remove redundant writing public key to disk while generating key/pair using Kubernetes secret operation

[developer-guy]

Description

Do we really need to write public key to disk while generating key pair as Kubernetes Secret? Detail 👇 https://github.com/sigstore/cosign/blob/27d68e081567d193d051a330075d3b2acdc1de7e/pkg/cosign/kubernetes/secret.go#L87

All the details are available within the Secret, pub/private key pair, and the password, why are we still writing the public key to disk?

Should we remove this line because in the sign/verify flow for this situation we don’t need to store public key on disk because we can verify images by using Secret references like:

$ cosign verify k8s://mykey devopps/nginx:latest

Based on the Slack conversation: https://sigstore.slack.com/archives/C01PZKDL4DP/p1632956513249300

[hectorj2f]

In my opinion, this decision should be based on the expected user experience. If we remove this step, we should also do it for the KMS services because they also write the public key locally.

[developer-guy]

supported k8s:// protocol is not like the KMS service because we are responsible for creating key pairs by using the client-go package, so IMHO it'd be okay to separate the logic from other KMS services. WDYT @dlorenc?

[hectorj2f]

@developer-guy I see now, then I'd suggest to keep the same UX experience in both.