Certificate, Issuer, and ServiceAccount processors ignore -preserve-ns flag

[girdharshubham]

Bug

The -preserve-ns flag is supposed to preserve the original namespace in generated Helm templates, but several processors silently drop the namespace because they use hardcoded templates instead of the shared ProcessObjMeta helper.

Affected Processors

• pkg/processor/webhook/cert.go — Certificate
• pkg/processor/webhook/issuer.go — Issuer
• pkg/processor/rbac/serviceaccount.go — ServiceAccount

These processors build their metadata using inline format strings that never include a namespace field, regardless of the -preserve-ns flag.

All other processors (Deployment, DaemonSet, StatefulSet, ConfigMap, Secret, Service, Ingress, Role, RoleBinding, ClusterRoleBinding, Job, CronJob, PDB, PVC, and the default processor) use ProcessObjMeta which correctly respects -preserve-ns.

Reproduction

Given a Certificate with an explicit namespace:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-cert
  namespace: my-system
spec:
  dnsNames:
  - my-service.my-system.svc
  issuerRef:
    kind: Issuer
    name: my-issuer
  secretName: my-cert

Running:

cat cert.yaml | helmify -preserve-ns mychart

Expected: The generated template includes namespace: my-system in metadata.

Actual: The namespace is silently dropped from the generated template.

Suggested Fix

Refactor Certificate, Issuer, and ServiceAccount processors to use ProcessObjMeta for metadata generation instead of hardcoded templates. This would give them namespace, label, and annotation handling for free and ensure consistency with all other processors.

The cert-manager-specific behavior (helm hook annotations when -cert-manager-as-subchart is set, webhook conditional wrapping when -add-webhook-option is set) can be layered on after the ProcessObjMeta call via string manipulation on the returned metadata string.

[girdharshubham]

I'd like to work on this if the approach is acceptable. Happy to submit a PR.

[girdharshubham]

One more thing -- should Certificate and Issuer processors live under pkg/processor/webhook/? They handle general-purpose cert-manager resources that aren't specific to webhooks (e.g., TLS certs for ingress, mTLS between services). Would it make sense to move them to a separate pkg/processor/certmanager/ package as part of this refactor?

[girdharshubham]

Update: The fix also includes RoleBinding and ClusterRoleBinding processors, which unconditionally replaced subject namespaces with {{ .Release.Namespace }}. With -preserve-ns, the original subject namespace is now preserved.

Summary of all changes:

• Certificate — refactored to use ProcessObjMeta for metadata (namespace, labels, annotations handled consistently)
• Issuer — same refactor as Certificate; also fixed pre-existing bug where values was not passed to result (webhook.enabled was silently dropped)
• ServiceAccount — namespace injected via template placeholder when -preserve-ns is set
• RoleBinding / ClusterRoleBinding — subject namespace preserved instead of being replaced with {{ .Release.Namespace }}

PR: https://github.com/girdharshubham/helmify/tree/fix/preserve-ns-cert-issuer-sa