diff --git a/manifests/compute/rbd.pp b/manifests/compute/rbd.pp
index 0d03f0cc7..c5d1301ab 100644
--- a/manifests/compute/rbd.pp
+++ b/manifests/compute/rbd.pp
@@ -81,6 +81,16 @@ class nova::compute::rbd (
require => Class['::nova']
}
+ # whenever `rbd_keyring` value changed,
+ # undefine the old secret and remove the file lock (/etc/nova/virsh.secret),
+ # then recreate secret with the new `rbd_keyring`,
+ # if there's no value change, leave it untouched.
+ exec { 'undefine-if-value-not-match virsh secret':
+ path => ['/bin', '/usr/bin'],
+ command => "virsh secret-undefine --secret ${libvirt_rbd_secret_uuid} && rm -f /etc/nova/virsh.secret",
+ onlyif => "virsh secret-dumpxml --secret ${libvirt_rbd_secret_uuid} 2>/dev/null | grep -q -v -w \"${rbd_keyring}\"",
+ require => File['/etc/nova/secret.xml']
+ } ->
exec { 'get-or-set virsh secret':
command => '/usr/bin/virsh secret-define --file /etc/nova/secret.xml | /usr/bin/awk \'{print $2}\' | sed \'/^$/d\' > /etc/nova/virsh.secret',
creates => '/etc/nova/virsh.secret',
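Review bot: The `onlyif` guard on `undefine-if-value-not-match virsh secret` looks like it fires on every run while the secret is defined, not only when `rbd_keyring` changes. `grep -q -v -w` exits 0 as soon as any one input line lacks the pattern, and `virsh secret-dumpxml` prints multi-line XML in which most lines do not contain the keyring name. That would undefine and redefine the libvirt secret on each Puppet run, which is not idempotent and may leave a window in which libvirt has no Ceph key (the step that sets the secret value is outside the hunk, so this part is inferred). Consider a positive fixed-string match: keep an `onlyif` that only checks that the secret exists and add `unless => "virsh secret-dumpxml --secret ${libvirt_rbd_secret_uuid} 2>/dev/null | grep -q -F -w -- \"${rbd_keyring}\""`, where `-F` also stops the `.` in a name such as `client.rbd_test` from acting as a regex wildcard. Both variables are interpolated into a shell line, so validating them where the class parameters are declared (outside this hunk) would be a useful addition.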
diff --git a/spec/classes/nova_compute_rbd_spec.rb b/spec/classes/nova_compute_rbd_spec.rb
index d98ee8cc1..3d4d918f5 100644
--- a/spec/classes/nova_compute_rbd_spec.rb
+++ b/spec/classes/nova_compute_rbd_spec.rb
@@ -80,6 +80,12 @@ describe 'nova::compute::rbd' do
" UUID",
""
])
+ is_expected.to contain_exec('undefine-if-value-not-match virsh secret').with(
+ :path => '["/bin", "/usr/bin"]',
+ :command => 'virsh secret-undefine --secret UUID && rm -f /etc/nova/virsh.secret',
+ :onlyif => 'virsh secret-dumpxml --secret UUID 2>/dev/null | grep -q -v -w "client.rbd_test"',
+ :require => 'File[/etc/nova/secret.xml]'
+ )
is_expected.to contain_exec('get-or-set virsh secret').with(
:command => '/usr/bin/virsh secret-define --file /etc/nova/secret.xml | /usr/bin/awk \'{print $2}\' | sed \'/^$/d\' > /etc/nova/virsh.secret',
:creates => '/etc/nova/virsh.secret',
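Review bot: The new `contain_exec('undefine-if-value-not-match virsh secret')` expectation gives `:path` as the string `'["/bin", "/usr/bin"]'`, which appears to pass only because the parameter is compared in stringified form. Passing the array itself, `:path => ['/bin', '/usr/bin']`, states the intent and does not depend on how the array is rendered. The same six-line expectation is repeated verbatim in the next hunk (new-side line 137 onward), so a shared example or a `let` holding the expected parameters would keep the two contexts from drifting apart. These specs pin the command strings only, so they cannot show whether the `onlyif` guard triggers on a changed keyring and stays quiet otherwise; a short comment saying so would help the next reader. The enclosing `it` block begins and ends outside the hunk.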
@@ -131,6 +137,12 @@ describe 'nova::compute::rbd' do
" UUID",
""
])
+ is_expected.to contain_exec('undefine-if-value-not-match virsh secret').with(
+ :path => '["/bin", "/usr/bin"]',
+ :command => 'virsh secret-undefine --secret UUID && rm -f /etc/nova/virsh.secret',
+ :onlyif => 'virsh secret-dumpxml --secret UUID 2>/dev/null | grep -q -v -w "client.rbd_test"',
+ :require => 'File[/etc/nova/secret.xml]'
+ )
is_expected.to contain_exec('get-or-set virsh secret').with(
:command => '/usr/bin/virsh secret-define --file /etc/nova/secret.xml | /usr/bin/awk \'{print $2}\' | sed \'/^$/d\' > /etc/nova/virsh.secret',
:creates => '/etc/nova/virsh.secret',