Fixes as per @knobunc review comments.

Author: ramr

images/router/haproxy/conf/haproxy-config.template

@@ -237,8 +237,11 @@ frontend fe_sni
   # requests if the DN field in the client certificate doesn't match that value.
   # Please note that this match is a subset (substring) match.
   # Example: For DN set to: /CN=header.test/ST=CA/C=US/O=Security/OU=OpenShift3,
-  #          A. ROUTER_MUTUAL_TLS_AUTH_FILTER="header.test" would match the
-  #             DN field and the request will be passed on to the backend.
+  #          A. ROUTER_MUTUAL_TLS_AUTH_FILTER="header.test"   OR
+  #             ROUTER_MUTUAL_TLS_AUTH_FILTER="head"          OR
+  #             ROUTER_MUTUAL_TLS_AUTH_FILTER="/CN=header.test/ST=CA/C=US/O=Security/OU=OpenShift3" /* exact match example */
+  #             the filter would match the DN field (substring or exact match)
+  #             and the request will be passed on to the backend.
   #          B. ROUTER_MUTUAL_TLS_AUTH_FILTER="legacy-web-client", the request
   #             will be rejected.
   acl cert_cn_matches ssl_c_s_dn -m sub {{.}}
@@ -302,11 +305,7 @@ frontend fe_no_sni
   # If a mutual TLS auth subject filter environment variable is set, we deny
   # requests if the DN field in the client certificate doesn't match that value.
   # Please note that this match is a subset (substring) match.
-  # Example: For DN set to: /CN=header.test/ST=CA/C=US/O=Security/OU=OpenShift3,
-  #          A. ROUTER_MUTUAL_TLS_AUTH_FILTER="header.test" would match the
-  #             DN field and the request will be passed on to the backend.
-  #          B. ROUTER_MUTUAL_TLS_AUTH_FILTER="legacy-web-client", the request
-  #             will be rejected.
+  # See the config section 'frontend fe_sni' for examples.
   acl cert_cn_matches ssl_c_s_dn -m sub {{.}}
   http-request deny unless cert_cn_matches
     {{- end }}

pkg/oc/admin/router/router.go

@@ -237,7 +237,7 @@ type RouterConfig struct {
 	Local bool
 
 	// MutualTLSAuth controls access to the router using a mutually agreed
-	// upon TLS authentication mechanism (ala client certificates).
+	// upon TLS authentication mechanism (example client certificates).
 	// One of: required | optional | none  - the default is none.
 	MutualTLSAuth string
 
@@ -334,7 +334,7 @@ func NewCmdRouter(f kcmdutil.Factory, parentName, name string, out, errout io.Wr
 	cmd.Flags().BoolVar(&cfg.StrictSNI, "strict-sni", cfg.StrictSNI, "Use strict-sni bind processing (do not use default cert). Not supported for F5.")
 	cmd.Flags().BoolVar(&cfg.Local, "local", cfg.Local, "If true, do not contact the apiserver")
 
-	cmd.Flags().StringVar(&cfg.MutualTLSAuth, "mutual-tls-auth", cfg.MutualTLSAuth, "Controls access to the router using mutually agreed upon TLS configuration (ala client certificates). You can choose one of 'required', 'optional', or 'none'. The default is none.")
+	cmd.Flags().StringVar(&cfg.MutualTLSAuth, "mutual-tls-auth", cfg.MutualTLSAuth, "Controls access to the router using mutually agreed upon TLS configuration (example client certificates). You can choose one of 'required', 'optional', or 'none'. The default is none.")
 	cmd.Flags().StringVar(&cfg.MutualTLSAuthCA, "mutual-tls-auth-ca", cfg.MutualTLSAuthCA, "Optional path to a file containing one or more CA certificates used for mutual TLS authentication. The CA certificate[s] are used by the router to verify a client's certificate.")
 	cmd.Flags().StringVar(&cfg.MutualTLSAuthCRL, "mutual-tls-auth-crl", cfg.MutualTLSAuthCRL, "Optional path to a file containing the certificate revocation list used for mutual TLS authentication. The certificate revocation list is used by the router to verify a client's certificate.")
 	cmd.Flags().StringVar(&cfg.MutualTLSAuthFilter, "mutual-tls-auth-filter", cfg.MutualTLSAuthFilter, "Optional value to filter the client certificates. If the client certificate subject field does _not_ contain (substring match) this value, requests will be rejected by the router.")