diff --git a/controller-norbac.jsonnet b/controller-norbac.jsonnet
index 25e8a559f2..a244d9f2da 100644
--- a/controller-norbac.jsonnet
+++ b/controller-norbac.jsonnet
@@ -1,52 +1,52 @@
 // Minimal required deployment for a functional controller.
-local kube = import "kube.libsonnet";
+local kube = import 'kube.libsonnet';
 local trim = function(str) (
- if std.startsWith(str, " ") || std.startsWith(str, "\n") then
- trim(std.substr(str, 1, std.length(str) - 1))
- else if std.endsWith(str, " ") || std.endsWith(str, "\n") then
- trim(std.substr(str, 0, std.length(str) - 1))
+ if std.startsWith(str, ' ') || std.startsWith(str, '\n') then
+ trim(std.substr(str, 1, std.length(str) - 1))
+ else if std.endsWith(str, ' ') || std.endsWith(str, '\n') then
+ trim(std.substr(str, 0, std.length(str) - 1))
 else str
 );
-local namespace = "kube-system";
-local controllerImage = std.extVar("CONTROLLER_IMAGE");
-local imagePullPolicy = std.extVar("IMAGE_PULL_POLICY");
+local namespace = 'kube-system';
+local controllerImage = std.extVar('CONTROLLER_IMAGE');
+local imagePullPolicy = std.extVar('IMAGE_PULL_POLICY');
 // This is a bit odd: Downgrade to apps/v1beta1 so we can continue
 // to support k8s v1.6.
 // TODO: re-evaluate sealed-secrets support timeline and/or
 // kube.libsonnet versioned API support.
 local v1beta1_Deployment(name) = kube.Deployment(name) {
- assert std.assertEqual(super.apiVersion, "apps/v1beta2"),
- apiVersion: "apps/v1beta1",
+ assert std.assertEqual(super.apiVersion, 'apps/v1beta2'),
+ apiVersion: 'apps/v1beta1',
 };
 {
- crd: kube.CustomResourceDefinition("bitnami.com", "v1alpha1", "SealedSecret"),
+ crd: kube.CustomResourceDefinition('bitnami.com', 'v1alpha1', 'SealedSecret'),
- namespace:: {metadata+: {namespace: namespace}},
+ namespace:: { metadata+: { namespace: namespace } },
- service: kube.Service("sealed-secrets-controller") + $.namespace {
+ service: kube.Service('sealed-secrets-controller') + $.namespace {
 target_pod: $.controller.spec.template,
 },
- controller: v1beta1_Deployment("sealed-secrets-controller") + $.namespace {
+ controller: v1beta1_Deployment('sealed-secrets-controller') + $.namespace {
 spec+: {
 template+: {
 spec+: {
 containers_+: {
- controller: kube.Container("sealed-secrets-controller") {
+ controller: kube.Container('sealed-secrets-controller') {
 image: controllerImage,
 imagePullPolicy: imagePullPolicy,
- command: ["controller"],
+ command: ['controller'],
 readinessProbe: {
- httpGet: {path: "/healthz", port: "http"},
+ httpGet: { path: '/healthz', port: 'http' },
 },
 livenessProbe: self.readinessProbe,
 ports_+: {
- http: {containerPort: 8080},
+ http: { containerPort: 8080 },
 },
 securityContext+: {
 readOnlyRootFilesystem: true,
diff --git a/controller.jsonnet b/controller.jsonnet
index a6a01006ab..bc14c89b3c 100644
--- a/controller.jsonnet
+++ b/controller.jsonnet
@@ -1,49 +1,49 @@
 // This is the recommended cluster deployment of sealed-secrets.
 // See controller-norbac.jsonnet for the bare minimum functionality.
-local kube = import "kube.libsonnet";
-local controller = import "controller-norbac.jsonnet";
+local controller = import 'controller-norbac.jsonnet';
+local kube = import 'kube.libsonnet';
-controller + {
- account: kube.ServiceAccount("sealed-secrets-controller") + $.namespace,
+controller {
+ account: kube.ServiceAccount('sealed-secrets-controller') + $.namespace,
- unsealerRole: kube.ClusterRole("secrets-unsealer") {
+ unsealerRole: kube.ClusterRole('secrets-unsealer') {
 rules: [
 {
- apiGroups: ["bitnami.com"],
- resources: ["sealedsecrets"],
- verbs: ["get", "list", "watch", "update"],
+ apiGroups: ['bitnami.com'],
+ resources: ['sealedsecrets'],
+ verbs: ['get', 'list', 'watch', 'update'],
 },
 {
- apiGroups: [""],
- resources: ["secrets"],
- verbs: ["get", "create", "update", "delete"],
+ apiGroups: [''],
+ resources: ['secrets'],
+ verbs: ['get', 'create', 'update', 'delete'],
 },
 {
- apiGroups: [""],
- resources: ["events"],
- verbs: ["create", "patch"],
+ apiGroups: [''],
+ resources: ['events'],
+ verbs: ['create', 'patch'],
 },
 ],
 },
- unsealKeyRole: kube.Role("sealed-secrets-key-admin") + $.namespace {
+ unsealKeyRole: kube.Role('sealed-secrets-key-admin') + $.namespace {
 rules: [
 {
- apiGroups: [""],
- resources: ["secrets"],
+ apiGroups: [''],
+ resources: ['secrets'],
 // Can't limit create by resource name as keys are produced on the fly
- verbs: ["create", "list"],
+ verbs: ['create', 'list'],
 },
 ],
 },
- unsealerBinding: kube.ClusterRoleBinding("sealed-secrets-controller") {
+ unsealerBinding: kube.ClusterRoleBinding('sealed-secrets-controller') {
 roleRef_: $.unsealerRole,
 subjects_+: [$.account],
 },
- unsealKeyBinding: kube.RoleBinding("sealed-secrets-controller") + $.namespace {
+ unsealKeyBinding: kube.RoleBinding('sealed-secrets-controller') + $.namespace {
 roleRef_: $.unsealKeyRole,
 subjects_+: [$.account],
 },