docs: Fix backticks in api protos (#22026)

Signed-off-by: Albere <alberenorthey@gmail.com>

Signed-off-by: Ryan Northey <ryan@synca.io>

Co-authored-by: Albere <alberenorthey@gmail.com>

Mirrored from https://github.com/envoyproxy/envoy @ e19476d62956b60688de2b6109de1cf4dea6ae19

contrib/envoy/extensions/filters/http/sxg/v3alpha/sxg.proto

@@ -48,20 +48,20 @@ message SXG {
   // URL to retrieve validity data for signature, a CBOR map. See specification [here](https://tools.ietf.org/html/draft-yasskin-httpbis-origin-signed-exchanges-impl-00#section-3.6)
   string validity_url = 6 [(validate.rules).string = {min_len: 1 prefix: "/"}];
 
-  // Header that will be set if it is determined that the client can accept SXG (typically `accept: application/signed-exchange;v=b3)
-  // If not set, filter will default to: `x-client-can-accept-sxg`
+  // Header that will be set if it is determined that the client can accept SXG (typically ``accept: application/signed-exchange;v=b3``)
+  // If not set, filter will default to: ``x-client-can-accept-sxg``
   string client_can_accept_sxg_header = 7 [
     (validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false ignore_empty: true}
   ];
 
   // Header set by downstream service to signal that the response should be transformed to SXG If not set,
-  // filter will default to: `x-should-encode-sxg`
+  // filter will default to: ``x-should-encode-sxg``
   string should_encode_sxg_header = 8 [
     (validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false ignore_empty: true}
   ];
 
-  // Headers that will be stripped from the SXG document, by listing a prefix (i.e. `x-custom-` will cause
-  // all headers prefixed by `x-custom-` to be omitted from the SXG document)
+  // Headers that will be stripped from the SXG document, by listing a prefix (i.e. ``x-custom-`` will cause
+  // all headers prefixed by ``x-custom-`` to be omitted from the SXG document)
   repeated string header_prefix_filters = 9 [
     (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}}
   ];

contrib/envoy/extensions/filters/network/sip_proxy/v3alpha/sip_proxy.proto

@@ -81,7 +81,7 @@ message SipProxy {
   // A list of individual Sip filters that make up the filter chain for requests made to the
   // Sip proxy. Order matters as the filters are processed sequentially. For backwards
   // compatibility, if no sip_filters are specified, a default Sip router filter
-  // (`envoy.filters.sip.router`) is used.
+  // (``envoy.filters.sip.router``) is used.
   // [#extension-category: envoy.sip_proxy.filters]
   repeated SipFilter sip_filters = 3;
 
@@ -104,7 +104,7 @@ message SipFilter {
 
 // SipProtocolOptions specifies Sip upstream protocol options. This object is used in
 // :ref:`typed_extension_protocol_options<envoy_v3_api_field_config.cluster.v3.Cluster.typed_extension_protocol_options>`,
-// keyed by the name `envoy.filters.network.sip_proxy`.
+// keyed by the name ``envoy.filters.network.sip_proxy``.
 message SipProtocolOptions {
   // All sip messages in one dialog should go to the same endpoint.
   bool session_affinity = 1;

contrib/envoy/extensions/matching/input_matchers/hyperscan/v3alpha/hyperscan.proto

@@ -37,20 +37,20 @@ message Hyperscan {
 
     // Matching will be performed case-insensitively.
     //
-    // The expression may still use PCRE tokens (notably `(?i)` and `(?-i)`) to switch
+    // The expression may still use PCRE tokens (notably ``(?i)`` and ``(?-i)``) to switch
     // case-insensitive matching on and off.
     bool caseless = 3;
 
-    // Matching a `.` will not exclude newlines.
+    // Matching a ``.`` will not exclude newlines.
     bool dot_all = 4;
 
-    // `^` and `$` anchors match any newlines in data.
+    // ``^`` and ``$`` anchors match any newlines in data.
     bool multiline = 5;
 
     // Allow expressions which can match against an empty string.
     //
     // This option instructs the compiler to allow expressions that can match against empty buffers,
-    // such as `.?`, `.*`, `(a|)`. Since Hyperscan can return every possible match for an expression,
+    // such as ``.?``, ``.*``, ``(a|)``. Since Hyperscan can return every possible match for an expression,
     // such expressions generally execute very slowly.
     bool allow_empty = 6;
 
@@ -60,15 +60,15 @@ message Hyperscan {
     // Use Unicode properties for character classes.
     //
     // This option instructs Hyperscan to use Unicode properties, rather than the default ASCII
-    // interpretations, for character mnemonics like `\w` and `\s` as well as the POSIX character
-    // classes. It is only meaningful in conjunction with `utf8`.
+    // interpretations, for character mnemonics like ``\w`` and ``\s`` as well as the POSIX character
+    // classes. It is only meaningful in conjunction with ``utf8``.
     bool ucp = 8;
 
     // Logical combination.
     //
     // This option instructs Hyperscan to parse this expression as logical combination syntax.
     // Logical constraints consist of operands, operators and parentheses. The operands are
-    // expression indices, and operators can be `!`, `&` or `|`.
+    // expression indices, and operators can be ``!``, ``&`` or ``|``.
     bool combination = 9;
 
     // Don’t do any match reporting.

contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha/cryptomb.proto

@@ -20,10 +20,10 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#extension: envoy.tls.key_providers.cryptomb]
 
 // A CryptoMbPrivateKeyMethodConfig message specifies how the CryptoMb private
-// key provider is configured. The private key provider provides `SIMD`
+// key provider is configured. The private key provider provides ``SIMD``
 // processing for RSA sign and decrypt operations (ECDSA signing uses regular
 // BoringSSL functions). The provider works by gathering the operations into a
-// worker-thread specific queue, and processing the queue using `ipp-crypto`
+// worker-thread specific queue, and processing the queue using ``ipp-crypto``
 // library when the queue is full or when a timer expires.
 // [#extension-category: envoy.tls.key_providers]
 message CryptoMbPrivateKeyMethodConfig {

contrib/envoy/extensions/vcl/v3alpha/vcl_socket_interface.proto

@@ -15,6 +15,6 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // VCL :ref:`configuration overview <config_sock_interface_vcl>`.
 // [#extension: envoy.bootstrap.vcl]
 
-// Configuration for vcl socket interface that relies on `vpp` `comms` library (VCL)
+// Configuration for vcl socket interface that relies on ``vpp`` ``comms`` library (VCL)
 message VclSocketInterface {
 }

envoy/admin/v3/certs.proto

@@ -15,7 +15,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // [#protodoc-title: Certificates]
 
-// Proto representation of certificate details. Admin endpoint uses this wrapper for `/certs` to
+// Proto representation of certificate details. Admin endpoint uses this wrapper for ``/certs`` to
 // display certificate information. See :ref:`/certs <operations_admin_interface_certs>` for more
 // information.
 message Certificates {

envoy/admin/v3/clusters.proto

@@ -20,7 +20,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // [#protodoc-title: Clusters]
 
-// Admin endpoint uses this wrapper for `/clusters` to display cluster status information.
+// Admin endpoint uses this wrapper for ``/clusters`` to display cluster status information.
 // See :ref:`/clusters <operations_admin_interface_clusters>` for more information.
 message Clusters {
   option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v2alpha.Clusters";

envoy/admin/v3/config_dump.proto

@@ -62,7 +62,7 @@ message ConfigDump {
   // * *routes*:  :ref:`RoutesConfigDump <envoy_v3_api_msg_admin.v3.RoutesConfigDump>`
   // * *secrets*:  :ref:`SecretsConfigDump <envoy_v3_api_msg_admin.v3.SecretsConfigDump>`
   //
-  // EDS Configuration will only be dumped by using parameter `?include_eds`
+  // EDS Configuration will only be dumped by using parameter ``?include_eds``
   //
   // You can filter output with the resource and mask query parameters.
   // See :ref:`/config_dump?resource={} <operations_admin_interface_config_dump_by_resource>`,

envoy/admin/v3/listeners.proto

@@ -15,7 +15,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // [#protodoc-title: Listeners]
 
-// Admin endpoint uses this wrapper for `/listeners` to display listener status information.
+// Admin endpoint uses this wrapper for ``/listeners`` to display listener status information.
 // See :ref:`/listeners <operations_admin_interface_listeners>` for more information.
 message Listeners {
   option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v2alpha.Listeners";

envoy/admin/v3/memory.proto

@@ -21,28 +21,28 @@ message Memory {
   option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v2alpha.Memory";
 
   // The number of bytes allocated by the heap for Envoy. This is an alias for
-  // `generic.current_allocated_bytes`.
+  // ``generic.current_allocated_bytes``.
   uint64 allocated = 1;
 
   // The number of bytes reserved by the heap but not necessarily allocated. This is an alias for
-  // `generic.heap_size`.
+  // ``generic.heap_size``.
   uint64 heap_size = 2;
 
   // The number of bytes in free, unmapped pages in the page heap. These bytes always count towards
   // virtual memory usage, and depending on the OS, typically do not count towards physical memory
-  // usage. This is an alias for `tcmalloc.pageheap_unmapped_bytes`.
+  // usage. This is an alias for ``tcmalloc.pageheap_unmapped_bytes``.
   uint64 pageheap_unmapped = 3;
 
   // The number of bytes in free, mapped pages in the page heap. These bytes always count towards
   // virtual memory usage, and unless the underlying memory is swapped out by the OS, they also
-  // count towards physical memory usage. This is an alias for `tcmalloc.pageheap_free_bytes`.
+  // count towards physical memory usage. This is an alias for ``tcmalloc.pageheap_free_bytes``.
   uint64 pageheap_free = 4;
 
   // The amount of memory used by the TCMalloc thread caches (for small objects). This is an alias
-  // for `tcmalloc.current_total_thread_cache_bytes`.
+  // for ``tcmalloc.current_total_thread_cache_bytes``.
   uint64 total_thread_cache = 5;
 
   // The number of bytes of the physical memory usage by the allocator. This is an alias for
-  // `generic.total_physical_bytes`.
+  // ``generic.total_physical_bytes``.
   uint64 total_physical_bytes = 6;
 }

envoy/admin/v3/mutex_stats.proto

@@ -14,11 +14,11 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: MutexStats]
 
 // Proto representation of the statistics collected upon absl::Mutex contention, if Envoy is run
-// under :option:`--enable-mutex-tracing`. For more information, see the `absl::Mutex`
+// under :option:`--enable-mutex-tracing`. For more information, see the ``absl::Mutex``
 // [docs](https://abseil.io/about/design/mutex#extra-features).
 //
-// *NB*: The wait cycles below are measured by `absl::base_internal::CycleClock`, and may not
-// correspond to core clock frequency. For more information, see the `CycleClock`
+// *NB*: The wait cycles below are measured by ``absl::base_internal::CycleClock``, and may not
+// correspond to core clock frequency. For more information, see the ``CycleClock``
 // [docs](https://github.com/abseil/abseil-cpp/blob/master/absl/base/internal/cycleclock.h).
 message MutexStats {
   option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v2alpha.MutexStats";

envoy/config/bootstrap/v3/bootstrap.proto

@@ -169,7 +169,7 @@ message Bootstrap {
   // Optional duration between flushes to configured stats sinks. For
   // performance reasons Envoy latches counters and only flushes counters and
   // gauges at a periodic interval. If not specified the default is 5000ms (5
-  // seconds). Only one of `stats_flush_interval` or `stats_flush_on_admin`
+  // seconds). Only one of ``stats_flush_interval`` or ``stats_flush_on_admin``
   // can be set.
   // Duration must be at least 1ms and at most 5 min.
   google.protobuf.Duration stats_flush_interval = 7 [
@@ -182,8 +182,8 @@ message Bootstrap {
 
   oneof stats_flush {
     // Flush stats to sinks only when queried for on the admin interface. If set,
-    // a flush timer is not created. Only one of `stats_flush_on_admin` or
-    // `stats_flush_interval` can be set.
+    // a flush timer is not created. Only one of ``stats_flush_on_admin`` or
+    // ``stats_flush_interval`` can be set.
     bool stats_flush_on_admin = 29 [(validate.rules).bool = {const: true}];
   }
 

envoy/config/cluster/v3/cluster.proto

@@ -262,10 +262,10 @@ message Cluster {
       //
       // If a match is found to a host, that host will be used regardless of priority levels, unless the host is unhealthy.
       //
-      // Currently, this mode is only supported if `subset_selectors` has only one entry, and `keys` contains
+      // Currently, this mode is only supported if ``subset_selectors`` has only one entry, and ``keys`` contains
       // only one entry.
       //
-      // When this mode is enabled, configurations that contain more than one host with the same metadata value for the single key in `keys`
+      // When this mode is enabled, configurations that contain more than one host with the same metadata value for the single key in ``keys``
       // will use only one of the hosts with the given key; no requests will be routed to the others. The cluster gauge
       // :ref:`lb_subsets_single_host_per_subset_duplicate<config_cluster_manager_cluster_stats_subset_lb>` indicates how many duplicates are
       // present in the current configuration.
@@ -284,7 +284,7 @@ message Cluster {
       // For any other fallback policy the parameter is not used and should not be set.
       // Only values also present in
       // :ref:`keys<envoy_v3_api_field_config.cluster.v3.Cluster.LbSubsetConfig.LbSubsetSelector.keys>` are allowed, but
-      // `fallback_keys_subset` cannot be equal to `keys`.
+      // ``fallback_keys_subset`` cannot be equal to ``keys``.
       repeated string fallback_keys_subset = 3;
     }
 
