feat: Add Python Virtual Environment Support: Add k8s Gateway Configuration

[SarahAsad23]

What changes were proposed in this PR?

This PR is an extension of PR #4484, #4902, #5035, and #5069. It adds Kubernetes gateway routing and access control configurations.

Any related issues, documentation, discussions?

This change is part of ongoing efforts to support environment isolation and reproducibility within Texera. Related issue includes #4296. This PR closes sub-issue #5137.

How was this PR tested?

Tested manually.

Was this PR authored or co-authored using generative AI tooling?

Co-authored using: Claude Code (claude-opus-4-7)

[codecov-commenter]

Codecov Report

❌ Patch coverage is 55.55556% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 47.13%. Comparing base (c435aa7) to head (aa2c269).

Files with missing lines	Patch %	Lines
...exera/service/resource/AccessControlResource.scala	62.50%	2 Missing and 1 partial ⚠️
...virtual-environment/virtual-environment.service.ts	0.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main    #5138      +/-   ##
============================================
- Coverage     47.15%   47.13%   -0.02%     
+ Complexity     2348     2343       -5     
============================================
  Files          1042     1042              
  Lines         39989    39993       +4     
  Branches       4260     4261       +1     
============================================
- Hits          18855    18850       -5     
- Misses        20012    20016       +4     
- Partials       1122     1127       +5     

Flag	Coverage Δ		*Carryforward flag
access-control-service	40.44% <62.50%> (+0.91%)	⬆️
agent-service	33.74% <ø> (-0.03%)	⬇️	Carriedforward from 0f5f791
amber	50.31% <ø> (-0.05%)	⬇️
computing-unit-managing-service	0.00% <ø> (ø)
config-service	0.00% <ø> (ø)
file-service	32.18% <ø> (ø)
frontend	37.81% <0.00%> (ø)
python	90.50% <ø> (ø)		Carriedforward from 0f5f791
workflow-compiling-service	56.81% <ø> (ø)

*This pull request uses carry forward flags. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[kunwp1]

Looks good in general. Left some comments.

[kunwp1]

isLocal describes where the backend is running. I can see that there is a security issue where a malicious user can flip isLocal. I suggest to derive isLocal from KubernetesConfig (there's already a config flag for this) and drop the param.

[kunwp1]

Suggested by Claude:

.*/(?:api/|wsapi/)?pve(?:/.*)? is overly permissive — the leading .*/ will match any path ending in …/pve or …/pve/anything, not just the expected /api/pve / /wsapi/pve / /pve shapes. Consistent with how wsapiWorkflowWebsocket / apiExecutionsStats are written above, so not out of line for this file, but the PVE routes here are well-defined enough to anchor more tightly, e.g.:

private val pveRoute: Regex = """^/?(?:auth/)?(?:api/|wsapi/)?pve(?:/.*)?$""".r

Also applies to pvePvesCuidPath and pvePackagesCuidPath below. Worth double-checking whether uriInfo.getPath here includes the auth/ prefix from the enclosing @Path("/auth") resource — your manual test probably already covered this, but the regex shape depends on it.

[kunwp1]

PR description says "Tested manually." Worth adding a small unit test on AccessControlResource.authorize that covers such as:

• /pve/system?cuid=N → 200 (query-string cuid)
• /pve/pves/N → 200 (path-segment cuid via the DELETE route)
• /pve/N/myenv/packages/numpy → 200 (path-segment cuid via the packages route)
• /pve/no-cuid-anywhere → 403 (cuid extraction falls through to empty → NumberFormatException → FORBIDDEN)
• a non-PVE garbage path → 403