docs: Cleanup more literals in API docs (#22174)

Signed-off-by: Ryan Northey <ryan@synca.io>

Mirrored from https://github.com/envoyproxy/envoy @ 2222039d775c45c583f5eef833a482e2be150d21

envoy/admin/v3/clusters.proto

@@ -43,10 +43,10 @@ message ClusterStatus {
   // The success rate threshold used in the last interval.
   // If
   // :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
-  // is *false*, all errors: externally and locally generated were used to calculate the threshold.
+  // is ``false``, all errors: externally and locally generated were used to calculate the threshold.
   // If
   // :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
-  // is *true*, only externally generated errors were used to calculate the threshold.
+  // is ``true``, only externally generated errors were used to calculate the threshold.
   // The threshold is used to eject hosts based on their success rate. See
   // :ref:`Cluster outlier detection <arch_overview_outlier_detection>` documentation for details.
   //
@@ -66,7 +66,7 @@ message ClusterStatus {
   // taken into account and externally originated errors were treated as success.
   // This field should be interpreted only when
   // :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
-  // is *true*. The threshold is used to eject hosts based on their success rate.
+  // is ``true``. The threshold is used to eject hosts based on their success rate.
   // See :ref:`Cluster outlier detection <arch_overview_outlier_detection>` documentation for
   // details.
   //
@@ -103,10 +103,10 @@ message HostStatus {
   // Request success rate for this host over the last calculated interval.
   // If
   // :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
-  // is *false*, all errors: externally and locally generated were used in success rate
+  // is ``false``, all errors: externally and locally generated were used in success rate
   // calculation. If
   // :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
-  // is *true*, only externally generated errors were used in success rate calculation.
+  // is ``true``, only externally generated errors were used in success rate calculation.
   // See :ref:`Cluster outlier detection <arch_overview_outlier_detection>` documentation for
   // details.
   //
@@ -129,7 +129,7 @@ message HostStatus {
   // errors were treated as success.
   // This field should be interpreted only when
   // :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
-  // is *true*.
+  // is ``true``.
   // See :ref:`Cluster outlier detection <arch_overview_outlier_detection>` documentation for
   // details.
   //

envoy/admin/v3/config_dump.proto

@@ -30,13 +30,13 @@ message ConfigDump {
   // The following configurations are currently supported and will be dumped in the order given
   // below:
   //
-  // * *bootstrap*: :ref:`BootstrapConfigDump <envoy_v3_api_msg_admin.v3.BootstrapConfigDump>`
-  // * *clusters*: :ref:`ClustersConfigDump <envoy_v3_api_msg_admin.v3.ClustersConfigDump>`
-  // * *endpoints*:  :ref:`EndpointsConfigDump <envoy_v3_api_msg_admin.v3.EndpointsConfigDump>`
-  // * *listeners*: :ref:`ListenersConfigDump <envoy_v3_api_msg_admin.v3.ListenersConfigDump>`
-  // * *scoped_routes*: :ref:`ScopedRoutesConfigDump <envoy_v3_api_msg_admin.v3.ScopedRoutesConfigDump>`
-  // * *routes*:  :ref:`RoutesConfigDump <envoy_v3_api_msg_admin.v3.RoutesConfigDump>`
-  // * *secrets*:  :ref:`SecretsConfigDump <envoy_v3_api_msg_admin.v3.SecretsConfigDump>`
+  // * ``bootstrap``: :ref:`BootstrapConfigDump <envoy_v3_api_msg_admin.v3.BootstrapConfigDump>`
+  // * ``clusters``: :ref:`ClustersConfigDump <envoy_v3_api_msg_admin.v3.ClustersConfigDump>`
+  // * ``endpoints``:  :ref:`EndpointsConfigDump <envoy_v3_api_msg_admin.v3.EndpointsConfigDump>`
+  // * ``listeners``: :ref:`ListenersConfigDump <envoy_v3_api_msg_admin.v3.ListenersConfigDump>`
+  // * ``scoped_routes``: :ref:`ScopedRoutesConfigDump <envoy_v3_api_msg_admin.v3.ScopedRoutesConfigDump>`
+  // * ``routes``:  :ref:`RoutesConfigDump <envoy_v3_api_msg_admin.v3.RoutesConfigDump>`
+  // * ``secrets``:  :ref:`SecretsConfigDump <envoy_v3_api_msg_admin.v3.SecretsConfigDump>`
   //
   // EDS Configuration will only be dumped by using parameter ``?include_eds``
   //

envoy/admin/v3/config_dump_shared.proto

@@ -122,7 +122,7 @@ message ListenersConfigDump {
     DynamicListenerState draining_state = 4;
 
     // Set if the last update failed, cleared after the next successful update.
-    // The *error_state* field contains the rejected version of this particular
+    // The ``error_state`` field contains the rejected version of this particular
     // resource along with the reason and timestamp. For successfully updated or
     // acknowledged resource, this field should be empty.
     UpdateFailureState error_state = 5;
@@ -182,7 +182,7 @@ message ClustersConfigDump {
     google.protobuf.Timestamp last_updated = 3;
 
     // Set if the last update failed, cleared after the next successful update.
-    // The *error_state* field contains the rejected version of this particular
+    // The ``error_state`` field contains the rejected version of this particular
     // resource along with the reason and timestamp. For successfully updated or
     // acknowledged resource, this field should be empty.
     // [#not-implemented-hide:]
@@ -249,7 +249,7 @@ message RoutesConfigDump {
     google.protobuf.Timestamp last_updated = 3;
 
     // Set if the last update failed, cleared after the next successful update.
-    // The *error_state* field contains the rejected version of this particular
+    // The ``error_state`` field contains the rejected version of this particular
     // resource along with the reason and timestamp. For successfully updated or
     // acknowledged resource, this field should be empty.
     // [#not-implemented-hide:]
@@ -309,7 +309,7 @@ message ScopedRoutesConfigDump {
     google.protobuf.Timestamp last_updated = 4;
 
     // Set if the last update failed, cleared after the next successful update.
-    // The *error_state* field contains the rejected version of this particular
+    // The ``error_state`` field contains the rejected version of this particular
     // resource along with the reason and timestamp. For successfully updated or
     // acknowledged resource, this field should be empty.
     // [#not-implemented-hide:]
@@ -353,7 +353,7 @@ message EndpointsConfigDump {
     google.protobuf.Timestamp last_updated = 3;
 
     // Set if the last update failed, cleared after the next successful update.
-    // The *error_state* field contains the rejected version of this particular
+    // The ``error_state`` field contains the rejected version of this particular
     // resource along with the reason and timestamp. For successfully updated or
     // acknowledged resource, this field should be empty.
     // [#not-implemented-hide:]

envoy/config/accesslog/v3/accesslog.proto

@@ -151,7 +151,7 @@ message RuntimeFilter {
       "envoy.config.filter.accesslog.v2.RuntimeFilter";
 
   // Runtime key to get an optional overridden numerator for use in the
-  // *percent_sampled* field. If found in runtime, this value will replace the
+  // ``percent_sampled`` field. If found in runtime, this value will replace the
   // default numerator.
   string runtime_key = 1 [(validate.rules).string = {min_len: 1}];
 
@@ -165,9 +165,9 @@ message RuntimeFilter {
   // is present, the filter will consistently sample across multiple hosts based
   // on the runtime key value and the value extracted from
   // :ref:`x-request-id<config_http_conn_man_headers_x-request-id>`. If it is
-  // missing, or *use_independent_randomness* is set to true, the filter will
+  // missing, or ``use_independent_randomness`` is set to true, the filter will
   // randomly sample based on the runtime key value alone.
-  // *use_independent_randomness* can be used for logging kill switches within
+  // ``use_independent_randomness`` can be used for logging kill switches within
   // complex nested :ref:`AndFilter
   // <envoy_v3_api_msg_config.accesslog.v3.AndFilter>` and :ref:`OrFilter
   // <envoy_v3_api_msg_config.accesslog.v3.OrFilter>` blocks that are easier to

envoy/config/bootstrap/v3/bootstrap.proto

@@ -189,7 +189,7 @@ message Bootstrap {
 
   // Optional watchdog configuration.
   // This is for a single watchdog configuration for the entire system.
-  // Deprecated in favor of *watchdogs* which has finer granularity.
+  // Deprecated in favor of ``watchdogs`` which has finer granularity.
   Watchdog watchdog = 8
       [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
 
@@ -249,7 +249,7 @@ message Bootstrap {
   // when :ref:`dns_resolvers <envoy_v3_api_field_config.cluster.v3.Cluster.dns_resolvers>` and
   // :ref:`use_tcp_for_dns_lookups <envoy_v3_api_field_config.cluster.v3.Cluster.use_tcp_for_dns_lookups>` are
   // specified.
-  // This field is deprecated in favor of *dns_resolution_config*
+  // This field is deprecated in favor of ``dns_resolution_config``
   // which aggregates all of the DNS resolver configuration in a single message.
   bool use_tcp_for_dns_lookups = 20
       [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
@@ -267,12 +267,12 @@ message Bootstrap {
   // or any other DNS resolver types and the related parameters.
   // For example, an object of
   // :ref:`CaresDnsResolverConfig <envoy_v3_api_msg_extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig>`
-  // can be packed into this *typed_dns_resolver_config*. This configuration replaces the
+  // can be packed into this ``typed_dns_resolver_config``. This configuration replaces the
   // :ref:`dns_resolution_config <envoy_v3_api_field_config.bootstrap.v3.Bootstrap.dns_resolution_config>`
   // configuration.
-  // During the transition period when both *dns_resolution_config* and *typed_dns_resolver_config* exists,
-  // when *typed_dns_resolver_config* is in place, Envoy will use it and ignore *dns_resolution_config*.
-  // When *typed_dns_resolver_config* is missing, the default behavior is in place.
+  // During the transition period when both ``dns_resolution_config`` and ``typed_dns_resolver_config`` exists,
+  // when ``typed_dns_resolver_config`` is in place, Envoy will use it and ignore ``dns_resolution_config``.
+  // When ``typed_dns_resolver_config`` is missing, the default behavior is in place.
   // [#extension-category: envoy.network.dns_resolver]
   core.v3.TypedExtensionConfig typed_dns_resolver_config = 31;
 
@@ -289,18 +289,18 @@ message Bootstrap {
   // xdstp:// URL authority resolution. The algorithm is as
   // follows:
   // 1. The authority field is taken from the xdstp:// URL, call
-  //    this *resource_authority*.
-  // 2. *resource_authority* is compared against the authorities in any peer
-  //    *ConfigSource*. The peer *ConfigSource* is the configuration source
+  //    this ``resource_authority``.
+  // 2. ``resource_authority`` is compared against the authorities in any peer
+  //    ``ConfigSource``. The peer ``ConfigSource`` is the configuration source
   //    message which would have been used unconditionally for resolution
   //    with opaque resource names. If there is a match with an authority, the
-  //    peer *ConfigSource* message is used.
-  // 3. *resource_authority* is compared sequentially with the authorities in
-  //    each configuration source in *config_sources*. The first *ConfigSource*
+  //    peer ``ConfigSource`` message is used.
+  // 3. ``resource_authority`` is compared sequentially with the authorities in
+  //    each configuration source in ``config_sources``. The first ``ConfigSource``
   //    to match wins.
   // 4. As a fallback, if no configuration source matches, then
-  //    *default_config_source* is used.
-  // 5. If *default_config_source* is not specified, resolution fails.
+  //    ``default_config_source`` is used.
+  // 5. If ``default_config_source`` is not specified, resolution fails.
   // [#not-implemented-hide:]
   repeated core.v3.ConfigSource config_sources = 22;
 
@@ -350,7 +350,7 @@ message Admin {
   // The path to write the access log for the administration server. If no
   // access log is desired specify ‘/dev/null’. This is only required if
   // :ref:`address <envoy_v3_api_field_config.bootstrap.v3.Admin.address>` is set.
-  // Deprecated in favor of *access_log* which offers more options.
+  // Deprecated in favor of ``access_log`` which offers more options.
   string access_log_path = 1
       [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
 
@@ -392,7 +392,7 @@ message ClusterManager {
   // Name of the local cluster (i.e., the cluster that owns the Envoy running
   // this configuration). In order to enable :ref:`zone aware routing
   // <arch_overview_load_balancing_zone_aware_routing>` this option must be set.
-  // If *local_cluster_name* is defined then :ref:`clusters
+  // If ``local_cluster_name`` is defined then :ref:`clusters
   // <envoy_v3_api_msg_config.cluster.v3.Cluster>` must be defined in the :ref:`Bootstrap
   // static cluster resources
   // <envoy_v3_api_field_config.bootstrap.v3.Bootstrap.StaticResources.clusters>`. This is unrelated to
@@ -408,7 +408,7 @@ message ClusterManager {
   core.v3.BindConfig upstream_bind_config = 3;
 
   // A management server endpoint to stream load stats to via
-  // *StreamLoadStats*. This must have :ref:`api_type
+  // ``StreamLoadStats``. This must have :ref:`api_type
   // <envoy_v3_api_field_config.core.v3.ApiConfigSource.api_type>` :ref:`GRPC
   // <envoy_v3_api_enum_value_config.core.v3.ApiConfigSource.ApiType.GRPC>`.
   core.v3.ApiConfigSource load_stats_config = 4;
@@ -454,15 +454,15 @@ message Watchdog {
   }
 
   // Register actions that will fire on given WatchDog events.
-  // See *WatchDogAction* for priority of events.
+  // See ``WatchDogAction`` for priority of events.
   repeated WatchdogAction actions = 7;
 
   // The duration after which Envoy counts a nonresponsive thread in the
-  // *watchdog_miss* statistic. If not specified the default is 200ms.
+  // ``watchdog_miss`` statistic. If not specified the default is 200ms.
   google.protobuf.Duration miss_timeout = 1;
 
   // The duration after which Envoy counts a nonresponsive thread in the
-  // *watchdog_mega_miss* statistic. If not specified the default is
+  // ``watchdog_mega_miss`` statistic. If not specified the default is
   // 1000ms.
   google.protobuf.Duration megamiss_timeout = 2;
 
@@ -471,20 +471,20 @@ message Watchdog {
   // kill behavior. If not specified the default is 0 (disabled).
   google.protobuf.Duration kill_timeout = 3;
 
-  // Defines the maximum jitter used to adjust the *kill_timeout* if *kill_timeout* is
+  // Defines the maximum jitter used to adjust the ``kill_timeout`` if ``kill_timeout`` is
   // enabled. Enabling this feature would help to reduce risk of synchronized
   // watchdog kill events across proxies due to external triggers. Set to 0 to
   // disable. If not specified the default is 0 (disabled).
   google.protobuf.Duration max_kill_timeout_jitter = 6 [(validate.rules).duration = {gte {}}];
 
-  // If max(2, ceil(registered_threads * Fraction(*multikill_threshold*)))
+  // If ``max(2, ceil(registered_threads * Fraction(*multikill_threshold*)))``
   // threads have been nonresponsive for at least this duration kill the entire
   // Envoy process. Set to 0 to disable this behavior. If not specified the
   // default is 0 (disabled).
   google.protobuf.Duration multikill_timeout = 4;
 
-  // Sets the threshold for *multikill_timeout* in terms of the percentage of
-  // nonresponsive threads required for the *multikill_timeout*.
+  // Sets the threshold for ``multikill_timeout`` in terms of the percentage of
+  // nonresponsive threads required for the ``multikill_timeout``.
   // If not specified the default is 0.
   type.v3.Percent multikill_threshold = 5;
 }
@@ -495,7 +495,7 @@ message Watchdog {
 // have an out of band system to terminate the process.
 //
 // The interface for the extension is ``Envoy::Server::Configuration::FatalAction``.
-// *FatalAction* extensions live in the ``envoy.extensions.fatal_actions`` API
+// ``FatalAction`` extensions live in the ``envoy.extensions.fatal_actions`` API
 // namespace.
 message FatalAction {
   // Extension specific configuration for the action. It's expected to conform
@@ -575,7 +575,7 @@ message RuntimeLayer {
     option (udpa.annotations.versioning).previous_message_type =
         "envoy.config.bootstrap.v2.RuntimeLayer.RtdsLayer";
 
-    // Resource to subscribe to at *rtds_config* for the RTDS layer.
+    // Resource to subscribe to at ``rtds_config`` for the RTDS layer.
     string name = 1;
 
     // RTDS configuration source.

envoy/config/cluster/v3/cluster.proto

@@ -37,7 +37,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // [#protodoc-title: Cluster configuration]
 
-// Cluster list collections. Entries are *Cluster* resources or references.
+// Cluster list collections. Entries are ``Cluster`` resources or references.
 // [#not-implemented-hide:]
 message ClusterCollection {
   xds.core.v3.CollectionEntry entries = 1;
@@ -170,7 +170,7 @@ message Cluster {
     // Optional endpoint metadata match criteria.
     // The connection to the endpoint with metadata matching what is set in this field
     // will use the transport socket configuration specified here.
-    // The endpoint's metadata entry in *envoy.transport_socket_match* is used to match
+    // The endpoint's metadata entry in ``envoy.transport_socket_match`` is used to match
     // against the values specified in this field.
     google.protobuf.Struct match = 2;
 
@@ -297,14 +297,14 @@ message Cluster {
     // fallback_policy is
     // :ref:`DEFAULT_SUBSET<envoy_v3_api_enum_value_config.cluster.v3.Cluster.LbSubsetConfig.LbSubsetFallbackPolicy.DEFAULT_SUBSET>`.
     // Each field in default_subset is
-    // compared to the matching LbEndpoint.Metadata under the *envoy.lb*
+    // compared to the matching LbEndpoint.Metadata under the ``envoy.lb``
     // namespace. It is valid for no hosts to match, in which case the behavior
     // is the same as a fallback_policy of
     // :ref:`NO_FALLBACK<envoy_v3_api_enum_value_config.cluster.v3.Cluster.LbSubsetConfig.LbSubsetFallbackPolicy.NO_FALLBACK>`.
     google.protobuf.Struct default_subset = 2;
 
     // For each entry, LbEndpoint.Metadata's
-    // *envoy.lb* namespace is traversed and a subset is created for each unique
+    // ``envoy.lb`` namespace is traversed and a subset is created for each unique
     // combination of key and value. For example:
     //
     // .. code-block:: json
@@ -664,7 +664,7 @@ message Cluster {
     // Indicates how many many streams (rounded up) can be anticipated across a cluster for each
     // stream, useful for low QPS services. This is currently supported for a subset of
     // deterministic non-hash-based load-balancing algorithms (weighted round robin, random).
-    // Unlike *per_upstream_preconnect_ratio* this preconnects across the upstream instances in a
+    // Unlike ``per_upstream_preconnect_ratio`` this preconnects across the upstream instances in a
     // cluster, doing best effort predictions of what upstream would be picked next and
     // pre-establishing a connection.
     //
@@ -692,7 +692,7 @@ message Cluster {
   reserved "hosts", "tls_context", "extension_protocol_options";
 
