I think I see what is going on here. I had seen the "authentication-key" statement in the "protocols bgp" hierarchy already, but when I had tried to use it,
{master:1}[edit routing-instances centuryLink protocols bgp]
cjc@scea-bp-lab-exstack# show
local-address 10.113.33.165;
authentication-key "$9$M9EWNVg4JDH.BI"; ## SECRET-DATA
##
## Warning: May not be configured with authentication-key
##
authentication-algorithm md5;
local-as 65009;
group SCEA {
import scea-import;
export scea-default;
peer-as 64989;
neighbor 10.113.33.166;
}
Which made me go looking for the "security authentication-key-chains" stanza.
However, playing around a bit more, it looks like, it's a conflict between the "authentication-algorithm" and "authentication-key" statements. If you just supply, "authentication-key" with no "authentication-algorithm," the configuration is accepted and authentication between the peers works.
Be nice if in addition to losing the "security authentication-key-chains," they took out a useless dependency like the "authentication-algorithm" statement to match. Lot less confusing.