kyverno-policy-rancher-webhook-ha unit is disabled during workload cluster upgrade

Summary

kyverno-policy-rancher-webhook-ha unit is installed on workload cluster during the initial deployment, but disabled on subsequent upgrades.

this is caused by the fact that is has

enabled_condition:
- `{{ tuple . "cluster-import" | include "unit-enabled" }}`

and cluster-import is a one-shot unit

related references

This issue was observed while working on !5613 (merged)