Commit 5fd43212 authored by Clement Bois's avatar Clement Bois

Merge branch 'feat/default-private-key' into 'main'

feat: add ANSIBLE_DEFAULT_PRIVATE_KEY for ansible 2.9 compatibility

Closes #37

See merge request to-be-continuous/ansible!88
parents 28eb0208 a061dce5
+12 −12
@@ -319,8 +319,8 @@ This template can be configured with the following **environment variables**:
| `environment-url` / `ANSIBLE_ENVIRONMENT_URL`       | Default environments url _(only define for static environment URLs declaration)_<br/>_supports late variable expansion (ex: `https://%{environment_name}.acme.com`)_ | _none_ |
| `environment-namespace` / `ANSIBLE_ENVIRONMENT_NAMESPACE` | Extra [GitLab environments](https://docs.gitlab.com/ci/environments/) namespace _(only required when deploying [multiple environments](#multiple-environments-support))_<br/>:warning: must start with a slash `/` | _none_ |
| :lock: `ANSIBLE_VAULT_PASSWORD` | The Ansible vault password used to decrypt vars.                                     | **has to be defined in gitlab secret if used** |
| :lock: `ANSIBLE_PRIVATE_KEY`    | The Ansible SSH private key to use in all stages (can be overridden per env)         | **has to be defined in gitlab secret if used** |
| `public-key` / `ANSIBLE_PUBLIC_KEY` | The Ansible SSH public key associated to the private key to be use in all stages (can be overridden per env) | **has to be defined if used** |
| :lock: `ANSIBLE_DEFAULT_PRIVATE_KEY`    | The Ansible SSH private key to use in all stages (can be overridden per env)         | **has to be defined in gitlab secret if used** |
| `default-public-key` / `ANSIBLE_DEFAULT_PUBLIC_KEY` | The Ansible SSH public key associated to the private key to be use in all stages (can be overridden per env) | **has to be defined if used** |
| `default-inventory` / `ANSIBLE_DEFAULT_INVENTORY` | The default inventory, if used                                                       | **has to be defined if used**                  |
| `default-tags` / `ANSIBLE_DEFAULT_TAGS` | The default tags, if used                                                            | **has to be defined if used**                  |
| `default-extra-args` / `ANSIBLE_DEFAULT_EXTRA_ARGS` | Optional default args to add to the ansible-playbook command line                    | **has to be defined if used**                  |
@@ -354,8 +354,8 @@ Here are variables supported to configure the integration environment:
| `review-extra-args` / `ANSIBLE_REVIEW_EXTRA_ARGS` | The command line args for `review` env             | `$ANSIBLE_DEFAULT_EXTRA_ARGS`                   |
| `review-playbook-file` / `ANSIBLE_REVIEW_PLAYBOOK_FILE` | The playbook filename for `review` env             | **has to be defined to enable the review env**  |
| `review-cleanup-playbook-file` / `ANSIBLE_REVIEW_CLEANUP_PLAYBOOK_FILE` | The playbook filename to cleanup `review` env             | `$ANSIBLE_REVIEW_PLAYBOOK_FILE`  |
| :lock: `ANSIBLE_REVIEW_PRIVATE_KEY`    | The SSH private key to be use in `review` env      | `$ANSIBLE_PRIVATE_KEY`                   |
| `review-public-key` / `ANSIBLE_REVIEW_PUBLIC_KEY` | The SSH public key associated to the private key to be use in `review` env      | `$ANSIBLE_PUBLIC_KEY`                   |
| :lock: `ANSIBLE_REVIEW_PRIVATE_KEY`    | The SSH private key to be use in `review` env      | `$ANSIBLE_DEFAULT_PRIVATE_KEY`                   |
| `review-public-key` / `ANSIBLE_REVIEW_PUBLIC_KEY` | The SSH public key associated to the private key to be use in `review` env      | `$ANSIBLE_DEFAULT_PUBLIC_KEY`                   |
| :lock: `ANSIBLE_REVIEW_VAULT_PASSWORD` | The Ansible vault password for `review` env        | `$ANSIBLE_VAULT_PASSWORD`                 |
| `review-autostop-duration` / `ANSIBLE_REVIEW_AUTOSTOP_DURATION` | The amount of time before GitLab will automatically stop `review` environments | `4 hours` |

@@ -377,8 +377,8 @@ Here are variables supported to configure the integration environment:
| `integ-extra-args` / `ANSIBLE_INTEG_EXTRA_ARGS` | The command line args  for `integration` env       | `$ANSIBLE_DEFAULT_EXTRA_ARGS`                   |
| `integ-playbook-file` / `ANSIBLE_INTEG_PLAYBOOK_FILE` | The playbook filename for `integration` env        | **has to be defined to enable the integration env** |
| `integ-cleanup-playbook-file` / `ANSIBLE_INTEG_CLEANUP_PLAYBOOK_FILE` | The playbook filename to cleanup `integration` env     | `$ANSIBLE_INTEG_PLAYBOOK_FILE` |
| :lock: `ANSIBLE_INTEG_PRIVATE_KEY`    | The SSH private key to be use in `integration` env     | `$ANSIBLE_PRIVATE_KEY`                  |
| `integ-public-key` / `ANSIBLE_INTEG_PUBLIC_KEY` | The SSH public key associated to the private key to be use in `integration` env  | `$ANSIBLE_PUBLIC_KEY`                   |
| :lock: `ANSIBLE_INTEG_PRIVATE_KEY`    | The SSH private key to be use in `integration` env     | `$ANSIBLE_DEFAULT_PRIVATE_KEY`                  |
| `integ-public-key` / `ANSIBLE_INTEG_PUBLIC_KEY` | The SSH public key associated to the private key to be use in `integration` env  | `$ANSIBLE_DEFAULT_PUBLIC_KEY`                   |
| :lock: `ANSIBLE_INTEG_VAULT_PASSWORD` | The Ansible vault password for `integration` env       | `$ANSIBLE_VAULT_PASSWORD`                |
| `integ-autostop-duration` / `ANSIBLE_INTEG_AUTOSTOP_DURATION` | The amount of time before GitLab will automatically stop the `integration` env | `never` |

@@ -400,8 +400,8 @@ Here are variables supported to configure the staging environment:
| `staging-extra-args` / `ANSIBLE_STAGING_EXTRA_ARGS` | The command line args  for `staging` env           | `$ANSIBLE_DEFAULT_EXTRA_ARGS`                   |
| `staging-playbook-file` / `ANSIBLE_STAGING_PLAYBOOK_FILE` | The playbook filename for `staging` env            | **has to be defined to enable the staging env** |
| `staging-cleanup-playbook-file` / `ANSIBLE_STAGING_CLEANUP_PLAYBOOK_FILE` | The playbook filename to cleanup `staging` env            | `$ANSIBLE_STAGING_PLAYBOOK_FILE` |
| :lock: `ANSIBLE_STAGING_PRIVATE_KEY`    | The SSH private key to be use in `staging` env     | `$ANSIBLE_PRIVATE_KEY`                  |
| `staging-public-key` / `ANSIBLE_STAGING_PUBLIC_KEY` | The SSH public key associated to the private key to be use in `staging` env      | `$ANSIBLE_PUBLIC_KEY`                   |
| :lock: `ANSIBLE_STAGING_PRIVATE_KEY`    | The SSH private key to be use in `staging` env     | `$ANSIBLE_DEFAULT_PRIVATE_KEY`                  |
| `staging-public-key` / `ANSIBLE_STAGING_PUBLIC_KEY` | The SSH public key associated to the private key to be use in `staging` env      | `$ANSIBLE_DEFAULT_PUBLIC_KEY`                   |
| :lock: `ANSIBLE_STAGING_VAULT_PASSWORD` | The Ansible vault password for `staging` env       | `$ANSIBLE_VAULT_PASSWORD`                |
| `staging-autostop-duration` / `ANSIBLE_STAGING_AUTOSTOP_DURATION` | The amount of time before GitLab will automatically stop the `staging` env | `never` |

@@ -416,8 +416,8 @@ Here are variables supported to configure the staging environment:
| `prod-tags` / `ANSIBLE_PROD_TAGS` | The tags for `production` env                      | `$ANSIBLE_DEFAULT_TAGS`                                   |
| `prod-extra-args` / `ANSIBLE_PROD_EXTRA_ARGS` | The command line args  for `production` env        | `$ANSIBLE_DEFAULT_EXTRA_ARGS`                             |
| `prod-playbook-file` / `ANSIBLE_PROD_PLAYBOOK_FILE` | The playbook filename for `production` env         | **has to be defined**                                     |
| :lock: `ANSIBLE_PROD_PRIVATE_KEY`      | The SSH private key to be use in `production` env  | `$ANSIBLE_PRIVATE_KEY`                             |
| `prod-public-key` / `ANSIBLE_PROD_PUBLIC_KEY` | The SSH public key associated to the private key to be use in `production` env      | `$ANSIBLE_PUBLIC_KEY`                   |
| :lock: `ANSIBLE_PROD_PRIVATE_KEY`      | The SSH private key to be use in `production` env  | `$ANSIBLE_DEFAULT_PRIVATE_KEY`                             |
| `prod-public-key` / `ANSIBLE_PROD_PUBLIC_KEY` | The SSH public key associated to the private key to be use in `production` env      | `$ANSIBLE_DEFAULT_PUBLIC_KEY`                   |
| :lock: `ANSIBLE_PROD_VAULT_PASSWORD`   | The Ansible vault password for `production` env    | `$ANSIBLE_VAULT_PASSWORD`                           |

Variables that you want to define or override default have to be defined as a project or group CI/CD variable or globally in your `.gitlab-ci.yml` file.
@@ -473,7 +473,7 @@ include:
      prod-playbook-file: "main.yml" 
```

Don't forget to add `$ANSIBLE_VAULT_PASSWORD` & `$ANSIBLE_PRIVATE_KEY` in GitLab secret variables.
Don't forget to add `$ANSIBLE_VAULT_PASSWORD` & `$ANSIBLE_DEFAULT_PRIVATE_KEY` in GitLab secret variables.

### Deploy your application

@@ -628,7 +628,7 @@ include:
variables:
  # Secrets managed by Vault
  ANSIBLE_VAULT_PASSWORD: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/my-infra/ansible?field=vault.password"
  ANSIBLE_PRIVATE_KEY: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/my-infra/ansible?field=priv_key"
  ANSIBLE_DEFAULT_PRIVATE_KEY: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/my-infra/ansible?field=priv_key"
```

### Google Cloud variant
+7 −2
@@ -39,15 +39,20 @@
      "secret": true
    },
    {
      "name": "ANSIBLE_PRIVATE_KEY",
      "name": "ANSIBLE_DEFAULT_PRIVATE_KEY",
      "description": "The Ansible SSH private key to use in all stages (can be overridden per env)",
      "secret": true
    },
    {
      "name": "ANSIBLE_PUBLIC_KEY",
      "name": "ANSIBLE_DEFAULT_PUBLIC_KEY",
      "description": "The Ansible SSH public key associated to the private key to be use in all stages (can be overridden per env)",
      "advanced": true
    },
    {
      "name": "ANSIBLE_PUBLIC_KEY",
      "description": "Backward compatibility. Use `default-public-key` instead",
      "advanced": true
    },
    {
      "name": "ANSIBLE_DEFAULT_INVENTORY",
      "description": "The default inventory, if used"
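Review bot: The `ANSIBLE_PRIVATE_KEY` entry is removed outright, whereas `ANSIBLE_PUBLIC_KEY` keeps a "Backward compatibility" entry; the template in this same commit still reads `ANSIBLE_PRIVATE_KEY` as a last-resort fallback and only warns about it, so a variable that still affects the job disappears from the kicker listing. Consider keeping a matching entry for `ANSIBLE_PRIVATE_KEY`, flagged `"secret": true` and `"advanced": true`, whose description says it is kept for backward compatibility and points to `ANSIBLE_DEFAULT_PRIVATE_KEY`. Separately, the new compatibility description says "Use `default-public-key` instead", which is the template input name, while this file lists environment-variable names; `ANSIBLE_DEFAULT_PUBLIC_KEY` would be consistent with the rest of the file. The enclosing variables array starts and ends outside this hunk.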
+13 −3
@@ -37,9 +37,12 @@ spec:
        
        :warning: must start with a slash `/`
      default: ''
    public-key:
    default-public-key:
      description: The Ansible SSH public key associated to the private key to be use in all stages (can be overridden per env)
      default: ''
    public-key:
      description: Backward compatibility. Use `default-public-key` instead
      default: ''
    default-inventory:
      description: The default inventory, if used
      default: ''
@@ -278,6 +281,7 @@ variables:

  ANSIBLE_ENVIRONMENT_URL: $[[ inputs.environment-url ]]
  ANSIBLE_ENVIRONMENT_NAMESPACE: $[[ inputs.environment-namespace ]]
  ANSIBLE_DEFAULT_PUBLIC_KEY: $[[ inputs.default-public-key ]]
  ANSIBLE_PUBLIC_KEY: $[[ inputs.public-key ]]
  ANSIBLE_DEFAULT_INVENTORY: $[[ inputs.default-inventory ]]
  ANSIBLE_DEFAULT_TAGS: $[[ inputs.default-tags ]]
@@ -668,8 +672,8 @@ stages:
    export environment_url=${ENV_URL:-${ANSIBLE_ENVIRONMENT_URL:-$CI_ENVIRONMENT_URL}}
    environment_namespace=$(echo "$ANSIBLE_ENVIRONMENT_NAMESPACE" | tr -d '[:punct:]' | tr '[:upper:]' '[:lower:]')
    export environment_namespace
    private_key=${ENV_PRIVATE_KEY:-$ANSIBLE_PRIVATE_KEY}
    public_key=${ENV_PUBLIC_KEY:-$ANSIBLE_PUBLIC_KEY}
    private_key=${ENV_PRIVATE_KEY:-${ANSIBLE_DEFAULT_PRIVATE_KEY:-$ANSIBLE_PRIVATE_KEY}}
    public_key=${ENV_PUBLIC_KEY:-${ANSIBLE_DEFAULT_PRIVATE_KEY:-$ANSIBLE_PUBLIC_KEY}}
    vault_password=${ENV_VAULT_PASSWORD:-$ANSIBLE_VAULT_PASSWORD}

    # variables expansion in $environment_url
@@ -712,6 +716,9 @@ stages:

    if [ -n "$private_key" ]; then
      log_info "--- \\e[32mprivate key\\e[0m found"
      if [ -n "$ANSIBLE_PRIVATE_KEY" ]; then
        log_warn "ANSIBLE_PRIVATE_KEY conflicts with ansible 2.9+ ssh configuration. Use ANSIBLE_DEFAULT_PRIVATE_KEY instead"
      fi
      if [ -f "$private_key" ]; then
        # chmod to prevent SSH client from complaining
        chmod 0600 "$private_key"
@@ -725,6 +732,9 @@ stages:

    if [ -n "$public_key" ]; then
      log_info "--- \\e[32mpublic key\\e[0m found"
      if [ -n "$ANSIBLE_PUBLIC_KEY" ]; then
        log_warn "ANSIBLE_PUBLIC_KEY is deprecated. Use ANSIBLE_DEFAULT_PUBLIC_KEY instead"
      fi
      if [ -f "$public_key" ]; then
        ansible_opts="$ansible_opts -e ssh_public_key_file=$public_key -e ANSIBLE_SSH_PUBLIC_KEY_FILE=$public_key"
      else
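Review bot: In hunk `@@ -668,8 +672,8 @@`, the new `public_key` line falls back to `ANSIBLE_DEFAULT_PRIVATE_KEY` rather than `ANSIBLE_DEFAULT_PUBLIC_KEY`: whenever `ENV_PUBLIC_KEY` is unset and a default private key is configured, `public_key` receives the private key value or path, which the later `-e ssh_public_key_file=$public_key -e ANSIBLE_SSH_PUBLIC_KEY_FILE=$public_key` options then hand to the playbook as if it were the public key, exposing private key material where only public data is expected and on the ansible command line. The `ANSIBLE_DEFAULT_PUBLIC_KEY` variable wired in at `@@ -278,6 +281,7 @@` is consequently never consumed, so the new `default-public-key` input has no effect. The line should read `public_key=${ENV_PUBLIC_KEY:-${ANSIBLE_DEFAULT_PUBLIC_KEY:-$ANSIBLE_PUBLIC_KEY}}`. A quick check that `public_key` does not equal `private_key` before use would also catch a repeat of this mix-up. The enclosing `script:` block starts and ends outside these hunks.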