Hi all,
I am starting work on a new feature proposal for WildFly Elytron: native
PEM KeyStore support for Kubernetes TLS secrets.
The goal is to allow WildFly to consume Kubernetes-mounted TLS secret files
directly, usually tls.crt and tls.key, without requiring users to convert
them to JKS or PKCS12 before server startup.
The proposed approach is to add a read-only PEM KeyStoreSpi implementation
in Elytron and register it through the Elytron provider. This should allow
the existing Elytron TLS pipeline to continue using Java's standard
KeyStore, KeyManager, TrustManager, and SSLContext APIs.
The initial scope is focused on Kubernetes-style identity material:
- PEM parsing for X.509 certificate chains and private keys
- A read-only PEM KeyStore implementation
- Support for separate certificate and private key files
- Provider registration for the PEM keystore type
- Validation through KeyStore.getInstance("PEM")
- Tests for valid PEM files, malformed input, missing files, certificate
  chains, mismatched certificate/private key pairs, alias handling, and
  read-only KeyStore behaviour
- Integration validation with Elytron TLS configuration
- Documentation showing how to use Kubernetes TLS secret files directly with
  WildFly
Related tracking:
ELY issue:
https://redhat.atlassian.net/browse/ELY-3051
Feature Planning issue:
Analysis PR:
https://github.com/wildfly/wildfly-proposals/pull/836
This work is part of my GSoC 2026 project. I would appreciate feedback on
the proposed direction and volunteers to participate in the feature team,
especially for the SME and Outside Perspective roles.
Thanks,
Charlie
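As an added illustration of the approach described above (example code, not Elytron's and not part of the proposal itself): a hypothetical read-only KeyStoreSpi that parses a PEM certificate chain and a PKCS#8 private key, is registered as KeyStore type "PEM" through a small Provider, and loads a mounted secret's separate tls.crt and tls.key files as one stream. The class, provider and alias names, the "tls" alias, and the Java 11+ runtime are assumptions.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.*;
// Hypothetical sketch, not Elytron's code: a read-only KeyStoreSpi holding one PEM identity under the alias "tls".
public final class PemKeyStoreSpi extends KeyStoreSpi {
    private static final String ALIAS = "tls"; private PrivateKey key; private Certificate[] chain; private final Date created = new Date();
    private static final java.util.regex.Pattern BLOCK = java.util.regex.Pattern.compile("-----BEGIN ([A-Z ]+)-----([^-]+)-----END \\1-----");
    public static final class PemProvider extends Provider {  // registers type "PEM" via legacy put(); this Provider ctor needs Java 9+
        public PemProvider() { super("PemDemo", "1.0", "read-only PEM keystore"); put("KeyStore.PEM", PemKeyStoreSpi.class.getName()); }
    }
    public static KeyStore loadSecret(Path dir) throws IOException, GeneralSecurityException {  // tls.crt then tls.key as one PEM stream, no password
        KeyStore ks = KeyStore.getInstance("PEM", new PemProvider());
        try (InputStream crt = Files.newInputStream(dir.resolve("tls.crt")); InputStream k = Files.newInputStream(dir.resolve("tls.key"))) { ks.load(new SequenceInputStream(crt, k), null); }
        return ks;
    }
    @Override public void engineLoad(InputStream in, char[] ignoredPassword) throws IOException {
        String pem = in == null ? "" : new String(in.readAllBytes(), java.nio.charset.StandardCharsets.US_ASCII);
        List<Certificate> certs = new ArrayList<>(); byte[] keyDer = null;
        try { CertificateFactory cf = CertificateFactory.getInstance("X.509");
            for (java.util.regex.Matcher m = BLOCK.matcher(pem); m.find(); ) {
                byte[] der = Base64.getMimeDecoder().decode(m.group(2));
                if (m.group(1).equals("CERTIFICATE")) certs.add(cf.generateCertificate(new ByteArrayInputStream(der)));
                else if (m.group(1).equals("PRIVATE KEY")) keyDer = der;  // PKCS#8 only: a PKCS#1 "RSA PRIVATE KEY" block is rejected
                else throw new IOException("unsupported PEM block: " + m.group(1));
            }
            if (certs.isEmpty() || keyDer == null) throw new IOException("need a certificate chain and a private key");
            chain = certs.toArray(new Certificate[0]);
            // the leaf certificate's key algorithm (RSA or EC) selects the KeyFactory, so a key from another family fails here
            key = KeyFactory.getInstance(chain[0].getPublicKey().getAlgorithm()).generatePrivate(new PKCS8EncodedKeySpec(keyDer));
        } catch (GeneralSecurityException e) { throw new IOException("invalid PEM identity", e); }
    }
    private boolean has(String a) { return key != null && ALIAS.equals(a); }
    @Override public Key engineGetKey(String a, char[] pw) { return has(a) ? key : null; }
    @Override public Certificate[] engineGetCertificateChain(String a) { return has(a) ? chain.clone() : null; }
    @Override public Certificate engineGetCertificate(String a) { return has(a) ? chain[0] : null; }
    @Override public Date engineGetCreationDate(String a) { return has(a) ? created : null; }
    @Override public Enumeration<String> engineAliases() { return Collections.enumeration(has(ALIAS) ? List.of(ALIAS) : List.<String>of()); }
    @Override public boolean engineContainsAlias(String a) { return has(a); }
    @Override public int engineSize() { return has(ALIAS) ? 1 : 0; }
    @Override public boolean engineIsKeyEntry(String a) { return has(a); }
    @Override public boolean engineIsCertificateEntry(String a) { return false; }
    @Override public String engineGetCertificateAlias(Certificate c) { return has(ALIAS) && chain[0].equals(c) ? ALIAS : null; }
    @Override public void engineSetKeyEntry(String a, Key k, char[] pw, Certificate[] c) throws KeyStoreException { throw new KeyStoreException("read-only"); }  // read-only: mutation and store() refused
    @Override public void engineSetKeyEntry(String a, byte[] k, Certificate[] c) throws KeyStoreException { throw new KeyStoreException("read-only"); }
    @Override public void engineSetCertificateEntry(String a, Certificate c) throws KeyStoreException { throw new KeyStoreException("read-only"); }
    @Override public void engineDeleteEntry(String a) throws KeyStoreException { throw new KeyStoreException("read-only"); }
    @Override public void engineStore(OutputStream out, char[] pw) throws IOException { throw new IOException("read-only"); }
}
```

The resulting KeyStore can be handed to a standard KeyManagerFactory; a private key whose algorithm family differs from the leaf certificate's public key fails at load time, while a same-family key that does not belong to the certificate is only caught during the TLS handshake, so a signature-based pairing check would be the next thing to add.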