diff --git a/changelog.d/5-internal/nginx-ingress-controller-upgrade b/changelog.d/5-internal/nginx-ingress-controller-upgrade
new file mode 100644
index 00000000000..e6ab1b62a09
--- /dev/null
+++ b/changelog.d/5-internal/nginx-ingress-controller-upgrade
@@ -0,0 +1 @@
+Upgrade nginx-ingress-controller from 4.11.5 to 4.13.5 (k8s 1.29 - 1.33 officially supported - other version may also work)
diff --git a/charts/ingress-nginx-controller/Chart.yaml b/charts/ingress-nginx-controller/Chart.yaml
index 64e708e97a8..bdfd92237bf 100644
--- a/charts/ingress-nginx-controller/Chart.yaml
+++ b/charts/ingress-nginx-controller/Chart.yaml
@@ -4,5 +4,5 @@ name: ingress-nginx-controller
 version: 0.0.42
 dependencies:
 - name: ingress-nginx
-  version: 4.11.5 # k8s compatibility [1.26 - 1.30]
+  version: 4.13.5 # k8s compatibility [1.29 - 1.33]
   repository: https://kubernetes.github.io/ingress-nginx
diff --git a/charts/ingress-nginx-controller/values.yaml b/charts/ingress-nginx-controller/values.yaml
index c28eb2a065c..1020ceef6a8 100644
--- a/charts/ingress-nginx-controller/values.yaml
+++ b/charts/ingress-nginx-controller/values.yaml
@@ -14,6 +14,7 @@
 # for all possible values to override.
 ingress-nginx:
   controller:
+    enableAnnotationValidations: false # due to https://github.com/kubernetes/ingress-nginx/issues/12709
     enableTopologyAwareRouting: true
     # Use kind: `DaemonSet` (when using NodePort) or `Deployment` (when using
     # LoadBalancer)
@@ -56,4 +57,5 @@ ingress-nginx:
       # Also add ssl/tls protocol/cipher to gain some observability here (can we turn off TLS 1.2?)
       log-format-escape-json: true
       log-format-upstream: '{"bytes_sent": "$bytes_sent", "duration": "$request_time", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent", "method": "$request_method", "path": "$uri", "remote_addr": "$proxy_protocol_addr", "remote_user": "$remote_user", "request_id": "$req_id", "request_length": "$request_length", "request_proto": "$server_protocol", "request_time": "$request_time", "status": "$status", "time": "$time_iso8601", "tls_cipher": "$ssl_cipher", "tls_protocol": "$ssl_protocol", "vhost": "$host", "x_forwarded_for": "$proxy_add_x_forwarded_for"}'
-    allowSnippetAnnotations: true
+      allow-snippet-annotations: true # new format for this flag in newer versions
+    allowSnippetAnnotations: true # needed up to and including version 1.13
diff --git a/hack/helm_vars/ingress-nginx-controller/values.yaml.gotmpl b/hack/helm_vars/ingress-nginx-controller/values.yaml.gotmpl
index c137f045884..fdcd7c9c5cb 100644
--- a/hack/helm_vars/ingress-nginx-controller/values.yaml.gotmpl
+++ b/hack/helm_vars/ingress-nginx-controller/values.yaml.gotmpl
@@ -1,6 +1,12 @@
 ingress-nginx:
   fullnameOverride: "{{ .Release.Namespace }}-nginx-ingress"
   controller:
+    # Must match the controllerValue on the IngressClass or the controller
+    # will ignore the ingress resources.
+    class: "k8s.io/{{ .Release.Namespace }}-nginx-ingress"
+    # Accept IngressClass names even if the IngressClass object is not found yet
+    # (controller still filters by the class string).
+    ingressClassByName: true
     ingressClassResource:
         name: "nginx-{{ .Release.Namespace }}"
         # -- Is this ingressClass enabled or not