   // Configuration to use different transport sockets for different endpoints.
-  // The entry of *envoy.transport_socket_match* in the
+  // The entry of ``envoy.transport_socket_match`` in the
   // :ref:`LbEndpoint.Metadata <envoy_v3_api_field_config.endpoint.v3.LbEndpoint.metadata>`
   // is used to match against the transport sockets as they appear in the list. The first
   // :ref:`match <envoy_v3_api_msg_config.cluster.v3.Cluster.TransportSocketMatch>` is used.
@@ -712,16 +712,16 @@ message Cluster {
   //    transport_socket:
   //      name: envoy.transport_sockets.raw_buffer
   //
-  // Connections to the endpoints whose metadata value under *envoy.transport_socket_match*
+  // Connections to the endpoints whose metadata value under ``envoy.transport_socket_match``
   // having "acceptMTLS"/"true" key/value pair use the "enableMTLS" socket configuration.
   //
   // If a :ref:`socket match <envoy_v3_api_msg_config.cluster.v3.Cluster.TransportSocketMatch>` with empty match
   // criteria is provided, that always match any endpoint. For example, the "defaultToPlaintext"
   // socket match in case above.
   //
-  // If an endpoint metadata's value under *envoy.transport_socket_match* does not match any
-  // *TransportSocketMatch*, socket configuration fallbacks to use the *tls_context* or
-  // *transport_socket* specified in this cluster.
+  // If an endpoint metadata's value under ``envoy.transport_socket_match`` does not match any
+  // ``TransportSocketMatch``, socket configuration fallbacks to use the ``tls_context`` or
+  // ``transport_socket`` specified in this cluster.
   //
   // This field allows gradual and flexible transport socket configuration changes.
   //
@@ -732,8 +732,8 @@ message Cluster {
   //
   // Then the xDS server can configure the CDS to a client, Envoy A, to send mutual TLS
   // traffic for endpoints with "acceptMTLS": "true", by adding a corresponding
-  // *TransportSocketMatch* in this field. Other client Envoys receive CDS without
-  // *transport_socket_match* set, and still send plain text traffic to the same cluster.
+  // ``TransportSocketMatch`` in this field. Other client Envoys receive CDS without
+  // ``transport_socket_match`` set, and still send plain text traffic to the same cluster.
   //
   // This field can be used to specify custom transport socket configurations for health
   // checks by adding matching key/value pairs in a health check's
@@ -787,7 +787,7 @@ message Cluster {
   // :ref:`STATIC<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STATIC>`,
   // :ref:`STRICT_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`
   // or :ref:`LOGICAL_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS>` clusters.
-  // This field supersedes the *hosts* field in the v2 API.
+  // This field supersedes the ``hosts`` field in the v2 API.
   //
   // .. attention::
   //
@@ -920,13 +920,13 @@ message Cluster {
   // :ref:`STRICT_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`
   // and :ref:`LOGICAL_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS>`
   // this setting is ignored.
-  // This field is deprecated in favor of *dns_resolution_config*
+  // This field is deprecated in favor of ``dns_resolution_config``
   // which aggregates all of the DNS resolver configuration in a single message.
   repeated core.v3.Address dns_resolvers = 18
       [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
 
   // Always use TCP queries instead of UDP queries for DNS lookups.
-  // This field is deprecated in favor of *dns_resolution_config*
+  // This field is deprecated in favor of ``dns_resolution_config``
   // which aggregates all of the DNS resolver configuration in a single message.
   bool use_tcp_for_dns_lookups = 45
       [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
@@ -941,12 +941,12 @@ message Cluster {
   // or any other DNS resolver types and the related parameters.
   // For example, an object of
   // :ref:`CaresDnsResolverConfig <envoy_v3_api_msg_extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig>`
-  // can be packed into this *typed_dns_resolver_config*. This configuration replaces the
+  // can be packed into this ``typed_dns_resolver_config``. This configuration replaces the
   // :ref:`dns_resolution_config <envoy_v3_api_field_config.cluster.v3.Cluster.dns_resolution_config>`
   // configuration.
-  // During the transition period when both *dns_resolution_config* and *typed_dns_resolver_config* exists,
-  // when *typed_dns_resolver_config* is in place, Envoy will use it and ignore *dns_resolution_config*.
-  // When *typed_dns_resolver_config* is missing, the default behavior is in place.
+  // During the transition period when both ``dns_resolution_config`` and ``typed_dns_resolver_config`` exists,
+  // when ``typed_dns_resolver_config`` is in place, Envoy will use it and ignore ``dns_resolution_config``.
+  // When ``typed_dns_resolver_config`` is missing, the default behavior is in place.
   // [#extension-category: envoy.network.dns_resolver]
   core.v3.TypedExtensionConfig typed_dns_resolver_config = 55;
 
@@ -1024,7 +1024,7 @@ message Cluster {
   // cluster. It can be used for stats, logging, and varying filter behavior.
   // Fields should use reverse DNS notation to denote which entity within Envoy
   // will need the information. For instance, if the metadata is intended for
-  // the Router filter, the filter name should be specified as *envoy.filters.http.router*.
+  // the Router filter, the filter name should be specified as ``envoy.filters.http.router``.
   core.v3.Metadata metadata = 25;
 
   // Determines how Envoy selects the protocol used to speak to upstream hosts.

envoy/config/common/mutation_rules/v3/mutation_rules.proto

@@ -25,51 +25,51 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // denoted by an x-envoy prefix) or specific headers that may affect
 // further filter processing:
 //
-// * host
-// * :authority
-// * :scheme
-// * :method
+// * ``host``
+// * ``:authority``
+// * ``:scheme``
+// * ``:method``
 //
 // Every attempt to add, change, append, or remove a header will be
 // tested against the rules here. Disallowed header mutations will be
-// ignored unless *disallow_is_error* is set to true.
+// ignored unless ``disallow_is_error`` is set to true.
 //
 // Attempts to remove headers are further constrained -- regardless of the
-// settings, system-defined headers (that start with ":") and the "host"
+// settings, system-defined headers (that start with ``:``) and the ``host``
 // header may never be removed.
 //
 // In addition, a counter will be incremented whenever a mutation is
 // rejected. In the ext_proc filter, that counter is named
-// "rejected_header_mutations".
+// ``rejected_header_mutations``.
 // [#next-free-field: 8]
 message HeaderMutationRules {
   // By default, certain headers that could affect processing of subsequent
   // filters or request routing cannot be modified. These headers are
-  // "host", ":authority", ":scheme", and ":method". Setting this parameter
+  // ``host``, ``:authority``, ``:scheme``, and ``:method``. Setting this parameter
   // to true allows these headers to be modified as well.
   google.protobuf.BoolValue allow_all_routing = 1;
 
   // If true, allow modification of envoy internal headers. By default, these
-  // start with "x-envoy" but this may be overridden in the *Bootstrap*
+  // start with ``x-envoy`` but this may be overridden in the ``Bootstrap``
   // configuration using the
   // :ref:`header_prefix <envoy_v3_api_field_config.bootstrap.v3.Bootstrap.header_prefix>`
   // field. Default is false.
   google.protobuf.BoolValue allow_envoy = 2;
 
   // If true, prevent modification of any system header, defined as a header
-  // that starts with a ":" character, regardless of any other settings.
-  // A processing server may still override the ":status" of an HTTP response
-  // using an *ImmediateResponse* message. Default is false.
+  // that starts with a ``:`` character, regardless of any other settings.
+  // A processing server may still override the ``:status`` of an HTTP response
+  // using an ``ImmediateResponse`` message. Default is false.
   google.protobuf.BoolValue disallow_system = 3;
 
   // If true, prevent modifications of all header values, regardless of any
-  // other settings. A processing server may still override the ":status"
-  // of an HTTP response using an *ImmediateResponse* message. Default is false.
+  // other settings. A processing server may still override the ``:status``
+  // of an HTTP response using an ``ImmediateResponse`` message. Default is false.
   google.protobuf.BoolValue disallow_all = 4;
 
   // If set, specifically allow any header that matches this regular
   // expression. This overrides all other settings except for
-  // *disallow_expression*.
+  // ``disallow_expression``.
   type.matcher.v3.RegexMatcher allow_expression = 5;
 
   // If set, specifically disallow any header that matches this regular
@@ -80,7 +80,7 @@ message HeaderMutationRules {
   // disallowed, then the filter using this configuration will terminate the
   // request with a 500 error. In addition, regardless of the setting of this
   // parameter, any attempt to set, add, or modify a disallowed header will
-  // cause the "rejected_header_mutations" counter to be incremented.
+  // cause the ``rejected_header_mutations`` counter to be incremented.
   // Default is false.
   google.protobuf.BoolValue disallow_is_error = 7;
 }

envoy/config/core/v3/address.proto

@@ -62,8 +62,8 @@ message SocketAddress {
   // within an upstream :ref:`BindConfig <envoy_v3_api_msg_config.core.v3.BindConfig>`, the address
   // controls the source address of outbound connections. For :ref:`clusters
   // <envoy_v3_api_msg_config.cluster.v3.Cluster>`, the cluster type determines whether the
-  // address must be an IP (*STATIC* or *EDS* clusters) or a hostname resolved by DNS
-  // (*STRICT_DNS* or *LOGICAL_DNS* clusters). Address resolution can be customized
+  // address must be an IP (``STATIC`` or ``EDS`` clusters) or a hostname resolved by DNS
+  // (``STRICT_DNS`` or ``LOGICAL_DNS`` clusters). Address resolution can be customized
   // via :ref:`resolver_name <envoy_v3_api_field_config.core.v3.SocketAddress.resolver_name>`.
   string address = 2 [(validate.rules).string = {min_len: 1}];
 
@@ -82,7 +82,7 @@ message SocketAddress {
   // this is empty, a context dependent default applies. If the address is a concrete
   // IP address, no resolution will occur. If address is a hostname this
   // should be set for resolution other than DNS. Specifying a custom resolver with
-  // *STRICT_DNS* or *LOGICAL_DNS* will generate an error at runtime.
+  // ``STRICT_DNS`` or ``LOGICAL_DNS`` will generate an error at runtime.
   string resolver_name = 5;
 
   // When binding to an IPv6 address above, this enables `IPv4 compatibility
@@ -116,11 +116,11 @@ message BindConfig {
   // The address to bind to when creating a socket.
   SocketAddress source_address = 1 [(validate.rules).message = {required: true}];
 
-  // Whether to set the *IP_FREEBIND* option when creating the socket. When this
+  // Whether to set the ``IP_FREEBIND`` option when creating the socket. When this
   // flag is set to true, allows the :ref:`source_address
   // <envoy_v3_api_field_config.cluster.v3.UpstreamBindConfig.source_address>` to be an IP address
   // that is not configured on the system running Envoy. When this flag is set
-  // to false, the option *IP_FREEBIND* is disabled on the socket. When this
+  // to false, the option ``IP_FREEBIND`` is disabled on the socket. When this
   // flag is not set (default), the socket is not modified, i.e. the option is
   // neither enabled nor disabled.
   google.protobuf.BoolValue freebind = 2;

envoy/config/core/v3/base.proto

@@ -239,20 +239,20 @@ message Node {
 message Metadata {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.Metadata";
 
-  // Key is the reverse DNS filter name, e.g. com.acme.widget. The envoy.*
+  // Key is the reverse DNS filter name, e.g. com.acme.widget. The ``envoy.*``
   // namespace is reserved for Envoy's built-in filters.
-  // If both *filter_metadata* and
+  // If both ``filter_metadata`` and
   // :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>`
   // fields are present in the metadata with same keys,
-  // only *typed_filter_metadata* field will be parsed.
+  // only ``typed_filter_metadata`` field will be parsed.
   map<string, google.protobuf.Struct> filter_metadata = 1;
 
-  // Key is the reverse DNS filter name, e.g. com.acme.widget. The envoy.*
+  // Key is the reverse DNS filter name, e.g. com.acme.widget. The ``envoy.*``
   // namespace is reserved for Envoy's built-in filters.
   // The value is encoded as google.protobuf.Any.
   // If both :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>`
-  // and *typed_filter_metadata* fields are present in the metadata with same keys,
-  // only *typed_filter_metadata* field will be parsed.
+  // and ``typed_filter_metadata`` fields are present in the metadata with same keys,
+  // only ``typed_filter_metadata`` field will be parsed.
   map<string, google.protobuf.Any> typed_filter_metadata = 2;
 }
 

envoy/config/core/v3/config_source.proto

@@ -168,7 +168,7 @@ message PathConfigSource {
   //
   // .. note::
   //
-  //   If ``watched_directory`` is *not* configured, Envoy will watch the file path for *moves.*
+  //   If ``watched_directory`` is *not* configured, Envoy will watch the file path for *moves*.
   //   This is because in general only moves are atomic. The same method of swapping files as is
   //   demonstrated in the :ref:`runtime documentation <config_runtime_symbolic_link_swap>` can be
   //   used here also. If ``watched_directory`` is configured, no watch will be placed directly on
@@ -176,7 +176,7 @@ message PathConfigSource {
   //   this path. This is required in certain deployment scenarios. See below for more information.
   string path = 1 [(validate.rules).string = {min_len: 1}];
 
-  // If configured, this directory will be watched for *moves.* When an entry in this directory is
+  // If configured, this directory will be watched for *moves*. When an entry in this directory is
   // moved to, the ``path`` will be reloaded. This is required in certain deployment scenarios.
   //
   // Specifically, if trying to load an xDS resource using a
@@ -203,7 +203,7 @@ message ConfigSource {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.ConfigSource";
 
   // Authorities that this config source may be used for. An authority specified in a xdstp:// URL
-  // is resolved to a *ConfigSource* prior to configuration fetch. This field provides the
+  // is resolved to a ``ConfigSource`` prior to configuration fetch. This field provides the
   // association between authority name and configuration source.
   // [#not-implemented-hide:]
   repeated xds.core.v3.Authority authorities = 7;

envoy/config/core/v3/extension.proto

@@ -23,9 +23,9 @@ message TypedExtensionConfig {
   string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // The typed config for the extension. The type URL will be used to identify
-  // the extension. In the case that the type URL is *xds.type.v3.TypedStruct*
-  // (or, for historical reasons, *udpa.type.v1.TypedStruct*), the inner type
-  // URL of *TypedStruct* will be utilized. See the
+  // the extension. In the case that the type URL is ``xds.type.v3.TypedStruct``
+  // (or, for historical reasons, ``udpa.type.v1.TypedStruct``), the inner type
+  // URL of ``TypedStruct`` will be utilized. See the
   // :ref:`extension configuration overview
   // <config_overview_extension_configuration>` for further details.
   google.protobuf.Any typed_config = 2 [(validate.rules).any = {required: true}];

envoy/config/core/v3/health_check.proto

@@ -30,7 +30,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // Endpoint health status.
 enum HealthStatus {
-  // The health status is not known. This is interpreted by Envoy as *HEALTHY*.
+  // The health status is not known. This is interpreted by Envoy as ``HEALTHY``.
   UNKNOWN = 0;
 
   // Healthy.
@@ -43,11 +43,11 @@ enum HealthStatus {
   // `<https://aws.amazon.com/blogs/aws/elb-connection-draining-remove-instances-from-service-with-care/>`_
   // or
   // `<https://cloud.google.com/compute/docs/load-balancing/enabling-connection-draining>`_.
-  // This is interpreted by Envoy as *UNHEALTHY*.
+  // This is interpreted by Envoy as ``UNHEALTHY``.
   DRAINING = 3;
 
   // Health check timed out. This is part of HDS and is interpreted by Envoy as
-  // *UNHEALTHY*.
+  // ``UNHEALTHY``.
   TIMEOUT = 4;
 
   // Degraded.
@@ -96,7 +96,7 @@ message HealthCheck {
     string host = 1 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
 
     // Specifies the HTTP path that will be requested during health checking. For example
-    // */healthcheck*.
+    // ``/healthcheck``.
     string path = 2
         [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}];
 
@@ -260,15 +260,15 @@ message HealthCheck {
   google.protobuf.Duration interval_jitter = 3;
 
   // An optional jitter amount as a percentage of interval_ms. If specified,
-  // during every interval Envoy will add interval_ms *
-  // interval_jitter_percent / 100 to the wait time.
+  // during every interval Envoy will add ``interval_ms`` *
+  // ``interval_jitter_percent`` / 100 to the wait time.
   //
   // If interval_jitter_ms and interval_jitter_percent are both set, both of
   // them will be used to increase the wait time.
   uint32 interval_jitter_percent = 18;
 
   // The number of unhealthy health checks required before a host is marked
-  // unhealthy. Note that for *http* health checking if a host responds with a code not in
+  // unhealthy. Note that for ``http`` health checking if a host responds with a code not in
   // :ref:`expected_statuses <envoy_v3_api_field_config.core.v3.HealthCheck.HttpHealthCheck.expected_statuses>`
   // or :ref:`retriable_statuses <envoy_v3_api_field_config.core.v3.HealthCheck.HttpHealthCheck.retriable_statuses>`,
   // this threshold is ignored and the host is considered immediately unhealthy.
@@ -386,7 +386,7 @@ message HealthCheck {
   //      name: envoy.transport_sockets.tls
   //      config: { ... } # tls socket configuration
   //
-  // If this field is set, then for health checks it will supersede an entry of *envoy.transport_socket* in the
+  // If this field is set, then for health checks it will supersede an entry of ``envoy.transport_socket`` in the
   // :ref:`LbEndpoint.Metadata <envoy_v3_api_field_config.endpoint.v3.LbEndpoint.metadata>`.
   // This allows using different transport socket capabilities for health checking versus proxying to the
   // endpoint.

envoy/config/core/v3/protocol.proto

@@ -75,9 +75,9 @@ message QuicProtocolOptions {
   google.protobuf.UInt32Value initial_stream_window_size = 2
       [(validate.rules).uint32 = {lte: 16777216 gte: 1}];
 
-  // Similar to *initial_stream_window_size*, but for connection-level
+  // Similar to ``initial_stream_window_size``, but for connection-level
   // flow-control. Valid values rage from 1 to 25165824 (24MB, maximum supported by QUICHE) and defaults to 65536 (2^16).
-  // window. Currently, this has the same minimum/default as *initial_stream_window_size*.
+  // window. Currently, this has the same minimum/default as ``initial_stream_window_size``.
   //
   // NOTE: 16384 (2^14) is the minimum window size supported in Google QUIC. We only support increasing the default
   // window size now, so it's also the minimum.
@@ -282,18 +282,18 @@ message Http1ProtocolOptions {
   // Handle HTTP requests with absolute URLs in the requests. These requests
   // are generally sent by clients to forward/explicit proxies. This allows clients to configure
   // envoy as their HTTP proxy. In Unix, for example, this is typically done by setting the
-  // *http_proxy* environment variable.
+  // ``http_proxy`` environment variable.
   google.protobuf.BoolValue allow_absolute_url = 1;
 
   // Handle incoming HTTP/1.0 and HTTP 0.9 requests.
   // This is off by default, and not fully standards compliant. There is support for pre-HTTP/1.1
   // style connect logic, dechunking, and handling lack of client host iff
-  // *default_host_for_http_10* is configured.
+  // ``default_host_for_http_10`` is configured.
   bool accept_http_10 = 2;
 
