Support for TLS Client Certificates
I use gitlab for work, and because we take security seriously we use TLS mutual authentication to protect our source code, artefact servers, and ci machines. Unfortunately, this seems to be fairly uncommon because many services have poor support for TLS mutual auth, with gitlab-ci being the latest offender.
Prior to version 1.2 we used stunnel to encrypt gitlab-ci's upstream traffic, which worked fine because we could configure the gitlab upstream host and port in gitlab-ci. Unfortunately, that's no longer the case: after receiving a build, gitlab-ci now tries to retrieve artefacts from the host gitlab tells it about, rather than the host it's configured to connect to. This is ok, but it makes it much harder to work around limitations in gitlab-ci's ability to deal with non-standard authentication configurations.
I notice there's been a merge request for adding some level of TLS mutual authentication to gitlab-ci open for a while (!86, now closed).
This merge request goes part of the way there: it allows gitlab-ci to connect to the remote gitlab host using a client certificate and listen for build requests. However, as the comments on the merge request mention, it doesn't handle authenticating git, which is required to handle TLS mutual authentication correctly.
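To make the missing piece concrete, here is an added example (not code from gitlab-ci or the merge request) of what a runner has to do for both halves of mutual TLS: build a tls.Config that presents the client certificate and verifies the server against the configured CA chain, and hand the same three files to git through its documented GIT_SSL_CERT, GIT_SSL_KEY and GIT_SSL_CAINFO environment variables so clones authenticate the same way. The ClientTLS type, WriteDemoFiles helper and the self-signed certificate it generates are assumptions constructed for the example; only the git variable names and the standard-library calls are real.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// ClientTLS holds the three PEM files a mutual-TLS client needs (hypothetical type).
type ClientTLS struct {
	CertFile string // client certificate
	KeyFile  string // client private key
	CAFile   string // CA chain used to verify the gitlab server
}

// Config builds a tls.Config that presents the client certificate and trusts
// only the configured CA chain (not the system roots) for the server side.
func (c ClientTLS) Config() (*tls.Config, error) {
	cert, err := tls.LoadX509KeyPair(c.CertFile, c.KeyFile)
	if err != nil {
		return nil, fmt.Errorf("load client cert: %w", err)
	}
	caPEM, err := os.ReadFile(c.CAFile)
	if err != nil {
		return nil, fmt.Errorf("read CA file: %w", err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		// Failing closed here avoids silently falling back to system roots.
		return nil, errors.New("CA file contains no PEM certificates")
	}
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		RootCAs:      pool,
		MinVersion:   tls.VersionTLS12,
	}, nil
}

// GitEnv returns the environment git needs to present the same client
// certificate and trust the same CA chain when it clones over HTTPS.
func (c ClientTLS) GitEnv() []string {
	return []string{
		"GIT_SSL_CERT=" + c.CertFile,
		"GIT_SSL_KEY=" + c.KeyFile,
		"GIT_SSL_CAINFO=" + c.CAFile,
	}
}

// WriteDemoFiles generates a constructed, self-signed certificate (demo only,
// used as both client cert and CA) and writes the PEM files into dir.
func WriteDemoFiles(dir string) (ClientTLS, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return ClientTLS{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "demo-runner"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return ClientTLS{}, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return ClientTLS{}, err
	}
	c := ClientTLS{
		CertFile: filepath.Join(dir, "client.crt"),
		KeyFile:  filepath.Join(dir, "client.key"),
		CAFile:   filepath.Join(dir, "ca.crt"),
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	for _, f := range []struct {
		path string
		data []byte
		mode os.FileMode
	}{{c.CertFile, certPEM, 0o644}, {c.KeyFile, keyPEM, 0o600}, {c.CAFile, certPEM, 0o644}} {
		if err := os.WriteFile(f.path, f.data, f.mode); err != nil {
			return ClientTLS{}, err
		}
	}
	return c, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "mtls-demo")
	c, err := WriteDemoFiles(dir)
	if err != nil {
		panic(err)
	}
	if _, err := c.Config(); err != nil {
		panic(err)
	}
	fmt.Println("tls.Config built; git env:", c.GitEnv())
}
```

The point of reading the CA chain from the configured file rather than from whatever the live connection presented is that the file is the operator's trust anchor; a pool built from the peer's own chain would trust whatever the peer sent.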
I've investigated completing the merge request but I don't understand what the gitlab-ci author's intended behaviour is here with respect to getting the credentials from the gitlab host. Why does GetBuildResponse copy the TLSCAChain from the TLS connection rather than using the configured certificate file?