@@ -365,8 +365,8 @@ message Cluster {
     // By tuning the parameter, is possible to achieve polynomial or exponential shape of ramp-up curve.
     //
     // During slow start window, effective weight of an endpoint would be scaled with time factor and aggression:
-    // `new_weight = weight * max(min_weight_percent, time_factor ^ (1 / aggression))`,
-    // where `time_factor=(time_since_start_seconds / slow_start_time_seconds)`.
+    // ``new_weight = weight * max(min_weight_percent, time_factor ^ (1 / aggression))``,
+    // where ``time_factor=(time_since_start_seconds / slow_start_time_seconds)``.
     //
     // As time progresses, more and more traffic would be sent to endpoint, which is in slow start window.
     // Once host exits slow start, time_factor and aggression no longer affect its weight.
@@ -397,18 +397,18 @@ message Cluster {
     // The following formula is used to calculate the dynamic weights when hosts have different load
     // balancing weights:
     //
-    // `weight = load_balancing_weight / (active_requests + 1)^active_request_bias`
+    // ``weight = load_balancing_weight / (active_requests + 1)^active_request_bias``
     //
     // The larger the active request bias is, the more aggressively active requests will lower the
     // effective weight when all host weights are not equal.
     //
-    // `active_request_bias` must be greater than or equal to 0.0.
+    // ``active_request_bias`` must be greater than or equal to 0.0.
     //
-    // When `active_request_bias == 0.0` the Least Request Load Balancer doesn't consider the number
+    // When ``active_request_bias == 0.0`` the Least Request Load Balancer doesn't consider the number
     // of active requests at the time it picks a host and behaves like the Round Robin Load
     // Balancer.
     //
-    // When `active_request_bias > 0.0` the Least Request Load Balancer scales the load balancing
+    // When ``active_request_bias > 0.0`` the Least Request Load Balancer scales the load balancing
     // weight by the number of active requests at the time it does a pick.
     //
     // The value is cached for performance reasons and refreshed whenever one of the Load Balancer's
@@ -539,7 +539,7 @@ message Cluster {
       option (udpa.annotations.versioning).previous_message_type =
           "envoy.api.v2.Cluster.CommonLbConfig.ConsistentHashingLbConfig";
 
-      // If set to `true`, the cluster will use hostname instead of the resolved
+      // If set to ``true``, the cluster will use hostname instead of the resolved
       // address as the key to consistently hash to an upstream host. Only valid for StrictDNS clusters with hostnames which resolve to a single IP address.
       bool use_hostname_for_hashing = 1;
 
@@ -551,7 +551,7 @@ message Cluster {
       // Applies to both Ring Hash and Maglev load balancers.
       //
       // This is implemented based on the method described in the paper https://arxiv.org/abs/1608.01350. For the specified
-      // `hash_balance_factor`, requests to any upstream host are capped at `hash_balance_factor/100` times the average number of requests
+      // ``hash_balance_factor``, requests to any upstream host are capped at ``hash_balance_factor/100`` times the average number of requests
       // across the cluster. When a request arrives for an upstream host that is currently serving at its max capacity, linear probing
       // is used to identify an eligible host. Further, the linear probe is implemented using a random jump in hosts ring/table to identify
       // the eligible host (this technique is as described in the paper https://arxiv.org/abs/1908.08762 - the random jump avoids the
@@ -559,7 +559,7 @@ message Cluster {
       //
       // If weights are specified on the hosts, they are respected.
       //
-      // This is an O(N) algorithm, unlike other load balancers. Using a lower `hash_balance_factor` results in more hosts
+      // This is an O(N) algorithm, unlike other load balancers. Using a lower ``hash_balance_factor`` results in more hosts
       // being probed, so use a higher value if you require better performance.
       google.protobuf.UInt32Value hash_balance_factor = 2 [(validate.rules).uint32 = {gte: 100}];
     }
@@ -599,7 +599,7 @@ message Cluster {
     // This will have no effect unless active health checking is also configured.
     bool ignore_new_hosts_until_first_hc = 5;
 
-    // If set to `true`, the cluster manager will drain all existing
+    // If set to ``true``, the cluster manager will drain all existing
     // connections to upstream hosts whenever hosts are added or removed from the cluster.
     bool close_connections_on_host_set_change = 6;
 
@@ -856,7 +856,7 @@ message Cluster {
   // set so that Envoy will assume that the upstream supports HTTP/2 when
   // making new HTTP connection pool connections. Currently, Envoy only
   // supports prior knowledge for upstream connections. Even if TLS is used
-  // with ALPN, `http2_protocol_options` must be specified. As an aside this allows HTTP/2
+  // with ALPN, ``http2_protocol_options`` must be specified. As an aside this allows HTTP/2
   // connections to happen over plain text.
   // This has been deprecated in favor of http2_protocol_options fields in the
   // :ref:`http_protocol_options <envoy_v3_api_msg_extensions.upstreams.http.v3.HttpProtocolOptions>`
@@ -1014,8 +1014,8 @@ message Cluster {
   CommonLbConfig common_lb_config = 27;
 
   // Optional custom transport socket implementation to use for upstream connections.
-  // To setup TLS, set a transport socket with name `envoy.transport_sockets.tls` and
-  // :ref:`UpstreamTlsContexts <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.UpstreamTlsContext>` in the `typed_config`.
+  // To setup TLS, set a transport socket with name ``envoy.transport_sockets.tls`` and
+  // :ref:`UpstreamTlsContexts <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.UpstreamTlsContext>` in the ``typed_config``.
   // If no transport socket configuration is specified, new connections
   // will be set up with plaintext.
   core.v3.TransportSocket transport_socket = 24;
@@ -1092,7 +1092,7 @@ message Cluster {
   //
   // .. attention::
   //
-  //   This field has been deprecated in favor of `timeout_budgets`, part of
+  //   This field has been deprecated in favor of ``timeout_budgets``, part of
   //   :ref:`track_cluster_stats <envoy_v3_api_field_config.cluster.v3.Cluster.track_cluster_stats>`.
   bool track_timeout_budgets = 47
       [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
@@ -1103,7 +1103,7 @@ message Cluster {
   // TCP upstreams.
   //
   // For HTTP traffic, Envoy will generally take downstream HTTP and send it upstream as upstream
-  // HTTP, using the http connection pool and the codec from `http2_protocol_options`
+  // HTTP, using the http connection pool and the codec from ``http2_protocol_options``
   //
   // For routes where CONNECT termination is configured, Envoy will take downstream CONNECT
   // requests and forward the CONNECT payload upstream over raw TCP using the tcp connection pool.
@@ -1123,7 +1123,7 @@ message Cluster {
   // Preconnect configuration for this cluster.
   PreconnectPolicy preconnect_policy = 50;
 
-  // If `connection_pool_per_downstream_connection` is true, the cluster will use a separate
+  // If ``connection_pool_per_downstream_connection`` is true, the cluster will use a separate
   // connection pool for every downstream connection
   bool connection_pool_per_downstream_connection = 51;
 }

envoy/config/core/v3/base.proto

@@ -201,7 +201,7 @@ message Node {
 
   // Client feature support list. These are well known features described
   // in the Envoy API repository for a given major version of an API. Client features
-  // use reverse DNS naming scheme, for example `com.acme.feature`.
+  // use reverse DNS naming scheme, for example ``com.acme.feature``.
   // See :ref:`the list of features <client_features>` that xDS client may
   // support.
   repeated string client_features = 10;
@@ -209,7 +209,7 @@ message Node {
   // Known listening ports on the node as a generic hint to the management server
   // for filtering :ref:`listeners <config_listeners>` to be returned. For example,
   // if there is a listener bound to port 80, the list can optionally contain the
-  // SocketAddress `(0.0.0.0,80)`. The field is optional and just a hint.
+  // SocketAddress ``(0.0.0.0,80)``. The field is optional and just a hint.
   repeated Address listening_addresses = 11
       [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
 }
@@ -323,7 +323,7 @@ message HeaderValue {
   //
   // The same :ref:`format specifier <config_access_log_format>` as used for
   // :ref:`HTTP access logging <config_access_log>` applies here, however
-  // unknown header values are replaced with the empty string instead of `-`.
+  // unknown header values are replaced with the empty string instead of ``-``.
   string value = 2 [
     (validate.rules).string = {max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}
   ];
@@ -477,7 +477,7 @@ message TransportSocket {
 //   :ref:`FractionalPercent <envoy_v3_api_msg_type.v3.FractionalPercent>` proto represented as JSON/YAML
 //   and may also be represented as an integer with the assumption that the value is an integral
 //   percentage out of 100. For instance, a runtime key lookup returning the value "42" would parse
-//   as a `FractionalPercent` whose numerator is 42 and denominator is HUNDRED.
+//   as a ``FractionalPercent`` whose numerator is 42 and denominator is HUNDRED.
 message RuntimeFractionalPercent {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.core.RuntimeFractionalPercent";

envoy/config/core/v3/config_source.proto

@@ -114,7 +114,7 @@ message ApiConfigSource {
   // A list of config validators that will be executed when a new update is
   // received from the ApiConfigSource. Note that each validator handles a
   // specific xDS service type, and only the validators corresponding to the
-  // type url (in `:ref: DiscoveryResponse` or `:ref: DeltaDiscoveryResponse`)
+  // type url (in ``:ref: DiscoveryResponse`` or ``:ref: DeltaDiscoveryResponse``)
   // will be invoked.
   // If the validator returns false or throws an exception, the config will be rejected by
   // the client, and a NACK will be sent.
@@ -168,24 +168,24 @@ message PathConfigSource {
   //
   // .. note::
   //
-  //   If `watched_directory` is *not* configured, Envoy will watch the file path for *moves.*
+  //   If ``watched_directory`` is *not* configured, Envoy will watch the file path for *moves.*
   //   This is because in general only moves are atomic. The same method of swapping files as is
   //   demonstrated in the :ref:`runtime documentation <config_runtime_symbolic_link_swap>` can be
-  //   used here also. If `watched_directory` is configured, no watch will be placed directly on
-  //   this path. Instead, the configured `watched_directory` will be used to trigger reloads of
+  //   used here also. If ``watched_directory`` is configured, no watch will be placed directly on
+  //   this path. Instead, the configured ``watched_directory`` will be used to trigger reloads of
   //   this path. This is required in certain deployment scenarios. See below for more information.
   string path = 1 [(validate.rules).string = {min_len: 1}];
 
   // If configured, this directory will be watched for *moves.* When an entry in this directory is
-  // moved to, the `path` will be reloaded. This is required in certain deployment scenarios.
+  // moved to, the ``path`` will be reloaded. This is required in certain deployment scenarios.
   //
   // Specifically, if trying to load an xDS resource using a
   // `Kubernetes ConfigMap <https://kubernetes.io/docs/concepts/configuration/configmap/>`_, the
   // following configuration might be used:
   // 1. Store xds.yaml inside a ConfigMap.
-  // 2. Mount the ConfigMap to `/config_map/xds`
-  // 3. Configure path `/config_map/xds/xds.yaml`
-  // 4. Configure watched directory `/config_map/xds`
+  // 2. Mount the ConfigMap to ``/config_map/xds``
+  // 3. Configure path ``/config_map/xds/xds.yaml``
+  // 4. Configure watched directory ``/config_map/xds``
   //
   // The above configuration will ensure that Envoy watches the owning directory for moves which is
   // required due to how Kubernetes manages ConfigMap symbolic links during atomic updates.
@@ -211,7 +211,7 @@ message ConfigSource {
   oneof config_source_specifier {
     option (validate.required) = true;
 
-    // Deprecated in favor of `path_config_source`. Use that field instead.
+    // Deprecated in favor of ``path_config_source``. Use that field instead.
     string path = 1 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
 
     // Local filesystem path configuration source.
@@ -269,7 +269,7 @@ message ExtensionConfigSource {
 
   // Optional default configuration to use as the initial configuration if
   // there is a failure to receive the initial extension configuration or if
-  // `apply_default_config_without_warming` flag is set.
+  // ``apply_default_config_without_warming`` flag is set.
   google.protobuf.Any default_config = 2;
 
   // Use the default config as the initial configuration without warming and

envoy/config/core/v3/grpc_service.proto

@@ -38,7 +38,7 @@ message GrpcService {
     // <envoy_v3_api_field_config.cluster.v3.Cluster.transport_socket>`.
     string cluster_name = 1 [(validate.rules).string = {min_len: 1}];
 
-    // The `:authority` header in the grpc request. If this field is not set, the authority header value will be `cluster_name`.
+    // The ``:authority`` header in the grpc request. If this field is not set, the authority header value will be ``cluster_name``.
     // Note that this authority does not override the SNI. The SNI is provided by the transport socket of the cluster.
     string authority = 2
         [(validate.rules).string =

envoy/config/core/v3/health_check.proto

@@ -316,7 +316,7 @@ message HealthCheck {
   // (including new hosts) when the cluster has received no traffic.
   //
   // This is useful for when we want to send frequent health checks with
-  // `no_traffic_interval` but then revert to lower frequency `no_traffic_healthy_interval` once
+  // ``no_traffic_interval`` but then revert to lower frequency ``no_traffic_healthy_interval`` once
   // a host in the cluster is marked as healthy.
   //
   // Once a cluster has been used for traffic routing, Envoy will shift back to using the

envoy/config/core/v3/http_uri.proto

@@ -30,7 +30,7 @@ message HttpUri {
   //
   string uri = 1 [(validate.rules).string = {min_len: 1}];
 
