All,
The installation creates ssh keys just for the stack user to login to the overcloud as described by Mohammed. This means that if you loose the undercloud, you loose any chance to login to your overcloud as well.
What I did was to create a new user in each overcloud node so you can login to these servers directly without having to tunnel ssh into the undercloud first.
Additionally, guard the undercloud with your life. That's why I went the VM route for the undercloud where I can create a snapshot and save it in a safe place.
The documentation talks about backing up the undercloud, but I haven't read in detail through that section yet.
IB
The documentation doesnt mention how to login to the overcloud nodes once provisioned.
it is
from the stack@undercloud node run ssh heat-admin@<overcloud_node_ip>
thanks