diff --git a/docker/docker-puppet.py b/docker/docker-puppet.py
index c7856ff898..c35189dc39 100755
--- a/docker/docker-puppet.py
+++ b/docker/docker-puppet.py
@@ -253,18 +253,15 @@ with open(sh_script, 'w') as script_file:
         # they need the old password to achieve that.
         # For those services, we update the config hash to notify
         # paunch that a restart is needed, but we do not update the
-        # password file in docker-puppet and let the service
-        # regenerate it instead.
-        action=$(hiera -c /etc/puppet/hiera.yaml stack_action)
-        if [ "x$action" = "xUPDATE" ];then
-            password_files="/root/.my.cnf"
-        else
-            password_files=""
-        fi
+        # password file in docker-puppet if the file already existed
+        # before and let the service regenerate it instead.
+        password_files="/root/.my.cnf"
 
         exclude_files=""
         for p in $password_files; do
-            exclude_files+=" --exclude=$p"
+            if [ -f "$p" -a -f "/var/lib/config-data/${NAME}$p" ]; then
+                exclude_files+=" --exclude=$p"
+            fi
         done
         rsync -a -R --delay-updates --delete-after $exclude_files $rsync_srcs /var/lib/config-data/${NAME}
 
@@ -282,14 +279,16 @@ with open(sh_script, 'w') as script_file:
         # note: while being excluded from the output, password files
         # are still included in checksum computation
         additional_checksum_files=""
+        excluded_original_passwords=""
         for p in $password_files; do
             if [ -f "$p" ]; then
                 additional_checksum_files+=" $p"
+                excluded_original_passwords+=" --exclude=/var/lib/config-data/*${p}"
             fi
         done
         # We need to exclude the swift rings and their backup as those change over time and
         # containers do not need to restart if they change
-        EXCLUDE=--exclude='*/etc/swift/backups/*'\ --exclude='*/etc/swift/*.ring.gz'\ --exclude='*/etc/swift/*.builder'\ --exclude='*/etc/libvirt/passwd.db'
+        EXCLUDE=--exclude='*/etc/swift/backups/*'\ --exclude='*/etc/swift/*.ring.gz'\ --exclude='*/etc/swift/*.builder'\ --exclude='*/etc/libvirt/passwd.db'\ ${excluded_original_passwords}
         # We need to repipe the tar command through 'tar xO' to force text
         # output because otherwise the sed command cannot work. The sed is
         # needed because puppet puts timestamps as comments in cron and