-  // Specify how `uri` is to be fetched. Today, this requires an explicit
+  // Specify how ``uri`` is to be fetched. Today, this requires an explicit
   // cluster, but in the future we may support dynamic cluster creation or
   // inline DNS resolution. See `issue
   // <https://github.com/envoyproxy/envoy/issues/1606>`_.

envoy/config/core/v3/protocol.proto

@@ -109,7 +109,7 @@ message UpstreamHttpProtocolOptions {
   // Automatic validate upstream presented certificate for new upstream connections based on the
   // downstream HTTP host/authority header or any other arbitrary header when :ref:`override_auto_sni_header <envoy_v3_api_field_config.core.v3.UpstreamHttpProtocolOptions.override_auto_sni_header>`
   // is set, as seen by the :ref:`router filter <config_http_filters_router>`.
-  // This field is intended to be set with `auto_sni` field.
+  // This field is intended to be set with ``auto_sni`` field.
   bool auto_san_validation = 2;
 
   // An optional alternative to the host/authority header to be used for setting the SNI value.
@@ -117,7 +117,7 @@ message UpstreamHttpProtocolOptions {
   // :ref:`router filter <config_http_filters_router>`.
   // If unset, host/authority header will be used for populating the SNI. If the specified header
   // is not found or the value is empty, host/authority header will be used instead.
-  // This field is intended to be set with `auto_sni` and/or `auto_san_validation` fields.
+  // This field is intended to be set with ``auto_sni`` and/or ``auto_san_validation`` fields.
   // If none of these fields are set then setting this would be a no-op.
   string override_auto_sni_header = 3
       [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
@@ -311,7 +311,7 @@ message Http1ProtocolOptions {
   //   - The content length header is not present.
   bool enable_trailers = 5;
 
-  // Allows Envoy to process requests/responses with both `Content-Length` and `Transfer-Encoding`
+  // Allows Envoy to process requests/responses with both ``Content-Length`` and ``Transfer-Encoding``
   // headers set. By default such messages are rejected, but if option is enabled - Envoy will
   // remove Content-Length header and process message.
   // See `RFC7230, sec. 3.3.3 <https://tools.ietf.org/html/rfc7230#section-3.3.3>`_ for details.
@@ -468,9 +468,9 @@ message Http2ProtocolOptions {
   //
   //   max_inbound_priority_frames_per_stream * (1 + opened_streams)
   //
-  // the connection is terminated. For downstream connections the `opened_streams` is incremented when
+  // the connection is terminated. For downstream connections the ``opened_streams`` is incremented when
   // Envoy receives complete response headers from the upstream server. For upstream connection the
-  // `opened_streams` is incremented when Envoy send the HEADERS frame for a new stream. The
+  // ``opened_streams`` is incremented when Envoy send the HEADERS frame for a new stream. The
   // ``http2.inbound_priority_frames_flood`` stat tracks
   // the number of connections terminated due to flood mitigation. The default limit is 100.
   google.protobuf.UInt32Value max_inbound_priority_frames_per_stream = 10;
@@ -482,9 +482,9 @@ message Http2ProtocolOptions {
   //   5 + 2 * (opened_streams +
   //            max_inbound_window_update_frames_per_data_frame_sent * outbound_data_frames)
   //
-  // the connection is terminated. For downstream connections the `opened_streams` is incremented when
+  // the connection is terminated. For downstream connections the ``opened_streams`` is incremented when
   // Envoy receives complete response headers from the upstream server. For upstream connections the
-  // `opened_streams` is incremented when Envoy sends the HEADERS frame for a new stream. The
+  // ``opened_streams`` is incremented when Envoy sends the HEADERS frame for a new stream. The
   // ``http2.inbound_priority_frames_flood`` stat tracks the number of connections terminated due to
   // flood mitigation. The default max_inbound_window_update_frames_per_data_frame_sent value is 10.
   // Setting this to 1 should be enough to support HTTP/2 implementations with basic flow control,

envoy/config/listener/v3/listener.proto

@@ -128,8 +128,8 @@ message Listener {
   repeated AdditionalAddress additional_addresses = 33;
 
   // Optional prefix to use on listener stats. If empty, the stats will be rooted at
-  // `listener.<address as string>.`. If non-empty, stats will be rooted at
-  // `listener.<stat_prefix>.`.
+  // ``listener.<address as string>.``. If non-empty, stats will be rooted at
+  // ``listener.<stat_prefix>.``.
   string stat_prefix = 28;
 
   // A list of filter chains to consider for this listener. The
@@ -198,7 +198,7 @@ message Listener {
 
   // The timeout to wait for all listener filters to complete operation. If the timeout is reached,
   // the accepted socket is closed without a connection being created unless
-  // `continue_on_listener_filters_timeout` is set to true. Specify 0 to disable the
+  // ``continue_on_listener_filters_timeout`` is set to true. Specify 0 to disable the
   // timeout. If not specified, a default timeout of 15s is used.
   google.protobuf.Duration listener_filters_timeout = 15;
 
@@ -295,7 +295,7 @@ message Listener {
   // enable the balance config in Y1 and Y2 to balance the connections among the workers.
   ConnectionBalanceConfig connection_balance_config = 20;
 
-  // Deprecated. Use `enable_reuse_port` instead.
+  // Deprecated. Use ``enable_reuse_port`` instead.
   bool reuse_port = 21 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
 
   // When this flag is set to true, listeners set the *SO_REUSEPORT* socket option and

envoy/config/listener/v3/listener_components.proto

@@ -246,8 +246,8 @@ message FilterChain {
   core.v3.Metadata metadata = 5;
 
   // Optional custom transport socket implementation to use for downstream connections.
-  // To setup TLS, set a transport socket with name `envoy.transport_sockets.tls` and
-  // :ref:`DownstreamTlsContext <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.DownstreamTlsContext>` in the `typed_config`.
+  // To setup TLS, set a transport socket with name ``envoy.transport_sockets.tls`` and
+  // :ref:`DownstreamTlsContext <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.DownstreamTlsContext>` in the ``typed_config``.
   // If no transport socket configuration is specified, new connections
   // will be set up with plaintext.
   // [#extension-category: envoy.transport_sockets.downstream]

envoy/config/listener/v3/quic_config.proto

@@ -54,12 +54,12 @@ message QuicProtocolOptions {
   google.protobuf.UInt32Value packets_to_read_to_connection_count_ratio = 5
       [(validate.rules).uint32 = {gte: 1}];
 
-  // Configure which implementation of `quic::QuicCryptoClientStreamBase` to be used for this listener.
+  // Configure which implementation of ``quic::QuicCryptoClientStreamBase`` to be used for this listener.
   // If not specified the :ref:`QUICHE default one configured by <envoy_v3_api_msg_extensions.quic.crypto_stream.v3.CryptoServerStreamConfig>` will be used.
   // [#extension-category: envoy.quic.server.crypto_stream]
   core.v3.TypedExtensionConfig crypto_stream_config = 6;
 
-  // Configure which implementation of `quic::ProofSource` to be used for this listener.
+  // Configure which implementation of ``quic::ProofSource`` to be used for this listener.
   // If not specified the :ref:`default one configured by <envoy_v3_api_msg_extensions.quic.proof_source.v3.ProofSourceConfig>` will be used.
   // [#extension-category: envoy.quic.proof_source]
   core.v3.TypedExtensionConfig proof_source_config = 7;

envoy/config/metrics/v2/stats.proto

@@ -88,8 +88,8 @@ message StatsMatcher {
   // limited by either an exclusion or an inclusion list of :ref:`StringMatcher
   // <envoy_api_msg_type.matcher.StringMatcher>` protos:
   //
-  // * If `reject_all` is set to `true`, no stats will be instantiated. If `reject_all` is set to
-  //   `false`, all stats will be instantiated.
+  // * If ``reject_all`` is set to ``true``, no stats will be instantiated. If ``reject_all`` is set to
+  //   ``false``, all stats will be instantiated.
   //
   // * If an exclusion list is supplied, any stat name matching *any* of the StringMatchers in the
   //   list will not instantiate.

envoy/config/metrics/v3/stats.proto

@@ -120,7 +120,7 @@ message StatsMatcher {
   // limited by either an exclusion or an inclusion list of :ref:`StringMatcher
   // <envoy_v3_api_msg_type.matcher.v3.StringMatcher>` protos:
   //
-  // * If `reject_all` is set to `true`, no stats will be instantiated. If `reject_all` is set to
+  // * If ``reject_all`` is set to `true`, no stats will be instantiated. If ``reject_all`` is set to
   //   `false`, all stats will be instantiated.
   //
   // * If an exclusion list is supplied, any stat name matching *any* of the StringMatchers in the
@@ -186,7 +186,7 @@ message StatsMatcher {
   oneof stats_matcher {
     option (validate.required) = true;
 
-    // If `reject_all` is true, then all stats are disabled. If `reject_all` is false, then all
+    // If ``reject_all`` is true, then all stats are disabled. If ``reject_all`` is false, then all
     // stats are enabled.
     bool reject_all = 1;
 
@@ -287,7 +287,7 @@ message TagSpecifier {
 // Specifies a matcher for stats and the buckets that matching stats should use.
 message HistogramBucketSettings {
   // The stats that this rule applies to. The match is applied to the original stat name
-  // before tag-extraction, for example `cluster.exampleclustername.upstream_cx_length_ms`.
+  // before tag-extraction, for example ``cluster.exampleclustername.upstream_cx_length_ms``.
   type.matcher.v3.StringMatcher match = 1 [(validate.rules).message = {required: true}];
 
   // Each value is the upper bound of a bucket. Each bucket must be greater than 0 and unique.

envoy/config/overload/v3/overload.proto

@@ -56,7 +56,7 @@ message ThresholdTrigger {
 message ScaledTrigger {
   // If the resource pressure is greater than this value, the trigger will be in the
   // :ref:`scaling <arch_overview_overload_manager-triggers-state>` state with value
-  // `(pressure - scaling_threshold) / (saturation_threshold - scaling_threshold)`.
+  // ``(pressure - scaling_threshold) / (saturation_threshold - scaling_threshold)``.
   double scaling_threshold = 1 [(validate.rules).double = {lte: 1.0 gte: 0.0}];
 
   // If the resource pressure is greater than this value, the trigger will enter saturation.

envoy/config/rbac/v3/rbac.proto

@@ -28,13 +28,13 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Role Based Access Control (RBAC)]
 
 // Role Based Access Control (RBAC) provides service-level and method-level access control for a
-// service. Requests are allowed or denied based on the `action` and whether a matching policy is
+// service. Requests are allowed or denied based on the ``action`` and whether a matching policy is
 // found. For instance, if the action is ALLOW and a matching policy is found the request should be
 // allowed.
 //
 // RBAC can also be used to make access logging decisions by communicating with access loggers
 // through dynamic metadata. When the action is LOG and at least one policy matches, the
-// `access_log_hint` value in the shared key namespace 'envoy.common' is set to `true` indicating
+// ``access_log_hint`` value in the shared key namespace 'envoy.common' is set to ``true`` indicating
 // the request should be logged.
 //
 // Here is an example of RBAC configuration. It has two policies:
@@ -89,7 +89,7 @@ message RBAC {
     // access control.
     DENY = 1;
 
-    // The policies set the `access_log_hint` dynamic metadata key based on if requests match.
+    // The policies set the ``access_log_hint`` dynamic metadata key based on if requests match.
     // All requests are allowed.
     LOG = 2;
   }
@@ -104,8 +104,8 @@ message RBAC {
   //  * DENY: Allows the request if and only if there are no policies that
   //    match the request.
   //  * LOG: Allows all requests. If at least one policy matches, the dynamic
-  //    metadata key `access_log_hint` is set to the value `true` under the shared
-  //    key namespace 'envoy.common'. If no policies match, it is set to `false`.
+  //    metadata key ``access_log_hint`` is set to the value ``true`` under the shared
+  //    key namespace 'envoy.common'. If no policies match, it is set to ``false``.
   //    Other actions do not modify this key.
   //
   Action action = 1 [(validate.rules).enum = {defined_only: true}];
@@ -124,12 +124,12 @@ message Policy {
 
   // Required. The set of permissions that define a role. Each permission is
   // matched with OR semantics. To match all actions for this policy, a single
-  // Permission with the `any` field set to true should be used.
+  // Permission with the ``any`` field set to true should be used.
   repeated Permission permissions = 1 [(validate.rules).repeated = {min_items: 1}];
 
   // Required. The set of principals that are assigned/denied the role based on
   // “action”. Each principal is matched with OR semantics. To match all
-  // downstreams for this policy, a single Principal with the `any` field set to
+  // downstreams for this policy, a single Principal with the ``any`` field set to
   // true should be used.
   repeated Principal principals = 2 [(validate.rules).repeated = {min_items: 1}];
 
@@ -152,7 +152,7 @@ message Policy {
 message Permission {
   option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v2.Permission";
 
-  // Used in the `and_rules` and `or_rules` fields in the `rule` oneof. Depending on the context,
+  // Used in the ``and_rules`` and ``or_rules`` fields in the ``rule`` oneof. Depending on the context,
   // each are applied with the associated behavior.
   message Set {
     option (udpa.annotations.versioning).previous_message_type =
@@ -175,7 +175,7 @@ message Permission {
 
     // A header (or pseudo-header such as :path or :method) on the incoming HTTP request. Only
     // available for HTTP request.
-    // Note: the pseudo-header :path includes the query and fragment string. Use the `url_path`
+    // Note: the pseudo-header :path includes the query and fragment string. Use the ``url_path``
     // field if you want to match the URL path without the query and fragment string.
     route.v3.HeaderMatcher header = 4;
 