-  // A default host for HTTP/1.0 requests. This is highly suggested if *accept_http_10* is true as
+  // A default host for HTTP/1.0 requests. This is highly suggested if ``accept_http_10`` is true as
   // Envoy does not otherwise support HTTP/1.0 without a Host header.
-  // This is a no-op if *accept_http_10* is not true.
+  // This is a no-op if ``accept_http_10`` is not true.
   string default_host_for_http_10 = 3;
 
   // Describes how the keys for response headers should be formatted. By default, all header keys
@@ -425,8 +425,8 @@ message Http2ProtocolOptions {
   google.protobuf.UInt32Value initial_stream_window_size = 3
       [(validate.rules).uint32 = {lte: 2147483647 gte: 65535}];
 
-  // Similar to *initial_stream_window_size*, but for connection-level flow-control
-  // window. Currently, this has the same minimum/maximum/default as *initial_stream_window_size*.
+  // Similar to ``initial_stream_window_size``, but for connection-level flow-control
+  // window. Currently, this has the same minimum/maximum/default as ``initial_stream_window_size``.
   google.protobuf.UInt32Value initial_connection_window_size = 4
       [(validate.rules).uint32 = {lte: 2147483647 gte: 65535}];
 
@@ -466,7 +466,7 @@ message Http2ProtocolOptions {
   // of PRIORITY frames received over the lifetime of connection exceeds the value calculated
   // using this formula::
   //
-  //   max_inbound_priority_frames_per_stream * (1 + opened_streams)
+  //   ``max_inbound_priority_frames_per_stream`` * (1 + ``opened_streams``)
   //
   // the connection is terminated. For downstream connections the ``opened_streams`` is incremented when
   // Envoy receives complete response headers from the upstream server. For upstream connection the
@@ -479,8 +479,8 @@ message Http2ProtocolOptions {
   // of WINDOW_UPDATE frames received over the lifetime of connection exceeds the value calculated
   // using this formula::
   //
-  //   5 + 2 * (opened_streams +
-  //            max_inbound_window_update_frames_per_data_frame_sent * outbound_data_frames)
+  //   5 + 2 * (``opened_streams`` +
+  //            ``max_inbound_window_update_frames_per_data_frame_sent`` * ``outbound_data_frames``)
   //
   // the connection is terminated. For downstream connections the ``opened_streams`` is incremented when
   // Envoy receives complete response headers from the upstream server. For upstream connections the

envoy/config/core/v3/substitution_format_string.proto

@@ -97,9 +97,9 @@ message SubstitutionFormatString {
   // * for ``json_format`` the keys with null values are omitted in the output structure.
   bool omit_empty_values = 3;
 
-  // Specify a *content_type* field.
-  // If this field is not set then ``text/plain`` is used for *text_format* and
-  // ``application/json`` is used for *json_format*.
+  // Specify a ``content_type`` field.
+  // If this field is not set then ``text/plain`` is used for ``text_format`` and
+  // ``application/json`` is used for ``json_format``.
   //
   // .. validated-code-block:: yaml
   //   :type-name: envoy.config.core.v3.SubstitutionFormatString

envoy/config/endpoint/v3/endpoint_components.proto

@@ -91,8 +91,8 @@ message LbEndpoint {
 
   // The endpoint metadata specifies values that may be used by the load
   // balancer to select endpoints in a cluster for a given request. The filter
-  // name should be specified as *envoy.lb*. An example boolean key-value pair
-  // is *canary*, providing the optional canary status of the upstream host.
+  // name should be specified as ``envoy.lb``. An example boolean key-value pair
+  // is ``canary``, providing the optional canary status of the upstream host.
   // This may be matched against in a route's
   // :ref:`RouteAction <envoy_v3_api_msg_config.route.v3.RouteAction>` metadata_match field
   // to subset the endpoints considered in cluster load balancing.
@@ -140,13 +140,13 @@ message LocalityLbEndpoints {
 
   // The group of endpoints belonging to the locality specified.
   // [#comment:TODO(adisuissa): Once LEDS is implemented this field needs to be
-  // deprecated and replaced by *load_balancer_endpoints*.]
+  // deprecated and replaced by ``load_balancer_endpoints``.]
   repeated LbEndpoint lb_endpoints = 2;
 
   // [#not-implemented-hide:]
   oneof lb_config {
     // The group of endpoints belonging to the locality.
-    // [#comment:TODO(adisuissa): Once LEDS is implemented the *lb_endpoints* field
+    // [#comment:TODO(adisuissa): Once LEDS is implemented the ``lb_endpoints`` field
     // needs to be deprecated.]
     LbEndpointList load_balancer_endpoints = 7;
 

envoy/config/endpoint/v3/load_report.proto

@@ -161,8 +161,8 @@ message ClusterStats {
   repeated DroppedRequests dropped_requests = 5;
 
   // Period over which the actual load report occurred. This will be guaranteed to include every
-  // request reported. Due to system load and delays between the *LoadStatsRequest* sent from Envoy
-  // and the *LoadStatsResponse* message sent from the management server, this may be longer than
-  // the requested load reporting interval in the *LoadStatsResponse*.
+  // request reported. Due to system load and delays between the ``LoadStatsRequest`` sent from Envoy
+  // and the ``LoadStatsResponse`` message sent from the management server, this may be longer than
+  // the requested load reporting interval in the ``LoadStatsResponse``.
   google.protobuf.Duration load_report_interval = 4;
 }

envoy/config/listener/v3/listener.proto

@@ -39,7 +39,7 @@ message AdditionalAddress {
   core.v3.Address address = 1;
 }
 
-// Listener list collections. Entries are *Listener* resources or references.
+// Listener list collections. Entries are ``Listener`` resources or references.
 // [#not-implemented-hide:]
 message ListenerCollection {
   repeated xds.core.v3.CollectionEntry entries = 1;
@@ -118,7 +118,7 @@ message Listener {
   // The address that the listener should listen on. In general, the address must be unique, though
   // that is governed by the bind rules of the OS. E.g., multiple listeners can listen on port 0 on
   // Linux as the actual port will be allocated by the OS.
-  // Required unless *api_listener* or *listener_specifier* is populated.
+  // Required unless ``api_listener`` or ``listener_specifier`` is populated.
   core.v3.Address address = 2;
 
   // The additional addresses the listener should listen on. The addresses must be unique across all
@@ -160,7 +160,7 @@ message Listener {
   xds.type.matcher.v3.Matcher filter_chain_matcher = 32
       [(xds.annotations.v3.field_status).work_in_progress = true];
 
-  // If a connection is redirected using *iptables*, the port on which the proxy
+  // If a connection is redirected using ``iptables``, the port on which the proxy
   // receives it might be different from the original destination address. When this flag is set to
   // true, the listener hands off redirected connections to the listener associated with the
   // original destination address. If there is no listener associated with the original destination
@@ -213,24 +213,24 @@ message Listener {
 
   // Whether the listener should be set as a transparent socket.
   // When this flag is set to true, connections can be redirected to the listener using an
-  // *iptables* *TPROXY* target, in which case the original source and destination addresses and
+  // ``iptables`` ``TPROXY`` target, in which case the original source and destination addresses and
   // ports are preserved on accepted connections. This flag should be used in combination with
   // :ref:`an original_dst <config_listener_filters_original_dst>` :ref:`listener filter
   // <envoy_v3_api_field_config.listener.v3.Listener.listener_filters>` to mark the connections' local addresses as
   // "restored." This can be used to hand off each redirected connection to another listener
   // associated with the connection's destination address. Direct connections to the socket without
-  // using *TPROXY* cannot be distinguished from connections redirected using *TPROXY* and are
+  // using ``TPROXY`` cannot be distinguished from connections redirected using ``TPROXY`` and are
   // therefore treated as if they were redirected.
   // When this flag is set to false, the listener's socket is explicitly reset as non-transparent.
-  // Setting this flag requires Envoy to run with the *CAP_NET_ADMIN* capability.
+  // Setting this flag requires Envoy to run with the ``CAP_NET_ADMIN`` capability.
   // When this flag is not set (default), the socket is not modified, i.e. the transparent option
   // is neither set nor reset.
   google.protobuf.BoolValue transparent = 10;
 
-  // Whether the listener should set the *IP_FREEBIND* socket option. When this
+  // Whether the listener should set the ``IP_FREEBIND`` socket option. When this
   // flag is set to true, listeners can be bound to an IP address that is not
   // configured on the system running Envoy. When this flag is set to false, the
-  // option *IP_FREEBIND* is disabled on the socket. When this flag is not set
+  // option ``IP_FREEBIND`` is disabled on the socket. When this flag is not set
   // (default), the socket is not modified, i.e. the option is neither enabled
   // nor disabled.
   google.protobuf.BoolValue freebind = 11;
@@ -298,7 +298,7 @@ message Listener {
   // Deprecated. Use ``enable_reuse_port`` instead.
   bool reuse_port = 21 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
 
-  // When this flag is set to true, listeners set the *SO_REUSEPORT* socket option and
+  // When this flag is set to true, listeners set the ``SO_REUSEPORT`` socket option and
   // create one socket for each worker thread. This makes inbound connections
   // distribute among worker threads roughly evenly in cases where there are a high number
   // of connections. When this flag is set to false, all worker threads share one socket. This field

envoy/config/metrics/v3/metrics_service.proto

@@ -19,7 +19,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // [#protodoc-title: Metrics service]
 
-// Metrics Service is configured as a built-in *envoy.stat_sinks.metrics_service* :ref:`StatsSink
+// Metrics Service is configured as a built-in ``envoy.stat_sinks.metrics_service`` :ref:`StatsSink
 // <envoy_v3_api_msg_config.metrics.v3.StatsSink>`. This opaque configuration will be used to create
 // Metrics Service.
 //

envoy/config/metrics/v3/stats.proto

@@ -299,7 +299,7 @@ message HistogramBucketSettings {
   }];
 }
 
-// Stats configuration proto schema for built-in *envoy.stat_sinks.statsd* sink. This sink does not support
+// Stats configuration proto schema for built-in ``envoy.stat_sinks.statsd`` sink. This sink does not support
 // tagged metrics.
 // [#extension: envoy.stat_sinks.statsd]
 message StatsdSink {
@@ -348,7 +348,7 @@ message StatsdSink {
   string prefix = 3;
 }
 
-// Stats configuration proto schema for built-in *envoy.stat_sinks.dog_statsd* sink.
+// Stats configuration proto schema for built-in ``envoy.stat_sinks.dog_statsd`` sink.
 // The sink emits stats with `DogStatsD <https://docs.datadoghq.com/guides/dogstatsd/>`_
 // compatible tags. Tags are configurable via :ref:`StatsConfig
 // <envoy_v3_api_msg_config.metrics.v3.StatsConfig>`.
@@ -380,7 +380,7 @@ message DogStatsdSink {
   google.protobuf.UInt64Value max_bytes_per_datagram = 4 [(validate.rules).uint64 = {gt: 0}];
 }
 
-// Stats configuration proto schema for built-in *envoy.stat_sinks.hystrix* sink.
+// Stats configuration proto schema for built-in ``envoy.stat_sinks.hystrix`` sink.
 // The sink emits stats in `text/event-stream
 // <https://developer.mozilla.org/en-US/docs/Web/API/Server-sent_events/Using_server-sent_events>`_
 // formatted stream for use by `Hystrix dashboard
@@ -401,7 +401,7 @@ message HystrixSink {
   // in the process). The sink then outputs the aggregate statistics across the
   // current rolling window to the event stream(s).
   //
-  // rolling_window(ms) = stats_flush_interval(ms) * num_of_buckets
+  // ``rolling_window(ms)`` = ``stats_flush_interval(ms)`` * ``num_of_buckets``
   //
   // More detailed explanation can be found in `Hystrix wiki
   // <https://github.com/Netflix/Hystrix/wiki/Metrics-and-Monitoring#hystrixrollingnumber>`_.

envoy/config/rbac/v3/rbac.proto

@@ -39,10 +39,10 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 //
 // Here is an example of RBAC configuration. It has two policies:
 //
-// * Service account "cluster.local/ns/default/sa/admin" has full access to the service, and so
+// * Service account ``cluster.local/ns/default/sa/admin`` has full access to the service, and so
 //   does "cluster.local/ns/default/sa/superuser".
 //
-// * Any user can read ("GET") the service at paths with prefix "/products", so long as the
+// * Any user can read (``GET``) the service at paths with prefix ``/products``, so long as the
 //   destination port is either 80 or 443.
 //
 //  .. code-block:: yaml
@@ -99,13 +99,13 @@ message RBAC {
   //
   // Actions:
   //
-  //  * ALLOW: Allows the request if and only if there is a policy that matches
+  //  * ``ALLOW``: Allows the request if and only if there is a policy that matches
   //    the request.
-  //  * DENY: Allows the request if and only if there are no policies that
+  //  * ``DENY``: Allows the request if and only if there are no policies that
   //    match the request.
-  //  * LOG: Allows all requests. If at least one policy matches, the dynamic
+  //  * ``LOG``: Allows all requests. If at least one policy matches, the dynamic
   //    metadata key ``access_log_hint`` is set to the value ``true`` under the shared
-  //    key namespace 'envoy.common'. If no policies match, it is set to ``false``.
+  //    key namespace ``envoy.common``. If no policies match, it is set to ``false``.
   //    Other actions do not modify this key.
   //
   Action action = 1 [(validate.rules).enum = {defined_only: true}];
@@ -321,12 +321,12 @@ message Action {
   //
   // Actions:
   //
-  //  * ALLOW: If the request gets matched on ALLOW, it is permitted.
-  //  * DENY: If the request gets matched on DENY, it is not permitted.
-  //  * LOG: If the request gets matched on LOG, it is permitted. Besides, the
+  //  * ``ALLOW``: If the request gets matched on ALLOW, it is permitted.
+  //  * ``DENY``: If the request gets matched on DENY, it is not permitted.
+  //  * ``LOG``: If the request gets matched on LOG, it is permitted. Besides, the
   //    dynamic metadata key ``access_log_hint`` under the shared key namespace
-  //    'envoy.common' will be set to the value ``true``.
-  //  * If the request cannot get matched, it will fallback to DENY.
+  //    ``envoy.common`` will be set to the value ``true``.
+  //  * If the request cannot get matched, it will fallback to ``DENY``.
   //
   // Log behavior:
   //

envoy/config/route/v3/route.proto

@@ -36,10 +36,10 @@ message RouteConfiguration {
   repeated VirtualHost virtual_hosts = 2;
 
   // An array of virtual hosts will be dynamically loaded via the VHDS API.
-  // Both *virtual_hosts* and *vhds* fields will be used when present. *virtual_hosts* can be used
-  // for a base routing table or for infrequently changing virtual hosts. *vhds* is used for
+  // Both ``virtual_hosts`` and ``vhds`` fields will be used when present. ``virtual_hosts`` can be used
+  // for a base routing table or for infrequently changing virtual hosts. ``vhds`` is used for
   // on-demand discovery of virtual hosts. The contents of these two fields will be merged to
-  // generate a routing table for a given RouteConfiguration, with *vhds* derived configuration
+  // generate a routing table for a given RouteConfiguration, with ``vhds`` derived configuration
   // taking precedence.
   Vhds vhds = 9;
 
@@ -122,7 +122,7 @@ message RouteConfiguration {
 
   // A list of plugins and their configurations which may be used by a
   // :ref:`cluster specifier plugin name <envoy_v3_api_field_config.route.v3.RouteAction.cluster_specifier_plugin>`
-  // within the route. All *extension.name* fields in this list must be unique.
+  // within the route. All ``extension.name`` fields in this list must be unique.
   repeated ClusterSpecifierPlugin cluster_specifier_plugins = 12;
 
   // Specify a set of default request mirroring policies which apply to all routes under its virtual hosts.

envoy/config/route/v3/route_components.proto

@@ -148,7 +148,7 @@ message VirtualHost {
   // The per_filter_config field can be used to provide virtual host-specific configurations for filters.
   // The key should match the :ref:`filter config name
   // <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpFilter.name>`.
-  // The canonical filter name (e.g., *envoy.filters.http.buffer* for the HTTP buffer filter) can also
+  // The canonical filter name (e.g., ``envoy.filters.http.buffer`` for the HTTP buffer filter) can also
   // be used for the backwards compatibility. If there is no entry referred by the filter config name, the
   // entry referred by the canonical filter name will be provided to the filters as fallback.
   //
@@ -267,7 +267,7 @@ message Route {
   // about the route. It can be used for configuration, stats, and logging.
   // The metadata should go under the filter namespace that will need it.
   // For instance, if the metadata is intended for the Router filter,
-  // the filter name should be specified as *envoy.filters.http.router*.
+  // the filter name should be specified as ``envoy.filters.http.router``.
   core.v3.Metadata metadata = 4;
 
   // Decorator for the matched route.
@@ -276,7 +276,7 @@ message Route {
   // The per_filter_config field can be used to provide route-specific configurations for filters.
   // The key should match the :ref:`filter config name
   // <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpFilter.name>`.
-  // The canonical filter name (e.g., *envoy.filters.http.buffer* for the HTTP buffer filter) can also
+  // The canonical filter name (e.g., ``envoy.filters.http.buffer`` for the HTTP buffer filter) can also
   // be used for the backwards compatibility. If there is no entry referred by the filter config name, the
   // entry referred by the canonical filter name will be provided to the filters as fallback.
   //
@@ -360,13 +360,13 @@ message WeightedCluster {
 
     reserved "per_filter_config";
 
-    // Only one of *name* and *cluster_header* may be specified.
+    // Only one of ``name`` and ``cluster_header`` may be specified.
     // [#next-major-version: Need to add back the validation rule: (validate.rules).string = {min_len: 1}]
     // Name of the upstream cluster. The cluster must exist in the
     // :ref:`cluster manager configuration <config_cluster_manager>`.
     string name = 1 [(udpa.annotations.field_migrate).oneof_promotion = "cluster_specifier"];
 
-    // Only one of *name* and *cluster_header* may be specified.
+    // Only one of ``name`` and ``cluster_header`` may be specified.
     // [#next-major-version: Need to add back the validation rule: (validate.rules).string = {min_len: 1 }]
     // Envoy will determine the cluster to route to by reading the value of the
     // HTTP header named by cluster_header from the request headers. If the
@@ -375,8 +375,8 @@ message WeightedCluster {
     //
     // .. attention::
     //
-    //   Internally, Envoy always uses the HTTP/2 *:authority* header to represent the HTTP/1
-    //   *Host* header. Thus, if attempting to match on *Host*, match on *:authority* instead.
+    //   Internally, Envoy always uses the HTTP/2 ``:authority`` header to represent the HTTP/1
+    //   ``Host`` header. Thus, if attempting to match on ``Host``, match on ``:authority`` instead.
     //
     // .. note::
     //
@@ -396,7 +396,7 @@ message WeightedCluster {
     // the upstream cluster with metadata matching what is set in this field will be considered for
     // load balancing. Note that this will be merged with what's provided in
     // :ref:`RouteAction.metadata_match <envoy_v3_api_field_config.route.v3.RouteAction.metadata_match>`, with
-    // values here taking precedence. The filter name should be specified as *envoy.lb*.
+    // values here taking precedence. The filter name should be specified as ``envoy.lb``.
     core.v3.Metadata metadata_match = 3;
 
