diff --git a/.pipelines/ci.yml b/.pipelines/ci.yml
index 7ff841d9b50..07f3fd88c88 100644
--- a/.pipelines/ci.yml
+++ b/.pipelines/ci.yml
@@ -11,22 +11,22 @@ trigger:
 include:
 - v2*
 
-# PR triggers are overridden in the ADO UI
-
-resources:
- containers:
- - container: golang
- image: mcr.microsoft.com/onebranch/cbl-mariner/build:2.0
- options: --user=0
- - container: python
- image: registry.access.redhat.com/ubi8/python-39:latest
- options: --user=0
- - container: ubi8
- image: registry.access.redhat.com/ubi8/toolbox:8.8
- options: --user=0 --privileged -v /dev/shm:/dev/shm --device /dev/net/tun --name vpn
-
 variables:
 - template: vars.yml
+ - name: REGISTRY
+ value: registry.access.redhat.com
+ - name: LOCAL_ARO_RP_IMAGE
+ value: "arosvcdev.azurecr.io/aro"
+ - name: LOCAL_ARO_RP_BUILD_IMAGE
+ value: "arosvcdev.azurecr.io/aro-build"
+ - name: LOCAL_ARO_AZEXT_IMAGE
+ value: "arosvcdev.azurecr.io/azext-aro"
+ - name: LOCAL_VPN_IMAGE
+ value: "arosvcdev.azurecr.io/vpn"
+ - name: TAG
+ value: $(Build.BuildId)
+ - name: VERSION
+ value: $(Build.BuildId)
 
 jobs:
 - job: Build_Test_And_Push_Az_ARO_Extension
@@ -38,7 +38,7 @@ jobs:
 # Build and test the Az ARO Extension
 - script: |
 set -xe
- DOCKER_BUILD_CI_ARGS="--load" make ci-azext-aro VERSION=$(Build.BuildId)
+ DOCKER_BUILD_CI_ARGS="--load" make ci-azext-aro VERSION=$(VERSION)
 displayName: 🛠 Build & Test Az ARO Extension
 
 # Push the image to ACR
@@ -57,7 +57,7 @@ jobs:
 # Build and test RP and Portal
 - script: |
 set -xe
- DOCKER_BUILD_CI_ARGS="--load" make ci-rp VERSION=$(Build.BuildId)
+ DOCKER_BUILD_CI_ARGS="--load" make ci-rp VERSION=$(VERSION)
 displayName: 🛠 Build & Test RP and Portal
 
 # Publish test results
diff --git a/.pipelines/templates/template-acr-push.yml b/.pipelines/templates/template-acr-push.yml
index aadf07132a2..f45b2e46706 100644
--- a/.pipelines/templates/template-acr-push.yml
+++ b/.pipelines/templates/template-acr-push.yml
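Review bot: `TAG` is declared with the same `$(Build.BuildId)` value as `VERSION`, but nothing in this diff reads it; every consumer (`make ci-rp VERSION=$(VERSION)`, the ACR push template) uses `VERSION`, so either drop the `TAG` entry or reference it where it was meant to go. The new `LOCAL_*_IMAGE` values also bake the registry host into the local image names (`arosvcdev.azurecr.io/aro`), and `template-acr-push.yml` in this same diff prefixes the image it pushes with `${ACR_FQDN}/` again; the template invocation is not visible here, so confirm that the `repository` parameter it receives is the bare repository name rather than one of these variables, otherwise either the local `docker images -q` lookup or the push target ends up wrong. The deleted `# PR triggers are overridden in the ADO UI` line was the only in-repo record of that out-of-band setting; if it is still true, keeping that one comment above `variables:` costs nothing.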
@@ -20,6 +20,23 @@ steps:
 scriptLocation: 'inlineScript'
 inlineScript: |
 set -xe
+
+ # Update packages and install docker.io and docker-compose-plugin
+ echo "Installing Docker and Docker Compose Plugin..."
+ sudo apt-get update
+ sudo apt-get install -y ca-certificates curl gnupg
+ sudo install -m 0755 -d /etc/apt/keyrings
+ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo tee /etc/apt/keyrings/docker.asc
+ sudo chmod a+r /etc/apt/keyrings/docker.asc
+ echo \
+ "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
+ $(. /etc/os-release && echo \"$VERSION_CODENAME\") stable" | \
+ sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+ sudo apt-get update
+ sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+ sudo systemctl start docker
+ sudo systemctl enable docker
+
 echo "Authenticating to Azure and ACR..."
 ACR_FQDN="${{ parameters.acrFQDN }}"
 REGISTRY_NAME=$(echo $ACR_FQDN | cut -d'.' -f1)
@@ -32,7 +49,7 @@ steps:
 docker images
 
 # Ensure the image is available locally before tagging the build ID
- IMAGE_NAME="${{ parameters.repository }}:$(Build.BuildId)"
+ IMAGE_NAME="${{ parameters.repository }}:$(VERSION)" # Use $(VERSION) defined in the pipeline
 if [[ "$(docker images -q $IMAGE_NAME 2> /dev/null)" == "" ]]; then
 echo "Error: Image $IMAGE_NAME not found. Exiting."
 exit 1
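Review bot: The Docker apt key fetched by `curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo tee /etc/apt/keyrings/docker.asc` is trusted with no fingerprint check, and `sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin` pins no versions, so the step that goes on to hold ACR credentials runs whatever download.docker.com serves at that moment; compare the downloaded key against Docker's published fingerprint (`gpg --show-keys --with-fingerprint /etc/apt/keyrings/docker.asc`) before using it and pin the package versions (`docker-ce=<version>` and friends) so the toolchain only changes through a reviewed commit, or drop this block entirely if the agent image already ships Docker and buildx. The script runs under `set -xe` without `pipefail`, so a failed `curl` is masked by `tee` succeeding and leaves an empty keyring file; `set -xeo pipefail` on the existing line makes the failure fail the step where it happens. Note also that this inline script mixes shell command substitutions (`$(dpkg --print-architecture)`, `$(. /etc/os-release ...)`) with Azure Pipelines macros (`$(VERSION)`); ADO leaves unmatched `$(...)` untouched, so this should work, but it is worth confirming in a run log that the `deb` line reaches bash intact. The inserted comment `# Update packages and install docker.io and docker-compose-plugin` names `docker.io`, which is not what is installed; `# Install docker-ce, buildx and the compose plugin from Docker's apt repository` describes the lines below it.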
@@ -41,25 +58,26 @@ steps:
 # Ensure the image is available locally before tagging 'latest'
 IMAGE_LATEST="${{ parameters.repository }}:latest"
 if [[ "$(docker images -q $IMAGE_LATEST 2> /dev/null)" == "" ]]; then
- echo "Warning: Image $IMAGE_LATEST not found. Skipping latest tag."
+ echo "Warning: Image $IMAGE_LATEST not found. Skipping 'latest' tag."
 SKIP_LATEST=true
 else
+ echo "Image $IMAGE_LATEST found. Proceeding with 'latest' tag."
 SKIP_LATEST=false
 fi
 
 # Tag the image with the ACR repository for the build ID
 echo "Tagging image with build ID..."
- docker tag $IMAGE_NAME ${ACR_FQDN}/${{ parameters.repository }}:$(Build.BuildId)
+ docker tag $IMAGE_NAME ${ACR_FQDN}/${{ parameters.repository }}:$(VERSION)
 
 # If the latest image exists, tag it as well
 if [ "$SKIP_LATEST" == "false" ]; then
 echo "Tagging image with 'latest'..."
- docker tag $IMAGE_LATEST ${ACR_FQDN}/${{ parameters.repository }}:latest
+ docker tag $IMAGE_NAME ${ACR_FQDN}/${{ parameters.repository }}:latest
 fi
 
 # Push the Docker image to ACR with build ID
 echo "Pushing image with build ID to ACR..."
- docker push ${ACR_FQDN}/${{ parameters.repository }}:$(Build.BuildId)
+ docker push ${ACR_FQDN}/${{ parameters.repository }}:$(VERSION)
 
 # Optionally push the image as 'latest'
 if [ "${{ parameters.pushLatest }}" == "true" ] && [ "$SKIP_LATEST" == "false" ]; then
diff --git a/Makefile b/Makefile
index 7a7b28f4da9..4e4b8d1a1ec 100644
--- a/Makefile
+++ b/Makefile
@@ -374,7 +374,6 @@ DOCKER_BUILD_CI_ARGS ?=
 
 # Image names that will be found in the local podman image registry after build
 # (tags are always VERSION).
-LOCAL_ARO_RP_IMAGE ?= aro
 LOCAL_ARO_PORTAL_BUILD_IMAGE ?= $(LOCAL_ARO_RP_IMAGE)-portal-build
 LOCAL_ARO_RP_BUILD_IMAGE ?= $(LOCAL_ARO_RP_IMAGE)-build
 LOCAL_AZ_EXT_ARO_IMAGE ?= azext-aro
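Review bot: The `latest` tag is now taken from `$IMAGE_NAME` (`docker tag $IMAGE_NAME ${ACR_FQDN}/${{ parameters.repository }}:latest`), yet `SKIP_LATEST` is still decided by whether a local `${{ parameters.repository }}:latest` image exists, an image this step no longer uses; the Makefile hunk below builds only `:$(VERSION)` tags, so that lookup will most likely never succeed and `pushLatest: true` silently becomes a no-op. Since `$IMAGE_NAME` is already asserted to exist above (`exit 1` otherwise), the gate can be `pushLatest` alone: delete the `IMAGE_LATEST` lookup and `SKIP_LATEST`, and reduce the final condition to `if [ "${{ parameters.pushLatest }}" == "true" ]; then`. If the intent was instead to push a separately built `latest` image, the `docker tag` in this hunk should have stayed `$IMAGE_LATEST`; the two halves of the hunk currently disagree about which it is.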
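Review bot: Removing `LOCAL_ARO_RP_IMAGE ?= aro` leaves the variable with no Makefile default while `LOCAL_ARO_PORTAL_BUILD_IMAGE ?= $(LOCAL_ARO_RP_IMAGE)-portal-build` and `LOCAL_ARO_RP_BUILD_IMAGE ?= $(LOCAL_ARO_RP_IMAGE)-build` on the next two lines still derive from it, so a developer running `make ci-rp` outside the pipeline now builds `-t -build:$(VERSION)` and an image named `:$(VERSION)`, both of which Docker rejects. The pipeline itself is unaffected because `ci.yml` in this diff provides the value as an environment variable and `?=` already yields to that. Keeping the default serves both paths: `LOCAL_ARO_RP_IMAGE ?= aro`.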
@@ -397,9 +396,16 @@ ci-clean:
 podman $(PODMAN_REMOTE_ARGS) \
 image prune --all --filter="label=aro-*=true"
 
+.PHONY: version
+version:
+ echo "RP $(LOCAL_ARO_RP_IMAGE):$(VERSION)"
+
 .PHONY: ci-rp
 ci-rp: fix-macos-vendor
- docker build . $(DOCKER_BUILD_CI_ARGS) \
+ @echo "LOCAL_ARO_RP_IMAGE: $(LOCAL_ARO_RP_IMAGE)"
+ @echo "VERSION: $(VERSION)"
+ @echo "LOCAL_ARO_RP_BUILD_IMAGE: $(LOCAL_ARO_RP_BUILD_IMAGE)"
+ docker build . ${DOCKER_BUILD_CI_ARGS} \
 -f Dockerfile.ci-rp \
 --ulimit=nofile=4096:4096 \
 --build-arg REGISTRY=$(REGISTRY) \
@@ -408,19 +414,14 @@ ci-rp: fix-macos-vendor
 --target=builder \
 -t $(LOCAL_ARO_RP_BUILD_IMAGE):$(VERSION)
 
- docker build . $(DOCKER_BUILD_CI_ARGS) \
- -f Dockerfile.ci-rp \
- --ulimit=nofile=4096:4096 \
- --build-arg REGISTRY=$(REGISTRY) \
- --build-arg ARO_VERSION=$(VERSION) \
- -t $(LOCAL_ARO_RP_IMAGE):$(VERSION)
+ docker compose build rp
 
 # Extract test coverage files from build to local filesystem
 docker create --name extract_cover_out $(LOCAL_ARO_RP_BUILD_IMAGE):$(VERSION); \
 docker cp extract_cover_out:/app/report.xml ./report.xml; \
 docker cp extract_cover_out:/app/coverage.xml ./coverage.xml; \
 docker rm extract_cover_out;
-
+ 
 
 .PHONY: ci-tunnel
 ci-tunnel: fix-macos-vendor
diff --git a/docker-compose.yml b/docker-compose.yml
index fc1e12eb6a5..0c44ef96522 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,8 +1,6 @@
-version: '3.8'
-
 services:
 vpn:
- image: vpn:${VERSION}
+ image: ${LOCAL_VPN_IMAGE}:${VERSION}
 build:
 context: .
 dockerfile: Dockerfile.vpn
@@ -10,6 +8,8 @@ services:
 privileged: true
 volumes:
 - ${PWD}/secrets:/secrets:z
+ devices:
+ - /dev/net/tun # required to modify VPN on host
 entrypoint: "openvpn"
 command: ["/secrets/vpn-eastus.ovpn"]
 healthcheck:
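Review bot: The new `version` target echoes without the `@` prefix that the three `@echo` lines added to `ci-rp` in this same hunk use, so `make version` prints the command and then its output, giving two lines where one was wanted; `@echo "RP $(LOCAL_ARO_RP_IMAGE):$(VERSION)"` matches the rest of the hunk. The build line also switches to `${DOCKER_BUILD_CI_ARGS}` while every neighbouring reference (`$(REGISTRY)`, `$(VERSION)`, `$(LOCAL_ARO_RP_BUILD_IMAGE)`) uses `$(...)`; the two forms are equivalent in Make, so `$(DOCKER_BUILD_CI_ARGS)` keeps the file uniform. The `ci-rp` recipe continues past the end of this hunk.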
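Review bot: `docker compose build rp` reads `REGISTRY`, `VERSION` and `LOCAL_ARO_RP_IMAGE` from the process environment, but Make only exports variables that came from the command line or the environment, not ones assigned with `?=` inside the Makefile, so outside CI (where `ci.yml` already supplies them as environment variables) `REGISTRY` and `LOCAL_ARO_RP_IMAGE` interpolate to empty strings and the build either fails or produces a nameless image, while the builder stage a few lines above still receives them explicitly as `--build-arg`. Passing them on the command line keeps both stages fed the same way: `REGISTRY=$(REGISTRY) VERSION=$(VERSION) LOCAL_ARO_RP_IMAGE=$(LOCAL_ARO_RP_IMAGE) docker compose build rp`. The removed `docker build` also honoured `$(DOCKER_BUILD_CI_ARGS)` (`--load` from the pipeline); the compose build does not, so confirm the `rp` image still lands in the local store that `template-acr-push.yml` later queries with `docker images -q`. The replacement for the blank line after `docker rm extract_cover_out;` appears to contain only whitespace; it should be an empty line.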
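Review bot: `devices:` / `- /dev/net/tun` is redundant while `privileged: true` stays on the line above it: a privileged container already receives every host device and every capability, so the addition changes nothing at runtime and the comment `# required to modify VPN on host` overstates what it does. If the goal is to narrow what the `vpn` service gets, the device mapping should replace privileged mode rather than sit beside it: drop `privileged: true`, add `cap_add:` / `- NET_ADMIN`, and keep the device; verify with a real VPN start that openvpn needs nothing further (sysctl writes, for example, would). Either way the comment should say what is actually granted, e.g. `# openvpn needs the tun device (and NET_ADMIN) to create its tunnel interface`.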
@@ -18,3 +18,95 @@ services:
 interval: 20s
 timeout: 3s
 retries: 3
+
+ rp:
+ image: $(LOCAL_ARO_RP_IMAGE):$(VERSION)
+ build:
+ context: .
+ dockerfile: Dockerfile.ci-rp
+ args:
+ - REGISTRY=${REGISTRY}
+ - ARO_VERSION=${VERSION}
+ ulimits:
+ nofile:
+ soft: 4096
+ hard: 4096
+ container_name: aro-rp
+ depends_on:
+ vpn:
+ condition: service_healthy
+ command: ["rp"]
+ secrets:
+ - source: proxy-client-key
+ target: /app/secrets/proxy-client.key
+ - source: proxy-client-crt
+ target: /app/secrets/proxy-client.crt
+ - source: proxy-crt
+ target: /app/secrets/proxy.crt
+ - source: hive-kubeconfig
+ target: /app/secrets/aks.kubeconfig
+ environment:
+ # inherit from host
+ - ADMIN_OBJECT_ID
+ - ARO_IMAGE
+ - AZURE_ARM_CLIENT_ID
+ - AZURE_CLIENT_ID
+ - AZURE_CLIENT_SECRET
+ - AZURE_DBTOKEN_CLIENT_ID
+ - AZURE_ENVIRONMENT
+ - AZURE_FP_CLIENT_ID
+ - AZURE_FP_SERVICE_PRINCIPAL_ID
+ - AZURE_GATEWAY_CLIENT_ID
+ - AZURE_GATEWAY_CLIENT_SECRET
+ - AZURE_GATEWAY_SERVICE_PRINCIPAL_ID
+ - AZURE_PORTAL_ACCESS_GROUP_IDS
+ - AZURE_PORTAL_CLIENT_ID
+ - AZURE_RP_CLIENT_ID
+ - AZURE_RP_CLIENT_SECRET
+ - AZURE_SERVICE_PRINCIPAL_ID
+ - AZURE_SUBSCRIPTION_ID
+ - AZURE_TENANT_ID
+ - DATABASE_ACCOUNT_NAME
+ - DATABASE_NAME
+ - DOMAIN_NAME
+ - KEYVAULT_PREFIX
+ - LOCATION
+ - MOCK_MSI_CERT
+ - MOCK_MSI_CLIENT_ID
+ - MOCK_MSI_TENANT_ID
+ - OIDC_STORAGE_ACCOUNT_NAME
+ - PARENT_DOMAIN_NAME
+ - PARENT_DOMAIN_RESOURCEGROUP
+ - PROXY_HOSTNAME
+ - PULL_SECRET
+ - RESOURCEGROUP
+ - SECRET_SA_ACCOUNT_NAME
+ - STORAGE_ACCOUNT_DOMAIN
+
+ # override
+ - ARO_ADOPT_BY_HIVE=true
+ - ARO_CHECKOUT_PATH=/app
+ - ARO_INSTALL_VIA_HIVE=true
+ - HIVE_KUBE_CONFIG_PATH=/app/secrets/aks.kubeconfig
+ - KUBECONFIG=/app/secrets/aks.kubeconfig
+ - RP_MODE=development
+ expose:
+ - "8443"
+ ports:
+ - "127.0.0.1:8443:8443"
+ healthcheck:
+ test: ["CMD", "curl", "-k", "http://localhost:8443/healthz"]
+ interval: 30s
+ timeout: 30s
+ retries: 3
+ restart: on-failure:3
+
+secrets:
+ proxy-client-key:
+ file: ./secrets/proxy-client.key
+ proxy-client-crt:
+ file: ./secrets/proxy-client.crt
+ proxy-crt:
+ file: ./secrets/proxy.crt
+ hive-kubeconfig:
+ file: ./aks.kubeconfig
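Review bot: `image: $(LOCAL_ARO_RP_IMAGE):$(VERSION)` uses Make/Azure Pipelines macro syntax; Compose interpolates only `${VAR}` and `$VAR` and reports `$(` as an invalid interpolation format, so the `rp` service will not resolve the way the `vpn` service's `${LOCAL_VPN_IMAGE}:${VERSION}` in this same file does — it should read `image: ${LOCAL_ARO_RP_IMAGE}:${VERSION}`, matching the `${REGISTRY}` / `${VERSION}` build args a few lines below. The `environment:` list forwards `AZURE_CLIENT_SECRET`, `AZURE_GATEWAY_CLIENT_SECRET`, `AZURE_RP_CLIENT_SECRET` and `PULL_SECRET` as container environment, where they surface in `docker inspect` output and in any log that dumps the container config; the service already delivers the proxy certificates and kubeconfig through `secrets:`, so if the RP can read these values from files they belong there too, and otherwise the `# inherit from host` comment should warn that credentials are copied from the host environment. The healthcheck `curl -k http://localhost:8443/healthz` pairs `-k` with a plain-http URL; if 8443 serves TLS the probe needs `https://`, otherwise `-k` is dead weight. This is the `RP_MODE=development` configuration, so the secret-handling point is hygiene for developer machines and CI agents rather than a production exposure.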