docs(guides): add holodeck + AICR integration preview (provisioning + snapshot/recipe)

[ArangoGutierrez]

Summary

Adds a preview walkthrough at docs/guides/aicr-integration.md
covering the Day-0 + early Day-1 surface of the Holodeck → AICR flow:
provision a single-node g6e.xlarge L40S cluster with Holodeck, then
capture an AICR snapshot and generate a matching recipe. The companion
example at examples/aicr-demo/environment.yaml is the single
declarative file the guide walks through.

Scope

The guide is intentionally narrowed to what runs end-to-end on
g6e.xlarge L40S against current Holodeck + AICR main today:

• Phase 1 — holodeck create --provision → holodeck get kubeconfig
  → kubectl get nodes Ready.
• Phase 2.1 — aicr snapshot against the live cluster.
• Phase 2.2 — aicr recipe from that snapshot.

The full end-to-end (Slurm sbatch job + Dynamo chat-completions
response) is deferred. A "What's coming" section in the guide lists
the prerequisites:

• AICR Slinky/Slurm support — not yet on main.
• AICR overlay catalog coverage for L40 accelerators — --accelerator l40 today applies only the base + monitoring-hpa overlays, so
  dynamo-platform does not appear in the bundle.
• GPU Operator's gdrcopy-validation init step — requires the
  gdrdrv kernel module, which Holodeck's Ansible plays do not
  install.

When these land, the guide grows back the bundle/deploy/validate
sections.

CLI corrections vs. an earlier draft

Driving Holodeck end-to-end surfaced a handful of CLI-shape drifts
that the guide now reflects:

• holodeck create -f env.yaml only spins up the EC2 instance; the
  --provision flag is required to run the Ansible plays.
• holodeck update INSTANCE_ID --reprovision returns "instance ID is
  required". Flag must precede positional arg:
  holodeck update --reprovision INSTANCE_ID. Same ordering applies
  to holodeck get kubeconfig -o PATH INSTANCE_ID. The guide's
  troubleshooting calls this out.
• The kubeconfig is fetched explicitly via holodeck get kubeconfig,
  not written automatically to CWD by create.
• Security group falls back to 0.0.0.0/0 when public-IP detection
  fails. Documented in the guide's troubleshooting.
• runtimeClassName: nvidia does not work as a Day-0 GPU smoke test
  — the nvidia RuntimeClass is not installed by Holodeck.
  Kubernetes-level GPU registration is Phase 2's job (GPU Operator).

Testing

Manual run on AWS us-west-2 g6e.xlarge (1× L40S) on 2026-05-18:
provisioning succeeded, snapshot captured with NVIDIA L40S /
Ada Lovelace / driver 575.57.08 / CUDA 13.2 detected, recipe generated
with 10 components. Cluster torn down at end of session.

make mdlint not run locally in this environment; CI will verify.

Files

• docs/guides/aicr-integration.md — preview-scope rewrite.
• docs/guides/README.md, docs/examples/README.md — index entries
  reflect the reduced scope.
• examples/aicr-demo/environment.yaml — header comment updated.
• examples/aicr-demo/slurm-cluster.yaml — removed from v1 (no
  longer referenced; the Slurm track is deferred).

Out of scope (future work)

• Full Slurm + Dynamo end-to-end demo — re-added once the three
  upstream prerequisites above land.
• make demo-test / GitHub Action for CI-driven end-to-end runs.
• scripts/aicr-demo.sh helper.

[coveralls]

Coverage Report for CI Build 26209697389

Warning

Build has drifted: This PR's base is out of sync with its target branch, so coverage data may include unrelated changes.
Quick fix: rebase this PR. Learn more →

Coverage remained the same at 47.822%

Details

• Coverage remained the same as the base build.
• Patch coverage: No coverable lines changed in this PR.
• No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.

