@alanivey
Created February 4, 2013 21:24
Chef MySQL Server use encrypted data bag for passwords
diff --git a/cookbooks/mysql/recipes/server.rb b/cookbooks/mysql/recipes/server.rb
index 8229adc..0caf44e 100644
--- a/cookbooks/mysql/recipes/server.rb
+++ b/cookbooks/mysql/recipes/server.rb
@@ -35,10 +35,21 @@ if Chef::Config[:solo]
].join(' '))
end
else
- # generate all passwords
- node.set_unless['mysql']['server_debian_password'] = secure_password
- node.set_unless['mysql']['server_root_password'] = secure_password
- node.set_unless['mysql']['server_repl_password'] = secure_password
+ # Passwords from the mysql-passwords data bag, data bag item is hostname (from ohai, not hostname -s)
+ mysql_creds_found = search(:mysql, "id:" + node[:hostname]).first
+ unless mysql_creds_found.nil? || mysql_creds_found.empty?
+ mysql_creds = Chef::EncryptedDataBagItem.load("mysql", node[:hostname])
+ node.normal['mysql']['server_root_password'] = mysql_creds['server_root_password']
+ node.normal['mysql']['server_repl_password'] = mysql_creds['server_repl_password']
+ node.normal['mysql']['server_debian_password'] = mysql_creds['server_debian_password']
+ Chef::Log.info("MySQL passwords loaded from encrypted data bag. See " + node['mysql']['grants_path'] + ".")
+ else
+ # generate all passwords
+ node.set_unless['mysql']['server_debian_password'] = secure_password
+ node.set_unless['mysql']['server_root_password'] = secure_password
+ node.set_unless['mysql']['server_repl_password'] = secure_password
+ Chef::Log.info("MySQL passwords not from encrypted data bag. See " + node['mysql']['grants_path'] + ".")
+ end
node.save
end
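Review bot: The decrypted values are assigned to node.normal['mysql'][...] in the new branch and then persisted by the unchanged node.save below it, so the root, replication and debian passwords end up stored in clear text on the node object and the encryption of the data bag item protects them only at rest in the bag. If the rest of the recipe can take them from somewhere else, keep them in a local variable or node.run_state instead of a normal attribute; if it cannot, say so in the comment so readers do not assume the secrets stay encrypted. Two smaller points in the same branch: the comment names a "mysql-passwords" data bag while both search(:mysql, ...) and Chef::EncryptedDataBagItem.load("mysql", ...) use "mysql", and the else path silently falls back to secure_password when no item matches node[:hostname], which is only reported at info level; a warning would make a missing or misnamed item easier to spot.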