Default SSL on Ingress Gateway

Have you enabled the ingress-sds container on your Ingress Gateway controller? See https://istio.io/docs/tasks/traffic-management/ingress/secure-ingress-sds/#configure-a-tls-ingress-gateway-using-sds

Once you have this enabled you should see 2/2 containers in your istio-ingressgateway pod.

The credentialName should match a type/generic or type/tls Secret resource deployed in the SAME namespace as the Gateway controller (cross-namespace Secrets are not supported).

I have a recent post on the forum regarding using cert-manager with ingress SDS here: "[mTLS] Default RootCA for Client Certificates". It shows how the ingress-sds container is configured to watch Secrets.

Also, with regard to troubleshooting, I would watch the ingress-sds logs and also the istio-proxy logs for SDS-related messages.
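The same-namespace rule for credentialName described in the reply above can be checked offline against `kubectl get ... -o json` output. This is an added example, not code from the original post or from Istio; the `istio-system` controller namespace, the helper names and the sample objects are assumptions constructed for illustration.

```python
# Secret types created by `kubectl create secret generic` and `kubectl create secret tls`.
ALLOWED_TYPES = {"Opaque", "kubernetes.io/tls"}

def check_credential_names(gateways, secrets, controller_ns="istio-system"):
    """Return (gateway, credentialName, reason) for each name ingress SDS cannot resolve.

    gateways / secrets: the "items" lists from `kubectl get gateways.networking.istio.io
    -A -o json` and `kubectl get secrets -A -o json`.
    controller_ns: namespace of the istio-ingressgateway pod (assumed: istio-system).
    """
    by_name = {}
    for s in secrets:
        by_name.setdefault(s["metadata"]["name"], []).append(s)
    findings = []
    for gw in gateways:
        gw_id = f'{gw["metadata"]["namespace"]}/{gw["metadata"]["name"]}'
        for server in gw.get("spec", {}).get("servers", []):
            cred = (server.get("tls") or {}).get("credentialName")
            if not cred:
                continue  # plain HTTP or file-mounted certificate: SDS is not involved
            candidates = by_name.get(cred, [])
            local = [s for s in candidates if s["metadata"]["namespace"] == controller_ns]
            if not candidates:
                findings.append((gw_id, cred, "no Secret with this name"))
            elif not local:
                found = sorted(s["metadata"]["namespace"] for s in candidates)
                findings.append((gw_id, cred, f"Secret only in {found}, not {controller_ns}"))
            elif local[0].get("type") not in ALLOWED_TYPES:
                findings.append((gw_id, cred, f"unsupported Secret type {local[0].get('type')}"))
    return findings

def make_gateway(ns, name, cred=None):
    """Build a minimal Gateway object (constructed sample, hypothetical helper)."""
    server = {"port": {"number": 443 if cred else 80}, "hosts": ["*"]}
    if cred:
        server["tls"] = {"mode": "SIMPLE", "credentialName": cred}
    return {"metadata": {"namespace": ns, "name": name}, "spec": {"servers": [server]}}

def make_secret(ns, name, stype):
    """Build a minimal Secret object (constructed sample, hypothetical helper)."""
    return {"metadata": {"namespace": ns, "name": name}, "type": stype}

# Constructed sample data, not taken from a real cluster.
SAMPLE_GATEWAYS = [make_gateway("apps", "shop-gw", "shop-cert"), make_gateway("apps", "web-gw"),
                   make_gateway("istio-system", "default-gw", "default-cert"),
                   make_gateway("apps", "api-gw", "api-cert"), make_gateway("apps", "reg-gw", "reg-cred")]
SAMPLE_SECRETS = [make_secret("apps", "shop-cert", "kubernetes.io/tls"),
                  make_secret("istio-system", "default-cert", "kubernetes.io/tls"),
                  make_secret("istio-system", "reg-cred", "kubernetes.io/dockerconfigjson")]

if __name__ == "__main__":
    for finding in check_credential_names(SAMPLE_GATEWAYS, SAMPLE_SECRETS):
        print(*finding, sep=": ")
```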