     // Specifies a list of headers to be added to requests when this cluster is selected
@@ -435,7 +435,7 @@ message WeightedCluster {
     // for filters.
     // The key should match the :ref:`filter config name
     // <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpFilter.name>`.
-    // The canonical filter name (e.g., *envoy.filters.http.buffer* for the HTTP buffer filter) can also
+    // The canonical filter name (e.g., ``envoy.filters.http.buffer`` for the HTTP buffer filter) can also
     // be used for the backwards compatibility. If there is no entry referred by the filter config name, the
     // entry referred by the canonical filter name will be provided to the filters as fallback.
     //
@@ -462,10 +462,10 @@ message WeightedCluster {
   google.protobuf.UInt32Value total_weight = 3;
 
   // Specifies the runtime key prefix that should be used to construct the
-  // runtime keys associated with each cluster. When the *runtime_key_prefix* is
+  // runtime keys associated with each cluster. When the ``runtime_key_prefix`` is
   // specified, the router will look for weights associated with each upstream
-  // cluster under the key *runtime_key_prefix* + "." + *cluster[i].name* where
-  // *cluster[i]* denotes an entry in the clusters array field. If the runtime
+  // cluster under the key ``runtime_key_prefix`` + ``.`` + ``cluster[i].name`` where
+  // ``cluster[i]`` denotes an entry in the clusters array field. If the runtime
   // key for the cluster does not exist, the value specified in the
   // configuration file will be used as the default weight. See the :ref:`runtime documentation
   // <operations_runtime>` for how key names map to the underlying implementation.
@@ -529,17 +529,17 @@ message RouteMatch {
     option (validate.required) = true;
 
     // If specified, the route is a prefix rule meaning that the prefix must
-    // match the beginning of the *:path* header.
+    // match the beginning of the ``:path`` header.
     string prefix = 1;
 
     // If specified, the route is an exact path rule meaning that the path must
-    // exactly match the *:path* header once the query string is removed.
+    // exactly match the ``:path`` header once the query string is removed.
     string path = 2;
 
     // If specified, the route is a regular expression rule meaning that the
-    // regex must match the *:path* header once the query string is removed. The entire path
+    // regex must match the ``:path`` header once the query string is removed. The entire path
     // (without the query string) must match the regex. The rule will not match if only a
-    // subsequence of the *:path* header matches the regex.
+    // subsequence of the ``:path`` header matches the regex.
     //
     // [#next-major-version: In the v3 API we should redo how path specification works such
     // that we utilize StringMatcher, and additionally have consistent options around whether we
@@ -632,9 +632,9 @@ message RouteMatch {
   repeated HeaderMatcher headers = 6;
 
   // Specifies a set of URL query parameters on which the route should
-  // match. The router will check the query string from the *path* header
+  // match. The router will check the query string from the ``path`` header
   // against all the specified query parameters. If the number of specified
-  // query parameters is nonzero, they all must match the *path* header's
+  // query parameters is nonzero, they all must match the ``path`` header's
   // query string for a match to occur.
   //
   // .. note::
@@ -676,16 +676,16 @@ message CorsPolicy {
   // string matchers match.
   repeated type.matcher.v3.StringMatcher allow_origin_string_match = 11;
 
-  // Specifies the content for the *access-control-allow-methods* header.
+  // Specifies the content for the ``access-control-allow-methods`` header.
   string allow_methods = 2;
 
-  // Specifies the content for the *access-control-allow-headers* header.
+  // Specifies the content for the ``access-control-allow-headers`` header.
   string allow_headers = 3;
 
-  // Specifies the content for the *access-control-expose-headers* header.
+  // Specifies the content for the ``access-control-expose-headers`` header.
   string expose_headers = 4;
 
-  // Specifies the content for the *access-control-max-age* header.
+  // Specifies the content for the ``access-control-max-age`` header.
   string max_age = 5;
 
   // Specifies whether the resource allows credentials.
@@ -710,7 +710,7 @@ message CorsPolicy {
   //
   // If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is specified,
   // Envoy will lookup the runtime key to get the percentage of requests for which it will evaluate
-  // and track the request's *Origin* to determine if it's valid but will not enforce any policies.
+  // and track the request's ``Origin`` to determine if it's valid but will not enforce any policies.
   core.v3.RuntimeFractionalPercent shadow_enabled = 10;
 }
 
@@ -743,8 +743,8 @@ message RouteAction {
   // respond before returning the response from the primary cluster. All normal statistics are
   // collected for the shadow cluster making this feature useful for testing.
   //
-  // During shadowing, the host/authority header is altered such that *-shadow* is appended. This is
-  // useful for logging. For example, *cluster1* becomes *cluster1-shadow*.
+  // During shadowing, the host/authority header is altered such that ``-shadow`` is appended. This is
+  // useful for logging. For example, ``cluster1`` becomes ``cluster1-shadow``.
   //
   // .. note::
   //
@@ -758,13 +758,13 @@ message RouteAction {
 
     reserved "runtime_key";
 
-    // Only one of *cluster* and *cluster_header* can be specified.
+    // Only one of ``cluster`` and ``cluster_header`` can be specified.
     // [#next-major-version: Need to add back the validation rule: (validate.rules).string = {min_len: 1}]
     // Specifies the cluster that requests will be mirrored to. The cluster must
     // exist in the cluster manager configuration.
     string cluster = 1 [(udpa.annotations.field_migrate).oneof_promotion = "cluster_specifier"];
 
-    // Only one of *cluster* and *cluster_header* can be specified.
+    // Only one of ``cluster`` and ``cluster_header`` can be specified.
     // Envoy will determine the cluster to route to by reading the value of the
     // HTTP header named by cluster_header from the request headers. Only the first value in header is used,
     // and no shadow request will happen if the value is not found in headers. Envoy will not wait for
@@ -772,8 +772,8 @@ message RouteAction {
     //
     // .. attention::
     //
-    //   Internally, Envoy always uses the HTTP/2 *:authority* header to represent the HTTP/1
-    //   *Host* header. Thus, if attempting to match on *Host*, match on *:authority* instead.
+    //   Internally, Envoy always uses the HTTP/2 ``:authority`` header to represent the HTTP/1
+    //   ``Host`` header. Thus, if attempting to match on ``Host``, match on ``:authority`` instead.
     //
     // .. note::
     //
@@ -969,7 +969,7 @@ message RouteAction {
 
     // If present, and the request contains a `grpc-timeout header
     // <https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-HTTP2.md>`_, use that value as the
-    // *max_stream_duration*, but limit the applied timeout to the maximum value specified here.
+    // ``max_stream_duration``, but limit the applied timeout to the maximum value specified here.
     // If set to 0, the ``grpc-timeout`` header is used without modification.
     google.protobuf.Duration grpc_timeout_header_max = 2;
 
@@ -1000,8 +1000,8 @@ message RouteAction {
     //
     // .. attention::
     //
-    //   Internally, Envoy always uses the HTTP/2 *:authority* header to represent the HTTP/1
-    //   *Host* header. Thus, if attempting to match on *Host*, match on *:authority* instead.
+    //   Internally, Envoy always uses the HTTP/2 ``:authority`` header to represent the HTTP/1
+    //   ``Host`` header. Thus, if attempting to match on ``Host``, match on ``:authority`` instead.
     //
     // .. note::
     //
@@ -1036,7 +1036,7 @@ message RouteAction {
   // in the upstream cluster with metadata matching what's set in this field will be considered
   // for load balancing. If using :ref:`weighted_clusters
   // <envoy_v3_api_field_config.route.v3.RouteAction.weighted_clusters>`, metadata will be merged, with values
-  // provided there taking precedence. The filter name should be specified as *envoy.lb*.
+  // provided there taking precedence. The filter name should be specified as ``envoy.lb``.
   core.v3.Metadata metadata_match = 4;
 
   // Indicates that during forwarding, the matched prefix (or path) should be
@@ -1047,14 +1047,14 @@ message RouteAction {
   //
   // Only one of :ref:`regex_rewrite <envoy_v3_api_field_config.route.v3.RouteAction.regex_rewrite>`
   // [#comment:TODO(silverstar194) add the following once path_template_rewrite is implemented: :ref:`path_template_rewrite <envoy_v3_api_field_config.route.v3.RouteAction.path_template_rewrite>`]
-  // or *prefix_rewrite* may be specified.
+  // or ``prefix_rewrite`` may be specified.
   //
   // .. attention::
   //
   //   Pay careful attention to the use of trailing slashes in the
   //   :ref:`route's match <envoy_v3_api_field_config.route.v3.Route.match>` prefix value.
   //   Stripping a prefix from a path requires multiple Routes to handle all cases. For example,
-  //   rewriting */prefix* to */* and */prefix/etc* to */etc* cannot be done in a single
+  //   rewriting ``/prefix`` to ``/`` and ``/prefix/etc`` to ``/etc`` cannot be done in a single
   //   :ref:`Route <envoy_v3_api_msg_config.route.v3.Route>`, as shown by the below config entries:
   //
   //   .. code-block:: yaml
@@ -1068,8 +1068,8 @@ message RouteAction {
   //       route:
   //         prefix_rewrite: "/"
   //
-  //   Having above entries in the config, requests to */prefix* will be stripped to */*, while
-  //   requests to */prefix/etc* will be stripped to */etc*.
+  //   Having above entries in the config, requests to ``/prefix`` will be stripped to ``/``, while
+  //   requests to ``/prefix/etc`` will be stripped to ``/etc``.
   string prefix_rewrite = 5
       [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
 
@@ -1084,7 +1084,7 @@ message RouteAction {
   //
   // Only one of :ref:`prefix_rewrite <envoy_v3_api_field_config.route.v3.RouteAction.prefix_rewrite>`
   // [#comment:TODO(silverstar194) add the following once path_template_rewrite is implemented: :ref:`path_template_rewrite <envoy_v3_api_field_config.route.v3.RouteAction.path_template_rewrite>`,]
-  // or *regex_rewrite* may be specified.
+  // or ``regex_rewrite`` may be specified.
   //
   // Examples using Google's `RE2 <https://github.com/google/re2>`_ engine:
   //
@@ -1115,7 +1115,7 @@ message RouteAction {
   //
   // Only one of :ref:`prefix_rewrite <envoy_v3_api_field_config.route.v3.RouteAction.prefix_rewrite>`,
   // :ref:`regex_rewrite <envoy_v3_api_field_config.route.v3.RouteAction.regex_rewrite>`,
-  // or *path_template_rewrite* may be specified.
+  // or ``path_template_rewrite`` may be specified.
   //
   // Template pattern matching types:
   //
@@ -1159,7 +1159,7 @@ message RouteAction {
     // Indicates that during forwarding, the host header will be swapped with
     // the hostname of the upstream host chosen by the cluster manager. This
     // option is applicable only when the destination cluster for a route is of
-    // type *strict_dns* or *logical_dns*. Setting this to true with other cluster types
+    // type ``strict_dns`` or ``logical_dns``. Setting this to true with other cluster types
     // has no effect. Using this option will append the
     // :ref:`config_http_conn_man_headers_x-forwarded-host` header if
     // :ref:`append_x_forwarded_host <envoy_v3_api_field_config.route.v3.RouteAction.append_x_forwarded_host>`
@@ -1754,7 +1754,7 @@ message DirectResponseAction {
   //
   // .. note::
   //
-  //   Headers can be specified using *response_headers_to_add* in the enclosing
+  //   Headers can be specified using ``response_headers_to_add`` in the enclosing
   //   :ref:`envoy_v3_api_msg_config.route.v3.Route`, :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration` or
   //   :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`.
   core.v3.DataSource body = 2;
@@ -1897,7 +1897,7 @@ message RateLimit {
     }
 
     // The following descriptor entry is appended when a header contains a key that matches the
-    // *header_name*:
+    // ``header_name``:
     //
     // .. code-block:: cpp
     //
@@ -2017,7 +2017,7 @@ message RateLimit {
       // only happen if the value in the dynamic metadata is of type string.
       type.metadata.v3.MetadataKey metadata_key = 2 [(validate.rules).message = {required: true}];
 
-      // An optional value to use if *metadata_key* is empty. If not set and
+      // An optional value to use if ``metadata_key`` is empty. If not set and
       // no value is present under the metadata_key then no descriptor is generated.
       string default_value = 3;
     }
@@ -2043,7 +2043,7 @@ message RateLimit {
       // only happen if the value in the metadata is of type string.
       type.metadata.v3.MetadataKey metadata_key = 2 [(validate.rules).message = {required: true}];
 
-      // An optional value to use if *metadata_key* is empty. If not set and
+      // An optional value to use if ``metadata_key`` is empty. If not set and
       // no value is present under the metadata_key then no descriptor is generated.
       string default_value = 3;
 
@@ -2147,12 +2147,12 @@ message RateLimit {
 
 // .. attention::
 //
-//   Internally, Envoy always uses the HTTP/2 *:authority* header to represent the HTTP/1 *Host*
-//   header. Thus, if attempting to match on *Host*, match on *:authority* instead.
+//   Internally, Envoy always uses the HTTP/2 ``:authority`` header to represent the HTTP/1 ``Host``
+//   header. Thus, if attempting to match on ``Host``, match on ``:authority`` instead.
 //
 // .. attention::
 //
-//   To route on HTTP method, use the special HTTP/2 *:method* header. This works for both
+//   To route on HTTP method, use the special HTTP/2 ``:method`` header. This works for both
 //   HTTP/1 and HTTP/2 as Envoy normalizes headers. E.g.,
 //
 //   .. code-block:: json
@@ -2204,8 +2204,8 @@ message HeaderMatcher {
     //
     // Examples:
     //
-    // * For range [-10,0), route will match for header value -1, but not for 0, "somestring", 10.9,
-    //   "-1somestring"
+    // * For range [-10,0), route will match for header value -1, but not for 0, ``somestring``, 10.9,
+    //   ``-1somestring``
     type.v3.Int64Range range_match = 6;
 
     // If specified as true, header match will be performed based on whether the header is in the
@@ -2218,7 +2218,7 @@ message HeaderMatcher {
     //
     // Examples:
     //
-    // * The prefix *abcd* matches the value *abcdxyz*, but not for *abcxyz*.
+    // * The prefix ``abcd`` matches the value ``abcdxyz``, but not for ``abcxyz``.
     string prefix_match = 9 [
       deprecated = true,
       (validate.rules).string = {min_len: 1},
@@ -2231,7 +2231,7 @@ message HeaderMatcher {
     //
     // Examples:
     //
-    // * The suffix *abcd* matches the value *xyzabcd*, but not for *xyzbcd*.
+    // * The suffix ``abcd`` matches the value ``xyzabcd``, but not for ``xyzbcd``.
     string suffix_match = 10 [
       deprecated = true,
       (validate.rules).string = {min_len: 1},
@@ -2245,7 +2245,7 @@ message HeaderMatcher {
     //
     // Examples:
     //
-    // * The value *abcd* matches the value *xyzabcdpqr*, but not for *xyzbcdpqr*.
+    // * The value ``abcd`` matches the value ``xyzabcdpqr``, but not for ``xyzbcdpqr``.
     string contains_match = 12 [
       deprecated = true,
       (validate.rules).string = {min_len: 1},
@@ -2260,7 +2260,7 @@ message HeaderMatcher {
   //
   // Examples:
   //
-  // * The regex ``\d{3}`` does not match the value *1234*, so it will match when inverted.
+  // * The regex ``\d{3}`` does not match the value ``1234``, so it will match when inverted.
   // * The range [-10,0) will match the value -1, so it will not match when inverted.
   bool invert_match = 8;
 
@@ -2305,7 +2305,7 @@ message QueryParameterMatcher {
   reserved "value", "regex";
 
   // Specifies the name of a key that must be present in the requested
-  // *path*'s query string.
+  // ``path``'s query string.
   string name = 1 [(validate.rules).string = {min_len: 1 max_bytes: 1024}];
 
   oneof query_parameter_match_specifier {

envoy/data/accesslog/v3/accesslog.proto

@@ -110,14 +110,14 @@ message AccessLogCommon {
   google.protobuf.Duration time_to_last_rx_byte = 6;
 
   // Interval between the first downstream byte received and the first upstream byte sent. There may
-  // by considerable delta between *time_to_last_rx_byte* and this value due to filters.
-  // Additionally, the same caveats apply as documented in *time_to_last_downstream_tx_byte* about
+  // by considerable delta between ``time_to_last_rx_byte`` and this value due to filters.
+  // Additionally, the same caveats apply as documented in ``time_to_last_downstream_tx_byte`` about
   // not accounting for kernel socket buffer time, etc.
   google.protobuf.Duration time_to_first_upstream_tx_byte = 7;
 
   // Interval between the first downstream byte received and the last upstream byte sent. There may
-  // by considerable delta between *time_to_last_rx_byte* and this value due to filters.
-  // Additionally, the same caveats apply as documented in *time_to_last_downstream_tx_byte* about
+  // by considerable delta between ``time_to_last_rx_byte`` and this value due to filters.
+  // Additionally, the same caveats apply as documented in ``time_to_last_downstream_tx_byte`` about
   // not accounting for kernel socket buffer time, etc.
   google.protobuf.Duration time_to_last_upstream_tx_byte = 8;
 
@@ -130,14 +130,14 @@ message AccessLogCommon {
   google.protobuf.Duration time_to_last_upstream_rx_byte = 10;
 
   // Interval between the first downstream byte received and the first downstream byte sent.
-  // There may be a considerable delta between the *time_to_first_upstream_rx_byte* and this field
+  // There may be a considerable delta between the ``time_to_first_upstream_rx_byte`` and this field
   // due to filters. Additionally, the same caveats apply as documented in
-  // *time_to_last_downstream_tx_byte* about not accounting for kernel socket buffer time, etc.
+  // ``time_to_last_downstream_tx_byte`` about not accounting for kernel socket buffer time, etc.
   google.protobuf.Duration time_to_first_downstream_tx_byte = 11;
 
   // Interval between the first downstream byte received and the last downstream byte sent.
   // Depending on protocol, buffering, windowing, filters, etc. there may be a considerable delta
-  // between *time_to_last_upstream_rx_byte* and this field. Note also that this is an approximate
+  // between ``time_to_last_upstream_rx_byte`` and this field. Note also that this is an approximate
   // time. In the current implementation it does not include kernel socket buffer time. In the
   // current implementation it also does not include send window buffering inside the HTTP/2 codec.
   // In the future it is likely that work will be done to make this duration more accurate.
@@ -150,7 +150,7 @@ message AccessLogCommon {
   // The upstream local/origin address that handles this exchange. This does not include retries.
   config.core.v3.Address upstream_local_address = 14;
 
-  // The upstream cluster that *upstream_remote_address* belongs to.
+  // The upstream cluster that ``upstream_remote_address`` belongs to.
   string upstream_cluster = 15;
 
   // Flags indicating occurrences during request/response processing.

