kubectl: Can't read certificate authority from named pipe

It seems that kubectl can’t read --certificate-authority from named pipes or /dev/stdin.

What happened:

$ cat ~/.kube/config | grep certificate-authority | head -n 1 | sed 's/.* //' | base64 --decode > cluster.ca

$ kubectl --certificate-authority=cluster.ca get pods
No resources found in default namespace.

$ kubectl --certificate-authority=<(cat cluster.ca) get pods
Unable to connect to the server: x509: certificate signed by unknown authority

$ cat cluster.ca | kubectl --certificate-authority=/dev/stdin get pods
Unable to connect to the server: x509: certificate signed by unknown authority

What you expected to happen: This should work regardless of whether kubectl is reading from a regular file, from a named pipe, or from /dev/stdin.

How to reproduce it (as minimally and precisely as possible): See above.

Anything else we need to know?: Kubectl seems to handle this properly for --kubeconfig, so presumably there’s some difference between how it’s reading --certificate-authority and --kubeconfig. Perhaps it’s trying to read the CA file twice? It gives the same error if passed an empty file.

Environment: Tested on macOS with kubectl 1.20.4 and Debian 10 with kubectl 1.18.16.

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 15 (11 by maintainers)

Most upvoted comments

@lauchokyip for local setups (like with Minikube), you’ll typically have a CA file referred to via the certificate-authority key, but for cloud-based/production setups you’ll normally have a Base64-encoded cert under certificate-authority-data. See https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/
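An added example, not part of the issue thread or of kubectl: it shows why a second read of a piped CA would look like the empty-file case the reporter describes (the double read is the reporter's hypothesis, not confirmed kubectl behaviour), and how a CA arriving on a pipe can be embedded as certificate-authority-data instead of being passed as a path. The function names, the `example` cluster name, the server URL and the sample PEM are assumptions constructed for the demonstration.

```shell
# Added example; names and sample data are constructed, not from the issue.

# Open PATH twice, as a program that reads a CA file two times would,
# and print the byte count returned by each read.
read_twice() {
  first=$(wc -c < "$1" | tr -d ' ')
  second=$(wc -c < "$1" | tr -d ' ')
  echo "$first $second"
}

# Read a PEM bundle on stdin and print a kubeconfig cluster entry that embeds
# it as certificate-authority-data, so no CA path has to be opened later.
# $1 = API server URL (a placeholder in the demo below).
kubeconfig_with_ca_data() {
  ca_b64=$(base64 | tr -d '\n')   # one line; GNU and BSD base64 wrap differently
  # An empty CA would only surface later as an x509 error, so reject it here.
  [ -n "$ca_b64" ] || { echo "empty CA input" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: example
  cluster:
    server: $1
    certificate-authority-data: $ca_b64
EOF
}

# Constructed stand-in for a PEM file (not a real certificate).
SAMPLE_CA='-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgc2FtcGxl
-----END CERTIFICATE-----'

# Demo: a regular file returns the same bytes on both reads,
# a pipe returns them once and then nothing.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_CA" > "$demo_file"
echo "regular file: $(read_twice "$demo_file")"
echo "pipe:         $(printf '%s\n' "$SAMPLE_CA" | read_twice /dev/stdin)"
rm -f "$demo_file"

# Demo: embed the piped CA; the server URL is a placeholder.
printf '%s\n' "$SAMPLE_CA" | kubeconfig_with_ca_data "https://k8s.example.invalid:6443"
```

The generated entry still needs a user and context before kubectl can use it.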