Add notes within the documentation about the generate_key flag (#28898)

Steven Clark
2024-11-13 11:35:29 -05:00
committed by GitHub
parent bf132719cf
commit 1196b8eda8
2 changed files with 7 additions and 0 deletions

@@ -85,6 +85,9 @@ $ curl \
- `allow_generate_key` `(string: "false")` - If no existing key can be found in the referenced backend, instructs
Vault to generate a key within the backend.
~> **NOTE**: Once the initial key creation has occurred, it is advisable to disable this flag to prevent any
unintended key creation in the future.
- `allow_replace_key` `(string: "false")` - Controls the ability for Vault to replace through generation or importing
a key into the configured backend even if a key is present, if set to false those operations are forbidden
if a key exists.
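
Review bot: The NOTE added under `allow_generate_key` says to "disable this flag" without naming the parameter or the value that disables it; suggest wording such as "set `allow_generate_key` back to `"false"`". The neighbouring `allow_replace_key` entry also permits generation when a key is already present, so the note could add that it should stay `"false"` as well, otherwise a reader may assume that turning off `allow_generate_key` alone rules out all unintended key creation.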

@@ -156,6 +156,10 @@ These parameters apply to the `seal` stanza in the Vault configuration file:
circumstances, such as if proprietary vendor extensions are required to
create keys of a suitable type.
~> **NOTE**: Once the initial key creation has occurred post cluster
initialization, it is advisable to disable this flag to prevent any
unintended key creation in the future.
- `force_rw_session` `(string: "false")`: Force all operations to open up
a read-write session to the HSM. This is a boolean expressed as a string (e.g.
`"true"`). May also be specified by the `VAULT_HSM_FORCE_RW_SESSION` environment
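
Review bot: The NOTE added ahead of `force_rw_session` qualifies the timing as "post cluster initialization", while the otherwise identical note in the other file does not; use one wording in both places or say why the `seal` stanza case differs. It also refers to "this flag" without stating the value that disables it, whereas the adjacent `force_rw_session` entry spells out that the setting is a boolean expressed as a string (e.g. `"true"`); the same explicitness would help here.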