envoy/data/cluster/v3/outlier_detection_event.proto

@@ -23,7 +23,7 @@ enum OutlierEjectionType {
   // In case upstream host returns certain number of consecutive 5xx.
   // If
   // :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
-  // is *false*, all type of errors are treated as HTTP 5xx errors.
+  // is ``false``, all type of errors are treated as HTTP 5xx errors.
   // See :ref:`Cluster outlier detection <arch_overview_outlier_detection>` documentation for
   // details.
   CONSECUTIVE_5XX = 0;
@@ -36,7 +36,7 @@ enum OutlierEjectionType {
   // in the cluster.
   // If
   // :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
-  // is *false*, all errors (externally and locally generated) are used to calculate success rate
+  // is ``false``, all errors (externally and locally generated) are used to calculate success rate
   // statistics. See :ref:`Cluster outlier detection <arch_overview_outlier_detection>`
   // documentation for details.
   SUCCESS_RATE = 2;
@@ -44,7 +44,7 @@ enum OutlierEjectionType {
   // Consecutive local origin failures: Connection failures, resets, timeouts, etc
   // This type of ejection happens only when
   // :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
-  // is set to *true*.
+  // is set to ``true``.
   // See :ref:`Cluster outlier detection <arch_overview_outlier_detection>` documentation for
   CONSECUTIVE_LOCAL_ORIGIN_FAILURE = 3;
 
@@ -52,7 +52,7 @@ enum OutlierEjectionType {
   // for all hosts in the cluster and selects hosts for which success rate deviates from other
   // hosts in the cluster. This type of ejection happens only when
   // :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
-  // is set to *true*.
+  // is set to ``true``.
   // See :ref:`Cluster outlier detection <arch_overview_outlier_detection>` documentation for
   SUCCESS_RATE_LOCAL_ORIGIN = 4;
 

envoy/extensions/access_loggers/file/v3/file.proto

@@ -21,7 +21,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#extension: envoy.access_loggers.file]
 
 // Custom configuration for an :ref:`AccessLog <envoy_v3_api_msg_config.accesslog.v3.AccessLog>`
-// that writes log entries directly to a file. Configures the built-in *envoy.access_loggers.file*
+// that writes log entries directly to a file. Configures the built-in ``envoy.access_loggers.file``
 // AccessLog.
 // [#next-free-field: 6]
 message FileAccessLog {

envoy/extensions/access_loggers/grpc/v3/als.proto

@@ -22,7 +22,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // [#protodoc-title: gRPC Access Log Service (ALS)]
 
-// Configuration for the built-in *envoy.access_loggers.http_grpc*
+// Configuration for the built-in ``envoy.access_loggers.http_grpc``
 // :ref:`AccessLog <envoy_v3_api_msg_config.accesslog.v3.AccessLog>`. This configuration will
 // populate :ref:`StreamAccessLogsMessage.http_logs
 // <envoy_v3_api_field_service.accesslog.v3.StreamAccessLogsMessage.http_logs>`.
@@ -46,8 +46,8 @@ message HttpGrpcAccessLogConfig {
   repeated string additional_response_trailers_to_log = 4;
 }
 
-// Configuration for the built-in *envoy.access_loggers.tcp_grpc* type. This configuration will
-// populate *StreamAccessLogsMessage.tcp_logs*.
+// Configuration for the built-in ``envoy.access_loggers.tcp_grpc`` type. This configuration will
+// populate ``StreamAccessLogsMessage.tcp_logs``.
 // [#extension: envoy.access_loggers.tcp_grpc]
 message TcpGrpcAccessLogConfig {
   option (udpa.annotations.versioning).previous_message_type =

envoy/extensions/access_loggers/open_telemetry/v3/logs_service.proto

@@ -17,7 +17,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // [#protodoc-title: OpenTelemetry (gRPC) Access Log]
 
-// Configuration for the built-in *envoy.access_loggers.open_telemetry*
+// Configuration for the built-in ``envoy.access_loggers.open_telemetry``
 // :ref:`AccessLog <envoy_v3_api_msg_config.accesslog.v3.AccessLog>`. This configuration will
 // populate `opentelemetry.proto.collector.v1.logs.ExportLogsServiceRequest.resource_logs <https://github.com/open-telemetry/opentelemetry-proto/blob/main/opentelemetry/proto/collector/logs/v1/logs_service.proto>`_.
 // In addition, the request start time is set in the dedicated field.

envoy/extensions/access_loggers/wasm/v3/wasm.proto

@@ -16,7 +16,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#extension: envoy.access_loggers.wasm]
 
 // Custom configuration for an :ref:`AccessLog <envoy_v3_api_msg_config.accesslog.v3.AccessLog>`
-// that calls into a WASM VM. Configures the built-in *envoy.access_loggers.wasm*
+// that calls into a WASM VM. Configures the built-in ``envoy.access_loggers.wasm``
 // AccessLog.
 message WasmAccessLog {
   envoy.extensions.wasm.v3.PluginConfig config = 1;

envoy/extensions/common/dynamic_forward_proxy/v3/dns_cache.proto

@@ -76,7 +76,7 @@ message DnsCacheConfig {
   //
   // .. note:
   //
-  //   The TTL is only checked at the time of DNS refresh, as specified by *dns_refresh_rate*. This
+  //   The TTL is only checked at the time of DNS refresh, as specified by ``dns_refresh_rate``. This
   //   means that if the configured TTL is shorter than the refresh rate the host may not be removed
   //   immediately.
   //
@@ -104,7 +104,7 @@ message DnsCacheConfig {
   DnsCacheCircuitBreakers dns_cache_circuit_breaker = 7;
 
   // Always use TCP queries instead of UDP queries for DNS lookups.
-  // This field is deprecated in favor of *dns_resolution_config*
+  // This field is deprecated in favor of ``dns_resolution_config``
   // which aggregates all of the DNS resolver configuration in a single message.
   bool use_tcp_for_dns_lookups = 8
       [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
@@ -119,12 +119,12 @@ message DnsCacheConfig {
   // or any other DNS resolver types and the related parameters.
   // For example, an object of
   // :ref:`CaresDnsResolverConfig <envoy_v3_api_msg_extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig>`
-  // can be packed into this *typed_dns_resolver_config*. This configuration replaces the
+  // can be packed into this ``typed_dns_resolver_config``. This configuration replaces the
   // :ref:`dns_resolution_config <envoy_v3_api_field_extensions.common.dynamic_forward_proxy.v3.DnsCacheConfig.dns_resolution_config>`
   // configuration.
-  // During the transition period when both *dns_resolution_config* and *typed_dns_resolver_config* exists,
-  // when *typed_dns_resolver_config* is in place, Envoy will use it and ignore *dns_resolution_config*.
-  // When *typed_dns_resolver_config* is missing, the default behavior is in place.
+  // During the transition period when both ``dns_resolution_config`` and ``typed_dns_resolver_config`` exists,
+  // when ``typed_dns_resolver_config`` is in place, Envoy will use it and ignore ``dns_resolution_config``.
+  // When ``typed_dns_resolver_config`` is missing, the default behavior is in place.
   // [#extension-category: envoy.network.dns_resolver]
   config.core.v3.TypedExtensionConfig typed_dns_resolver_config = 12;
 

envoy/extensions/filters/http/bandwidth_limit/v3/bandwidth_limit.proto

@@ -72,10 +72,10 @@ message BandwidthLimit {
   //
   // .. note::
   //
-  //   * If set true, the response trailers *bandwidth-request-delay-ms* and *bandwidth-response-delay-ms* will be added, prefixed by *response_trailer_prefix*.
+  //   * If set true, the response trailers ``bandwidth-request-delay-ms`` and ``bandwidth-response-delay-ms`` will be added, prefixed by ``response_trailer_prefix``.
   //   * bandwidth-request-delay-ms: delay time in milliseconds it took for the request stream transfer.
   //   * bandwidth-response-delay-ms: delay time in milliseconds it took for the response stream transfer.
-  //   * If :ref:`enable_mode <envoy_v3_api_field_extensions.filters.http.bandwidth_limit.v3.BandwidthLimit.enable_mode>` is DISABLED or REQUEST, the trailers will not be set.
+  //   * If :ref:`enable_mode <envoy_v3_api_field_extensions.filters.http.bandwidth_limit.v3.BandwidthLimit.enable_mode>` is ``DISABLED`` or ``REQUEST``, the trailers will not be set.
   //   * If both the request and response delay time is 0, the trailers will not be set.
   //
   bool enable_response_trailers = 6;

envoy/extensions/filters/http/cache/v3/cache.proto

@@ -38,14 +38,14 @@ message CacheConfig {
     // ever depend on host.
     bool exclude_host = 2;
 
-    // If *query_parameters_included* is nonempty, only query parameters matched
+    // If ``query_parameters_included`` is nonempty, only query parameters matched
     // by one or more of its matchers are included in the cache key. Any other
     // query params will not affect cache lookup.
     repeated config.route.v3.QueryParameterMatcher query_parameters_included = 3;
 
-    // If *query_parameters_excluded* is nonempty, query parameters matched by one
+    // If ``query_parameters_excluded`` is nonempty, query parameters matched by one
     // or more of its matchers are excluded from the cache key (even if also
-    // matched by *query_parameters_included*), and will not affect cache lookup.
+    // matched by ``query_parameters_included``), and will not affect cache lookup.
     repeated config.route.v3.QueryParameterMatcher query_parameters_excluded = 4;
   }
 
@@ -53,17 +53,17 @@ message CacheConfig {
   // [#extension-category: envoy.http.cache]
   google.protobuf.Any typed_config = 1 [(validate.rules).any = {required: true}];
 
-  // List of matching rules that defines allowed *Vary* headers.
+  // List of matching rules that defines allowed ``Vary`` headers.
   //
-  // The *vary* response header holds a list of header names that affect the
+  // The ``vary`` response header holds a list of header names that affect the
   // contents of a response, as described by
   // https://httpwg.org/specs/rfc7234.html#caching.negotiated.responses.
   //
-  // During insertion, *allowed_vary_headers* acts as a allowlist: if a
-  // response's *vary* header mentions any header names that aren't matched by any rules in
-  // *allowed_vary_headers*, that response will not be cached.
+  // During insertion, ``allowed_vary_headers`` acts as a allowlist: if a
+  // response's ``vary`` header mentions any header names that aren't matched by any rules in
+  // ``allowed_vary_headers``, that response will not be cached.
   //
-  // During lookup, *allowed_vary_headers* controls what request headers will be
+  // During lookup, ``allowed_vary_headers`` controls what request headers will be
   // sent to the cache storage implementation.
   repeated type.matcher.v3.StringMatcher allowed_vary_headers = 2;
 

envoy/extensions/filters/http/csrf/v3/csrf.proto

@@ -42,7 +42,7 @@ message CsrfPolicy {
   //
   // If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is specified,
   // Envoy will lookup the runtime key to get the percentage of requests for which it will evaluate
-  // and track the request's *Origin* and *Destination* to determine if it's valid, but will not
+  // and track the request's ``Origin`` and ``Destination`` to determine if it's valid, but will not
   // enforce any policies.
   config.core.v3.RuntimeFractionalPercent shadow_enabled = 2;
 

envoy/extensions/filters/http/decompressor/v3/decompressor.proto

@@ -26,7 +26,7 @@ message Decompressor {
     // filter will operate as a pass-through filter. If the message is unspecified, the filter will be enabled.
     config.core.v3.RuntimeFeatureFlag enabled = 1;
 
-    // If set to true, will decompress response even if a *no-transform* cache control header is set.
+    // If set to true, will decompress response even if a ``no-transform`` cache control header is set.
     bool ignore_no_transform_header = 2;
   }
 

envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto

@@ -50,15 +50,15 @@ message ExtAuthz {
 
   //  Changes filter's behaviour on errors:
   //
-  //  1. When set to true, the filter will *accept* client request even if the communication with
+  //  1. When set to true, the filter will ``accept`` client request even if the communication with
   //  the authorization service has failed, or if the authorization service has returned a HTTP 5xx
   //  error.
   //
-  //  2. When set to false, ext-authz will *reject* client requests and return a *Forbidden*
+  //  2. When set to false, ext-authz will ``reject`` client requests and return a ``Forbidden``
   //  response if the communication with the authorization service has failed, or if the
   //  authorization service has returned a HTTP 5xx error.
   //
-  // Note that errors can be *always* tracked in the :ref:`stats
+  // Note that errors can be ``always`` tracked in the :ref:`stats
   // <config_http_filters_ext_authz_stats>`.
   bool failure_mode_allow = 2;
 
@@ -70,11 +70,11 @@ message ExtAuthz {
   // Clears route cache in order to allow the external authorization service to correctly affect
   // routing decisions. Filter clears all cached routes when:
   //
-  // 1. The field is set to *true*.
+  // 1. The field is set to ``true``.
   //
   // 2. The status returned from the authorization service is a HTTP 200 or gRPC 0.
   //
-  // 3. At least one *authorization response header* is added to the client request, or is used for
+  // 3. At least one ``authorization response header`` is added to the client request, or is used for
   // altering another client request header.
   //
   bool clear_route_cache = 6;
@@ -84,9 +84,9 @@ message ExtAuthz {
   type.v3.HttpStatus status_on_error = 7;
 
   // Specifies a list of metadata namespaces whose values, if present, will be passed to the
-  // ext_authz service. :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>` is passed as an opaque *protobuf::Struct*.
+  // ext_authz service. :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>` is passed as an opaque ``protobuf::Struct``.
   //
-  // For example, if the *jwt_authn* filter is used and :ref:`payload_in_metadata
+  // For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata
   // <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
   // then the following will pass the jwt payload to the authorization server.
   //
@@ -98,7 +98,7 @@ message ExtAuthz {
   repeated string metadata_context_namespaces = 8;
 
   // Specifies a list of metadata namespaces whose values, if present, will be passed to the
-  // ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as an *protobuf::Any*.
+  // ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as an ``protobuf::Any``.
   //
   // It works in a way similar to ``metadata_context_namespaces`` but allows envoy and external authz server to share the protobuf message definition
   // in order to do a safe parsing.
@@ -133,7 +133,7 @@ message ExtAuthz {
   bool include_peer_certificate = 10;
 
   // Optional additional prefix to use when emitting statistics. This allows to distinguish
-  // emitted statistics between configured *ext_authz* filters in an HTTP filter chain. For example:
+  // emitted statistics between configured ``ext_authz`` filters in an HTTP filter chain. For example:
   //
   // .. code-block:: yaml
   //
@@ -161,12 +161,12 @@ message BufferSettings {
       "envoy.config.filter.http.ext_authz.v2.BufferSettings";
 
   // Sets the maximum size of a message body that the filter will hold in memory. Envoy will return
-  // *HTTP 413* and will *not* initiate the authorization process when buffer reaches the number
+  // ``HTTP 413`` and will *not* initiate the authorization process when buffer reaches the number
   // set in this field. Note that this setting will have precedence over :ref:`failure_mode_allow
   // <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.failure_mode_allow>`.
   uint32 max_request_bytes = 1 [(validate.rules).uint32 = {gt: 0}];
 
-  // When this field is true, Envoy will buffer the message until *max_request_bytes* is reached.
+  // When this field is true, Envoy will buffer the message until ``max_request_bytes`` is reached.
   // The authorization request will be dispatched and no 413 HTTP error will be returned by the
   // filter.
   bool allow_partial_message = 2;
@@ -216,7 +216,7 @@ message HttpService {
   // Sets the HTTP server URI which the authorization requests must be sent to.
   config.core.v3.HttpUri server_uri = 1;
 
-  // Sets a prefix to the value of authorization request header *Path*.
+  // Sets a prefix to the value of authorization request header ``Path``.
   string path_prefix = 2;
 
   // Settings used for controlling authorization request metadata.
@@ -270,9 +270,9 @@ message AuthorizationResponse {
 
   // When this :ref:`list <envoy_v3_api_msg_type.matcher.v3.ListStringMatcher>`. is set, authorization
   // response headers that have a correspondent match will be added to the client's response. Note
-  // that when this list is *not* set, all the authorization response headers, except *Authority
-  // (Host)* will be in the response to the client. When a header is included in this list, *Path*,
-  // *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are automatically added.
+  // that when this list is *not* set, all the authorization response headers, except ``Authority
+  // (Host)`` will be in the response to the client. When a header is included in this list, ``Path``,
+  // ``Status``, ``Content-Length``, ``WWWAuthenticate`` and ``Location`` are automatically added.
   type.matcher.v3.ListStringMatcher allowed_client_headers = 2;
 
   // When this :ref:`list <envoy_v3_api_msg_type.matcher.v3.ListStringMatcher>`. is set, authorization

envoy/extensions/filters/http/fault/v3/fault.proto

@@ -65,7 +65,7 @@ message HTTPFault {
   common.fault.v3.FaultDelay delay = 1;
 
   // If specified, the filter will abort requests based on the values in
-  // the object. At least *abort* or *delay* must be specified.
+  // the object. At least ``abort`` or ``delay`` must be specified.
   FaultAbort abort = 2;
 
   // Specifies the name of the (destination) upstream cluster that the
@@ -81,7 +81,7 @@ message HTTPFault {
   // The filter will check the request's headers against all the specified
   // headers in the filter config. A match will happen if all the headers in the
   // config are present in the request with the same values (or based on
-  // presence if the *value* field is not in the config).
+  // presence if the ``value`` field is not in the config).
   repeated config.route.v3.HeaderMatcher headers = 4;
 
   // Faults are injected for the specified list of downstream hosts. If this

envoy/extensions/filters/http/grpc_http1_reverse_bridge/v3/config.proto

@@ -39,8 +39,8 @@ message FilterConfig {
   // When :ref:`withhold_grpc_frames
   // <envoy_v3_api_field_extensions.filters.http.grpc_http1_reverse_bridge.v3.FilterConfig.withhold_grpc_frames>`
   // is true, this option controls how Envoy calculates the ``Content-Length``. When
-  // *response_size_header* is empty, Envoy will buffer the upstream response to calculate its
-  // size. When *response_size_header* is set to a non-empty string, Envoy will stream the response
+  // ``response_size_header`` is empty, Envoy will buffer the upstream response to calculate its
+  // size. When ``response_size_header`` is set to a non-empty string, Envoy will stream the response
   // to the downstream and it will use the value of the response header with this name to set the
   // ``Content-Length`` header and gRPC frame size. If the header with this name is repeated, only
   // the first value will be used.

envoy/extensions/filters/http/grpc_json_transcoder/v3/transcoder.proto

@@ -137,7 +137,7 @@ message GrpcJsonTranscoder {
 
   // Whether to keep the incoming request route after the outgoing headers have been transformed to
   // the match the upstream gRPC service. Note: This means that routes for gRPC services that are
-  // not transcoded cannot be used in combination with *match_incoming_request_route*.
+  // not transcoded cannot be used in combination with ``match_incoming_request_route``.
   bool match_incoming_request_route = 5;
 
   // A list of query parameters to be ignored for transcoding method mapping.

