feat: Add Python Virtual Environment Support: Add k8s Gateway Configuration

[SarahAsad23]

What changes were proposed in this PR?

This PR is an extension of PR #4484, #4902, #5035, and #5069. It adds Kubernetes gateway routing and access control configurations.

Any related issues, documentation, discussions?

This change is part of ongoing efforts to support environment isolation and reproducibility within Texera. Related issue includes #4296. This PR closes sub-issue #5137.

How was this PR tested?

Tested manually.

Was this PR authored or co-authored using generative AI tooling?

Co-authored using: Claude Code (claude-opus-4-7)

[codecov-commenter]

Codecov Report

❌ Patch coverage is 55.55556% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 43.63%. Comparing base (0f5f791) to head (4a5f7ae).

Files with missing lines	Patch %	Lines
...exera/service/resource/AccessControlResource.scala	62.50%	2 Missing and 1 partial ⚠️
...virtual-environment/virtual-environment.service.ts	0.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main    #5138      +/-   ##
============================================
- Coverage     43.66%   43.63%   -0.04%     
+ Complexity     2218     2216       -2     
============================================
  Files          1049     1049              
  Lines         40580    40561      -19     
  Branches       4324     4325       +1     
============================================
- Hits          17719    17698      -21     
+ Misses        21766    21765       -1     
- Partials       1095     1098       +3     

Flag	Coverage Δ		*Carryforward flag
access-control-service	40.44% <62.50%> (+0.91%)	⬆️
agent-service	33.64% <ø> (-0.12%)	⬇️	Carriedforward from 36f0b52
amber	43.92% <ø> (-0.03%)	⬇️
computing-unit-managing-service	1.38% <ø> (ø)
config-service	19.35% <ø> (ø)
file-service	32.18% <ø> (ø)
frontend	35.15% <0.00%> (ø)
python	90.47% <ø> (-0.03%)	⬇️	Carriedforward from 36f0b52
workflow-compiling-service	58.39% <ø> (ø)

*This pull request uses carry forward flags. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[kunwp1]

Looks good in general. Left some comments.

[kunwp1]

isLocal describes where the backend is running. I can see that there is a security issue where a malicious user can flip isLocal. I suggest to derive isLocal from KubernetesConfig (there's already a config flag for this) and drop the param.

[kunwp1]

Suggested by Claude:

.*/(?:api/|wsapi/)?pve(?:/.*)? is overly permissive — the leading .*/ will match any path ending in …/pve or …/pve/anything, not just the expected /api/pve / /wsapi/pve / /pve shapes. Consistent with how wsapiWorkflowWebsocket / apiExecutionsStats are written above, so not out of line for this file, but the PVE routes here are well-defined enough to anchor more tightly, e.g.:

private val pveRoute: Regex = """^/?(?:auth/)?(?:api/|wsapi/)?pve(?:/.*)?$""".r

Also applies to pvePvesCuidPath and pvePackagesCuidPath below. Worth double-checking whether uriInfo.getPath here includes the auth/ prefix from the enclosing @Path("/auth") resource — your manual test probably already covered this, but the regex shape depends on it.

[kunwp1]

PR description says "Tested manually." Worth adding a small unit test on AccessControlResource.authorize that covers such as:

• /pve/system?cuid=N → 200 (query-string cuid)
• /pve/pves/N → 200 (path-segment cuid via the DELETE route)
• /pve/N/myenv/packages/numpy → 200 (path-segment cuid via the packages route)
• /pve/no-cuid-anywhere → 403 (cuid extraction falls through to empty → NumberFormatException → FORBIDDEN)
• a non-PVE garbage path → 403