Thanks Rob. It was this which suggested to me that the re-enrolment itself would result in new host keys being generated:
> A new certificate, ssh keys are generated, ipaUniqueID stays the same.
However, I've confirmed that actually it is simply cloud-init which is creating new keys on reimaging the instance; if you rewrite the host keys back to what they were before the reimage then re-enrol using ipa-client-install --keytab, the host's keys remain as they were.
Thanks for making me check my assumptions!
Steve