envoy/extensions/filters/http/jwt_authn/v3/config.proto

@@ -31,7 +31,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 //
 // A JwtProvider message specifies how a JSON Web Token (JWT) can be verified. It specifies:
 //
-// * issuer: the principal that issues the JWT. If specified, it has to match the *iss* field in JWT.
+// * issuer: the principal that issues the JWT. If specified, it has to match the ``iss`` field in JWT.
 // * allowed audiences: the ones in the token have to be listed here.
 // * how to fetch public key JWKS to verify the token signature.
 // * how to extract JWT token in the request.
@@ -61,17 +61,17 @@ message JwtProvider {
   // Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
   // the JWT, usually a URL or an email address.
   //
-  // It is optional. If specified, it has to match the *iss* field in JWT,
-  // otherwise the JWT *iss* field is not checked.
+  // It is optional. If specified, it has to match the ``iss`` field in JWT,
+  // otherwise the JWT ``iss`` field is not checked.
   //
-  // Note: *JwtRequirement* :ref:`allow_missing <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing>`
+  // Note: ``JwtRequirement`` :ref:`allow_missing <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing>`
   // and :ref:`allow_missing_or_failed <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing_or_failed>`
-  // are implemented differently than other *JwtRequirements*. Hence the usage of this field
-  // is different as follows if *allow_missing* or *allow_missing_or_failed* is used:
+  // are implemented differently than other ``JwtRequirements``. Hence the usage of this field
+  // is different as follows if ``allow_missing`` or ``allow_missing_or_failed`` is used:
   //
-  // * If a JWT has *iss* field, it needs to be specified by this field in one of *JwtProviders*.
-  // * If a JWT doesn't have *iss* field, one of *JwtProviders* should fill this field empty.
-  // * Multiple *JwtProviders* should not have same value in this field.
+  // * If a JWT has ``iss`` field, it needs to be specified by this field in one of ``JwtProviders``.
+  // * If a JWT doesn't have ``iss`` field, one of ``JwtProviders`` should fill this field empty.
+  // * Multiple ``JwtProviders`` should not have same value in this field.
   //
   // Example: https://securetoken.google.com
   // Example: 1234567-compute@developer.gserviceaccount.com
@@ -213,11 +213,11 @@ message JwtProvider {
   bool pad_forward_payload_header = 11;
 
   // If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
-  // in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn**
-  // The value is the *protobuf::Struct*. The value of this field will be the key for its *fields*
-  // and the value is the *protobuf::Struct* converted from JWT JSON payload.
+  // in the format as: ``namespace`` is the jwt_authn filter name as ````envoy.filters.http.jwt_authn````
+  // The value is the ``protobuf::Struct``. The value of this field will be the key for its ``fields``
+  // and the value is the ``protobuf::Struct`` converted from JWT JSON payload.
   //
-  // For example, if payload_in_metadata is *my_payload*:
+  // For example, if payload_in_metadata is ``my_payload``:
   //
   // .. code-block:: yaml
   //
@@ -232,10 +232,10 @@ message JwtProvider {
 
   // If not empty, similar to :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`,
   // a successfully verified JWT header will be written to :ref:`Dynamic State <arch_overview_data_sharing_between_filters>`
-  // as an entry (``protobuf::Struct``) in **envoy.filters.http.jwt_authn** *namespace* with the
+  // as an entry (``protobuf::Struct``) in ``envoy.filters.http.jwt_authn`` ``namespace`` with the
   // value of this field as the key.
   //
-  // For example, if ``header_in_metadata`` is *my_header*:
+  // For example, if ``header_in_metadata`` is ``my_header``:
   //
   // .. code-block:: yaml
   //
@@ -245,9 +245,9 @@ message JwtProvider {
   //       kid: EF71iSaosbC5C4tC6Syq1Gm647M
   //       alg: PS256
   //
-  // When the metadata has **envoy.filters.http.jwt_authn** entry already (for example if
+  // When the metadata has ``envoy.filters.http.jwt_authn`` entry already (for example if
   // :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
-  // is not empty), it will be inserted as a new entry in the same *namespace* as shown below:
+  // is not empty), it will be inserted as a new entry in the same ``namespace`` as shown below:
   //
   // .. code-block:: yaml
   //
@@ -274,7 +274,7 @@ message JwtProvider {
   // such as ``exp``, and ``nbf``. If not specified, default is 60 seconds.
   uint32 clock_skew_seconds = 10;
 
-  // Enables JWT cache, its size is specified by *jwt_cache_size*.
+  // Enables JWT cache, its size is specified by ``jwt_cache_size``.
   // Only valid JWT tokens are cached.
   JwtCacheConfig jwt_cache_config = 12;
 }
@@ -580,7 +580,7 @@ message FilterStateRule {
   string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // A map of string keys to requirements. The string key is the string value
-  // in the FilterState with the name specified in the *name* field above.
+  // in the FilterState with the name specified in the ``name`` field above.
   map<string, JwtRequirement>
   requires = 3;
 }
@@ -687,7 +687,7 @@ message JwtAuthentication {
 
   // This message specifies Jwt requirements based on stream_info.filterState.
   // Other HTTP filters can use it to specify Jwt requirements dynamically.
-  // The *rules* field above is checked first, if it could not find any matches,
+  // The ``rules`` field above is checked first, if it could not find any matches,
   // check this one.
   FilterStateRule filter_state_rules = 3;
 

envoy/extensions/filters/http/rate_limit_quota/v3/rate_limit_quota.proto

@@ -204,7 +204,7 @@ message RateLimitQuotaBucketSettings {
     //    message.
     //
     // If the field is not set, the ``ExpiredAssignmentBehavior`` time is **not limited**:
-    // it applies to the bucket until replaced by an *active* assignment.
+    // it applies to the bucket until replaced by an ``active`` assignment.
     google.protobuf.Duration expired_assignment_behavior_timeout = 1
         [(validate.rules).duration = {gt {}}];
 
@@ -217,7 +217,7 @@ message RateLimitQuotaBucketSettings {
       // runs out.
       type.v3.RateLimitStrategy fallback_rate_limit = 2;
 
-      // Reuse the last *active* assignment until the RLQS server sends a new assignment, or the
+      // Reuse the last ``active`` assignment until the RLQS server sends a new assignment, or the
       // :ref:`expired_assignment_behavior_timeout
       // <envoy_v3_api_field_extensions.filters.http.rate_limit_quota.v3.RateLimitQuotaBucketSettings.ExpiredAssignmentBehavior.expired_assignment_behavior_timeout>`
       // runs out.
@@ -343,7 +343,7 @@ message RateLimitQuotaBucketSettings {
   // In this example, the value of ``BucketId`` key ``env`` is substituted from the ``environment``
   // request header.
   //
-  // This is equivalent to the following *pseudo-code*:
+  // This is equivalent to the following ``pseudo-code``:
   //
   // .. code-block:: yaml
   //
@@ -411,7 +411,7 @@ message RateLimitQuotaBucketSettings {
   // Configures the behavior in the "expired assignment" state: the bucket's assignment has expired,
   // and cannot be refreshed.
   //
-  // If not set, the bucket is abandoned when its *active* assignment expires.
+  // If not set, the bucket is abandoned when its ``active`` assignment expires.
   // The process of abandoning the bucket, and restarting the subscription is described in the
   // :ref:`AbandonAction <envoy_v3_api_msg_service.rate_limit_quota.v3.RateLimitQuotaResponse.BucketAction.AbandonAction>`
   // message.

envoy/extensions/filters/http/ratelimit/v3/rate_limit.proto

@@ -52,10 +52,10 @@ message RateLimit {
   uint32 stage = 2 [(validate.rules).uint32 = {lte: 10}];
 
   // The type of requests the filter should apply to. The supported
-  // types are *internal*, *external* or *both*. A request is considered internal if
+  // types are ``internal``, ``external`` or ``both``. A request is considered internal if
   // :ref:`x-envoy-internal<config_http_conn_man_headers_x-envoy-internal>` is set to true. If
   // :ref:`x-envoy-internal<config_http_conn_man_headers_x-envoy-internal>` is not set or false, a
-  // request is considered external. The filter defaults to *both*, and it will apply to all request
+  // request is considered external. The filter defaults to ``both``, and it will apply to all request
   // types.
   string request_type = 3
       [(validate.rules).string = {in: "internal" in: "external" in: "both" in: ""}];
@@ -158,7 +158,7 @@ message RateLimitConfig {
     }
 
     // The following descriptor entry is appended when a header contains a key that matches the
-    // *header_name*:
+    // ``header_name``:
     //
     // .. code-block:: cpp
     //
@@ -247,7 +247,7 @@ message RateLimitConfig {
       // only happen if the value in the metadata is of type string.
       type.metadata.v3.MetadataKey metadata_key = 2 [(validate.rules).message = {required: true}];
 
-      // An optional value to use if *metadata_key* is empty. If not set and
+      // An optional value to use if ``metadata_key`` is empty. If not set and
       // no value is present under the metadata_key then no descriptor is generated.
       string default_value = 3;
 

envoy/extensions/filters/http/router/v3/router.proto

@@ -41,10 +41,10 @@ message Router {
   // requests may be made for each downstream (inbound) request.
   repeated config.accesslog.v3.AccessLog upstream_log = 3;
 
-  // Do not add any additional *x-envoy-* headers to requests or responses. This
-  // only affects the :ref:`router filter generated *x-envoy-* headers
+  // Do not add any additional ``x-envoy-`` headers to requests or responses. This
+  // only affects the :ref:`router filter generated x-envoy- headers
   // <config_http_filters_router_headers_set>`, other Envoy filters and the HTTP
-  // connection manager may continue to set *x-envoy-* headers.
+  // connection manager may continue to set ``x-envoy-`` headers.
   bool suppress_envoy_headers = 4;
 
   // Specifies a list of HTTP headers to strictly validate. Envoy will reject a

envoy/extensions/filters/network/dubbo_proxy/v3/dubbo_proxy.proto

@@ -37,7 +37,7 @@ enum SerializationType {
 
 message Drds {
   // Configuration source specifier.
-  // In case of *api_config_source* only aggregated *api_type* is supported.
+  // In case of ``api_config_source`` only aggregated ``api_type`` is supported.
   config.core.v3.ConfigSource config_source = 1 [(validate.rules).message = {required: true}];
 
   // The name of the multiple route configuration. This allows to use different multiple route
@@ -69,7 +69,7 @@ message DubboProxy {
       [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
 
   oneof route_specifier {
-    // Use xDS to fetch the route configuration. It is invalid to define both *route_config* and *drds*.
+    // Use xDS to fetch the route configuration. It is invalid to define both ``route_config`` and ``drds``.
     Drds drds = 6 [(udpa.annotations.field_migrate).oneof_promotion = "route_specifier"];
 
     MultipleRouteConfiguration multiple_route_config = 7;

envoy/extensions/filters/network/dubbo_proxy/v3/route.proto

@@ -94,7 +94,7 @@ message RouteAction {
 
   // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints in
   // the upstream cluster with metadata matching what is set in this field will be considered for
-  // load balancing. The filter name should be specified as *envoy.lb*.
+  // load balancing. The filter name should be specified as ``envoy.lb``.
   config.core.v3.Metadata metadata_match = 3;
 }
 

envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto

@@ -187,7 +187,7 @@ message HttpConnectionManager {
     // If not specified, no tracing will be performed.
     //
     // .. attention::
-    //   Please be aware that *envoy.tracers.opencensus* provider can only be configured once
+    //   Please be aware that ``envoy.tracers.opencensus`` provider can only be configured once
     //   in Envoy lifetime.
     //   Any attempts to reconfigure it or to use different configurations for different HCM filters
     //   will be rejected.
@@ -280,13 +280,13 @@ message HttpConnectionManager {
   // path will be visible internally if a transformation is enabled. Any path rewrites that the
   // router performs (e.g. :ref:`regex_rewrite
   // <envoy_v3_api_field_config.route.v3.RouteAction.regex_rewrite>` or :ref:`prefix_rewrite
-  // <envoy_v3_api_field_config.route.v3.RouteAction.prefix_rewrite>`) will apply to the *:path* header
+  // <envoy_v3_api_field_config.route.v3.RouteAction.prefix_rewrite>`) will apply to the ``:path`` header
   // destined for the upstream.
   //
-  // Note: access logging and tracing will show the original *:path* header.
+  // Note: access logging and tracing will show the original ``:path`` header.
   message PathNormalizationOptions {
     // [#not-implemented-hide:] Normalization applies internally before any processing of requests by
-    // HTTP filters, routing, and matching *and* will affect the forwarded *:path* header. Defaults
+    // HTTP filters, routing, and matching *and* will affect the forwarded ``:path`` header. Defaults
     // to :ref:`NormalizePathRFC3986
     // <envoy_v3_api_msg_type.http.v3.PathTransformation.Operation.NormalizePathRFC3986>`. When not
     // specified, this value may be overridden by the runtime variable
@@ -297,7 +297,7 @@ message HttpConnectionManager {
 
     // [#not-implemented-hide:] Normalization only applies internally before any processing of
     // requests by HTTP filters, routing, and matching. These will be applied after full
-    // transformation is applied. The *:path* header before this transformation will be restored in
+    // transformation is applied. The ``:path`` header before this transformation will be restored in
     // the router filter and sent upstream unless it was mutated by a filter. Defaults to no
     // transformations.
     // Multiple actions can be applied in the same Transformation, forming a sequential
@@ -418,7 +418,7 @@ message HttpConnectionManager {
   config.core.v3.Http3ProtocolOptions http3_protocol_options = 44;
 
   // An optional override that the connection manager will write to the server
-  // header in responses. If not set, the default is *envoy*.
+  // header in responses. If not set, the default is ``envoy``.
   string server_name = 10
       [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
 
@@ -591,7 +591,7 @@ message HttpConnectionManager {
   // has mutated the request headers. While :ref:`use_remote_address
   // <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.use_remote_address>`
   // will also suppress XFF addition, it has consequences for logging and other
-  // Envoy uses of the remote address, so *skip_xff_append* should be used
+  // Envoy uses of the remote address, so ``skip_xff_append`` should be used
   // when only an elision of XFF addition is intended.
   bool skip_xff_append = 21;
 
@@ -625,8 +625,8 @@ message HttpConnectionManager {
   // <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.forward_client_cert_details>`
   // is APPEND_FORWARD or SANITIZE_SET and the client connection is mTLS. It specifies the fields in
   // the client certificate to be forwarded. Note that in the
-  // :ref:`config_http_conn_man_headers_x-forwarded-client-cert` header, *Hash* is always set, and
-  // *By* is always set when the client certificate presents the URI type Subject Alternative Name
+  // :ref:`config_http_conn_man_headers_x-forwarded-client-cert` header, ``Hash`` is always set, and
+  // ``By`` is always set when the client certificate presents the URI type Subject Alternative Name
   // value.
   SetCurrentClientCertDetails set_current_client_cert_details = 17;
 
@@ -640,7 +640,7 @@ message HttpConnectionManager {
   // :ref:`use_remote_address
   // <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.use_remote_address>`
   // is true and represent_ipv4_remote_address_as_ipv4_mapped_ipv6 is true and the remote address is
-  // an IPv4 address, the address will be mapped to IPv6 before it is appended to *x-forwarded-for*.
+  // an IPv4 address, the address will be mapped to IPv6 before it is appended to ``x-forwarded-for``.
   // This is useful for testing compatibility of upstream services that parse the header value. For
   // example, 50.0.0.1 is represented as ::FFFF:50.0.0.1. See `IPv4-Mapped IPv6 Addresses
   // <https://tools.ietf.org/html/rfc4291#section-2.5.5.2>`_ for details. This will also affect the
@@ -654,7 +654,7 @@ message HttpConnectionManager {
   repeated UpgradeConfig upgrade_configs = 23;
 
   // Should paths be normalized according to RFC 3986 before any processing of
-  // requests by HTTP filters or routing? This affects the upstream *:path* header
+  // requests by HTTP filters or routing? This affects the upstream ``:path`` header
   // as well. For paths that fail this check, Envoy will respond with 400 to
   // paths that are malformed. This defaults to false currently but will default
   // true in the future. When not specified, this value may be overridden by the
@@ -670,7 +670,7 @@ message HttpConnectionManager {
   google.protobuf.BoolValue normalize_path = 30;
 
   // Determines if adjacent slashes in the path are merged into one before any processing of
-  // requests by HTTP filters or routing. This affects the upstream *:path* header as well. Without
+  // requests by HTTP filters or routing. This affects the upstream ``:path`` header as well. Without
   // setting this option, incoming requests with path ``//dir///file`` will not match against route
   // with ``prefix`` match set to ``/dir``. Defaults to ``false``. Note that slash merging is not part of
   // `HTTP spec <https://tools.ietf.org/html/rfc3986>`_ and is provided for convenience.
@@ -750,14 +750,14 @@ message HttpConnectionManager {
   // <envoy_v3_api_field_config.core.v3.Http1ProtocolOptions.override_stream_error_on_invalid_http_message>` or the new HTTP/2 option
   // :ref:`override_stream_error_on_invalid_http_message
   // <envoy_v3_api_field_config.core.v3.Http2ProtocolOptions.override_stream_error_on_invalid_http_message>`
-  // *not* the deprecated but similarly named :ref:`stream_error_on_invalid_http_messaging
+  // ``not`` the deprecated but similarly named :ref:`stream_error_on_invalid_http_messaging
   // <envoy_v3_api_field_config.core.v3.Http2ProtocolOptions.stream_error_on_invalid_http_messaging>`
   google.protobuf.BoolValue stream_error_on_invalid_http_message = 40;
 
   // [#not-implemented-hide:] Path normalization configuration. This includes
   // configurations for transformations (e.g. RFC 3986 normalization or merge
   // adjacent slashes) and the policy to apply them. The policy determines
-  // whether transformations affect the forwarded *:path* header. RFC 3986 path
+  // whether transformations affect the forwarded ``:path`` header. RFC 3986 path
   // normalization is enabled by default and the default policy is that the
   // normalized header will be forwarded. See :ref:`PathNormalizationOptions
   // <envoy_v3_api_msg_extensions.filters.network.http_connection_manager.v3.PathNormalizationOptions>`

envoy/extensions/filters/network/redis_proxy/v3/redis_proxy.proto

@@ -312,10 +312,10 @@ message RedisProxy {
 
   // If a username is provided an ACL style AUTH command will be required with a username and password.
   // Authenticate Redis client connections locally by forcing downstream clients to issue a `Redis
-  // AUTH command <https://redis.io/commands/auth>`_ with this username and the *downstream_auth_password*
+  // AUTH command <https://redis.io/commands/auth>`_ with this username and the ``downstream_auth_password``
   // before enabling any other command. If an AUTH command's username and password matches this username
-  // and the *downstream_auth_password* , an "OK" response will be returned to the client. If the AUTH
-  // command username or password does not match this username or the *downstream_auth_password*, then an
+  // and the ``downstream_auth_password`` , an "OK" response will be returned to the client. If the AUTH
+  // command username or password does not match this username or the ``downstream_auth_password``, then an
   // "WRONGPASS invalid username-password pair" error will be returned. If any other command is received before AUTH when this
   // password is set, then a "NOAUTH Authentication required." error response will be sent to the
   // client. If an AUTH command is received when the password is not set, then an "ERR Client sent

envoy/extensions/filters/network/tcp_proxy/v3/tcp_proxy.proto

@@ -53,7 +53,7 @@ message TcpProxy {
       // for load balancing. Note that this will be merged with what's provided in
       // :ref:`TcpProxy.metadata_match
       // <envoy_v3_api_field_extensions.filters.network.tcp_proxy.v3.TcpProxy.metadata_match>`, with values
-      // here taking precedence. The filter name should be specified as *envoy.lb*.
+      // here taking precedence. The filter name should be specified as ``envoy.lb``.
       config.core.v3.Metadata metadata_match = 3;
     }
 
