How can I expose some routes via http, and some routes via https? Do I need to start two separate embedded servers?

It seems that way. An alternative solution would be to run it behind nginx or similar services to handle what routes listen on port 80 and which listen on port 443 with ssl enabled. Out of curiosity, what's your usecase for wanting to use both?

I'm making a sidecar container that runs in a k8s pod, and I want to use https to ensure the communication is encrypted between containers. The sidecar will not be exposed outside of the container, so only other containers in the same pod will be able to communicate with this app. It's not entirely necessary for this to be https, but due to the nature of the data, it will give us warm and fuzzies if it's encrypted even though it's only sent over the virtual network device and doesn't actually hit any wires. I plan to generate a ca and self signed cert on start up, then make the CA available via an http end point. The calling container will first load the CA (it's trusted in this case, because it was loaded from localhost) then add that CA to the client being used to call the sidecar container's https end points that are secured with the certificate signed by the CA. I would use a kubernetes generated CA, or other manually added CA, but this is going to be deployed along side many different applications in many clusters, which increases the complexity of the deployment to get encrypted traffic that never leaves the pod.

Also, you can have one server with all routes available via HTTP and HTTPS but for some of them you can return 404 depending on a request protocol and your logic.

Ah, I like that better than two embedded servers, thanks for the suggestion.