[rancher-tracing] Replace global.rbac.pspEnabled flag.

* Replace previous global.rbac.pspEnabled flag with global.cattle.psp.enabled.
* Add new flag to values.yaml.
* Include validation in validate-psp-install.yaml.

packages/rancher-istio/1.15/rancher-tracing/charts/templates/deployment.yaml

@@ -68,7 +68,7 @@ spec:
       affinity:
       {{- include "nodeAffinity" . | indent 6 }}
       {{- include "podAntiAffinity" . | indent 6 }}
-     {{- if .Values.global.rbac.pspEnabled }}
+     {{- if .Values.global.cattle.psp.enabled }}
       securityContext:
         runAsNonRoot: true
         runAsUser: 1000

packages/rancher-istio/1.15/rancher-tracing/charts/templates/psp.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.global.rbac.pspEnabled }}
+{{- if .Values.global.cattle.psp.enabled }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -9,7 +9,6 @@ metadata:
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
 ---
-{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -85,4 +84,3 @@ spec:
   - secret
   - persistentVolumeClaim
 {{- end }}
-{{- end }}

packages/rancher-istio/1.15/rancher-tracing/charts/templates/validate-psp-install.yaml

@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}

packages/rancher-istio/1.15/rancher-tracing/charts/values.yaml

@@ -14,6 +14,8 @@ fullnameOverride: ""
 global:
   cattle:
     systemDefaultRegistry: ""
+    psp:
+      enabled: false
   defaultResources: {}
   imagePullPolicy: IfNotPresent
   imagePullSecrets: []