Memcached's ufw config blocks public IP access to 11211

Bug #1796269 reported by Pedro Guimarães
This bug affects 1 person
Affects: memcached (Juju Charms Collection)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

When memcached is used on an OpenStack deployment, Designate and Memcached Charms might use other namespaces to communicate, which means that relation-get('private-address') won't be a valid IP for communication (e.g. private-address might be a PXE network on a MAAS deployment whereas public-address goes on the OpenStack internal network, which is the appropriate network for control traffic; or OpenStack-over-OpenStack, where Designate and Memcached should use FIPs to communicate).

Therefore, besides defining firewall rules that allow private-address on cache-relation-joined:

@hooks.hook('cache-relation-joined')
def cache_relation_joined():

    # advertise our network space bind address, if set, otherwise fall back to
    # the unit_get
    settings = {'host': get_relation_ip('cache'),
                'port': config('tcp-port'),
                'udp-port': config('udp-port')}

    for rid in relation_ids('cache'):
        relation_set(rid, **settings)

    addr = relation_get('private-address')
    if addr:
        log('Granting memcached access to {}'.format(addr), level='INFO')
        grant_access(addr)

There should be firewall rules that also allow public-address access; otherwise, on a deployment where memcached is using extra-binding to connect to Designate, Designate will fail with: https://pastebin.canonical.com/p/fTKRYxDytf/
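
One way to build the allow-list the report asks for, as an added example that is not the charm's code or part of the original report. The helper names `allowed_sources` and `ufw_rules` are hypothetical, the presence of a `public-address` key in relation data is an assumption taken from the report, and the sample relation data is constructed.

```python
import ipaddress

# Relation keys that may carry the remote unit's source address.
# Assumption: 'public-address' is published on the relation, as the report proposes.
ADDRESS_KEYS = ('private-address', 'ingress-address', 'public-address')
SUBNET_KEYS = ('egress-subnets',)


def allowed_sources(relation_data):
    """Return sorted, de-duplicated source networks that merit a firewall rule."""
    candidates = [relation_data.get(key) for key in ADDRESS_KEYS]
    for key in SUBNET_KEYS:
        candidates.extend((relation_data.get(key) or '').split(','))
    sources = set()
    for raw in candidates:
        raw = (raw or '').strip()
        if not raw:
            continue
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            continue  # hostname or garbage: never hand it to ufw unvalidated
        if net.prefixlen == 0:
            continue  # 0.0.0.0/0 or ::/0 would open memcached to every host
        sources.add(net)
    return sorted(sources, key=lambda n: (n.version, n))


def ufw_rules(relation_data, port=11211, protos=('tcp', 'udp')):
    """Build one `ufw allow` argv per validated source and protocol."""
    return [['ufw', 'allow', 'proto', proto, 'from', str(net),
             'to', 'any', 'port', str(port)]
            for net in allowed_sources(relation_data) for proto in protos]


# Constructed sample: a remote unit reachable on two different networks.
SAMPLE = {
    'private-address': '10.20.0.15',     # e.g. the PXE network
    'public-address': '192.168.50.15',   # e.g. the OpenStack internal network
    'ingress-address': '192.168.50.15',
    'egress-subnets': '192.168.50.15/32, 0.0.0.0/0',
}

if __name__ == '__main__':
    for argv in ufw_rules(SAMPLE):
        print(' '.join(argv))
```

Each rule stays scoped to a single validated source and the memcached port, so allowing the second address does not widen exposure of 11211 beyond the related unit.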

Nobuto Murata (nobuto) wrote:

What happens if you set a binding to the coordinator-memcached relation, like coordinator-memcached=internal-space?
