docs: add Vault auth to README and fix stale mutually-exclusive comments

Update the README feature table and auth method list to include
HashiCorp Vault. Fix stale mutually-exclusive comments on
KubeconfigSecretRef, ServiceAccountAuth, and WorkloadIdentity
fields that were missing SPIFFEAuth and/or VaultAuth.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: chris-rock

README.md

@@ -74,7 +74,7 @@ Install the operator in a central management cluster and scan remote clusters vi
 │  └──────────┬──────────────────┘    │
 └─────────────┼───────────────────────┘
               │
-              │ kubeconfig / WIF / SPIFFE
+              │ kubeconfig / WIF / SPIFFE / Vault
               │
     ┌─────────┴─────────┬─────────────────┐
     ▼                   ▼                 ▼
@@ -91,6 +91,7 @@ Install the operator in a central management cluster and scan remote clusters vi
 - **Kubeconfig**: Use a kubeconfig file stored in a Secret
 - **Workload Identity (WIF)**: Native cloud provider authentication for GKE, EKS, AKS
 - **SPIFFE**: Use SPIFFE/SPIRE for cross-cluster authentication
+- **HashiCorp Vault**: Dynamic short-lived credentials via Vault's Kubernetes secrets engine
 
 ```yaml
 # External cluster scanning with kubeconfig
@@ -139,6 +140,7 @@ spec:
 | Kubeconfig Auth                 |      -       |        ✅        |
 | Workload Identity (GKE/EKS/AKS) |      -       |        ✅        |
 | SPIFFE Auth                     |      -       |        ✅        |
+| HashiCorp Vault Auth            |      -       |        ✅        |
 
 ![Architecture](docs/img/architecture.svg)
 

api/v1alpha2/mondooauditconfig_types.go

@@ -154,17 +154,17 @@ type ExternalCluster struct {
 
 	// KubeconfigSecretRef references a Secret containing kubeconfig for the remote cluster.
 	// The Secret must have a key "kubeconfig" with the kubeconfig content.
-	// Mutually exclusive with ServiceAccountAuth and WorkloadIdentity.
+	// Mutually exclusive with ServiceAccountAuth, WorkloadIdentity, SPIFFEAuth, and VaultAuth.
 	// +optional
 	KubeconfigSecretRef *corev1.LocalObjectReference `json:"kubeconfigSecretRef,omitempty"`
 
 	// ServiceAccountAuth configures authentication using a service account token.
-	// Mutually exclusive with KubeconfigSecretRef and WorkloadIdentity.
+	// Mutually exclusive with KubeconfigSecretRef, WorkloadIdentity, SPIFFEAuth, and VaultAuth.
 	// +optional
 	ServiceAccountAuth *ServiceAccountAuth `json:"serviceAccountAuth,omitempty"`
 
 	// WorkloadIdentity configures cloud-native Workload Identity Federation authentication.
-	// Mutually exclusive with KubeconfigSecretRef, ServiceAccountAuth, and SPIFFEAuth.
+	// Mutually exclusive with KubeconfigSecretRef, ServiceAccountAuth, SPIFFEAuth, and VaultAuth.
 	// +optional
 	WorkloadIdentity *WorkloadIdentityConfig `json:"workloadIdentity,omitempty"`