#10293

## Description of change

Merge 2.5 into 2.6 bringing in #10288

#16394

This patch aims to fix https://bugs.launchpad.net/juju/+bug/1834974 where we cannot apply iptables rules on OCI.
This happens because on OCI (and Vsphere and Equinix) we use the `SshInstanceConfigurator` which applies iptables' rules via ssh, but on the units the authorized_keys file under /home/ubuntu/.ssh is not fully populated: the system identity public key is missing and therefore the controller machine cannot ssh onto it.

We fix this by adding this missing key to the model config at model creation.

## Checklist

*If an item is not applicable, use `~strikethrough~`.*

- [X] Code style: imports ordered, good names, simple structure, etc
- [X] Comments saying why design decisions were made
- [X] Go unit tests, with comments saying what you're testing
- [ ] ~[Integration tests](https://github.com/juju/juju/tree/main/tests), with comments saying what you're testing~
- [ ] ~[doc.go](https://discourse.charmhub.io/t/readme-in-packages/451) added or updated in changed packages~

## QA steps
Reproduce the QA steps from this PR #10288:

```
juju bootstrap --config compartment-id=ocid1.compartment.oc1..aaaaaaaanvu2racnlczevenu73dlcf3nokgsjpdkbdgp4xbrz3lb2y4giyjq oci-canonical c
juju deploy ubuntu -n 2
juju deploy 'juju-qa-network-health'
juju expose network-health
juju add-relation ubuntu network-health
juju run --unit ubuntu/0 curl <public IP of machine 1>:8039
```

The last command should `pass`:

```
juju run --unit ubuntu/0 curl <public IP of machine 1>:8039
pass % Total % Received % Xferd Average Speed Time Time Time Current
 Dload Upload Total Spent Left Speed
100 4 0 4 0 0 2000 0 --:--:-- --:--:-- --:--:-- 2000
```

also, if you ssh onto any created machine, you should see the correct authorized keys:

```
juju ssh 0
ubuntu@juju-6ddb09-0:~/.ssh$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2... Juju:juju-client-key
ssh-ed25519 AAAAC3NzaC... Juju:nicolas@thinkpad
ssh-rsa AAAAB3NzaC1yc2... Juju:juju-system-key
```

## Links

**Launchpad bug:** https://bugs.launchpad.net/juju/+bug/1834974

**Jira card:** JUJU-4678

#16795

Every Juju controller has generated for it a system ssh key that allows the controller itself to ssh into machines and containers. Predominantly this has been used for configuring machine based firewalls.

A fix was introduced as part of #16394 that took the juju-system-ssh key as part of the controllers model config and appended it to newly created model's authorised key.

The problems this introduces is that it special cases the controller model as a defaults source for models which is not the design Juju is attempting to achieve. It also means that during model migrations we are migrating the system ssh key of one controller to another potentially introducing a security bug into the model where the previous controller could still access machines of a migrated model.

With this PR we have made the bootstrap client instead generate the system ssh key and place it into the controller's config. In the API facades we now form a union of the two ssh key sources before returning them to the caller.

This work also allows for the continuation of moving model config over to Dqlite as now we don't have to special case the controllers model config in the design.

As part of this PR we have also updated some wording around model defaults at bootstrap time that was confusing and not correct.

Newly created instance configs will also get the controllers system ssh key.

## Checklist

- [x] Code style: imports ordered, good names, simple structure, etc
- [x] Comments saying why design decisions were made
- [x] Go unit tests, with comments saying what you're testing
- [x] [Integration tests](https://github.com/juju/juju/tree/main/tests), with comments saying what you're testing
- [x] [doc.go](https://discourse.charmhub.io/t/readme-in-packages/451) added or updated in changed packages

## QA steps

Reproduce the QA steps from this PR #10288:

```
juju bootstrap --config compartment-id=ocid1.compartment.oc1..aaaaaaaanvu2racnlczevenu73dlcf3nokgsjpdkbdgp4xbrz3lb2y4giyjq oci-canonical c
juju deploy ubuntu -n 2
juju deploy 'juju-qa-network-health'
juju expose network-health
juju add-relation ubuntu network-health
juju exec --unit ubuntu/0 curl <public IP of machine 1>:8039
```

The last command should `pass`:

```
juju run --unit ubuntu/0 curl <public IP of machine 1>:8039
pass % Total % Received % Xferd Average Speed Time Time Time Current
 Dload Upload Total Spent Left Speed
100 4 0 4 0 0 2000 0 --:--:-- --:--:-- --:--:-- 2000
```

also, if you ssh onto any created machine, you should see the correct authorized keys:

```
juju ssh 0
ubuntu@juju-6ddb09-0:~/.ssh$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2... Juju:juju-client-key
ssh-ed25519 AAAAC3NzaC... Juju:nicolas@thinkpad
ssh-rsa AAAAB3NzaC1yc2... Juju:juju-system-key
```

### Test 2
We also want to make sure that the system ssh key is not settable at bootstrap time.
Running: `juju bootstrap --config system-ssh-keys="..."` should result in ERROR "system-ssh-keys" is not a user configurable item. Please unset this and continue.

## Documentation changes

N/A

## Links

**Jira card:** JUJU-5094