feat: Add Python Virtual Environment Support: Add k8s Gateway Configuration #5138

Open
SarahAsad23 wants to merge 12 commits into apache:main from SarahAsad23:pve-deployment
Conversation

@SarahAsad23
Contributor

What changes were proposed in this PR?

This PR is an extension of PR #4484, #4902, #5035, and #5069. It adds Kubernetes gateway routing and access control configurations.

Any related issues, documentation, discussions?

This change is part of ongoing efforts to support environment isolation and reproducibility within Texera. Related issues include #4296. This PR closes sub-issue #5137.

How was this PR tested?

Tested manually.

Was this PR authored or co-authored using generative AI tooling?

Co-authored using: Claude Code (claude-opus-4-7)

@SarahAsad23 SarahAsad23 marked this pull request as draft May 20, 2026 16:58
@github-actions github-actions Bot added engine frontend Changes related to the frontend GUI dev platform Non-amber Scala service paths labels May 20, 2026
@SarahAsad23 SarahAsad23 changed the title feat: Add Python Virtual Environment Support: Add K8s Gateway Configuration feat: Add Python Virtual Environment Support: Add k8s Gateway Configuration May 20, 2026
@codecov-commenter
codecov-commenter commented May 20, 2026

Codecov Report

❌ Patch coverage is 55.55556% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 48.76%. Comparing base (d8c254c) to head (e86829d).

Files with missing lines Patch % Lines
...exera/service/resource/AccessControlResource.scala 62.50% 2 Missing and 1 partial ⚠️
...virtual-environment/virtual-environment.service.ts 0.00% 1 Missing ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##               main    #5138      +/-   ##
============================================
- Coverage     48.95%   48.76%   -0.20%     
+ Complexity     2377     2370       -7     
============================================
  Files          1048     1046       -2     
  Lines         40270    40148     -122     
  Branches       4272     4273       +1     
============================================
- Hits          19714    19577     -137     
- Misses        19402    19412      +10     
- Partials       1154     1159       +5     
Flag Coverage Δ *Carryforward flag
access-control-service 40.44% <62.50%> (+0.91%) ⬆️
agent-service 33.76% <ø> (ø) Carriedforward from 2153c17
amber 51.49% <ø> (-0.09%) ⬇️
computing-unit-managing-service 0.00% <ø> (ø)
config-service 0.00% <ø> (ø)
file-service 37.99% <ø> (ø)
frontend 40.64% <0.00%> (ø)
python 90.50% <ø> (-0.30%) ⬇️ Carriedforward from 2153c17
workflow-compiling-service 56.81% <ø> (ø)

*This pull request uses carry forward flags. Click here to find out more.

@SarahAsad23 SarahAsad23 marked this pull request as ready for review May 22, 2026 07:57
@kunwp1 kunwp1 self-requested a review May 24, 2026 02:50
@kunwp1 kunwp1 linked an issue May 24, 2026 that may be closed by this pull request
6 tasks
Contributor

@kunwp1 kunwp1 left a comment

Looks good in general. Left some comments.

@Produces(Array(MediaType.APPLICATION_JSON))
def getSystemPackages: util.Map[String, util.List[String]] = {
def getSystemPackages(
@QueryParam("isLocal") isLocal: Boolean
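
Review bot: `@QueryParam("isLocal") isLocal: Boolean` has no `@DefaultValue`, so under JAX-RS binding rules a request that omits the parameter gets `false` and is silently treated as not local. The value also arrives in the request URL, so the caller chooses it. If the parameter stays, make the default explicit and document who is expected to set it; otherwise read the deployment mode on the server side and keep the original zero-argument signature.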

isLocal describes where the backend is running. I can see that there is a security issue where a malicious user can flip isLocal. I suggest deriving isLocal from KubernetesConfig (there's already a config flag for this) and dropping the param.

private val wsapiWorkflowWebsocket: Regex = """.*/wsapi/workflow-websocket.*""".r
private val apiExecutionsStats: Regex = """.*/api/executions/[0-9]+/stats/[0-9]+.*""".r
private val apiExecutionsResultExport: Regex = """.*/api/executions/result/export.*""".r
private val pveRoute: Regex = """.*/(?:api/|wsapi/)?pve(?:/.*)?""".r
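
Review bot: the `(?:api/|wsapi/)?` group in `pveRoute` restricts nothing, because the leading `.*/` already accepts any prefix that ends in a slash, `api/` and `wsapi/` included; the pattern is equivalent to `.*/pve(?:/.*)?`. If only those prefixes are meant to be accepted, drop the `.*/` and list the allowed prefixes explicitly; if any prefix is intended, remove the group so the pattern does not suggest a restriction it does not enforce.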

Suggested by Claude:

.*/(?:api/|wsapi/)?pve(?:/.*)? is overly permissive — the leading .*/ will match any path ending in …/pve or …/pve/anything, not just the expected /api/pve / /wsapi/pve / /pve shapes. Consistent with how wsapiWorkflowWebsocket / apiExecutionsStats are written above, so not out of line for this file, but the PVE routes here are well-defined enough to anchor more tightly, e.g.:

private val pveRoute: Regex = """^/?(?:auth/)?(?:api/|wsapi/)?pve(?:/.*)?$""".r

Also applies to pvePvesCuidPath and pvePackagesCuidPath below. Worth double-checking whether uriInfo.getPath here includes the auth/ prefix from the enclosing @Path("/auth") resource — your manual test probably already covered this, but the regex shape depends on it.
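
The difference between the two patterns discussed in this comment, as an added example that is not part of the PR or the Texera code base. Both regexes are copied from the page; the `PveRouteCheck` object, the `accepts` helper and the sample paths are constructed for illustration.

```scala
import scala.util.matching.Regex

// Added example: compares the PR's pattern with the one suggested in review.
object PveRouteCheck {
  // Pattern from the PR diff.
  val permissive: Regex = """.*/(?:api/|wsapi/)?pve(?:/.*)?""".r
  // Pattern suggested in the review comment.
  val anchored: Regex = """^/?(?:auth/)?(?:api/|wsapi/)?pve(?:/.*)?$""".r

  // A Regex used as an extractor in `match` succeeds only when it matches the
  // whole input, which is how the diff uses `pveRoute()` in its case arm.
  def accepts(re: Regex, path: String): Boolean = path match {
    case re() => true
    case _    => false
  }

  // Constructed sample paths (assumptions, not routes taken from the project).
  val samples: Seq[String] = Seq(
    "/api/pve/system",         // expected PVE shape
    "/wsapi/pve",              // expected PVE shape
    "auth/api/pve/pves/7",     // shape if getPath includes the auth/ prefix
    "/pve",                    // bare PVE route
    "/api/other/pve",          // unrelated route that merely ends in /pve
    "/files/a/b/pve/anything", // unrelated route with a pve path segment
    "/api/pvex"                // different segment that starts with "pve"
  )

  def main(args: Array[String]): Unit = {
    println("path".padTo(28, ' ') + "permissive".padTo(12, ' ') + "anchored")
    samples.foreach { p =>
      val loose = accepts(permissive, p).toString.padTo(12, ' ')
      val tight = accepts(anchored, p).toString
      println(p.padTo(28, ' ') + loose + tight)
    }
  }
}
```

The rows where the two columns differ are the paths that the leading `.*/` lets into the PVE branch. Whether the `auth/` alternative is needed depends on what `uriInfo.getPath` returns, as the comment notes.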

path match {
case wsapiWorkflowWebsocket() | apiExecutionsStats() | apiExecutionsResultExport() =>
case wsapiWorkflowWebsocket() | apiExecutionsStats() | apiExecutionsResultExport() |
pveRoute() =>
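
Review bot: `pveRoute()` is appended to the same `case` alternative as `wsapiWorkflowWebsocket()`, `apiExecutionsStats()` and `apiExecutionsResultExport()` with no comment explaining why PVE paths should share that arm's handling. Every path `pveRoute` accepts now takes this branch, so add a short comment stating what the arm assumes about a matching request, or give the PVE routes their own `case` so the two can change independently.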

PR description says "Tested manually." Worth adding a small unit test on AccessControlResource.authorize that covers cases such as:

  • /pve/system?cuid=N → 200 (query-string cuid)
  • /pve/pves/N → 200 (path-segment cuid via the DELETE route)
  • /pve/N/myenv/packages/numpy → 200 (path-segment cuid via the packages route)
  • /pve/no-cuid-anywhere → 403 (cuid extraction falls through to empty → NumberFormatException → FORBIDDEN)
  • a non-PVE garbage path → 403

Development

Successfully merging this pull request may close these issues.

Add Python Virtual Environment K8s Gateway Configuration

3 participants