Comment 19 for bug 1834974

Nicolas Vinuesa (nvinuesa) wrote :

@deej after discussing with @jameinel, we have found a workaround to unblock you (and everyone else coming across this bug). The basic idea is to add the juju system public key, which is missing on any machine that you create, thus not allowing the controller to update the iptables and open the ports you need.

These are the steps:
1) Retrieve the fingerprint corresponding to the juju system key (located on the controller machine's authorized keys). It should be commented with `Juju:juju-system-key`:
$ juju ssh -m controller 0
ubuntu@juju-165b85-0:~$ cat ~/.ssh/authorized_keys
ssh-rsa aaa Juju:juju-client-key
ssh-ed25519 bbb Juju:nicolas@home
ssh-rsa ccc Juju:juju-system-key

(in this case copy the last line, containing the comment `Juju:juju-system-key`)
If you are on HA repeat this process for all controller machines and copy all of the corresponding keys.

2) Add this (these if you are on HA) key(s) to your model:
$ juju add-ssh-key "ssh-rsa ccc Juju:juju-system-key"

Now you should be able to open ports.

If you want a separate scenario, you can try:
$ juju bootstrap OCI-Cloud c
$ juju add-model m
{steps 1 and 2}
$ juju deploy ubuntu -n 2
$ juju deploy 'juju-qa-network-health'
$ juju expose network-health
$ juju add-relation ubuntu network-health
$ juju run --unit ubuntu/0 curl <public IP of machine 1>:8039

The last step of this scenario should return `pass`.
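
The filtering in step 1 can be scripted so that only keys labelled `Juju:juju-system-key` are passed on to step 2. This is an added example, not part of the original comment or of Juju itself; the function names and the sample key lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads authorized_keys text on stdin and prints one
# "type blob comment" line per distinct key whose comment is exactly
# Juju:juju-system-key. Any options prefix is dropped from the output.
extract_system_keys() {
    awk '
        { sub(/\r$/, "") }                  # tolerate CRLF from a terminal capture
        NF == 0 || $1 ~ /^#/ { next }       # skip blank and commented-out lines
        {
            t = 0                           # index of the key-type field
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-)/) { t = i; break }
            if (t == 0 || t + 2 > NF) next  # need type, blob and a comment
            comment = $(t + 2)
            for (i = t + 3; i <= NF; i++) comment = comment " " $i
            if (comment != "Juju:juju-system-key") next
            if (seen[$(t + 1)]++) next      # HA: same key seen on another controller
            print $t, $(t + 1), comment
        }'
}

# Constructed sample: authorized_keys from two controllers, concatenated.
sample_authorized_keys() {
    cat <<'EOF'
ssh-rsa aaa Juju:juju-client-key
ssh-ed25519 bbb Juju:nicolas@home
ssh-rsa ccc Juju:juju-system-key
# ssh-rsa zzz Juju:juju-system-key
ssh-rsa ccc Juju:juju-system-key
ssh-rsa ddd Juju:juju-system-key
EOF
}

# Print (do not run) the step 2 command for each key found, for review.
print_add_commands() {
    extract_system_keys | while IFS= read -r key; do
        printf 'juju add-ssh-key "%s"\n' "$key"
    done
}

sample_authorized_keys | print_add_commands
```

Printing the commands instead of running them leaves a chance to confirm which keys are about to be granted SSH access to the model.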