@@ -195,8 +195,8 @@ message Permission {
     type.matcher.v3.MetadataMatcher metadata = 7;
 
     // Negates matching the provided permission. For instance, if the value of
-    // `not_rule` would match, this permission would not match. Conversely, if
-    // the value of `not_rule` would not match, this permission would match.
+    // ``not_rule`` would match, this permission would not match. Conversely, if
+    // the value of ``not_rule`` would not match, this permission would match.
     Permission not_rule = 8;
 
     // The request server from the client's connection request. This is
@@ -208,7 +208,7 @@ message Permission {
     //   as explained below.
     //
     //   * If the :ref:`TLS Inspector <config_listener_filters_tls_inspector>`
-    //     filter is not added, and if a `FilterChainMatch` is not defined for
+    //     filter is not added, and if a ``FilterChainMatch`` is not defined for
     //     the :ref:`server name
     //     <envoy_v3_api_field_config.listener.v3.FilterChainMatch.server_names>`,
     //     a TLS connection's requested SNI server name will be treated as if it
@@ -233,7 +233,7 @@ message Permission {
 message Principal {
   option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v2.Principal";
 
-  // Used in the `and_ids` and `or_ids` fields in the `identifier` oneof.
+  // Used in the ``and_ids`` and ``or_ids`` fields in the ``identifier`` oneof.
   // Depending on the context, each are applied with the associated behavior.
   message Set {
     option (udpa.annotations.versioning).previous_message_type =
@@ -294,7 +294,7 @@ message Principal {
 
     // A header (or pseudo-header such as :path or :method) on the incoming HTTP
     // request. Only available for HTTP request. Note: the pseudo-header :path
-    // includes the query and fragment string. Use the `url_path` field if you
+    // includes the query and fragment string. Use the ``url_path`` field if you
     // want to match the URL path without the query and fragment string.
     route.v3.HeaderMatcher header = 6;
 
@@ -305,8 +305,8 @@ message Principal {
     type.matcher.v3.MetadataMatcher metadata = 7;
 
     // Negates matching the provided principal. For instance, if the value of
-    // `not_id` would match, this principal would not match. Conversely, if the
-    // value of `not_id` would not match, this principal would match.
+    // ``not_id`` would match, this principal would not match. Conversely, if the
+    // value of ``not_id`` would not match, this principal would match.
     Principal not_id = 8;
   }
 }
@@ -324,14 +324,14 @@ message Action {
   //  * ALLOW: If the request gets matched on ALLOW, it is permitted.
   //  * DENY: If the request gets matched on DENY, it is not permitted.
   //  * LOG: If the request gets matched on LOG, it is permitted. Besides, the
-  //    dynamic metadata key `access_log_hint` under the shared key namespace
-  //    'envoy.common' will be set to the value `true`.
+  //    dynamic metadata key ``access_log_hint`` under the shared key namespace
+  //    'envoy.common' will be set to the value ``true``.
   //  * If the request cannot get matched, it will fallback to DENY.
   //
   // Log behavior:
   //
   //  If the RBAC matcher contains at least one LOG action, the dynamic
-  //  metadata key `access_log_hint` will be set based on if the request
+  //  metadata key ``access_log_hint`` will be set based on if the request
   //  get matched on the LOG action.
   //
   RBAC.Action action = 2;

envoy/config/route/v3/route_components.proto

@@ -91,11 +91,11 @@ message VirtualHost {
 
   // The list of routes that will be matched, in order, for incoming requests.
   // The first route that matches will be used.
-  // Only one of this and `matcher` can be specified.
+  // Only one of this and ``matcher`` can be specified.
   repeated Route routes = 3;
 
   // [#next-major-version: This should be included in a oneof with routes wrapped in a message.]
-  // The match tree to use when resolving route actions for incoming requests. Only one of this and `routes`
+  // The match tree to use when resolving route actions for incoming requests. Only one of this and ``routes``
   // can be specified.
   xds.type.matcher.v3.Matcher matcher = 21
       [(xds.annotations.v3.field_status).work_in_progress = true];
@@ -769,7 +769,7 @@ message RouteAction {
 
     // If not specified, all requests to the target cluster will be mirrored.
     //
-    // If specified, this field takes precedence over the `runtime_key` field and requests must also
+    // If specified, this field takes precedence over the ``runtime_key`` field and requests must also
     // fall under the percentage of matches indicated by this field.
     //
     // For some fraction N/D, a random number in the range [0,D) is selected. If the
@@ -954,10 +954,10 @@ message RouteAction {
     // If present, and the request contains a `grpc-timeout header
     // <https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-HTTP2.md>`_, use that value as the
     // *max_stream_duration*, but limit the applied timeout to the maximum value specified here.
-    // If set to 0, the `grpc-timeout` header is used without modification.
+    // If set to 0, the ``grpc-timeout`` header is used without modification.
     google.protobuf.Duration grpc_timeout_header_max = 2;
 
-    // If present, Envoy will adjust the timeout provided by the `grpc-timeout` header by
+    // If present, Envoy will adjust the timeout provided by the ``grpc-timeout`` header by
     // subtracting the provided duration from the header. This is useful for allowing Envoy to set
     // its global timeout to be less than that of the deadline imposed by the calling client, which
     // makes it more likely that Envoy will handle the timeout instead of having the call canceled
@@ -1186,7 +1186,7 @@ message RouteAction {
     //         regex: "^/(.+)/.+$"
     //       substitution: \1
     //
-    // Would rewrite the host header to `envoyproxy.io` given the path `/envoyproxy.io/some/path`.
+    // Would rewrite the host header to ``envoyproxy.io`` given the path ``/envoyproxy.io/some/path``.
     type.matcher.v3.RegexMatchAndSubstitute host_rewrite_path_regex = 35;
   }
 
@@ -1297,7 +1297,7 @@ message RouteAction {
   // or its default value (infinity) instead of
   // :ref:`timeout <envoy_v3_api_field_config.route.v3.RouteAction.timeout>`, but limit the applied timeout
   // to the maximum value specified here. If configured as 0, the maximum allowed timeout for
-  // gRPC requests is infinity. If not configured at all, the `grpc-timeout` header is not used
+  // gRPC requests is infinity. If not configured at all, the ``grpc-timeout`` header is not used
   // and gRPC requests time out like any other requests using
   // :ref:`timeout <envoy_v3_api_field_config.route.v3.RouteAction.timeout>` or its default.
   // This can be used to prevent unexpected upstream request timeouts due to potentially long
@@ -1315,7 +1315,7 @@ message RouteAction {
       [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
 
   // Deprecated by :ref:`grpc_timeout_header_offset <envoy_v3_api_field_config.route.v3.RouteAction.MaxStreamDuration.grpc_timeout_header_offset>`.
-  // If present, Envoy will adjust the timeout provided by the `grpc-timeout` header by subtracting
+  // If present, Envoy will adjust the timeout provided by the ``grpc-timeout`` header by subtracting
   // the provided duration from the header. This is useful in allowing Envoy to set its global
   // timeout to be less than that of the deadline imposed by the calling client, which makes it more
   // likely that Envoy will handle the timeout instead of having the call canceled by the client.
@@ -1418,8 +1418,8 @@ message RetryPolicy {
     }];
 
     // Specifies the maximum interval between retries. This parameter is optional, but must be
-    // greater than or equal to the `base_interval` if set. The default is 10 times the
-    // `base_interval`. See :ref:`config_http_filters_router_x-envoy-max-retries` for a discussion
+    // greater than or equal to the ``base_interval`` if set. The default is 10 times the
+    // ``base_interval``. See :ref:`config_http_filters_router_x-envoy-max-retries` for a discussion
     // of Envoy's back-off algorithm.
     google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {}}];
   }
@@ -1564,7 +1564,7 @@ message RetryPolicy {
 
   // Specifies parameters that control exponential retry back off. This parameter is optional, in which case the
   // default base interval is 25 milliseconds or, if set, the current value of the
-  // `upstream.base_retry_backoff_ms` runtime parameter. The default maximum interval is 10 times
+  // ``upstream.base_retry_backoff_ms`` runtime parameter. The default maximum interval is 10 times
   // the base interval. The documentation for :ref:`config_http_filters_router_x-envoy-max-retries`
   // describes Envoy's back-off algorithm.
   RetryBackOff retry_back_off = 8;
@@ -1574,7 +1574,7 @@ message RetryPolicy {
   // return a response header like ``Retry-After`` or ``X-RateLimit-Reset`` to
   // provide feedback to the client on how long to wait before retrying. If
   // configured, this back-off strategy will be used instead of the
-  // default exponential back off strategy (configured using `retry_back_off`)
+  // default exponential back off strategy (configured using ``retry_back_off``)
   // whenever a response includes the matching headers.
   RateLimitedRetryBackOff rate_limited_retry_back_off = 11;
 
@@ -1641,10 +1641,10 @@ message RedirectAction {
   }
 
   // When the scheme redirection take place, the following rules apply:
-  //  1. If the source URI scheme is `http` and the port is explicitly
-  //     set to `:80`, the port will be removed after the redirection
-  //  2. If the source URI scheme is `https` and the port is explicitly
-  //     set to `:443`, the port will be removed after the redirection
+  //  1. If the source URI scheme is ``http`` and the port is explicitly
+  //     set to ``:80``, the port will be removed after the redirection
+  //  2. If the source URI scheme is ``https`` and the port is explicitly
+  //     set to ``:443``, the port will be removed after the redirection
   oneof scheme_rewrite_specifier {
     // The scheme portion of the URL will be swapped with "https".
     bool https_redirect = 4;
@@ -1827,7 +1827,7 @@ message VirtualCluster {
   reserved "pattern", "method";
 
   // Specifies a list of header matchers to use for matching requests. Each specified header must
-  // match. The pseudo-headers `:path` and `:method` can be used to match the request path and
+  // match. The pseudo-headers ``:path`` and ``:method`` can be used to match the request path and
   // method, respectively.
   repeated HeaderMatcher headers = 4;
 
@@ -1925,14 +1925,14 @@ message RateLimit {
     message MaskedRemoteAddress {
       // Length of prefix mask len for IPv4 (e.g. 0, 32).
       // Defaults to 32 when unset.
-      // For example, trusted address from x-forwarded-for is `192.168.1.1`,
+      // For example, trusted address from x-forwarded-for is ``192.168.1.1``,
       // the descriptor entry is ("masked_remote_address", "192.168.1.1/32");
       // if mask len is 24, the descriptor entry is ("masked_remote_address", "192.168.1.0/24").
       google.protobuf.UInt32Value v4_prefix_mask_len = 1 [(validate.rules).uint32 = {lte: 32}];
 
       // Length of prefix mask len for IPv6 (e.g. 0, 128).
       // Defaults to 128 when unset.
-      // For example, trusted address from x-forwarded-for is `2001:abcd:ef01:2345:6789:abcd:ef01:234`,
+      // For example, trusted address from x-forwarded-for is ``2001:abcd:ef01:2345:6789:abcd:ef01:234``,
       // the descriptor entry is ("masked_remote_address", "2001:abcd:ef01:2345:6789:abcd:ef01:234/128");
       // if mask len is 64, the descriptor entry is ("masked_remote_address", "2001:abcd:ef01:2345::/64").
       google.protobuf.UInt32Value v6_prefix_mask_len = 2 [(validate.rules).uint32 = {lte: 128}];
@@ -1964,7 +1964,7 @@ message RateLimit {
       option (udpa.annotations.versioning).previous_message_type =
           "envoy.api.v2.route.RateLimit.Action.HeaderValueMatch";
 
-      // The key to use in the descriptor entry. Defaults to `header_match`.
+      // The key to use in the descriptor entry. Defaults to ``header_match``.
       string descriptor_key = 4;
 
       // The value to use in the descriptor entry.

envoy/config/route/v3/scoped_route.proto

@@ -77,7 +77,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 //     Host: foo.com
 //     X-Route-Selector: vip=172.10.10.20
 //
-// would result in the routing table defined by the `route-config1`
+// would result in the routing table defined by the ``route-config1``
 // RouteConfiguration being assigned to the HTTP request/stream.
 //
 // [#next-free-field: 6]

envoy/config/tap/v3/common.proto

@@ -271,7 +271,7 @@ message StreamingAdminSink {
 // BufferedAdminSink configures a tap output to collect traces without returning them until
 // one of multiple criteria are satisfied.
 // Similar to StreamingAdminSink, it is only allowed to specify the buffered admin output
-// sink if the tap is being configured from the `/tap` admin endpoint.
+// sink if the tap is being configured from the ``/tap`` admin endpoint.
 message BufferedAdminSink {
   // Stop collecting traces when the specified number are collected.
   // If other criteria for ending collection are reached first, this value will not be used.

envoy/data/accesslog/v3/accesslog.proto

@@ -181,8 +181,8 @@ message AccessLogCommon {
   config.core.v3.Address downstream_direct_remote_address = 20;
 
   // Map of filter state in stream info that have been configured to be logged. If the filter
-  // state serialized to any message other than `google.protobuf.Any` it will be packed into
-  // `google.protobuf.Any`.
+  // state serialized to any message other than ``google.protobuf.Any`` it will be packed into
+  // ``google.protobuf.Any``.
   map<string, google.protobuf.Any> filter_state_objects = 21;
 
   // A list of custom tags, which annotate logs with additional information.

envoy/data/tap/v3/common.proto

@@ -20,7 +20,7 @@ message Body {
 
   oneof body_type {
     // Body data as bytes. By default, tap body data will be present in this field, as the proto
-    // `bytes` type can contain any valid byte.
+    // ``bytes`` type can contain any valid byte.
     bytes as_bytes = 1;
 