---

Coverage Stats

Relevant Lines:	11066
Covered Lines:	5292
Line Coverage:	47.82%
Coverage Strength:	0.53 hits per line

---

💛 - Coveralls

[mchmarny]

Preview-scope rewrite reads well and CI is fully green. One nit on a copy-pasteable yq snippet in §2.1 — readers will hit a parse error as written. Not a merge blocker.

[mchmarny]

Docs-only PR adding the Holodeck → AICR preview walkthrough. Scope is well-bounded, "What's coming" honestly names the upstream gates, and the troubleshooting section captures real friction from the manual test run. CI is green across 18 checks (PR is "behind" main — needs a rebase before merge).

One medium concern: the 0.0.0.0/0 security-group troubleshooting entry doesn't match the single-node code path (create.go errors out rather than falling back), so either the wording needs adjustment or the actual code path observed needs to be pinned down. Plus a handful of nits — unused jq prereq, PROVISIONED: true phrasing, and one clarification around --accelerator inference in the recipe step. Nothing that blocks merge.

[mchmarny]

jq is listed as a prerequisite but never used in the guide — only yq appears in the snippets (lines 162-163, 187). Drop jq from the list, or add the jq command that justifies it.

[ArangoGutierrez]

Dropped jq from prerequisites in 106cfc4 — only yq is used in the snippets.

[mchmarny]

This troubleshooting entry contradicts the single-node code path the guide covers. In pkg/provider/aws/create.go:368-369, when utils.GetIPAddress() fails, holodeck create returns an error (could not detect public IP for security group (set ingressCidr explicitly)) rather than falling back to 0.0.0.0/0. The 0.0.0.0/0 rules in pkg/provider/aws/cluster.go apply to NodePort and Calico VXLAN ranges in multinode cluster mode, not single-node.

If you actually observed a 0.0.0.0/0 SSH/apiserver rule on g6e.xlarge during testing, it's worth pinning down the code path — otherwise this section may steer readers wrong. Suggest rewording around the actual failure mode: "If holodeck create fails with could not detect public IP, set spec.ingressIpRanges explicitly or run from a network with a routable public IP."

[ArangoGutierrez]

Verified against the PR's view of pkg/provider/aws/create.go:366-368 — utils.GetIPAddress() failure returns could not detect public IP for security group rather than falling back to 0.0.0.0/0, so the previous wording was wrong. Rewrote the troubleshooting entry in 106cfc4 to describe the actual failure mode and point at spec.ingressIpRanges for an explicit override.

For completeness on the cluster.go rules: on the multi-node path, only NodePort TCP/UDP (cluster.go:421-434) open 0.0.0.0/0; the Calico VXLAN/BGP/Typha rules use UserIdGroupPairs between the CP and Worker SGs, not 0.0.0.0/0. None of that applies to the single-node walkthrough in this guide.

[mchmarny]

nit: holodeck list prints a table with a PROVISIONED column showing true/false (see cmd/cli/list/list.go:46), not a KEY: value line. Reword as "...the instance shows true under the PROVISIONED column of holodeck list."

[ArangoGutierrez]

Reworded in 106cfc4 to: "the instance shows true under the PROVISIONED column of holodeck list."

[mchmarny]

nit: the "What's coming" section at line 213 talks about --accelerator l40, but this command doesn't pass --accelerator at all. Worth one sentence here clarifying that the accelerator is inferred from the snapshot — otherwise readers may think they need to add --accelerator l40 after seeing the L40 note below.

[ArangoGutierrez]

Added a one-sentence clarification in 106cfc4 before the AICR-matching explanation — accelerator is inferred from the snapshot, no --accelerator flag in this command. Keeps the --accelerator l40 reference in "What's coming" scoped to the underlying overlay-catalog gate.

[mchmarny]

The "What's coming" section is a strong addition — naming the three upstream gates (Slurm PR #866, L40 overlay coverage, gdrdrv) makes the preview scope honest and gives readers a clear sense of when v2 grows back. Nice.

[ArangoGutierrez]

@mchmarny — pushed 636dfbb addressing the 5 nits (per-thread replies inline) and rebased on current main. Ready for another look when you have a sec.