@@ -96,7 +96,7 @@ message TcpProxy {
     // Additional request headers to upstream proxy. This is mainly used to
     // trigger upstream to convert POST requests back to CONNECT requests.
     //
-    // Neither *:-prefixed* pseudo-headers nor the Host: header can be overridden.
+    // Neither ``:-prefixed`` pseudo-headers nor the Host: header can be overridden.
     repeated config.core.v3.HeaderValueOption headers_to_add = 3
         [(validate.rules).repeated = {max_items: 1000}];
   }
@@ -149,7 +149,7 @@ message TcpProxy {
 
   // Optional endpoint metadata match criteria. Only endpoints in the upstream
   // cluster with metadata matching that set in metadata_match will be
-  // considered. The filter name should be specified as *envoy.lb*.
+  // considered. The filter name should be specified as ``envoy.lb``.
   config.core.v3.Metadata metadata_match = 9;
 
   // The idle timeout for connections managed by the TCP proxy filter. The idle timeout

envoy/extensions/filters/network/thrift_proxy/v3/thrift_proxy.proto

@@ -65,7 +65,7 @@ enum ProtocolType {
 
 message Trds {
   // Configuration source specifier.
-  // In case of *api_config_source* only aggregated *api_type* is supported.
+  // In case of ``api_config_source`` only aggregated ``api_type`` is supported.
   config.core.v3.ConfigSource config_source = 1 [(validate.rules).message = {required: true}];
 
   // The name of the route configuration. This allows to use different route
@@ -91,11 +91,11 @@ message ThriftProxy {
   string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
 
   // The route table for the connection manager is static and is specified in this property.
-  // It is invalid to define both *route_config* and *trds*.
+  // It is invalid to define both ``route_config`` and ``trds``.
   RouteConfiguration route_config = 4
       [(udpa.annotations.field_migrate).oneof_promotion = "route_specifier"];
 
-  // Use xDS to fetch the route configuration. It is invalid to define both *route_config* and *trds*.
+  // Use xDS to fetch the route configuration. It is invalid to define both ``route_config`` and ``trds``.
   Trds trds = 8 [(udpa.annotations.field_migrate).oneof_promotion = "route_specifier"];
 
   // A list of individual Thrift filters that make up the filter chain for requests made to the

envoy/extensions/filters/udp/dns_filter/v3/dns_filter.proto

@@ -78,12 +78,12 @@ message DnsFilterConfig {
     // or any other DNS resolver types and the related parameters.
     // For example, an object of
     // :ref:`CaresDnsResolverConfig <envoy_v3_api_msg_extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig>`
-    // can be packed into this *typed_dns_resolver_config*. This configuration replaces the
+    // can be packed into this ``typed_dns_resolver_config``. This configuration replaces the
     // :ref:`dns_resolution_config <envoy_v3_api_field_extensions.filters.udp.dns_filter.v3.DnsFilterConfig.ClientContextConfig.dns_resolution_config>`
     // configuration.
-    // During the transition period when both *dns_resolution_config* and *typed_dns_resolver_config* exists,
-    // when *typed_dns_resolver_config* is in place, Envoy will use it and ignore *dns_resolution_config*.
-    // When *typed_dns_resolver_config* is missing, the default behavior is in place.
+    // During the transition period when both ``dns_resolution_config`` and ``typed_dns_resolver_config`` exists,
+    // when ``typed_dns_resolver_config`` is in place, Envoy will use it and ignore ``dns_resolution_config``.
+    // When ``typed_dns_resolver_config`` is missing, the default behavior is in place.
     // [#extension-category: envoy.network.dns_resolver]
     config.core.v3.TypedExtensionConfig typed_dns_resolver_config = 4;
 

envoy/extensions/filters/udp/udp_proxy/v3/udp_proxy.proto

@@ -75,7 +75,7 @@ message UdpProxyConfig {
   google.protobuf.Duration idle_timeout = 3;
 
   // Use the remote downstream IP address as the sender IP address when sending packets to upstream hosts.
-  // This option requires Envoy to be run with the *CAP_NET_ADMIN* capability on Linux.
+  // This option requires Envoy to be run with the ``CAP_NET_ADMIN`` capability on Linux.
   // And the IPv6 stack must be enabled on Linux kernel.
   // This option does not preserve the remote downstream port.
   // If this option is enabled, the IP address of sent datagrams will be changed to the remote downstream IP address.

envoy/extensions/matching/common_inputs/network/v3/network_inputs.proto

@@ -73,7 +73,7 @@ message TransportProtocolInput {
 // Examples:
 //
 // * ``'h2','http/1.1'``
-// * ``'h2c'```
+// * ``'h2c'``
 //
 // Suggested values in the list include:
 //

envoy/extensions/request_id/uuid/v3/uuid.proto

@@ -24,7 +24,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 //    <https://en.wikipedia.org/wiki/Universally_unique_identifier#Version_4_(random)>`_.
 //
 // 3. Tracing decision (sampled, forced, etc) is set in 14th nibble of the UUID. By default this will
-//    overwrite existing UUIDs received in the *x-request-id* header if the trace sampling decision
+//    overwrite existing UUIDs received in the ``x-request-id`` header if the trace sampling decision
 //    is changed. The 14th nibble of the UUID4 has been chosen because it is fixed to '4' by the
 //    standard. Thus, '4' indicates a default UUID and no trace status. This nibble is swapped to:
 //

envoy/extensions/retry/host/omit_host_metadata/v3/omit_host_metadata_config.proto

@@ -25,6 +25,6 @@ message OmitHostMetadataConfig {
   // Retry host predicate metadata match criteria. The hosts in
   // the upstream cluster with matching metadata will be omitted while
   // attempting a retry of a failed request. The metadata should be specified
-  // under the *envoy.lb* key.
+  // under the ``envoy.lb`` key.
   config.core.v3.Metadata metadata_match = 1;
 }

envoy/extensions/transport_sockets/tls/v3/common.proto

@@ -142,24 +142,24 @@ message TlsCertificate {
 
   // The TLS certificate chain.
   //
-  // If *certificate_chain* is a filesystem path, a watch will be added to the
+  // If ``certificate_chain`` is a filesystem path, a watch will be added to the
   // parent directory for any file moves to support rotation. This currently
-  // only applies to dynamic secrets, when the *TlsCertificate* is delivered via
+  // only applies to dynamic secrets, when the ``TlsCertificate`` is delivered via
   // SDS.
   config.core.v3.DataSource certificate_chain = 1;
 
   // The TLS private key.
   //
-  // If *private_key* is a filesystem path, a watch will be added to the parent
+  // If ``private_key`` is a filesystem path, a watch will be added to the parent
   // directory for any file moves to support rotation. This currently only
-  // applies to dynamic secrets, when the *TlsCertificate* is delivered via SDS.
+  // applies to dynamic secrets, when the ``TlsCertificate`` is delivered via SDS.
   config.core.v3.DataSource private_key = 2 [(udpa.annotations.sensitive) = true];
 
   // ``Pkcs12`` data containing TLS certificate, chain, and private key.
   //
-  // If *pkcs12* is a filesystem path, the file will be read, but no watch will
-  // be added to the parent directory, since *pkcs12* isn't used by SDS.
-  // This field is mutually exclusive with *certificate_chain*, *private_key* and *private_key_provider*.
+  // If ``pkcs12`` is a filesystem path, the file will be read, but no watch will
+  // be added to the parent directory, since ``pkcs12`` isn't used by SDS.
+  // This field is mutually exclusive with ``certificate_chain``, ``private_key`` and ``private_key_provider``.
   // This can't be marked as ``oneof`` due to API compatibility reasons. Setting
   // both :ref:`private_key <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>`,
   // :ref:`certificate_chain <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.certificate_chain>`,
@@ -170,14 +170,14 @@ message TlsCertificate {
   // to specify the password to unprotect the ``PKCS12`` data, if necessary.
   config.core.v3.DataSource pkcs12 = 8 [(udpa.annotations.sensitive) = true];
 
-  // If specified, updates of file-based *certificate_chain* and *private_key*
+  // If specified, updates of file-based ``certificate_chain`` and ``private_key``
   // sources will be triggered by this watch. The certificate/key pair will be
   // read together and validated for atomic read consistency (i.e. no
   // intervening modification occurred between cert/key read, verified by file
   // hash comparisons). This allows explicit control over the path watched, by
   // default the parent directories of the filesystem paths in
-  // *certificate_chain* and *private_key* are watched if this field is not
-  // specified. This only applies when a *TlsCertificate* is delivered by SDS
+  // ``certificate_chain`` and ``private_key`` are watched if this field is not
+  // specified. This only applies when a ``TlsCertificate`` is delivered by SDS
   // with references to filesystem paths. See the :ref:`SDS key rotation
   // <sds_key_rotation>` documentation for further details.
   config.core.v3.WatchedDirectory watched_directory = 7;
@@ -320,12 +320,12 @@ message CertificateValidationContext {
   // See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
   // system CA locations.
   //
-  // If *trusted_ca* is a filesystem path, a watch will be added to the parent
+  // If ``trusted_ca`` is a filesystem path, a watch will be added to the parent
   // directory for any file moves to support rotation. This currently only
-  // applies to dynamic secrets, when the *CertificateValidationContext* is
+  // applies to dynamic secrets, when the ``CertificateValidationContext`` is
   // delivered via SDS.
   //
-  // Only one of *trusted_ca* and *ca_certificate_provider_instance* may be specified.
+  // Only one of ``trusted_ca`` and ``ca_certificate_provider_instance`` may be specified.
   //
   // [#next-major-version: This field and watched_directory below should ideally be moved into a
   // separate sub-message, since there's no point in specifying the latter field without this one.]
@@ -334,16 +334,16 @@ message CertificateValidationContext {
 
   // Certificate provider instance for fetching TLS certificates.
   //
-  // Only one of *trusted_ca* and *ca_certificate_provider_instance* may be specified.
+  // Only one of ``trusted_ca`` and ``ca_certificate_provider_instance`` may be specified.
   // [#not-implemented-hide:]
   CertificateProviderPluginInstance ca_certificate_provider_instance = 13
       [(udpa.annotations.field_migrate).oneof_promotion = "ca_cert_source"];
 
-  // If specified, updates of a file-based *trusted_ca* source will be triggered
+  // If specified, updates of a file-based ``trusted_ca`` source will be triggered
   // by this watch. This allows explicit control over the path watched, by
-  // default the parent directory of the filesystem path in *trusted_ca* is
+  // default the parent directory of the filesystem path in ``trusted_ca`` is
   // watched if this field is not specified. This only applies when a
-  // *CertificateValidationContext* is delivered by SDS with references to
+  // ``CertificateValidationContext`` is delivered by SDS with references to
   // filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
   // documentation for further details.
   config.core.v3.WatchedDirectory watched_directory = 11;

envoy/extensions/transport_sockets/tls/v3/tls.proto

@@ -210,13 +210,13 @@ message CommonTlsContext {
         [(validate.rules).message = {required: true}];
 
     // Certificate provider for fetching CA certs. This will populate the
-    // *default_validation_context.trusted_ca* field.
+    // ``default_validation_context.trusted_ca`` field.
     // [#not-implemented-hide:]
     CertificateProvider validation_context_certificate_provider = 3
         [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
 
     // Certificate provider instance for fetching CA certs. This will populate the
-    // *default_validation_context.trusted_ca* field.
+    // ``default_validation_context.trusted_ca`` field.
     // [#not-implemented-hide:]
     CertificateProviderInstance validation_context_certificate_provider_instance = 4
         [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
@@ -234,8 +234,8 @@ message CommonTlsContext {
   // RSA certificate is used for clients that only support RSA and the first ECDSA certificate is
   // used for clients that support ECDSA.
   //
-  // Only one of *tls_certificates*, *tls_certificate_sds_secret_configs*,
-  // and *tls_certificate_provider_instance* may be used.
+  // Only one of ``tls_certificates``, ``tls_certificate_sds_secret_configs``,
+  // and ``tls_certificate_provider_instance`` may be used.
   // [#next-major-version: These mutually exclusive fields should ideally be in a oneof, but it's
   // not legal to put a repeated field in a oneof. In the next major version, we should rework
   // this to avoid this problem.]
@@ -247,8 +247,8 @@ message CommonTlsContext {
   // The same number and types of certificates as :ref:`tls_certificates <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CommonTlsContext.tls_certificates>`
   // are valid in the the certificates fetched through this setting.
   //
-  // Only one of *tls_certificates*, *tls_certificate_sds_secret_configs*,
-  // and *tls_certificate_provider_instance* may be used.
+  // Only one of ``tls_certificates``, ``tls_certificate_sds_secret_configs``,
+  // and ``tls_certificate_provider_instance`` may be used.
   // [#next-major-version: These mutually exclusive fields should ideally be in a oneof, but it's
   // not legal to put a repeated field in a oneof. In the next major version, we should rework
   // this to avoid this problem.]
@@ -257,8 +257,8 @@ message CommonTlsContext {
 
   // Certificate provider instance for fetching TLS certs.
   //
-  // Only one of *tls_certificates*, *tls_certificate_sds_secret_configs*,
-  // and *tls_certificate_provider_instance* may be used.
+  // Only one of ``tls_certificates``, ``tls_certificate_sds_secret_configs``,
+  // and ``tls_certificate_provider_instance`` may be used.
   // [#not-implemented-hide:]
   CertificateProviderPluginInstance tls_certificate_provider_instance = 14;
 

envoy/extensions/upstreams/http/v3/http_protocol_options.proto

@@ -94,9 +94,9 @@ message HttpProtocolOptions {
 
   // If this is used, the cluster can use either HTTP/1 or HTTP/2, and will use whichever
   // protocol is negotiated by ALPN with the upstream.
-  // Clusters configured with *AutoHttpConfig* will use the highest available
+  // Clusters configured with ``AutoHttpConfig`` will use the highest available
   // protocol; HTTP/2 if supported, otherwise HTTP/1.
-  // If the upstream does not support ALPN, *AutoHttpConfig* will fail over to HTTP/1.
+  // If the upstream does not support ALPN, ``AutoHttpConfig`` will fail over to HTTP/1.
   // This can only be used with transport sockets which support ALPN. Using a
   // transport socket which does not support ALPN will result in configuration
   // failure. The transport layer may be configured with custom ALPN, but the default ALPN
@@ -137,8 +137,8 @@ message HttpProtocolOptions {
   oneof upstream_protocol_options {
     option (validate.required) = true;
 
-    // To explicitly configure either HTTP/1 or HTTP/2 (but not both!) use *explicit_http_config*.
-    // If the *explicit_http_config* is empty, HTTP/1.1 is used.
+    // To explicitly configure either HTTP/1 or HTTP/2 (but not both!) use ``explicit_http_config``.
+    // If the ``explicit_http_config`` is empty, HTTP/1.1 is used.
     ExplicitHttpConfig explicit_http_config = 3;
 
     // This allows switching on protocol based on what protocol the downstream

envoy/extensions/wasm/v3/wasm.proto

@@ -21,7 +21,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // Configuration for restricting Proxy-Wasm capabilities available to modules.
 message CapabilityRestrictionConfig {
   // The Proxy-Wasm capabilities which will be allowed. Capabilities are mapped by
-  // name. The *SanitizationConfig* which each capability maps to is currently unimplemented and ignored,
+  // name. The ``SanitizationConfig`` which each capability maps to is currently unimplemented and ignored,
   // and so should be left empty.
   //
   // The capability names are given in the
@@ -29,8 +29,8 @@ message CapabilityRestrictionConfig {
   // Additionally, the following WASI capabilities from
   // `this list <https://github.com/WebAssembly/WASI/blob/master/phases/snapshot/docs.md#modules>`_
   // are implemented and can be allowed:
-  // *fd_write*, *fd_read*, *fd_seek*, *fd_close*, *fd_fdstat_get*, *environ_get*, *environ_sizes_get*,
-  // *args_get*, *args_sizes_get*, *proc_exit*, *clock_time_get*, *random_get*.
+  // ``fd_write``, ``fd_read``, ``fd_seek``, ``fd_close``, ``fd_fdstat_get``, ``environ_get``, ``environ_sizes_get``,
+  // ``args_get``, ``args_sizes_get``, ``proc_exit``, ``clock_time_get``, ``random_get``.
   map<string, SanitizationConfig> allowed_capabilities = 1;
 }
 
@@ -45,7 +45,7 @@ message SanitizationConfig {
 message VmConfig {
   // An ID which will be used along with a hash of the wasm code (or the name of the registered Null
   // VM plugin) to determine which VM will be used for the plugin. All plugins which use the same
-  // *vm_id* and code will use the same VM. May be left blank. Sharing a VM between plugins can
+  // ``vm_id`` and code will use the same VM. May be left blank. Sharing a VM between plugins can
   // reduce memory utilization and make sharing of data easier which may have security implications.
   // [#comment: TODO: add ref for details.]
   string vm_id = 1;
@@ -57,7 +57,7 @@ message VmConfig {
   // .. _extension_envoy.wasm.runtime.null:
   //
   // **envoy.wasm.runtime.null**: Null sandbox, the Wasm module must be compiled and linked into the
-  // Envoy binary. The registered name is given in the *code* field as *inline_string*.
+  // Envoy binary. The registered name is given in the ``code`` field as ``inline_string``.
   //
   // .. _extension_envoy.wasm.runtime.v8:
   //
@@ -121,13 +121,13 @@ message EnvironmentVariables {
 // [#next-free-field: 7]
 message PluginConfig {
   // A unique name for a filters/services in a VM for use in identifying the filter/service if
-  // multiple filters/services are handled by the same *vm_id* and *root_id* and for
+  // multiple filters/services are handled by the same ``vm_id`` and ``root_id`` and for
   // logging/debugging.
   string name = 1;
 
   // A unique ID for a set of filters/services in a VM which will share a RootContext and Contexts
   // if applicable (e.g. an Wasm HttpFilter and an Wasm AccessLog). If left blank, all
-  // filters/services with a blank root_id with the same *vm_id* will share Context(s).
+  // filters/services with a blank root_id with the same ``vm_id`` will share Context(s).
   string root_id = 2;
 
   // Configuration for finding or starting VM.
@@ -154,7 +154,7 @@ message PluginConfig {
   CapabilityRestrictionConfig capability_restriction_config = 6;
 }
 