     // Body data as string. This field is only used when the :ref:`JSON_BODY_AS_STRING

envoy/extensions/access_loggers/filters/cel/v3/cel.proto

@@ -21,7 +21,7 @@ message ExpressionFilter {
   // Expressions are based on the set of Envoy :ref:`attributes <arch_overview_attributes>`.
   // The provided expression must evaluate to true for logging (expression errors are considered false).
   // Examples:
-  // - `response.code >= 400`
-  // - `(connection.mtls && request.headers['x-log-mtls'] == 'true') || request.url_path.contains('v1beta3')`
+  // - ``response.code >= 400``
+  // - ``(connection.mtls && request.headers['x-log-mtls'] == 'true') || request.url_path.contains('v1beta3')``
   string expression = 1;
 }

envoy/extensions/access_loggers/grpc/v3/als.proto

@@ -87,7 +87,7 @@ message CommonGrpcAccessLogConfig {
 
   // Additional filter state objects to log in :ref:`filter_state_objects
   // <envoy_v3_api_field_data.accesslog.v3.AccessLogCommon.filter_state_objects>`.
-  // Logger will call `FilterState::Object::serializeAsProto` to serialize the filter state object.
+  // Logger will call ``FilterState::Object::serializeAsProto`` to serialize the filter state object.
   repeated string filter_state_objects_to_log = 5;
 
   // Sets the retry policy when the establishment of a gRPC stream fails.

envoy/extensions/common/async_files/v3/async_file_manager.proto

@@ -16,7 +16,7 @@ option (xds.annotations.v3.file_status).work_in_progress = true;
 
 // [#protodoc-title: AsyncFileManager configuration]
 
-// Configuration to instantiate or select a singleton `AsyncFileManager`.
+// Configuration to instantiate or select a singleton ``AsyncFileManager``.
 message AsyncFileManagerConfig {
   message ThreadPool {
     // The number of threads to use. If unset or zero, will default to the number
@@ -26,7 +26,7 @@ message AsyncFileManagerConfig {
   }
 
   // An optional identifier for the manager. An empty string is a valid identifier
-  // for a common, default `AsyncFileManager`.
+  // for a common, default ``AsyncFileManager``.
   //
   // Reusing the same id with different configurations in the same envoy instance
   // is an error.

envoy/extensions/common/dynamic_forward_proxy/v3/dns_cache.proto

@@ -61,13 +61,13 @@ message DnsCacheConfig {
   // The refresh rate is rounded to the closest millisecond, and must be at least 1ms.
   //
   // Once a host has been resolved, the refresh rate will be the DNS TTL, capped
-  // at a minimum of `dns_min_refresh_rate`.
+  // at a minimum of ``dns_min_refresh_rate``.
   google.protobuf.Duration dns_refresh_rate = 3
       [(validate.rules).duration = {gte {nanos: 1000000}}];
 
-  // The minimum rate that DNS resolution will occur. Per `dns_refresh_rate`, once a host is
-  // resolved, the DNS TTL will be used, with a minimum set by `dns_min_refresh_rate`.
-  // `dns_min_refresh_rate` defaults to 5s and must also be >= 5s.
+  // The minimum rate that DNS resolution will occur. Per ``dns_refresh_rate``, once a host is
+  // resolved, the DNS TTL will be used, with a minimum set by ``dns_min_refresh_rate``.
+  // ``dns_min_refresh_rate`` defaults to 5s and must also be >= 5s.
   google.protobuf.Duration dns_min_refresh_rate = 14
       [(validate.rules).duration = {gte {seconds: 5}}];
 

envoy/extensions/filters/common/matcher/action/v3/skip_action.proto

@@ -13,7 +13,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Common Match Actions]
 
 // Configuration for the SkipFilter match action. When matching results in this action, the
-// associated filter will be ignored for all filter callbacks (e.g. `encodeHeaders`, `encodeData`,
+// associated filter will be ignored for all filter callbacks (e.g. ``encodeHeaders``, ``encodeData``,
 // etc. for HTTP filters) after the matcher arrives at the match, including the callback that
 // caused the match result. For example, when used with a HTTP filter and the match result was
 // resolved after receiving the HTTP response headers, the HTTP filter will *not* receive the

envoy/extensions/filters/http/compressor/v3/compressor.proto

@@ -114,13 +114,13 @@ message Compressor {
   //
   // .. attention::
   //
-  //    If the field is not empty then the duplicate deprecated fields of the `Compressor` message,
-  //    such as `content_length`, `content_type`, `disable_on_etag_header`,
-  //    `remove_accept_encoding_header` and `runtime_enabled`, are ignored.
+  //    If the field is not empty then the duplicate deprecated fields of the ``Compressor`` message,
+  //    such as ``content_length``, ``content_type``, ``disable_on_etag_header``,
+  //    ``remove_accept_encoding_header`` and ``runtime_enabled``, are ignored.
   //
   //    Also all the statistics related to response compression will be rooted in
-  //    `<stat_prefix>.compressor.<compressor_library.name>.<compressor_library_stat_prefix>.response.*`
+  //    ``<stat_prefix>.compressor.<compressor_library.name>.<compressor_library_stat_prefix>.response.*``
   //    instead of
-  //    `<stat_prefix>.compressor.<compressor_library.name>.<compressor_library_stat_prefix>.*`.
+  //    ``<stat_prefix>.compressor.<compressor_library.name>.<compressor_library_stat_prefix>.*``.
   ResponseDirectionConfig response_direction_config = 8;
 }

envoy/extensions/filters/http/dynamic_forward_proxy/v3/dynamic_forward_proxy.proto

@@ -31,7 +31,7 @@ message FilterConfig {
 
   // When this flag is set, the filter will add the resolved upstream address in the filter
   // state. The state should be saved with key
-  // `envoy.stream.upstream_address` (See
+  // ``envoy.stream.upstream_address`` (See
   // :repo:`upstream_address.h<source/common/stream_info/upstream_address.h>`).
   bool save_upstream_address = 2;
 }

envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto

@@ -100,7 +100,7 @@ message ExtAuthz {
   // Specifies a list of metadata namespaces whose values, if present, will be passed to the
   // ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as an *protobuf::Any*.
   //
-  // It works in a way similar to `metadata_context_namespaces` but allows envoy and external authz server to share the protobuf message definition
+  // It works in a way similar to ``metadata_context_namespaces`` but allows envoy and external authz server to share the protobuf message definition
   // in order to do a safe parsing.
   //
   repeated string typed_metadata_context_namespaces = 16;

envoy/extensions/filters/http/fault/v3/fault.proto

@@ -96,9 +96,9 @@ message HTTPFault {
   // filter. Note that because this setting can be overridden at the route level, it's possible
   // for the number of active faults to be greater than this value (if injected via a different
   // route). If not specified, defaults to unlimited. This setting can be overridden via
-  // `runtime <config_http_filters_fault_injection_runtime>` and any faults that are not injected
-  // due to overflow will be indicated via the `faults_overflow
-  // <config_http_filters_fault_injection_stats>` stat.
+  // ``runtime <config_http_filters_fault_injection_runtime>`` and any faults that are not injected
+  // due to overflow will be indicated via the ``faults_overflow
+  // <config_http_filters_fault_injection_stats>`` stat.
   //
   // .. attention::
   //   Like other :ref:`circuit breakers <arch_overview_circuit_break>` in Envoy, this is a fuzzy

envoy/extensions/filters/http/grpc_http1_bridge/v3/config.proto

@@ -20,7 +20,7 @@ message Config {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.grpc_http1_bridge.v2.Config";
 
-  // If true then requests with content type set to `application/x-protobuf` will be automatically converted to gRPC.
+  // If true then requests with content type set to ``application/x-protobuf`` will be automatically converted to gRPC.
   // This works by prepending the payload data with the gRPC header frame, as defined by the wiring format, and
   // Content-Type will be updated accordingly before sending the request.
   // For the requests that went through this upgrade the filter will also strip the frame before forwarding the

envoy/extensions/filters/http/grpc_http1_reverse_bridge/v3/config.proto

@@ -29,7 +29,7 @@ message FilterConfig {
   // If true, Envoy will assume that the upstream doesn't understand gRPC frames and
   // strip the gRPC frame from the request, and add it back in to the response. This will
   // hide the gRPC semantics from the upstream, allowing it to receive and respond with a
-  // simple binary encoded protobuf. In order to calculate the `Content-Length` header value, Envoy
+  // simple binary encoded protobuf. In order to calculate the ``Content-Length`` header value, Envoy
   // will buffer the upstream response unless :ref:`response_size_header
   // <envoy_v3_api_field_extensions.filters.http.grpc_http1_reverse_bridge.v3.FilterConfig.response_size_header>`
   // is set, in which case Envoy will use the value of an upstream header to calculate the content
@@ -38,11 +38,11 @@ message FilterConfig {
 
   // When :ref:`withhold_grpc_frames
   // <envoy_v3_api_field_extensions.filters.http.grpc_http1_reverse_bridge.v3.FilterConfig.withhold_grpc_frames>`
-  // is true, this option controls how Envoy calculates the `Content-Length`. When
+  // is true, this option controls how Envoy calculates the ``Content-Length``. When
   // *response_size_header* is empty, Envoy will buffer the upstream response to calculate its
   // size. When *response_size_header* is set to a non-empty string, Envoy will stream the response
   // to the downstream and it will use the value of the response header with this name to set the
-  // `Content-Length` header and gRPC frame size. If the header with this name is repeated, only
+  // ``Content-Length`` header and gRPC frame size. If the header with this name is repeated, only
   // the first value will be used.
   //
   // Envoy will treat the upstream response as an error if this option is specified and the header

envoy/extensions/filters/http/grpc_json_transcoder/v3/transcoder.proto

@@ -31,17 +31,17 @@ message GrpcJsonTranscoder {
 
   enum UrlUnescapeSpec {
     // URL path parameters will not decode RFC 6570 reserved characters.
-    // For example, segment `%2f%23/%20%2523` is unescaped to `%2f%23/ %23`.
+    // For example, segment ``%2f%23/%20%2523`` is unescaped to ``%2f%23/ %23``.
     ALL_CHARACTERS_EXCEPT_RESERVED = 0;
 
     // URL path parameters will be fully URI-decoded except in
-    // cases of single segment matches in reserved expansion, where "%2F" will be
+    // cases of single segment matches in reserved expansion, where ``%2F`` will be
     // left encoded.
-    // For example, segment `%2f%23/%20%2523` is unescaped to `%2f#/ %23`.
+    // For example, segment ``%2f%23/%20%2523`` is unescaped to ``%2f#/ %23``.
     ALL_CHARACTERS_EXCEPT_SLASH = 1;
 
     // URL path parameters will be fully URI-decoded.
-    // For example, segment `%2f%23/%20%2523` is unescaped to `/#/ %23`.
+    // For example, segment ``%2f%23/%20%2523`` is unescaped to ``/#/ %23``.
     ALL_CHARACTERS = 2;
   }
 
@@ -227,8 +227,8 @@ message GrpcJsonTranscoder {
 
   // URL unescaping policy.
   // This spec is only applied when extracting variable with multiple segments in the URL path.
-  // For example, in case of `/foo/{x=*}/bar/{y=prefix/*}/{z=**}` `x` variable is single segment and `y` and `z` are multiple segments.
-  // For a path with `/foo/first/bar/prefix/second/third/fourth`, `x=first`, `y=prefix/second`, `z=third/fourth`.
+  // For example, in case of ``/foo/{x=*}/bar/{y=prefix/*}/{z=**}`` ``x`` variable is single segment and ``y`` and ``z`` are multiple segments.
+  // For a path with ``/foo/first/bar/prefix/second/third/fourth``, ``x=first``, ``y=prefix/second``, ``z=third/fourth``.
   // If this setting is not specified, the value defaults to :ref:`ALL_CHARACTERS_EXCEPT_RESERVED<envoy_v3_api_enum_value_extensions.filters.http.grpc_json_transcoder.v3.GrpcJsonTranscoder.UrlUnescapeSpec.ALL_CHARACTERS_EXCEPT_RESERVED>`.
   UrlUnescapeSpec url_unescape_spec = 10 [(validate.rules).enum = {defined_only: true}];
 
@@ -242,9 +242,9 @@ message GrpcJsonTranscoder {
   // According to the http template `syntax <https://github.com/googleapis/googleapis/blob/master/google/api/http.proto#L226-L231>`_,
   // the custom verb is **":" LITERAL** at the end of http template.
   //
-  // For a request with */foo/bar:baz* and *:baz* is not registered in any url_template, here is the behavior change
-  // - if the field is not set, *:baz* will not be treated as custom verb, so it will match **/foo/{x=*}**.
-  // - if the field is set, *:baz* is treated as custom verb,  so it will NOT match **/foo/{x=*}** since the template doesn't use any custom verb.
+  // For a request with ``/foo/bar:baz`` and ``:baz`` is not registered in any url_template, here is the behavior change
+  // - if the field is not set, ``:baz`` will not be treated as custom verb, so it will match ``/foo/{x=*}``.
+  // - if the field is set, ``:baz`` is treated as custom verb,  so it will NOT match ``/foo/{x=*}`` since the template doesn't use any custom verb.
   bool match_unregistered_custom_verb = 13;
 
   // Configure the behavior when handling requests that cannot be transcoded.

