy the barbican config files to the config dir
+    cp $BARBICAN_DIR/etc/barbican/barbican.conf $BARBICAN_CONF_DIR
+    cp $BARBICAN_DIR/etc/barbican/barbican-api-paste.ini $BARBICAN_CONF_DIR
+    cp -R $BARBICAN_DIR/etc/barbican/vassals $BARBICAN_CONF_DIR
+
+    # Copy functional test config
+    cp $BARBICAN_DIR/etc/barbican/barbican-functional.conf $BARBICAN_CONF_DIR
+
+    # Set the logging to INFO
+    iniset $BARBICAN_CONF DEFAULT verbose True
+
+    # Do not set to DEBUG
+    iniset $BARBICAN_CONF DEFAULT debug False
+
+    # Set the log file location
+    iniset $BARBICAN_CONF DEFAULT log_file "$BARBICAN_API_LOG_DIR/barbican.log"
+
+    # Format logging
+    if [ "$LOG_COLOR" == "True" ] && [ "$SYSLOG" == "False" ]; then
+        setup_colorized_logging $BARBICAN_CONF DEFAULT project user
+    fi
+
+    # Install the policy file for the API server
+    cp $BARBICAN_DIR/etc/barbican/policy.json $BARBICAN_CONF_DIR
+    iniset $BARBICAN_CONF DEFAULT policy_file $BARBICAN_CONF_DIR/policy.json
+
+    # Set the database connection url
+    iniset $BARBICAN_CONF DEFAULT sql_connection `database_connection_url barbican`
+
+    # Increase default request buffer size, keystone auth PKI tokens can be very long
+    iniset $BARBICAN_CONF_DIR/vassals/barbican-api.ini uwsgi buffer-size 65535
+
+    # Rabbit settings
+    if is_service_enabled rabbit; then
+        iniset $BARBICAN_CONF 'secrets' broker rabbit://guest:$RABBIT_PASSWORD@$RABBIT_HOST
+    else
+        echo_summary "Barbican requires that the RabbitMQ service is enabled"
+    fi
+
+    ## Set up keystone
+
+    # Turn on the middleware
+    iniset $BARBICAN_PASTE_CONF 'pipeline:barbican_api' pipeline 'keystone_authtoken context apiapp'
+
+    # Set the keystone parameters
+    iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' auth_protocol $KEYSTONE_AUTH_PROTOCOL
+    iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' auth_host $KEYSTONE_AUTH_HOST
+    iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' auth_port $KEYSTONE_AUTH_PORT
+    iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' admin_user barbican
+    iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' admin_password $SERVICE_PASSWORD
+    iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' admin_tenant_name $SERVICE_TENANT_NAME
+    iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' signing_dir $BARBICAN_AUTH_CACHE_DIR
+}
+
+# init_barbican - Initialize etc.
+function init_barbican {
+    # Create cache dir
+    sudo mkdir -p $BARBICAN_AUTH_CACHE_DIR
+    sudo chown $STACK_USER $BARBICAN_AUTH_CACHE_DIR
+    rm -f $BARBICAN_AUTH_CACHE_DIR/*
+
+    recreate_database barbican utf8
+}
+
+# install_barbican - Collect source and prepare
+function install_barbican {
+    # Install package requirements
+    if is_fedora; then
+        install_package sqlite-devel openldap-devel
+    fi
+    # TODO(ravips): We need this until barbican gets into devstack
+    ERROR_ON_CLONE=False
+    git_clone $BARBICAN_REPO $BARBICAN_DIR $BARBICAN_BRANCH
+    setup_develop $BARBICAN_DIR
+    pip_install 'uwsgi'
+}
+
+# install_barbicanclient - Collect source and prepare
+function install_barbicanclient {
+    # TODO(ravips): We need this until barbican gets into devstack
+    ERROR_ON_CLONE=False
+    git_clone $BARBICANCLIENT_REPO $BARBICANCLIENT_DIR $BARBICANCLIENT_BRANCH
+    setup_develop $BARBICANCLIENT_DIR
+}
+
+# start_barbican - Start running processes, including screen
+function start_barbican {
+    # Start the Barbican service up.
+    run_process barbican-svc "uwsgi --master --emperor $BARBICAN_CONF_DIR/vassals"
+
+    # Pause while the barbican-svc populates the database, otherwise the retry
+    # service below might try to do this at the same time, leading to race
+    # conditions.
+    sleep 10
+
+    # Start the retry scheduler server up.
