You are developing an application that consists of several microservices running in a Google Kubernetes Engine cluster. One microservice needs to connect to a third-party database running on-premises. You need to store credentials to the database and ensure that these credentials can be rotated while following security best practices. What should you do?

A. Store the credentials in a sidecar container proxy, and use it to connect to the third-party database. B. Configure a service mesh to allow or restrict traffic from the Pods in your microservice to the database. C. Store the credentials in an encrypted volume mount, and associate a Persistent Volume Claim with the client Pod. D. Store the credentials as a Kubernetes Secret, and use the Cloud Key Management Service plugin to handle encryption and decryption.