feat(dgw): decouple agent tunnel SAN from network endpoint

Splits the Gateway's cryptographic identity (the SAN written to the agent
tunnel server certificate) from its network reachability (the host the agent
dials). A single `conf.hostname` was previously overloaded as both, which broke
deployments where the gateway is reachable by several names depending on the
agent's network position (internal FQDN, IP literal, public DNS).

`AgentTunnel.AdvertisedNames` is the authoritative list of names/IPs the
gateway accepts enrollments through, and is the SAN set written into
`agent-tunnel-server-cert.pem`. Each entry is either a bare string or
`{ "Name": "...", "Label": "..." }` for DVLS UI grouping. When absent, the
config defaults to `[conf.hostname]` so existing deployments are unaffected.

At gateway boot the server cert is regenerated whenever the on-disk SAN set
differs from the configured advertised names. The existing server keypair is
reused so the SPKI pin held by already-enrolled agents stays stable; only the
cert document is reissued. The new cert fingerprint is logged.

`/jet/tunnel/enroll` now parses the JWT's `jet_gw_url`, normalises the host
(DNS lowercased, IP literals canonicalised), and rejects with HTTP 400 +
`{ error, message, help }` body when the host is not in
`AgentTunnel.AdvertisedNames`. The enrollment response now carries both
`quic_endpoint` (legacy, computed from the validated JWT host and the listen
port) and `quic_port` (new); a follow-up release will drop `quic_endpoint`.

`/jet/diagnostics/configuration` now exposes an `agent_tunnel` field with
`enabled`, `listen_port`, and the advertised name list (with optional labels).
DVLS reads this to build the "Generate enrollment string" dropdown.

Issue: DGW-Agent-Tunnel-Identity

Author: irvingoujAtDevolution

crates/agent-tunnel/src/cert.rs

@@ -112,10 +112,10 @@ impl AgentTunnelListener {
     pub async fn bind(
         listen_addr: SocketAddr,
         ca_manager: Arc<CaManager>,
-        hostname: &str,
+        advertised_names: &[&str],
     ) -> anyhow::Result<(Self, AgentTunnelHandle)> {
         let tls_config = ca_manager
-            .build_server_tls_config(hostname)
+            .build_server_tls_config(advertised_names)
             .context("build server TLS config")?;
 
         let quic_server_config = quinn::crypto::rustls::QuicServerConfig::try_from(Arc::new(tls_config))

crates/agent-tunnel/src/listener.rs

@@ -32,6 +32,36 @@ pub(crate) struct ConfigDiagnostic {
     version: &'static str,
     /// Listeners configured on this instance
     listeners: Vec<ListenerUrls>,
+    /// Agent tunnel configuration summary (`null` when feature is disabled or absent in config).
+    #[serde(skip_serializing_if = "Option::is_none")]
+    agent_tunnel: Option<AgentTunnelDiagnostic>,
+}
+
+/// Agent tunnel diagnostic surface.
+///
+/// DVLS reads this when building the "Generate enrollment string" dropdown so
+/// admins pick a name the Gateway is actually advertising. Same auth scope as
+/// the rest of `/jet/diagnostics/configuration`.
+#[cfg_attr(feature = "openapi", derive(utoipa::ToSchema))]
+#[derive(Serialize)]
+pub(crate) struct AgentTunnelDiagnostic {
+    /// Whether the agent tunnel listener is enabled.
+    enabled: bool,
+    /// UDP port the agent tunnel QUIC listener is bound to.
+    listen_port: u16,
+    /// Names or IPs this Gateway is reachable as for agent tunnel enrollment.
+    advertised_names: Vec<AdvertisedNameDiagnostic>,
+}
+
+/// One advertised name entry, with an optional display label for DVLS UI.
+#[cfg_attr(feature = "openapi", derive(utoipa::ToSchema))]
+#[derive(Serialize)]
+pub(crate) struct AdvertisedNameDiagnostic {
+    /// Host or IP literal (canonical form).
+    name: String,
+    /// Optional display label.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    label: Option<String>,
 }
 
 impl From<&Conf> for ConfigDiagnostic {
@@ -75,11 +105,30 @@ impl From<&Conf> for ConfigDiagnostic {
             }
         }
 
+        let agent_tunnel = if conf.agent_tunnel.enabled {
+            Some(AgentTunnelDiagnostic {
+                enabled: conf.agent_tunnel.enabled,
+                listen_port: conf.agent_tunnel.listen_port,
+                advertised_names: conf
+                    .agent_tunnel
+                    .advertised_names
+                    .iter()
+                    .map(|n| AdvertisedNameDiagnostic {
+                        name: n.name().to_owned(),
+                        label: n.label().map(str::to_owned),
+                    })
+                    .collect(),
+            })
+        } else {
+            None
+        };
+
         ConfigDiagnostic {
             id: conf.id,
             listeners,
             version: env!("CARGO_PKG_VERSION"),
             hostname: conf.hostname.clone(),
+            agent_tunnel,
         }
     }
 }