sigstore / policy-controller

Sigstore Policy Controller - an admission controller that can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from cosign


Missing support for keys generated and pushed automatically by cosign in Kubernetes

issue-submission opened this issue

Description
cosign allows generating a key pair and storing it as a Kubernetes Secret, as follows:
cosign generate-key-pair k8s://namespace/secretName (example taken from the official documentation)

But the policy controller expects only one data entry (the public key) in the Kubernetes Secret (clusterimagepolicy.go#L250).

The documentation of the Helm chart of the policy controller gives an example where the secret is created from the public key only:
kubectl create secret generic mysecret -n cosign-system --from-file=cosign.pub=./cosign.pub
(in Deploy policy-controller Helm Chart)

If cosign supports the creation of a key pair and its storage as a Kubernetes Secret, policy controller should also support it.

One approach would be to explicitly read the cosign.pub data entry from the Kubernetes Secret. Another possibility would be to specify the name of the data entry containing the public key in the ClusterImagePolicy with the use of an additional field.

Until then, updating the documentation of the policy controller to clarify the current state would help.

Version
0.5.2
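The two lookup behaviours the issue contrasts, as an added example that is not policy-controller's own code: `publicKeyFromSecret` keeps the current rule (exactly one data entry, or reject) when no key name is given, and selects the entry by name when one is, which is the second approach proposed above. The function names, the hypothetical key-name parameter, and the secret contents are assumptions; the data map mimics the layout `cosign generate-key-pair k8s://ns/name` writes (cosign.key, cosign.pub, cosign.password), with a real freshly generated ECDSA public key in cosign.pub and constructed placeholders in the other two entries. Whichever entry is selected must parse as a PEM PKIX public key, so pointing the field at cosign.key by mistake is refused rather than loaded.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"sort"
	"strings"
)

// publicKeyFromSecret picks the public-key entry out of a Secret's data map.
// key == "" reproduces the current policy-controller rule: exactly one entry.
// key != "" is the proposed behaviour: select the entry by name.
// The selected bytes must be a PEM "PUBLIC KEY" block holding a PKIX key.
func publicKeyFromSecret(data map[string][]byte, key string) ([]byte, error) {
	var raw []byte
	switch {
	case key != "":
		v, ok := data[key]
		if !ok {
			return nil, fmt.Errorf("secret has no data entry %q (has: %s)", key, entryNames(data))
		}
		raw = v
	case len(data) == 1:
		for _, v := range data {
			raw = v
		}
	default:
		return nil, fmt.Errorf("secret must contain exactly one data entry when no key is given, found %d (%s)",
			len(data), entryNames(data))
	}
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, fmt.Errorf("selected entry is not a PEM PUBLIC KEY block")
	}
	if _, err := x509.ParsePKIXPublicKey(block.Bytes); err != nil {
		return nil, fmt.Errorf("selected entry is not a PKIX public key: %w", err)
	}
	return raw, nil
}

// entryNames lists the data keys in a stable order for error messages.
func entryNames(data map[string][]byte) string {
	names := make([]string, 0, len(data))
	for k := range data {
		names = append(names, k)
	}
	sort.Strings(names)
	return strings.Join(names, ", ")
}

// cosignStyleSecret builds the three-entry layout cosign writes to a k8s://
// Secret. cosign.pub is a real P-256 public key; cosign.key and
// cosign.password are constructed placeholders (cosign stores an encrypted
// private key and its password there).
func cosignStyleSecret() (map[string][]byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	pub := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	return map[string][]byte{
		"cosign.key":      []byte("-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----\nconstructed placeholder\n-----END ENCRYPTED COSIGN PRIVATE KEY-----\n"),
		"cosign.pub":      pub,
		"cosign.password": []byte("constructed-placeholder"),
	}, nil
}

func main() {
	data, err := cosignStyleSecret()
	if err != nil {
		panic(err)
	}
	// Current rule: three entries and no key name is rejected.
	if _, err := publicKeyFromSecret(data, ""); err != nil {
		fmt.Println("no key name:", err)
	}
	// Proposed rule: naming cosign.pub selects the public key.
	if pub, err := publicKeyFromSecret(data, "cosign.pub"); err == nil {
		fmt.Printf("cosign.pub: %d bytes of PEM\n", len(pub))
	}
	// Naming the private-key entry is refused.
	if _, err := publicKeyFromSecret(data, "cosign.key"); err != nil {
		fmt.Println("cosign.key:", err)
	}
	// The public-key-only Secret from the Helm chart docs still works unnamed.
	only := map[string][]byte{"cosign.pub": data["cosign.pub"]}
	if _, err := publicKeyFromSecret(only, ""); err == nil {
		fmt.Println("single-entry secret: ok")
	}
}
```

The PKIX parse is the part worth keeping even if the field is added exactly as proposed: a key-name field lets an operator select any entry, and without the type check a ClusterImagePolicy could be pointed at cosign.key or cosign.password and fail later in verification with a less obvious error.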

Yeah, this is a bit unfortunate that it doesn't allow for the key. IMHO we should change it to support specifying the Key as well, just like the ConfigMapRef does. We used the v1.SecretReference, but I think if we're careful we could still maintain backward compatibility on the 'wire' (as in JSON/YAML) by switching the type to our own SecretRef that takes the key as well as the name of the Ref.
https://github.com/sigstore/policy-controller/blob/main/pkg/apis/policy/v1alpha1/clusterimagepolicy_types.go#L309