+    run_process barbican-retry "$BARBICAN_BIN_DIR/barbican-retry --config-file=$BARBICAN_CONF_DIR/barbican-api.conf"
+}
+
+# stop_barbican - Stop running processes
+function stop_barbican {
+    # This will eventually be refactored to work like
+    # Solum and Manila (script to kick off a wsgiref server)
+    # For now, this will stop uWSGI rather than have it hang
+    killall -9 uwsgi
+
+    # This cleans up the PID file, but uses pkill so Barbican
+    # uWSGI emperor process doesn't actually stop
+    stop_process barbican-svc
+
+    stop_process barbican-retry
+}
+
+function get_id {
+    echo `"$@" | awk '/ id / { print $4 }'`
+}
+
+function create_barbican_accounts {
+    #
+    # Setup Default Admin User
+    #
+    SERVICE_TENANT=$(keystone tenant-list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
+    ADMIN_ROLE=$(keystone role-list | awk "/ admin / { print \$2 }")
+
+    BARBICAN_USER=$(keystone user-create --name=barbican \
+                                                --pass="$SERVICE_PASSWORD" \
+                                                --tenant-id $SERVICE_TENANT \
+                                                --email=barbican@example.com \
+                                                | grep " id " | get_field 2)
+    keystone user-role-add --tenant-id $SERVICE_TENANT \
+                            --user-id $BARBICAN_USER \
+                            --role-id $ADMIN_ROLE
+    #
+    # Setup Default service-admin User
+    #
+    SERVICE_ADMIN=$(get_id keystone user-create \
+        --name="service-admin" \
+        --pass="$SERVICE_PASSWORD" \
+        --email="service-admin@example.com")
+    SERVICE_ADMIN_ROLE=$(get_id keystone role-create \
+        --name="key-manager:service-admin")
+    keystone user-role-add \
+        --tenant_id="$SERVICE_TENANT" \
+        --user_id="$SERVICE_ADMIN" \
+        --role_id="$SERVICE_ADMIN_ROLE"
+    #
+    # Setup RBAC User Projects and Roles
+    #
+    PASSWORD="barbican"
+    PROJECT_A_ID=$(get_id keystone tenant-create \
+        --name="project_a")
+    PROJECT_B_ID=$(get_id keystone tenant-create \
+        --name="project_b")
+    ROLE_ADMIN_ID=$(get_id keystone role-get admin)
+    ROLE_CREATOR_ID=$(get_id keystone role-create \
+        --name="creator")
+    ROLE_OBSERVER_ID=$(get_id keystone role-create \
+        --name="observer")
+    ROLE_AUDIT_ID=$(get_id keystone role-create \
+        --name="audit")
+    #
+    # Setup RBAC Admin of Project A
+    #
+    USER_ID=$(get_id keystone user-create \
+        --name="project_a_admin" \
+        --pass="$PASSWORD" \
+        --email="admin_a@example.net")
+    keystone user-role-add \
+        --user="$USER_ID" \
+        --role="$ROLE_ADMIN_ID" \
+        --tenant-id="$PROJECT_A_ID"
+    #
+    # Setup RBAC Creator of Project A
+    #
+    USER_ID=$(get_id keystone user-create \
+        --name="project_a_creator" \
+        --pass="$PASSWORD" \
+        --email="creator_a@example.net")
+    keystone user-role-add \
+        --user="$USER_ID" \
+        --role="$ROLE_CREATOR_ID" \
+        --tenant-id="$PROJECT_A_ID"
+    #
+    # Setup RBAC Observer of Project A
+    #
+    USER_ID=$(get_id keystone user-create \
+        --name="project_a_observer" \
+        --pass="$PASSWORD" \
+        --email="observer_a@example.net")
+    keystone user-role-add \
+        --user="$USER_ID" \
+        --role="$ROLE_OBSERVER_ID" \
+        --tenant-id="$PROJECT_A_ID"
+    #
+    # Setup RBAC Auditor of Project A
+    #
+    USER_ID=$(get_id keystone user-create \
+        --name="project_a_auditor" \
+        --pass="$PASSWORD" \
+        --email="auditor_a@example.net")
+    keystone user-role-add \
+        --user="$USER_ID" \
+        --role="$ROLE_AUDIT_ID" \
+        --tenant-id="$PROJECT_A_ID"
+    #
+    # Setup RBAC Admin of Project B
+    #
+    USER_ID=$(get_id keystone user-create \
+        --name="project_b_admin" \
+        --pass="$PASSWORD" \
+        --email="admin_b@example.net")
+    keystone user-role-add \
+        --user="$USER_ID" \
+        --role="$ROLE_ADMIN_ID" \
+        --tenant-id="$PROJECT_B_ID"
+    #
+    # Setup RBAC Creator of Project B
