After you install the undercloud if you compare the transport_urls in the configurations vs the expected NotifyPassword from tripleo-undercloud-passwords.yaml, the wrong password is being used. Currently the messaging rpc password is being used for both transport urls rather than using a different password for the messaging transport url and the notification transport url.
[centos@undercloud ~]$ egrep '(Rpc|Notify)' tripleo-undercloud-passwords.yaml
NotifyPassword: SPvg7Jvgw4uiBO4PwEPtR4qsL
RpcPassword: X54BRAmHKD22sQpdtiMrr9P5T
[centos@undercloud ~]$
[centos@undercloud ~]$ sudo -i
[root@undercloud ~]# egrep '^transport_url' /var/lib/config-data/puppet-generated/*/etc/*/*.conf
/var/lib/config-data/puppet-generated/glance_api/etc/glance/glance-api.conf:transport_url=rabbit://guest:<email address hidden>:5672/?ssl=0
/var/lib/config-data/puppet-generated/glance_api/etc/glance/glance-api.conf:transport_url=rabbit://guest:<email address hidden>:5672/?ssl=0
/var/lib/config-data/puppet-generated/heat_api_cfn/etc/heat/heat.conf:transport_url=rabbit://guest:<email address hidden>:5672/?ssl=0
/var/lib/config-data/puppet-generated/heat_api_cfn/etc/heat/heat.conf:transport_url=rabbit://guest:<email address hidden>:5672/?ssl=0
/var/lib/config-data/puppet-generated/heat_api/etc/heat/heat.conf:transport_url=rabbit://guest:<email address hidden>:5672/?ssl=0
/var/lib/config-data/puppet-generated/heat_api/etc/heat/heat.conf:transport_url=rabbit://guest:<email address hidden>:5672/?ssl=0
/var/lib/config-data/puppet-generated/heat/etc/heat/heat.conf:transport_url=rabbit://guest:<email address hidden>:5672/?ssl=0
/var/lib/config-data/puppet-generated/heat/etc/heat/heat.conf:transport_url=rabbit://guest:<email address hidden>:5672/?ssl=0
/var/lib/config-data/puppet-generated/ironic_api/etc/ironic/ironic.conf:transport_url=rabbit://guest:<email address hidden>:5672/?ssl=0
/var/lib/config-data/puppet-generated/ironic/etc/ironic/ironic.conf:transport_url=rabbit://guest:<email address hidden>:5672/?ssl=0
/var/lib/config-data/puppet-generated/ironic_inspector/etc/ironic-inspector/inspector.conf:transport_url=fake://
/var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf:transport_url=rabbit://guest:<email address hidden>:5672/?ssl=0
/var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf:transport_url=rabbit://guest:<email address hidden>:5672/?ssl=0
/var/lib/config-data/puppet-generated/mistral/etc/mistral/mistral.conf:transport_url=rabbit://guest:<email address hidden>:5672/?ssl=0
/var/lib/config-data/puppet-generated/mistral/etc/mistral/mistral.conf:transport_url=rabbit://guest:<email address hidden>:5672/?ssl=0
/var/lib/config-data/puppet-generated/neutron/etc/neutron/neutron.conf:transport_url=rabbit://guest:<email address hidden>:5672/?ssl=0
/var/lib/config-data/puppet-generated/neutron/etc/neutron/neutron.conf:transport_url=rabbit://guest:<email address hidden>:5672/?ssl=0
/var/lib/config-data/puppet-generated/nova/etc/nova/nova.conf:transport_url=rabbit://guest:<email address hidden>:5672/?ssl=0
/var/lib/config-data/puppet-generated/nova/etc/nova/nova.conf:transport_url=rabbit://guest:<email address hidden>:5672/?ssl=0
/var/lib/config-data/puppet-generated/nova_metadata/etc/nova/nova.conf:transport_url=rabbit://guest:<email address hidden>:5672/?ssl=0
/var/lib/config-data/puppet-generated/nova_metadata/etc/nova/nova.conf:transport_url=rabbit://guest:<email address hidden>:5672/?ssl=0
So it appears that the undercloud is correct as we historically have shared the rpc credentials with the notify connection. It appears that my reuse of the password has an incorrect split in a service configuration somewhere. The configuration in this bug seems to be the intended default.