Node agent fetches k8s secrets

According to https://istio.io/docs/concepts/security/#node-agent-in-kubernetes Citadel stores certificate and key as k8s secrets, so does Node Agent actually fetches certificate and key from k8s secrets and share them with Istio-proxy sidecar via a Unix domain Socket?

My understanding is that the node agent contacts Citadel like you said and transports the keys/certs from citadel to the proxies. The node agent doesn’t have access to the secrets directly.