+    #
+    USER_ID=$(get_id keystone user-create \
+        --name="project_b_creator" \
+        --pass="$PASSWORD" \
+        --email="creator_b@example.net")
+    keystone user-role-add \
+        --user="$USER_ID" \
+        --role="$ROLE_CREATOR_ID" \
+        --tenant-id="$PROJECT_B_ID"
+    #
+    # Setup RBAC Observer of Project B
+    #
+    USER_ID=$(get_id keystone user-create \
+        --name="project_b_observer" \
+        --pass="$PASSWORD" \
+        --email="observer_b@example.net")
+    keystone user-role-add \
+        --user="$USER_ID" \
+        --role="$ROLE_OBSERVER_ID" \
+        --tenant-id="$PROJECT_B_ID"
+    #
+    # Setup RBAC auditor of Project B
+    #
+    USER_ID=$(get_id keystone user-create \
+        --name="project_b_auditor" \
+        --pass="$PASSWORD" \
+        --email="auditor_b@example.net")
+    keystone user-role-add \
+        --user="$USER_ID" \
+        --role="$ROLE_AUDIT_ID" \
+        --tenant-id="$PROJECT_B_ID"
+    #
+    # Setup Admin Endpoint
+    #
+    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
+        BARBICAN_SERVICE=$(keystone service-create \
+            --name=barbican \
+            --type='key-manager' \
+            --description="Barbican Service" \
+            | grep " id " | get_field 2)
+        keystone endpoint-create \
+            --region RegionOne \
+            --service_id $BARBICAN_SERVICE \
+            --publicurl "http://$SERVICE_HOST:9311" \
+            --internalurl "http://$SERVICE_HOST:9311"
+    fi
+
+}
+
+# Dogtag functions
+# ----------------
+
+function install_389_directory_server {
+    # Make sure that 127.0.0.1 resolves to localhost.localdomain (fqdn)
+    sudo sed -i 's/127.0.0.1[ \t]*localhost localhost.localdomain/127.0.0.1\tlocalhost.localdomain localhost/' /etc/hosts
+
+    install_package 389-ds-base
+    sudo mkdir -p /etc/389-ds
+
+    # Instead of spawning a sub-shell to cat this whole chunk into the desired
+    # file. I just cat it into a temporary file that this user will have access
+    # to, and subsequently use elevated privileges to move the already made
+    # file where we need it to be.
+    cat > .tmp.setup.inf <<EOF
+[General]
+FullMachineName= localhost.localdomain
+SuiteSpotUserID= nobody
+SuiteSpotGroup= nobody
+
+[slapd]
+ServerPort= 389
+ServerIdentifier= pki-tomcat
+Suffix= dc=example,dc=com
+RootDN= cn=Directory Manager
+RootDNPwd= PASSWORD
+EOF
+
+    sudo mv .tmp.setup.inf /etc/389-ds/setup.inf
+
+    sudo setup-ds.pl --silent --file=/etc/389-ds/setup.inf
+}
+
+function install_dogtag_ca {
+    install_package pki-ca
+    sudo mkdir -p /etc/dogtag
+
+    cat > .tmp.ca.cfg <<EOF
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=PASSWORD
+pki_admin_uid=caadmin
+pki_backup_password=PASSWORD
+pki_client_database_password=PASSWORD
+pki_client_database_purge=False
+pki_client_pkcs12_password=PASSWORD
+pki_clone_pkcs12_password=PASSWORD
+pki_ds_base_dn=dc=ca,dc=example,dc=com
+pki_ds_database=ca
+pki_ds_password=PASSWORD
+pki_hostname=localhost
+pki_security_domain_name=EXAMPLE
+pki_token_password=PASSWORD
+pki_https_port=8373
+pki_http_port=8370
+pki_ajp_port=8379
+pki_tomcat_server_port=8375
+EOF
+
+    sudo mv .tmp.ca.cfg /etc/dogtag/ca.cfg
+
+    sudo pkispawn -v -f /etc/dogtag/ca.cfg -s CA
+}
+
+function wait_for_ca {
+    while true; do
+        # If the sleep command is executed "as-is", the subprocess that it
+        # executes will trigger the "exit_trap" and will cause this script to
+        # fail. To avoid this, we run the sleep command inside this sub-shell,
+        # so the signal will not be caught in this process.
+        ca_running=$(sleep 2 && curl -s -k https://localhost:8373/ca/admin/ca/getStatus | grep -c running)
+        if [[ $ca_running == 1 ]]; then
+            break
+        fi
+    done
+}
+
+function install_dogtag_kra {
+    install_package pki-kra
+    sudo mkdir -p /etc/dogtag
+
+    # Even though we are using localhost.localdomain, the server certificate by
+    # default will get the real host name for the server. So we need to
+    # properly configure the KRA to try to communicate with the real host name
+    # instead of the localhost.
