
Rework Docker file to apply best practices  #17

@gberche-orange

Description


Expected

See inspiration from

https://github.com/orange-cloudfoundry/paas-docker-cloudfoundry-tools/blob/30d5df749ff07e54719e79fc4acfaeb47e3b05cb/k8s-tools/Dockerfile#L14-L21

# renovate: datasource=github-releases depName=k14s/ytt
ENV YTT_VERSION "0.45.2"
ENV YTT_SUM c909d88845ce55430a91a1cf9db5e3f14ffa8ce53d6ecb42e7ff3acf56a2037f
ENV YTT_FILENAME ytt-linux-amd64
ADD https://github.com/k14s/ytt/releases/download/v${YTT_VERSION}/${YTT_FILENAME} .
RUN echo "Computed sha256sum: $(sha256sum ${YTT_FILENAME})" \
    && echo "${YTT_SUM} ${YTT_FILENAME}" | sha256sum -c - \
    && mv ${YTT_FILENAME} ytt

https://github.com/orange-cloudfoundry/paas-docker-cloudfoundry-tools/blob/30d5df749ff07e54719e79fc4acfaeb47e3b05cb/k8s-tools/Dockerfile#L3C3-L10

# we use libc6 instead of libc6-compat as we do not use alpine base image
ENV PACKAGES "unzip curl openssl ca-certificates git libc6 bash jq gettext"

# we also use apt-get as we use an Ubuntu image, not an Alpine
RUN apt-get update \
    && apt-get -y upgrade \
    && apt-get install -y --no-install-recommends ${PACKAGES} \
    && rm -rf /var/lib/apt/lists/*

https://github.com/orange-cloudfoundry/paas-docker-cloudfoundry-tools/blob/30d5df749ff07e54719e79fc4acfaeb47e3b05cb/k8s-tools/Dockerfile#L6-L10

https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#leverage-build-cache

Leverage build cache

When building an image, Docker steps through the instructions in your Dockerfile, executing each in the order specified. As each instruction is examined, Docker looks for an existing image in its cache, rather than creating a new, duplicate image.

For the ADD and COPY instructions, the contents of each file in the image are examined and a checksum is calculated for each file. The last-modified and last-accessed times of each file aren’t considered in these checksums. During the cache lookup, the checksum is compared against the checksum in the existing images. If anything has changed in any file, such as the contents and metadata, then the cache is invalidated.

Below is a well-formed RUN instruction that demonstrates all the apt-get recommendations.

RUN apt-get update && apt-get install -y \
    aufs-tools \
    automake \
    build-essential \
    curl \
    dpkg-sig \
    libcap-dev \
    libsqlite3-dev \
    mercurial \
    reprepro \
    ruby1.9.1 \
    ruby1.9.1-dev \
    s3cmd=1.1.* \
    && rm -rf /var/lib/apt/lists/*

The s3cmd argument specifies a version 1.1.*. If the image previously used an older version, specifying the new one causes a cache bust of apt-get update and ensures the installation of the new version. Listing packages on each line can also prevent mistakes in package duplication.

In addition, when you clean up the apt cache by removing /var/lib/apt/lists it reduces the image size, since the apt cache isn’t stored in a layer. Since the RUN statement starts with apt-get update, the package cache is always refreshed prior to apt-get install.

/CC @o-orand

Observed

echo "Installing ytt version ${YTT_VERSION}" ; \
curl -L "https://github.com/vmware-tanzu/carvel-ytt/releases/download/${YTT_VERSION}/ytt-linux-amd64" -o /usr/local/bin/ytt && \
chmod +rx /usr/local/bin/ytt && \

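The "download, verify against the pinned sha256, then move into place" step from the Expected section, as an added example that is not code from the issue, its author, or the paas-docker-cloudfoundry-tools repository. It assumes GNU coreutils sha256sum (as the Dockerfile snippet does), stands in a locally constructed file for the GitHub release download so it runs offline, and uses hypothetical function names (verify_pinned_artifact, install_pinned_artifact). It goes one step beyond the snippet by exercising the mismatch path as well as the success path.

```shell
#!/bin/sh
# Added example, not code from the issue or from the
# paas-docker-cloudfoundry-tools repository. Reproduces the
# download -> verify pinned sha256 -> mv step of the Expected Dockerfile as
# POSIX shell functions, so both outcomes can be seen on a constructed file.

# verify_pinned_artifact FILE EXPECTED_SUM
# Returns 0 when sha256(FILE) equals EXPECTED_SUM, 1 otherwise. This is the
# `echo "${SUM} ${FILE}" | sha256sum -c -` check from the Dockerfile; a
# non-zero status here is what makes the RUN instruction (and the build) fail.
verify_pinned_artifact() {
  file="$1"
  expected="$2"
  echo "Computed sha256sum: $(sha256sum "$file")"
  # Two spaces between digest and name is the format sha256sum itself emits.
  echo "${expected}  ${file}" | sha256sum -c - >/dev/null 2>&1
}

# install_pinned_artifact FILE EXPECTED_SUM DEST
# Moves FILE to DEST (and makes it executable) only after the digest matches.
# On mismatch the unverified file is deleted, so a tampered or wrong-version
# download can never be left lying around on the image.
install_pinned_artifact() {
  file="$1"
  expected="$2"
  dest="$3"
  if verify_pinned_artifact "$file" "$expected"; then
    mv "$file" "$dest" && chmod +rx "$dest"
  else
    echo "sha256 mismatch for ${file}; refusing to install" >&2
    rm -f "$file"
    return 1
  fi
}

# Constructed stand-in for the downloaded ytt binary (hypothetical content,
# created locally instead of fetched from a release URL).
WORKDIR=$(mktemp -d)
ARTIFACT="$WORKDIR/ytt-linux-amd64"
printf 'constructed placeholder for a release binary\n' > "$ARTIFACT"

# The pinned digest: computed once here, hardcoded as YTT_SUM in a Dockerfile.
GOOD_SUM=$(sha256sum "$ARTIFACT" | cut -d ' ' -f 1)
# A digest that cannot match: stands in for a tampered or wrong-version file.
BAD_SUM=0000000000000000000000000000000000000000000000000000000000000000

# Stand-alone run: the good pin verifies, the artifact is left in place.
verify_pinned_artifact "$ARTIFACT" "$GOOD_SUM" && echo "pinned digest matches"
```

Inside a Dockerfile the same chain runs as one RUN instruction, so a failed `sha256sum -c` aborts the build before the `mv`, and no layer containing the unverified binary is committed; `install_pinned_artifact` makes that same guarantee explicit by removing the file on mismatch. Pinning both the version and the digest is what lets a tool such as renovate bump them together in a reviewable change.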
