From f48b075f826ef17d02548fbcce4bcbd3f4d46f15 Mon Sep 17 00:00:00 2001 From: Quintessence Date: Fri, 1 Mar 2024 16:50:11 -0800 Subject: [PATCH] Adding note about Key Manager from PR 285 --- content/docs/latest/deploying/registering.md | 2 +- content/docs/latest/planning/extending.md | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/content/docs/latest/deploying/registering.md b/content/docs/latest/deploying/registering.md index 14b0a281..9d34f8d9 100644 --- a/content/docs/latest/deploying/registering.md +++ b/content/docs/latest/deploying/registering.md @@ -64,7 +64,7 @@ Different selectors are available depending on the platform or architecture on w |-----------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | **Kubernetes** | The [configuration reference page for the Kubernetes Node Attestor](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_nodeattestor_k8s_sat.md) | | **AWS** | The [configuration reference page for the AWS Node Attestor](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_nodeattestor_aws_iid.md) | -| **Azure** | The [configuration reference page for the Azure Managed Service Identity Node Resolver](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_noderesolver_azure_msi.md) | +| **Azure** | The [configuration reference page for the Azure Managed Service Identity Node Attestor](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_nodeattestor_azure_msi.md) | ## 2. Defining the SPIFFE ID of the Workload diff --git a/content/docs/latest/planning/extending.md b/content/docs/latest/planning/extending.md index f0487ba3..20fdcce9 100644 --- a/content/docs/latest/planning/extending.md 
+++ b/content/docs/latest/planning/extending.md @@ -57,7 +57,9 @@ SPIRE comes with a set of built-in Key Manager plugins for the [Server](/docs/la Notifier plugins allow actions to be triggered in other systems when certain events occur on the SPIRE Server, and in some cases interrupt the event itself. Notifier plugins can support a number of different use cases, such as when certificate rotation events occur. -SPIRE comes with a set of built-in Notifier plugins for the [Server](/docs/latest/deploying/spire_server/). +SPIRE comes with a set of built-in Notifier plugins for the [Server](/docs/latest/deploying/spire_server/) and [Agent](/docs/latest/deploying/spire_agent/). + +Note that the Key Manager is **not** provided with contextual metadata about the signing operation that it is performing (e.g., X.509 Certificate Signing Request). The SPIRE Server performs any necessary policy evaluation on the signing request itself, and hands hashed data to the Key Manager plugin that is used as an input for creating a signature. This means that a Key Manager plugin cannot be developed to evaluate the request outside of the SPIRE Server (e.g., Certificate Authority (CA) service in the case of X.509). The Upstream Authority plugin is the single method of integration between SPIRE and external CAs. # Working with first-party plugins
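Review bot: In the registering.md hunk the rewritten Azure row now links to plugin_agent_nodeattestor_azure_msi.md, while the neighbouring Kubernetes and AWS rows in the same table link to the plugin_server_nodeattestor_k8s_sat.md and plugin_server_nodeattestor_aws_iid.md reference pages; since this table documents the selectors the server-side attestor emits, the consistent target is the server-side document, so please confirm whether `plugin_server_nodeattestor_azure_msi.md` rather than the agent plugin page is the intended reference before merging. The link-text fix from "Node Resolver" to "Node Attestor" itself looks right.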
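Review bot: The new Key Manager note in the extending.md hunk is inserted under the Notifier plugins paragraph (directly before "# Working with first-party plugins"), but it describes Key Manager behaviour; the hunk header shows the Key Manager section ("SPIRE comes with a set of built-in Key Manager plugins for the [Server]...") sits earlier in the file, so move the note there to keep it next to the text it qualifies. Separately, the change to "built-in Notifier plugins for the [Server] ... and [Agent]" is unrelated to the commit subject and sits in a paragraph that defines Notifier events as occurring "on the SPIRE Server"; please either drop it from this PR or confirm the Agent actually ships Notifier plugins and document which ones.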