Details
When registering a Drydock host with Almanac, it is possible to reuse a key across multiple devices with the --allow-key-reuse flag. I am unclear on whether this is a good idea, however. That is, should I be creating a unique keypair for each Almanac device, or is it fine to reuse the same key?
Answers
I wouldn't recommend reusing the key across devices (and I think we'll probably remove that flag eventually).
What you can do is create a "virtual device" which has the key. For example, if you have repo001, repo002, etc., you could create a repo device, put the key on that, and then all your "physical devices" will just connect as that virtual device. This is a little odd and feels like it probably isn't the right long-term approach, but today there's no real distinction between which devices are connecting, so it's fine to just use one device as the list of authorized keys. We currently do this in the Phacility cluster -- all the daemons connect as daemons.phacility.net.
Once you hit a use case for distinguishing between tiers or devices (which might never happen), you can go split the key apart into separate keys per tier or separate keys per device.