Upgrade pip to fix installation issues in AMI

[webvictim]

Something appears to have changed with the cryptography pip package which results in an error message when trying to install it using the version of pip that comes out of the box with Amazon Linux 2. This breaks AMI builds.

The advice to fix it is to upgrade pip to a newer version. The newer version of pip installs to /usr/local/bin rather than /usr/bin by default (which isn't on the default PATH) so we add that temporarily to finish the install, and upgrade the paths to certbot in the systemd unit files.

Tested with TELEPORT_VERSION=5.1.2 make -C assets/aws oss

[awly]

@webvictim what errors are you seeing with the cryptography package?
something about this smells supply-chain-compromise-y.

[webvictim]

teleport-aws-linux: Collecting cryptography>=2.1.4 (from certbot)
teleport-aws-linux:   Downloading https://files.pythonhosted.org/packages/35/52/a3b9c3d8ce84544bfe8d663ba993e0593d9c518d6c08f01f6f8fff87b895/cryptography-3.4.2.tar.gz (544kB)
teleport-aws-linux:     100% \|████████████████████████████████\| 552kB 2.2MB/s
teleport-aws-linux:     Complete output from command python setup.py egg_info:
teleport-aws-linux:
teleport-aws-linux:             =============================DEBUG ASSISTANCE==========================
teleport-aws-linux:             If you are seeing an error here please try the following to
teleport-aws-linux:             successfully install cryptography:
teleport-aws-linux:
teleport-aws-linux:             Upgrade to the latest pip and try again. This will fix errors for most
teleport-aws-linux:             users. See: https://pip.pypa.io/en/stable/installing/#upgrading-pip
teleport-aws-linux:             =============================DEBUG ASSISTANCE==========================
teleport-aws-linux:
teleport-aws-linux:     Traceback (most recent call last):
teleport-aws-linux:       File "<string>", line 1, in <module>
teleport-aws-linux:       File "/tmp/pip-build-5xtm1q0w/cryptography/setup.py", line 14, in <module>
teleport-aws-linux:         from setuptools_rust import RustExtension
teleport-aws-linux:     ModuleNotFoundError: No module named 'setuptools_rust'
teleport-aws-linux:
teleport-aws-linux:     ----------------------------------------
teleport-aws-linux: Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-5xtm1q0w/cryptography/

It looks legit - see recent changes to the FAQ file and its history. I think they added Rust as a requirement to compile cryptography from source. If you have a sufficiently new version of pip it'll install a pre-compiled wheel, which is why upgrading works.

We could also pin cryptography to 3.3.2 as per Azure/azure-cli#16858 which might be less invasive, but is likely to break again at some point.