Unable to secure ingress with SDS

1

I just upgraded my test cluster running 1.0.6 to 1.1. I am attempting to setup an ingress via the instructions here:
https://istio.io/docs/tasks/traffic-management/secure-ingress/sds/
but thus far am not having any luck. Any time I attempt to test my ingress I get

* TCP_NODELAY set
* Connected to httpbin-istio.domain (52.71.246.28) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to httpbin-istio.domain:443
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to httpbin-istio.domain:443

Here are the manifests:

apiVersion: v1
kind: Service
metadata:
  name: httpbin
  namespace: default
  labels:
    app: httpbin
spec:
  ports:
  - name: http
    port: 8000
  selector:
    app: httpbin

---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: httpbin
  namespace: default
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      containers:
      - image: docker.io/citizenstig/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 8000

---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway-external
  namespace: default
  annotations:
    kubernetes.io/ingress.class: external
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 443
      name: https-httpbin
      protocol: HTTPS
    hosts:
    - "httpbin-istio.domain"
    tls:
      mode: SIMPLE
      credentialName: "httpbin-credential"

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin-external
  namespace: default
spec:
  hosts:
  - "httpbin-istio.domain"
  gateways:
  - httpbin-gateway-external
  http:
  - route:
    - destination:
        port:
          number: 8000
        host: httpbin.default.svc.cluster.local

I have been able to validate that from a sleep pod I can access the httpbin service successfully with mtls enabled as well as access the service through the ingress via HTTP.

Please help. Thanks

2

Was able to finally track down that the issue is that the secret (from the cert) needs to exist in the same namespace as the ingressgateway pod. Though the gateway definition can exist outside the istio ns.