Release Notes



  • Update gm-jwt-security-gov server version to 1.1.2



Grey Matter v1.2 release candidates are now available. Artifacts can be found in the staging repositories:

NOTE: Release candidates are intended for early evaluation of feature sets. These versions are neither guaranteed to be stable nor guaranteed to have a seamless upgrade path to the final released versions.

Release Candidate server versions:


  • gm-proxy:1.4.2

  • gm-control:1.4.2

  • gm-control-api:1.4.4

  • gm-jwt-security:1.1.1

  • gm-jwt-security-gov:1.1.1

  • gm-cli:1.4.1


  • gm-dashboard:3.4.1

  • gm-slo:1.1.4

  • gm-catalog:1.0.7

Platform Services

  • gm-data:1.1.1

Release Notes


  • Allow setting Envoy HTTP filters

  • Allow setting Envoy Network filters

  • Allow setting Network and HTTP filters on Grey Matter Listener object

  • Allow setting all Envoy cluster load balancing policies (excepting deprecated options)

  • Control server now has a simple healthcheck endpoint

  • Sidecar environment variables now support tracing with Zipkin/Jaeger

  • Sidecar can now disable or restrict Sidecar admin endpoint

  • Sidecar filters now support per-route metadata and configurations

  • Sidecar environment variables can now set up Envoy Redis and TCP network filter static resources

  • New gm.oidc-authentication filter

  • New gm.oidc-validation filter

  • New gm.ensure-variables filter

  • New gm.jwt-security filter


  • Sidecar base Envoy build updated to 1.13.1

  • gm.inheaders filter will now return 403 if certificates are not present

  • Update trace defaults to v2 APIs

  • Data server will now error early if it can't write to the intended storage medium

  • Data server: improved documentation, CLI messages, and server logs


  • None


  • Control EDS resolution of instances now properly causes an update to be sent to the Sidecar

  • Change internal protocol selection to USE_DOWNSTREAM_PROTOCOL to fully support HTTP2

  • Control server no longer overwrites defined static resources for the data plane

  • Set better default health checks to prevent rejection by Envoy

  • Retry Policies can now be turned off by setting num_retries to 0

  • Listeners now properly always use the set IP rather than defaulting to

  • Fixed nil pointer reference in some configurations of listener

  • Allow not setting validation certs in Cluster SSLConfig and Domain SSLConfig

  • Sidecar Observables TLS and mTLS support now working properly

  • Sidecar Observables kafka connection logic now properly terminates

  • Sidecar Observables are now proper JSON when outputting to files

  • Sidecar filters no longer drop T and ST in USER_DN fields (PKI)

  • Removed frame when outputting observables to file that created invalid JSON

Known Issues

  • #3482 The Catalog API requires that the cluster name be unique if you have two services with the same name and version values. Failure to do so will lead to a mismatch in the Sense Dashboard and you will not see one of the services. If the versions are unique then you can use the same name value.

  • #761 The proxy requires a route to be configured on the domain/listener in order for observables to be enabled.