-// WasmService is configured as a built-in *envoy.wasm_service* :ref:`WasmService
+// WasmService is configured as a built-in ``envoy.wasm_service`` :ref:`WasmService
 // <config_wasm_service>` This opaque configuration will be used to create a Wasm Service.
 message WasmService {
   // General plugin configuration.

envoy/service/discovery/v3/discovery.proto

@@ -68,12 +68,12 @@ message DiscoveryRequest {
   repeated string resource_names = 3;
 
   // [#not-implemented-hide:]
-  // Alternative to *resource_names* field that allows specifying dynamic
+  // Alternative to ``resource_names`` field that allows specifying dynamic
   // parameters along with each resource name. Clients that populate this
   // field must be able to handle responses from the server where resources
   // are wrapped in a Resource message.
   // Note that it is legal for a request to have some resources listed
-  // in *resource_names* and others in *resource_locators*.
+  // in ``resource_names`` and others in ``resource_locators``.
   repeated ResourceLocator resource_locators = 7;
 
   // Type of the resource that is being requested, e.g.
@@ -90,7 +90,7 @@ message DiscoveryRequest {
   string response_nonce = 5;
 
   // This is populated when the previous :ref:`DiscoveryResponse <envoy_v3_api_msg_service.discovery.v3.DiscoveryResponse>`
-  // failed to update configuration. The *message* field in *error_details* provides the Envoy
+  // failed to update configuration. The ``message`` field in ``error_details`` provides the Envoy
   // internal exception related to the failure. It is only intended for consumption during manual
   // debugging, the string provided is not guaranteed to be stable across Envoy versions.
   google.rpc.Status error_detail = 6;
@@ -180,9 +180,9 @@ message DeltaDiscoveryRequest {
   config.core.v3.Node node = 1;
 
   // Type of the resource that is being requested, e.g.
-  // "type.googleapis.com/envoy.api.v2.ClusterLoadAssignment". This does not need to be set if
-  // resources are only referenced via *xds_resource_subscribe* and
-  // *xds_resources_unsubscribe*.
+  // ``type.googleapis.com/envoy.api.v2.ClusterLoadAssignment``. This does not need to be set if
+  // resources are only referenced via ``xds_resource_subscribe`` and
+  // ``xds_resources_unsubscribe``.
   string type_url = 2;
 
   // DeltaDiscoveryRequests allow the client to add or remove individual
@@ -212,17 +212,17 @@ message DeltaDiscoveryRequest {
   repeated string resource_names_unsubscribe = 4;
 
   // [#not-implemented-hide:]
-  // Alternative to *resource_names_subscribe* field that allows specifying dynamic parameters
+  // Alternative to ``resource_names_subscribe`` field that allows specifying dynamic parameters
   // along with each resource name.
   // Note that it is legal for a request to have some resources listed
-  // in *resource_names_subscribe* and others in *resource_locators_subscribe*.
+  // in ``resource_names_subscribe`` and others in ``resource_locators_subscribe``.
   repeated ResourceLocator resource_locators_subscribe = 8;
 
   // [#not-implemented-hide:]
-  // Alternative to *resource_names_unsubscribe* field that allows specifying dynamic parameters
+  // Alternative to ``resource_names_unsubscribe`` field that allows specifying dynamic parameters
   // along with each resource name.
   // Note that it is legal for a request to have some resources listed
-  // in *resource_names_unsubscribe* and others in *resource_locators_unsubscribe*.
+  // in ``resource_names_unsubscribe`` and others in ``resource_locators_unsubscribe``.
   repeated ResourceLocator resource_locators_unsubscribe = 9;
 
   // Informs the server of the versions of the resources the xDS client knows of, to enable the
@@ -242,7 +242,7 @@ message DeltaDiscoveryRequest {
   string response_nonce = 6;
 
   // This is populated when the previous :ref:`DiscoveryResponse <envoy_v3_api_msg_service.discovery.v3.DiscoveryResponse>`
-  // failed to update configuration. The *message* field in *error_details*
+  // failed to update configuration. The ``message`` field in ``error_details``
   // provides the Envoy internal exception related to the failure.
   google.rpc.Status error_detail = 7;
 }
@@ -346,13 +346,13 @@ message Resource {
   }
 
   // The resource's name, to distinguish it from others of the same type of resource.
-  // Only one of *name* or *resource_name* may be set.
+  // Only one of ``name`` or ``resource_name`` may be set.
   string name = 3;
 
-  // Alternative to the *name* field, to be used when the server supports
+  // Alternative to the ``name`` field, to be used when the server supports
   // multiple variants of the named resource that are differentiated by
   // dynamic parameter constraints.
-  // Only one of *name* or *resource_name* may be set.
+  // Only one of ``name`` or ``resource_name`` may be set.
   ResourceName resource_name = 8;
 
   // The aliases are a list of other names that this resource can go by.

envoy/service/ext_proc/v3/external_processor.proto

@@ -65,10 +65,10 @@ message ProcessingRequest {
   // or asynchronous mode. The choice of synchronous or asynchronous mode
   // can be set in the filter configuration, and defaults to false.
   //
-  // * A value of "false" indicates that the server must respond
+  // * A value of ``false`` indicates that the server must respond
   //   to this message by either sending back a matching ProcessingResponse message,
   //   or by closing the stream.
-  // * A value of "true" indicates that the server must not respond to this
+  // * A value of ``true`` indicates that the server must not respond to this
   //   message, although it may still close the stream to indicate that no more messages
   //   are needed.
   //
@@ -81,37 +81,37 @@ message ProcessingRequest {
     option (validate.required) = true;
 
     // Information about the HTTP request headers, as well as peer info and additional
-    // properties. Unless "async_mode" is true, the server must send back a
+    // properties. Unless ``async_mode`` is ``true``, the server must send back a
     // HeaderResponse message, an ImmediateResponse message, or close the stream.
     HttpHeaders request_headers = 2;
 
     // Information about the HTTP response headers, as well as peer info and additional
-    // properties. Unless "async_mode" is true, the server must send back a
+    // properties. Unless ``async_mode`` is ``true``, the server must send back a
     // HeaderResponse message or close the stream.
     HttpHeaders response_headers = 3;
 
-    // A chunk of the HTTP request body. Unless "async_mode" is true, the server must send back
+    // A chunk of the HTTP request body. Unless ``async_mode`` is true, the server must send back
     // a BodyResponse message, an ImmediateResponse message, or close the stream.
     HttpBody request_body = 4;
 
-    // A chunk of the HTTP request body. Unless "async_mode" is true, the server must send back
+    // A chunk of the HTTP request body. Unless ``async_mode`` is ``true``, the server must send back
     // a BodyResponse message or close the stream.
     HttpBody response_body = 5;
 
-    // The HTTP trailers for the request path. Unless "async_mode" is true, the server
+    // The HTTP trailers for the request path. Unless ``async_mode`` is ``true``, the server
     // must send back a TrailerResponse message or close the stream.
     //
-    // This message is only sent if the trailers processing mode is set to "SEND".
+    // This message is only sent if the trailers processing mode is set to ``SEND``.
     // If there are no trailers on the original downstream request, then this message
     // will only be sent (with empty trailers waiting to be populated) if the
     // processing mode is set before the request headers are sent, such as
     // in the filter configuration.
     HttpTrailers request_trailers = 6;
 
-    // The HTTP trailers for the response path. Unless "async_mode" is true, the server
+    // The HTTP trailers for the response path. Unless ``async_mode`` is ``true``, the server
     // must send back a TrailerResponse message or close the stream.
     //
-    // This message is only sent if the trailers processing mode is set to "SEND".
+    // This message is only sent if the trailers processing mode is set to ``SEND``.
     // If there are no trailers on the original downstream request, then this message
     // will only be sent (with empty trailers waiting to be populated) if the
     // processing mode is set before the request headers are sent, such as
@@ -120,7 +120,7 @@ message ProcessingRequest {
   }
 }
 
-// For every ProcessingRequest received by the server with the "async_mode" field
+// For every ProcessingRequest received by the server with the ``async_mode`` field
 // set to false, the server must send back exactly one ProcessingResponse message.
 // [#next-free-field: 10]
 message ProcessingResponse {
@@ -128,34 +128,34 @@ message ProcessingResponse {
     option (validate.required) = true;
 
     // The server must send back this message in response to a message with the
-    // "request_headers" field set.
+    // ``request_headers`` field set.
     HeadersResponse request_headers = 1;
 
     // The server must send back this message in response to a message with the
-    // "response_headers" field set.
+    // ``response_headers`` field set.
     HeadersResponse response_headers = 2;
 
     // The server must send back this message in response to a message with
-    // the "request_body" field set.
+    // the ``request_body`` field set.
     BodyResponse request_body = 3;
 
     // The server must send back this message in response to a message with
-    // the "response_body" field set.
+    // the ``response_body`` field set.
     BodyResponse response_body = 4;
 
     // The server must send back this message in response to a message with
-    // the "request_trailers" field set.
+    // the ``request_trailers`` field set.
     TrailersResponse request_trailers = 5;
 
     // The server must send back this message in response to a message with
-    // the "response_trailers" field set.
+    // the ``response_trailers`` field set.
     TrailersResponse response_trailers = 6;
 
     // If specified, attempt to create a locally generated response, send it
     // downstream, and stop processing additional filters and ignore any
     // additional messages received from the remote server for this request or
     // response. If a response has already started -- for example, if this
-    // message is sent response to a "response_body" message -- then
+    // message is sent response to a ``response_body`` message -- then
     // this will either ship the reply directly to the downstream codec,
     // or reset the stream.
     ImmediateResponse immediate_response = 7;
@@ -163,7 +163,7 @@ message ProcessingResponse {
 
   // [#not-implemented-hide:]
   // Optional metadata that will be emitted as dynamic metadata to be consumed by the next
-  // filter. This metadata will be placed in the namespace "envoy.filters.http.ext_proc".
+  // filter. This metadata will be placed in the namespace ``envoy.filters.http.ext_proc``.
   google.protobuf.Struct dynamic_metadata = 8;
 
   // Override how parts of the HTTP request and response are processed
@@ -183,8 +183,8 @@ message HttpHeaders {
   config.core.v3.HeaderMap headers = 1;
 
   // [#not-implemented-hide:]
-  // The values of properties selected by the "request_attributes"
-  // or "response_attributes" list in the configuration. Each entry
+  // The values of properties selected by the ``request_attributes``
+  // or ``response_attributes`` list in the configuration. Each entry
   // in the list is populated
   // from the standard :ref:`attributes <arch_overview_attributes>`
   // supported across Envoy.
@@ -261,7 +261,7 @@ message CommonResponse {
   // Replace the body of the last message sent to the remote server on this
   // stream. If responding to an HttpBody request, simply replace or clear
   // the body chunk that was sent with that request. Body mutations only take
-  // effect in response to "body" messages and are ignored otherwise.
+  // effect in response to ``body`` messages and are ignored otherwise.
   BodyMutation body_mutation = 3;
 
   // [#not-implemented-hide:]
@@ -313,12 +313,12 @@ message GrpcStatus {
 // headers.
 message HeaderMutation {
   // Add or replace HTTP headers. Attempts to set the value of
-  // any "x-envoy" header, and attempts to set the ":method",
-  // ":authority", ":scheme", or "host" headers will be ignored.
+  // any ``x-envoy`` header, and attempts to set the ``:method``,
+  // ``:authority``, ``:scheme``, or ``host`` headers will be ignored.
   repeated config.core.v3.HeaderValueOption set_headers = 1;
 
   // Remove these HTTP headers. Attempts to remove system headers --
-  // any header starting with ":", plus "host" -- will be ignored.
+  // any header starting with ``:``, plus ``host`` -- will be ignored.
   repeated string remove_headers = 2;
 }
 

envoy/service/load_stats/v3/lrs.proto

@@ -79,7 +79,7 @@ message LoadStatsResponse {
       "envoy.service.load_stats.v2.LoadStatsResponse";
 
   // Clusters to report stats for.
-  // Not populated if *send_all_clusters* is true.
+  // Not populated if ``send_all_clusters`` is true.
   repeated string clusters = 1;
 
   // If true, the client should send all clusters it knows about.
@@ -90,14 +90,14 @@ message LoadStatsResponse {
   // The minimum interval of time to collect stats over. This is only a minimum for two reasons:
   //
   // 1. There may be some delay from when the timer fires until stats sampling occurs.
-  // 2. For clusters that were already feature in the previous *LoadStatsResponse*, any traffic
-  //    that is observed in between the corresponding previous *LoadStatsRequest* and this
-  //    *LoadStatsResponse* will also be accumulated and billed to the cluster. This avoids a period
+  // 2. For clusters that were already feature in the previous ``LoadStatsResponse``, any traffic
+  //    that is observed in between the corresponding previous ``LoadStatsRequest`` and this
+  //    ``LoadStatsResponse`` will also be accumulated and billed to the cluster. This avoids a period
   //    of inobservability that might otherwise exists between the messages. New clusters are not
   //    subject to this consideration.
   google.protobuf.Duration load_reporting_interval = 2;
 
-  // Set to *true* if the management server supports endpoint granularity
+  // Set to ``true`` if the management server supports endpoint granularity
   // report.
   bool report_endpoint_granularity = 3;
 }

envoy/service/rate_limit_quota/v3/rlqs.proto

@@ -108,13 +108,13 @@ message RateLimitQuotaResponse {
     // report for the bucket, and start rate limiting requests matched into the bucket
     // using the strategy configured in the :ref:`rate_limit_strategy
     // <envoy_v3_api_field_service.rate_limit_quota.v3.RateLimitQuotaResponse.BucketAction.QuotaAssignmentAction.rate_limit_strategy>`
-    // field. The assignment becomes bucket's *active* assignment.
+    // field. The assignment becomes bucket's ``active`` assignment.
     //
     // **Expiring the assignment**
     //
     // The duration of the assignment defined in the :ref:`assignment_time_to_live
     // <envoy_v3_api_field_service.rate_limit_quota.v3.RateLimitQuotaResponse.BucketAction.QuotaAssignmentAction.assignment_time_to_live>`
-    // field. When the duration runs off, the assignment is *expired*, and no longer *active*.
+    // field. When the duration runs off, the assignment is ``expired``, and no longer ``active``.
     // The data plane should stop applying the rate limiting strategy to the bucket, and transition
     // the bucket to the "expired assignment" state. This activates the behavior configured in the
     // :ref:`expired_assignment_behavior <envoy_v3_api_field_extensions.filters.http.rate_limit_quota.v3.RateLimitQuotaBucketSettings.expired_assignment_behavior>`
@@ -122,17 +122,17 @@ message RateLimitQuotaResponse {
     //
     // **Replacing the assignment**
     //
-    // * If the rate limiting strategy is different from bucket's *active* assignment, or
-    //   the current bucket assignment is *expired*, the data plane must immediately
+    // * If the rate limiting strategy is different from bucket's ``active`` assignment, or
+    //   the current bucket assignment is ``expired``, the data plane must immediately
     //   end the current assignment, report the bucket usage, and apply the new assignment.
-    //   The new assignment becomes bucket's *active* assignment.
-    // * If the rate limiting strategy is the same as the bucket's *active* (not *expired*)
-    //   assignment, the data plane should extend the duration of the *active* assignment
+    //   The new assignment becomes bucket's ``active`` assignment.
+    // `` If the rate limiting strategy is the same as the bucket's ``active`` (not ``expired``)
+    //   assignment, the data plane should extend the duration of the ``active`` assignment
     //   for the duration of the new assignment provided in the :ref:`assignment_time_to_live
     //   <envoy_v3_api_field_service.rate_limit_quota.v3.RateLimitQuotaResponse.BucketAction.QuotaAssignmentAction.assignment_time_to_live>`
-    //   field. The *active* assignment is considered unchanged.
+    //   field. The ``active`` assignment is considered unchanged.
     message QuotaAssignmentAction {
-      // A duration after which the assignment is be considered *expired*. The process of the
+      // A duration after which the assignment is be considered ``expired``. The process of the
       // expiration is described :ref:`above
       // <envoy_v3_api_msg_service.rate_limit_quota.v3.RateLimitQuotaResponse.BucketAction.QuotaAssignmentAction>`.
       //

envoy/service/route/v3/rds.proto

@@ -46,9 +46,9 @@ service RouteDiscoveryService {
 // during the processing of an HTTP request if a route for the request cannot be resolved. The
 // :ref:`resource_names_subscribe <envoy_v3_api_field_service.discovery.v3.DeltaDiscoveryRequest.resource_names_subscribe>`
 // field contains a list of virtual host names or aliases to track. The contents of an alias would
-// be the contents of a *host* or *authority* header used to make an http request. An xDS server
+// be the contents of a ``host`` or ``authority`` header used to make an http request. An xDS server
 // will match an alias to a virtual host based on the content of :ref:`domains'
-// <envoy_v3_api_field_config.route.v3.VirtualHost.domains>` field. The *resource_names_unsubscribe* field
+// <envoy_v3_api_field_config.route.v3.VirtualHost.domains>` field. The ``resource_names_unsubscribe`` field
 // contains a list of virtual host names that have been :ref:`unsubscribed
 // <xds_protocol_unsubscribe>` from the routing table associated with the RouteConfiguration.
 service VirtualHostDiscoveryService {

envoy/type/matcher/v3/path.proto

@@ -25,7 +25,7 @@ message PathMatcher {
 
     // The ``path`` must match the URL path portion of the :path header. The query and fragment
     // string (if present) are removed in the URL path portion.
-    // For example, the path */data* will match the *:path* header */data#fragment?param=value*.
+    // For example, the path ``/data`` will match the ``:path`` header ``/data#fragment?param=value``.
     StringMatcher path = 1 [(validate.rules).message = {required: true}];
   }
 }

envoy/type/matcher/v3/string.proto

@@ -32,7 +32,7 @@ message StringMatcher {
     //
     // Examples:
     //
-    // * *abc* only matches the value *abc*.
+    // * ``abc`` only matches the value ``abc``.
     string exact = 1;
 
     // The input string must have the prefix specified here.
@@ -40,7 +40,7 @@ message StringMatcher {
     //
     // Examples:
     //
-    // * *abc* matches the value *abc.xyz*
+    // * ``abc`` matches the value ``abc.xyz``
     string prefix = 2 [(validate.rules).string = {min_len: 1}];
 
     // The input string must have the suffix specified here.
@@ -48,7 +48,7 @@ message StringMatcher {
     //
     // Examples:
     //
-    // * *abc* matches the value *xyz.abc*
+    // * ``abc`` matches the value ``xyz.abc``
     string suffix = 3 [(validate.rules).string = {min_len: 1}];
 
     // The input string must match the regular expression specified here.
@@ -59,13 +59,13 @@ message StringMatcher {
     //
     // Examples:
     //
-    // * *abc* matches the value *xyz.abc.def*
+    // * ``abc`` matches the value ``xyz.abc.def``
     string contains = 7 [(validate.rules).string = {min_len: 1}];
   }
 
   // If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. This
   // has no effect for the safe_regex match.
-  // For example, the matcher *data* will match both input string *Data* and *data* if set to true.
+  // For example, the matcher ``data`` will match both input string ``Data`` and ``data`` if set to true.
   bool ignore_case = 6;
 }