diff --git a/kubernetes/helm/gateway-helm-chart/templates/_helpers.tpl b/kubernetes/helm/gateway-helm-chart/templates/_helpers.tpl
index 8d8a9950e..7b3a1fe65 100644
--- a/kubernetes/helm/gateway-helm-chart/templates/_helpers.tpl
+++ b/kubernetes/helm/gateway-helm-chart/templates/_helpers.tpl
@@ -60,3 +60,53 @@ app.kubernetes.io/component: {{ $component }}
 {{- default "default" .Values.serviceAccount.name -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Render a component image reference, applying the WSO2 subscription registry rewrite
+only when wso2.subscription.imagePullSecret is set AND the repository value is
+exactly the chart-canonical default for this component. Any explicit override —
+including overrides that happen to stay under `ghcr.io/wso2/api-platform/` (e.g.
+SHA-pinned references, canary tags) — passes through unchanged.
+
+Args (dict): root, repository, defaultRepository, tag
+*/}}
+{{- define "gateway-operator.componentImage" -}}
+{{- $root := .root -}}
+{{- $repo := .repository -}}
+{{- $defaultRepo := .defaultRepository -}}
+{{- $tag := .tag -}}
+{{- $sub := $root.Values.wso2.subscription.imagePullSecret -}}
+{{- $defaultPrefix := "ghcr.io/wso2/api-platform/" -}}
+{{- $wso2Prefix := "registry.wso2.com/wso2-api-platform/" -}}
+{{- if and (ne $sub "") (eq $repo $defaultRepo) (hasPrefix $defaultPrefix $repo) -}}
+{{- printf "%s%s:%s" $wso2Prefix (trimPrefix $defaultPrefix $repo) $tag -}}
+{{- else -}}
+{{- printf "%s:%s" $repo $tag -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render an `imagePullSecrets:` YAML block (without indentation) by merging:
+ 1. wso2.subscription.imagePullSecret (if set)
+ 2. .Values.imagePullSecrets (global)
+ 3. component-level imagePullSecrets (passed in)
+
+Returns an empty string when no secrets resolve, so callers can wrap in
+`{{- with (include ...) }} {{- . | nindent N }} {{- end }}`.
+
+Args (dict): root, componentPullSecrets
+*/}}
+{{- define "gateway-operator.componentImagePullSecretsBlock" -}}
+{{- $root := .root -}}
+{{- $componentPullSecrets := default (list) .componentPullSecrets -}}
+{{- $globalPullSecrets := default (list) $root.Values.imagePullSecrets -}}
+{{- $sub := $root.Values.wso2.subscription.imagePullSecret -}}
+{{- $subList := ternary (list $sub) (list) (ne $sub "") -}}
+{{- $all := concat $subList $globalPullSecrets $componentPullSecrets -}}
+{{- if $all -}}
+imagePullSecrets:
+{{- range $all }}
+ - name: {{ . }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/kubernetes/helm/gateway-helm-chart/templates/gateway/controller/deployment.yaml b/kubernetes/helm/gateway-helm-chart/templates/gateway/controller/deployment.yaml
index c107095e9..aff073a89 100644
--- a/kubernetes/helm/gateway-helm-chart/templates/gateway/controller/deployment.yaml
+++ b/kubernetes/helm/gateway-helm-chart/templates/gateway/controller/deployment.yaml
@@ -42,14 +42,8 @@ spec:
 {{- end }}
 spec:
 serviceAccountName: {{ include "gateway-operator.serviceAccountName" . }}
- {{- $globalPullSecrets := default (list) .Values.imagePullSecrets }}
- {{- $componentPullSecrets := default (list) $controller.imagePullSecrets }}
- {{- $pullSecrets := concat $globalPullSecrets $componentPullSecrets }}
- {{- if $pullSecrets }}
- imagePullSecrets:
- {{- range $pullSecrets }}
- - name: {{ . }}
- {{- end }}
+ {{- with (include "gateway-operator.componentImagePullSecretsBlock" (dict "root" . "componentPullSecrets" $controller.imagePullSecrets)) }}
+ {{- . | nindent 6 }}
 {{- end }}
 {{- with $deployment.podSecurityContext }}
 securityContext:
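Review bot: In `_helpers.tpl`, both `gateway-operator.componentImage` and `gateway-operator.componentImagePullSecretsBlock` treat any value that is not exactly `""` as "subscription mode on", so the test `(ne $sub "")` alone decides which registry every default image is pulled from. A whitespace-only string, or (as far as I can tell from Go template comparison rules) a key nulled out in an override file, would pass that test, rewrite the images to `registry.wso2.com/wso2-api-platform/` and emit a pull-secret entry with no usable name. Normalising the value once in each helper would close that: `{{- $sub := $root.Values.wso2.subscription.imagePullSecret | default "" | toString | trim -}}`. Separately, `- name: {{ . }}` renders the secret name unquoted; `- name: {{ . | quote }}` would keep a numeric-looking or boolean-looking name a string.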
@@ -72,7 +66,7 @@ spec:
 {{- end }}
 containers:
 - name: gateway-controller
- image: "{{ $controller.image.repository }}:{{ $controller.image.tag }}"
+ image: {{ include "gateway-operator.componentImage" (dict "root" . "repository" $controller.image.repository "defaultRepository" "ghcr.io/wso2/api-platform/gateway-controller" "tag" $controller.image.tag) | quote }}
 imagePullPolicy: {{ $controller.image.pullPolicy }}
 {{- with $deployment.securityContext }}
 securityContext:
diff --git a/kubernetes/helm/gateway-helm-chart/templates/gateway/gateway-runtime/deployment.yaml b/kubernetes/helm/gateway-helm-chart/templates/gateway/gateway-runtime/deployment.yaml
index 7b2f39d71..c9149f716 100644
--- a/kubernetes/helm/gateway-helm-chart/templates/gateway/gateway-runtime/deployment.yaml
+++ b/kubernetes/helm/gateway-helm-chart/templates/gateway/gateway-runtime/deployment.yaml
@@ -39,14 +39,8 @@ spec:
 {{- end }}
 spec:
 serviceAccountName: {{ include "gateway-operator.serviceAccountName" . }}
- {{- $globalPullSecrets := default (list) .Values.imagePullSecrets }}
- {{- $componentPullSecrets := default (list) $unified.imagePullSecrets }}
- {{- $pullSecrets := concat $globalPullSecrets $componentPullSecrets }}
- {{- if $pullSecrets }}
- imagePullSecrets:
- {{- range $pullSecrets }}
- - name: {{ . }}
- {{- end }}
+ {{- with (include "gateway-operator.componentImagePullSecretsBlock" (dict "root" . "componentPullSecrets" $unified.imagePullSecrets)) }}
+ {{- . | nindent 6 }}
 {{- end }}
 {{- with $deployment.podSecurityContext }}
 securityContext:
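Review bot: The `image:` line of the gateway-controller container hard-codes `"ghcr.io/wso2/api-platform/gateway-controller"` as `defaultRepository`, and the gateway-runtime `image:` line in the next file does the same with its own literal, so the registry rewrite only works while these strings stay identical to the `image.repository` defaults in values.yaml, which this diff does not show. If a default is later renamed there, the `eq $repo $defaultRepo` test in the helper would presumably stop matching and subscription installs would go back to pulling from ghcr.io without any error. A template comment above each line would record the coupling, e.g. `{{- /* defaultRepository must match the values.yaml default of this component's image.repository */}}`. A `helm template` check in CI that asserts the rendered image with the subscription secret set would catch the drift.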
@@ -69,7 +63,7 @@ spec:
 {{- end }}
 containers:
 - name: gateway-runtime
- image: "{{ $unified.image.repository }}:{{ $unified.image.tag }}"
+ image: {{ include "gateway-operator.componentImage" (dict "root" . "repository" $unified.image.repository "defaultRepository" "ghcr.io/wso2/api-platform/gateway-runtime" "tag" $unified.image.tag) | quote }}
 imagePullPolicy: {{ $unified.image.pullPolicy }}
 args: ["--pol.config", "/etc/policy-engine/config.toml"]
 {{- with $deployment.securityContext }}
diff --git a/kubernetes/helm/gateway-helm-chart/values.yaml b/kubernetes/helm/gateway-helm-chart/values.yaml
index 0773b873d..7f4a61148 100644
--- a/kubernetes/helm/gateway-helm-chart/values.yaml
+++ b/kubernetes/helm/gateway-helm-chart/values.yaml
@@ -6,6 +6,24 @@ fullnameOverride: ""
 imagePullSecrets: []
+# WSO2 Subscription parameters (https://wso2.com/subscription/)
+wso2:
+ subscription:
+ # Name of a docker-registry Secret (in the release namespace) holding credentials
+ # for registry.wso2.com. Setting this enables WSO2 subscription mode:
+ # 1. The secret is added to every component's imagePullSecrets.
+ # 2. Default `ghcr.io/wso2/api-platform/*` image repositories are rewritten to
+ # `registry.wso2.com/wso2-api-platform/*`, so the released WSO2 images at
+ # https://docker.wso2.com/ are pulled instead.
+ # Explicit image.repository overrides are preserved as-is.
+ #
+ # Create the secret with:
+ # kubectl create secret docker-registry wso2-subscription-creds \
+ # --docker-server=registry.wso2.com \
+ # --docker-username= \
+ # --docker-password=
+ imagePullSecret: ""
+
 commonLabels: {}
 commonAnnotations: {}
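Review bot: The `kubectl create secret docker-registry` example in the values.yaml comment passes the registry password as a `--docker-password=` argument and gives no namespace, although the same comment says the Secret must live in the release namespace. Credentials passed as arguments end up in shell history and process listings, so the comment could show the file-based form as the preferred one: `#   kubectl create secret docker-registry wso2-subscription-creds --namespace <release-namespace> --from-file=.dockerconfigjson=<path-to-docker-config.json>`. The empty values after `--docker-username=` and `--docker-password=` also read as if placeholders were lost, possibly only in this rendering; if that is the case in the file too, restoring them would make the example usable as written.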