Created a wildcard record even there is no * host record in ingress rules #4348

Open
yukccy opened this issue Mar 28, 2024 · 1 comment
Labels
kind/bug Categorizes issue or PR as related to a bug.

yukccy commented Mar 28, 2024

What happened:
I used External-DNS to create DNS records on Route53 for my dynamic environments. It works fine for creating the records I need; however, it also creates A and TXT records for *.example.com.

What you expected to happen:
Only the records specified in Ingress rule are being created.

For example, in my Ingress rules, there is only one record, abc.example.com. I expect that only the A and TXT records for abc.example.com would be created. However, there are 6 records in total, 3 for abc.example.com and 3 for *.example.com.

How to reproduce it (as minimally and precisely as possible):
My ingress YAML:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]'
    alb.ingress.kubernetes.io/load-balancer-name: ingress-test
spec:
  ingressClassName: alb
  tls:
  - hosts:
    - "*.example.com"
  rules:
  - host: abc.example.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: abc
            port: 
              number: 80

Anything else we need to know?:
values.yaml for Helm:

sources:
  - ingress
policy: sync
registry: txt
txtOwnerId: external-dns
domainFilters:
  - example.com

Log

time="2024-03-28T17:59:36Z" level=info msg="Desired change: CREATE *.example.com A [Id: /hostedzone/123]"
time="2024-03-28T17:59:36Z" level=info msg="Desired change: CREATE *.example.com TXT [Id: /hostedzone/123]"
time="2024-03-28T17:59:36Z" level=info msg="Desired change: CREATE abc.example.com A [Id: /hostedzone/123]"
time="2024-03-28T17:59:36Z" level=info msg="Desired change: CREATE abc.example.com TXT [Id: /hostedzone/123]"
time="2024-03-28T17:59:36Z" level=info msg="Desired change: CREATE cname-*.example.com TXT [Id: /hostedzone/123]"
time="2024-03-28T17:59:123" level=info msg="Desired change: CREATE cname-abc.example.com TXT [Id: /hostedzone/123]"
time="2024-03-28T17:59:37Z" level=info msg="6 record(s) in zone example.com. [Id: /hostedzone/123] were successfully updated"

Environment:

  • External-DNS version (use external-dns --version): v0.14.0, Chart version v1.14.3
  • DNS provider: aws
  • Others:
@yukccy yukccy added the kind/bug Categorizes issue or PR as related to a bug. label Mar 28, 2024

yukccy commented Apr 1, 2024

The wildcard record is no longer created once the tls section under spec is removed. I was using the Certificate Discovery feature via the tls field. Now I use the Discover via Ingress host rule method.

Reference: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/ingress/cert_discovery/

However, I doubt a wildcard record should be created just because of using the Discover via Ingress tls method, as this is just a way of attaching a TLS certificate instead of a route. Not sure if this case has been discussed before.

This is my updated ingress.yaml,

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]'
    alb.ingress.kubernetes.io/load-balancer-name: ingress-test
spec:
  ingressClassName: alb
  rules:
  - host: abc.example.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: abc
            port: 
              number: 80
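
Added example, not part of the original issue or of the External-DNS code base: a pre-deployment check that takes an Ingress as JSON and lists the `spec.tls` hosts that no `spec.rules` host matches, which are the extra names (here `*.example.com`) published in the report above. The names `TLSOnlyHosts`, `IsWildcard` and `sample` are hypothetical, and the sample manifest is constructed from the issue's first YAML.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ingress mirrors only the networking.k8s.io/v1 Ingress fields needed here.
type ingress struct {
	Spec struct {
		Rules []struct{ Host string }    `json:"rules"`
		TLS   []struct{ Hosts []string } `json:"tls"`
	} `json:"spec"`
}

// TLSOnlyHosts returns the spec.tls hosts that match no spec.rules host exactly.
func TLSOnlyHosts(manifest []byte) ([]string, error) {
	var ing ingress
	if err := json.Unmarshal(manifest, &ing); err != nil {
		return nil, fmt.Errorf("decode ingress: %w", err)
	}
	known := map[string]bool{}
	for _, r := range ing.Spec.Rules {
		known[strings.ToLower(r.Host)] = true
	}
	var extra []string
	for _, t := range ing.Spec.TLS {
		for _, h := range t.Hosts {
			if h = strings.ToLower(h); h != "" && !known[h] {
				known[h] = true // also de-duplicates repeated tls hosts
				extra = append(extra, h)
			}
		}
	}
	return extra, nil
}

// IsWildcard reports whether publishing host would create a wildcard DNS record.
func IsWildcard(host string) bool { return strings.HasPrefix(host, "*.") }

// Constructed sample: the issue's first manifest reduced to the relevant fields.
const sample = `{"spec":{"tls":[{"hosts":["*.example.com"]}],"rules":[{"host":"abc.example.com"}]}}`

func main() {
	hosts, err := TLSOnlyHosts([]byte(sample))
	fmt.Println(hosts, err) // hosts that spec.tls adds beyond spec.rules
}
```

External-DNS also provides an `--ignore-ingress-tls-spec` flag, which makes the ingress source skip `spec.tls` so that certificate discovery through the `tls` field can stay in place.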