envoy/extensions/filters/http/grpc_stats/v3/config.proto

@@ -31,13 +31,13 @@ message FilterConfig {
   oneof per_method_stat_specifier {
     // If set, specifies an allowlist of service/methods that will have individual stats
     // emitted for them. Any call that does not match the allowlist will be counted
-    // in a stat with no method specifier: `cluster.<name>.grpc.*`.
+    // in a stat with no method specifier: ``cluster.<name>.grpc.*``.
     config.core.v3.GrpcMethodList individual_method_stats_allowlist = 2;
 
     // If set to true, emit stats for all service/method names.
     //
     // If set to false, emit stats for all service/message types to the same stats without including
-    // the service/method in the name, with prefix `cluster.<name>.grpc`. This can be useful if
+    // the service/method in the name, with prefix ``cluster.<name>.grpc``. This can be useful if
     // service/method granularity is not needed, or if each cluster only receives a single method.
     //
     // .. attention::
@@ -46,10 +46,10 @@ message FilterConfig {
     //   Envoy, using unbounded memory and potentially slowing down stats pipelines.
     //
     // .. attention::
-    //   If neither `individual_method_stats_allowlist` nor `stats_for_all_methods` is set, the
-    //   behavior will default to `stats_for_all_methods=false`. This default value is changed due
+    //   If neither ``individual_method_stats_allowlist`` nor ``stats_for_all_methods`` is set, the
+    //   behavior will default to ``stats_for_all_methods=false``. This default value is changed due
     //   to the previous value being deprecated. This behavior can be changed with runtime override
-    //   `envoy.deprecated_features.grpc_stats_filter_enable_stats_for_all_methods_by_default`.
+    //   ``envoy.deprecated_features.grpc_stats_filter_enable_stats_for_all_methods_by_default``.
     google.protobuf.BoolValue stats_for_all_methods = 3;
   }
 

envoy/extensions/filters/http/gzip/v3/gzip.proto

@@ -72,7 +72,7 @@ message Gzip {
   google.protobuf.UInt32Value window_bits = 9 [(validate.rules).uint32 = {lte: 15 gte: 9}];
 
   // Set of configuration parameters common for all compression filters. You can define
-  // `content_length`, `content_type` and other parameters in this field.
+  // ``content_length``, ``content_type`` and other parameters in this field.
   compressor.v3.Compressor compressor = 10;
 
   // Value for Zlib's next output buffer. If not set, defaults to 4096.

envoy/extensions/filters/http/header_to_metadata/v3/header_to_metadata.proto

@@ -74,7 +74,7 @@ message Config {
     //
     // This is only used for :ref:`on_header_present <envoy_v3_api_field_extensions.filters.http.header_to_metadata.v3.Config.Rule.on_header_present>`.
     //
-    // Note: if the `value` field is non-empty this field should be empty.
+    // Note: if the ``value`` field is non-empty this field should be empty.
     type.matcher.v3.RegexMatchAndSubstitute regex_value_rewrite = 6
         [(udpa.annotations.field_migrate).oneof_promotion = "value_type"];
 

envoy/extensions/filters/http/jwt_authn/v3/config.proto

@@ -166,7 +166,7 @@ message JwtProvider {
   //
   repeated JwtHeader from_headers = 6;
 
-  // JWT is sent in a query parameter. `jwt_params` represents the query parameter names.
+  // JWT is sent in a query parameter. ``jwt_params`` represents the query parameter names.
   //
   // For example, if config is:
   //
@@ -181,7 +181,7 @@ message JwtProvider {
   //
   repeated string from_params = 7;
 
-  // JWT is sent in a cookie. `from_cookies` represents the cookie names to extract from.
+  // JWT is sent in a cookie. ``from_cookies`` represents the cookie names to extract from.
   //
   // For example, if config is:
   //
@@ -190,7 +190,7 @@ message JwtProvider {
   //   from_cookies:
   //   - auth-token
   //
-  // Then JWT will be extracted from `auth-token` cookie in the request.
+  // Then JWT will be extracted from ``auth-token`` cookie in the request.
   //
   repeated string from_cookies = 13;
 
@@ -271,7 +271,7 @@ message JwtProvider {
   string header_in_metadata = 14;
 
   // Specify the clock skew in seconds when verifying JWT time constraint,
-  // such as `exp`, and `nbf`. If not specified, default is 60 seconds.
+  // such as ``exp``, and ``nbf``. If not specified, default is 60 seconds.
   uint32 clock_skew_seconds = 10;
 
   // Enables JWT cache, its size is specified by *jwt_cache_size*.
@@ -550,13 +550,13 @@ message RequirementRule {
     // Use requirement_name to specify a Jwt requirement.
     // This requirement_name MUST be specified at the
     // :ref:`requirement_map <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtAuthentication.requirement_map>`
-    // in `JwtAuthentication`.
+    // in ``JwtAuthentication``.
     string requirement_name = 3 [(validate.rules).string = {min_len: 1}];
   }
 }
 
 // This message specifies Jwt requirements based on stream_info.filterState.
-// This FilterState should use `Router::StringAccessor` object to set a string value.
+// This FilterState should use ``Router::StringAccessor`` object to set a string value.
 // Other HTTP filters can use it to specify Jwt requirements dynamically.
 //
 // Example:
@@ -576,7 +576,7 @@ message FilterStateRule {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.jwt_authn.v2alpha.FilterStateRule";
 
-  // The filter state name to retrieve the `Router::StringAccessor` object.
+  // The filter state name to retrieve the ``Router::StringAccessor`` object.
   string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // A map of string keys to requirements. The string key is the string value
@@ -698,7 +698,7 @@ message JwtAuthentication {
 
   // A map of unique requirement_names to JwtRequirements.
   // :ref:`requirement_name <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.PerRouteConfig.requirement_name>`
-  // in `PerRouteConfig` uses this map to specify a JwtRequirement.
+  // in ``PerRouteConfig`` uses this map to specify a JwtRequirement.
   map<string, JwtRequirement> requirement_map = 5;
 }
 
@@ -713,7 +713,7 @@ message PerRouteConfig {
     // Use requirement_name to specify a JwtRequirement.
     // This requirement_name MUST be specified at the
     // :ref:`requirement_map <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtAuthentication.requirement_map>`
-    // in `JwtAuthentication`. If no, the requests using this route will be rejected with 403.
+    // in ``JwtAuthentication``. If no, the requests using this route will be rejected with 403.
     string requirement_name = 2 [(validate.rules).string = {min_len: 1}];
   }
 }

envoy/extensions/filters/http/kill_request/v3/kill_request.proto

@@ -19,8 +19,8 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // Configuration for KillRequest filter.
 message KillRequest {
-  // On which direction should the filter check for the `kill_request_header`.
-  // Default to `REQUEST` if unspecified.
+  // On which direction should the filter check for the ``kill_request_header``.
+  // Default to ``REQUEST`` if unspecified.
   enum Direction {
     REQUEST = 0;
     RESPONSE = 1;

envoy/extensions/filters/http/ratelimit/v3/rate_limit.proto

@@ -69,8 +69,8 @@ message RateLimit {
   // communication failure between rate limiting service and the proxy.
   bool failure_mode_deny = 5;
 
-  // Specifies whether a `RESOURCE_EXHAUSTED` gRPC code must be returned instead
-  // of the default `UNAVAILABLE` gRPC code for a rate limited gRPC call. The
+  // Specifies whether a ``RESOURCE_EXHAUSTED`` gRPC code must be returned instead
+  // of the default ``UNAVAILABLE`` gRPC code for a rate limited gRPC call. The
   // HTTP code will be 200 for a gRPC response.
   bool rate_limited_as_resource_exhausted = 6;
 
@@ -86,7 +86,7 @@ message RateLimit {
   //   client in the current time-window followed by the description of the
   //   quota policy. The values are returned by the rate limiting service in
   //   :ref:`current_limit<envoy_v3_api_field_service.ratelimit.v3.RateLimitResponse.DescriptorStatus.current_limit>`
-  //   field. Example: `10, 10;w=1;name="per-ip", 1000;w=3600`.
+  //   field. Example: ``10, 10;w=1;name="per-ip", 1000;w=3600``.
   // * ``X-RateLimit-Remaining`` - indicates the remaining requests in the
   //   current time-window. The values are returned by the rate limiting service
   //   in :ref:`limit_remaining<envoy_v3_api_field_service.ratelimit.v3.RateLimitResponse.DescriptorStatus.limit_remaining>`

envoy/extensions/filters/listener/tls_inspector/v3/tls_inspector.proto

@@ -21,6 +21,6 @@ message TlsInspector {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.listener.tls_inspector.v2.TlsInspector";
 
-  // Populate `JA3` fingerprint hash using data from the TLS Client Hello packet. Default is false.
+  // Populate ``JA3`` fingerprint hash using data from the TLS Client Hello packet. Default is false.
   google.protobuf.BoolValue enable_ja3_fingerprinting = 1;
 }

envoy/extensions/filters/network/dubbo_proxy/v3/dubbo_proxy.proto

@@ -78,7 +78,7 @@ message DubboProxy {
   // A list of individual Dubbo filters that make up the filter chain for requests made to the
   // Dubbo proxy. Order matters as the filters are processed sequentially. For backwards
   // compatibility, if no dubbo_filters are specified, a default Dubbo router filter
-  // (`envoy.filters.dubbo.router`) is used.
+  // (``envoy.filters.dubbo.router``) is used.
   repeated DubboFilter dubbo_filters = 5;
 }
 

envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto

@@ -320,36 +320,36 @@ message HttpConnectionManager {
   // [#next-free-field: 7]
   message ProxyStatusConfig {
     // If true, the details field of the Proxy-Status header is not populated with stream_info.response_code_details.
-    // This value defaults to `false`, i.e. the `details` field is populated by default.
+    // This value defaults to ``false``, i.e. the ``details`` field is populated by default.
     bool remove_details = 1;
 
     // If true, the details field of the Proxy-Status header will not contain
-    // connection termination details. This value defaults to `false`, i.e. the
-    // `details` field will contain connection termination details by default.
+    // connection termination details. This value defaults to ``false``, i.e. the
+    // ``details`` field will contain connection termination details by default.
     bool remove_connection_termination_details = 2;
 
     // If true, the details field of the Proxy-Status header will not contain an
-    // enumeration of the Envoy ResponseFlags. This value defaults to `false`,
-    // i.e. the `details` field will contain a list of ResponseFlags by default.
+    // enumeration of the Envoy ResponseFlags. This value defaults to ``false``,
+    // i.e. the ``details`` field will contain a list of ResponseFlags by default.
     bool remove_response_flags = 3;
 
     // If true, overwrites the existing Status header with the response code
     // recommended by the Proxy-Status spec.
-    // This value defaults to `false`, i.e. the HTTP response code is not
+    // This value defaults to ``false``, i.e. the HTTP response code is not
     // overwritten.
     bool set_recommended_response_code = 4;
 
     // The name of the proxy as it appears at the start of the Proxy-Status
     // header.
     //
-    // If neither of these values are set, this value defaults to `server_name`,
+    // If neither of these values are set, this value defaults to ``server_name``,
     // which itself defaults to "envoy".
     oneof proxy_name {
-      // If `use_node_id` is set, Proxy-Status headers will use the Envoy's node
+      // If ``use_node_id`` is set, Proxy-Status headers will use the Envoy's node
       // ID as the name of the proxy.
       bool use_node_id = 5;
 
-      // If `literal_proxy_name` is set, Proxy-Status headers will use this
+      // If ``literal_proxy_name`` is set, Proxy-Status headers will use this
       // value as the name of the proxy.
       string literal_proxy_name = 6;
     }
@@ -671,8 +671,8 @@ message HttpConnectionManager {
 
   // Determines if adjacent slashes in the path are merged into one before any processing of
   // requests by HTTP filters or routing. This affects the upstream *:path* header as well. Without
-  // setting this option, incoming requests with path `//dir///file` will not match against route
-  // with `prefix` match set to `/dir`. Defaults to `false`. Note that slash merging is not part of
+  // setting this option, incoming requests with path ``//dir///file`` will not match against route
+  // with ``prefix`` match set to ``/dir``. Defaults to ``false``. Note that slash merging is not part of
   // `HTTP spec <https://tools.ietf.org/html/rfc3986>`_ and is provided for convenience.
   // [#comment:TODO: This field is ignored when the
   // :ref:`header validation configuration <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.typed_header_validation_config>`
@@ -717,10 +717,10 @@ message HttpConnectionManager {
   // local port. This affects the upstream host header unless the method is
   // CONNECT in which case if no filter adds a port the original port will be restored before headers are
   // sent upstream.
-  // Without setting this option, incoming requests with host `example:443` will not match against
-  // route with :ref:`domains<envoy_v3_api_field_config.route.v3.VirtualHost.domains>` match set to `example`. Defaults to `false`. Note that port removal is not part
+  // Without setting this option, incoming requests with host ``example:443`` will not match against
+  // route with :ref:`domains<envoy_v3_api_field_config.route.v3.VirtualHost.domains>` match set to ``example``. Defaults to ``false``. Note that port removal is not part
   // of `HTTP spec <https://tools.ietf.org/html/rfc3986>`_ and is provided for convenience.
-  // Only one of `strip_matching_host_port` or `strip_any_host_port` can be set.
+  // Only one of ``strip_matching_host_port`` or ``strip_any_host_port`` can be set.
   bool strip_matching_host_port = 39
       [(udpa.annotations.field_migrate).oneof_promotion = "strip_port_mode"];
 
