feat: network isolation support for Go and per-language resource limits

[aron-muon]

Summary

• Fix Go execution timing out when network isolation is enabled by dynamically setting GOPROXY=off and GOSUMDB=off
• Add per-language resource limits to allow configuring different CPU/memory for each language
• Improve sidecar debug logging with flush for better log visibility

Problem

1. Go network isolation: When networkPolicy.denyEgress: true is set, Go execution fails because go run tries to reach proxy.golang.org for module verification. This causes a 30-second timeout.

2. Resource constraints: Go compilation is CPU-intensive. Previously, all languages shared the same sidecar resource limits, making it impossible to give Go more resources without affecting Python/JavaScript.

Solution

Network Isolation

• Added NETWORK_ISOLATED environment variable to sidecar container
• Sidecar dynamically applies language-specific overrides when network is isolated:
  • Go: Sets GOPROXY=off and GOSUMDB=off to work offline
• Configuration flows from Helm values → ConfigMap → Settings → PoolConfig → Pod manifest → Sidecar

Per-Language Resources

• Added per-language resource configuration in Helm values:

  execution:
    languages:
      go:
        poolSize: 2
        resources:
          limits:
            cpu: "2"
            memory: "1Gi"
          requests:
            cpu: "500m"
            memory: "512Mi"

• Resources apply to the sidecar container (where user code runs via nsenter)
• Falls back to execution.sidecar.resources defaults when not specified

Files Changed

• docker/sidecar/main.py - Network isolation override logic and debug logging
• docker/go.Dockerfile - Added comment about GOPROXY override
• src/services/kubernetes/models.py - Added network_isolated to PoolConfig/PodSpec
• src/services/kubernetes/client.py - Pass NETWORK_ISOLATED env var to sidecar
• src/services/kubernetes/pool.py - Pass network_isolated through to pod creation
• src/services/kubernetes/job_executor.py - Pass network_isolated to job creation
• src/services/kubernetes/manager.py - Added network_isolated parameter
• src/config/__init__.py - Read per-language resources from env vars
• helm-deployments/kubecoderun/templates/configmap.yaml - Generate per-language resource env vars
• helm-deployments/kubecoderun/values.yaml - Document per-language resources schema
• tests/unit/test_sidecar_network_isolation.py - New tests for network isolation
• tests/unit/test_pool.py - Tests for per-language resources
• tests/unit/test_kubernetes_client.py - Tests for network_isolated parameter

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)

How Has This Been Tested?

• Go execution with network isolation enabled - verified GOPROXY=off is applied
• Go execution returns stdout/stderr correctly
• Unit tests pass (1301 tests)
• Helm template generates correct per-language resource env vars

Checklist

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• My changes generate no new warnings

[github-actions]

🎉 This PR is included in version 2.1.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