diff --git a/.github/actions/create-local-registry/insecure/action.yaml b/.github/actions/create-local-registry/insecure/action.yaml
new file mode 100644
index 00000000000..5bace3a2f3b
--- /dev/null
+++ b/.github/actions/create-local-registry/insecure/action.yaml
@@ -0,0 +1,94 @@
+name: "Create a secure local registry"
+description: |
+ This action creates a local registry for the images to be pushed to.
+ It uses the `docker` CLI to create a registry container and then starts it.
+ The registry is then available at `localhost:5000` by default.
+inputs:
+ registry-name:
+ description: "The name of the local registry"
+ required: true
+ default: "radius-registry"
+ registry-server:
+ description: "The server name for the local registry"
+ required: true
+ default: "localhost"
+ registry-port:
+ description: "The port for the local registry"
+ required: true
+ default: "5000"
+runs:
+ using: "composite"
+ steps:
+ - name: Create certificates for local registry
+ shell: bash
+ run: |
+ create_openssl_cfg() {
+ CFG=$(
+ cat <<'EOF'
+ [req]
+ distinguished_name = subject
+ x509_extensions = x509_ext
+ prompt = no
+
+ [subject]
+ CN = localhost
+
+ [x509_ext]
+ basicConstraints = critical, CA:TRUE
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always, issuer:always
+ keyUsage = critical, cRLSign, digitalSignature, keyCertSign
+ nsComment = "OpenSSL Generated Certificate"
+ subjectAltName = @alt_names
+
+ [alt_names]
+ DNS.1 = ${{ inputs.registry-name }}
+ DNS.2 = ${{ inputs.registry-server }}
+ EOF
+ )
+ echo "$CFG"
+ }
+
+ # Create a temporary directory to store the certificates
+ temp_cert_dir=$(mktemp -d 2>/dev/null || mktemp -d -t 'temp_cert_dir')
+ echo "TEMP_CERT_DIR=$temp_cert_dir" >> $GITHUB_ENV
+
+ pushd $temp_cert_dir
+ # Create the directory for the certificates
+ mkdir -p certs/${{ inputs.registry-server }}
+
+ echo "==== Generate the openssl config"
+ create_openssl_cfg >req.cnf
+
+ echo "==== Create the self signed certificate certificate and client key files"
+ openssl req -x509 \
+ -nodes \
+ -days 365 \
+ -newkey rsa:4096 \
+ -keyout certs/${{ inputs.registry-server }}/client.key \
+ -out certs/${{ inputs.registry-server }}/client.crt \
+ -config req.cnf \
+ -sha256
+
+ - name: Add the certificate 
to the system trust store
+ shell: bash
+ run: |
+ sudo apt install ca-certificates
+ sudo cp $TEMP_CERT_DIR/certs/${{ inputs.registry-server }}/client.crt /usr/local/share/ca-certificates/${{ inputs.registry-server }}.crt
+ sudo cp $TEMP_CERT_DIR/certs/${{ inputs.registry-server }}/client.crt /usr/local/share/ca-certificates/${{ inputs.registry-name }}.crt
+ sudo update-ca-certificates
+
+ - name: Create local Docker registry
+ shell: bash
+ run: |
+ if [ "$(docker inspect -f '{{.State.Running}}' "${{ inputs.registry-name }}" 2>/dev/null || true)" != 'true' ]; then
+ echo "==== Creating a docker registry"
+
+ docker run -d \
+ -p ${{ inputs.registry-port }}:5000 \
+ --restart=always \
+ --name ${{ inputs.registry-name }} \
+ -v $TEMP_CERT_DIR/certs/${{ inputs.registry-server }}:/certs \
+ -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/client.crt \
+ -e REGISTRY_HTTP_TLS_KEY=/certs/client.key \
+ registry:2
diff --git a/.github/actions/create-local-registry/secure/action.yaml b/.github/actions/create-local-registry/secure/action.yaml
new file mode 100644
index 00000000000..5bace3a2f3b
--- /dev/null
+++ b/.github/actions/create-local-registry/secure/action.yaml
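Review bot: The final step's `run` block opens `if [ "$(docker inspect -f '{{.State.Running}}' "${{ inputs.registry-name }}" 2>/dev/null || true)" != 'true' ]; then` but the hunk's 94 added lines stop at `registry:2` with no closing `fi`, so bash rejects the whole step script with a syntax error and no registry is ever started; add `fi` after the `docker run` command. The same omission is in `secure/action.yaml` in the next hunk, which is byte-identical to this file (same blob id 5bace3a2f3b, same `name: "Create a secure local registry"`, same certificate generation and `REGISTRY_HTTP_TLS_*` variables), so the `insecure/` path currently has no plain-HTTP variant behind it. Either drop the duplicate until an insecure variant exists or give this file the behaviour and `name`/`description` its path implies, so a workflow author does not select it expecting a plain-HTTP registry.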
@@ -0,0 +1,94 @@
+name: "Create a secure local registry"
+description: |
+ This action creates a local registry for the images to be pushed to.
+ It uses the `docker` CLI to create a registry container and then starts it.
+ The registry is then available at `localhost:5000` by default.
+inputs:
+ registry-name:
+ description: "The name of the local registry"
+ required: true
+ default: "radius-registry"
+ registry-server:
+ description: "The server name for the local registry"
+ required: true
+ default: "localhost"
+ registry-port:
+ description: "The port for the local registry"
+ required: true
+ default: "5000"
+runs:
+ using: "composite"
+ steps:
+ - name: Create certificates for local registry
+ shell: bash
+ run: |
+ create_openssl_cfg() {
+ CFG=$(
+ cat <<'EOF'
+ [req]
+ distinguished_name = subject
+ x509_extensions = x509_ext
+ prompt = no
+
+ [subject]
+ CN = localhost
+
+ [x509_ext]
+ basicConstraints = critical, CA:TRUE
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always, issuer:always
+ keyUsage = critical, cRLSign, digitalSignature, keyCertSign
+ nsComment = "OpenSSL Generated Certificate"
+ subjectAltName = @alt_names
+
+ [alt_names]
+ DNS.1 = ${{ inputs.registry-name }}
+ DNS.2 = ${{ inputs.registry-server }}
+ EOF
+ )
+ echo "$CFG"
+ }
+
+ # Create a temporary directory to store the certificates
+ temp_cert_dir=$(mktemp -d 2>/dev/null || mktemp -d -t 'temp_cert_dir')
+ echo "TEMP_CERT_DIR=$temp_cert_dir" >> $GITHUB_ENV
+
+ pushd $temp_cert_dir
+ # Create the directory for the certificates
+ mkdir -p certs/${{ inputs.registry-server }}
+
+ echo "==== Generate the openssl config"
+ create_openssl_cfg >req.cnf
+
+ echo "==== Create the self signed certificate certificate and client key files"
+ openssl req -x509 \
+ -nodes \
+ -days 365 \
+ -newkey rsa:4096 \
+ -keyout certs/${{ inputs.registry-server }}/client.key \
+ -out certs/${{ inputs.registry-server }}/client.crt \
+ -config req.cnf \
+ -sha256
+
+ - name: Add the certificate 
to the system trust store
+ shell: bash
+ run: |
+ sudo apt install ca-certificates
+ sudo cp $TEMP_CERT_DIR/certs/${{ inputs.registry-server }}/client.crt /usr/local/share/ca-certificates/${{ inputs.registry-server }}.crt
+ sudo cp $TEMP_CERT_DIR/certs/${{ inputs.registry-server }}/client.crt /usr/local/share/ca-certificates/${{ inputs.registry-name }}.crt
+ sudo update-ca-certificates
+
+ - name: Create local Docker registry
+ shell: bash
+ run: |
+ if [ "$(docker inspect -f '{{.State.Running}}' "${{ inputs.registry-name }}" 2>/dev/null || true)" != 'true' ]; then
+ echo "==== Creating a docker registry"
+
+ docker run -d \
+ -p ${{ inputs.registry-port }}:5000 \
+ --restart=always \
+ --name ${{ inputs.registry-name }} \
+ -v $TEMP_CERT_DIR/certs/${{ inputs.registry-server }}:/certs \
+ -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/client.crt \
+ -e REGISTRY_HTTP_TLS_KEY=/certs/client.key \
+ registry:2
diff --git a/.github/actions/save-pr-as-artifact/action.yaml b/.github/actions/save-pr-as-artifact/action.yaml
index 10d58f1eba3..10ba355d727 100644
--- a/.github/actions/save-pr-as-artifact/action.yaml
+++ b/.github/actions/save-pr-as-artifact/action.yaml
@@ -8,10 +8,9 @@ runs:
 env:
 PR_NUMBER: ${{ github.event.number }}
 run: |
- mkdir -p ./pr
- echo $PR_NUMBER > ./pr/pr_number
+ mkdir -p ./pr
+ echo $PR_NUMBER > ./pr/pr_number
 - uses: actions/upload-artifact@v4
 with:
 name: pr_number
 path: pr/
-
diff --git a/.github/actions/setup-rad-cli/action.yaml b/.github/actions/setup-rad-cli/action.yaml
index bc6e20a957a..1f1054acd5c 100644
--- a/.github/actions/setup-rad-cli/action.yaml
+++ b/.github/actions/setup-rad-cli/action.yaml
@@ -35,4 +35,3 @@ runs:
 shell: bash
 run: chmod +x rad
 working-directory: dist
-
diff --git a/.github/scripts/publish-recipes.sh b/.github/scripts/publish-recipes.sh
index c839334b0d3..c065f911eac 100755
--- a/.github/scripts/publish-recipes.sh
+++ b/.github/scripts/publish-recipes.sh
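Review bot: `-p ${{ inputs.registry-port }}:5000` publishes the registry on every interface of the runner, whereas the inline step this action replaces (visible in the functional-test-noncloud hunk below) bound it with `-p "127.0.0.1:${{ env.LOCAL_REGISTRY_PORT }}:5000"`; keeping the loopback binding, `-p "127.0.0.1:${{ inputs.registry-port }}:5000"`, matters on self-hosted runners, where this would otherwise expose a registry whose certificate the host has just been told to trust. The certificate is also generated with `basicConstraints = critical, CA:TRUE` and `keyCertSign` and then installed as a trust anchor by `update-ca-certificates`, while `CN = localhost` ignores the `registry-server` input; a plain server certificate (`CA:FALSE`, `extendedKeyUsage = serverAuth`, `CN = ${{ inputs.registry-server }}`) is what the registry needs and is a smaller grant of trust to a key that sits unprotected in `$TEMP_CERT_DIR` — confirm the Docker daemon accepts it from the system store before switching. `registry:2` is a floating tag; pinning it to a digest keeps the CI registry image reproducible. `sudo apt install ca-certificates` has no `-y`, so if the package were ever missing the non-interactive step would abort at the prompt; `sudo apt-get install -y ca-certificates` is the usual form. All of this applies equally to the identical `insecure/action.yaml` above.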
@@ -64,13 +64,5 @@ for RECIPE in $(find "$DIRECTORY" -type f -name "*.bicep"); do
 echo "Publishing $RECIPE to $PUBLISH_REF"
 echo "- $PUBLISH_REF" >>$GITHUB_STEP_SUMMARY
-
- # Check if INSECURE_REGISTRY is set. If it is, we'll use the --plain-http flag when
- # publishing the recipe.
- if [[ -n "$INSECURE_REGISTRY" ]]; then
- echo "INSECURE_REGISTRY is set. Using --plain-http flag."
- rad bicep publish --file $RECIPE --target "br:$PUBLISH_REF" --plain-http
- else
- rad bicep publish --file $RECIPE --target "br:$PUBLISH_REF"
- fi
+ rad bicep publish --file $RECIPE --target "br:$PUBLISH_REF"
 done
diff --git a/.github/workflows/functional-test-noncloud.yaml b/.github/workflows/functional-test-noncloud.yaml
index 63d6fb8fdb8..35114d5a849 100644
--- a/.github/workflows/functional-test-noncloud.yaml
+++ b/.github/workflows/functional-test-noncloud.yaml
@@ -47,9 +47,9 @@ on:
 env:
 # Go version
- GOVER: "1.22.2"
+ GOVER: "1.22.5"
 # Helm version
- HELM_VER: "v3.12.0"
+ HELM_VER: "v3.15.3"
 # KinD cluster version
 KIND_VER: "v0.23.0"
 # Dapr version
@@ -57,16 +57,7 @@ env:
 # Dapr dashboard version
 DAPR_DASHBOARD_VER: "0.14.0"
 # Kubectl version
- KUBECTL_VER: "v1.25.0"
-
- # Container registry for storing container images
- CONTAINER_REGISTRY: "radius-registry:5000"
- # Container registry for storing Bicep recipe artifacts
- BICEP_RECIPE_REGISTRY: "radius-registry:5000"
- # Local Docker registry name
- LOCAL_REGISTRY_NAME: "radius-registry"
- # Local Docker registry port
- LOCAL_REGISTRY_PORT: "5000"
+ KUBECTL_VER: "v1.30.0"
 # The radius functional test timeout
 FUNCTIONALTEST_TIMEOUT: 15m
@@ -84,6 +75,13 @@ env:
 # The number of failed tests to report.
 ISSUE_CREATE_THRESHOLD: 2
+ # Local Docker registry name
+ LOCAL_REGISTRY_NAME: "radius-registry"
+ # Local Docker registry server
+ LOCAL_REGISTRY_SERVER: "localhost"
+ # Local Docker registry port
+ LOCAL_REGISTRY_PORT: "5000"
+
 jobs:
 build:
 name: Build Radius for test
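Review bot: Removing the `INSECURE_REGISTRY` branch means a caller that still exports that variable now gets a TLS publish instead of the `--plain-http` behaviour it asked for, and nothing tells it the switch stopped working; until every caller is updated it is safer to fail loudly, e.g. `if [[ -n "${INSECURE_REGISTRY:-}" ]]; then echo "INSECURE_REGISTRY is no longer supported; the registry must serve TLS" >&2; exit 1; fi` before the `rad bicep publish` line. The `for RECIPE` loop that contains this hunk begins before it.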
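Review bot: The `@@ -57` hunk deletes `CONTAINER_REGISTRY` and `BICEP_RECIPE_REGISTRY` from `env`, and while the later `@@ -208` hunk re-points `DOCKER_REGISTRY`, no hunk in this diff replaces a `BICEP_RECIPE_REGISTRY` reference; if a step outside this view still reads `${{ env.BICEP_RECIPE_REGISTRY }}` it will now expand to an empty string rather than fail, which is worth a grep before merging. The `LOCAL_REGISTRY_*` block re-added in `@@ -84` also moves the registry host from `radius-registry` to `localhost` via the new `LOCAL_REGISTRY_SERVER`, and the `/etc/hosts` entry for `radius-registry` is removed in `@@ -208`, so any remaining hard-coded `radius-registry:5000` in the workflow or test fixtures would stop resolving. A comment on the new key, e.g. `# Hostname the registry certificate is issued for; must match what docker-push and the tests use`, would record that coupling.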
@@ -140,9 +138,9 @@ jobs:
 name: Run ${{ matrix.name }} functional tests
 needs: build
 strategy:
- fail-fast: false
+ fail-fast: true
 matrix:
- os: [ubuntu-latest]
+ os: [ubuntu-latest-m]
 name: [
 cli-noncloud,
@@ -208,37 +206,18 @@ jobs:
 restore-keys: |
 ${{ runner.os }}-go-
-
- - name: Create local Docker registry
- run: |
- # This is going to start an insecure registry on localhost:5000 on the host machine.
- if [ "$(docker inspect -f '{{.State.Running}}' "${{ env.LOCAL_REGISTRY_NAME }}" 2>/dev/null || true)" != 'true' ]; then
- docker run \
- -d --restart=always -p "127.0.0.1:${{ env.LOCAL_REGISTRY_PORT }}:5000" --network bridge --name "${{ env.LOCAL_REGISTRY_NAME }}" \
- registry:2
- fi
-
- - name: Add insecure registry to Docker daemon
- run: |
- # Check if /etc/docker/daemon.json exists
- if [ ! -f /etc/docker/daemon.json ]; then
- echo "daemon.json doesn't exist. Creating one..."
- echo '{}' | sudo tee /etc/docker/daemon.json
- fi
-
- # Add insecure registries to /etc/docker/daemon.json
- echo '{"insecure-registries": ["radius-registry:5000"]}' | sudo tee /etc/docker/daemon.json
- sudo systemctl daemon-reload
- sudo systemctl restart docker
-
- - name: Add radius-registry to /etc/hosts
- run: |
- sudo sh -c 'echo "127.0.0.1 radius-registry" >> /etc/hosts'
+ - name: Create a secure local registry
+ uses: ./.github/actions/create-local-registry/secure
+ with:
+ registry-name: ${{ env.LOCAL_REGISTRY_NAME }}
+ registry-server: ${{ env.LOCAL_REGISTRY_SERVER }}
+ registry-port: ${{ env.LOCAL_REGISTRY_PORT }}
 - name: Build and Push container images
 run: |
 make build && make docker-build && make docker-push
 env:
- DOCKER_REGISTRY: ${{ env.CONTAINER_REGISTRY }}
+ DOCKER_REGISTRY: "${{ env.LOCAL_REGISTRY_SERVER }}:${{ env.LOCAL_REGISTRY_PORT }}"
 DOCKER_TAG_VERSION: ${{ env.REL_VERSION }}
 - name: Install rad CLI
@@ -261,17 +240,17 @@ jobs:
 chmod +x ./kind
 # Create kind cluster with containerd registry config dir enabled
- cat <
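Review bot: `fail-fast: true` cancels the remaining matrix entries as soon as one functional-test suite fails, so a flaky run in one suite hides the results of the others and presumably lowers the failure count the `ISSUE_CREATE_THRESHOLD` reporting sees; for a matrix of independent suites the previous `fail-fast: false` usually gives more signal per run. If the change is deliberate, say to save `ubuntu-latest-m` runner time, a comment on the line such as `# fail-fast: cancel sibling suites on first failure to save large-runner minutes` would record the trade-off. The `strategy` block's `name` list continues past the hunk.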
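Review bot: `DOCKER_REGISTRY` now points `make docker-push` at `localhost:${{ env.LOCAL_REGISTRY_PORT }}`, but the functional tests run in a KinD cluster, and containerd inside a KinD node resolves `localhost` to the node container rather than the runner host, so pulls for that image reference will fail unless the containerd registry config written in the `@@ -261` hunk (cut off here at `cat <`) maps `localhost:5000` to an endpoint reachable from the node; please confirm that mapping exists and keys on the new host:port rather than `radius-registry:5000`. The certificate the composite action trusts via `update-ca-certificates` on the host is likewise not trusted inside the nodes, so that registry config (or the node image) needs either the CA or an explicit skip-verify for this one endpoint. A comment on the `DOCKER_REGISTRY` line noting that the value must match the containerd mirror config would keep the two in step.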