@@ -729,10 +729,10 @@ message HttpConnectionManager {
     // of request by HTTP filters or routing.
     // This affects the upstream host header unless the method is CONNECT in
     // which case if no filter adds a port the original port will be restored before headers are sent upstream.
-    // Without setting this option, incoming requests with host `example:443` will not match against
-    // route with :ref:`domains<envoy_v3_api_field_config.route.v3.VirtualHost.domains>` match set to `example`. Defaults to `false`. Note that port removal is not part
+    // Without setting this option, incoming requests with host ``example:443`` will not match against
+    // route with :ref:`domains<envoy_v3_api_field_config.route.v3.VirtualHost.domains>` match set to ``example``. Defaults to ``false``. Note that port removal is not part
     // of `HTTP spec <https://tools.ietf.org/html/rfc3986>`_ and is provided for convenience.
-    // Only one of `strip_matching_host_port` or `strip_any_host_port` can be set.
+    // Only one of ``strip_matching_host_port`` or ``strip_any_host_port`` can be set.
     bool strip_any_host_port = 42;
   }
 
@@ -767,11 +767,11 @@ message HttpConnectionManager {
   // Determines if trailing dot of the host should be removed from host/authority header before any
   // processing of request by HTTP filters or routing.
   // This affects the upstream host header.
-  // Without setting this option, incoming requests with host `example.com.` will not match against
-  // route with :ref:`domains<envoy_v3_api_field_config.route.v3.VirtualHost.domains>` match set to `example.com`. Defaults to `false`.
+  // Without setting this option, incoming requests with host ``example.com.`` will not match against
+  // route with :ref:`domains<envoy_v3_api_field_config.route.v3.VirtualHost.domains>` match set to ``example.com``. Defaults to ``false``.
   // When the incoming request contains a host/authority header that includes a port number,
   // setting this option will strip a trailing dot, if present, from the host section,
-  // leaving the port as is (e.g. host value `example.com.:443` will be updated to `example.com:443`).
+  // leaving the port as is (e.g. host value ``example.com.:443`` will be updated to ``example.com:443``).
   bool strip_trailing_host_dot = 47;
 
   // Proxy-Status HTTP response header configuration.
@@ -860,11 +860,11 @@ message ResponseMapper {
   // The new response status code if specified.
   google.protobuf.UInt32Value status_code = 2 [(validate.rules).uint32 = {lt: 600 gte: 200}];
 
-  // The new local reply body text if specified. It will be used in the `%LOCAL_REPLY_BODY%`
-  // command operator in the `body_format`.
+  // The new local reply body text if specified. It will be used in the ``%LOCAL_REPLY_BODY%``
+  // command operator in the ``body_format``.
   config.core.v3.DataSource body = 3;
 
-  // A per mapper `body_format` to override the :ref:`body_format <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.LocalReplyConfig.body_format>`.
+  // A per mapper ``body_format`` to override the :ref:`body_format <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.LocalReplyConfig.body_format>`.
   // It will be used when this mapper is matched.
   config.core.v3.SubstitutionFormatString body_format_override = 4;
 

envoy/extensions/filters/network/local_ratelimit/v3/local_rate_limit.proto

@@ -48,7 +48,7 @@ message LocalRateLimit {
 
   // Specifies that the token bucket used for rate limiting should be shared with other local_rate_limit filters
   // with a matching :ref:`token_bucket <envoy_v3_api_field_extensions.filters.network.local_ratelimit.v3.LocalRateLimit.token_bucket>`
-  // and `share_key` configuration. All fields of `token_bucket` must match exactly for the token bucket to be shared. If this
+  // and ``share_key`` configuration. All fields of ``token_bucket`` must match exactly for the token bucket to be shared. If this
   // field is empty, this filter will not share a token bucket with any other filter.
   string share_key = 4;
 }

envoy/extensions/filters/network/redis_proxy/v3/redis_proxy.proto

@@ -95,19 +95,19 @@ message RedisProxy {
     uint32 max_buffer_size_before_flush = 4;
 
     // The encoded request buffer is flushed N milliseconds after the first request has been
-    // encoded, unless the buffer size has already exceeded `max_buffer_size_before_flush`.
-    // If `max_buffer_size_before_flush` is not set, this flush timer is not used. Otherwise,
+    // encoded, unless the buffer size has already exceeded ``max_buffer_size_before_flush``.
+    // If ``max_buffer_size_before_flush`` is not set, this flush timer is not used. Otherwise,
     // the timer should be set according to the number of clients, overall request rate and
     // desired maximum latency for a single command. For example, if there are many requests
     // being batched together at a high rate, the buffer will likely be filled before the timer
     // fires. Alternatively, if the request rate is lower the buffer will not be filled as often
     // before the timer fires.
-    // If `max_buffer_size_before_flush` is set, but `buffer_flush_timeout` is not, the latter
+    // If ``max_buffer_size_before_flush`` is set, but ``buffer_flush_timeout`` is not, the latter
     // defaults to 3ms.
     google.protobuf.Duration buffer_flush_timeout = 5;
 
-    // `max_upstream_unknown_connections` controls how many upstream connections to unknown hosts
-    // can be created at any given time by any given worker thread (see `enable_redirection` for
+    // ``max_upstream_unknown_connections`` controls how many upstream connections to unknown hosts
+    // can be created at any given time by any given worker thread (see ``enable_redirection`` for
     // more details). If the host is unknown and a connection cannot be created due to enforcing
     // this limit, then redirection will fail and the original redirection error will be passed
     // downstream unchanged. This limit defaults to 100.
@@ -305,16 +305,16 @@ message RedisProxy {
 
 // RedisProtocolOptions specifies Redis upstream protocol options. This object is used in
 // :ref:`typed_extension_protocol_options<envoy_v3_api_field_config.cluster.v3.Cluster.typed_extension_protocol_options>`,
-// keyed by the name `envoy.filters.network.redis_proxy`.
+// keyed by the name ``envoy.filters.network.redis_proxy``.
 message RedisProtocolOptions {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.network.redis_proxy.v2.RedisProtocolOptions";
 
-  // Upstream server password as defined by the `requirepass` directive
-  // <https://redis.io/topics/config>`_ in the server's configuration file.
+  // Upstream server password as defined by the ``requirepass`` directive
+  // `<https://redis.io/topics/config>`_ in the server's configuration file.
   config.core.v3.DataSource auth_password = 1 [(udpa.annotations.sensitive) = true];
 
-  // Upstream server username as defined by the `user` directive
-  // <https://redis.io/topics/acl>`_ in the server's configuration file.
+  // Upstream server username as defined by the ``user`` directive
+  // `<https://redis.io/topics/acl>`_ in the server's configuration file.
   config.core.v3.DataSource auth_username = 2 [(udpa.annotations.sensitive) = true];
 }

envoy/extensions/filters/network/thrift_proxy/filters/header_to_metadata/v3/header_to_metadata.proto

@@ -67,7 +67,7 @@ message HeaderToMetadata {
       //
       // This is only used for on_present.
       //
-      // Note: if the `value` field is non-empty this field should be empty.
+      // Note: if the ``value`` field is non-empty this field should be empty.
       type.matcher.v3.RegexMatchAndSubstitute regex_value_rewrite = 4;
     }
 

envoy/extensions/filters/network/thrift_proxy/v3/thrift_proxy.proto

@@ -101,7 +101,7 @@ message ThriftProxy {
   // A list of individual Thrift filters that make up the filter chain for requests made to the
   // Thrift proxy. Order matters as the filters are processed sequentially. For backwards
   // compatibility, if no thrift_filters are specified, a default Thrift router filter
-  // (`envoy.filters.thrift.router`) is used.
+  // (``envoy.filters.thrift.router``) is used.
   // [#extension-category: envoy.thrift_proxy.filters]
   repeated ThriftFilter thrift_filters = 5;
 
@@ -153,7 +153,7 @@ message ThriftFilter {
 // ThriftProtocolOptions specifies Thrift upstream protocol options. This object is used in
 // in
 // :ref:`typed_extension_protocol_options<envoy_v3_api_field_config.cluster.v3.Cluster.typed_extension_protocol_options>`,
-// keyed by the name `envoy.filters.network.thrift_proxy`.
+// keyed by the name ``envoy.filters.network.thrift_proxy``.
 message ThriftProtocolOptions {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.network.thrift_proxy.v2alpha1.ThriftProtocolOptions";

envoy/extensions/http/stateful_session/cookie/v3/cookie.proto

@@ -18,23 +18,23 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // This extension allows the session state to be tracked via cookies.
 //
 // This extension first encodes the address of the upstream host selected by the load balancer
-// into a `set-cookie` response header with the :ref:`cookie configuration
+// into a ``set-cookie`` response header with the :ref:`cookie configuration
 // <envoy_v3_api_field_extensions.http.stateful_session.cookie.v3.CookieBasedSessionState.cookie>`.
 // when new requests are incoming, this extension will try to parse the specific upstream host
 // address by the cookie name. If the address parsed from the cookie corresponds to a valid
 // upstream host, this upstream host will be selected first. See :ref:`stateful session filter
 // <envoy_v3_api_msg_extensions.filters.http.stateful_session.v3.StatefulSession>`.
 //
-// For example, if the cookie name is set to `sticky-host`, envoy will prefer `1.2.3.4:80`
+// For example, if the cookie name is set to ``sticky-host``, envoy will prefer ``1.2.3.4:80``
 // as the upstream host when the request contains the following header:
 //
 // .. code-block:: none
 //
 //     cookie: sticky-host="MS4yLjMuNDo4MA=="
 //
-// When processing the upstream response, if `1.2.3.4:80` is indeed the final choice the extension
-// does nothing. If `1.2.3.4:80` is not the final choice, the new selected host will be used to
-// update the cookie (via the `set-cookie` response header).
+// When processing the upstream response, if ``1.2.3.4:80`` is indeed the final choice the extension
+// does nothing. If ``1.2.3.4:80`` is not the final choice, the new selected host will be used to
+// update the cookie (via the ``set-cookie`` response header).
 //
 // [#extension: envoy.http.stateful_session.cookie]
 message CookieBasedSessionState {

envoy/extensions/rbac/matchers/upstream_ip_port/v3/upstream_ip_port_matcher.proto

@@ -21,7 +21,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // one is supplied the other is a wildcard match.
 // This matcher requires a filter in the chain to have saved the upstream address in the
 // filter state before the matcher is executed by RBAC filter. The state should be saved with key
-// `envoy.stream.upstream_address` (See
+// ``envoy.stream.upstream_address`` (See
 // :repo:`upstream_address.h<source/common/stream_info/upstream_address.h>`).
 // Also, See :repo:`proxy_filter.cc<source/extensions/filters/http/dynamic_forward_proxy/proxy_filter.cc>`
 // for an example of a filter which populates the FilterState.

envoy/extensions/regex_engines/v3/google_re2.proto

@@ -17,8 +17,8 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // the documented `syntax <https://github.com/google/re2/wiki/Syntax>`_. The engine is designed
 // to complete execution in linear time as well as limit the amount of memory used.
 //
-// Envoy emits two stats for tracking the program size of regexes: the histogram `re2.program_size`,
-// which records the program size, and the counter `re2.exceeded_warn_level`, which is incremented
+// Envoy emits two stats for tracking the program size of regexes: the histogram ``re2.program_size``,
+// which records the program size, and the counter ``re2.exceeded_warn_level``, which is incremented
 // each time the program size exceeds the warn level threshold.
 message GoogleRE2 {
 }

envoy/extensions/request_id/uuid/v3/uuid.proto

@@ -36,7 +36,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 //    more information.
 message UuidRequestIdConfig {
   // Whether the implementation alters the UUID to contain the trace sampling decision as per the
-  // `UuidRequestIdConfig` message documentation. This defaults to true. If disabled no
+  // ``UuidRequestIdConfig`` message documentation. This defaults to true. If disabled no
   // modification to the UUID will be performed. It is important to note that if disabled,
   // stable sampling of traces, access logs, etc. will no longer work and only random sampling will
   // be possible.

envoy/extensions/transport_sockets/tls/v3/common.proto

@@ -155,7 +155,7 @@ message TlsCertificate {
   // applies to dynamic secrets, when the *TlsCertificate* is delivered via SDS.
   config.core.v3.DataSource private_key = 2 [(udpa.annotations.sensitive) = true];
 
-  // `Pkcs12` data containing TLS certificate, chain, and private key.
+  // ``Pkcs12`` data containing TLS certificate, chain, and private key.
   //
   // If *pkcs12* is a filesystem path, the file will be read, but no watch will
   // be added to the parent directory, since *pkcs12* isn't used by SDS.
@@ -167,7 +167,7 @@ message TlsCertificate {
   // and :ref:`pkcs12 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.pkcs12>`
   // fields will result in an error. Use :ref:`password
   // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.password>`
-  // to specify the password to unprotect the `PKCS12` data, if necessary.
+  // to specify the password to unprotect the ``PKCS12`` data, if necessary.
   config.core.v3.DataSource pkcs12 = 8 [(udpa.annotations.sensitive) = true];
 