+    cat > .tmp.kra.cfg <<EOF
+[KRA]
+pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert
+pki_admin_email=kraadmin@example.com
+pki_admin_name=kraadmin
+pki_admin_nickname=kraadmin
+pki_admin_password=PASSWORD
+pki_admin_uid=kraadmin
+pki_backup_password=PASSWORD
+pki_client_database_password=PASSWORD
+pki_client_database_purge=False
+pki_client_pkcs12_password=PASSWORD
+pki_clone_pkcs12_password=PASSWORD
+pki_ds_base_dn=dc=kra,dc=example,dc=com
+pki_ds_database=kra
+pki_ds_password=PASSWORD
+pki_hostname=localhost
+pki_security_domain_name=EXAMPLE
+pki_security_domain_user=caadmin
+pki_security_domain_password=PASSWORD
+pki_token_password=PASSWORD
+pki_https_port=8373
+pki_http_port=8370
+pki_ajp_port=8379
+pki_tomcat_server_port=8375
+pki_security_domain_hostname=localhost
+pki_security_domain_https_port=8373
+EOF
+
+    sudo mv .tmp.kra.cfg /etc/dogtag/kra.cfg
+
+    sudo pkispawn -v -f /etc/dogtag/kra.cfg -s KRA
+}
+
+function install_dogtag_plugin_dependencies {
+    install_package nss-devel
+    pip_install 'python-nss'
+}
+
+function install_dogtag_components {
+    install_dogtag_plugin_dependencies
+    install_389_directory_server
+    install_dogtag_ca
+    wait_for_ca
+    install_dogtag_kra
+}
+
+
+# Restore xtrace
+$XTRACE
+
+

devstack/local.conf.example

@@ -0,0 +1,15 @@
+[[local|localrc]]
+disable_all_services
+
+enable_plugin barbican https://git.openstack.org/openstack/barbican stable/liberty
+enable_service rabbit mysql key
+
+# This is to keep the token small for testing
+KEYSTONE_TOKEN_FORMAT=UUID
+
+# Modify passwords as needed
+DATABASE_PASSWORD=secretdatabase
+RABBIT_PASSWORD=secretrabbit
+ADMIN_PASSWORD=secretadmin
+SERVICE_PASSWORD=secretservice
+SERVICE_TOKEN=111222333444

devstack/plugin.sh

@@ -0,0 +1,42 @@
+# check for service enabled
+if is_service_enabled barbican; then
+    if [[ "$1" == "source" || "`type -t install_barbican`" != 'function' ]]; then
+        # Initial source
+        source $BARBICAN_DIR/devstack/lib/barbican
+    fi
+
+    if [[ "$1" == "stack" && "$2" == "install" ]]; then
+        echo_summary "Installing Barbican"
+        install_barbican
+        install_barbicanclient
+        if is_service_enabled barbican-dogtag; then
+            echo_summary "Installing Dogtag"
+            install_dogtag_components
+        fi
+    elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
+        echo_summary "Configuring Barbican"
+        configure_barbican
+        if is_service_enabled barbican-dogtag; then
+            echo_summary "Configuring Dogtag plugin"
+            configure_dogtag_plugin
+        fi
+        configure_barbicanclient
+
+        if is_service_enabled key; then
+            create_barbican_accounts
+        fi
+    elif [[ "$1" == "stack" && "$2" == "extra" ]]; then
+        echo_summary "Initializing Barbican"
+        init_barbican
+        start_barbican
+    fi
+
+    if [[ "$1" == "unstack" ]]; then
+        stop_barbican
+    fi
+
+    if [[ "$1" == "clean" ]]; then
+        cleanup_barbican
+    fi
+fi
+

devstack/settings

@@ -0,0 +1,27 @@
+# Defaults
+# --------
+
+# Set up default directories
+BARBICAN_DIR=$DEST/barbican
+BARBICANCLIENT_DIR=$DEST/python-barbicanclient
+BARBICAN_CONF_DIR=${BARBICAN_CONF_DIR:-/etc/barbican}
+BARBICAN_CONF=$BARBICAN_CONF_DIR/barbican.conf
+BARBICAN_PASTE_CONF=$BARBICAN_CONF_DIR/barbican-api-paste.ini
+BARBICAN_API_LOG_DIR=$DEST/logs
+BARBICAN_AUTH_CACHE_DIR=${BARBICAN_AUTH_CACHE_DIR:-/var/cache/barbican}
+
+# Support potential entry-points console scripts
+BARBICAN_BIN_DIR=$(get_python_exec_prefix)
+
+# Set Barbican repository
+BARBICAN_REPO=${BARBICAN_REPO:-${GIT_BASE}/openstack/barbican.git}
+BARBICAN_BRANCH=${BARBICAN_BRANCH:-master}
+
+# Set client library repository
+BARBICANCLIENT_REPO=${BARBICANCLIENT_REPO:-${GIT_BASE}/openstack/python-barbicanclient.git}
+BARBICANCLIENT_BRANCH=${BARBICANCLIENT_BRANCH:-master}
+
+# Tell Tempest this project is present
+TEMPEST_SERVICES+=,barbican
+
+enable_service barbican