Release Notes

Artifacts

Grey Matter v1.2 artifacts are now available. Artifacts can be found in the staging repositories:

1.2.2

Server versions (if changed from 1.2.1):

Fabric

  • gm-proxy:1.4.5

Fixed

  • Fixed intermittent segfault when using websockets

1.2.1

Server versions (if changed from 1.2.0):

Fabric

  • gm-proxy:1.4.4

  • gm-jwt-security-gov:1.1.2

  • gm-cli:1.4.2

Sense

  • gm-dashboard:3.4.2

  • gm-slo:1.1.5

Changed

  • JWT-Security filter cache now respects token expiration and internally limits the max cache size

  • Sidecar now supports FIPS-compliant builds

  • Sidecar base build updated to Envoy 1.13.3

  • JWT Security Service (Gov) uses RFC3339 for logging

  • JWT Security Service (Gov) allows omitting JWT_AAC_SERVER_CN

  • greymatter CLI import-zone now works properly with the output of export-zone

  • greymatter deep delete and list summary format now work for all objects

  • Dashboard paginates routes on instance views and can disable routes tabs entirely

  • Dashboard misc bug fixes and browser support

  • SLO service binary no longer throws a segmentation fault on Alpine

1.2

Server versions:

Fabric

  • gm-proxy:1.4.2

  • gm-control:1.4.2

  • gm-control-api:1.4.4

  • gm-jwt-security:1.1.1

  • gm-jwt-security-gov:1.1.1

  • gm-cli:1.4.1

Sense

  • gm-dashboard:3.4.1

  • gm-slo:1.1.4

  • gm-catalog:1.0.7

Platform Services

  • gm-data:1.1.1

Release Notes

Added

  • Allow setting Envoy HTTP filters

  • Allow setting Envoy Network filters

  • Allow setting Network and HTTP filters on Grey Matter Listener object

  • Allow setting all Envoy cluster load balancing policies (excepting deprecated options)

  • Control server now has a simple healthcheck endpoint

  • Sidecar environment variables now support tracing with Zipkin/Jaeger

  • Sidecar can now disable or restrict Sidecar admin endpoint

  • Sidecar filters now support per-route metadata and configurations

  • Sidecar environment variables can now set up Envoy Redis and TCP network filter static resources

  • New gm.oidc-authentication filter

  • New gm.oidc-validation filter

  • New gm.ensure-variables filter

  • New gm.jwt-security filter

Changed

  • Sidecar base Envoy build updated to 1.13.1

  • gm.inheaders filter will now return 403 if certificates are not present

  • Update trace defaults to v2 APIs

  • Data server will now error early if it can't write to the intended storage medium

  • Data server: improved documentation, CLI messages, and server logs

Removed

  • None

Fixed

  • Control EDS resolution of instances now properly causes an update to be sent to the Sidecar

  • Change internal protocol selection to USE_DOWNSTREAM_PROTOCOL to fully support HTTP2

  • Control server no longer overwrites defined static resources for the data plane

  • Set better default health checks to prevent rejection by Envoy

  • Retry Policies can now be turned off by setting num_retries to 0

  • Listeners now always use the set IP rather than defaulting to 0.0.0.0

  • Fixed nil pointer reference in some configurations of listener

  • Allow not setting validation certs in Cluster SSLConfig and Domain SSLConfig

  • Sidecar Observables TLS and mTLS support now working properly

  • Sidecar Observables kafka connection logic now properly terminates

  • Sidecar Observables are now proper JSON when outputting to files

  • Sidecar filters no longer drop T and ST in USER_DN fields (PKI)

  • Removed frame when outputting observables to file that created invalid JSON

Known Issues

  • #3482 The Catalog API requires the cluster name to be unique when two services have the same name and version values. If it is not, the Sense Dashboard will show a mismatch and one of the services will not be displayed. If the versions are unique, the same name value can be used.

  • #761 The proxy requires a route to be configured on the domain/listener in order for observables to be enabled.