   // If specified, updates of file-based *certificate_chain* and *private_key*

envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto

@@ -35,9 +35,9 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 //         trust_bundle:
 //           filename: "envoy.pem"
 //
-// In this example, a presented peer certificate whose SAN matches `spiffe//foo.com/**` is validated against
+// In this example, a presented peer certificate whose SAN matches ``spiffe//foo.com/**`` is validated against
 // the "foo.pem" x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint
-// a SVID belonging to another trust domain. That means, in this example, a SVID signed by `envoy.com`'s CA with `spiffe//foo.com/**`
+// a SVID belonging to another trust domain. That means, in this example, a SVID signed by ``envoy.com``'s CA with ``spiffe//foo.com/**``
 // SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate.
 //
 // Note that SPIFFE validator inherits and uses the following options from :ref:`CertificateValidationContext <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.CertificateValidationContext>`.
@@ -47,7 +47,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 //
 message SPIFFECertValidatorConfig {
   message TrustDomain {
-    // Name of the trust domain, `example.com`, `foo.bar.gov` for example.
+    // Name of the trust domain, ``example.com``, ``foo.bar.gov`` for example.
     // Note that this must *not* have "spiffe://" prefix.
     string name = 1 [(validate.rules).string = {min_len: 1}];
 

envoy/extensions/upstreams/http/v3/http_protocol_options.proto

@@ -19,7 +19,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // HttpProtocolOptions specifies Http upstream protocol options. This object
 // is used in
 // :ref:`typed_extension_protocol_options<envoy_v3_api_field_config.cluster.v3.Cluster.typed_extension_protocol_options>`,
-// keyed by the name `envoy.extensions.upstreams.http.v3.HttpProtocolOptions`.
+// keyed by the name ``envoy.extensions.upstreams.http.v3.HttpProtocolOptions``.
 //
 // This controls what protocol(s) should be used for upstream and how said protocol(s) are configured.
 //

envoy/extensions/wasm/v3/wasm.proto

@@ -85,9 +85,9 @@ message VmConfig {
   config.core.v3.AsyncDataSource code = 3;
 
   // The Wasm configuration used in initialization of a new VM
-  // (proxy_on_start). `google.protobuf.Struct` is serialized as JSON before
-  // passing it to the plugin. `google.protobuf.BytesValue` and
-  // `google.protobuf.StringValue` are passed directly without the wrapper.
+  // (proxy_on_start). ``google.protobuf.Struct`` is serialized as JSON before
+  // passing it to the plugin. ``google.protobuf.BytesValue`` and
+  // ``google.protobuf.StringValue`` are passed directly without the wrapper.
   google.protobuf.Any configuration = 4;
 
   // Allow the wasm file to include pre-compiled code on VMs which support it.
@@ -138,9 +138,9 @@ message PluginConfig {
 
   // Filter/service configuration used to configure or reconfigure a plugin
   // (proxy_on_configuration).
-  // `google.protobuf.Struct` is serialized as JSON before
-  // passing it to the plugin. `google.protobuf.BytesValue` and
-  // `google.protobuf.StringValue` are passed directly without the wrapper.
+  // ``google.protobuf.Struct`` is serialized as JSON before
+  // passing it to the plugin. ``google.protobuf.BytesValue`` and
+  // ``google.protobuf.StringValue`` are passed directly without the wrapper.
   google.protobuf.Any configuration = 4;
 
   // If there is a fatal error on the VM (e.g. exception, abort(), on_start or on_configure return false),

envoy/service/auth/v3/attribute_context.proto

@@ -25,7 +25,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // For example, the size of an HTTP request, or the status code of an HTTP response.
 //
 // Each attribute has a type and a name, which is logically defined as a proto message field
-// of the `AttributeContext`. The `AttributeContext` is a collection of individual attributes
+// of the ``AttributeContext``. The ``AttributeContext`` is a collection of individual attributes
 // supported by Envoy authorization system.
 // [#comment: The following items are left out of this proto
 // Request.Auth field for jwt tokens
@@ -45,8 +45,8 @@ message AttributeContext {
 
   // This message defines attributes for a node that handles a network request.
   // The node can be either a service or an application that sends, forwards,
-  // or receives the request. Service peers should fill in the `service`,
-  // `principal`, and `labels` as appropriate.
+  // or receives the request. Service peers should fill in the ``service``,
+  // ``principal``, and ``labels`` as appropriate.
   // [#next-free-field: 6]
   message Peer {
     option (udpa.annotations.versioning).previous_message_type =
@@ -71,12 +71,12 @@ message AttributeContext {
     // The authenticated identity of this peer.
     // For example, the identity associated with the workload such as a service account.
     // If an X.509 certificate is used to assert the identity this field should be sourced from
-    // `URI Subject Alternative Names`, `DNS Subject Alternate Names` or `Subject` in that order.
+    // ``URI Subject Alternative Names``, ``DNS Subject Alternate Names`` or ``Subject`` in that order.
     // The primary identity should be the principal. The principal format is issuer specific.
     //
     // Example:
-    // *    SPIFFE format is `spiffe://trust-domain/path`
-    // *    Google account format is `https://accounts.google.com/{userid}`
+    // *    SPIFFE format is ``spiffe://trust-domain/path``
+    // *    Google account format is ``https://accounts.google.com/{userid}``
     string principal = 4;
 
     // The X.509 certificate used to authenticate the identify of this peer.
@@ -109,7 +109,7 @@ message AttributeContext {
     // For HTTP requests, it should be X-Request-ID or equivalent.
     string id = 1;
 
-    // The HTTP request method, such as `GET`, `POST`.
+    // The HTTP request method, such as ``GET``, ``POST``.
     string method = 2;
 
     // The HTTP request headers. If multiple headers share the same key, they
@@ -121,14 +121,14 @@ message AttributeContext {
     // the URL path and query-string. No decoding is performed.
     string path = 4;
 
-    // The HTTP request `Host` or 'Authority` header value.
+    // The HTTP request ``Host`` or '`Authority`` header value.
     string host = 5;
 
-    // The HTTP URL scheme, such as `http` and `https`.
+    // The HTTP URL scheme, such as ``http`` and ``https``.
     string scheme = 6;
 
     // This field is always empty, and exists for compatibility reasons. The HTTP URL query is
-    // included in `path` field.
+    // included in ``path`` field.
     string query = 7;
 
     // This field is always empty, and exists for compatibility reasons. The URL fragment is

envoy/service/auth/v3/external_auth.proto

@@ -69,22 +69,22 @@ message OkHttpResponse {
   // HTTP entity headers in addition to the original request headers. This allows the authorization
   // service to append, to add or to override headers from the original request before
   // dispatching it to the upstream. Note that the :ref:`append field in HeaderValueOption <envoy_v3_api_field_config.core.v3.HeaderValueOption.append>` defaults to
-  // false when used in this message. By setting the `append` field to `true`,
+  // false when used in this message. By setting the ``append`` field to ``true``,
   // the filter will append the correspondent header value to the matched request header.
-  // By leaving `append` as false, the filter will either add a new header, or override an existing
+  // By leaving ``append`` as false, the filter will either add a new header, or override an existing
   // one if there is a match.
   repeated config.core.v3.HeaderValueOption headers = 2;
 
   // HTTP entity headers to remove from the original request before dispatching
   // it to the upstream. This allows the authorization service to act on auth
-  // related headers (like `Authorization`), process them, and consume them.
+  // related headers (like ``Authorization``), process them, and consume them.
   // Under this model, the upstream will either receive the request (if it's
   // authorized) or not receive it (if it's not), but will not see headers
   // containing authorization credentials.
   //
-  // Pseudo headers (such as `:authority`, `:method`, `:path` etc), as well as
-  // the header `Host`, may not be removed as that would make the request
-  // malformed. If mentioned in `headers_to_remove` these special headers will
+  // Pseudo headers (such as ``:authority``, ``:method``, ``:path`` etc), as well as
+  // the header ``Host``, may not be removed as that would make the request
+  // malformed. If mentioned in ``headers_to_remove`` these special headers will
   // be ignored.
   //
   // When using the HTTP service this must instead be set by the HTTP
@@ -114,12 +114,12 @@ message OkHttpResponse {
   repeated string query_parameters_to_remove = 8;
 }
 
-// Intended for gRPC and Network Authorization servers `only`.
+// Intended for gRPC and Network Authorization servers ``only``.
 message CheckResponse {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.service.auth.v2.CheckResponse";
 
-  // Status `OK` allows the request. Any other status indicates the request should be denied, and
+  // Status ``OK`` allows the request. Any other status indicates the request should be denied, and
   // for HTTP filter, if not overridden by :ref:`denied HTTP response status <envoy_v3_api_field_service.auth.v3.DeniedHttpResponse.status>`
   // Envoy sends ``403 Forbidden`` HTTP status code by default.
   google.rpc.Status status = 1;

envoy/type/http/v3/path_transformation.proto

@@ -34,10 +34,10 @@ message PathTransformation {
     }
 
     // Determines if adjacent slashes are merged into one. A common use case is for a request path
-    // header. Using this option in `:ref: PathNormalizationOptions
-    // <envoy_v3_api_msg_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.PathNormalizationOptions>`
-    // will allow incoming requests with path `//dir///file` to match against route with `prefix`
-    // match set to `/dir`. When using for header transformations, note that slash merging is not
+    // header. Using this option in ``:ref: PathNormalizationOptions
+    // <envoy_v3_api_msg_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.PathNormalizationOptions>``
+    // will allow incoming requests with path ``//dir///file`` to match against route with ``prefix``
+    // match set to ``/dir``. When using for header transformations, note that slash merging is not
     // part of `HTTP spec <https://tools.ietf.org/html/rfc3986>`_ and is provided for convenience.
     message MergeSlashes {
     }

envoy/type/matcher/regex.proto

@@ -21,11 +21,11 @@ message RegexMatcher {
   // the documented `syntax <https://github.com/google/re2/wiki/Syntax>`_. The engine is designed
   // to complete execution in linear time as well as limit the amount of memory used.
   //
-  // Envoy supports program size checking via runtime. The runtime keys `re2.max_program_size.error_level`
-  // and `re2.max_program_size.warn_level` can be set to integers as the maximum program size or
+  // Envoy supports program size checking via runtime. The runtime keys ``re2.max_program_size.error_level``
+  // and ``re2.max_program_size.warn_level`` can be set to integers as the maximum program size or
   // complexity that a compiled regex can have before an exception is thrown or a warning is
-  // logged, respectively. `re2.max_program_size.error_level` defaults to 100, and
-  // `re2.max_program_size.warn_level` has no default if unset (will not check/log a warning).
+  // logged, respectively. ``re2.max_program_size.error_level`` defaults to 100, and
+  // ``re2.max_program_size.warn_level`` has no default if unset (will not check/log a warning).
   //
   // Envoy emits two stats for tracking the program size of regexes: the histogram `re2.program_size`,
   // which records the program size, and the counter `re2.exceeded_warn_level`, which is incremented

envoy/type/matcher/v3/path.proto

@@ -23,7 +23,7 @@ message PathMatcher {
   oneof rule {
     option (validate.required) = true;
 
-    // The `path` must match the URL path portion of the :path header. The query and fragment
+    // The ``path`` must match the URL path portion of the :path header. The query and fragment
     // string (if present) are removed in the URL path portion.
     // For example, the path */data* will match the *:path* header */data#fragment?param=value*.
     StringMatcher path = 1 [(validate.rules).message = {required: true}];

envoy/type/matcher/v3/regex.proto

@@ -25,14 +25,14 @@ message RegexMatcher {
   // the documented `syntax <https://github.com/google/re2/wiki/Syntax>`_. The engine is designed
   // to complete execution in linear time as well as limit the amount of memory used.
   //
-  // Envoy supports program size checking via runtime. The runtime keys `re2.max_program_size.error_level`
-  // and `re2.max_program_size.warn_level` can be set to integers as the maximum program size or
+  // Envoy supports program size checking via runtime. The runtime keys ``re2.max_program_size.error_level``
+  // and ``re2.max_program_size.warn_level`` can be set to integers as the maximum program size or
   // complexity that a compiled regex can have before an exception is thrown or a warning is
-  // logged, respectively. `re2.max_program_size.error_level` defaults to 100, and
-  // `re2.max_program_size.warn_level` has no default if unset (will not check/log a warning).
+  // logged, respectively. ``re2.max_program_size.error_level`` defaults to 100, and
+  // ``re2.max_program_size.warn_level`` has no default if unset (will not check/log a warning).
   //
-  // Envoy emits two stats for tracking the program size of regexes: the histogram `re2.program_size`,
-  // which records the program size, and the counter `re2.exceeded_warn_level`, which is incremented
+  // Envoy emits two stats for tracking the program size of regexes: the histogram ``re2.program_size``,
+  // which records the program size, and the counter ``re2.exceeded_warn_level``, which is incremented
   // each time the program size exceeds the warn level threshold.
   message GoogleRE2 {
     option (udpa.annotations.versioning).previous_message_type =

envoy/type/matcher/v3/struct.proto

@@ -17,7 +17,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Struct matcher]
 
 // StructMatcher provides a general interface to check if a given value is matched in
-// google.protobuf.Struct. It uses `path` to retrieve the value
+// google.protobuf.Struct. It uses ``path`` to retrieve the value
 // from the struct and then check if it's matched to the specified value.
 //
 // For example, for the following Struct:

envoy/type/metadata/v3/metadata.proto

@@ -14,7 +14,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // [#protodoc-title: Metadata]
 
-// MetadataKey provides a general interface using `key` and `path` to retrieve value from
+// MetadataKey provides a general interface using ``key`` and ``path`` to retrieve value from
 // :ref:`Metadata <envoy_v3_api_msg_config.core.v3.Metadata>`.
 //
 // For example, for the following Metadata:

envoy/type/v3/token_bucket.proto

@@ -30,8 +30,8 @@ message TokenBucket {
   google.protobuf.UInt32Value tokens_per_fill = 2 [(validate.rules).uint32 = {gt: 0}];
 
   // The fill interval that tokens are added to the bucket. During each fill interval
-  // `tokens_per_fill` are added to the bucket. The bucket will never contain more than
-  // `max_tokens` tokens.
+  // ``tokens_per_fill`` are added to the bucket. The bucket will never contain more than
+  // ``max_tokens`` tokens.
   google.protobuf.Duration fill_interval = 3 [(validate.rules).duration = {
     required: true
     gt {}