diff --git a/pkg/client/helper.go b/pkg/client/helper.go
index 0ae507257f3..ac3dce0dd3a 100644
--- a/pkg/client/helper.go
+++ b/pkg/client/helper.go
@@ -18,7 +18,6 @@ package client
 
 import (
 	"fmt"
-	"io/ioutil"
 	"net"
 	"net/http"
 	"net/url"
@@ -274,19 +273,6 @@ func HTTPWrappersForConfig(config *Config, rt http.RoundTripper) (http.RoundTrip
 	return rt, nil
 }
 
-// dataFromSliceOrFile returns data from the slice (if non-empty), or from the file,
-// or an error if an error occurred reading the file
-func dataFromSliceOrFile(data []byte, file string) ([]byte, error) {
-	if len(data) > 0 {
-		return data, nil
-	}
-	fileData, err := ioutil.ReadFile(file)
-	if err != nil {
-		return []byte{}, err
-	}
-	return fileData, nil
-}
-
 // DefaultServerURL converts a host, host:port, or URL string to the default base server API path
 // to use with a Client at a given API version following the standard conventions for a
 // Kubernetes API.
diff --git a/pkg/client/transport.go b/pkg/client/transport.go
index 62dd0964872..22278c4481e 100644
--- a/pkg/client/transport.go
+++ b/pkg/client/transport.go
@@ -20,6 +20,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
+	"io/ioutil"
 	"net/http"
 )
 
@@ -81,32 +82,19 @@ func TLSConfigFor(config *Config) (*tls.Config, error) {
 	if hasCA && config.Insecure {
 		return nil, fmt.Errorf("specifying a root certificates file with the insecure flag is not allowed")
 	}
+	if err := LoadTLSFiles(config); err != nil {
+		return nil, err
+	}
 	var tlsConfig *tls.Config
 	switch {
 	case hasCert:
-		certData, err := dataFromSliceOrFile(config.CertData, config.CertFile)
-		if err != nil {
-			return nil, err
-		}
-		keyData, err := dataFromSliceOrFile(config.KeyData, config.KeyFile)
-		if err != nil {
-			return nil, err
-		}
-		caData, err := dataFromSliceOrFile(config.CAData, config.CAFile)
-		if err != nil {
-			return nil, err
-		}
-		cfg, err := NewClientCertTLSConfig(certData, keyData, caData)
+		cfg, err := NewClientCertTLSConfig(config.CertData, config.KeyData, config.CAData)
 		if err != nil {
 			return nil, err
 		}
 		tlsConfig = cfg
 	case hasCA:
-		caData, err := dataFromSliceOrFile(config.CAData, config.CAFile)
-		if err != nil {
-			return nil, err
-		}
-		cfg, err := NewTLSConfig(caData)
+		cfg, err := NewTLSConfig(config.CAData)
 		if err != nil {
 			return nil, err
 		}
@@ -118,6 +106,45 @@ func TLSConfigFor(config *Config) (*tls.Config, error) {
 	return tlsConfig, nil
 }
 
+// LoadTLSFiles copies the data from the CertFile, KeyFile, and CAFile fields into the CertData,
+// KeyData, and CAFile fields, or returns an error. If no error is returned, all three fields are
+// either populated or were empty to start.
+func LoadTLSFiles(config *Config) error {
+	certData, err := dataFromSliceOrFile(config.CertData, config.CertFile)
+	if err != nil {
+		return err
+	}
+	config.CertData = certData
+	keyData, err := dataFromSliceOrFile(config.KeyData, config.KeyFile)
+	if err != nil {
+		return err
+	}
+	config.KeyData = keyData
+	caData, err := dataFromSliceOrFile(config.CAData, config.CAFile)
+	if err != nil {
+		return err
+	}
+	config.CAData = caData
+
+	return nil
+}
+
+// dataFromSliceOrFile returns data from the slice (if non-empty), or from the file,
+// or an error if an error occurred reading the file
+func dataFromSliceOrFile(data []byte, file string) ([]byte, error) {
+	if len(data) > 0 {
+		return data, nil
+	}
+	if len(file) > 0 {
+		fileData, err := ioutil.ReadFile(file)
+		if err != nil {
+			return []byte{}, err
+		}
+		return fileData, nil
+	}
+	return nil, nil
+}
+
 func NewClientCertTLSConfig(certData, keyData, caData []byte) (*tls.Config, error) {
 	cert, err := tls.X509KeyPair(certData, keyData)
 	if err != nil {